Profile

Cover photo
Sean M
AboutPosts

Stream

Sean M

Shared publicly  - 
 
Dangerous Anker Cable
Text from +Benson Leung​​...

+Nathan K. has published a new warning video. If you have purchased this cable from +Anker (https://www.amazon.com/gp/product/B01HI00NCY/, model A8185011) be warned...

Stop using the cable immediately, especially if your household has Type-C laptops like Chromebooks with 15V or 20V power supplies as well as 5V only ones like Nexus phones.

The cable is not just theoretically dangerous. I have independently verified this myself.

If you have one of these more advanced power supplies to charge your laptop that supports 5V 9V 15V and 20V : https://www.anker.com/products/A2053111 and then do the following steps, you will seriously risk your device safety.

DANGER ZONE
1. Plug in your Anker cable to the 5V 9V 15V 20V Anker charger.
2. Plug the cable into Chromebook Pixel 2015
3. Pixel starts charging at 15V or 20V.
4. Unplug the cable from Pixel, but leave it plugged into the charger
5. Plug it into some other device, like Nexus 5X...
END DANGER ZONE

After steps 4 and 5, the cable still has Vbus hot at 15V or 20V, where it's supposed to be at 0V.

Anything you plug it into after that point may blow up.

Be warned. Anker, listen up. This is product recall time.
 
This is a fast-publish. Do not buy any +Anker #USB #TypeC   Powerline 3.1Gen2 cables from +Amazon.com. There are major errors with many of them as independently verified by +Benson Leung. I originally described this failure in my Plus post below. Linked is a video showing how you can use it to DESTROY your device.

Anker has only partially responded to inquiries for clarification. Please get a properly USB-IF certified cable instead, such as the J5Create JUCX01 (5a/100w version ONLY) or Scosche Strikeline CC3G23 (5a/100w "clear plastic wrap" version ONLY) or Plugable/Belkin USB-IF certified 3a/60w cables (slower).

Cease using the Anker cable immediately if you did purchase it! Anker needs to address this and very seriously needs to consider issuing a recall for this product.

(BAD) Anker Powerline 3.1Gen2 cable analysis:
https://plus.google.com/102612254593917101378/posts/VdKCcY5h13w

(GOOD) j5create JUCX01 cable analysis:
(get the USB-IF certified JUCX01 -- NOT JUCX03)
https://plus.google.com/102612254593917101378/posts/FgpTkikhKUy

(IFFY) Scosche CC3G23 cable analysis:
(get the version in plastic wrap --  NOT twist ties)
https://plus.google.com/102612254593917101378/posts/ERCL2JLY3Rz

#USBC  
19 comments on original post
1
Add a comment...

Sean M

Shared publicly  - 
 
Bloodhound - Active Directory Relationships

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attacks can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.
3
Add a comment...

Sean M

Shared publicly  - 
 
Auto Domain Admin and Network Exploitation (autoDANE)
By dane at sensepost dot com

Auto DANE attempts to automate the process of exploiting, pivoting and escalating privileges on windows domains.

This tool provides a pretty slick UI for the initial processes of auditing an internal network. Configure the depth for host to domain enumeration.

https://github.com/sensepost/autoDANE 
1
1
Add a comment...

Sean M

Shared publicly  - 
 
Windows 10 Update Further Removes User Control

Among other changes...

It is in my opinion unacceptable that they removed the ability to restrict random apps from being installed. As a single system user (admin), I should be able to control the programs that get installed.

Turn off Microsoft consumer experiences
Using this option, you could prevent Windows 10 from automatically downloading and installing promoted apps like Candy Crush Soda Saga, Flipper, Twitter, NetFlix, Pandora, MSN News and many other potentially unwanted apps and games. Now you can't prevent these apps from being automatically downloaded and installed if you are using Windows 10 Pro or Home editions. The policy setting (or Registry setting) has no effect in these editions.
 
Today, we surprisingly discovered that Microsoft has secretly changed the availability of some Group Policy options in Windows 10 version 1607. Windows 10 version 1607 "Anniversary Update" has reduced the control via Group Policy that you have in Pro edition. Pro edition users have lesser options available compared to version 1511, so many behaviors of the OS cannot be controlled. If you open the Group Policy management console and read the desc...
1 comment on original post
4
2
Jay Jinn's profile photoSean M's profile photo
2 comments
Sean M
 
+Jay Jinn if not for these decisions by Microsoft, Windows 10 would be a great operating system.

The only thing holding 10 back is Microsoft. 
Add a comment...

Sean M

Shared publicly  - 
 
Protecting Android with more Linux kernel defenses

Blog post detailing Google's efforts to harden the kernel in Android.

https://security.googleblog.com/2016/07/protecting-android-with-more-linux.html
4
1
Add a comment...

Sean M

Shared publicly  - 
 
Who Authorizes Access? Is Tech Support Potentially Criminal?

Unfortunately, the Computer Fraud and Abuse Act (CFAA) provides ample room for judicial ambiguity and abuse. A recent ruling by the US Ninth Circuit depended upon the concept of "unauthorized access", which is not well defined in the CFAA.

At issue in this case is that a former employee, who had his access revoked, used credentials of an employee, who had access, to retrieve information from a database. The credentials were not stolen or hacked. The employee with access freely gave their functional credentials (username and password) to the former employee. The former employee then used these credentials to access the database.

The Ninth Circuit ruled that system users, such as the employee, cannot transfer or allow access rights to others. Instead, that permission must come from the system owner. So, even with legitimate credentials, an individual is violating access rights if they have not specifically been given that permission by the system owner.

