Items tagged with: infosec


Great news! The latest episode of Security Take(s) Two is finally posted! In this episode @0xBennyV and @chetwisniewski look into the attacks against the City of Atlanta in 2018. Did they cost the city $2.6 million, $5 million or $17 million? More importantly why!? #InfoSec #Podcast https://securitytaketwo.com/cityofatlanta/
Security Take Two podcast logo. It is a movie clapboard with the episode details. City of Atlanta, Season 01, Length 30:35, Episode 004, Date 2024-11-15, Talent Ben Verschaeren and Chester Wisniewski





Since it's Halloween...

The Malware Mash!

https://thecyberwire.com/stories/79cb0c1f7ff74f638c54fddeaa6177ae/the-malware-mash

#infosec


Short and to the point: why it is worth using Signal and how to install it (suitable for passing on to less technical friends whom we want to win over to the one true messenger 😉)

https://www.youtube.com/watch?v=iwB_zC51KlY

PS. Can we still count on any Invidious instance, or has YouTube already defeated them all?

@signalapp @mateuszchrobok #infosec #cyberbezpieczenstwo #signal


I have a friend who is being harassed and threatened semi-anonymously via Facebook. She knows *who* it is, but Facebook and the police are characteristically being useless.

I am kinda useless at this side of deanonymization, but does anyone have advice or resources for deanonymizing enough to get cops to move?

#infosec #batsignal


Reminder: As we approach Cybersecurity Awareness Month (Do not abbreviate) we need to not go down the rabbit hole when providing advice to our friends, family, and the media.

People are only likely to pay attention to personal computer security for maybe 2 minutes a year. Don't hype threats that aren't there (Public WiFi, Juice Jacking, Gen AI threats), focus on the basics that are causing most of the harm... Patch your iPhone/Android/PC/Mac/Router and use a password manager.

#InfoSec


After checking about:config, "Hide weather on New Tab" sets the config value "browser.newtabpage.activity-stream.feeds.showWeather" to "false", but leaves "browser.newtabpage.activity-stream.feeds.weatherfeed" as the default of "true". So, my suspicion was correct, #Firefox is still sending your location off every 30 minutes to get the weather in the background by default even if you disable this new widget: https://searchfox.org/mozilla-central/source/browser/components/newtab/lib/WeatherFeed.sys.mjs #infosec #privacy
a screenshot of Firefox's about:config after hiding the weather widget, showing weatherfeed unmodified as true and showWeather modified to false.


Ok, here's the deal on the "YubiKey cloning attack" stuff:

Yes, a way to recover private keys from #YubiKey 5 has been found by researchers.

But the attack *requires*:

👉 *physically opening the YubiKey enclosure*

👉 physical access to the YubiKey *while it is authenticating*

👉 non-trivial electronics lab equipment

I cannot stress this enough:

✨ In basically every possible scenario you are safer using a YubiKey or a similar device, than not using one. ✨

#InfoSec #YubiKey5


Pleased to announce the launch of Surveillance Watch, an interactive map and resource that documents the hidden connections within the opaque surveillance industry: https://www.surveillancewatch.io/

By mapping out the intricate web of surveillance companies, their subsidiaries, partners, and financial backers, we hope to expose the enablers fueling this industry's extensive rights violations, ensuring they cannot evade accountability for being complicit in this abuse.

#Privacy #Surveillance #InfoSec


🤯 The level of sophistication of the XZ attack is very impressive! I tried to make sense of the analysis in a single page (which was quite complicated)!

I hope it helps to make sense of the information out there. Please treat the information "as is" while the analysis progresses! 🧐 #infosec #xz



A couple things to think about here:

This appears to be a malicious maintainer - not a compromised account. Meaning the person themselves coded this in and pushed it out.

So:
1) Did they try and backdoor any other code?
2) Are they part of a greater campaign, or is anyone else helping them?

This is a massive breach of trust.

That said! Huge kudos to Andres Freund, Florian Weimer, and others in finding this.

A lot of eyes are on this now. CISA is involved. Major distros are involved, etc. Many eyes and such.

#infosec #linux #foss #hacking #cve20243094 #cve



When interviewing a man and woman together, I will often deliberately give the woman the last word. I'm not overt about it, I simply structure the conversation that way.

