Skip to main content

Search

Items tagged with: Infosec


So Google is now preventing people from removing location data from photos taken with Pixel phones.

Remember when Google's corporate motto was "don't be evil?"

Obviously, accurate location data on photos is more useful to a data mining operation like Google.

From Google: "Important: You can only update or remove estimated locations. If the location of a photo or video was automatically added by your camera, you can't edit or remove the location."

It's enshitification in action.

Source: support.google.com/photos/answโ€ฆ

#technology #tech @technology #business #enshitification #Android #Google @pluralistic #infosec


Hey there -- we're Let's Encrypt, the free and open certificate authority serving over 300 million websites worldwide. We're new to Mastodon and are excited to get to know the infosec community in this new space!

letsencrypt.org/

#opensource #TLS #PKI #infosec


Yours truly is looking for an #InfoSec / #Cybersecurity job in a safer state than Florida. I do pretty much all things security... like consulting, malware analysis, auditing, compliance, blue team, red team, purple team, SecDev, SecOps, SecDevOps, etc.

My kids are all grown now, so I am more than willing to travel / relocate. If you have any leads or tips on some good companies, please let me know.

#GetFediHired
[matrix] โ€ข [SimpleX]


Microsoft Authenticator prompts the user to accept sharing analytics during the first launch. The prompt only dismisses when the user taps on "Accept." In fact, the app starts sending analytics even before accepting the privacy statement.๐Ÿคฆโ€โ™‚๏ธ

In this video, we downloaded the authenticator app from the App Store and we opened it as we monitored the iPhone network traffic. While the app was showing the permission prompt, we captured at least 3 calls made by the app sending diagnostics to Microsoft. The app sent 14 KB of analytics even before accepting the prompt.

The message on the prompt actually says that Microsoft needs to collect diagnostic data in order to keep Authenticator secure and up to date. ๐Ÿ˜ตโ€๐Ÿ’ซ

#Privacy #Cybersecurity #2FA #InfoSec #Security #Microsoft

youtu.be/r5456XXG6v0


Many iPhone users are asking us to recommend safe authenticator apps. Well, the App Store is making it useless to recommend any app. No matter what you search for, the top hit is almost always an ad for a scam app.

#Apple #AppStore #2FA #InfoSec


Please boost! We are *hiring* for *two* jobs in information security! Come work with our amazing team building solutions for the security have-nots in our world!

Red Queen Dynamics needs 1) a leader for engineering/cloud infrastructure, and 2) a product designer. We are a remote-first security company and we welcome people from all backgrounds and life journeys. #infosec #infosecjobs #hiring #cybersecurity

You can apply here! Tech Lead: linkedin.com/jobs/view/3475289โ€ฆ

Product Designer: linkedin.com/jobs/view/3475289โ€ฆ

Or stay up to date with all our job postings on our website: rqdn.io/career-opportunities


I know there is a lot going on at Twitter right now, but here's one more thing. Twitter is ignoring #GDPR requests from people to delete their DMs.

At the moment, when you press delete on a Twitter DM (an individual message or conversation) the DM isn't actually deleted from Twitter's servers, just your inbox view.

So people in Europe have been making requests for Twitter to blitz all their messages. It hasn't properly answered them. And now regulators are looking at it

Full story here: wired.com/story/delete-twitterโ€ฆ

#Twitter #gdpr #infosec #technology #news #wired


It's trivial to determine the real IP of a Mastodon server behind Cloudflare. All it takes is one well-crafted request:

gist.github.com/cutiful/4f36daโ€ฆ

I wonder how many instance admins using Cloudflare know about this? My hunch is most do not, because the primary justification I see for using Cloudflare here is DDoS protection.

Cloudflare won't help if the attacker knows your origin IP, and you can't hide that with Cloudflare alone, due to the nature of ActivityPub.

#MastoAdmin #InfoSec


People following my account for a while probably noticed me talking about South Korea every now and then. Iโ€™ve hinted towards doing some important research, and now the time has finally come for the first disclosures.

But first I need to do a bunch of explaining because most people (my past self from a few months ago included) are largely unfamiliar with the Korean software landscape. See: they have those โ€œsecurityโ€ applications that everyone has to install if they want to use online banking for example.

What could possibly go wrong with applications developed by private vendors without any kind of security vetting and that everyone in a country has to install, whether they like it or not? A lot of course.

In this first blog post I explain how in my limited understanding the current situation came about, show why the companies lack incentive to really invest in security and give you a first slight idea of the disastrous consequences.

No, Iโ€™m not exaggerating. The next blog post is scheduled for January 9th, and it will be about a specific application. I submitted seven vulnerability reports for this one. It took a real issue and claimed to have solved it โ€“ by making matters considerably worse than they were.

palant.info/2023/01/02/south-kโ€ฆ

#infosec #ApplicationSecurity #privacy #korea


Compromised PyTorch-nightly dependency chain between December 25th and December 30th, 2022.

Steals all your SSH keys!