In this case, it may not seem like a significant deal. The guy did malicious things with the access. He transferred trade secrets for his personal usage. The problem is that the situation is hardly uncommon outside of criminal actions.

Consider what occurs when a person calls upon tech support, whether that is family, friend, or professionals. That tech support technician often needs to interact with the malfunctioning system. When that malfunctioning system is your computer or device, you are the system owner. However, when that malfunctioning system is a third-party or cloud system, you are a system user. So, if a user needs assistance with their Gmail, Office 360, or Pandora they generally have the tech support technician troubleshoot the issue for them by granting the technician access to their account.

With the Ninth Circuit's ruling, the legality of this is in question. If a user can no longer authorize access to others then those actions become "unauthorized access", per the Ninth Circuit ruling.

Helpful individuals, such as +Lauren Weinstein​, who provide a lot of long distance tech support may find themselves outside the law since the client cannot authorize access, if the help is with cloud services or in situations where system ownership is a third party.

Perhaps the defining demarcation should be the scope of the access. In this case, the access was to a company-wide database, which - in my opinion - should require system owner permission. However, in the case of tech support, the scope of access is generally going to be limited to a user's data only. In the case of only the specific user's data, it seems prudent to allow them the right to determine access. For perspective, this is the difference between allowing someone access to the entire mail server (former) versus a single mailbox (latter).

I am not a lawyer, so do not take my opinion as legally sound. I am merely considering the possible issues with restricting system permissions to the owner, and the ambiguity.

For more updates, follow +Electronic Frontier Foundation​. 
This week, the Ninth Circuit Court of Appeals, in a case called United States v. Nosal, held 2-1 that using someone else’s password, even with their knowledge and permission, is a federal criminal offense.
2
Lauren Weinstein's profile photoSean M's profile photo
2 comments
Sean M
+
1
2
1
 
+Lauren Weinstein​, agreed that Tech Support is unlikely to be in the crosshairs of the CFAA. It would be nice, though, if the law was better clarified. 
Add a comment...

Sean M

Shared publicly  - 
 
EFF DES Cracker Machine Brings Honesty to Crypto Debate

EFF spent a year and $250-thousand to build a machine that can crack DES encryption in a handful of days; they cracked an RSA challenge in 3 days, and beat the previous record, which was 39 days.

A book is available to US residents. The book contains the design details. It is currently restricted to hardcopy and the US due to export controls that make online publishing potentially illegal.

https://www.eff.org/press/releases/eff-des-cracker-machine-brings-honesty-crypto-debate
SAN FRANCISCO, CA -- The Electronic Frontier Foundation (EFF) today raised the level of honesty in crypto politics by revealing that the Data Encryption Standard (DES) is insecure. The U.S. government has long pressed industry to limit encryption to DES (and even weaker forms), without revealing how easy it is to crack. Continued adherence to this policy would put critical infrastructures at risk; society should choose a different course.
2
1
Add a comment...

Sean M

Shared publicly  - 
 
Pixel C Physical Keyboard Alternatives?

Does anyone have any recommendations for a Pixel C physical keyboard that has better support for special characters, such as the pipe (|), brackets ([]), curly braces ({}), backward slash (\), and tilde (~)?

It is really inconvenient having to switch to the onscreen keyboard for them. 
1
Michael Kuechenmeister's profile photoSean M's profile photo
2 comments
Sean M
 
Mostly just trying to comfortably use Bash, but programming would benefit from the same keys, too. 
Add a comment...

Sean M

Shared publicly  - 
 
Android Tamer

Android Tamer is a Virtual / Live Platform for Android Security professionals.

This Environment allows people to work on large array of android security related task’s ranging from Malware Analysis, Penetration Testing and Reverse Engineering.

1) What is android Tamer?
Android Tamer is a one stop tool required to perform any kind of operations on Android devices / applications / network
Home · FAQ's · Blog · Download · AndroidTamer 4 : Released · Torrent Link (OLD) · Version 2 : OLD · Version 1 : Old · Learn Android Security; Resources. Android Security Enhancements · Tools MindMap · Presentation · External Mentions; SWAG; Wallpapers.
2
4
Add a comment...

Sean M

Shared publicly  - 
 
 
In a move to prove a point about security, a group of hackers have released blueprints to 3D print the eighth and last TSA master key this week at a conference in New York.If you are unfamiliar, TSA approved locks allow luggage security personnel to unlock and inspect your bags without damaging locks, using master keys.
View original post
2
Michael Kuechenmeister's profile photo
 
The only surprise is that it took this long.
Add a comment...

Sean M

Shared publicly  - 
 
Futuristic Cyberattack Scenario

This is a piece of near-future fiction about a cyberattack on New York, including hacking of cars, the water system, hospitals, elevators, and the power grid. Although it is definitely a movie-plot attack, all the individual pieces are plausible and will certainly happen individually and separately.

Worth reading -- it's probably the best example of this sort of thing to date.

Story:
"Envisioning the Hack That Could Take Down New York City"
http://nymag.com/daily/intelligencer/2016/06/the-hack-that-could-take-down-nyc.html
3
4
Add a comment...

Sean M

Shared publicly  - 
 
Telegram Message Size Limitations Bypassed

Researchers discovered ability method to send messages outside normal limits - 1 to 4096 bytes.

The flaw has not been released, but it hasn't been reported to Telegram, either, due to the researcher being until to locate a venue for reporting the vulnerability.
1
Add a comment...
Work
Occupation
IT Guy
Links
YouTube
Basic Information
Gender
Male