Search
Items tagged with: CyberSecurity
We've been doing this a while. Let's SWING for the big leagues.
Tomorrow, we're doing a deep dive on #burpSuite from a #screenReader perspective. It will be mostly #blind (as in playthrough) as I've not looked at this program for a few years, and fully blind (as in sight) given ... well ... screenReader user :)
I've learned more, and hey who knows, maybe they've improved ......
If it turns out they haven't, we'll look at @zaproxy next as a more viable, generally more #accessible alternative. See you tomorrow at 3 EST over at twitch.tv/ic_null #infosec #cybersecurity #zaproxy #portswigger #java #programming
IC_null - Twitch
Fully blind person hacking, coding and tinkering while using a screen reader. THM, HTB, accessibility, all the things.Twitch
Microsoft's Recall function is looking like a total security disaster.
doublepulsar.com/recall-steali…
#Microsoft #Recall #CyberSecurity
Stealing everything you’ve ever typed or viewed on your own Windows PC is now possible with two lines of code — inside the Copilot+ Recall disaster.
I wrote a piece recently about Copilot+ Recall, a new Microsoft Windows 11 feature which — in the words of Microsoft CEO Satya Nadella- takes “screenshots” of your PC constantly, and makes it into an…Kevin Beaumont (DoublePulsar)
IC_null - Twitch
Fully blind person hacking, coding and tinkering while using a screen reader. THM, HTB, accessibility, all the things.Twitch
#Android is getting an AI-powered #scam call detection feature
Will be powered by Gemini Nano, which #Google says can be run locally and offline to process "fraudulent language and other conversation patterns typically associated with scams" and push real-time alerts during calls where detected red flags are present.
It will be opt-in, but Gemini Nano is currently only supported on Google Pixel 8 Pro and Samsung S24 series devices.
theverge.com/2024/5/14/2415621…
Android is getting an AI-powered scam call detection feature
Google is testing a new call monitoring feature that warns users if the person they’re talking to is likely attempting to scam them and encourages them to end such calls.Jess Weatherbed (The Verge)
Mini Blue Team Diaries Story:
Was responsible for SecOps at a SaaS platform that managed lots of things for companies, including travel bookings.
We had a bunch of customers in the higher education space who used SSO to login to our app. Unfortunately, MFA within the SSO configuration was not common back then, so a compromised university account would lead to much access, including to our platform.
Suddenly, a thing we saw a lot of, was higher-ed customers reporting that they were being charged for trips that just didn't make sense. These were bookings for same day travel, usually between two African cities.
After some digging around and investigation, we figured out that a threat actor would phish or purchase the users university credentials, then, using the SSO into our environment, they'd make bookings using the travel booking feature - those bookings were made on behalf of the threat actors customers, who actually thought they were dealing with a legit, well-connected travel agent.
We were able to advise our customers on how to stop this type of thing happening, with approval rules for bookings, and ya know, MFA, and also managed to build in some detective controls so our team could detect and shut down such bookings as soon as they came in.
What made this particularly interesting though, through some OSINT, we were able to determine the true identity of the actor responsible - and we connected with them on Facebook, mainly because we wanted to ask them about their methods now that we'd all but shut down their scheme.
We chatted for a bit, and got some useful intel. At the end, the actor congratulated the team on our new controls, and said they'd moved on to using another service they'd found to make his bookings.
For more, slightly less mini, Blue Team Diaries stories like this, check out infosecdiaries.com
Little high on theory but we did get to do some proper hollywood hacking. More next week! :) #selfPromo #acccessibility #infoSec #cybersecurity
(IC_Null Stream) Beginning of an adventure: What's a beginner with a screenreader have to do to hack
Start of a new project. As IC_Null on Twitch, I'll be covering hacking, coding and overall tech content. The content will be archived here.Follow my new hack...YouTube
zeit.de/digital/datenschutz/20…
#Cybersecurity #bundeswehr
Bundeswehr: Jeder konnte sie finden
Recherchen von ZEIT ONLINE offenbaren eine Sicherheitslücke bei der Bundeswehr und der Bundesregierung: Wer wann zu einem Videocall einlud, ließ sich öffentlich einsehen.Eva Wolfangel (ZEIT ONLINE)
Personally, I'm just going to delete my account.
