Search Results for “Lorenzo Franceschi-Bicchierai”


March 13, 2020
Emanuel Maiberg, Jason Koebler, and Lorenzo Franceschi-Bicchierai / Motherboard

Cybersecurity Team Finds More Than Dozen Critical Security Flaws in Voatz Mobile Voting App

An audit by the team at cybersecurity firm Trail of Bits found that Voatz, a mobile voting app that has been used in several elections in the United States, has more than a dozen critical security flaws. Trail of Bits performed the first-ever “white-box” security assessment of the platform, with access to the Voatz Core Server and backend software. Their assessment confirmed the issues flagged in previous reports by MIT, which Voatz denied despite knowing of the flagged flaws. Trail of Bits also discovered more vulnerabilities and made recommendations to fix issues and prevent bugs from compromising voting security.

Related: Trail of Bits

Tweets:@alex_gaynor @mattblaze @mattblaze @kimzetter @lorenzofb


April 15, 2020
Lorenzo Franceschi-Bicchierai / Motherboard

Hackers Are Selling Zero-Day Vulnerabilities in Zoom’s Windows and macOS Clients, Asking Price for Windows Flaw is $500,000

Hackers are selling two critical zero-day vulnerabilities in Zoom’s Windows and macOS clients that would let an attacker compromise users and spy on their calls, according to several sources. The Windows zero-day gives an attacker control of the Zoom client but would need to be chained with a second bug to take over the whole machine. The macOS zero-day is not a remote code execution flaw. The asking price for the Windows zero-day is $500,000.

May 6, 2020
Lorenzo Franceschi-Bicchierai / Motherboard

Critics Say Apple’s Lawsuit Against Corellium Has Stifled Security Research and Limited Researchers’ Ability to Tinker With Apple Products and Code

Apple last year filed a copyright lawsuit against Corellium, a start-up based in Florida, accusing it of infringing Apple’s copyright by developing and selling software that allows customers, usually security researchers, to create virtual iPhone replicas. Critics say the move has stifled security research and affected how researchers and software makers can tinker with Apple’s products and code. In January, Apple sent a negative message to would-be researchers when it subpoenaed the defense contractor L3Harris and Santander Bank, requesting information on how they use Corellium, all communications they have had with the startup, internal communications about its products, and any contracts they have signed with the company, among other information.

Related: Input, MacDailyNews, Slashdot, AppleInsider

Tweets:@LorenzoFB @josephfcox


May 23, 2020
Lorenzo Franceschi-Bicchierai / Motherboard

Very Early Leaked Version of iOS 14 Came From Development Phone, Gives Hackers and Jailbreakers Huge Lead, Sources

Security researchers and hackers have had access to a leaked early version of iOS 14, the iPhone’s next operating system, since at least February, months before Apple would normally release a new iOS. Sources in the jailbreaking community familiar with the leak told us they believe someone obtained a development iPhone 11 running a build of iOS 14 dated December 2019, a device meant to be used only by Apple developers. The sources say the person paid Chinese developers thousands of dollars for the development phone and then extracted the iOS 14 build, which has since circulated in the jailbreaking community. Although the final release will likely look different, iPhone hackers and researchers now have substantial lead time to probe iOS 14 for vulnerabilities that may survive into whatever is eventually shipped to the public.

April 17, 2020
Lorenzo Franceschi-Bicchierai / Motherboard

Pastebin Kills Off Ability to Scrape Its Site, Says It Will Look for a Way to Give Security Researchers Access Following Outcry

Pastebin, the best-known paste site, is used by hackers of all stripes to host lists of stolen passwords, announcements of data breaches, and malware, and it has now made it harder for security researchers to scrape it in search of exactly that kind of information. Researchers across the web expressed dismay at the move, decrying the loss of their ability to scrape the site through an API. Pastebin said the Scraping API “has been discontinued due to active abuse by third parties for commercial purposes, such activity is prohibited by our current terms and conditions.” After the outcry from researchers, Pastebin said it is looking for a way to give security researchers access.
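The kind of monitoring that teams built on top of the scrape feed, as an added example that is neither Pastebin’s code nor anything from the article: an offline triage of paste text for credential combo lists, private keys, cloud access keys and large encoded blobs. The regular expressions, the combo-line threshold and the sample pastes are constructed for illustration (the AWS key ID is Amazon’s documented example key), and the feed itself is assumed to arrive from whatever access Pastebin grants; nothing here fetches from the site.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# One credential pair per line, in the email:password shape combo lists use.
COMBO_RE = re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+:\S+$", re.MULTILINE)
# Header of a PEM-encoded private key (RSA, EC, OPENSSH or unlabelled PKCS#8).
PEM_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
# AWS access key IDs: the literal "AKIA" followed by 16 upper-case alphanumerics.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# An unbroken run of base64 characters long enough to be an encoded payload
# rather than prose; the 200-character floor is a constructed threshold.
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


@dataclass
class Finding:
    paste_id: str
    combo_lines: int
    private_keys: int
    aws_key_ids: List[str]
    has_large_base64: bool
    tags: List[str] = field(default_factory=list)


def triage_paste(paste_id: str, text: str, combo_threshold: int = 5) -> Finding:
    """Tag one paste by content type. combo_threshold is an assumed cut-off
    below which a handful of email:password lines is treated as noise."""
    f = Finding(
        paste_id=paste_id,
        combo_lines=len(COMBO_RE.findall(text)),
        private_keys=len(PEM_KEY_RE.findall(text)),
        aws_key_ids=AWS_KEY_RE.findall(text),
        has_large_base64=B64_BLOB_RE.search(text) is not None,
    )
    if f.combo_lines >= combo_threshold:
        f.tags.append("credential-dump")
    if f.private_keys:
        f.tags.append("private-key")
    if f.aws_key_ids:
        f.tags.append("cloud-key")
    if f.has_large_base64:
        f.tags.append("encoded-payload")
    return f


def triage_feed(pastes: Dict[str, str]) -> Dict[str, List[str]]:
    """Run triage over a batch of pastes and keep only those that got a tag."""
    results = {pid: triage_paste(pid, body).tags for pid, body in pastes.items()}
    return {pid: tags for pid, tags in results.items() if tags}


# Constructed sample pastes standing in for a scraped feed (not real pastes).
SAMPLE_PASTES = {
    "combo01": "Dumped from forum DB, 2020\n" + "\n".join(
        f"user{i}@example.com:Passw0rd{i}" for i in range(6)),
    "sshkey1": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
               "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMw\n"
               "-----END OPENSSH PRIVATE KEY-----\n",
    "awscfg1": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
               "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "loader1": "powershell -nop -w hidden -enc " + "QUFB" * 60,
    "lyrics1": "Mary had a little lamb, its fleece was white as snow.\n",
}

if __name__ == "__main__":
    for pid, tags in triage_feed(SAMPLE_PASTES).items():
        print(pid, tags)
```

The threshold on combo lines is the part worth tuning in practice: a single email:password line is common in ordinary config pastes, while a dump announcing a breach rarely has fewer than a few dozen, so the cut-off trades missed small leaks against analyst noise. Each tag maps to a different follow-up (notify the affected domain, revoke the key, detonate the payload), which is why the findings carry the matched material rather than a single score.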

Related: Cyberscoop, Reddit – cybersecurity, Zeroguard

Tweets:@olihough86 @pastebin @pastebin @matalaz @olihough86 @ItsReallyNick @pastebin

Cyberscoop : Pastebin just made it easier for hackers to avoid detection, researchers say
Reddit – cybersecurity: Pastebin Just Made It Easier for Hackers to Avoid Detection
Zeroguard: PasteBin Kills Search And That’s Okay. No, Really.

@olihough86: in case you missed what's going on at @pastebin
@pastebin: Access to the Enterprise API is granted to Pastebin verified institutions and organizations only. If you wish to use the Enterprise API or want to know more, please contact our sales team (sales@pastebin.com) to apply.
@pastebin: API access is still available - https://pastebin.com/api. The Scraping API has been discontinued due to active abuse by third parties for commercial purposes, such activity is prohibited by our current T&C’s, please see Section C, P.4.
@matalaz: You are killing the exact feature many of us paid for.
@olihough86: so @pastebin changed their T&Cs on the 11th April to remove all mention of the scraping API (literally just deleted the whole section) between then and today (4 days) didn't even have the decency to pop an email out to subscribers
@ItsReallyNick: 1. Attackers abuse Pastebin to host payloads. 2. Some security teams abuse Pastebin APIs to keep up with them. Glad they’ve finally put a stop to... *checks notes* the second one?
@pastebin: At Pastebin, we take security seriously. If you are an independent security researcher and would like to volunteer and collaborate with us, please feel free to reach out to security@pastebin.com. #pastebin #cti #dfir


October 22, 2019
Lorenzo Franceschi-Bicchierai / Motherboard

In Its First Action Ever Against Stalkerware, FTC Bars Company Behind Three Pieces of Monitoring Software From Selling Any More Apps Unless Used for Legit Purposes

In the first such action the regulator has taken, the Federal Trade Commission (FTC) announced it has barred Retina-X Studios, LLC and its owner, James N. Johns, Jr., the company behind three pieces of so-called stalkerware, from selling any more apps that monitor mobile devices unless they take steps to ensure the software is used only for legitimate purposes. The settlement resolves allegations that these apps compromised the privacy and security of the consumer devices on which they were installed. One of the apps, MobileSpy, was marketed for monitoring employees and children; the other two, PhoneSheriff and TeenShield, were marketed for monitoring children’s mobile devices. Retina-X sold more than 15,000 subscriptions to the three apps before it stopped selling them in 2018.

Related: FTC

Tweets:@evacide @josephfcox @lorenzofb @vanderaj