Among the privacy-conscious, Proton is a very well-known name, thanks to their wide range of products and services that make it a major player in the space.
Just recently, Proton Pass launched Secure Links for safe, convenient password sharing.
Only the recipient can see the contents of these secure links, with the sender having a great deal of control over the link. Using the Proton Pass app (Web and Mobile), they can set an expiry period (1 hour-30 days), limit how many times it can be viewed, and, of course, revoke access to it.
And for a limited time, they are helping more people take advantage of secure sharing and other advanced features by offering a year of Pass Plus for only $12. You not only get Secure Links but also unlimited vaults and hide-my-email aliases, Dark Web Monitoring, the Proton Sentinel security program, integrated 2FA authenticator, and more. This offer ends July 21.
Check this link for more details on the new feature and the discount.
@kalilinux
Early last year, a hacker gained access to the internal messaging systems of OpenAI, the maker of ChatGPT, and stole details about the design of the company’s A.I. technologies.
The executives did not consider the incident a threat to national security because they believed the hacker was a private individual with no known ties to a foreign government. The company did not inform the F.B.I. or anyone else in law enforcement!
Fears that a hack of an American technology company might have links to China are not unreasonable. Last month, Brad Smith, Microsoft’s president, testified on Capitol Hill about how Chinese hackers used the tech giant’s systems to launch a wide-ranging attack on federal government networks.
Read more...
@Kalilinux
A critical GitLab vulnerability could allow an attacker to run a pipeline as another user
This week, GitLab released new versions of its Community (open source) and Enterprise Editions.
The updates include fixes for 14 different security issues, including cross site request forgery (CSRF), cross site scripting (XSS), denial of service (DoS), and more. One of the issues is deemed of low severity according to the Common Vulnerability Scoring System (CVSS), nine are of medium severity, and three are high — but there's also one critical bug with a CVSS score of 9.6 out of 10.
The CVE-2024-5655, affects GitLab versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, according to the company.
It enables an attacker to trigger a pipeline as another user, but only under circumstances which GitLab did not elaborate on (nor did it provide any other information about the vulnerability).
source
@Kalilinux
Julian Assange fiance, Stella Assange, revealed that his journey to freedom will personally cost Julian a staggering $520,000 USD.
She set up a platform that could only take credit/debit cards and bank payments and people asked if there was a Bitcoin address where they could donate. So Julian's brother, Gabriel, set up a Bitcoin donation channel to raise donations.
And now with an 8 Bitcoin donation (worth about $500k USD) recorded to an on-chain address posted by Stella Assange, Julian’s fiancee, it appears the Bitcoin community is resolved to support Julian and his family.
@Kalilinux
source
A jailbroken version of GPT-4o hit the #ChatGPT website this week, lasting only a few precious hours before being destroyed by #OpenAI
Twitter user "Pliny the Prompter," who calls themselves a white hat #hacker and "AI red teamer," shared their "GODMODE GPT" on Wednesday. Using OpenAI's custom #GPT editor, Pliny was able to #prompt the new GPT-4o model to bypass all of its restrictions, allowing the #AI #chatbot to swear, jailbreak cars, and make napalm, among other dangerous instructions.
@Kalilinux
https://www.tomshardware.com/tech-industry/artificial-intelligence/godmode-gpt-4o-jailbreak-released-by-hacker-powerful-exploit-was-quickly-banned
VPNs are mainly useful for one thing: routing your network connection through a different network.
Today, many people use a VPN in situations where they don't trust their local network. But the TunnelVision method of exploiting DHCP, makes it clear that using an untrusted network is not always an appropriate threat model for VPNs because they will not always protect you if you can't trust your local network.
https://www.eff.org/deeplinks/2024/05/wider-view-tunnelvision-and-vpn-advice
@Kalilinux
Sounds like the justice department is on steroid nowadays!
The alleged owner and operator of Incognito Market, a dark web marketplace for selling illegal narcotics online, was arrested at the John F. Kennedy Airport in New York on May 18
@Kalilinux
Yesterday The New York Times unveiled that General Motor's had accidentally enrolled millions of people into its "OnStar Smart Driver+" program. If consumers chose to not enroll through the phone app – it would do it anyways.
Unenrolling requires consumers to contact OnStar customer support line. However, some people do not trust them and have turned to stripping the electronic devices from their car.