Ref: cash.app/legal/us/en-us/tos
#privacy #infosec #cybersecurity #arbitration #BindingArbitration #ConsumerRights
Terms of Service | Cash App
The Cash App Terms of Service govern your use of Cash App. By using Cash App you agree to be bound by these Terms, and all other terms and policies applicable to each Service.cash.app
I implemented Ken Thompson’s Reflections on Trusting Trust (1984 Turing Award Lecture) compiler #backdoor for the GNU Compiler Collection (GCC). The backdoor maintains persistence by re-injecting itself to any new versions of the compiler built. The secondary payload modifies a test application by adding a backdoor password to allow authentication bypass:
$ cat testapp.c
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char **argv)
{
if (argc == 2 && !strcmp(argv[1], "secret"))
{
printf("access granted!\n");
return EXIT_SUCCESS;
}
else
{
printf("access denied!\n");
return EXIT_FAILURE;
}
}
$ gcc -Wall -O2 -o testapp.c -o testapp
$ ./testapp kensentme
access granted!
$
I spent most time (around two hours) writing the generalized tooling that produces the final quine version of the malicious payload. Now that this is done, the actual code can be adjusted trivially to exploit more target code without any need to adjust the self-reproducing section of the code. This method of exploitation could be extended to target various binaries: SSH Server, Linux Kernel, Setuid binaries and similar. While itself written in C, the secondary payloads can target any programming languages supported by GCC.
It should be noted that GCC build checks for malicious compiler changes such as this. This check can – of course – also be bypassed. However, most serious projects have measures in place to avoid hacks of this nature.
Some links:
- Ken Thompson's "Reflections on Trusting Trust" paper: cs.cmu.edu/~rdriley/487/papers…
- David A. Wheeler: "Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers" dwheeler.com/trusting-trust/
#hacking #exploitdevelopment #kenthompson #infosec #cybersecurity @vegard
Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers
David A. Wheeler's Page on Countering 'Trusting Trust' through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilersdwheeler.com
iodéOS 5 is out
blog.iode.tech/iodeos-5-is-out…
#iodéOS #iodéOS5 #android14 #lineageos21 #privacy #cybersecurity #opensource
iodéOS 5 is out - iodé
Today, our team is rolling out the Over-The-Air (OTA) update of iodéOS version 5! You can find it in the updater app.antoine (iodé)
Seems to me that a new role has emerged for those who want a career in cybersecurity: Cybercriminal Troll.
Police around the world are making videos to scare the bejeezus out of scammers and hackers, revealing in a jaunty way how they are about to be busted.
Nice one Met Police.
#LabHost #cybersecurity #cybercrime #scam #phishing
T-Mobile Employees Across The Country Receive Cash Offers To Illegally Swap SIMs
I still stand by this: if #sms #mfa wasn’t still massively used (especially by the financial sector), sim swaps would be less attractive to sim swappers.
It’s also crazy so much trust is placed in telecoms guarding your phone number and MFA factor for your bank. 🫨
#security #cybersecurity #simswap
tmo.report/2024/04/t-mobile-em…
T-Mobile Employees Across The Country Receive Cash Offers To Illegally Swap SIMs
T-Mobile employees, both third-party and corporate, are receiving cash offers via text to complete SIM swaps for criminals.Jman100 (The Mobile Report)
This piece is worth reading if you’re in tech criticism or infosec/cybersecurity and are being asked for commentary on IoT and smart home devices.
People aren’t foolish for using IoT or for wanting things to be easier in their homes. This tech makes positive and meaningful change for people of all kinds of abilities. It’s valid to worry about the privacy or security issues that IoT is riddled with, but don’t draw a direct line from there to blaming the user - some people have no alternatives that don’t involve giving up independent access to their own homes and lives. Everyone deserves to live in ways that fit their needs.
Instead, join the push to hold manufacturers and providers to account for poor security and privacy practices. Advocate for better, more respectful and accessible default configurations. Help people understand how to anticipate and mitigate the worst of these issues when they’re setting things up, and give them power and agency over their home systems.
We all deserve to have tech that works for us, in all the ways that matters.
#accessibility
#a11y #infosec
#cybersecurity
#iot #smarthome
theverge.com/24080201/smart-ho…
How smart home technology made my home more accessible
Using one’s phone or voice to flip a light switch may be convenient since you don’t need to get up. For the author and other disabled people, this makes it accessible.Steven Aquino (The Verge)
Who wants a #cybersecurity jobs AMA? My mentee session canceled! #CybersecurityCareers #Resumes #CybersecurityEducation
youtube.com/live/0z95pwVOiTM?f…
AMA Cybersecurity Careers and Resumes (and other stuff!)
