Search
Items tagged with: Infosec
So Google is now preventing people from removing location data from photos taken with Pixel phones.
Remember when Google's corporate motto was "don't be evil?"
Obviously, accurate location data on photos is more useful to a data mining operation like Google.
From Google: "Important: You can only update or remove estimated locations. If the location of a photo or video was automatically added by your camera, you can't edit or remove the location."
It's enshitification in action.
Source: support.google.com/photos/answโฆ
#technology #tech @technology #business #enshitification #Android #Google @pluralistic #infosec
Hey there -- we're Let's Encrypt, the free and open certificate authority serving over 300 million websites worldwide. We're new to Mastodon and are excited to get to know the infosec community in this new space!
#opensource #TLS #PKI #infosec
Let's Encrypt
Let's Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG).letsencrypt.org
Yours truly is looking for an #InfoSec / #Cybersecurity job in a safer state than Florida. I do pretty much all things security... like consulting, malware analysis, auditing, compliance, blue team, red team, purple team, SecDev, SecOps, SecDevOps, etc.
My kids are all grown now, so I am more than willing to travel / relocate. If you have any leads or tips on some good companies, please let me know.
#GetFediHired
[matrix] โข [SimpleX]
Matrix - Decentralised and secure communication
You're invited to talk on Matrix. If you don't already have a client this link will help you pick one, and join the conversation. If you already have one, this link will help you join the conversationmatrix.to
Microsoft Authenticator prompts the user to accept sharing analytics during the first launch. The prompt only dismisses when the user taps on "Accept." In fact, the app starts sending analytics even before accepting the privacy statement.๐คฆโโ๏ธ
In this video, we downloaded the authenticator app from the App Store and we opened it as we monitored the iPhone network traffic. While the app was showing the permission prompt, we captured at least 3 calls made by the app sending diagnostics to Microsoft. The app sent 14 KB of analytics even before accepting the prompt.
The message on the prompt actually says that Microsoft needs to collect diagnostic data in order to keep Authenticator secure and up to date. ๐ตโ๐ซ
#Privacy #Cybersecurity #2FA #InfoSec #Security #Microsoft
Privacy: Microsoft Authenticator sends analytics even before accepting the privacy statement
When opening Microsoft Authenticator for the first time after downloading it from the App Store, it prompts the user to accept sharing diagnostics with Micro...YouTube
Please boost! We are *hiring* for *two* jobs in information security! Come work with our amazing team building solutions for the security have-nots in our world!
Red Queen Dynamics needs 1) a leader for engineering/cloud infrastructure, and 2) a product designer. We are a remote-first security company and we welcome people from all backgrounds and life journeys. #infosec #infosecjobs #hiring #cybersecurity
You can apply here! Tech Lead: linkedin.com/jobs/view/3475289โฆ
Product Designer: linkedin.com/jobs/view/3475289โฆ
Or stay up to date with all our job postings on our website: rqdn.io/career-opportunities
Career Opportunities
Looking for a place to stretch your wings? Check out our remote work opportunities that range from sales to product development.rqdn.io
I know there is a lot going on at Twitter right now, but here's one more thing. Twitter is ignoring #GDPR requests from people to delete their DMs.
At the moment, when you press delete on a Twitter DM (an individual message or conversation) the DM isn't actually deleted from Twitter's servers, just your inbox view.
So people in Europe have been making requests for Twitter to blitz all their messages. It hasn't properly answered them. And now regulators are looking at it
Full story here: wired.com/story/delete-twitterโฆ
#Twitter #gdpr #infosec #technology #news #wired
Want to Delete Your Twitter DMs? Good Luck With That
People in Europe are making GDPR requests to have their private messages erased, but Elonโs team is ignoring them.Matt Burgess (WIRED)
It's trivial to determine the real IP of a Mastodon server behind Cloudflare. All it takes is one well-crafted request:
gist.github.com/cutiful/4f36daโฆ
I wonder how many instance admins using Cloudflare know about this? My hunch is most do not, because the primary justification I see for using Cloudflare here is DDoS protection.
Cloudflare won't help if the attacker knows your origin IP, and you can't hide that with Cloudflare alone, due to the nature of ActivityPub.