The OnStar Smart Driver+ data was being sold to LexisNexis, and insurance companies, to modify insurance rates. The data sold was invasive and logged:
- Number of trips
- Miles driven
- Minutes driven
- Hard-brake vents
- Rapid accelerates
- Speeding events
The reporter from the New York Times requested a copy of their data and received it. See attached image.
@Kalilinux
Source
Source
DDoS
Logstalgia is a visualization tool that graphically repeats the web server access sequences simulating a retro arcade game.
The left column shows the IPs that make the requests. The right-hand column is the resource on the server (url), it can be an html file, an image, etc. The "points" that travel are the requests/responses, and lastly, the 200s you see is the code that the web server returns (Http response code) to the requests.
source
Millions of customers' data found on dark web in latest AT&T data breach
AT&T said the information included in the compromised data set varies from person to person. It could include social security numbers, full names, email and mailing addresses, phone numbers, and dates of birth, as well as AT&T account numbers and passcodes.
@kalilinux
https://www.npr.org/2024/03/30/1241863710/att-data-breach-dark-web
Russian state-backed hackers gained access to some of Microsoft’s core software systems in a hack first disclosed in January, the company said Friday, revealing a more extensive and serious intrusion into Microsoft’s systems than previously known.
Microsoft believes that the hackers have in recent weeks used information stolen from Microsoft’s corporate email systems to access “some of the company’s source code repositories and internal systems,” the tech firm said in a filing with the US Securities and Exchange Commission.
@kalilinux
https://www.bleepingcomputer.com/news/microsoft/microsoft-says-russian-hackers-breached-its-systems-accessed-source-code/
European consumer rights groups are accusing Meta, of carrying out a “massive” and “illegal” operation. The buzz is all about Meta's pay-or-consent model, arguing that this “pay-or-consent” approach was an example of an unfair and “aggressive” commercial practice prohibited under EU law.
Meta disputes the allegations.
The European Consumer Organisation (BEUC), an umbrella body for 45 consumer groups, said eight of the groups were filing complaints with their respective national data protection authorities Thursday.
More on this Issue:
https://www.cnn.com/2024/02/29/tech/meta-data-processing-europe-gdpr/index.html
@kalilinux
In a YouTube video, security researcher Stacksmashing demonstrated that hackers can extract the BitLocker encryption key from Windows PCs in just 43 seconds using a $4 Raspberry Pi Pico.
@kalilinux
https://www.youtube.com/watch?v=wTl4vEednkQ
@kalilinux
No; It's not sponsored and we were not paid to advertise it.
A rather interesting Bitcoin transaction was published and confirmed somewhere around two days ago.
it sends BTC to a non-standard bitcoin address that only contains 2 bytes ("bc1pfeessrawgf") where the standard is for addresses to be 20 bytes long.
that nonstandard address should appear on bitcoin explorers as the plain text term "non-standard" but the transaction author knew that mempool.space has a naive/buggy address parser and exploited that to make the address look like a valid-but-incredibly-short segwit address.
the transaction seems to attempt use every form of valid bitcoin input and output type: p2pk (the oldest output type, where you send money directly to someone's public key), legacy (the format widely used from 2010 to 2017 -- also tied for oldest, since Satoshi included this format as a non-default option in bitcoin v0), "bare multisig" where the output is a list of two or more public keys, P2SH multisig where the output is a "hash" of two or more public keys, "nested segwit," "native segwit v0," segwit v1 (i.e. taproot), plus two unusual lightning-related utxos: an in-flight HTLC and a force closure tx.
the input amounts contain several interesting numbers:
. 6102 is the executive order by which Roosevelt implemented a partial ban on self-custodied gold in the USA
. 1913 is the year he did that
. 1971 is the year the USA abandoned the gold standard
. 2140 is the year bitcoin's block subsidy stops
and so many more interesting references.
And its OP_RETURN is "Not your inputs, not your outputs"!
You can check this transaction here and read about it here in the stacker.news
@Kalilinux
The remote access software company TeamViewer is warning that its corporate environment was breached in a cyberattack yesterday, with a cybersecurity firm claiming it was by an APT hacking group
source 01
source 02
@Kalilinux
Have you already heard the news about GitHub and the css injection thing?
Today following the CSS injection discovered by x account 'cloud11665', security researcher 'vmfunc' discovered you can also create ReadMe files which force log people out of their GitHub profiles. Oh, and you can make IP grabbers!
The GitHub CSS Injection which was patched a few hours ago has already been bypassed.
Internet nerds are returning with wrath as they resume anime backgrounds and anime banners.
