Heads up: Tomorrow (Thursday 12) I'll be with @7Rocky at #BlackHatEurope 2024 presenting the OBD-II exploitation tool "pwnobd" at Arsenal Station 1. We'll have a demonstrator where you can try attacks against and leveraging OBD-II dongles in a simulated CAN environment, and we'll be showing off a few cool findings we made with this tool. If you wanna talk about vehicle security, come see us at Arsenal Station 1 in the Business Hall between 12:45 and 14:00.

#BlackHat #BHEU2024 #BlackHatEurope2024 #cybersecurity #obd #opensource #can

@godotengine This is a defender's problem with software frameworks in general, by the way; piggybacking off a new but somewhat established software framework is always an easy, low-cost way to make fully-undetectable malware. Game engines are just especially problematic in this regard due to how difficult it is to sandbox applications that require graphics acceleration.

@godotengine In comparison to other engines:

- With Unity, you either have dotnet assemblies (which can be easily reverse-engineered using existing tools and could be easily fingerprinted and triaged against known-good hashes) or IL2CPP binaries (which are clearly delimited from the rest of the code and for which there's already tooling to uncover symbols and whatnot). Some games may also come with custom scripting runtimes, but I'd say these can be automatically flagged for further analysis in most cases.

- Unreal does share similar issues as Godot in this regard, though (including source code access, which last time I checked you could have for free even if the engine is not open-source). But I recall Unreal being a complete pain in the arse to export for platforms other than Windows, and it just being less accessible in general, especially at lower levels.

In both cases, games for both engines do at least work reliably on Windows Sandbox (albeit with levels of performance varying from "alright" to "PowerPoint presentation").

@godotengine Damn, took threat actors long enough.

I've long held a pet theory that writing malware using Godot would give a threat actor a fairly good return on investment even when comparing other engines. That said, I don't think this is Godot's fault; IMO it is still difficult to safely run untrusted games and Windows still lacks serious sandboxing capabilities that are available for all users. On Linux you can at least use something like firejail or bubblewrap or Bottles… and even those options feel somewhat lacking or dauting for the average user.

Most Godot games out there cannot be run on W10 Windows Sandbox due to requiring Vulkan or OpenGL (this is the "anti-sandbox technique" Checkpoint Research talks about, and for the average malware sandbox I'd say this applies with any game engine), although this was fixed in Godot 4.3 with the addition of DirectX support. With Windows Sandbox being IMO the most user-friendly way to run untrusted Windows application, this makes it more difficult for an end user to safely run any untrusted Godot game.

Plus, you got a fully-fledged scripting engine out of the box that cannot be introspected by AMSI on Windows (not that it does a lot on red team scenarios anyway) and the engine is open source and single-executable so it's easy to add new capabilities at the C++ level and break existing reversing tools, with everything being compiled to a huge executable that makes Ghidra sweat (and gamedevs especially pre-4.0 can often end up shipping custom versions of the engine with added extensions, so you cannot just do a similarity analysis and discard executables that deviate too much from upstream without getting some significant false positives).

While encouraging gamedevs to lean towards web exports, I've also seen a lot of indie devs out there be frustrated with them in most game engines for various reasons, and now there seems to be an gamedev culture of "please download the game if you experience performance issues", setting the end user expectative and making the issue worse.

All in all, this is more of a systemic issue; the state of cybersecurity on gaming just sucks.

@chloe There's a lot of VNC devices on VNCResolver coming from Fortinet's ASN, last time I checked. I am almost certain this is part of their training/customer demo infrastructure. I've seen a few "attacker simulation" Kali boxes there too.

@ckure This will unfortunately never go away for one reason: FFmpeg existing as a software that many other software projects wanna use as the best library to manipulate media. Because may god forgive you if you want to deal with media format patents (and GPL)… so it's back to using it as a command in order to avoid all of that. Plus, it being a complex piece of software way more used standalone than it is with the API, it's always easier to search for and adapt usage examples for the command than it is for the API.

And yet, yep, I've found it's often the easiest way to get anywhere from directory traversal to DoS or sometimes even RCE in any project that uses it. It's a sad state of affairs, honestly.

Edit: yeah, I've seen cases where even doing it properly with a list instead of string concatenation still results in a vulnerability. Although it *does* mitigate some of the worst problems.

I've been doing information security for more than a decade. I have trained people, written organization policies, built systems with security in mind.