"If you installed PyTorch-nightly on Linux via pip between December 25, 2022 and December 30, 2022, please uninstall it and torchtriton immediately, and use the latest nightly binaries (newer than Dec 30th 2022)."

#infosec #machinelearning #deeplearning

pytorch.org/blog/compromised-nโ€ฆ

news.ycombinator.com/item?id=3โ€ฆ


๐Ÿ”“ Like good neocolonizers, #humanitarian organizations & #nonprofits, like militaries, also collect vast amounts of #biometric & other private information about people with reckless disregard for basic #privacy and #security concepts.

โœŠ๐Ÿฝ We must hold them accountable for the risks and damages their actions cause: it's unacceptable to allow society to continue this way.

:pesthorn: Thanks to #CCC for helping expose the dangerous truth.

#SurevillanceCapitalism #infosec

web.archive.org/web/2022122712โ€ฆ


People wonder why I am always so harsh on #LastPass. Thing is, Iโ€™ve been watching them ignore security risks for years. Yes, things that they are being warned about again and again, yet they choose not to address them.

You think unencrypted URLs are bad? Take a look at this seven years old presentation by Martin Vigo and Alberto Garcia Illera: blackhat.com/docs/eu-15/materiโ€ฆ. Starting with page 69 it explains how the custom_js feature could be abused to extract usersโ€™ passwords.

Guess what, this feature is still present and used on PayPal for example. Still no encryption and nothing to protect the users. No change whatsoever in at least seven years that LastPass was made aware of this issue.

Instead, when disclosing #LastPassBreach they again lie that they donโ€™t have access to your passwords. But they do. Anyone with access to their server does. NSA could order them to extract your passwords. Hackers who gain access to their server could abuse this to get your passwords. Or just to run their JavaScript code on any website, and then they donโ€™t even need your passwords.

And thatโ€™s only one out of the many documented backdoors that LastPass chooses to ignore, both in terms of implementation and their public communication.

#infosec #ApplicationSecurity


Apparently some dickhead (or dickheads, as the case may be) uploaded malware into an issue on Codeberg and shared links to it and managed to get Codeberg onto a number of block lists so some folks canโ€™t access the site now because their ISPs are blocking it.

If you know the folks who run these lists and can help remove Codeberg from them, Iโ€™d appreciate it.

More details: codeberg.org/Codeberg/Communitโ€ฆ

CC @Codeberg

#codeberg #infosec #foss #freeSoftware


Tutanota: U2F support is now also available on #Android and #iOS

U2F keys are now supported on all @Tutanota clients.

(Tutanota is also an avoidthehack recommended encrypted email provider).

#mfa #2fa #privacy #cybersecurity #infosec #infosecurity

tutanota.com/blog/posts/app-upโ€ฆ


Raspberry Pi is really proud of hiring "a policeman & it's going really great" who "was a surveillance officer for 15 years" and built covert surveillance equipment. RPi dismisses the very thing they're so proud of as "he built lightsabers [as toys]. Chill."). Dear reader, it must be remarked that the concern is not his rad lightsaber toys (which, to be clear, are rad). The concern is that he's got experience in surveillance equipment, and the company is proud to have hired him for it, and proudly blocking everyone who expresses the slightest concern about it instead of being even remotely willing to listen and understand why people are skeeved out, even people who aren't on the ACAB train and are gently voicing concerns with a surveillance cop potentially having the keys to their hardware/software.

This is not the behavior of a company that's concerned about privacy, security, trust, or autonomy, and I don't think this company can or should be trusted to remain federated with instances that want to be welcoming to marginalized people or anti-authoritarians.

Really hate to say it, because I've used and loved RPis for several years now, but if nothing else, please use a different SBC from now on. There are many options out there that aren't so eager to insult you for having concerns about security.

raspberrypi.social/@Raspberry_โ€ฆ

archive in case they delete
archive.ph/8YQqH

#raspberrypi #rpi #surveillance #infosec #sysadmin #fediblock #acab #devops #police #sbc #singleboardcomputer


a vulnerability in hyundai vehicles equipped with sirius xm from 2015 onwards allows them to be unlocked and started remotely by unauthorized third-parties #infosec blog.koddos.net/bug-on-hyundaiโ€ฆ


This is an old project, but by some miracle it's still working and I woke up this morning wanting to celebrate the things I love more.

This Inkplate e-ink screen shows Conway's Game of Life, seeded from tarpits I have on the Internet. The tarpits are programs on my computer that superficially look like insecure Telnet and Remote Desktop services, but actually exist to respond super slowly and make bots scanning the Internet 'get stuck'.

When a bot connects to the tarpit, the data it sends gets squished into a 5x5 grid and 'stamped' onto a Game of Life board. Data from a bot at the IP address 1.1.x.x will get stamped on the top left corner, data from a bot at 254.254.x.x will get stamped on the bottom right corner.

Conway's Game of Life, a set of simple rules that govern whether cells should turn on or off, updates the display once per second. The result is that bot attacks end up appearing as distinct 'creatures', that get bigger and more angry looking over time (as their centre is updated with new data). After the attack finishes, the 'creature' eventually burns itself out.

