Items tagged with: cybersecurity
We've been doing this a while. Let's SWING for the big leagues.
Tomorrow, we're doing a deep dive on #burpSuite from a #screenReader perspective. It will be mostly #blind (as in playthrough) as I've not looked at this program for a few years, and fully blind (as in sight) given ... well ... screenReader user :)
I've learned more, and hey who knows, maybe they've improved ......
If it turns out they haven't, we'll look at @zaproxy next as a more viable, generally more #accessible alternative. See you tomorrow at 3 EST over at twitch.tv/ic_null #infosec #cybersecurity #zaproxy #portswigger #java #programming
IC_null - Twitch
Fully blind person hacking, coding and tinkering while using a screen reader. THM, HTB, accessibility, all the things. (Twitch)
Microsoft's Recall function is looking like a total security disaster.
doublepulsar.com/recall-steali…
#Microsoft #Recall #CyberSecurity
Stealing everything you’ve ever typed or viewed on your own Windows PC is now possible with two lines of code — inside the Copilot+ Recall disaster.
I wrote a piece recently about Copilot+ Recall, a new Microsoft Windows 11 feature which — in the words of Microsoft CEO Satya Nadella - takes “screenshots” of your PC constantly, and makes it into an… (Kevin Beaumont, DoublePulsar)
#Android is getting an AI-powered #scam call detection feature
Will be powered by Gemini Nano, which #Google says can be run locally and offline to process "fraudulent language and other conversation patterns typically associated with scams" and push real-time alerts during calls where detected red flags are present.
It will be opt-in, but Gemini Nano is currently only supported on Google Pixel 8 Pro and Samsung S24 series devices.
theverge.com/2024/5/14/2415621…
Android is getting an AI-powered scam call detection feature
Google is testing a new call monitoring feature that warns users if the person they’re talking to is likely attempting to scam them and encourages them to end such calls. (Jess Weatherbed, The Verge)
Mini Blue Team Diaries Story:
Was responsible for SecOps at a SaaS platform that managed lots of things for companies, including travel bookings.
We had a bunch of customers in the higher education space who used SSO to log in to our app. Unfortunately, MFA within the SSO configuration was not common back then, so a compromised university account would lead to much access, including to our platform.
Suddenly, a thing we saw a lot of, was higher-ed customers reporting that they were being charged for trips that just didn't make sense. These were bookings for same day travel, usually between two African cities.
After some digging around and investigation, we figured out that a threat actor would phish or purchase the user's university credentials, then, using the SSO into our environment, they'd make bookings using the travel booking feature - those bookings were made on behalf of the threat actor's customers, who actually thought they were dealing with a legit, well-connected travel agent.
We were able to advise our customers on how to stop this type of thing happening, with approval rules for bookings, and ya know, MFA, and also managed to build in some detective controls so our team could detect and shut down such bookings as soon as they came in.
What made this particularly interesting, though, is that through some OSINT we were able to determine the true identity of the actor responsible - and we connected with them on Facebook, mainly because we wanted to ask them about their methods now that we'd all but shut down their scheme.
We chatted for a bit, and got some useful intel. At the end, the actor congratulated the team on our new controls, and said they'd moved on to using another service they'd found to make their bookings.
For more, slightly less mini, Blue Team Diaries stories like this, check out infosecdiaries.com
Little high on theory but we did get to do some proper hollywood hacking. More next week! :) #selfPromo #accessibility #infoSec #cybersecurity
(IC_Null Stream) Beginning of an adventure: What's a beginner with a screenreader have to do to hack
Start of a new project. As IC_Null on Twitch, I'll be covering hacking, coding and overall tech content. The content will be archived here. Follow my new hack... (YouTube)
zeit.de/digital/datenschutz/20…
#Cybersecurity #bundeswehr
Bundeswehr: Anyone could find them
Research by ZEIT ONLINE reveals a security gap at the Bundeswehr and the German federal government: who invited people to a video call, and when, could be viewed publicly. (Eva Wolfangel, ZEIT ONLINE)
Personally, I'm just going to delete my account.
Ref: cash.app/legal/us/en-us/tos
#privacy #infosec #cybersecurity #arbitration #BindingArbitration #ConsumerRights
Terms of Service | Cash App
The Cash App Terms of Service govern your use of Cash App. By using Cash App you agree to be bound by these Terms, and all other terms and policies applicable to each Service. (cash.app)
I implemented Ken Thompson’s Reflections on Trusting Trust (1984 Turing Award Lecture) compiler #backdoor for the GNU Compiler Collection (GCC). The backdoor maintains persistence by re-injecting itself to any new versions of the compiler built. The secondary payload modifies a test application by adding a backdoor password to allow authentication bypass:
$ cat testapp.c
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char **argv)
{
    if (argc == 2 && !strcmp(argv[1], "secret"))
    {
        printf("access granted!\n");
        return EXIT_SUCCESS;
    }
    else
    {
        printf("access denied!\n");
        return EXIT_FAILURE;
    }
}
$ gcc -Wall -O2 testapp.c -o testapp
$ ./testapp kensentme
access granted!
$
I spent most of the time (around two hours) writing the generalized tooling that produces the final quine version of the malicious payload. Now that this is done, the actual code can be adjusted trivially to exploit more target code without any need to adjust the self-reproducing section of the code. This method of exploitation could be extended to target various binaries: SSH server, Linux kernel, setuid binaries and similar. While itself written in C, the secondary payloads can target any programming language supported by GCC.
It should be noted that GCC build checks for malicious compiler changes such as this. This check can – of course – also be bypassed. However, most serious projects have measures in place to avoid hacks of this nature.
Some links:
- Ken Thompson's "Reflections on Trusting Trust" paper: cs.cmu.edu/~rdriley/487/papers…
- David A. Wheeler: "Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers" dwheeler.com/trusting-trust/
#hacking #exploitdevelopment #kenthompson #infosec #cybersecurity @vegard
Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers
David A. Wheeler's Page on Countering 'Trusting Trust' through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers (dwheeler.com)
iodéOS 5 is out
blog.iode.tech/iodeos-5-is-out…
#iodéOS #iodéOS5 #android14 #lineageos21 #privacy #cybersecurity #opensource
iodéOS 5 is out - iodé
Today, our team is rolling out the Over-The-Air (OTA) update of iodéOS version 5! You can find it in the updater app. (antoine, iodé)
Seems to me that a new role has emerged for those who want a career in cybersecurity: Cybercriminal Troll.
Police around the world are making videos to scare the bejeezus out of scammers and hackers, revealing in a jaunty way how they are about to be busted.
Nice one Met Police.
#LabHost #cybersecurity #cybercrime #scam #phishing
T-Mobile Employees Across The Country Receive Cash Offers To Illegally Swap SIMs
I still stand by this: if #sms #mfa wasn’t still massively used (especially by the financial sector), sim swaps would be less attractive to sim swappers.
It’s also crazy so much trust is placed in telecoms guarding your phone number and MFA factor for your bank. 🫨
#security #cybersecurity #simswap
tmo.report/2024/04/t-mobile-em…
T-Mobile Employees Across The Country Receive Cash Offers To Illegally Swap SIMs
T-Mobile employees, both third-party and corporate, are receiving cash offers via text to complete SIM swaps for criminals. (Jman100, The Mobile Report)
This piece is worth reading if you’re in tech criticism or infosec/cybersecurity and are being asked for commentary on IoT and smart home devices.
People aren’t foolish for using IoT or for wanting things to be easier in their homes. This tech makes positive and meaningful change for people of all kinds of abilities. It’s valid to worry about the privacy or security issues that IoT is riddled with, but don’t draw a direct line from there to blaming the user - some people have no alternatives that don’t involve giving up independent access to their own homes and lives. Everyone deserves to live in ways that fit their needs.
Instead, join the push to hold manufacturers and providers to account for poor security and privacy practices. Advocate for better, more respectful and accessible default configurations. Help people understand how to anticipate and mitigate the worst of these issues when they’re setting things up, and give them power and agency over their home systems.
We all deserve to have tech that works for us, in all the ways that matters.
#accessibility
#a11y #infosec
#cybersecurity
#iot #smarthome
theverge.com/24080201/smart-ho…
How smart home technology made my home more accessible
Using one’s phone or voice to flip a light switch may be convenient since you don’t need to get up. For the author and other disabled people, this makes it accessible. (Steven Aquino, The Verge)
Who wants a #cybersecurity jobs AMA? My mentee session canceled! #CybersecurityCareers #Resumes #CybersecurityEducation
youtube.com/live/0z95pwVOiTM?f…
AMA Cybersecurity Careers and Resumes (and other stuff!)
My mentorship session canceled, let's chat! (YouTube)
This should be widely read, especially by the #cybersecurity community.
spectrum.ieee.org/lean-softwar…
Why Bloat Is Still Software’s Biggest Vulnerability
A 2024 plea for lean software (Bert Hubert, IEEE Spectrum)
The UK government's attempts to erode your online #privacy never cease. 🇬🇧🕵️
Luckily you've got Tuta in your corner! 🥊
We've teamed up with academics, #cybersecurity researchers, & other privacy oriented companies, like @element and @brave to fight back!
👉 cdt.org/insights/open-letter-f…
Open Letter from Security Experts Voices Concerns Over the Proposed Changes to UK Investigatory Powers Act’s Notices Regime - Center for Democracy and Technology
The proposed amendments to the UK’s Investigatory Powers Act (IPA) have prompted a powerful open letter addressed to the UK Home Secretary from security experts united in their commitment to a secure, reliable, and inclusive internet. (Center for Democracy and Technology)
[swe] The EU Cyber Resilience Act is on its way, and we have been given access to the new version following last year's negotiations between the Commission, the Parliament and the Council. On Thursday we at Dataföreningen are running a free lunch seminar where we discuss the CRA: the latest updates, what the open source groups are saying, and what applies to manufacturers of digital products.
Register here:
dfs.se/pa_gang/prata-eu-cyber-…
Talk EU Cyber Resilience Act with us! #13
Time for January's Talk EU CRA with us. Thursday 25/1 is the year's first webinar. * CRA - the latest update. What is new, what is gone? We discuss the latest update from the EU regarding the Cyber Resilience Act. (Dataföreningen)
Today, we call on all Interior, Justice & Economy ministers of EU countries, to choose the right side: #privacy or #surveillance.
Together with other privacy-first companies we call on our ministers to defend encryption & protect privacy. 🔒
Read the full text here: tuta.com/blog/open-letter-encr…
#chatcontrol #encryption #security #cybersecurity
Open Letter Calling On EU Member States To Defend Encryption
As the trilogue is about to start, EU Member States must decide what side they are on: privacy or surveillance. (Tutanota)
Switch easily between work and personal Bitwarden accounts on Desktop, Mobile apps, and now the Bitwarden browser extension! Learn more in this blog: bitwarden.com/blog/account-swi…
#cybersecurity #security #passwordsecurity #passwordmanager #passwordmanagement
Switch between Bitwarden accounts quickly and easily | Bitwarden Blog
Quickly switch between multiple Bitwarden accounts in the browser extension, desktop and mobile apps. (Bitwarden)
curl is now a CVE Numbering Authority (CNA) assigning CVE IDs for all products made and managed by the curl project. This includes curl, libcurl, and trurl.
cve.org/Media/News/item/news/2…
#CVE #CNA #VulnerabilityManagement #Vulnerability #Cybersecurity
Critical flaw found in WordPress plugin used on over 300,000 websites.
Read more in my article on the Tripwire blog: tripwire.com/state-of-security…
#cybersecurity #wordpress #vulnerability
Critical flaw found in WordPress plugin used on over 300,000 websites
A WordPress plugin used on over 300,000 websites has been found to contain vulnerabilities that could allow hackers to seize control. (www.tripwire.com)
📫GREAT Reason To Both Use / Support @thunderbird #Thunderbird
New Microsoft #Outlook Collects / Shares Your Data w/Over 772 Parties
#email #communication #FOSS #Microsoft #Thunderbird #Mozilla #encryption #crypto #e2ee #infosec #Proton #surveillance #cybersecurity #privacy #News
proton.me/blog/outlook-is-micr…
Outlook is Microsoft’s new data collection service
The new Outlook now appears to be a data collection service for Microsoft’s 772 external partners for targeted advertising. (Edward Komenda, Proton)
Performed email security standards tests with @internet_nl.
Internet.nl - test to check if the service supports modern internet standards like IPv6, DNSSEC, DMARC, DKIM, SPF, STARTTLS, DANE, RPKI.
Scores:
@protonmail - 75%
@skiff - 85%
@Tutanota - 87%
#emailsecurity #privacy #cybersecurity
Test for modern Internet Standards like IPv6, DNSSEC, HTTPS, DMARC, STARTTLS and DANE.
Test for modern Internet Standards IPv6, DNSSEC, HTTPS, HSTS, DMARC, DKIM, SPF, STARTTLS, DANE, RPKI and security.txt (internet.nl)
Infoek.cz has been under DDoS and Slowloris attacks practically every day, ever since the start of the war in Ukraine. The Russians don't like the disagreement with the invasion of a sovereign state expressed in some of the articles. 😀
During the night the Slowloris attack was massive again, but the site is holding up. 😉
All visitors from Russia, Iran, Palestine and Qatar are geoblocked on the site. They are automatically redirected to infoek.cz/ip-ban/. They cannot reach any other link within the site.
#StandWithUkraine #FckRussia #cybersecurity
If you do 1 thing today, use @Tutanota and forward your #gmail and #hotmail to your new inbox. Take back your mailbox!
For your second thing, switch to an encrypted messenger like #Signal and get your friends and family on it. It's so easy.
#cybersecurity #cybersecurityawarenessmonth #E2EE #globalencryptionday #privacy
Share this with your friends and family and spread #privacy! yt.artemislena.eu/watch?v=MFlF… 🥰
Big Tech Wants to See You Naked. Protect Your Privacy Now!
Tutanota - no tracking, no ads. Get your encrypted mailbox now: https://tutanota.com/big-tech-alternative?t-src=you Today's web is broken. You are being tracked when you search the web, shop online; even when you read your emails. (Tutanota | Invidious)
Undermining encryption is dangerous and puts everyone at risk.
The EU Commission now postponed a vote on #chatcontrol - a clear sign that Chat Control must fail.
Check here why Chat Control is the "most criticized law of all time":
tutanota.com/blog/chat-control…
#CybersecurityAwarenessMonth #cybersecurity
Chat Control Criticism: Why the EU CSAM Scanning Plans Must Fail.
The EU Regulation to Prevent and Combat Child Sexual Abuse has become the "most criticized law of all time". (Tutanota)
I'm hiring! As a manager at IBM I have a position open in Ireland for somebody looking to start a career in offensive cybersecurity.
It would be amazing to use the Fediverse to find a new teammate!
#FediHire #fedihired #cybersecurity
krb-sjobs.brassring.com/TGnewU…
Junior - HOC – Targeter | IBM Careers
Job Details: At Randori, an IBM company, we help defenders continuously assess their real-world security. Our automated att… (krb-sjobs.brassring.com)
Mozilla: "In a well-intentioned yet dangerous move to fight online fraud, France is on the verge of forcing browsers to create a dystopian technical capability. It would force browser providers to create the means to mandatorily block websites present on a government provided list. Such a move will overturn decades of established content moderation norms and provide a playbook for authoritarian governments"
blog.mozilla.org/netpolicy/202…
#france #browser #cybersecurity #mozilla #security #surveillance
France’s browser-based website blocking proposal will set a disastrous precedent for the open internet - Open Policy & Advocacy
Article 3 (para II and III) of the SREN Bill would force providers to create the means to mandatorily block websites on a government provided list encoded into the browser. (Udbhav Tiwari, Open Policy & Advocacy)
Brightly warns of SchoolDude data breach exposing credentials
U.S. tech company and Siemens subsidiary Brightly Software is notifying customers that their personal information and credentials were stolen by attackers who gained access to the database of its SchoolDude online platform. (Sergiu Gatlan, BleepingComputer)
This dumb password rule is from MySwissLife.
User ID *has to* be 8 characters exactly, password *has to be* 8 characters and numbers only.
dumbpasswordrules.com/sites/my…
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Is #Gmail killing independent email?
"Is it okay that Gmail has the power to decide whether a business is sending spam or not?"
Gmail has rigged the email game imo. It makes running a self-hosted email server hard, even after properly configuring DKIM, DMARC, and SPF.
#cybersecurity #privacy #technology
tutanota.com/blog/posts/gmail-…
Is Gmail killing independent email?
People report that self-hosted emails always end up in Gmail spam. Is there anything Google can do about it? (Tutanota)
Stay strong: Desperate governments worldwide want to downright criminalize #privacy and #encryption now, using laughable pretexts like #cybersecurity causing #childabuse to literally put everyone on the planet under a permanent wiretapping mandate like we're common criminals by default.
Smartphones are especially susceptible to surveillance, and among those devices we have the least control over instead of corporations merely renting them to us: It's time for that to change!
Minecraft clones stealthily load ads on millions of Android devices.
grahamcluley.com/minecraft-clo…
#cybersecurity #adware #minecraft #google #googleplay #android
Minecraft clones stealthily load ads on millions of Android devices
Boffins at McAfee have identified 38 Android apps in the Google Play store that unashamedly rip off the ever-popular gaming sensation Minecraft… (Graham Cluley)
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.
We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.
Why is this bad?
Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵
#Privacy #Cybersecurity #InfoSec #2FA #Google #Security
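To make the post's point concrete, here is an added example (not from the post, and not Google's code) that parses the otpauth:// URI a 2FA QR code carries and derives the one-time code from its seed with the RFC 4226/6238 algorithm; the sample URI and seed are constructed, using the RFC 6238 reference key rather than any real account. Every party holding the same seed, a sync backend included, computes the same codes, which is why the seed must stay with the user.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample: the RFC 6238 reference key wrapped in the otpauth://
# URI format that 2FA QR codes encode. Not a real account.
SEED = b"12345678901234567890"
SAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com?secret="
    + base64.b32encode(SEED).decode().rstrip("=")
    + "&issuer=Example&digits=6&period=30"
)


def parse_otpauth(uri: str) -> dict:
    """Extract the seed and parameters from a TOTP otpauth:// URI."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = dict(parse_qsl(parts.query))
    b32 = params["secret"].upper()
    b32 += "=" * (-len(b32) % 8)  # QR payloads usually omit base32 padding
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "secret": base64.b32decode(b32),
    }


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, int(at) // period, digits)


def code_from_qr(uri: str, at: int) -> str:
    """What any holder of the QR payload (or a synced copy of it) can compute."""
    acct = parse_otpauth(uri)
    return totp(acct["secret"], at, acct["period"], acct["digits"])


if __name__ == "__main__":
    now = int(time.time())
    # Two independent holders of the seed always agree on the current code.
    print(code_from_qr(SAMPLE_URI, now) == totp(SEED, now))
```

The values asserted in the test are the RFC 4226 and RFC 6238 published vectors for this key, so the output can be checked against the standards directly.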