Detecting the real IP of a Cloudflare'd Mastodon instance
Detecting the real IP of a Cloudflare'd Mastodon instance - mastodon-ip.mdGist
People following my account for a while probably noticed me talking about South Korea every now and then. Iโve hinted towards doing some important research, and now the time has finally come for the first disclosures.
But first I need to do a bunch of explaining because most people (my past self from a few months ago included) are largely unfamiliar with the Korean software landscape. See: they have those โsecurityโ applications that everyone has to install if they want to use online banking for example.
What could possibly go wrong with applications developed by private vendors without any kind of security vetting and that everyone in a country has to install, whether they like it or not? A lot of course.
In this first blog post I explain how in my limited understanding the current situation came about, show why the companies lack incentive to really invest in security and give you a first slight idea of the disastrous consequences.
No, Iโm not exaggerating. The next blog post is scheduled for January 9th, and it will be about a specific application. I submitted seven vulnerability reports for this one. It took a real issue and claimed to have solved it โ by making matters considerably worse than they were.
palant.info/2023/01/02/south-kโฆ
#infosec #ApplicationSecurity #privacy #korea
South Koreaโs online security dead end
Websites in South Korea often require installation of โsecurity applications.โ Not only do these mandatory applications not help security, way too often they introduce issues.Almost Secure
Compromised PyTorch-nightly dependency chain between December 25th and December 30th, 2022.
Steals all your SSH keys!
"If you installed PyTorch-nightly on Linux via pip between December 25, 2022 and December 30, 2022, please uninstall it and torchtriton immediately, and use the latest nightly binaries (newer than Dec 30th 2022)."
#infosec #machinelearning #deeplearning
pytorch.org/blog/compromised-nโฆ
news.ycombinator.com/item?id=3โฆ
PyTorch
An open source machine learning framework that accelerates the path from research prototyping to production deployment.pytorch.org
๐ Like good neocolonizers, #humanitarian organizations & #nonprofits, like militaries, also collect vast amounts of #biometric & other private information about people with reckless disregard for basic #privacy and #security concepts.
โ๐ฝ We must hold them accountable for the risks and damages their actions cause: it's unacceptable to allow society to continue this way.
Thanks to #CCC for helping expose the dangerous truth.
#SurevillanceCapitalism #infosec
web.archive.org/web/2022122712โฆ
For Sale on eBay: A Military Database of Fingerprints and Iris Scans
German security researchers studying biometric capture devices popular with the U.S. military got more than they expected for $68 on eBay.Kashmir Hill (The New York Times)
People wonder why I am always so harsh on #LastPass. Thing is, Iโve been watching them ignore security risks for years. Yes, things that they are being warned about again and again, yet they choose not to address them.
You think unencrypted URLs are bad? Take a look at this seven years old presentation by Martin Vigo and Alberto Garcia Illera: blackhat.com/docs/eu-15/materiโฆ. Starting with page 69 it explains how the custom_js feature could be abused to extract usersโ passwords.
Guess what, this feature is still present and used on PayPal for example. Still no encryption and nothing to protect the users. No change whatsoever in at least seven years that LastPass was made aware of this issue.
Instead, when disclosing #LastPassBreach they again lie that they donโt have access to your passwords. But they do. Anyone with access to their server does. NSA could order them to extract your passwords. Hackers who gain access to their server could abuse this to get your passwords. Or just to run their JavaScript code on any website, and then they donโt even need your passwords.
And thatโs only one out of the many documented backdoors that LastPass chooses to ignore, both in terms of implementation and their public communication.
Apparently some dickhead (or dickheads, as the case may be) uploaded malware into an issue on Codeberg and shared links to it and managed to get Codeberg onto a number of block lists so some folks canโt access the site now because their ISPs are blocking it.
If you know the folks who run these lists and can help remove Codeberg from them, Iโd appreciate it.
More details: codeberg.org/Codeberg/Communitโฆ
CC @Codeberg
#codeberg #infosec #foss #freeSoftware
Codeberg on more block lists
Further to #841 (which is now closed), Codeberg is on some other block lists: - https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt - https://v.firebog.net/hosts/Prigent-Malware.txt See https://mastodon.ar.Codeberg.org
Tutanota: U2F support is now also available on #Android and #iOS
U2F keys are now supported on all @Tutanota clients.