I've noticed that quite often the man will then jump in with, "one more thing," he wants to share.

Men — don't do this!

Ladies, I'm wondering how often this sort of thing happens to you. I'm guessing it's common, but I'm also aware my perception might be skewed by my own annoyance by it.

#infosec #podcast


Having trouble thinking of password security questions? Try one of these:

#infosec

NIHILISTIC PASSWORD SECURITY QUESTIONS.

BY SOHEIL REZAYAZDI

What is the name of your least favorite child?

In what year did you abandon your dreams?

What is the maiden name of your father's mistress?

At what age did your childhood pet run away?

What was the name of your favorite unpaid internship?

In what city did you first experience ennui?

What is your ex-wife's newest last name?

What sports team do you fetishize to avoid meaningful discussion with others?

What is the name of your favorite canceled TV show?

What was the middle name of your first rebound?

On what street did you lose your childlike sense of wonder?

When did you stop trying?


In ads: Our apps mind their business. Not yours.

In court: Given Apple’s extensive privacy disclosures, no reasonable user would expect that their actions in Apple’s apps would be private from Apple.

#Privacy #Security #Cybersecurity #Apple #iPhone #InfoSec #dataprivacy



Excerpt from the court document:


"Given Apple’s extensive privacy disclosures, no reasonable user would expect that their actions in Apple’s apps would be private from Apple."

Civil Case No.: 5:22-CV-07069-EJD
Case 5:22-cv-07069-EJD Document 122 Filed 12/08/23 Page 30 of 41


If you don’t use a password manager, what’s the reason?

Feel free to comment.

Reposts appreciated for more reach.

#infosec

  • Don't know how to use it (18%, 21 votes)
  • Don't trust it (77%, 90 votes)
  • Don't know what it is (4%, 5 votes)
116 voters. Poll end: 9 months ago


The endgame is almost always #spam. LI accounts frequently have complete copies of their owners' professional address books, a valuable set of mostly high-quality addresses.

Very rarely (all day every day, but only to a tiny percentage of people) they are going after the account owner specifically or hitting contacts of their primary target to impersonate them.

#InfoSec


Someone from Bardstown, Kentucky has just been trying to log into my LinkedIn account using credentials leaked from elsewhere, and I'm here chuckling about the little they would stand to gain from this fraudulent access. What's the endgame for compromised LinkedIn accounts? #InfoSec



I'm positively impressed by the latest shame scam I just received. It even includes a password of mine that was reported as part of a dump several years ago, which makes their claim that they somehow installed a trojan virus on all my devices and caught me on camera masturbating way more impactful.

I wanted to congratulate them for the marginal ingenuity but unfortunately they do indicate it's useless to reply directly to the sender email address. 😞

#InfoSec


Thank you so much to @zackwhittaker for abandoning Patreon over their privacy-invasive insanity and taking the risk of moving to a new platform to respect his newsletter's subscribers. I for one will be increasing my support in gratitude. #InfoSec


The IT Girls Foundation has prepared an e-book, "Bezpieczni online - twój klik ma znaczenie" ("Safe online - your click matters"); it is worth a read

https://sklep.itgirls.org.pl/e-book-bezpieczni-online-twoj-klik-ma-znaczenie/

(the free download requires giving your first name, last name and e-mail address)

#infosec #cyberbezpieczenstwo #ebook


This phishing message I found in Spam this morning is the most convincing I've seen in a while, at least for people who don't pay attention, but let's talk about all the signs it's fake if you know what to look for.
#infosec #phishing
🧵 1/12
Screenshot of LastPass phishing email with suspicious aspects marked with red lines and arrows. Read the thread to find out what's wrong with it!


I guess I shouldn't be surprised, but I am certainly disappointed that the closed captions on the Black Hat videos, which I paid $2500 for, are wildly inaccurate and have not been proofread. I feel bad for deaf people who rely on these, as the machine-generated ones are questionable at best. For free content I understand relying on it, or even for real-time content, but for recorded video that you pay a premium for this is unacceptable. #InfoSec #AI #Accessibility


This is great news, but despite working for a cybersecurity tool creator, WTF? Anyone who cares what the law says will only make your tool safer. Anyone we should worry about doesn't care about Minnesota's law. What an odd carve-out that seems dangerously misguided. https://techhub.social/@Techmeme/110426754830120294 #InfoSec


