Nixintel

7.1K posts

Nixintel banner
Nixintel

Nixintel

@nixintel

Steven Harris | OSINT & Cyber Security Specialist | Investigator | Teach OSINT @SANSInstitute | @OSINTCurious | https://t.co/EGO8CWyA6H

UK Katılım Şubat 2019
1.5K Takip Edilen23.9K Takipçiler
Nixintel retweetledi
Paul Moore - Security Consultant 
Paul Moore - Security Consultant @Paul_Reviews·
Bypassing #EU #AgeVerification using their own infrastructure. I've ported the Android app logic to a Chrome extension - stripping out the pesky step of handing over biometric data which they can leak... and pass verification instantly. Step 1: Install the extension Step 2: Register an identity (just once) Step 3: Continue using the web as normal The extension detects the QR code, generates a cryptographically identical payload and tells the verifier I'm over 18, which it "fully trusts". This isn't a bug... it's a fundamental design flaw they can't solve without irrevocably tying a key to you personally; which then allows tracking/monitoring. Of course, I could skip the enrolment process entirely and hard-code the credentials into the extension... and the verifier would never know.
Paul Moore - Security Consultant @Paul_Reviews

Hacking the #EU #AgeVerification app in under 2 minutes. During setup, the app asks you to create a PIN. After entry, the app *encrypts* it and saves it in the shared_prefs directory. 1. It shouldn't be encrypted at all - that's a really poor design. 2. It's not cryptographically tied to the vault which contains the identity data. So, an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file and restart the app. After choosing a different PIN, the app presents credentials created under the old profile and let's the attacker present them as valid. Other issues: 1. Rate limiting is an incrementing number in the same config file. Just reset it to 0 and keep trying. 2. "UseBiometricAuth" is a boolean, also in the same file. Set it to false and it just skips that step. Seriously @vonderleyen - this product will be the catalyst for an enormous breach at some point. It's just a matter of time.

English
270
3.1K
12.3K
1.1M
Nixintel retweetledi
Paul Moore - Security Consultant 
Paul Moore - Security Consultant @Paul_Reviews·
Hacking the #EU #AgeVerification app in under 2 minutes. During setup, the app asks you to create a PIN. After entry, the app *encrypts* it and saves it in the shared_prefs directory. 1. It shouldn't be encrypted at all - that's a really poor design. 2. It's not cryptographically tied to the vault which contains the identity data. So, an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file and restart the app. After choosing a different PIN, the app presents credentials created under the old profile and let's the attacker present them as valid. Other issues: 1. Rate limiting is an incrementing number in the same config file. Just reset it to 0 and keep trying. 2. "UseBiometricAuth" is a boolean, also in the same file. Set it to false and it just skips that step. Seriously @vonderleyen - this product will be the catalyst for an enormous breach at some point. It's just a matter of time.
Paul Moore - Security Consultant @Paul_Reviews

.@vonderleyen "The European #AgeVerification app is technically ready. It respects the highest privacy standards in the world. It's open-source, so anyone can check the code..." I did. It didn't take long to find what looks like a serious #privacy issue. The app goes to great lengths to protect the AV data AFTER collection (is_over_18: true is AES-GCM'd); it does so pretty well. But, the source image used to collect that data is written to disk without encryption and not deleted correctly. For NFC biometric data: It pulls DG2 and writes a lossless PNG to the filesystem. It's only deleted on success. If it fails for any reason (user clicks back, scan fails & retries, app crashes etc), the full biometric image remains on the device in cache. This is protected with CE keys at the Android level, but the app makes no attempt to encrypt/protect them. For selfie pictures: Different scenario. These images are written to external storage in lossless PNG format, but they're never deleted. Not a cache... long-term storage. These are protected with DE keys at the Android level, but again, the app makes no attempt to encrypt/protect them. This is akin to taking a picture of your passport/government ID using the camera app and keeping it just in case. You can encrypt data taken from it until you're blue in the face... leaving the original image on disk is crazy & unnecessary. From a #GDPR standpoint: Biometric data collected is special category data. If there's no lawful basis to retain it after processing, that's potentially a material breach. youtube.com/watch?v=4VRRri…

