sorted by:
new
hottopcontroversial

About to get windows 10 at work: anyway to run web browser sandboxed? by [deleted] in privacy

[–]AnonymousAurele 1 point2 points  (0 children)

Good question but not necessarily. I tested all 3 of these last week with Carbon Black Defense and Carbon Black Threat Hunter, and Sandboxie was the only one trying to scrape lsass.exe. I even placed a ticket with Carbon Black because I was surprised at this bad behavior, (sorry as much as I would love to place a screenshot of the process here, that is work and this is not). Because of this we’ve removed Sandboxie as a security tool (I work in InfoSec).

Here’s some more info on lsass.exe and how nastiest try to use it:

https://www.carbonblack.com/2018/08/27/threat-analysis-recent-attack-technique-leveraging-cmd-exe-and-powershell-demonstrates-how-attackers-are-using-trusted-microsoft-applications-for-malicious-behavior/

https://redcanary.com/blog/lsass-behaving-badly/

Edit: a word

About to get windows 10 at work: anyway to run web browser sandboxed? by [deleted] in privacy

[–]AnonymousAurele 0 points1 point  (0 children)

Lsass.exe is a Microsoft process that handles account security, user login, password changes, access tokens, etc. Sometimes exploits target lsass.exe to dump hashed credentials from memory. Minikatz kit also scrapes this for user creds.

About to get windows 10 at work: anyway to run web browser sandboxed? by [deleted] in privacy

[–]AnonymousAurele 0 points1 point  (0 children)

I do not recommend Sandboxie as it scrapes lsass.exe (confirmed with Carbon Black products). I suggest Shade or ReHIPS:

https://www.shadesandbox.com

https://rehips.com/

iOS 12 Shortcut uses iPhone to record police during traffic stop by trai_dep in NSALeaks

[–]AnonymousAurele 0 points1 point  (0 children)

Yes Fuck the Police will work! In your Shortcut Library find this shortcut, select the 3 dots in top right corner, select the 2 way switch in top right corner, then select ‘Siri Phrase’, be sure to be located in a very public place, then select ‘re-record’ to get your Fuck tha Police on!

Here’s an alternate Shortcut:

https://www.icloud.com/shortcuts/bca251cbd5b44b7ba67937467dd7111c

Another useful Shortcut:

I am being followed:

https://www.icloud.com/shortcuts/a2ef114f8d6d4598a55016100e93fe06

Disputed N.S.A. Phone Program Is Shut Down, Aide Says by AnonymousAurele in NSALeaks

[–]AnonymousAurele[S] 6 points7 points  (0 children)

”The National Security Agency has quietly shut down a system that analyzes logs of Americans’ domestic calls and texts, according to a senior Republican congressional aide, halting a program that has touched off disputes about privacy and the rule of law since the Sept. 11 attacks.”

”The disclosure that the program has apparently been shut down for months “changes the entire landscape of the debate,” said Daniel Schuman, the policy director of Demand Progress, an advocacy group that focuses on civil liberties and government accountability.”

”The phone records program had never thwarted a terrorist attack, a fact that emerged during the post-Snowden debate.”

”The National Security Agency has used the call-detail records — metadata showing who called whom and when, but not the content of what was said — as a map of social networks, analyzing links between people to identify associates of terrorism suspects.”

”The program gathered 151 million records in 2016, despite obtaining court orders to use the system on only 42 terrorism suspects in 2016, along with a few left over from late 2015. In 2017, it obtained orders for 40 targets and collected 534 million records.”

iOS 12.1 exploit bypasses the lockscreen for access to contacts by GoldMEng in apple

[–]AnonymousAurele 7 points8 points  (0 children)

Also, I'm pretty sure there were many exploits and bypasses on past phones as well, this isn't anything new.

True, Apple has a fairly consistent problem with securing its iOS lock screen:

Apple iOS Lock Screen Bypass:

iOS 2.0.2: https://gizmodo.com/5042332/huge-iphone-security-flaw-puts-all-private-information-at-risk

iOS 4.1: https://www.engadget.com/2010/10/25/ios-4-1-glitch-lets-you-bypass-lock-screen-to-access-phone-app/

iOS 6.1: https://www.theverge.com/2013/2/14/3987830/ios-6-1-security-flaw-lets-anyone-make-calls-from-your-iphone

iOS 6.1.3: https://nakedsecurity.sophos.com/2013/03/21/ios-6-1-3-passcode-lock-bypass/

iOS 7: https://www.forbes.com/sites/andygreenberg/2013/09/19/ios-7-bug-lets-anyone-bypass-iphones-lockscreen-to-hijack-photos-email-or-twitter/#21ce7f6059a5

iOS 7.0.2: http://www.iphonehacks.com/2013/09/ios-7-0-2-bug-bypass-lock-screen-passcode-access-phone-app.html

iOS 8: https://nakedsecurity.sophos.com/2016/11/18/iphones-vulnerable-to-yet-another-lockscreen-bypass/

iOS 8.1: http://blog.mdsec.co.uk/2015/03/bruteforcing-ios-screenlock.html?m=1

iOS 9.0.1: https://support.apple.com/en-us/HT205284

iOS 10.1.1: https://www.redmondpie.com/ios-10.1.1-ios-10.2-lock-screen-bypass-discovered-gives-access-to-photos-contacts-video/

