@shieldigital

🇬🇧 ChatBot de Reino Unido GOVUK Chat El Gobierno del Reino Unido ha lanzado GOV,UK Chat, un nuevo asistente de inteligencia artificial integrado en la aplicación oficial. Este chatbot permite a los ciudadanos obtener respuestas sobre servicios gubernamentales utilizando información procedente de miles de páginas de orientación oficial disponibles en línea. Sin embargo, existe una limitación a destacar: no es posible utilizarlo de forma anónima. Para acceder al asistente, es necesario iniciar sesión o crear una cuenta GOV,UK One Login antes de realizar cualquier consulta. La información está GOV,UK sin necesidad de identificarse, sin embargo las consultas no lo son. ¿Por qué hay que identificarse para ciertas consultas? 🤔

Apple and Google are gradually expanding their use of hardware-based attestation. They're convincing a growing number of services to adopt it. Google's Play Integrity API and Apple's App Attest API are very similar. Apple brought it to the web via Privacy Pass, which Google intends on doing too. Google's Play Integrity API requires hardware attestation for the strong integrity level and is gradually phasing in requiring it for the more commonly used device integrity level. Apple already has it as a requirement. Over the long term, this will increasingly lock out hardware and OS competition. The purpose of these systems is disallowing people from using hardware and software not approved by Apple or Google. This is wrongly presented as being a security feature. Banks and government services are the main ones adopting it but Apple and Google are encouraging every service to use it. Apple's Privacy Pass brought hardware attestation to the web to help with passing captchas on their own hardware. Many people saw that as harmless since few sites would be willing to lock out non-Apple-hardware users. Apple and Google are both likely to bring broader hardware attestation to the web. Google's reCAPTCHA is planning an approach where they use Privacy Pass on Apple hardware, their own approach on Google Mobile Services Android devices and a QR code scanning system to require an iOS or Google certified Android device for Windows and other systems: https://t.co/7rQnioRa8A Banking and government services increasingly require using a mobile app where they can use attestation to force using an Apple or Google approved device and OS. Apple's privacy pass, Google's 'cancelled' Web Environment Integrity and now reCAPTCHA Mobile Verification are bringing this to the web. Current media coverage for reCAPTCHA Mobile Verification misunderstands it and the impact of it. They're bringing a hardware attestation requirement to Windows, desktop Linux, OpenBSD, etc. by requiring a QR scan from a certified smartphone to pass reCAPTCHA in some cases. They could expand it more. Control over reCAPTCHA puts Google in a position where they can require having either iOS or a certified Android device to use an enormous amount of the web. Google defines certification requirements for Android which includes forcing bundling Google Chrome, etc. It's enormously anti-competitive. Google's Play Integrity API bans using GrapheneOS despite it being far more secure than anything they permit. It also bans using any other alternative. This isn't somehow specific to an AOSP-based OS. You can't avoid this by using a mobile OS based on FreeBSD instead. You'll just be more locked out. Google's Play Integrity API permits devices with no security patches for 10 years. The device integrity level can be bypassed via spoofing but they can detect it quite well and block it once it starts being done at scale. The strong integrity level requires leaked keys from TEEs/SEs to bypass it. It doesn't provide a useful security feature, but it does lock out competition very well. Services requiring Apple App Attest or Google Play Integrity are primarily helping to lock in Apple and Google having a duopoly for mobile devices. Play Integrity is more relevant due to AOSP being open source. Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them. Instead of governments stopping Apple and Google from engaging in egregiously anti-competitive behavior, they're directly participating in locking out competition via their own services. Requiring people to have an Apple device or Google-certified Android device is anti-competition, not security. reCAPTCHA Mobile Verification will currently work with sandboxed Google Play on GrapheneOS but it clearly exists to provide a way for them to start using hardware attestation on systems without it. People without an iOS or Android device will be locked out when this is required even without that. This isn't about security or any missing functionality. GrapheneOS can be verified via hardware attestation. Google bans using GrapheneOS for Play Integrity because we don't license Google Mobile Services and conform to anti-competitive rules already found to be illegal in South Korea and elsewhere. Services shouldn't ban people from using arbitrary hardware and operating systems in the first place. Google's security excuse is clearly bogus when they permit devices with no patches for 10 years but not a much more secure OS. It's for enforcing their monopolies via GMS licensing, that's all.

Este es el orden que se da cuando comienzas a proteger tu privacidad: 1. Entendimiento digital 2. Privacidad digital 3. Soberanía digital 4. Pragmatismo 5. Privacidad física 6. Soberanía física 7. Pragmatismo 8. "Preparacionismo" Digital 9. "Preparacionismo" Físico 10. Comprensión del mundo digital 11. Comprensión del mundo físico 12. Esperar digitalmente 13. Esperar físicamente ¿Qué esperar? A medida que te acercas al punto 13, lo sabes. ¿En que punto te encuentras?

🩸$526M in BTC shorts liquidated in 24 hours Bitcoin rallied from $74K to $78K and the move had all the hallmarks of a classic short squeeze. At 13:00 UTC alone, the market absorbed a single $357M short liquidation spike. The takeaway: the rally was amplified not by fresh demand, but by the forced closure of bearish positions. This matters because a short squeeze can accelerate price very rapidly - but on its own, it does not confirm sustainable spot demand.

‼️A full-chain one-click exploit for iOS 18 through 18.7, bundled with a bonus stealer called "GHOSTBLADE," is allegedly being sold on a popular cybercrime forum. ‣ Threat Actor: rosestealer ‣ Category: Exploit / Malware ‣ Name: "EL Muncho" Full-Chain Exploit + GHOSTBLADE Stealer ‣ Target: iOS 18 to 18.7 ‣ Price: $50,000 (negotiable) Full-chain exploit stages: 01 - RCE in Safari: Victim loads a malicious page (one-click) resulting in Remote Code Execution inside the Safari process. 02 - Double Sandbox Escape: Escape WebContent sandbox to GPU Process to mediaplaybackd (higher privileges). 03 - Kernel Privilege Escalation: Full kernel read/write, complete control over the device. 04 - Post-Exploitation: Runs the GHOSTBLADE Stealer, injecting payload into a high-privilege process. All data exfiltrated back to C2. GHOSTBLADE Stealer dumps: ▪️ sms.db ▪️ ChatStorage.sqlite (WhatsApp) ▪️ Keychain / Passwords ▪️ Wi-Fi Passwords ▪️ iCloud Files ▪️ Telegram Data (messages, Axolotl.sqlite) ▪️ Device Keychain (passwords, Wi-Fi, auth tokens, saved logins) ▪️ Safari Browsing History, Cookies, and Saved Passwords ▪️ Signed-in Accounts and Device/Account Identifiers ▪️ SIM Card / Cellular Information ▪️ Full Location History ▪️ Saved/Known Wi-Fi Networks and Passwords ▪️ Find My iPhone Settings and Location Services Data ▪️ Photos (including metadata, hidden photos, screenshots) ▪️ iCloud Drive Files ▪️ Notes Database, Calendar Database ▪️ Health Data (Apple Health app) ▪️ Cryptocurrency Wallet and Exchange Data (Coinbase, Binance, MetaMask, Ledger, Trezor, Exodus, Phantom) ▪️ Keychain Items Related to Banking/Financial Apps Operates as hit-and-run with data exfiltrated to C2 and traces/logs deleted automatically.

📱 Más noticias de miedo contra Signal Recientemente se ha hecho viral una noticia: "Se logra romper Signal, han accedido a la app". Sin embargo, la realidad (como de costumbre) es algo diferente. A pesar de lo que se trata de hacer pensar, no se ha roto el cifrado de Signal ni nada por el estilo. Lo que ha sucedido es que tras haber accedido a un dispostivo con iOS, has logrado extraer ciertos mensajes, gracias a las notificaciones Push. Cuando llegan mensajes a través de Signal, el iPhone almacena automáticamente vistas previas de las notificaciones push (incluyendo el nombre del remitente y el contenido del mensaje) en una base de datos local del dispositivo. Estas vistas previas permanecen en el caché de notificaciones aunque la aplicación se elimine por completo. Solo pudieron acceder a mensajes entrantes gracias a herramientas forenses pero aunque el mensaje estuviese pensado para autodestruirse, si se había almacenado en la caché de notificaciones en algún momento, podía reconstruirse. Esto no es algo que afectase solo a Signal, sino a cualquier aplicación que hubiese hecho un uso similar de las notificaciones. Esto destaca 2 cosas: En primer lugar, que hay que ser consciente de todos los vectores de riesgo a los que nos exponemos. En segundo lugar, la importancia de apagar nuestro dispositivo para iniciarlo "limpio". Por otro lado, la difusión de forma errónea de lo sucedido, da que pensar, pues parece que hay cierto interés en aparentar que la app no es segura.