CRYPTOGRAPHY BUG BOUNTY

TYPE #1 Reward: $300K - $1M
TYPE #2 Reward: $12,000

We've extensively researched cryptography and developed a simple standalone linux app that doesn't require network access, you can also monitor network to ensure security. App is automated and controllable through bash. bugs type #2 is only have one purpose but finding a type #1 bugs, which serves a dual purpose: advancing the development of the new generation of blockchain and type #1 data refers to cryptocurrencies that have remained transaction-free since 2009, guaranteeing their lack of ownership... If you discover type #1 bug, you could be rewarded generously and your life could greatly improve. we firmly believe that more hands and our collective knowledge hold immense power.

System requirements: README
Special Bonus: If someone discovers bug type #2 for the second time, they shall be rewarded twofold.

Contract me: @THEALFA

Reports: 0 Last paid: $0
Last updated: 1 SEP 2023

It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Ah, the wind in your hair, the open road ahead, and not a care in the world… except all the trackers, cameras, microphones, and sensors capturing your every move. Ugh. Modern cars are a privacy nightmare.

Car makers have been bragging about their cars being “computers on wheels" for years to promote their advanced features. However, the conversation about what driving a computer means for its occupants' privacy hasn’t really caught up. While we worried that our doorbells and watches that connect to the internet might be spying on us, car brands quietly entered the data business by turning their vehicles into powerful data-gobbling machines. Machines that, because of their all those brag-worthy bells and whistles, have an unmatched power to watch, listen, and collect information about what you do and where you go in your car.

https://foundation.mozilla.org/en/privacynotincluded/articles/its-official-cars-are-the-worst-product-category-we-have-ever-reviewed-for-privacy/

#privacy #security
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Hacking Meduza: Pegasus spyware used to target Putin’s critic

An investigation by Access Now and the Citizen Lab at the Munk School of Global Affairs at the University of Toronto (the Citizen Lab) has revealed that the iPhone of journalist Galina Timchenko, head of Meduza, a leading Russian independent media outlet based in Latvia, has been infected with Israeli firm NSO Group’s Pegasus spyware. The spyware attack took place two weeks after the Russian government declared Meduza an “undesirable organization” for its critical coverage of Vladimir Putin’s regime and the war in Ukraine. At the same time, some European political leaders were publicly arguing for surveillance of all Russians in exile. This is the first documented case of a Pegasus infection of a Russian journalist.

https://www.accessnow.org/publication/hacking-meduza-pegasus-spyware-used-to-target-putins-critic/

#pegasus #spyware
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

GameLauncher: A WIP replacement for samsungs gamelauncher which respects your privacy

GameLauncher is an app to see all your games in one place but without tracking.

GameLauncher is an open-source replacement for proprietary game-launchers from samsung and other manufacturers. It works without a network connection and collects absolutely no data about you. Simply launch the app and all your apps will be there. Still WIP!

https://github.com/0xFOSSMan/GameLauncher

#foss #opensource #gamelauncher
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Using silent SMS to localize LTE users

Proof of concept implementation

In this blog post, I’ll dive into an intriguing technique – using silent SMS messages to track LTE users’ locations. We’ll see how an attacker could send silent SMS messages with a defined pattern and analyze LTE traffic to verify the victim location.

https://mandomat.github.io/2023-09-21-localization-with-silent-SMS/

#silentsms #proofofconcept #lte #sms
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Your child’s privacy is worth more than likes

Sharenting and its implications for children's privacy

Some parents love to share pictures and videos of their children online. Pictures of the newborn baby or that first smile; a video with the first steps, the first visit to the swimming pool, parties, trips, family moments; then perhaps posts with funny stories, intriguing questions, and even sensitive conversations, such as a teenager revealing to the parent that they are non-binary. This behavior even has a name: sharenting, or documenting your child’s life online. And it has serious implications for children's privacy.

https://www.theprivacywhisperer.com/p/your-childs-privacy-is-worth-more

#privacy #children #sharenting
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Thou Shalt Not Reject: Analyzing Accept-Or-Pay Cookie Banners on the Web

Privacy regulations have led to many websites showing cookie
banners to their users. Usually, cookie banners present the user
with the option to “accept” or “reject” cookies. Recently, a new form
of paywall-like cookie banner has taken hold on the Web, giving
users the option to either accept cookies (and consequently user
tracking) or buy a paid subnoscription for a tracking-free website
experience.