My mentorship session canceled, let's chat!YouTube
This should be widely read, especially by the #cybersecurity community.
spectrum.ieee.org/lean-softwar…
Why Bloat Is Still Software’s Biggest Vulnerability
A 2024 plea for lean softwareBert Hubert (IEEE Spectrum)
The UK government's attempts to erode your online #privacy never cease. 🇬🇧🕵️
Luckily you've got Tuta in your corner! 🥊
We've teamed up with academics, #cybersecurity researchers, & other privacy oriented companies, like @element and @brave to fight back!
👉 cdt.org/insights/open-letter-f…
Open Letter from Security Experts Voices Concerns Over the Proposed Changes to UK Investigatory Powers Act’s Notices Regime - Center for Democracy and Technology
The proposed amendments to the UK’s Investigatory Powers Act (IPA) have prompted a powerful open letter addressed to the UK Home Secretary from security experts united in their commitment to a secure, reliable, and inclusive internet.Center for Democracy and Technology
[swe] EU Cyber Resilience Act är på gång och vi har fått tillgång till den nya versionen efter förra årets förhandlingar mellan komissionen, parlamentet och rådet. På torsdag kör vi Dataföreningen ett gratis lunchseminarie där vi diskuterar CRA - senaste uppdateringarna, vad säger Open Source-grupperna och vad gäller för tillverkare av digitala produkter?
Registrera dig här:
dfs.se/pa_gang/prata-eu-cyber-…
Prata EU Cyber Resilience Act med oss! #13
Dags för januari månads Prata EUCRA med oss Torsdag 25/1 är det dags för årets första webinarium. * CRA - den senaste uppdateringen. Vad är nytt, vad är borta? Vi pratar om den senaste uppdateringen från EU vad gäller Cyber Resilience Act.Dataföreningen
Today, we call on all Interior, Justice & Economy ministers of EU countries, to choose the right side: #privacy or #surveillance.
Together with other privacy-first companies we call on our ministers to defend encryption & protect privacy. 🔒
Read the full text here: tuta.com/blog/open-letter-encr…
#chatcontrol #encryption #security #cybersecurity
Open Letter Calling On EU Member States To Defend Encryption
As the trilogue is about to start, EU Member States must decide what side they are on: privacy or surveillance.Tutanota
Switch easily between work and personal Bitwarden accounts on Desktop, Mobile apps, and now the Bitwarden browser extension! Learn more in this blog: bitwarden.com/blog/account-swi…
#cybersecurity #security #passwordsecurity #passwordmanager #passwordmanagement
Switch between Bitwarden accounts quickly and easily | Bitwarden Blog
Quickly switch between multiple Bitwarden accounts in the browser extension, desktop and mobile apps.Bitwarden
curl is now a CVE Numbering Authority (CNA) assigning CVE IDs for all for all products made and managed by the curl project. This includes curl, libcurl, and trurl.
cve.org/Media/News/item/news/2…
#CVE #CNA #VulnerabilityManagement #Vulnerability #Cybersecurity
Critical flaw found in WordPress plugin used on over 300,000 websites.
Read more in my article on the Tripwire blog: tripwire.com/state-of-security…
#cybersecurity #wordpress #vulnerability
Critical flaw found in WordPress plugin used on over 300,000 websites
A WordPress plugin used on over 300,000 websites has been found to contain vulnerabilities that could allow hackers to seize control.www.tripwire.com
📫GREAT Reason To Both Use / Support @thunderbird #Thunderbird
New Microsoft #Outlook Collects / Shares Your Data w/Over 772 Parties
#email #communication #FOSS #Microsoft #Thunderbird #Mozilla #encryption #crypto #e2ee #infosec #Proton #surveillance #cybersecurity #privacy #News
proton.me/blog/outlook-is-micr…
Outlook is Microsoft’s new data collection service
The new Outlook now appears to be a data collection service for Microsoft’s 772 external partners for targeted advertising.Edward Komenda (Proton)
Performed Email security standards tests with
@internet_nl .
Internet.nl - test to check if the service supports modern internet standards like IPv6, DNSSEC, DMARC, DKIM, SPF, STARTTLS, DANE, RPKI.
Scores:
@protonmail - 75%
@skiff - 85%
@Tutanota - 87%
#emailsecurity #privacy #cybersecurity
Test for modern Internet Standards like IPv6, DNSSEC, HTTPS, DMARC, STARTTLS and DANE.
Test for modern Internet Standards IPv6, DNSSEC, HTTPS, HSTS, DMARC, DKIM, SPF, STARTTLS, DANE, RPKI and security.txtinternet.nl
Infoek.cz je pod DDoS a Slowloris útoky vlastně denně, a to již od začátku války na Ukrajině. Rusům se nelíbí projev nesouhlasu s napadením suverénního státu v některých článcích. 😀
Během noci byl Slowloris útok opět masivní, ale web se drží. 😉
V geoblokaci webu jsou všichni návštěvníci z Ruska, Íránu, Palastiny a Kataru. Automaticky jsou přesměrováni na infoek.cz/ip-ban/. Na jiný odkaz v rámci stránky se nedostanou.
