Know Thy Enemy: The Taxonomies That Meta Uses to Map the Offensive Privacy Space

This talk introduces and examines privacy-inclusive taxonomies Meta has developed and uses to track privacy weaknesses, enumerate privacy adversarial TTPs, deconflict privacy and security efforts, and scale detection and remediation efforts. Taxonomies, such as #MITRE's #CVE, #CAPEC, and #ATT&CK® #frameworks, have long been used to track and understand cybersecurity weaknesses and the tactics of cyber adversaries. These taxonomies help #organizations stay abreast of trends, guide software development best practices, and pinpoint the most effective remediation and detection strategies to common #cybersecurity issues. As the field of offensive privacy matures, organizations require similar taxonomies to understand #privacy threats and align efforts across #security and privacy teams....

By: Zach Miller , David Renardy

Full Abstract and Presentation Materials

Bypassing the “run-as” debuggability check on Android via newline injection | Meta Red Team X –

An attacker with ADB access to an Android device can trick the “run-as” tool into believing any app is debuggable. By doing so, they can read and write private data and invoke system APIs as if they were most apps on the system—including many privileged apps, but not ones that run as the system user. Furthermore, they can achieve persistent code execution as Google Mobile Services (GMS) or as apps that use its SDKs by altering executable code that GMS caches in its data directory.

Google assigned the issue CVE-2024-0044 and fixed it in the March 2024 Android Security Bulletin, which becomes public today. Most device manufacturers received an advance copy of the Bulletin a month ago and have already prepared updates that include its fixes.

#Infosec #Vulnerabilities #CVE #Android #ADB