In this paper, we perform the first completely automated analysis
of cookiewalls, i.e., cookie banners acting as a paywall.

https://www.devashishgosain.com/assets/files/paper-cameraready.pdf

#pdf #cookies #banner
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Reflections of the Israel-Palestine Conflict on the Cyber World

In the midst of the ongoing Israel-Palestine conflict, a notable upsurge of hacktivist collectives has emerged, announcing an unceasing barrage of digital assaults directed at a wide range of targets from both sides of the conflict.

This situation unfolds as a response to the ongoing Israel-Palestine conflict, which involves Palestinian militant groups led by Hamas initiating a large-scale offensive originating from the Gaza Strip and targeting Israel.

Although the cyber world sometimes seems like a stand-alone entity, it must be a reflection of the physical world, so just like the hacktivism resurgence that came with the Ukraine-Russia war, this sad conflict situation for humanity will also show an increasing business of war in the cyber world.

https://socradar.io/reflections-of-the-israel-palestine-conflict-on-the-cyber-world/

Read as well:
https://www.dnaindia.com/india/report-israel-palestine-conflict-how-indian-hackers-sunk-their-cyber-fangs-into-hamas-palestinian-national-bank-3063682

#cyberwar
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

An analysis of an in-the-wild iOS Safari WebContent to GPU Process exploit

In April this year Google's Threat Analysis Group, in collaboration with Amnesty International, discovered an in-the-wild iPhone zero-day exploit chain being used in targeted attacks delivered via malicious link. The chain was reported to Apple under a 7-day disclosure deadline and Apple released iOS 16.4.1 on April 7, 2023 fixing CVE-2023-28206 and CVE-2023-28205.


Over the last few years Apple has been hardening the Safari WebContent (or "renderer") process sandbox attack surface on iOS, recently removing the ability for the WebContent process to access GPU-related hardware directly. Access to graphics-related drivers is now brokered via a GPU process which runs in a separate sandbox.


Analysis of this in-the-wild exploit chain reveals the first known case of attackers exploiting the Safari IPC layer to "hop" from WebContent to the GPU process, adding an extra link to the exploit chain (CVE-2023-32409)

https://googleprojectzero.blogspot.com/2023/10/an-analysis-of-an-in-the-wild-ios-safari-sandbox-escape.html

#ios #exploit
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Counter-OSINT & privacy guide: how to protect your personal data

https://github.com/soxoj/counter-osint-guide-en

#osint #guide
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Persistent cross-site noscripting vulnerabilities in Liferay Portal

In 2023 we found multiple vulnerabilities in Liferay Portal, a digital experience platform for enterprise websites. It is a free and open-source software project. A few thousand installations on the Internet not suppressing the Liferay-Portal HTTP response header can be found via special purpose search engines.

The Liferay Portal in the Community Version is the foundation for the web interface of Liechtenstein's electronic health portal. That's the reason we got involved with the portal software – not as a customer pentest project, but out of interest. We wrote a blog post about the Liechtenstein's electronic health portal (blog post is in German). We reported our findings regarding the Liferay Portal to Liferay in order to get them addressed. Now we are releasing technical details about the vulnerabilities.

Another vulnerability we mentioned in the health portal is a Denial of Service attack, where a nested Graph QL query is not restricted by the portal and which consumes available resources leading to a Denial of Service. This vulnerability is known to Liferay.

