Infosec.Pub

…

https://analognowhere.com/_/xeietm/

Your daily dose of analognowhere.

Hennepin County Attorney Mary Moriarty said a nationwide warrant has been issued in the first criminal charges against an ICE agent for on-duty actions during the surge.

Gift link — uses URL shortener because Lemmy removes the gift token

Hacking the EU Age Verification app in under 2 minutes.

During setup, the app asks you to create a PIN. After entry, the app encrypts it and saves it in the shared_prefs directory.

1. It shouldn't be encrypted at all - that's a really poor design.
2. It's not cryptographically tied to the vault which contains the identity data.

So, an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file and restart the app.

After choosing a different PIN, the app presents credentials created under the old profile and let's the attacker present them as valid.

Other issues:

1. Rate limiting is an incrementing number in the same config file. Just reset it to 0 and keep trying.
2. "UseBiometricAuth" is a boolean, also in the same file. Set it to false and it just skips that step.

Seriously von der leyen - this product will be the catalyst for an enormous breach at some point. It's just a matter of time. . Von Der Leyen "The European Age Verification app is technically ready. It respects the highest privacy standards in the world. It's open-source, so anyone can check the code..."

I did. It didn't take long to find what looks like a serious privacy issue.

The app goes to great lengths to protect the AV data AFTER collection (is_over_18: true is AES-GCM'd); it does so pretty well.

But, the source image used to collect that data is written to disk without encryption and not deleted correctly.

For NFC biometric data: It pulls DG2 and writes a lossless PNG to the filesystem. It's only deleted on success. If it fails for any reason (user clicks back, scan fails & retries, app crashes etc), the full biometric image remains on the device in cache. This is protected with CE keys at the Android level, but the app makes no attempt to encrypt/protect them.

For selfie pictures: Different scenario. These images are written to external storage in lossless PNG format, but they're never deleted. Not a cache... long-term storage. These are protected with DE keys at the Android level, but again, the app makes no attempt to encrypt/protect them.

This is akin to taking a picture of your passport/government ID using the camera app and keeping it just in case. You can encrypt data taken from it until you're blue in the face... leaving the original image on disk is crazy & unnecessary.

From a GDPR standpoint: Biometric data collected is special category data. If there's no lawful basis to retain it after processing, that's potentially a material breach.

YouTube Video.

Source: Paul Moore(Security Consultant) X/Twitter, 2.

cross-posted from: https://infosec.pub/post/45063941

Source

Description: roadside memorial with a sign reading "IN MEMORY OF THOSE KILLED BY I.C.E." alongside dozens of crosses.

Location: HWY 8 outside Elma, WA.

Photo taken from the passenger seat while traveling from the South Sound toward the coast. Considering Grays Harbor County voted Trump three out of three elections (although not overwhelmingly so), this was heartening to see. I don't make it out this way too often, so I'm uncertain exactly when this was erected, but it was sometime in the last few months.

Documents I obtained show that the IRS already has a powerful set of tools to force compliance, from undercover agents to wiretaps and other forms of electronic surveillance. The collaborates with ICE to monitor the travel of American citizens through. But now, thanks to AI, the IRS’s ultimate goal is for “minimal human contact,” as one document put it.

The centerpiece is Palantir software that allows IRS investigators and auditors to conduct "near real-time data analysis" through a custom tool called the “Selection and Analytic Platform,” or SNAP.

What that means in practice is that millions of middle-income Americans who once fell below the threshold of what scarce human auditors could manage are now within reach. The little guy just became a lot easier to monitor at scale.

The big guy? Not so much.

Source

The last time I posted about the dyke March people were mad they missed it, @nycdykemarch instagram page just posted the flyer for this year’s march so figured I’d share.

I was at the last one, me and my gf were at the end of the parade, in wash square park (we like the chaos lol). It was nice seeing people who are like us. Yes there’s the big pride parade in June, but this one felt a lot more specific to us . If you want to be outside in nyc and be around other gays/butches/studs/dykes/ transmasc / transfem , or anyone who feels affinity. I literally saw all different walks of lesbians in the crowd which was dope. It’s definitely something to check out.

i have a challenge for y'all... I'm an enjoyer of eccentic stuff, bordering on kitsch and tacky XD particularly shoes, but then I fon't know how to style my choices other than going all black.

Any ideas? Bonus points if you include some images , thanks in advance.

In a setback for federal efforts to thwart climate litigation, the judge ruled that the suit, which tried to block the state from suing oil companies, was too speculative.

Comments