Tag: vulnerability (Page 13 of 40)

Delays Aren’t Good Enough—Apple Must Abandon Its Surveillance Plans | Electronic Frontier Foundation

apple with an eye in the center

“The features Apple announced a month ago, intending to help protect children, would create an infrastructure that is all too easy to redirect to greater surveillance and censorship. These features would create an enormous danger to iPhone users’ privacy and security, offering authoritarian governments a new mass surveillance system to spy on citizens. They also put already vulnerable kids at risk, especially LGBTQ youth, and create serious potential for danger to children in abusive households. The responses to Apple’s plans have been damning: over 90 organizations across the globe have urged the company not to implement them, for fear that they would lead to the censoring of protected speech, threaten the privacy and security of people around the world, and have disastrous consequences for many children.”

Source: Delays Aren’t Good Enough—Apple Must Abandon Its Surveillance Plans | Electronic Frontier Foundation

Legal action could block access to the largest pornographic sites

A Pornhub sign in Las Vegas, Nevada, in 2017.

“In practice, it is actually often complicated for the courts to trace the owners of the major pornographic sites, who shelter behind cascades of companies domiciled in several countries. MindGeek, the sector's leading company (it owns Pornhub, RedTube and YouPorn, with revenue in the hundreds of millions of dollars), has its offices in Canada, but is domiciled for tax purposes in Luxembourg and has dozens of subsidiaries in half a dozen countries. The associations, in coordination with the Chancellery, have therefore changed their angle of attack: rather than the sites, they have targeted the Internet service providers (ISPs) present in the country, Orange, SFR, Free, Bouygues… ‘We are summoning the ISPs in summary proceedings because it is not always possible to identify the publishers of pornographic content,’ acknowledges lawyer Laurent Bayon, counsel for the two associations, who hopes that the public prosecutor's office will support their request.”

Source: Legal action could block access to the largest pornographic sites

“We’ve enhanced Android’s auto-rotate feature with face detection, using the front-facing camera to more accurately recognize when to rotate the screen. This is especially helpful for people who are using their devices while lying down on a couch or in bed, for example. For developers, this means that the auto-rotation behavior will provide a better user experience for users who have opted in through Settings. The enhanced auto-rotate feature lives within our recently announced Private Compute Core, so images are never stored or sent off the device. In Beta 3 this feature is available on Pixel 4 and later Pixel devices. To make screen rotation as speedy as possible on all devices, we’ve also optimized the animation and redrawing and added an ML-driven gesture-detection algorithm. As a result, the latency for the base auto-rotate feature has been reduced by 25%, and the benefits of the face detection enhancement build on top of those improvements. Give the auto-rotate improvements a try and let us know what yo”

Source: Android Developers Blog: Android 12 Beta 3 and final APIs

Reverse engineering generative models from a single deepfake image

“Deepfakes have become more believable in recent years. In some cases, humans can no longer easily tell some of them apart from genuine images. Although detecting deepfakes remains a compelling challenge, their increasing sophistication opens up more potential lines of inquiry, such as: What happens when deepfakes are produced not just for amusement and awe, but for malicious intent on a grand scale? Today, we — in partnership with Michigan State University (MSU) — are presenting a research method of detecting and attributing deepfakes that relies on reverse engineering from a single AI-generated image to the generative model used to produce it. Our method will facilitate deepfake detection and tracing in real-world settings, where the deepfake image itself is often the only information detectors have to work with.”

Source: Reverse engineering generative models from a single deepfake image

A Colonial Pipeline facility in Baltimore. Its pipelines feed large storage tanks up and down the East Coast.

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives,” it said in a statement posted on its website. “Our goal is to make money and not creating problems for society.”
The group seemed somewhat surprised that its actions resulted in closing a major pipeline and suggested that perhaps it would avoid such targets in the future.

Source: FBI Confirms DarkSide as Colonial Pipeline Hacker – The New York Times

Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app’s perspective

FFmpeg vulnerabilities by year

“Given the number of opportunities present, we found that it’s possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed. For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.”

Source: Signal >> Blog >> Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app’s perspective

Troy Hunt: Data From The Emotet Malware is Now Searchable in Have I Been Pwned, Courtesy of the FBI and NHTCU

“Earlier this year, the FBI in partnership with the Dutch National High Technical Crimes Unit (NHTCU), German Federal Criminal Police Office (BKA) and other international law enforcement agencies brought down what Europol referred to as the world’s most dangerous malware: Emotet. This strain of malware dates back as far as 2014 and it became a gateway into infected machines for other strains of malware ranging from banking trojans to credential stealers to ransomware. Emotet was extremely destructive and wreaked havoc across the globe before eventually being brought to a halt in February.
Following the takedown, the FBI reached out and asked if Have I Been Pwned (HIBP) might be a viable means of alerting impacted individuals and companies that their accounts had been affected by Emotet. This isn’t the first time HIBP has been used by law enforcement in the wake of criminal activity with the Estonian Central Police using it for similar purposes a few years earlier.”

Source: Troy Hunt: Data From The Emotet Malware is Now Searchable in Have I Been Pwned, Courtesy of the FBI and NHTCU

“When the victim copies an address, the malware replaces it in the clipboard with the address of a wallet controlled by the criminals; the researchers counted more than a hundred of them. The result: when the victim ‘pastes’ the address of the transaction's recipient into the field provided, they actually paste the crook's address. And if they confirm the transaction, they will unintentionally send the money to the crook. Yes, if the victim is attentive enough, they will notice that the address they copied and the one they pasted are not similar, and they will not confirm the transaction. But this lack of subtlety does not prevent the ruse from working. According to Avast, Hack Boss has reportedly collected more than 8.4 Bitcoin, 6.9 Ethereum and 2,300 Dogecoin since its scam was set up in November 2018.”

Source: This malware manipulates copy/paste to hijack cryptocurrencies – Cyberguerre