English
663
6.2K
24.7K
3.3M
Nixintel retweetledi
Preston Byrne
Preston Byrne@prestonjbyrne·
The new European “anonymous age verification” app turns out to be not that anonymous after all Doxing is doxing.
Paul Moore - Security Consultant @Paul_Reviews

.@vonderleyen "The European #AgeVerification app is technically ready. It respects the highest privacy standards in the world. It's open-source, so anyone can check the code..." I did. It didn't take long to find what looks like a serious #privacy issue. The app goes to great lengths to protect the AV data AFTER collection (is_over_18: true is AES-GCM'd); it does so pretty well. But, the source image used to collect that data is written to disk without encryption and not deleted correctly. For NFC biometric data: It pulls DG2 and writes a lossless PNG to the filesystem. It's only deleted on success. If it fails for any reason (user clicks back, scan fails & retries, app crashes etc), the full biometric image remains on the device in cache. This is protected with CE keys at the Android level, but the app makes no attempt to encrypt/protect them. For selfie pictures: Different scenario. These images are written to external storage in lossless PNG format, but they're never deleted. Not a cache... long-term storage. These are protected with DE keys at the Android level, but again, the app makes no attempt to encrypt/protect them. This is akin to taking a picture of your passport/government ID using the camera app and keeping it just in case. You can encrypt data taken from it until you're blue in the face... leaving the original image on disk is crazy & unnecessary. From a #GDPR standpoint: Biometric data collected is special category data. If there's no lawful basis to retain it after processing, that's potentially a material breach. youtube.com/watch?v=4VRRri…

