This week in infosec: links

Web Application Reconnaissance Framework - WARF is a recon framework for web applications. It comprises different tools to perform information gathering on a target, such as subdomain enumeration, directory brute force, and gathering all sorts of endpoints: Wayback URLs, JS URLs, endpoints from JS files, API/secret keys, etc.

Telenot Complex: Insecure AES Key Generation - This blog post details our discovery of a vulnerability in the AES key generation of an alarm system widely used in Germany. Due to this flaw it was possible to clone the key fobs used with this system. A video demonstrating our proof of concept follows below. The flaw was found within compasX, the management software for alarm systems in a series named “complex,” which are manufactured by Telenot. The vulnerability was assigned CVE-2021-34600 and an advisory was released along with this blog post.

WordPress 5.8.2 Stored XSS Vulnerability - In this blog post, we investigate a WordPress vulnerability we reported back in 2018, and that remained unpatched for around 3 years afterwards. It can for example be used for privilege escalation and to hijack an admin account from an author account. However, as we’ll see, exploitation can also be achieved without special privileges when certain WordPress plugins are installed. When we reported the vulnerability, the wordpress.org website itself was affected and could have been exploited by any forum user to launch a supply chain attack for WordPress plugins.

Big tech wants us to empathize with robots

When Bird scooters first became a thing, I hated them. I once had to stop my car three separate times to move scooters that had been left in the middle of the road at 50-foot intervals, presumably by some psychopath hoping to cause an accident. One day, I saw one blocking the entrance to my apartment’s courtyard and decided I’d had enough. I pushed it over. In response, it emitted a plaintive little wail, almost like a wounded bird. For a moment, I actually felt guilty.

Then I realized that was the point. Big tech can exploit workers, suppress information, make our cities less safe, toxify our political discourse, and destroy our mental health, but if you handle their products roughly, you’re a bad person. Maybe even a sociopath.

It’s like that moment in Dr. Strangelove when the soldier hesitates to blast open a Coke machine so they can use the change to place a call that will avert nuclear war. Only this time, the Coke machine has a face and begs for its life.

Grayson Quay

Git info on a Hugo static website

Since Hugo is a static website builder (it only outputs HTML and XML from your Markdown files), if you want to display the latest git commits from a specific git repository on your website, you will be in a bit of a pickle. To achieve this level of Zen-ness we need to use the secret teachings of a man formerly known as Bearly Grill: adapt, improvise and overcome.

Keep in mind that the bash part can probably be done by someone in a one-liner using just sed and channeling the power of your inner Stallman, but this is something I quickly wrote so I can have some stats on the Civitas project page. Feel free to improve it and email me the changes if you want. Or not.

So, basically we need two parts: one that parses the output of the git log command into a JSON file (so that it can be loaded by the static Hugo website), and a second that loads the JSON file and builds the DOM structure.

BlackBerry 10 OS battery drain

Since the BlackBerry services shutdown on January 4, 2022, BlackBerry 10 OS devices seem to have a serious problem. I have a BlackBerry Passport on which I’m running some tests, and lately I noticed a massive battery drain. Actually, I noticed the issue earlier but I couldn’t link it to the BlackBerry services EOL this year, because I foolishly thought that BlackBerry would either keep the servers up or at least give users an update that removes any dependency on their servers. But they didn’t.

The problem is that the device makes 3 requests per second to several external BlackBerry servers (that are now offline) and, as you can imagine, this kills the battery really fast. I had already run into the issue last year because I was using a custom blocklist on a Pi-hole that blocked all blackberry.com and blackberry.net domains, but I wasn’t using the device enough to notice the reduced battery life.

Smartphone security

If you’re still new to the world of smartphones (or even if you’re not), you may be a bit suspicious about the level of security afforded by these rather complex devices. And while modern smartphones nearly always come with a standard assortment of security features, there are still steps you can take to keep your sensitive personal information safe at all times.

Signs that your smartphone is compromised

  • Slow smartphone performance. Your phone now uses a lot more memory, CPU or battery power, gets hotter under normal use and/or gets hot when it is idle.

  • Advertising popups. A sign of adware/malware is the appearance of popup windows on the phone screen or in the web browser: advertising banners of various kinds, elements that interfere with the normal operation of your smartphone, or web browser tabs that keep opening on their own.

  • Unknown applications and/or files. Applications that you did not download yourself may appear on the device, files you are not familiar with appear on the memory card (if there is one in your phone), calls or messages may also be made without your knowledge.

  • Data usage jumps. Malware can and will use your phone’s resources in the background, monitoring your activities 24/7 and uploading your data to rogue remote servers.

  • Strange application behavior. Applications turn themselves on and off, perform actions without your knowledge or interaction, and may crash.