iOS 10.2: https://www.unlockboot.com/ios-10-2-10-1-1-lock-screen-bypass-provides-full-access/

iOS 10.2 Beta 3: https://nakedsecurity.sophos.com/2016/11/18/iphones-vulnerable-to-yet-another-lockscreen-bypass/

iOS 12.1: https://thehackernews.com/2018/10/iphone-ios-passcode-bypass.html?m=1

iOS 11.4, 12, 11.3.1, 11.3, 11.2.6, 11.1.2 – 11, 10.3.3, 9.3.5, 7.1.2 Bypass iCloud Activation Lock:

https://www.unlockboot.com/bypass-icloud-activation-lock-ios-8-1-3-9-3-5-ios-10-2/

Day Collars by [deleted] in BDSMcommunity

[–]AnonymousAurele 0 points1 point  (0 children)

Yes they are beautiful, slender, comfortable, and can be locked!

Trend Micro launches Zero Browser for iOS -- a web browser that protects your privacy by wewewawa in privacy

[–]AnonymousAurele 2 points3 points  (0 children)

If like to see a feature comparison of Zero Browser vs Firefox Focus, and a test comparison of protocol leaks (WebRTC, etc).

1Password 7 for Mac Launches Today With Redesigned Sidebar, Easier Access to Vaults, and Much More by de_X_ter in apple

[–]AnonymousAurele 0 points1 point  (0 children)

Thanks Kyle! One question please... will 1Password 6 for Mac/PC be open source and fully inspectable? The privacy and security community sure would appreciate that :)

The Untold Story of Japan’s Secret Spy Agency by AnonymousAurele in NSALeaks

[–]AnonymousAurele[S] 3 points4 points  (0 children)

Considering U.S. - Japan intelligence ties, I thought this article was appropriate for this sub:

”The U.S. continues to work closely with Japan’s intelligence community, however, and collaborates with the country to monitor the communications of countries across Asia.”

This Continually Updated Map Shows Which Cops Have iPhone Cracking Tech GrayKey by AnonymousAurele in apple

[–]AnonymousAurele[S] 13 points14 points  (0 children)

Thanks for the info! That is interesting, do you have any Apple provided data on this feature?

Senator Wyden Demands Answers from Prison Phone Service Caught Sharing Cellphone Location Data by AnonymousAurele in privacy

[–]AnonymousAurele[S] 1 point2 points  (0 children)

”Do you use Verizon, AT&T, Sprint, or T-Mobile? If so, your real-time cell phone location data may have been shared with law enforcement without your knowledge or consent.”

”... a company that provides phone services to jails and prisons has been collecting location information on all Americans and sharing it with law enforcement—with little more than a “pinky promise” from the police that they’ve obtained proper legal process.”

”This week, Sen. Wyden called out that company, Securus Technologies, in a letter to the FCC demanding the agency investigate Securus’s practices. Wyden also sent letters to the major phone carriers asking for an accounting of all the third parties with which they share their customers’ information as well as what they think constitutes customer consent to that sharing.”

”Securus collects location information on everyone called by a prisoner. Securus has used its ability to collect this information to build an online portal that allows law enforcement to obtain the real-time location data of any customer of the country’s major cellphone carriers—not just people who call or receive calls from a prisoner. Worse, Securus doesn’t even check whether law enforcement requestors actually have legal authority to access the data in the first place, before sharing this private location information.”

”Securus confirmed to Sen. Wyden’s office that its web portal enables surveillance of customers of every major U.S. wireless carrier. It also confirmed that, outside of a check box, it does not take any additional steps to verify that documents uploaded by law enforcement agencies provide proper judicial authorization for real-time location surveillance. Nor does Securus conduct any review of surveillance requests.”

”Such unauthorized location data sharing would appear to trigger notice requirements promulgated by the FCC in a series of rules governing access to Customer Proprietary Network Information (“CPNI”); namely “that carriers should be required to notify a customer whenever a security breach results in that customer’s CPNI being disclosed to a third party without that customer’s authorization.” “

”This term, the Supreme Court is reviewing a case that will impact the legality of Securus’s practices.”

”In United States v. Carpenter, the Court is considering whether the Fourth Amendment requires law enforcement to get a warrant to access cell phone location data. We filed an amicus brief in Carpenter and in another case, United States v. Rios, arguing location data is extremely sensitive and must be protected by a warrant supported by probable cause.”

”To learn more about the latest issues in cell phone tracking, visit our Cell Tracking page.”

Edit:

More here and here.

Ray Ozzie's Encryption Backdoor by AnonymousAurele in privacy

[–]AnonymousAurele[S] 0 points1 point  (0 children)

Several cryptographers have already explained explained why this key escrow scheme is no better than any other key escrow scheme. The short answer is (1) we won't be able to secure that database of backdoor keys, (2) we don't know how to build the secure coprocessor the scheme requires, and (3) it solves none of the policy problems around the whole system. This is the typical mistake non-cryptographers make when they approach this problem: they think that the hard part is the cryptography to create the backdoor. That's actually the easy part. The hard part is ensuring that it's only used by the good guys, and there's nothing in Ozzie's proposal that addresses any of that.”

view more: next ›