Security: Microsoft, More Breaches, and Fake Security From CISA (Back Doors' Proponents and Pushers)
-
You can’t stop me. MS Teams session hijacking and bypass | Pen Test Partners
Microsoft Teams stores unencrypted session tokens and cached conversations in users’ roaming AppData, which can be used by an attacker to gain access to the victim’s Teams account without having to authenticate or contend with potential conditional access policies.
This is a design choice by Microsoft as the folder is located in \AppData\Roaming\, which is a folder designed to be synchronised with folder redirection and similar technologies for user convenience. Imagine the frustration IT departments would be faced with if their Citrix users had to log into Teams every single morning. You can almost hear the angry mob with torches and pitchforks.
We leveraged this on a client engagement when I compromised a central file server, which held users’ roaming AppData.
-
Microsoft Teams is storing authentication tokens in cleartext
The vulnerability is present in the desktop versions of Teams for Windows, macOS and Linux. Threat actors who have local (physical) or remote access to a victim's system can access the credentials of users who are signed in, without requiring administrator privileges. Hackers could bypass 2-factor authentication requirements even if it was enabled on the account, and access other related apps such as Skype and Outlook. This could potentially be exploited to impersonate other users, tamper with data, or to engineer targeted phishing attacks.
-
Microsoft Teams stores authentication tokens in plaintext
Microsoft's workplace-oriented messaging app, Teams, saves authentication tokens in an unencrypted plaintext format - potentially allowing attackers to control conversations and move laterally inside a network.
Security firm Vectra Protect claims the weakness affects the desktop app for Windows, Mac, and Linux, which was developed using the Microsoft Electron framework.
-
Twitter, Mudge and survival of the quittest
The affair also raises suspicions of performative tokenism on the part of some tech giants, who sometimes appear to keep some of their security and ethics personnel on staff merely for window-dressing. Just recently, Meta disbanded its Responsible Innovation Team just about a year after touting them, while Patreon, which suffered a massive data breach in 2015, laid off its entire security staff.
-
Securing the Supply Chain of Nothing
The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) recently released a document entitled, “Securing the Software Supply Chain – Recommended Practices Guide for Developers.” I hoped the document might shed light on practical, perhaps even novel, ways for the private sector to increase systems resilience to supply chain attacks. The authors are respected authorities, and the topic is salient to the public.
Instead, the document’s guidance contains a mixture of impractical, confusing, confused, and even dangerous recommendations.
-
Microsoft Releases Out-of-Band Security Update for Microsoft Endpoint Configuration Manager [Ed: Microsoft the back doors company]
Microsoft has released a security update to address a vulnerability in Microsoft Endpoint Configuration Manager, versions 2103-2207. An attacker could exploit this vulnerability to obtain sensitive information.
-
SIM Swapper Abducted, Beaten, Held for $200k Ransom
A Florida teenager who served as a lackey for a cybercriminal group that specializes in cryptocurrency thefts was beaten and kidnapped last week by a rival cybercrime gang. The teen’s captives held guns to his head while forcing him to record a video message pleading with his crew to fork over a $200,000 ransom in exchange for his life. The youth is now reportedly cooperating with U.S. federal investigators, who are responding to an alarming number of reports of physical violence tied to certain online crime communities.
-
Trojans Can Lurk Inside AVR Bootloaders
If there’s one thing we’ve learned over the years, it’s that if it’s got a silicon chip inside, it could be carrying a virus. Research by one group focused on hiding a trojan inside an AVR Arduino bootloader, proving even our little hobbyist microcontrollers aren’t safe.
-
iTWire - Optus hit by huge data breach, up to 9m customers claimed affected
Australia's second largest telecommunications provider Singtel Optus has revealed its customers' data has been possibly accessed in a network attack.
The Australian claimed the data breach affected up to nine million customers.
Optus said in a statement that information which may have been exposed included customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver's licence or passport numbers.
-
Prompt Injection/Extraction Attacks against AI Systems - Schneier on Security
This is an interesting attack I had not previously considered.
The variants are interesting, and I think we’re just starting to understand their implications.
-
I don’t know how to solve prompt injection
Some extended thoughts about prompt injection attacks against software built on top of AI language models such as GPT-3. This post started as a Twitter thread but I’m promoting it to a full blog entry here.
The more I think about these prompt injection attacks against GPT-3, the more my amusement turns to genuine concern.
I know how to beat XSS, and SQL injection, and so many other exploits.
I have no idea how to reliably beat prompt injection!
-
No more passwords? Passkeys explained in three questions
When signing up for a service, application or site (an online store, for example) with a passkey you will have to use a device that belongs to you: a smartphone, computer or a tablet. During registration, the smartphone will create two encrypted keys, which are unique and specific for each service. There is the private key, which remains on the smartphone, and the public key, held by the site or application in question.
Then, each time a connection is attempted, the service will pose a sort of riddle to the smartphone, a "challenge" that only the user will be able to solve thanks to its private key. Once this "challenge" is solved the user will then have to give their approval and prove that they are the owner of the smartphone, for example by putting their finger on the fingerprint reader, presenting their face, typing in a PIN or by drawing a pattern on the screen in order to finalize the connection.
-
Trolling forum Kiwi Farms admits being hacked
Kevin Beaumont, a cyber-pundit who also goes by his Twitter handle @GossiTheDog, said the hack had probably been augmented by a remote-code execution script called Troonshine that gathered data and credentials from users of the extremist forum and sent it to a website named after coded offensive language used by Kiwi Farms.
-
Is It Possible for Encryption to Harm Cybersecurity?
A second notable development has been the rise of cloud-based public resolvers, with examples being those operated by companies such as Google, Cloudflare and Quad9. Traditionally DNS services have mainly been provided by ISPs to their customers, but these cloud-based resolvers have offered an alternative option, one that seems primarily to have attracted the attention of more technically knowledgeable users rather than being a mass-market option.
Some have welcomed the emergence of these independent resolvers as it provides greater choice and enables them to overcome what they regard as the restrictive filtering policies adopted by their ISPs (NB these are often driven by the need to comply with regulatory requirements). A downside to these resolvers being used is that network operators may lose visibility of the characteristics of network traffic, affecting their ability to manage security risks and quality of service.