@Kalilinux
911S5 Botnet Dismantled and Its Administrator Arrested in Coordinated International Operation
Botnet Infected Over 19M IP Addresses to Enable Billions of Dollars in Pandemic and Unemployment Fraud, and Access to Child Exploitation Materials
@Kalilinux
https://www.justice.gov/opa/pr/911-s5-botnet-dismantled-and-its-administrator-arrested-coordinated-international-operation
New Windows AI feature records everything you’ve done on your PC. Recall uses AI features "to take images of your active screen every few seconds."
https://arstechnica.com/gadgets/2024/05/microsofts-new-recall-feature-will-record-everything-you-do-on-your-pc/
@Kalilinux
@Kalilinux
https://www.bleepingcomputer.com/news/security/fbi-seize-breachforums-hacking-forum-used-to-leak-stolen-data/
Last November, NASA's Voyager 1 sent home garbled data, and engineers traced the problem to the flight data subsystem (FDS). The problem turned out to be a single chip in the FDS memory. They couldn't repair the chip but could move the affected code into sections and store them in different parts of the FDS system. They tested the new system this week, sending signals to the Voyager 1, 22.5 light-hours away. It worked, and Voyager 1 is back.
@Kalilinux
Source
@kalilinux 😅😂
elhackernet/111976624479158820">source
The xz package, starting from version 5.6.0 to 5.6.1, was found to contain a backdoor. The impact of this vulnerability affected Kali between March 26th to March 29th. If you updated your Kali installation on or after March 26th, it is crucial to apply the latest updates today.
This backdoor could potentially allow a malicious actor to compromise sshd authentication. If you did not update your Kali installation before the 26th, you are not affected by this backdoor vulnerability.
More information can be found at:
https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor/
And
https://www.openwall.com/lists/oss-security/2024/03/29/4
If you would like to be sure that you are up to date and not affected by this vulnerability, you can do the following to upgrade your local version of the package:
sudo apt update && sudo apt install —only-upgrade liblzma5
Full blog post:
https://www.kali.org/blog/about-the-xz-backdoor/
@kalilinux
Exploiting a vulnerability in Telegram's system that allows for matching user IDs with phone numbers
Russian security forces and officials employ a system known as "Insider," alongside Telegram bots, to de-anonymize users by exploiting a vulnerability in Telegram's system that allows for matching user IDs with phone numbers, thereby revealing their identities. This system, which utilizes leaked databases from sources like Yandex and Wildberries, is part of a broader initiative called "Demon of Laplace," aimed at monitoring social networks and identifying activists. The purchase of "Insider" by authorities, under contracts signed by several Russian regional departments, is funded by budget money.
The developer behind "Insider," Evgeny Venediktov, is known for his controversial past, and the legality of employing such systems for de-anonymization purposes raises significant questions under Russian law.
STATISTICS:
- More than 76 million mobile numbers are loaded into the "Insider" system from leaked databases.
- One license for "Laplace's Demon" costs on average 500 thousand rubles. ($5500 USD)
- In 2019, the database used had 10 million numbers, which has now grown to more than 76 million.
@kalilinux
Sources: [researcher lordx64 - zakharovchannel]
OpenAI publishes Elon Musk’s emails. ‘We’re sad that it’s come to this’
In the emails, parts of which have been redacted, Musk argues that the company stood virtually no chance of building a successful generative AI platform by raising cash alone, and the company needed to find alternate sources of revenue to survive.
OpenAi just announced Sora, a video generating Ai. Sora can generate videos up to a minute long while maintaining visual quality and adherence to the user’s prompt. The model understands not only what the user has asked for in the prompt, but also how those things exist in the physical world. Sora can also create multiple shots within a single generated video that accurately persist characters and visual style.The current model has weaknesses. It may struggle with accurately simulating the physics of a complex scene, and may not understand specific instances of cause and effect. For example, a person might take a bite out of a cookie, but afterward, the cookie may not have a bite mark. more on that in the OpenAi's website:
https://openai.com/sora
@kalilinux
AnyDesk confirmed today that it suffered a recent cyberattack that allowed hackers to gain access to the company's production systems. BleepingComputer has learned that source code and private code signing keys were stolen during the attack.
https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/
@kalilinux
Apple’s Proposed Changes Reject the Goals of the DMA
@Kalilinux
https://newsroom.spotify.com/2024-01-26/apples-proposed-changes-reject-the-goals-of-the-dma/