Despite that description, it's a really chill piece of art that doesn't draw too much attention but I can happily watch for a long time.

Credit for the idea goes to @_mattata, I had been wanting to make a real-life version of XKCD #350 for years before seeing his Botnet Fishbowl project.

#projects #inkplate #esp32 #eink #infosec #tarpit


See our good friend and frequent guest, @kyle, discuss supply chain security in this CNBC piece on manufacturing consumer electronics in the USA. We're excited to see @purism in the news!

youtu.be/YdbA7Z8Ae4w

#security #supplyChain #infosec #manufacturing #electronics #hardware #phones #teamKyle


I was interviewed about supply chain security (around 15 min mark) in a longer CNBC feature about manufacturing phones in the USA. In short, it's less about trust concerns with any particular country/govt., and more about reducing the links in the supply chain to reduce the opportunities to tamper with hardware.

Our Made-in-USA-electronics Librem 5 USA phone also got a number of shout-outs. Pretty neat!

youtu.be/YdbA7Z8Ae4w #security #supplychain #infosec #manufacturing


To learn more about #MLS and why this protocol exists in the first place when we already have Signal's, here is a great podcast on the topic: cryptography.fm/7.

#Privacy #Security #Crytology #Cryptography #InfoSec


โ€œHertzbleed: Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86โ€
hertzbleed.com/

When constant-time crypto code doesnโ€™t run in constant timeโ€ฆ

#infosec


Best of luck to Epic in their bullshit process.
---
RT @geerlingguy
lol for one of my #opensource projects, an #infosec employee at @EpicGames emailed me this questionnaire with over 100 questions and wants me to fill it out so *they* can use my freely available open source software.

No.
twitter.com/geerlingguy/statusโ€ฆ


โš ๏ธ TIL

:microsoft: If you use #Microsoft #Outlook, it scans all of your arriving #email and sends the URLs to #Bing for indexing.

๐Ÿ˜ฌ #infosec

scribe.rip/@ryanbadger/magic-lโ€ฆ


#infosec

A: Social Engineering
B: Physical Access
C: Vuln Exploitation
D: Lateral Movement
E: Supply Chain Attack

What am I missing?


โ€œiPhones Vulnerable to Attack Even When Turned Offโ€
threatpost.com/iphones-attack-โ€ฆ

โ€œEvil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhoneโ€
arxiv.org/pdf/2205.06114.pdf

#infosec


HIRING: Cyber Engineer / Dulles, Virginia, United States infosec-jobs.com/J12184/ #InfoSec #InfoSecJobs #Cybersecurity #security #jobsearch #techjobs #hiringnow #Dulles #Virginia #UnitedStates #SOC #CISSP #Python


I never did an #introduction!

Hi, I'm Max. I live in #NYC and do #journalism at PCMag where I cover #infosec, #security, and #privacy. I also write reviews of #VPN and professionally complain about #capitalism. I'm the Unit Chair of the ZDCG #union and moonlight as a #labor organizer. If you want to learn about how to unionize your workplace, plz DM me. I play #banjo badly and think about #medieval literature. I'm spending too much money on #fountainpens.


here is the 1995 paper that the #Spectre paper published in 2019 cites - and don't forget the research was funded by the NSA:

An in-depth analysis of the 80x86 processor families identifies architectural properties that may have unexpected, and undesirable, results in secure computer systems. In addition, reported implementation errors in some processor versions render them undesirable for secure systems because of potential security and reliability problems. In this paper, we discuss the imbalance in scrutiny for hardware protection mechanisms relative to software, and why this imbalance is increasingly difficult to justify as hardware complexity increases. We illustrate this difficulty with examples of architectural subtleties and reported implementation errors.


citeseerx.ist.psu.edu/viewdoc/โ€ฆ

Sibert, O., Porras, P. A., & Lindell, R. (1995, May). The intel 80x86 processor architecture: pitfalls for secure systems. In Proceedings 1995 IEEE Symposium on Security and Privacy (pp. 211-222). IEEE.

#infosec


As we are a #FOSS community, I thought it would be a good idea to ask: Who is #hiring?

Looking for a new challenge.

I am really good at:

- #infosec marketing
- #technicalwriting
- #marketing
- #infosec
- #scripting (#python)

Hoping to bypass the HR filter. If you are #recruiting at a humane company that respects & values employees, please reach out!

#remote

(++ to anyone who picks up on my good/excessive hashtag usage)


My #introduction:

I did two years of engineering school and two years of journalism. I'm a geek who loves to tell a story.

I make #comics, #illustrations & #paintings. I do a lot of #memoir work, kids books (#kidlit), and speculative #fantasy.

I've spent about 15 years in the world of #infosec (thank you, day job!) and I do a lot of writing and podcasting in this field. I'm not an expert but I am a nerd for #tech and #privacy.

Links are all in my profile if you want to learn more. I'm not gonna spam you.

This is not my first time on Mastodon but I'm trying to consolidate a bunch of my older profiles right here.

โ‡ง