Check out the announcement:
Undocumented backdoor that covertly takes snapshots found in kids’ smartwatch https://arstechnica.com/information-technology/2020/10/a-watch-designed-exclusively-for-kids-has-an-undocumented-spying-backdoor/
You can spend 3 months writing a 0day for some obscure mach kernel handling bug to sneak your way to local root but did you try just asking the user for their password? You know which one has a higher ROI? The most simplistic one. This is why you get $22million dollar thefts from a UI, if you ask a user persistently enough in a manner that does not disrupt their usage of the machine or raise inconsistency in machine behavior - the user almost always enters the passwords as normal at the machine.
Exploitation of human behavior always gives better results than a single bug. I wrote this example for macOS in Swift. It's a great LPE attack, by presenting every 15 minutes a UIKit dialog that mimics precisely Apple notices, users will just enter the local admin (or iCloud) password. On every run, this stores clipboard and passwords input from a launchd daemon, once the user gives the right password and it authenticates to root - it clears out the persistence and transmits the logs back to me.
Fake pop-ups through ElectrumX update notifications have been used to steal $22 million worth of BTC. Security experts need to understand that attackers use *whatever* *works* -if you ask the user to give you access to their computer - they frequently will - as simple as a pop-up notification and trojan wallet installer was all that anyone ever required to exploit the open nature of code and crypto. https://www.zdnet.com/article/bitcoin-wallet-trick-has-netted-criminals-more-than-22-million/
If I were to redo this project I’ve been working on the last few years, I would not have been pedantic about building the GUI in C++ despite the power it’s given me, features take weeks to implement that would take minutes in other languages. I’m glad I chose Lua and Jit VM technology for numerous reasons but the thing that amuses me the most is that innovation in Lua obfuscation is coming from a bunch of Roblox hackers that just want to cheat at video games and protect their mods.
Android ransomware has picked up some ominous new tricks https://arstechnica.com/information-technology/2020/10/android-ransomware-has-picked-up-some-ominous-new-tricks/
Apple’s T2 security chip has an unfixable flaw - Checkm8 vulnerability used to jailbreak iPhones hits Macs as well https://arstechnica.com/information-technology/2020/10/apples-t2-security-chip-has-an-unfixable-flaw/
Help us design the next mobile PINE64 platform: the PineCom!
The FBI Team Sent to ‘Exploit’ Protesters’ Phones in Portland https://www.nybooks.com/daily/2020/10/08/the-fbi-team-sent-to-exploit-protesters-phones-in-portland/
Team https://hacker.house cyber security assurance services and professional training ~ UNIX Hacker's Fraternity president https://hackerfraternity.org ~ Author of ISBN
9781119561453, a book on professional computer hacking.
The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!