December 29, 2023
Follow up on Triangulation’s hardware bypass
Hector Martin: "So some fun stuff was just presented at 37C3, and…" - Treehouse Mastodon
So some fun stuff was just presented at 37C3, and... I bet I have some answers. https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/ First, yeah, the dbgwrap stuff makes perfect sense. I knew about it for the main CPUs, makes perfect sense it'd exist for the ASCs too. Someone had a lightbulb moment. We might even be able to use some of those tricks for debugging stuff ourselves :) Second, that "hash" is almost certainly not a hash. It's an ECC code**. I bet this is...
No new iPhone? No secure iOS: Looking at an unfixed iOS vulnerability
ASCII art: From a Commodity Into an Obscurity
A group of security researchers from Technical University in Berlin managed to get root access to @Tesla's Autopilot computer by exploiting Secure boot mechanism with voltage glitching. #37c3 #tesla #carhack pic.twitter.com/S4QBXWPJ5B
— Bogdan Djukic (@bdjukic) December 28, 2023
gonna take this opportunity to plug my nspredicate/nsexpression talk again. https://t.co/xi3zRz0GKg pic.twitter.com/mNks5Sz28P
— 𝚊𝚕𝚔𝚊𝚕𝚒 (@alkalinesec) December 28, 2023
HMS Wellesley - a ship of the line launched in 1815. Sunk by the Luftwaffe - 24 September 1940.
She was the last ship of the line to be sunk and the only one to have been sunk by air. pic.twitter.com/I3OMNIySQO
— Jimmy Bagpuss (@Jim_Bagnall) December 28, 2023
Indirect Prompt Injections in the Wild: real world exploits and mitigations 🧐🧵
With the rapid growth and widespread use of artificial intelligence and Large Language Models (LLMs), users face a greater security risk: scams,… pic.twitter.com/1XfDyhJpvO
— Ekoparty | Hacking everything (@ekoparty) December 28, 2023
Microsoft (December 2021): Hey everybody, we've fixed CVE-2021-43890!
Microsoft (December 2023): Hey everybody, CVE-2021-43890 is being exploited in the wild!
The unspoken part (as far as I can tell): Whoops, we accidentally unfixed CVE-2021-43890 in April 2023.
🤦♂️ https://t.co/OOlBDY0g9O pic.twitter.com/TP7ZRcCBVF
— Will Dormann (@wdormann) December 28, 2023
I'm a big fan of how Glock would have been 69-70 and his assassin was 67. The mental image of an elderly weapons designer and an elderly French mercenary beating the shit out of each other with fists and a rubber mallet in a parking garage https://t.co/TvIEL44gGL
— TWINKDEFCON (@twinkdefcon) December 27, 2023
Oh ....... pic.twitter.com/o9g2uIFNAg
— TWINKDEFCON (@twinkdefcon) December 27, 2023
spy vs spy
(2023 redraw) pic.twitter.com/tsQiCCFEtH
— Rory Blank (@BoneJail) December 28, 2023
BurpSuite plugin for discovering AuthZ/AuthN vulnerabilities
GitHub - Quitten/Autorize: Automatic authorization enforcement detection extension for burp suite written in Jython developed by Barak Tawily in order to ease application security people work and allow them perform an automatic authorization tests
“You are what you eat”
Me: pic.twitter.com/RHWyTcNLC0
— Stone Cold Jane Austen (@AbbyHiggs) December 28, 2023