Just so there are no misunderstandings: We did not try to use these vulnerabilities against Liechtenstein's electronic health portal.

https://www.pentagrid.ch/en/blog/stored-cross-site-noscripting-vulnerabilities-in-liferay-portal/

#vulnerabilities #liferay
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

💡 So, ad blockers violate YouTube ToS? Good, because user agent spoofers don't.
Change your user agent to Windows Phone to disable ads. 💡

https://files.enderman.ch/noscripts/yt-antiadblocker.mp4

#antiadblocker #youtube #adblocker
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

A step-by-step Android penetration testing guide for beginners

Greetings fellow hackers, my name is Sandy, Security Analyst and Bug bounty hunter.

As I’m presently engaged in Android penetration testing, I’d like to relay my experiences with you, as they may prove beneficial in addressing some of the inquiries, I had difficulty resolving answers too, without more introductions let’s get started.

https://infosecwriteups.com/a-step-by-step-android-penetration-testing-guide-for-beginners-8435e5e969a3

#android #pentest
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Marketing Company Claims That It Actually Is Listening to Your Phone and Smart Speakers to Target Ads

A marketing team within media giant Cox Media Group (CMG) claims it has the capability to listen to ambient conversations of consumers through embedded microphones in smartphones, smart TVs, and other devices to gather data and use it to target ads, according to a review of CMG marketing materials by 404 Media and details from a pitch given to an outside marketing professional. Called “Active Listening,” CMG claims the capability can identify potential customers “based on casual conversations in real time.”

https://www.404media.co/cmg-cox-media-actually-listening-to-phones-smartspeakers-for-ads-marketing/

👉🏼 https://webcache.googleusercontent.com/search?q=cache:G8IWWik_R1YJ:https://www.cmglocalsolutions.com/blog/active-listening-an-overview&hl

👉🏼 https://webcache.googleusercontent.com/search?q=cache:ZA57uuvQNT8J:https://www.cmglocalsolutions.com/blog/how-voice-data-works-and-how-you-can-use-it-in-your-business&hl

#advertising #targeted #privacy
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Operation Triangulation: The last (hardware) mystery

Today, on December 27, 2023, we (Boris Larin, Leonid Bezvershenko, and Georgy Kucherin) delivered a presentation, noscriptd, “Operation Triangulation: What You Get When Attack iPhones of Researchers”, at the 37th Chaos Communication Congress (37C3), held at Congress Center Hamburg. The presentation summarized the results of our long-term research into Operation Triangulation, conducted with our colleagues, Igor Kuznetsov, Valentin Pashkov, and Mikhail Vinogradov.

This presentation was also the first time we had publicly disclosed the details of all exploits and vulnerabilities that were used in the attack. We discover and analyze new exploits and attacks using these on a daily basis, and we have discovered and reported more than thirty in-the-wild zero-days in Adobe, Apple, Google, and Microsoft products, but this is definitely the most sophisticated attack chain we have ever seen.

https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/

#operationtriangulation #attack #iphone
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

The Battle for Biometric Privacy

The pushback against ubiquitous surveillance and targeted deepfaking has begun—but regulation may fail to keep up with AI advances.

In 2024, increased adoption of biometric surveillance systems, such as the use of AI-powered facial recognition in public places and access to government services, will spur biometric identity theft and anti-surveillance innovations. Individuals aiming to steal biometric identities to commit fraud or gain access to unauthorized data will be bolstered by generative AI tools and the abundance of face and voice data posted online.

https://www.wired.com/story/the-battle-for-biometric-privacy/

#biometric #privacy #deepfake
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Mullvad VPN – an interview with the Swedish mole

The company was founded in March 2009 and we recently spoke to the Managing Director Jan Jonsson.

https://tarnkappe.info/artikel/interviews/mullvad-vpn-an-interview-with-the-swedish-mole-289150.html

#mullvad #vpn #interview
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv