Tag Archive for: Engineers

Google Engineers Hacked The PlayStation Portal And Turned It Into A PSP Emulator


Sony’s PlayStation Portal handheld is designed to stream games from your PS5, but that hasn’t stopped Google engineers from hacking the device to run emulated PSP games. Google security engineer Calle Svensson and cloud vulnerability researcher Andy Nguyen showed off some of their work on X/Twitter, revealing a PlayStation Portal running the PSP version of Grand Theft Auto 3 through the PPSSPP emulator.

Nguyen added in a second tweet that the hack is entirely software-based, allowing the engineers to exploit vulnerabilities in the handheld without needing to change its hardware. Don’t expect this hack to go public, as Nguyen said there are currently no plans to release it.

Sony has only released a few consoles of the portable variety over the years, as it ventured into this market with the PSP in 2004 and followed it up with the PS Vita in 2011. Each handheld console received several revisions over the years, but the PlayStation Portal takes a different approach to stand out from competitor devices like the Nintendo Switch, Steam Deck, and ROG Ally. Combining a sharp display with DualSense-inspired controllers, the PlayStation Portal streams games from your PS5 over Wi-Fi and was launched late last year.

“With a limited use-case and inconsistent performance from remote play, as well as the way it rarely takes advantage of the PS5 ecosystem, the PlayStation Portal is tough to recommend,” Michael Higham wrote in GameSpot’s PlayStation Portal hands-on feature. “If the PS5 is your primary gaming platform, and if you have a strong internet connection throughout your home, and if you’re in situations where you’re eager to play PS5 games without access to the TV the console is connected to, then you’ll get plenty of use out of the Portal.”

Engineer’s Failure to Update Plex Software Led to Massive Data Breach


Mar 07, 2023 | Ravie Lakshmanan | Password Security / Software Update

The massive breach at LastPass was the result of one of its engineers failing to update Plex on their home computer, in what’s a sobering reminder of the dangers of failing to keep software up-to-date.

The embattled password management service last week revealed how unidentified actors leveraged information stolen from an earlier incident that took place prior to August 12, 2022, along with details “available from a third-party data breach and a vulnerability in a third-party media software package to launch a coordinated second attack” between August and October 2022.

The intrusion ultimately enabled the adversary to steal partially encrypted password vault data and customer information.

The second attack specifically singled out one of the four DevOps engineers, targeting their home computer with keylogger malware to obtain the credentials and breach the cloud storage environment.

This, in turn, is said to have been made possible by exploiting a nearly three-year-old now-patched flaw in Plex to achieve code execution on the engineer’s computer, the streaming media service told The Hacker News in a statement.

The vulnerability in question is CVE-2020-5741 (CVSS score: 7.2), a deserialization flaw impacting Plex Media Server on Windows that allows a remote, authenticated attacker to execute arbitrary Python code in the context of the current operating system user.

“This issue allowed an attacker with access to the server administrator’s Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it,” Plex said in an advisory released at the time.

The shortcoming, which was discovered and reported to Plex by Tenable in March 2020, was addressed by Plex in version 1.19.3.2764 released on May 7, 2020. The current version of Plex Media Server is 1.31.1.6733.

“Unfortunately, the LastPass employee…

A Top LastPass Engineer’s Home PC Got Pwned by a Hacker’s Keylogger


Photo: Maor_Winetrob (Shutterstock)

Beleaguered password manager LastPass has announced yet another serious security screwup and, this time, it may be the final straw for some users.

For months, the company has been periodically providing updates about a nasty data breach that occurred last August. At the time, LastPass revealed that a cybercriminal had managed to worm their way into the company’s development environment and steal some source code but claimed there was “no evidence” that any user data had been compromised as a result. Then, in December, the company made an update, revealing that, well, actually, yeah, certain user information had been compromised, but couldn’t share what, exactly, had been impacted. Several weeks later it did reveal what had been impacted: users’ vault data, which, under the right, extreme circumstances, could lead to total account compromises. And now, finally, LastPass has provided yet more details, revealing that the fallout from the breach was even worse than previously imagined. It’s probably enough to make some users run screaming for the hills.

According to a press release published Monday, the initial August data breach allowed the cybercriminal in question to hack into the home computer of one of LastPass’s most privileged employees—a senior DevOps engineer, and one of only four employees with access to decryption keys that could unlock the platform’s shared cloud environment. The hacker subsequently laced the engineer’s computer with a keylogger, which allowed them to steal their LastPass master password. Using the PW, the cybercriminal managed to break into the engineer’s password vault and, filching necessary decryption keys from the engineer’s account, proceeded to penetrate LastPass’s shared cloud environment, where they stole a whole load of important data.

The company admits that the hacker “exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”

In short:…
