What makes you think that? Secure Boot prevents this rootkit from running and is the recommended mitigation:
> Bootkitty is signed by a self-signed certificate, thus is not capable of running on systems with UEFI Secure Boot enabled unless the attackers' certificates have been installed.
> To keep your Linux systems safe from such threats, make sure that UEFI Secure Boot is enabled
In fairness, the blog post confusingly says this in the next bullet point:
> Bootkitty is designed to boot the Linux kernel seamlessly, whether UEFI Secure Boot is enabled or not, as it patches, in memory, the necessary functions responsible for integrity verification before GRUB is executed.
However, this would still require Bootkitty to have gained execution already, which it wouldn't be able to if Secure Boot was enabled and the malicious actor's certificates weren't installed.
Hello, I am the Bootkitty developer. The reason our bootkit is self-signed is because it uses the LogoFAIL vulnerability to register a MOK on the system to bypass Secure Boot, which is why our signature is included. I will leave an analysis article about LogoFAIL at the link below.
https://www.binarly.io/blog/logofail-exploited-to-deploy-boo...
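A defender-side check that fits the MOK enrollment described in the comment above: enumerate the X.509 entries in an EFI signature list variable (such as MokListRT or db, read from efivarfs) and flag any certificate whose fingerprint is not on a known-good list. This is an added illustration, not code from any commenter or from the ESET or Binarly write-ups; the signature list layout follows the UEFI EFI_SIGNATURE_LIST structure, and the sample entries below are constructed placeholders rather than real certificates.

```python
"""List X.509 entries in an EFI signature list and flag unexpected ones."""
import hashlib
import struct
import uuid

# SignatureType GUID for X.509 certificate entries (EFI_CERT_X509_GUID).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

def fp(data: bytes) -> str:
    """SHA-256 fingerprint of a raw (DER) certificate blob."""
    return hashlib.sha256(data).hexdigest()

def parse_esl(blob: bytes):
    """Yield (signature_type, owner_guid, signature_data) for every entry in a
    blob of concatenated EFI_SIGNATURE_LIST structures (efivarfs content with
    the 4-byte attribute prefix already stripped)."""
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size < 16:
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def unexpected_certs(blob: bytes, allowlist: set) -> list:
    """Fingerprints of X.509 entries that are not on the allowlist."""
    return [fp(data) for sig_type, _owner, data in parse_esl(blob)
            if sig_type == EFI_CERT_X509_GUID and fp(data) not in allowlist]

def esl_for_cert(cert: bytes, owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST holding a single X.509 entry (used only to
    construct the sample below; shim writes real lists the same way)."""
    sig_size = 16 + len(cert)
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
    return header + owner.bytes_le + cert

def read_efivar(path: str) -> bytes:
    """Read an efivarfs variable and drop its 4-byte attribute prefix, e.g.
    /sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23."""
    with open(path, "rb") as f:
        return f.read()[4:]

# Constructed sample: placeholder "certificates", not real DER; one is expected.
VENDOR_CERT = b"constructed-vendor-cert"
ROGUE_CERT = b"constructed-rogue-cert"
SAMPLE_MOKLIST = esl_for_cert(VENDOR_CERT) + esl_for_cert(ROGUE_CERT)
ALLOWLIST = {fp(VENDOR_CERT)}

if __name__ == "__main__":
    for fingerprint in unexpected_certs(SAMPLE_MOKLIST, ALLOWLIST):
        print("unexpected X.509 entry in signature list:", fingerprint)
```

On a real system the allowlist is the set of fingerprints of the distro's shim and vendor certificates; any entry outside it deserves a look, and newer shims may split the runtime list across several MokListRT variables.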
Secure boot prevents this proof of concept but it doesn't prevent all UEFI boot kits and this particular kit will likely evolve.
On Windows: It took several years until the first two real UEFI bootkits were discovered in the wild (ESPecter, 2021 ESET; FinSpy bootkit, 2021 Kaspersky), and it took two more years until the infamous BlackLotus – the first UEFI bootkit capable of bypassing UEFI Secure Boot on up-to-date systems – appeared (2023, ESET).
Certainly true if the target application is running on the same host as Wireshark. But mitmproxy is very helpful when the device or application isn't fully under your control, for example if you can't set a proxy.
Mitmproxy also has a few features which make it a lot easier to use than wireshark alone, even if the aim is only to inspect TLS traffic. Including the wireguard server mode or transparent proxying for example.
Another approach is to route things through a managed switch and use port mirroring to get at the traffic. More expensive or not, maybe dependent on whether you have managed switches in the network or not. Less intrusive though.
The email address wouldn't be in the document directly, only in the SVG. Whether the title of the SVG contains "Email us" or the email address wouldn't affect how it works.
If the scraper is searching the DOM rather than simply downloading the webpages, then the email will be found regardless.
You can bind a device to another, so while you would need the ability to issue the command, a server wouldn't be required to handle the state propagation.
Exactly. On a bigger scale, the time wasted by people redoing the formatting because it isn't pasted by default would outweigh that wasted by people writing blog posts about having to remove it.
And if they're that animated by it, they're likely the sort of user that would look for a solution and change the default or learn how to paste in their software of choice without formatting.
I wonder if this lets you measure the average attention span of visitors? I'd be curious to see the impact on the average of the various platforms where this is shared.
The location report is signed with a public key advertised by the "lost" device.
To retrieve the device's location and to prevent Apple from knowing who lost the device, all signed in users can download any location report for a given public key.
That doesn’t explain how the keylogger obtains the set of things uploaded. Or is it just spamming the network and hoping all the updates make it? Like you don’t even know which beacon made it out.
Yep, that’s pretty much it. There doesn’t seem to be a guarantee that you’ll get all the “packets”. I’m not sure what the Find My update rate is either so I don’t imagine this will be very effective to exfiltrate data.