
Items tagged with: infosec

A copy of the book Alice and Bob Learn Application Security on a glass table. The book has a purple cover, and in the centre a circle opens onto an illustration in which a woman with long hair holds a tablet that a smiling man with glasses is interacting with.

In exciting news I appear to be part of one of the first data breaches of the fediverse era!

I got this email 20 minutes ago letting me know my data migration from was dumped in a breach.

I'm going to be honest, I've got some opinions on the fact that a public bucket is used to store archives, with just obfuscation to stop people from downloading them.

#mastodon #infosec #fediverse

Hello tedivm, 

Early morning Feb 24 we were indirectly made aware of a misconfiguration on our object storage domain ( that allowed anyone to see the list of all uploaded files. Within 30 minutes this mistake was corrected. However, we have reasons to believe that the issue has existed since Feb 2, when we began upgrading our infrastructure. Normally Mastodon relies on long, randomly generated file names with high entropy to ensure that certain files are accessed only by those who know the link. However, that misconfiguration allowed that measure to be bypassed. Most files in our object storage are public in nature—profile pictures, custom emojis, images and videos attached to public posts. But there is a type of file that should never be accessed by anyone but its owner, and it’s the user’s archive takeout. Unfortunately, your archive takeout was among those in the system when the incident occurred. We have immediately deleted all archive takeouts to prevent anyone from downloading them, but we have reasons to believe that at least some of them were downloaded by unauthorized parties. Archive takeouts contain the following information:

* Your public profile
* Your favorites
* Your bookmarks
* Your posts and media attachments (including followers-only and mention-only posts)

They DO NOT contain your e-mail address or any other Personal Identifiable Information from your account, excepting anything you've manually put in your public profile or shared in posts. No action is required on your part.

We apologize sincerely for this mistake. We are changing the Mastodon software to not rely on high entropy links for access control to archive takeouts any longer, as well as adding an automated check into the admin dashboard to detect similar misconfigurations and notify other server operators about them. Security is important to us and we are continuously improving our processes as we scale our organization from one employee to multiple to ensure that mistakes like this do not happen in the future.

Eugen Rochko | CEO

Mastodon gGmbH | e:
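The email above says a check for this kind of misconfiguration is being added to the admin dashboard. As an added illustration (not Mastodon's own code), here is what such a self-check of your own bucket looks like: it assumes an S3-compatible endpoint, and the `backups/` prefix and the two sample responses are constructed placeholders.

```python
"""Detect an object-storage bucket that answers anonymous GET / with a listing.

Added example for the post above, not Mastodon's own code. Assumes an
S3-compatible endpoint (ListBucketResult XML); sample bodies are constructed.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"


def parse_listing(body: bytes):
    """Return the object keys if body is a ListBucketResult, else None."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag not in ("ListBucketResult", S3_NS + "ListBucketResult"):
        return None
    return [el.text for el in root.iter()
            if el.tag in ("Key", S3_NS + "Key") and el.text]


def listing_exposed(status: int, body: bytes) -> bool:
    """HTTP 200 plus a ListBucketResult means anyone can enumerate every key,
    which defeats the high-entropy-filename protection the email describes."""
    return status == 200 and parse_listing(body) is not None


def sensitive_keys(keys, prefixes=("backups/",)):
    """Keys under a prefix that must never be enumerable (placeholder prefix)."""
    return [k for k in keys if k.startswith(prefixes)]


def probe_own_bucket(url: str, timeout: float = 5.0) -> bool:
    """Unauthenticated GET on the bucket root of a bucket you operate."""
    req = urllib.request.Request(url, headers={"User-Agent": "listing-self-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return listing_exposed(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # 403 AccessDenied is the healthy case
        return listing_exposed(err.code, err.read())


# Constructed sample: an open bucket's reply to GET /
SAMPLE_OPEN = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>media</Name>
  <Contents><Key>accounts/avatars/abc.png</Key></Contents>
  <Contents><Key>backups/dumps/1/archive-20230224.zip</Key></Contents>
</ListBucketResult>"""

# Constructed sample: a correctly locked-down bucket's reply (HTTP 403)
SAMPLE_DENIED = b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"""
```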

While a few apps such as Signal, iMessages, WhatsApp, and Threema encrypt the payload of their push notifications end-to-end, many other apps don't encrypt the payload. This includes most email apps and most apps in the social networking and shopping categories.

#Privacy #infoSec #infosecurity

In my team we have openings for #developer focused on #offensive / #redteam development. You will help to make the research and education sector better (focused especially on #sweden) with your skills and write all #opensource tools. #python #sverige #svenska #sunet #infosec

Ask me any question about the position or team and culture.

Please boost for more reach

Polish hackers figured out that a train manufacturer had programmed its trains to break down after certain dates, or if they were serviced at another company's workshop.

attn @jon@echo_pbreyer

#trains #RighttoRepairEurope #InfoSec #railway #Poland #Polska

#InfoSec picks of the day:

➡️ @haveibeenpwned - Site which lets you check if you are victim of security breaches

➡️ @smashingsecurity - Award-winning humorous podcast about computer security

➡️ @gcluley - Computer security expert, blogger, co-host of Smashing Security podcast

➡️ @rysiek - IT expert, dev, good guy hacker

➡️ @adminmagazine - Technical journal for system administrators

➡️ @kalilinux - Linux distro for computer security tasks such as digital forensics, penetration testing etc


I quit a high-paying #infosec job a couple of weeks ago because of bad managers and trash industry. Cold turkey. Nothing lined up, no backup plan, nothing. It was the money or my sanity. Now that I have to look for something else, I am seriously considering leaving the industry altogether.

CVE-2023-49103 is a vulnerability in #ownCloud that exposes the PHP environment. In containerized deployments, this includes the ownCloud admin password, mail server credentials, and license key.

Patch before your ownCloud instance becomes an ownedCloud instance :blobcatphoto:

#CVE202349103 #Pentesting #AppSec #InfoSec #CyberSecurity #BugBounty #Hacking #CVE

Well, I'm kind of back to Mastodon. I took a long break from all social media and deleted every single one of my accounts... Mastodon, LinkedIn, Twitter/X, etc.

I guess I'm going to try it out again. I do miss the #InfoSec community and haven't been keeping up with the news and happenings as I should have been.

I hope to re-kindle some online friendships, so if you find me here, please say hello!

The average user of sends about 9 HTTP requests to the web server.

On November 2nd, TWO MILLION requests were sent from three IP addresses in two hours.

The Anatomy of an Attack 🧵
#Pentesting #AppSec #InfoSec #CyberSecurity #BugBounty #Hacking #BlueTeam #CveCrowd
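An added example (not from the thread above) of the detection the numbers above call for: a per-source sliding-window count over constructed access-log lines, flagging any IP whose volume in a two-hour window is far above the roughly nine-request baseline. The IPs, paths and the threshold factor are assumptions.

```python
"""Flag source IPs whose request volume dwarfs the ~9-requests-per-user baseline.

Added example for the thread above; the log lines are constructed, not the
site's real logs, and the threshold factor is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOG_TIME = "%d/%b/%Y:%H:%M:%S"


def parse_line(line: str):
    """Minimal combined-log parse: '<ip> - - [<timestamp> +0000] "<request>"'."""
    ip, rest = line.split(" ", 1)
    stamp = rest[rest.index("[") + 1:rest.index("]")].split()[0]
    return ip, datetime.strptime(stamp, LOG_TIME)


def burst_sources(lines, window=timedelta(hours=2), baseline=9, factor=100):
    """Return {ip: peak_requests_in_window} for IPs above baseline * factor.

    Sliding window over each IP's sorted timestamps, so a burst is caught
    even when the log also spans quiet hours."""
    by_ip = defaultdict(list)
    for line in lines:
        ip, ts = parse_line(line)
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > baseline * factor:
            flagged[ip] = peak
    return flagged


def make_sample():
    """Constructed: one normal visitor (9 requests over 9 minutes) plus one
    source firing 1,000 requests in 10 minutes. Addresses are RFC 5737 docs."""
    base = datetime(2023, 11, 2, 14, 0, 0)
    fmt = '{ip} - - [{t} +0000] "GET /cve/{n} HTTP/1.1"'
    normal = [fmt.format(ip="203.0.113.7", n=i,
                         t=(base + timedelta(minutes=i)).strftime(LOG_TIME))
              for i in range(9)]
    burst = [fmt.format(ip="198.51.100.9", n=i,
                        t=(base + timedelta(seconds=0.6 * i)).strftime(LOG_TIME))
             for i in range(1000)]
    return normal + burst
```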

The latest #Intel processor vulnerability (CVE-2023-23583) leading to information disclosure, denial of service, or privilege escalation has been patched today for #Debian 12 and Debian 11 users through an intel-microcode #security update. Update your systems now!

#Linux #infosec #infosecurity

YET another example of people having no problem in making colors and saying "hackers" erroneously to call #cybercriminals, when hackers are in reality for the most part the good guys, but then have no issue either to actually become #cybercriminals in the name of fucking $. This is why, even though I have worked in #infosec for 24 years now, I still like it when people call me a #hacker rather than #infosec, because for me that is just a job, not a way of thinking or a culture.

This dumb password rule is from Movistar.

Min 7 and max 8 characters for password! Also to be different than the username: the user name is automatically generated and is based on the surname of the user with some characters replaced by digits 😀 Has been that way for more than 10 years.

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Whoever has my passwords, can steal my identity and spend my money.

Whoever can read my email, can reset (almost) all my passwords.

Whoever controls my MX record, can receive my email.

Once again, DNS is the linchpin. At least I have DNSSEC to make poisoning attacks and other DNS lies harder.


I have a free 1 year subscription for #Norton360 #antivirus.
I already have AV for all our work computers* so my question for all you #infosec people out there... what should I do with this please?

*We currently have Eset/Nod32 but I'm evaluating Bitdefender as our contract renews soon. If anyone can share good/bad experience about these two I'd appreciate it. There seem to be a lot more buzzwords in AV than I remember and it's hard to see that one product is any better or worse than another.

  • Give it away (suggestions by reply please) (0%, 0 votes)
  • Give it someone you hate (50%, 1 vote)
  • Bin it! (50%, 1 vote)
  • Something else (suggest in comments) (0%, 0 votes)
2 voters. Poll end: 2 weeks ago

Anyone trying to break into #infosec or #getfedihired and struggling to get a foot in the door should be talking to @Lemniscate - she's the real deal.

Dec 7
FXBG Hackers - 0x10 - December 2023
Thu 12:00 AM - 2:00 AM
FXBG Hackers

FXBG Hackers - Fredericksburg, VA

1st Wednesday of Every Month!

(Note: not everyone RSVPs or clicks "Participate" in Mobilizon, so if it says no one is participating, it's lying. We have a couple hundred members with 20 to 30 folks that come out each month.)

White Hat, Black Hat, Gray Hat - N00b, 1337, Obso1337 Hacktivist, Corporate, Fed, Govt, Mil, Hobbyist - All are welcome.


  • 7:00 - Soft start / Socializing
  • 7:15 - Meeting begins
    • Intro
    • Guidelines
    • Community News

  • 7:30 - Firetalks
    • 10-minute presentation
    • 5-minute discussion
    • Slides, media, and demos are encouraged but not required.
    • We'll have a large display and a display laptop running Ubuntu available if need be; otherwise, bring your laptop or speak without slides.
    • Note: No vendor pitches, no recruiter pitches.

  • 8:45 - Who's Hiring / Who's Looking for Work
    • Those that are hiring can give a quick announcement.
    • Those who are looking for work can give a quick pitch.

  • 9:00 - Formal End of Meetup
  • 9:00+ - Socializing, Eating, Hanging Out, Hacking
    • The brewery closes at 9:00, but the night owls typically migrate to another venue after the meetup.

Note on FireTalks: If it's your first time here - chill, relax, enjoy and hang out. Otherwise, hop up and give a fire talk. Fire talks are short talks around a topic generally related to hacking. Talks last roughly 10 minutes or less, with 5 minutes of discussion afterward. Be as formal or informal as you like. Slides, demos, and media are encouraged but not required. If you're unsure what to talk about or have worries about presenting, ask one of the organizers for help. We're here for you. We apply a very broad definition of hacking - taking something and utilizing it beyond its intended means.

Note: We do not advocate illegal activities. If you're discussing bypassing computer security, you have permission to do so or are utilizing your equipment in a lab environment.


  1. Don't hack the venue!
  2. Don't hack other attendees without consent.
  3. Don't talk about anything illegal.
  4. Don't harass other attendees.
  5. Follow venue rules.
  6. Treat venue staff well.
  7. Do participate. Do Have Fun.
  8. Don't hack the venue!

All are welcome regardless of race, age, experience, gender identity, sexual orientation, ethnicity, disability, national origin, religion, or creed.

The Paradox of Tolerance Addressed: We do NOT tolerate intolerance. You will be banned if you advocate ostracizing, oppressing, or hurting others.

My new keycaps came in and I put them on. I like it. Double shot pbt. The artisan keycap is for the key that changes the backlight. Blank one is technically a macro, but is by default for cortana/siri. Couldn't be bothered to change it.

#hardware #infosec #infosecurity #cybersecurity #cybersec #cyber #mechanicalkeyboard

#ekoparty #infosec #conf #timetable #agenda #text Here is the ekoparty 2023 schedule in a readable and accessible form, my gift to you. Honestly, the organisers' website is terrible, garbage.

You're welcome.

STMicroelectronics STM32F1: bypassing read-out protection (RDP).
Interesting blog post for anyone into microcontroller hacking.
(Credits: Marc Schink and Johannes Obermaier)

#stm #hacking #microcontroller #infosec #cybersecurity #iot #embedded

:tor: Tor Project Needs Our Help

📉 Donations Down This Year

:tor: Tor: Not Only A Browser For Privacy Online:

It's Also An Essential Tool #Journalists / Vulnerable Populations Around The World Use To Access Internet / Bypass Censorship.

💡 ❤️ Tor is FREE. So worth it.

(I donated)

#TorBrowser #nonprofit #charity #donate #proxy #encryption #crypto #infosec #cybersecurity #censorship #internet #GreatFireWall #Snowflake #privacy

🔗 :tor: Tor Project Donation Page:

Wondering what CVEs are being discussed on Mastodon right now?

I've just launched, a website that shows you exactly that!

Learn more below 🧵

#Pentesting #AppSec #InfoSec #CyberSecurity #BugBounty #Hacking #CVE #CveCrowd

Screenshot of In its current size, there are 5 columns, each for one CVE that is currently discussed. The first in the screenshot is CVE-2023-4966. The column displays information from MITRE and NVD like the dates when the CVE was published and modified, the CVSS v3.1 vector and the CVE description. There is a line graph showing that the CVE was mentioned 4 times with 34 interactions in the last 24 hours. Beneath the description are the posts of fellow Mastodon users regarding that CVE, sorted by popularity. The other columns are structured alike.

I'm hoping for someone to help with some PRs for the following metadata:

zoho assist
Remote Utilities
Chrome Remote Desktop

This project is early stages but it's definitely needed, so if you have ideas, feedback, or want to be involved, let me know! #cybersecurity #infosec

I'm putting together a project to monitor RMMs and their metadata with the goal of auto building alerting mechanisms such as carbon black watch lists and sigma alerts.

#cybersecurity #infosec

Manufactured image depicting IRC channel takeover.

EU Governments Set To Approve End Of Secure Messaging

People Don't Have A Right To Basic Security... For Their Own Devices?

(don't think it won't spread)

#News #e2ee #encryption #crypto #EU #ChatControl #MassSurveillance #privacy #SurveillanceCapitalism #Governance #infosec #cybersecurity