(Tutanota is also an avoidthehack recommended encrypted email provider).
#mfa #2fa #privacy #cybersecurity #infosec #infosecurity
tutanota.com/blog/posts/app-upโฆ
U2F support is now also available on Android and iOS.
Celebrate with us the new release of Tutanota!Tutanota
Raspberry Pi is really proud of hiring "a policeman & it's going really great" who "was a surveillance officer for 15 years" and built covert surveillance equipment. RPi dismisses the very thing they're so proud of as "he built lightsabers [as toys]. Chill."). Dear reader, it must be remarked that the concern is not his rad lightsaber toys (which, to be clear, are rad). The concern is that he's got experience in surveillance equipment, and the company is proud to have hired him for it, and proudly blocking everyone who expresses the slightest concern about it instead of being even remotely willing to listen and understand why people are skeeved out, even people who aren't on the ACAB train and are gently voicing concerns with a surveillance cop potentially having the keys to their hardware/software.
This is not the behavior of a company that's concerned about privacy, security, trust, or autonomy, and I don't think this company can or should be trusted to remain federated with instances that want to be welcoming to marginalized people or anti-authoritarians.
Really hate to say it, because I've used and loved RPis for several years now, but if nothing else, please use a different SBC from now on. There are many options out there that aren't so eager to insult you for having concerns about security.
raspberrypi.social/@Raspberry_โฆ
archive in case they delete
archive.ph/8YQqH
#raspberrypi #rpi #surveillance #infosec #sysadmin #fediblock #acab #devops #police #sbc #singleboardcomputer
Bug on Hyundai app allows hackers to unlock and start cars remotely - KoDDoS Blog
Researchers have detected a vulnerability on Hyundai and SiriusXM. The vulnerability allows an attacker to start and unlock cars remotely. An attacker can execute commands on a car by just knowing the vehicle identification number.Ali Raza (KoDDoS)
This is an old project, but by some miracle it's still working and I woke up this morning wanting to celebrate the things I love more.
This Inkplate e-ink screen shows Conway's Game of Life, seeded from tarpits I have on the Internet. The tarpits are programs on my computer that superficially look like insecure Telnet and Remote Desktop services, but actually exist to respond super slowly and make bots scanning the Internet 'get stuck'.
When a bot connects to the tarpit, the data it sends gets squished into a 5x5 grid and 'stamped' onto a Game of Life board. Data from a bot at the IP address 1.1.x.x will get stamped on the top left corner, data from a bot at 254.254.x.x will get stamped on the bottom right corner.
Conway's Game of Life, a set of simple rules that govern whether cells should turn on or off, updates the display once per second. The result is that bot attacks end up appearing as distinct 'creatures', that get bigger and more angry looking over time (as their centre is updated with new data). After the attack finishes, the 'creature' eventually burns itself out.
Despite that description, it's a really chill piece of art that doesn't draw too much attention but I can happily watch for a long time.
Credit for the idea goes to @_mattata, I had been wanting to make a real-life version of XKCD #350 for years before seeing his Botnet Fishbowl project.
#projects #inkplate #esp32 #eink #infosec #tarpit
See our good friend and frequent guest, @kyle, discuss supply chain security in this CNBC piece on manufacturing consumer electronics in the USA. We're excited to see @purism in the news!
#security #supplyChain #infosec #manufacturing #electronics #hardware #phones #teamKyle
Why The U.S. Fell Behind In Phone Manufacturing
Made in China. Itโs a common phrase known by many. Cell phones, TV screens and game consoles are just some of the millions of electronics manufactured and im...YouTube
I was interviewed about supply chain security (around 15 min mark) in a longer CNBC feature about manufacturing phones in the USA. In short, it's less about trust concerns with any particular country/govt., and more about reducing the links in the supply chain to reduce the opportunities to tamper with hardware.
Our Made-in-USA-electronics Librem 5 USA phone also got a number of shout-outs. Pretty neat!
youtu.be/YdbA7Z8Ae4w #security #supplychain #infosec #manufacturing
Why The U.S. Fell Behind In Phone Manufacturing
Made in China. Itโs a common phrase known by many. Cell phones, TV screens and game consoles are just some of the millions of electronics manufactured and im...YouTube
To learn more about #MLS and why this protocol exists in the first place when we already have Signal's, here is a great podcast on the topic: cryptography.fm/7.