And yet a few days ago I almost lost money to a phishing campaign pretending to be my infrastructure provider asking me to "update my payment details."

I was tired. I clicked the link, followed the instructions.

What saved my bacon is that I opened the link in a private-mode browser window, where I was not logged into my provider's system.

The Reverse Engineering community has spoken. #Diaphora will be ported to #Ghidra in the next months. I would love to have it working properly by the end of the year, but I cannot be sure. So, no ETA for now.

Regarding the "unspecified Linux vulnerability" that the author has been "hyping the shit out of" (their words) all week -

It's accidentally leaked, due to an unpaid open source maintainer making a boo boo.

It's in CUPS, a printing subsystem. It isn't Linux specific.

CUPS isn't faced much to the internet, I've checked and done a Shodan Safari. It also isn't installed by default on Linux server installs for almost all distros.

It's not a big deal, update packages are dropping, don't panic.

Heads up to Kia owners/potential buyers: Today, a group of independent security researchers revealed that they'd found a flaw in a web portal operated by the carmaker Kia that let the researchers reassign control of the internet-connected features of most modern Kia vehicles—dozens of models representing millions of cars on the road—from the smartphone of a car’s owner to the hackers’ own phone or computer. By exploiting that vulnerability and building their own custom app to send commands to target cars, they were able to scan virtually any internet-connected Kia vehicle’s license plate and within seconds gain the ability to track that car’s location, unlock the car, honk its horn, or start its ignition at will.

https://www.wired.com/story/kia-web-vulnerability-vehicle-hack-track/

https://www.youtube.com/watch?v=IDAWbzQFqqk

Very interesting! I think this theory from HGModernism about #youtube "name-spam" bots does have some merit. I suspect attackers may be looking to peform an oracle attack against a content creator's keyword blocklist in order to reveal some of the blocked words (particularly people names), or some other part of YouTube's anti-spam system.

#threatintel #cybersecurity #video #contentmoderation

@hacks4pancakes
"You've been part of a breach."
"Which one?"
* gestures at everything *

Starting Thursday, Kaspersky deleted its anti-malware software from computers across the United States and replaced it with UltraAV's antivirus solution without warning.

https://www.bleepingcomputer.com/news/security/kaspersky-deletes-itself-installs-ultraav-antivirus-without-warning/

@Dee

#Discord told me on #HackerOne that this isn't a security #vulnerability, so cool, I'll talk about it publicly.

You can disable 2FA¹ on another person's account if you get access to their phone momentarily.

All you have to do is create a new account and put their phone number in as the login; if you verify the code, it strips it from the other account with no warning, and they can't take it back.

So have fun I guess?

¹ SMS is not #2FA

#infosec

@againsthimself wow, this is truly incredible satire, and at the same time a humbling read. I don't know how I have never read this before.

Seems like a good day to revisit James Mickens' the only two threat models: regular and Mossad.

https://www.usenix.org/system/files/1401_08-12_mickens.pdf

This is your daily reminder that ad blockers and not clicking Google and other search ads are a good way to reduce your attack surface to some of the latest malware distribution methods. I'm currently putting together research on a couple of different malware / initial access tool delivery channels that use malvertising as their main method of distribution, using... *shocked face* compromised WordPress blogs as repositories.

Fuite de données chez Boulanger, Truffaut, Divia, PepeJeans, Grobill et Cultura, 27 millions de personnes touchés.

👉 Nom,
👉 Prénom,
👉 Date de naissance,
👉 Numéro Téléphone,
👉 Adresse postale complète,
👉 Coordonnées géographiques (latitude et longitude),
👉 Email,
👉 IBAN

> https://next.ink/149551/boulanger-cultura-diviamobilites-les-fuites-de-donnees-se-multiplient/

Pensez à changer de nom, de date de naissance, de téléphone et à déménager et changer de banque...

En vrai soyez vigilant envers les mails, les sms, les appels téléphoniques, les courriers voir les démarcheurs qui pourraient débarquer chez vous.
Le risque de Phishing ou d'arnaque est important.
Le risque d'usurpation d'identité est aussi majeur avec toutes ces données...

Le hackeur dit aussi posséder des données "assurance retraite" mais on ne sait pas de quoi il s'agit pour l'instant

#infosec #leak

hi #infosec #cybersecurity fedi, I need your help. What are your best tips and resources to get a first contact in and handle responsible security disclosure? All stakeholders involved are/seem to be within Europe, in this case. No security.txt that I can find.