If you have associates who've moved to Hive Social, please alert them to this report. The new platform is apparently an infosec car crash, and not currently safe to use.

"The issues we reported allow any attacker to access all data, including private posts, private messages, shared media and even deleted direct messages. This also includes private email addresses and phone numbers entered during login."

I thought the #infosec community and organizations like #defcon were lost forever to centralized surveillance capitalism products like Twitter and Discord.

It made me sad, and really afraid for the future of the internet.

Watching everyone flood over to Mastodon gives me so much joy and hope.

This seemed impossible, but maybe sometimes it takes the emergence of dictators to make people rally for democratic governance.

You are all welcome!

Let's take back control of the internet together.

ATTENTION EVERYONE WRINGING THEIR HANDS OVER “#MASTODON ADMINS CAN READ MY DIRECT MESSAGES”: #SysAdmins have *always* been able to read your #email and DMs unless encrypted, including at the big #SocialNetworks and Internet providers. We used to have t-shirts that said, “I READ YOUR EMAIL.”

It’s just hitting now because you got used to places where the admins were kept away in their cubicles and data centers instead of greeting you at the front door.

#introduction to anyone in the fediverse!

I am an #SRE/#DevOps consultant and a polyglot Software Developer. I enjoy making complicated things simple and messy services reliable.

Currently working on some cool things with #AWS Outposts. I also dig #infosec and #serverless. First programming language was Delphi.

I grew up and live in the magnificent West #Auckland, #NewZealand 🇳🇿

Cat person 🐱. Father 👪. Cyclist 🚲. I stand with Ukraine 🇺🇦.

This is an old project, but by some miracle it's still working and I woke up this morning wanting to celebrate the things I love more.

This Inkplate e-ink screen shows Conway's Game of Life, seeded from tarpits I have on the Internet. The tarpits are programs on my computer that superficially look like insecure Telnet and Remote Desktop services, but actually exist to respond super slowly and make bots scanning the Internet 'get stuck'.

When a bot connects to the tarpit, the data it sends gets squished into a 5x5 grid and 'stamped' onto a Game of Life board. Data from a bot at the IP address 1.1.x.x will get stamped on the top left corner, data from a bot at 254.254.x.x will get stamped on the bottom right corner.

Conway's Game of Life, a set of simple rules that govern whether cells should turn on or off, updates the display once per second. The result is that bot attacks end up appearing as distinct 'creatures', that get bigger and more angry looking over time (as their centre is updated with new data). After the attack finishes, the 'creature' eventually burns itself out.

Despite that description, it's a really chill piece of art that doesn't draw too much attention but I can happily watch for a long time.

Credit for the idea goes to @_mattata, I had been wanting to make a real-life version of XKCD #350 for years before seeing his Botnet Fishbowl project.

E-ink screen in a frame, with a Conway's Game of Life grid on it. There is a cluster of activity happening on the left side of the grid, representing an ongoing bot attack.
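The tarpit-to-Game-of-Life pipeline described in this post, as an added Python example that is not the author's code: the board size, the rule for squishing received bytes into 25 cells, and overwriting a bot's 5x5 region on each stamp are all assumptions.

```python
# Added example (not the author's code): a minimal model of the tarpit display.
# Board size, the squish rule and the overwrite-on-stamp rule are assumptions.

GRID_W, GRID_H = 64, 48   # assumed board size; the post does not give a resolution
STAMP = 5                 # the post's 5x5 stamp

def stamp_origin(ip: str) -> tuple[int, int]:
    """Top-left corner of the 5x5 stamp for a bot's IPv4 address.
    Octet 1 selects the column, octet 2 the row, so 1.1.x.x lands top-left
    and 254.254.x.x bottom-right, as in the post."""
    a, b = (int(o) for o in ip.split(".")[:2])
    col = round((a - 1) * (GRID_W - STAMP) / 253)
    row = round((b - 1) * (GRID_H - STAMP) / 253)
    return row, col

def squish(data: bytes) -> set[tuple[int, int]]:
    """Fold arbitrary received bytes into 25 cells (assumed rule: XOR each byte
    into bucket i % 25; a cell is alive when its bucket has odd bit parity)."""
    buckets = [0] * (STAMP * STAMP)
    for i, byte in enumerate(data):
        buckets[i % len(buckets)] ^= byte
    return {divmod(i, STAMP) for i, v in enumerate(buckets) if bin(v).count("1") % 2}

def stamp(board: set, ip: str, data: bytes) -> set:
    """Overwrite the 5x5 region owned by this IP with the squished data."""
    r0, c0 = stamp_origin(ip)
    region = {(r0 + dr, c0 + dc) for dr in range(STAMP) for dc in range(STAMP)}
    return (board - region) | {(r0 + dr, c0 + dc) for dr, dc in squish(data)}

def life_step(board: set) -> set:
    """One Conway generation on a bounded grid (cells off the board count as dead)."""
    counts = {}
    for r, c in board:
        for dr in (-1, 0, 1):
            for dc in (-1, 0, 1):
                nr, nc = r + dr, c + dc
                if (dr or dc) and 0 <= nr < GRID_H and 0 <= nc < GRID_W:
                    counts[(nr, nc)] = counts.get((nr, nc), 0) + 1
    return {cell for cell, n in counts.items() if n == 3 or (n == 2 and cell in board)}

if __name__ == "__main__":
    # constructed sample: a "bot" from 1.1.2.3 sends a few Telnet-looking bytes
    board = stamp(set(), "1.1.2.3", b"\xff\xfd\x18\xff\xfd\x20admin\r\n")
    for tick in range(5):          # the real display ticks once per second
        print(tick, sorted(board))
        board = life_step(board)
```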

See our good friend and frequent guest, @kyle, discuss supply chain security in this CNBC piece on manufacturing consumer electronics in the USA. We're excited to see @purism in the news!

I was interviewed about supply chain security (around 15 min mark) in a longer CNBC feature about manufacturing phones in the USA. In short, it's less about trust concerns with any particular country/govt., and more about reducing the links in the supply chain to reduce the opportunities to tamper with hardware.

Our Made-in-USA-electronics Librem 5 USA phone also got a number of shout-outs. Pretty neat! #security #supplychain #infosec #manufacturing

so looking at whois, I see you're on namecheap. Try setting it up on Cloudflare's free plan for DNS and such. Namecheap is also a PITA, I prefer #Cloudflare as my registrar as well. They're also kind of industry standard for a lot of #Infosec.

To learn more about #MLS and why this protocol exists in the first place when we already have Signal's, here is a great podcast on the topic:

I’ve asked this on Twitter before but let’s also try it here in the hope to reach more people outside of the #infosec bubble.

Do you use a password manager?

Reblogs appreciated!

Are there any existing #infosec lists or accounts people recommend? Mastodon noob here, part of the #TwitterMigration

Looks like #Telegram leaks usernames in #TLS SNI:


TLS SNI is sent in *clear text*, because it is a mechanism that informs the server hosting multiple websites on a single IP address which TLS certificate to present to the client.

Putting the username in SNI makes it *trivial* for anyone listening on the wire to track who is communicating with Telegram servers, and when. Add some timing analysis and one can reason about who is talking to whom.

Metadata kills.


Years ago (before becoming more privacy-sensitive #) I got a # # account.

Apparently I can't use it anymore with my email client (#) without giving Google my mobile phone number. Which I won't.

❓ What email provider would you recommend, that does not do shady things with my data?

It should work with an email client, which excludes web-interface-only providers. Preferably free if possible, but I am okay with paying a service I can trust.

“Hertzbleed: Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86”

When constant-time crypto code doesn’t run in constant time…


Researchers have uncovered “#,” what they call a "nearly-impossible-to-detect" # malware that’s targeting the financial sector in Latin America.

I work at a ccTLD (.IS), and lately we are seeing a *lot* of new accounts immediately registering multiple domains that all had been registered in the past. I suspect we're not the only ccTLD that sees this.

We know of at least two instances of this being used to take over social media accounts that had e-mails in expired domains set as backup e-mail addresses.

This seems to be organized and well-resourced.

Please double-check you don't use e-mails in any expired domains anywhere.


# 100.0.2, Firefox for # 100.3.0, Firefox ESR 91.9.1, and Thunderbird 91.9.1 are all out now to fix two critical # vulnerabilities. Update your installations ASAP!

“iPhones Vulnerable to Attack Even When Turned Off”

“Evil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhone”


If information security folks did automotive safety:

“Haha, what a newb! Died ’cos he hadn’t configured his seat belts to retract in case of an accident!”

I never did an #!

Hi, I'm Max. I live in # and do # at PCMag where I cover #, #, and #. I also write reviews of # and professionally complain about #. I'm the Unit Chair of the ZDCG # and moonlight as a # organizer. If you want to learn about how to unionize your workplace, plz DM me.

Content warning: abandon x86 forever! Spectre, academic paper from 1995 w/ link

As we are a # community, I thought it would be a good idea to ask: Who is #?

Looking for a new challenge.

I am really good at:

- # marketing
- #
- #
- #
- # (#)

Hoping to bypass the HR filter. If you are # at a humane company that respects & values employees, please reach out!


(++ to anyone who picks up on my good/excessive hashtag usage)

My #:

I did two years of engineering school and two years of journalism. I'm a geek who loves to tell a story.

I make #, # & #. I do a lot of # work, kids books (#), and speculative #.

I've spent about 15 years in the world of # (thank you, day job!) and I do a lot of writing and podcasting in this field. I'm not an expert but I am a nerd for # and #.

Links are all in my profile if you want to learn more. I'm not gonna spam you.

This is not my first time on Mastodon but I'm trying to consolidate a bunch of my older profiles right here.