#Privacy #Security #Crytology #Cryptography #InfoSec
Episode 7: Scaling Up Secure Messaging to Large Groups With MLS!
Raphael Robert from Wire talks about how MLS wants to scale secure messaging to groups with hundreds or even thousands of participants.Cryptography FM
โHertzbleed: Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86โ
hertzbleed.com/
When constant-time crypto code doesnโt run in constant timeโฆ
Best of luck to Epic in their bullshit process.
---
RT @geerlingguy
lol for one of my #opensource projects, an #infosec employee at @EpicGames emailed me this questionnaire with over 100 questions and wants me to fill it out so *they* can use my freely available open source software.
No.
twitter.com/geerlingguy/statusโฆ
Firefox Kills Another Tracking Cookie Workaround
#News #Firefox #Mozilla #privacy #cookies #infosec #Cybersecurity
theregister.com/2022/06/30/firโฆ
Firefox kills another tracking cookie workaround
URL query parameters won't work in version 102 of Mozilla's browserBrandon Vigliarolo (The Register)
A: Social Engineering
B: Physical Access
C: Vuln Exploitation
D: Lateral Movement
E: Supply Chain Attack
What am I missing?
โiPhones Vulnerable to Attack Even When Turned Offโ
threatpost.com/iphones-attack-โฆ
โEvil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhoneโ
arxiv.org/pdf/2205.06114.pdf
iPhones Vulnerable to Attack Even When Turned Off
Wireless features Bluetooth, NFC and UWB stay on even when the device is powered down, which could allow attackers to execute pre-loaded malware.Elizabeth Montalbano (Threatpost)
Cyber Engineer
Cyber EngineerExperience: SeniorsLocation: Dulles, VANode is supporting a U.S. Government customer on a large mission-critical development and sustainment program to design, build, deliver, and operate a network operations environment; including โฆinfosec-jobs.com
I never did an #introduction!
Hi, I'm Max. I live in #NYC and do #journalism at PCMag where I cover #infosec, #security, and #privacy. I also write reviews of #VPN and professionally complain about #capitalism. I'm the Unit Chair of the ZDCG #union and moonlight as a #labor organizer. If you want to learn about how to unionize your workplace, plz DM me. I play #banjo badly and think about #medieval literature. I'm spending too much money on #fountainpens.
here is the 1995 paper that the #Spectre paper published in 2019 cites - and don't forget the research was funded by the NSA:
An in-depth analysis of the 80x86 processor families identifies architectural properties that may have unexpected, and undesirable, results in secure computer systems. In addition, reported implementation errors in some processor versions render them undesirable for secure systems because of potential security and reliability problems. In this paper, we discuss the imbalance in scrutiny for hardware protection mechanisms relative to software, and why this imbalance is increasingly difficult to justify as hardware complexity increases. We illustrate this difficulty with examples of architectural subtleties and reported implementation errors.
citeseerx.ist.psu.edu/viewdoc/โฆ
Sibert, O., Porras, P. A., & Lindell, R. (1995, May). The intel 80x86 processor architecture: pitfalls for secure systems. In Proceedings 1995 IEEE Symposium on Security and Privacy (pp. 211-222). IEEE.
As we are a #FOSS community, I thought it would be a good idea to ask: Who is #hiring?
Looking for a new challenge.
I am really good at:
- #infosec marketing
- #technicalwriting
- #marketing
- #infosec
- #scripting (#python)
Hoping to bypass the HR filter. If you are #recruiting at a humane company that respects & values employees, please reach out!
(++ to anyone who picks up on my good/excessive hashtag usage)
My #introduction:
I did two years of engineering school and two years of journalism. I'm a geek who loves to tell a story.
I make #comics, #illustrations & #paintings. I do a lot of #memoir work, kids books (#kidlit), and speculative #fantasy.
I've spent about 15 years in the world of #infosec (thank you, day job!) and I do a lot of writing and podcasting in this field. I'm not an expert but I am a nerd for #tech and #privacy.
Links are all in my profile if you want to learn more. I'm not gonna spam you.
This is not my first time on Mastodon but I'm trying to consolidate a bunch of my older profiles right here.