#StandWithUkraine #FckRussia #cybersecurity
If you do 1 thing today, use @Tutanota and forward your #gmail and #hotmail to your new inbox. Take back your mailbox!
For your second thing, switch to an encrypted messenger like #Signal and get your friends and family on it. It's so easy.
#cybersecurity #cybersecurityawarenessmonth #E2EE #globalencryptionday #privacy
Share this with your friends and family and spread #privacy! yt.artemislena.eu/watch?v=MFlF… 🥰
Big Tech Wants to See You Naked. Protect Your Privacy Now!
Tutanota - no tracking, no ads. Get your encrypted mailbox now: https://tutanota.com/big-tech-alternative?t-src=you Today's web is broken. You are being tracked when you search the web, shop online; even when you read your emails.Tutanota | Invidious
Undermining encryption is dangerous and puts everyone at risk.
The EU Commission now postponed a vote on #chatcontrol - a clear sign that Chat Control must fail.
Check here why Chat Control is the "most criticized law of all time":
tutanota.com/blog/chat-control…
#CybersecurityAwarenessMonth #cybersecurity
Chat Control Criticism: Why the EU CSAM Scanning Plans Must Fail.
The EU Regulation to Prevent and Combat Child Sexual Abuse has become the "most criticized law of all time".Tutanota
I'm hiring! As a manager at IBM I have a position open in Ireland for somebody looking to start a career in offensive cybersecurity.
It would be amazing to use the Fediverse to find a new teammate!
#FediHire #fedihired #cybersecurity
krb-sjobs.brassring.com/TGnewU…
Junior - HOC – Targeter | IBM Careers
Job Details: At Randori, an IBM company, we help defenders continuously assess their real-world security. Our automated attkrb-sjobs.brassring.com
Mozilla: "In a well-intentioned yet dangerous move to fight online fraud, France is on the verge of forcing browsers to create a dystopian technical capability. It would force browser providers to create the means to mandatorily block websites present on a government provided list. Such a move will overturn decades of established content moderation norms and provide a playbook for authoritarian governments"
blog.mozilla.org/netpolicy/202…
#france #browser #cybersecurity #mozilla #security #surveillance
France’s browser-based website blocking proposal will set a disastrous precedent for the open internet - Open Policy & Advocacy
Article 3 (para II and III) of the SREN Bill would force providers to create the means to mandatorily block websites on a government provided list encoded into the browser.Udbhav Tiwari (Open Policy & Advocacy)
Brightly warns of SchoolDude data breach exposing credentials
U.S. tech company and Siemens subsidiary Brightly Software is notifying customers that their personal information and credentials were stolen by attackers who gained access to the database of its SchoolDude online platform.Sergiu Gatlan (BleepingComputer)
This dumb password rule is from MySwissLife.
User ID *has to* be 8 characters exactly, password *has to be* 8 characters and numbers only.
dumbpasswordrules.com/sites/my…
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Is #Gmail killing independent email?
"Is it okay that Gmail has the power to decide whether a business is sending spam or not?"
Gmail has rigged the email game imo. It makes running a self-hosted email server hard, even after properly configuring DKIM, DMARC, and SPF.
#cybersecurity #privacy #technology
tutanota.com/blog/posts/gmail-…
Is Gmail killing independent email?
People report that self-hosted emails always end up in Gmail spam. Is there anything Google can do about it?Tutanota
Stay strong: Desperate governments worldwide want to downright criminalize #privacy and #encryption now, using laughable pretexts like #cybersecurity causing #childabuse to literally put everyone on the planet under a permanent wiretapping mandate like we're common criminals by default.
Smartphones are especially susceptible to surveillance, and among those devices we have the least control over instead of corporations merely renting them to us: It's time for that to change!
Minecraft clones stealthily load ads on millions of Android devices.
grahamcluley.com/minecraft-clo…
#cybersecurity #adware #minecraft #google #googleplay #android
Minecraft clones stealthily load ads on millions of Android devices
Boffins at McAfee have identified 38 Android apps in the Google Play store that unashamedly rip off the ever-popular gaming sensation Minecraft…Graham Cluley
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.
We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.
Why is this bad?
Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵
#Privacy #Cybersecurity #InfoSec #2FA #Google #Security