
Items tagged with: infoSEc


I'm hitting many bugs in @Tutanota these days. For instance, just this morning when I opened the Mail Android app, I got "Error message: You forgot to migrate your databases! sys.version should be >= 114 but in db it is 112", and a "404 Not Found" on a calendar event. For this last one, it's probably because I deleted the event from the Tuta Calendar app, but that didn't stop it from displaying a reminder for the deleted event... And the unread email counter is constantly wrong 😫

#InfoSec #Privacy


The Macroeconomics Of Privacy and Dignity - Mike Hoye at the @matrix Conference 2024

"This is not your privacy this is OUR privacy this is the public good"

Love this. Very much agree with this thinking

youtube.com/watch?v=cs_V8Ns4gg…

#matrixconf #matrix #privacy #opsec #infosec #ethics


If you're #blind, #signal does nothing to protect your #privacy. They use #hcaptcha, so if you can't see the images, you have to enable cross-site cookies and give them a valid email. And if you want to contact Signal about it, sending your device info via unencrypted email is the only way. This is not how privacy or #security work. You're better off with iMessage. Or even WhatsApp! At least they don't hand your data over to a third-party captcha provider. Or send your device info via unencrypted email. #infosec #a11y #accessibility


Hackers, #Infosec specialists and #privacy advocates are going to be very important in the months to come. Please read the EFF's surveillance self-defense guide ssd.eff.org/ and reduce as much as possible the information that companies like Google or Amazon collect about you. Fedi admins and moderators, help us keep people away from online aggressors. If possible, make sure the services you use are based in Europe. All hands on deck.


Wild ass day in the Tor node operator world. Got an email from my VPS, forwarding a complaint from WatchDog CyberSecurity saying that my box was scanning SSH ports!

> Oh no, oh no, I knew I should have set up fail2ban, oh god why was I so lackadaisical!

So I remote in to the machine: no unusual network activity, no unusual processes, users, logins, command history, no sign that anything is doing anything I didn't tell it to do.

So what's up? Turns out there's been a widespread campaign where some actor is spoofing IPs to make it look like systems running Tor are scanning port 22: forum.torproject.org/t/tor-rel…

Operators from all over are saying they're getting nastygrams from their VPS providers because WatchDog is fingering their source IPs (which are being spoofed and NOT part of a global portscanning botnet).

@delroth did an amazing writeup of the whole thing here: delroth.net/posts/spoofed-mass…

#tor #infosec #cybersecurity #threatintel #privacy


🦾 6 AI Tools Used by Hackers

🔹Poisongpt
🔹Wormgpt
🔹Speechif.ai
🔹Deepl.ai
🔹Freedom.ai
🔹Passgan.ai

🔖#infosec #cybersecurity #hacking #pentesting #security


ICYMI: Internet Archive hacked, data breach impacts 31 million users

1. Nobody is safe.

2. A non-profit is using bcrypt to hash passwords, no reason why your for-profit company can't do the same.

#cybersecurity #security #infosec

bleepingcomputer.com/news/secu…


American Water shuts down online services after #cyberattack

American Water is the largest water and wastewater treatment utility in the US…

OT systems not affected - so appears this only affects their IT systems. Suspected nation state activity (Russia).

(I encourage everyone sharing this with their friends because cyber attacks absolutely can have direct “real world” consequences.)

#cybersecurity #infosec #security

bleepingcomputer.com/news/secu…


T-Mobile reaches $31.5 million settlement with FCC over past data breaches

Apparently, T-Mobile is now mandated to implement better cybersecurity controls, such as properly segmenting networks and using phishing-resistant #MFA.

This settlement covers the breaches in 2021, 2022, and 2023. Will we get a 2024 special? 💀

#cybersecurity #infosec #databreach

cyberscoop.com/t-mobile-fcc-se…


ODF wholesome encryption is the default password (symmetric) encryption mode in LibreOffice 24.8.

Supports AES-256-GCM and Argon2id.

LibreOffice 24.2/24.8 is required to open the encrypted files.

Disable: Tools > Options > Load/Save > General > ODF Format Version > 1.3 (drop down menu) > Apply > OK

AES: en.wikipedia.org/wiki/Advanced…
GCM: en.wikipedia.org/wiki/Galois/C…
Argon2: en.wikipedia.org/wiki/Argon2

Website: libreoffice.org
Mastodon: @libreoffice

#LibreOffice #Encryption #InfoSec #Privacy #E2EE


Cybersecurity course: 𝗢𝗻𝗹𝗶𝗻𝗲, 𝗵𝗮𝗻𝗱𝘀-𝗼𝗻, 𝗽𝗿𝗮𝗰𝘁𝗶𝗰𝗮𝗹, 𝗮𝗻𝗱 𝗳𝗿𝗲𝗲!
Czech Technical University's "Introduction to Security" class opens online for free! 14 weeks of deep attacking and defending. Join us and register for free. Starting on Sep 26th.
cybersecurity.bsy.fel.cvut.cz/
#cybersec #infosec #blueteam #redteam #education #security


Privacy-focused Tuta Mail Opens Second Office in Munich:

tuta.com/blog/tuta-in-munich

See how Tuta stacks up with other email providers in keeping your information private:

tuta.com/email-comparison

#infosec #cybersecurity #privacy


I can't even find the words. Like, just stop being weird to women.

#tech #infosec #technology


YouTube throttling from the technical side

#network #security #infosec #proxy #vless #vmess #youtube #roscompozor #ntc_party

Ready-made circumvention tools. Waujito wrote his own solution for Linux (github.com/Waujito/youtubeUnbl…), which targets YouTube only.
For Windows there is also GoodbyeDPI by ValdikSS (github.com/ValdikSS/GoodbyeDPI); for Linux there is also zapret (github.com/bol-van/zapret).
There is ByeDPI (github.com/hufrea/byedpi), which works as a proxy (Windows/Linux). There is also an Android version of ByeDPI (github.com/dovecoteescapee/Bye…), which works as a "fake VPN".

I recommend reading the detailed comment from ValdikSS on how to use these tools. (github.com/yt-dlp/yt-dlp/issue…)

If you want to dig deeper into this topic, you can read more here: https://ntc.party/t/замедление-youtube-в-россии/8055/ and https://ntc.party/t/обсуждение-замедление-youtube-в-россии/8074/

The comments are boiling over, as usual.

habr.com/ru/articles/832678/


I learned about secure software development on the job, but like ethical computing (which I've talked about before), this should also be included in formal education. Because of the current threat models, topics like security by design and zero-trust frameworks are critical when developing Internet systems. linuxfoundation.org/press/linu…

#securitybydesign #security #softwaredevelopment #zerotrust #infosec #cybersecurity #education


This dumb password rule is from SecureAccess Washington.

Central authentication for all Washington State services
(DoL, ESD, etc).

Password must have *exactly* 10 characters, but form happily
lets you enter more and only throws errors after submit,
providing no useful feedback.

dumbpasswordrules.com/sites/se…

#password #passwords #infosec #cybersecurity #dumbpasswordrules


🔐 C++ Must Become Safer — Andrew Lilley Brinker — Software Supply Chain Security

「 If a cheap-to-maintain legacy system is faced with the proposition of an expensive rewrite, it may instead be eliminated. The externalities of this kind of change are difficult to consider in advance and in general 」

alilleybrinker.com/blog/cpp-mu…

#C #CPP #Rust #MemorySafety #Infosec


This dumb password rule is from Virgin Media.

Your password needs to be between 8 and 10 characters long, with no
spaces, and must contain only numbers and letters. The first character
must be a letter.

Feb 2020 Update: policy remains the same but the description is hidden
leaving you to guess the acceptable length/chars. Users are now lef...

dumbpasswordrules.com/sites/vi…

#password #passwords #infosec #cybersecurity #dumbpasswordrules


This dumb password rule is from Banque de Tahiti.

You have to enter your password using this *very* Frenchy keypad. You don't have lowercase letters, the blanks are not spaces but just non-clickable gaps, but as a compensation you have some weird symbols that your keyboard does not have a key for (e.g. `µ`).

No accessible version available.

dumbpasswordrules.com/sites/ba…

#password #passwords #infosec #cybersecurity #dumbpasswordrules


A recap: We've covered a number of things on this channel so far, from an @elementary review to a look at code editors, data science tools, screen readers, hacking tools like Burp Suite and platforms like TryHackMe, all from a screen reader user's perspective. I'm only just getting started though, intending to cover a wide variety of different things, from more #FOSS tools, audio/video editing, programming and hacking tools etc.
Today's stream will be more #tryHackMe content, with a look at #HackTheBox Academy next week. Anyone who wants this kind of feedback, and doesn't mind constructive, but thorough, feedback, come talk to me :) We'll be going live today at 3 PM EST over at https://twitch.tv/ic_null and youtube.com/@lindlyCoding #infoSec #cybersecurity #accessibility #selfPromo #twitch #youtube #streaming


STAGGERING: Nearly all #ATT customers' text & call records breached.

An unnamed entity now has an NSA-level view into Americans' lives.

Damage isn't limited to AT&T customers.

But everyone they interacted with.

Also a huge national security incident given government customers on the network.

And of course, third party #Snowflake makes an appearance.

cnn.com/2024/07/12/business/at…

#infosec #cybersecurity #telco #cellular #privacy #security #breach


Do you want to help secure GNOME and get a reward? 🏅

We are testing a new program in which people get a payment for reporting and/or solving vulnerabilities.

yeswehack.com/programs/gnome-b…

From €500 to €10,000 depending on criticality 💶

For now only GLib is in scope but we will expand the list of modules and advertise as the program grows.

In partnership with @yeswehack and @sovtechfund

#GNOME #infosec #FreeSoftware #security #bugBounty #OpenSource #cybersecurity


In-Process is out, featuring all the news on NVDA 2024.2 AND the newly released NVDA 2024.3 Beta 1 plus info on our new Code Signing Certificate, a thank you to our donors, and we remember community contributor, Austin Pinto.

Catch up on everything here: nvaccess.org/post/in-process-3…

#NVDA #NVDAsr #ScreenReader #News #Blog #Newsletter #InfoSec #PreRelease #Beta #FOSS


qualys.com/regresshion-cve-202…

#CVE_2024_6387

Unauthenticated RCE in SSH.

Happy Monday.

18 year old regression. Sigh.

#infosec


Hey everyone. I'm promoting a new YouTube channel hosted by a friend and her family. I'm loving the content she's putting out there. Consider subscribing!
#infosec #training
youtube.com/@cyberchristy911


If anyone out there is looking for some #infosec / #cybersecurity-related training, feel free to peruse this giant list I've been putting together over time ⬇️

shellsharks.com/online-trainin…

Know of a training that isn’t listed here? Let me know about it and I can add!

We're truly in a golden age of resources for learning infosec/IT, the hardest part becomes choosing the best thing!

#mondayblogs #mentorshipmonday


We've been doing this a while. Let's SWING for the big leagues.
Tomorrow, we're doing a deep dive on #burpSuite from a #screenReader perspective. It will be mostly #blind (as in playthrough) as I've not looked at this program for a few years, and fully blind (as in sight) given ... well ... screenReader user :)

I've learned more, and hey who knows, maybe they've improved ......
If it turns out they haven't, we'll look at @zaproxy next as a more viable, generally more #accessible alternative. See you tomorrow at 3 EST over at twitch.tv/ic_null #infosec #cybersecurity #zaproxy #portswigger #java #programming


Great story of how good the scammers are getting. I suggest most folks read, even us #infosec folks.
threadreaderapp.com/thread/179…


Hey, look at that. Mainly through efforts from you lot, I was able to get IC_Null to #twitch Affiliate status in under a month. This allows me to make even better, more varied and interesting content for you all. Thanks for sharing, watching and showing me your interest everyone ... we've only just gotten started :) #infoSec #cybersecurity #streaming


Microsoft published a report last month acknowledging the existence of a long running honeypot operation running on code.microsoft[.]com.

techcommunity.microsoft.com/t5…

#microsoft #infosec #threatintel


Ok wtf was that?!

Went to a webpage and it said "verifying that you are human" and a thingy was spinning...

I braced for a captcha...

Nothing. It moved on to loading the page.

Apparently I passed.

How did it verify me?

No really, how?

#infosec #ThisIsANewOne

Link: journals.asm.org/doi/10.1128/c…


Patch Tuesday be upon us once more. That means another IC_Null stream at 3 PM EST/9 PM CEST today. Today we cover more #TryHackMe content in the #webHacking category. Some announcements about the channel as well. Next week, we'll take a break from pure #THM to go full ham on #burpSuite #accessibility ... or the lack thereof. Let's see how long it takes for us to be forced onto the far superior #zaproxy :) See you all tonight at twitch.tv/ic_null #infoSec #cybersecurity #blind #screenReader #a11y #twitch


It's Patch Tuesday. Good time to check your updates are up to date! But also it's time for another IC_Null stream today at 3 PM Eastern/9 PM CEST. More of #tryHackMe's Junior #penTesting path today, we zapped past most of the theory-only stuff last week and this week will be all about #webHacking. Prospective #bugBounty hunters curious about accessibility, this is the one to join. See you then at twitch.tv/ic_null #twitch #selfPromo #infoSec #goingLive


Mini Blue Team Diaries Story:

Was responsible for SecOps at a SaaS platform that managed lots of things for companies, including travel bookings.

We had a bunch of customers in the higher education space who used SSO to login to our app. Unfortunately, MFA within the SSO configuration was not common back then, so a compromised university account would lead to much access, including to our platform.

Suddenly, a thing we saw a lot of, was higher-ed customers reporting that they were being charged for trips that just didn't make sense. These were bookings for same day travel, usually between two African cities.

After some digging around and investigation, we figured out that a threat actor would phish or purchase the user's university credentials, then, using the SSO into our environment, they'd make bookings using the travel booking feature - those bookings were made on behalf of the threat actor's customers, who actually thought they were dealing with a legit, well-connected travel agent.

We were able to advise our customers on how to stop this type of thing happening, with approval rules for bookings, and ya know, MFA, and also managed to build in some detective controls so our team could detect and shut down such bookings as soon as they came in.

What made this particularly interesting though, through some OSINT, we were able to determine the true identity of the actor responsible - and we connected with them on Facebook, mainly because we wanted to ask them about their methods now that we'd all but shut down their scheme.

We chatted for a bit, and got some useful intel. At the end, the actor congratulated the team on our new controls, and said they'd moved on to using another service they'd found to make their bookings.

For more, slightly less mini, Blue Team Diaries stories like this, check out infosecdiaries.com

#infosec #DFIR #BlueTeam #infosecreads #cybersecurity
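A sketch of the kind of detective control the story above describes, as an added example and not the platform's own code: constructed booking records are scored against the pattern in the post (same-day travel, a trip entirely outside the customer organisation's home country, and a passenger who is not the SSO user making the booking). The field names, the two-signal threshold, and the passenger-match flag are assumptions made for illustration.

```python
"""Flag SSO-originated travel bookings that match an abuse pattern.

Added example: the record layout and the scoring rules are assumptions,
not the SaaS platform's real schema or detection logic.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class Booking:
    booking_id: str
    sso_user: str                 # identity asserted by the customer's IdP
    tenant_country: str           # where the customer organisation is based
    origin_country: str           # ISO country of the departure city
    dest_country: str             # ISO country of the arrival city
    booked_at: datetime           # when the booking was submitted
    departs_on: date              # travel date
    traveler_matches_user: bool   # assumed flag: passenger name == SSO user


def flag_booking(b: Booking) -> list[str]:
    """Return the list of suspicious signals present on one booking."""
    reasons: list[str] = []
    # Same-day travel was the hallmark of the fraudulent bookings in the story.
    if b.departs_on == b.booked_at.date():
        reasons.append("same-day travel")
    # A university in one country booking a trip that never touches that
    # country (e.g. between two African cities) is unusual for its staff.
    if b.tenant_country not in (b.origin_country, b.dest_country):
        reasons.append("trip entirely outside tenant's home country")
    # The actor booked on behalf of paying third parties, not for themselves.
    if not b.traveler_matches_user:
        reasons.append("passenger is not the SSO user")
    return reasons


def triage(bookings: list[Booking], min_reasons: int = 2) -> list[tuple[str, list[str]]]:
    """Bookings with at least `min_reasons` signals, to hold for approval."""
    hits = []
    for b in bookings:
        reasons = flag_booking(b)
        if len(reasons) >= min_reasons:
            hits.append((b.booking_id, reasons))
    return hits


# Constructed sample data (not real customer records).
SAMPLE_BOOKINGS = [
    Booking("BK-1", "alice@uni.example", "US", "US", "US",
            datetime(2024, 6, 1, 10, 0), date(2024, 6, 15), True),
    Booking("BK-2", "bob@uni.example", "US", "NG", "KE",
            datetime(2024, 6, 3, 9, 12), date(2024, 6, 3), False),
    Booking("BK-3", "carol@uni.example", "US", "US", "US",
            datetime(2024, 6, 4, 8, 0), date(2024, 6, 4), True),
]

if __name__ == "__main__":
    for booking_id, reasons in triage(SAMPLE_BOOKINGS):
        print(f"{booking_id}: hold for approval ({'; '.join(reasons)})")
```

BK-3 is a legitimate last-minute domestic trip and trips only one signal, so the two-signal threshold keeps it out of the approval queue; BK-2 trips all three and is held, which is the "shut down such bookings as soon as they came in" behaviour the post describes.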


Yesterday's stream was archived here: youtube.com/watch?v=34-uebClUq…
Little high on theory but we did get to do some proper Hollywood hacking. More next week! :) #selfPromo #accessibility #infoSec #cybersecurity