Minnesota Governor Tim Walz signs the broadest-yet right-to-repair bill, with exceptions including game consoles and cybersecurity tools, effective July 1, 2024 (Elizabeth Chamberlain/iFixit News)

https://www.ifixit.com/News/75965/minnesotas-new-right-to-repair-law-will-give-the-whole-world-repair-manuals
http://www.techmeme.com/230524/p36#a230524p36



"I can't trust online password managers, it's way better to have a self-hosted version like Keepass... I'm a proud user of...
... what. the. fuck. " https://www.bleepingcomputer.com/news/security/keepass-exploit-helps-retrieve-cleartext-master-password-fix-coming-soon/

#infosec #cybersecurity #passwordmanagers


If you access corporate email on a personal device that can be unlocked with FaceID, you must change your face at least once every sixty days.

You may not reuse any of the most recent 12 faces.

#infosec #PasswordExpiration #BYOD


☣️ This is why you should never trust your important information (like passwords!) to proprietary software like @1password.

#OpenSource #FreeSoftware #privacy #security #infosec

🤡 #1Password becomes #spyware:

https://blog.1password.com/privacy-preserving-app-telemetry/


So Google is now preventing people from removing location data from photos taken with Pixel phones.

Remember when Google's corporate motto was "don't be evil?"

Obviously, accurate location data on photos is more useful to a data mining operation like Google.

From Google: "Important: You can only update or remove estimated locations. If the location of a photo or video was automatically added by your camera, you can't edit or remove the location."

It's enshittification in action.

Source: https://support.google.com/photos/answer/6153599?hl=en&sjid=8103501961576262529-AP

#technology #tech @technology #business #enshitification #Android #Google @pluralistic #infosec


All the more reason Tiktok can't be trusted and that Project Texas is a sham. They have been abusing data entrusted to them by their users for years and it didn't require the data to be "in China". Data sovereignty is a sham and jingoistic bullshit to start with. Is it encrypted? No? Then it is vulnerable. China, Texas, the ISS, doesn't matter. The only safe unencrypted data is data on a Space X rocket. https://securitycafe.ca/@globeandmail@botsin.space/110234264207587278 #InfoSec #TikTok

‘Our data has never been stored in China,’ TikTok CEO tells Ted Talks


Did you know, it's now possible to fingerprint by HTTP/2?

On Firefox, I recommend you disable the protocol until we find a solution to either spoof it or break the fingerprinting method. It works even without #javascript.

The whitepaper 👉 https://www.blackhat.com/docs/eu-17/materials/eu-17-Shuster-Passive-Fingerprinting-Of-HTTP2-Clients-wp.pdf

#privacy #fingerprinting #infosec #opsec #cybersecurity #http #http2 #browserleaks

Test yourself at https://browserleaks.com/http2



Edit: main site unblocked. #Yunohost login page still blocked.



Website of Reykjavík #Hackerspace, Hakkavélin, just got flagged by #Google Safe Browsing as "deceptive"; anyone who visits this site gets a scary red warning:
https://hakkavelin.is/

Thing is, I manage this site. It's literally a single static HTML file.

This is what we get for allowing shitty journalists to farm clicks by abusing the words "hacker" and "hack" to mean "cybercriminal" and "attack".

#FuckGoogle #Hackers #InfoSec
Full-page red scary warning about hakkavelin.is, in Icelandic.


#ChatGPT conversation histories leaked:
https://www.pcmag.com/news/openai-confirms-leak-of-chatgpt-conversation-histories

Can you guess who or what Sam Altman from #OpenAI blames for it?

"A bug in an open source library."

Yup. #FLOSS is great for #OpenAI as a way to build on somebody else's code, and as a way to train their models on somebody else's code. But as soon as shit hits the fan, it *will* get thrown under the bus.

Wanna *bet* it's not an #AGPL library? SV hypercapitalists keep away from those!

#FOSS #InfoSec


Today, I am spending some time at @pancakescon - a pop-up virtual hacker / infosec convention on Chicago time. Just started and running for the next ~10 hours. Come join us! #infosec #hacking


Am I the only one irritated by the military jargonization of #InfoSec? The PayPal cred stuffers aren't actors. They are criminals, thugs, thieves, opportunists, scammers and fraudsters. They are not actors.