English
23
1.3K
5.1K
99.2K
Nixintel retweetledi
Reclaim The Net
Reclaim The Net@ReclaimTheNetHQ·
The EU keeps saying its digital identity wallet is voluntary. Germany's ruling party now wants to require it for every social media login. They even want VPN workarounds blocked, which means deep packet inspection of your internet traffic. You don't set an 80% adoption target for something you plan to keep optional... reclaimthenet.org/eu-says-eudi-w…
English
68
719
1.6K
75.6K
Nixintel retweetledi
Graham Smith 
Graham Smith @Cyberleagle·
The new Council of Europe Online Safety Recommendation wants you bloggers and regular public online posters (who are ‘outside formal editorial oversight’) to be subject to self-regulatory codes, encouraged by Member States. I am so reminded of this. cyberleagle.com/2018/10/a-lord…
Graham Smith  tweet media
English
2
10
25
1.9K
Vatnik Soup
Vatnik Soup@P_Kallioniemi·
GRU agents posing as Ukrainians are reportedly planning to seize buildings in the city centre. Ukrainian intelligence says the operation involves former Berkut fighters who crushed Euromaidan protests in 2014 before fleeing to Russia. Former Berkut commander Serhiy Kusyuk is reportedly already in Budapest.
Vatnik Soup tweet media
English
121
2.6K
6.2K
356.1K
Nixintel retweetledi
spiked
spiked@spikedonline·
The threat to free speech in Britain is coming from all sides. We have myriad laws, policing practices and even the ECHR turning us into one of the most censored democracies on Earth. Every single bit of this must go, says Andrew Tettenborn buff.ly/U3Ncse6
English
6
78
214
4.4K
Nixintel
Nixintel@nixintel·
@MalcontentmentT Those are flares being popped rather than a break up aren't they?
English
1
0
0
56
Nixintel retweetledi
Michael Hill
Michael Hill@Michael_J_Hil·
Michael Hill tweet media
ZXX
4
108
1.4K
53.8K
Nixintel retweetledi
Footy Flix
Footy Flix@FootyFlixx·
The World Cup schedule in full if you’re in the U.K. 🇬🇧🏆 📸 - @Bermuda060404
Footy Flix tweet media
English
2
7
34
11.6K
Nixintel retweetledi
The ONLYOFFICE
The ONLYOFFICE@only_office·
⚠️ We have made the important decision to suspend our partnership with Nextcloud. Read our latest blog post to understand why we took this step and what it means for our community moving forward 👉 onlyo.co/4tctiwc P.S: No impact to current partners or clients
The ONLYOFFICE tweet media
English
5
21
137
29.4K
Nixintel retweetledi
SANS Institute, EMEA
SANS Institute, EMEA@SANSEMEA·
Europe's first-ever SANS OSINT Summit is here. 🔍 15 – 16 June 2026 | Amsterdam Hands-on training + practitioner-led sessions on what's actually working in OSINT right now. Seats are limited — don't miss out 👉 go.sans.org/3Ui2Eg #OSINT #ThreatIntel #Amsterdam
SANS Institute, EMEA tweet media
English
0
1
0
453
Nixintel retweetledi
Jimmy Wales
Jimmy Wales@jimmy_wales·
I should add "Wikipedia could be compelled to" is not the same thing as "Wikipedia will". My own estimate of the odds of us demanding identity for all users in order to edit Wikipedia is exactly zero. At that point, it isn't a regulatory or legal question alone - it gets to be political. Will they dare block Wikipedia if we simply flatly refuse? Will we need to send them pictures of hamsters in response to fine demands?
English
29
73
622
59.1K
Nixintel retweetledi
Benonwine
Benonwine@benonwine·
WOW The BBC is now suggesting the UK needs fewer dogs. That’s… quite something. 😮😳🫢 Dogs are part of everyday life for millions of people in the UK and we are a dog loving people. My MESSAGE to the BBC, F***K OFF! What’s yours?
English
2K
3K
15K
642.2K
Nixintel
Nixintel@nixintel·
Much to agree with here. Attribution of foreign influence campaigns is generally weak or non-existent in most reporting. FIMI research also lacks consistent ways to separate dissenting organic opinion from hostile foreign influence, and so too often treats them as the same thing. One effect of this seems to be that the "disinformation" bogeyman appears to be bigger than it really is.
Stéphane Luçon@sfglucon

x.com/i/article/2038…

English
0
0
3
335
90s Football
90s Football@90sfootball·
Who remembers the Orbis World Cup 90 ring binder?
90s Football tweet media
English
30
42
698
33.5K
Nixintel retweetledi
Tobias Schneider
Tobias Schneider@tobiaschneider·
What is especially scarring is that many of us have previously hired humans for the kinds of tasks that we now hand to AI and it is plain evident that frontier models already outperform early career graduates with advanced degrees at lots of intellectual tasks!
Philippe Lemoine@phl43

The replies to this tweet are completely delusional. It's really weird to me the lengths at which people go to deny how useful AI can be and exaggerate its flaws.

English
1
1
27
3.9K
Nixintel retweetledi
Ed Conway
Ed Conway@EdConwaySky·
Good to see our salt story followed up here👇 The slow motion collapse (actually no longer slow motion) of Britain's chemicals industry is a BIG deal. But NB it's not just salt. Ammonia, sulphuric acid, ethanol, and a host of other foundational chemicals too. All going or gone
spiked@spikedonline

The factory that produces half of Britain’s salt could soon be killed by Net Zero. For the first time in history, England is set to be a net importer of the world’s most important mineral. This will be catastrophic for UK manufacturing, says Ruari McCallion buff.ly/M8o8O6P

English
153
1.7K
4.8K
320.7K

Keşfet

@vonderleyen @P_Kallioniemi @MalcontentmentT @Bermuda060404 @90sfootball @elonmusk @BarackObama @taylorswift13