social.dk-libre.fr is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
"Your experience is important to us." Specifically, it's important to us that you allow us to ruin your experience.
Get the fuck out of here with that bullshit.
#privacy #infosec #AdBlocker #MLive #AdTech #TechIsShitDispatch
@superball @APBBlue Paranoid #infosec guy here, seconding the motion to be aggressive about inquiring into the security and privacy practices of whoever takes these photos.
Ideally, they should never go into the cloud, you should get both the original images and the images edited by the photographer, and they should delete them completely from their systems once you've paid and the images have been delivered to you.
@troed @protonprivacy Sure, but who is 'they' - presumably #Allianz has a pretty large and high quality #CyberSec #InfoSec team who must have implemented this new policy. It seems very unlikely to be simple ignorance.
I was renewing an #Insurance policy this morning and they said they no longer accept @protonprivacy email addresses because 'they are associated with fraud'. WTAF?
They used my #Protonmail address happily for 3 years. Where has this change come from? Is this #BigTech selling #CyberSec #InfoSec products which just happen to lock end users into their products?
#Allianz since you asked.
CW: Data Leaks & Privacy Risks
🔔 Search and set your LeakLake Alerts — you'll be shocked by what folks query AI about (your name? Your biz intel? or any other keyword).
In infosec, staying ahead of exposed chats in ChatGPT, Grok, Gemini & more is key to threat hunting & compliance. Apart from security and privacy concerns, check for any keyword. 👇
🔗 https://leaklake.com
#AI #DataPrivacy #Infosec #Monitoring #LeakLake #Leaks #ChatGPT #Gemini #Claude #Perplexity #Grok
⚠️ CRITICAL: CVE-2025-42890 in SAP SQL Anywhere Monitor 17.0 (Non-GUI) — hard-coded credentials let attackers bypass auth remotely for RCE & full system takeover. Audit & restrict access now. Await SAP patches. https://radar.offseq.com/threat/cve-2025-42890-cwe-798-use-of-hard-coded-credentia-91b98cfd #OffSeq #SAP #Infosec #CVE202542890
When censoring names or other things in screenshots/images, it's important to know that a lot of image editing programs default to a brush with partial transparency, both for the shape of the brush and sometimes for the color itself. We've personally been able to extract enough information from censored screenshots to narrow down what the crossed-out sections are, even if to the naked eye they were not readable. Built-in mobile image editors tend to be the worst offenders in this.
To make sure that a censor truly stays unreadable, make sure that the color used is a solid one and use a brush that has solid edges. Some programs like Gnu Imp have a "pencil" tool, which either fully paints in a given pixel or not at all; use that when in doubt.
DO NOT apply distorting effects such as mosaic or blur; these can be narrowed down quite easily, especially if it's a screenshot or something similar.
Below is a simple showcase of the effectiveness of different default brushes in Gnu Imp at the same brush size, which We made for a friend and wanted to share more broadly.
Container escape vulnerabilities discovered in runC container runtime
Three high-severity vulnerabilities (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881, all CVSS 8.2) in runC container runtime enable attackers to escape container isolation and gain root access on host systems through mount race conditions and procfs manipulation, affecting Docker, Kubernetes, and major cloud platforms.
**If you're running Docker, Kubernetes, or any containerized environments, plan an update to pull the latest runC: version 1.2.8, 1.3.3, or 1.4.0-rc.3 or later. There is a possible exploit that lets attackers escape containers and take full control of your host systems with root privileges. It's not trivial, but why wait for hackers to find a way in? In the meantime, scan your Dockerfiles and use only Dockerfiles from trusted sources.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/container-escape-vulnerabilities-discovered-in-runc-container-runtime-s-3-7-f-p/gD2P6Ple2L
Sunday Trivia Question:
What is this object? 🤔
Describe its cultural importance in the history of computing 😌🤷♂️
Yet another website ("Olo" online ordering app for restaurants) that refuses to work over a #VPN and lies about it.
(Text of the screenshot in the replies, since it's too long for alt text)
🧵1/7
#TechIsShitDispatch #infosec #privacy #Olo
Final round of SeaGL talks in 30 min:
* GNU/Linux Loves All from Timmy James Barnett
* Let's create our own tech jobs together following open source principles from Jocelyn Graf
* No More Mystery Brownies: SBOMs, security errata, and the recipe for safer software from Brady Dibble
https://pretalx.seagl.org/2025/talk/
Join freely and anonymously - https://seagl.org/attend
#SeaGL #SeaGL2025 #FLOSSconf #FLOSSevent #Seattle #FediPact #Fediverse #FLOSSmusic #FLOSSbusiness #FLOSSjobs #InfoSec #SBOM
Mack Energy Corporation hit by ransomware attack
Mack Energy Corporation suffered a ransomware attack detected on July 9, 2025, claimed by the Cicada3301 group, which allegedly stole approximately 3.1 terabytes of sensitive data including full names and Social Security numbers. The breach affected at least 413 individuals in Texas but the total number of affected individuals is not disclosed.
#cybersecurity #infosec #incident #ransomware
https://beyondmachines.net/event_details/mack-energy-corporation-hit-by-ransomware-attack-i-w-m-f-o/gD2P6Ple2L
Apparently the Mym platform has leaked (nothing surprising so far): https://bonjourlafuite.eu.org/#MYM-2025-11-07
And then I read "Passwords hashed with MD5"... in 2025... Well, the platform was launched in 2019, but MD5 has been obsolete for cryptographic applications since 2004 and... 1996 for the first signs of weakness... 🤦
La French Tech 🐓
#fuite #leak #password #security #infosec #cryptographie #mym
Gemini can now rummage through personal emails and documents to do in-depth research
What could possibly go wrong?
#Meta is earning a fortune on a deluge of fraudulent ads, documents show
https://www.reuters.com/investigations/meta-is-earning-fortune-deluge-fraudulent-ads-documents-show-2025-11-06/
#InfoSec
tfw you can't get the verification code sent by your health insurance company to your email because the IP address it's coming from is listed in Spamhaus AND the email they're sending violates their enforcing DMARC policy. *sigh*
#infosec #DMARC #Spamhaus #SysAdmin #EmailAdmin #healthInsurance
Hard to believe: in 2014 Der Postillon published a satirical piece about the most secure password in the world, which was supposedly chosen by the CCC, namely this one: Mb2.r50Hf-0t
https://www.der-postillon.com/2014/04/sicherstes-passwort.html
And if it's that secure, then nothing can go wrong, right?
https://haveibeenpwned.com/Passwords has just added newly leaked passwords to its database. There you can check whether your own passwords are among them. If there are hits, it would be advisable to change the password(s).
Back to the SuperDuperSecure password Mb2.r5oHf-0t: at least 131 bright sparks have used it.
“Meta projected 10% of its 2024 revenue would come from ads for scams and banned goods, documents seen by Reuters show. And the social media giant internally estimates that its platforms show users 15 billion scam ads a day.”
Famed Russian spy hunter Christo Grozev made an extraordinary claim on this podcast four months ago: North Korea hacked the Democratic National Committee in 2016 and passed the info to Russia, which in exchange divulged access to Bangladesh Bank. No evidence was offered but Grozev says the situation “will come up later.” 🤔 Transcript in the image. Passage starts at 13m 31s:
https://www.youtube.com/watch?v=dimhhRVbNec #infosec
Another Windows update, another fire drill. This time, the October 2025 update is kicking some users into BitLocker recovery mode, and if you don’t know where your recovery key lives, you could lose everything. What’s wild is that BitLocker is actually doing its job. The update just forgot to tell it to chill during reboot. It’s another reminder that the line between “secure” and “unusable” is thinner than most realize.
TL;DR
⚠️ October update breaks BitLocker flow
🔐 Missing key = locked-out data
🧠 Recovery key sits in your MS account
💡 Enterprise fix requires IT rollout
#Windows11 #InfoSec #CyberSecurity #Microsoft #security #privacy #cloud
(recommended reading)
China’s Vulnerability Research: What’s Different Now?
https://nattothoughts.substack.com/p/chinas-vulnerability-research-whats
#vulnerability #cybersecurity #infosec #informationsecurity #exploit #exploitation
#Eleven11: The four-year-old "#DDoS ghost"
https://www.undernews.fr/hacking-hacktivisme/eleven11-le-fantome-ddos-vieux-de-quatre-ans.html
#InfoSec
Source: https://www.netscout.com/blog/asert/161-days-eleven11
From yesterday, if you missed it:
"Microsoft Defender Application Guard’s Hyper-V malicious detection is being abandoned in favor of a faster rules-based design."
Computerworld: Microsoft confirms Office sandbox file security to disappear from enterprise Windows by late 2027 https://www.computerworld.com/article/4085166/office-sandbox-file-security-to-disappear-from-enterprise-windows-by-late-2027-microsoft-confirms.html #Microsoft #Windows #infosec
GCVE Vulnerability Format (Modified CVE Record Format) updated.
#gcve #cve #vulnerability #cybersecurity #infosec
🔗 https://gcve.eu/bcp/gcve-bcp-05/
🔗 Discussions https://discourse.ossbase.org/t/gcve-bcp-05-drafting-best-practices-for-the-container-format-modified-cve-record-format/121/27
If you're requiring everybody at the company to do training so you can show your auditors that everybody did the training, then you're missing the point.
The point of training is to equip people to do the right thing. If the training doesn't accomplish that, then making sure all the boxes are checked is worthless.
What problem is the training trying to solve? Is the training necessary and sufficient to solve it? If you're not answering these questions, you're doing it wrong.
#infosec #compliance
The schedule for #BSIDESLDN2025 / #BSidesLondon is out: https://cfp.bsides.london/bsides-london-2025/schedule/
BSides Ume 2026 will take place on June 16-17th!
Event page: https://indico.neic.no/event/287/
Call For Papers and Call For Sponsors open. All details on the event page!
This dumb password rule is from Lloyds Bank.
Max 15 characters, min 8. You cannot use **ANY** special characters -
alpha-numerics only. This amazingly terrible password policy combines
with a known phrase (The "Memorable Information") of which you will be
asked for a random 3 characters if you get your password right.
This phrase has sim...
https://dumbpasswordrules.com/sites/lloyds-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Post-heist reports reveal the password for the Louvre's video surveillance was 'Louvre,' and suddenly the dumpster-tier opsec of videogame NPCs seems a lot less absurd
Someone asked me to hand-translate a publicly posted Chinese technical report about NSA shenanigans on the Chinese Center for Time-Keeping network. It took me a while, because it turns out translating technical corporatese from your third language is very hard when chronically sleep deprived, but it is done.
https://docs.google.com/document/d/1gk1fDLKrN3m5jOSk7QbpGL1SBcLvrm0FTN3H-5ZJZcY/edit?usp=sharing
Quick question to the blue teamers out there:
What's your take on MITRE ATT&CK Tactics and Techniques? Do you find them useful? If yes, how and in what capacity do you use them? (To the extent that you can and want to share...)
If you could have tactics and techniques extracted from publicly available reports/articles, would that be useful? If yes, why?
(And imagine extracted not just by direct technique referencing, but also indirectly extracted through textual descriptions.)
A manufacturer remotely shuts down a connected vacuum cleaner after its owner disabled the data-collection feature,
The engineer reactivated it using custom Python scripts
Surprising, isn't it?
Or not...
And this, kids, is why we never ever set up easy-to-guess passwords. Even in testing, even temporarily. Just pwgen it, every time.
> accessing the museum's video surveillance server required typing the all-too-obvious word: LOUVRE
Which #OpenSource #decentralized, group #chat which supports E2E (end-to-end) #encryption is best? #infosec
#fediverse #Matrix #XMPP #Deltachat #privacy #security #OMEMO
| Option | Votes |
| --- | --- |
| Matrix | 5 |
| XMPP (OMEMO) | 12 |
| DeltaChat | 50 |
| Other (please specify) | 0 |
I got this banner at the #BlueShieldOfCA website this evening.
The website is asking me to consent to share my "navigation and use activity" with third-party service providers without telling me who they are or exactly what data are shared with them.
These details also don't seem to be available in the website's privacy policy.
This is a shitty, useless consent banner which purports to be there to protect my privacy when in fact it's doing no such thing.
#privacy #infosec #CCPA
The #infosec professionals who tell us that humans are the weakest link in infosec are, themselves, human, so they are the weakest link in infosec and should therefore not be trusted to tell us about the weakest link in infosec.
Crisis averted. She saw ‘Mobil’ (the gas station) on her credit card statement and panicked because she had just set up an X account, after being constantly badgered into it by her Google searches. 🙃
Several months ago, I found a #vulnerability from #MantisBT - Authentication bypass for some passwords due to PHP type juggling (CVE-2025-47776).
Any account that has a password that results in a hash that matches ^0+[Ee][0-9]+$ can be logged in with a password that matches that regex as well. For example, password comito5 can be used to log in to the affected accounts and thus gain unauthorised access.
The root cause of this bug is the incorrect use of == to match the password hash:
```php
if( auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) == $t_password )
```
The fix is to use === for the comparison.
This vulnerability has existed in MantisBT ever since hashed password support was added (read: decades). MantisBT 2.27.2 and later include a fix to this vulnerability. https://mantisbt.org/download.php
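An added illustration of the comparison bug described above (example code, not MantisBT's own; the two hash strings are constructed, not real MD5 digests): both match the `^0+[Ee][0-9]+$` shape, so PHP's loose `==` treats them as the number 0.0 and reports them equal, while `===` and `hash_equals()` compare the actual strings.

```php
<?php
// Added example, not MantisBT code. Shows why comparing password hashes
// with PHP's loose == is unsafe, and the strict forms that fix it.

// Constructed sample values (not real digests). Both are "numeric strings"
// in scientific notation: zero times ten to some power, i.e. 0.0.
$storedHash    = '0e1234567890123456789012345678';
$candidateHash = '0e9876543210987654321098765432';

// The vulnerable pattern: loose comparison applies type juggling, so two
// different strings that both parse as 0.0 are considered equal.
function hash_matches_loose(string $computed, string $stored): bool {
    return $computed == $stored;
}

// The fix from the post: strict comparison requires identical type and value.
function hash_matches_strict(string $computed, string $stored): bool {
    return $computed === $stored;
}

// Preferred form for secrets: strict and timing-safe (PHP >= 5.6).
function hash_matches_constant_time(string $stored, string $computed): bool {
    return hash_equals($stored, $computed);
}

// Side-by-side result for the constructed pair: only the loose form
// reports a match between two different hash strings.
var_dump(hash_matches_loose($candidateHash, $storedHash));
var_dump(hash_matches_strict($candidateHash, $storedHash));
var_dump(hash_matches_constant_time($storedHash, $candidateHash));
// Sanity check: an identical hash still matches under the strict forms.
var_dump(hash_matches_strict($storedHash, $storedHash));
var_dump(hash_matches_constant_time($storedHash, $storedHash));
```

When auditing a codebase for this class of bug, grep for `==` (and `!=`) applied to hash, token or HMAC values and replace each with `===` or `hash_equals()`.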
⚠️ Please update your site
We frequently observe numerous sites across the Fediverse running very outdated versions of Mastodon or Misskey. Some sites are even using versions over a year old.
Software updates include not only new features but also critical security fixes. To keep your site secure and stable, ensure you always use the latest version.
#Mastodon #Misskey #Fediverse #ActivityPub #PixelFed #PeerTube #Loops #InfoSec #Security #InfoSecurity
https://cybersecuritynews.com/phantomraven-attack-involves-126-malicious-npm-packages/
#NodeJS and especially the library repository #NPM is really becoming the PHP security problem of 2025.
Another breach of libraries hosted on npm, this time 126 malicious npm packages that have collectively accumulated over 86000 downloads are affected
Editing a draft of an internal #infosec policy spreadsheet. (I hate security-by-spreadsheet!)
I am seriously on a campaign to stomp out the use of the word comprehensive. It virtually never adds anything. It's rarely true. We routinely forgo being "comprehensive" in order to be "efficient."
Like emdashes and 3-item bulleted lists, it's also a favourite output of LLMs.
I just published a blog post summing up my most pertinent thoughts about dealing with badly-behaved web-scraping bots:
https://cryptography.dog/blog/AI-scrapers-request-commented-scripts/
It isn't exactly a Hallowe'en-themed article, but today is the 31st and the topic is concerned with pranking people who come knocking on my website's ports, so it's somewhat appropriate.
#infosec #bots #halloween #scrapers #AI #someMoreHashtagsHere
Looks like somebody broke into #atari's #Sendgrid account and used it to send a bunch of phishing emails.
No explanation given for how; perhaps @zackwhittaker can wheedle it out of them.
Since it says here that they've "secured" the account, my guess is a bad password (or infostealer) + no #2FA. The most obvious explanation is usually the correct one.
Though I suppose a cracked Lastpass vault is also a possibility.
#infosec #breach
ISO Tier 2 or 3 Technical Support Engineer
👉 Who doesn't love heading into the weekend in anticipation of submitting your resume?!
See if this opportunity to work with a great team (i.e., us 😉) is the right fit for you!
Please note preferred time zone coverage: UTC+3 to UTC-5
Please share!
NEW, from DomainTools Investigations, today: Inside the Great Firewall Part 1: The Dump
I cannot tell you how excited I am to see this piece go live. Our researchers knocked it out of the park - and this is just part one.
https://dti.domaintools.com/inside-the-great-firewall-part-1-the-dump/
New "Brash" Exploit Crashes #Chromium Browsers Instantly with a Single Malicious URL
https://thehackernews.com/2025/10/new-brash-exploit-crashes-chromium.html
RedTiger, a new infostealer on #Discord
https://www.undernews.fr/malwares-virus-antivirus/redtiger-un-nouvel-infostealer-sur-discord.html
#InfoSec
#PhantomRaven Malware Found in 126 npm Packages Stealing #GitHub Tokens From Devs
https://thehackernews.com/2025/10/phantomraven-malware-found-in-126-npm.html
#InfoSec
The government has sent a proposed timetable to parliament. Examination of NIS 2 (on the cybersecurity topic) is scheduled for January 2026.
(yes, it's an accelerated procedure, for a text that was supposed to be adopted in Oct 2024 ;) )
Yesterday I deployed a change on www.bbc.co.uk/.com, account.bbc.com, our main media mediation service etc. which soft-disabled TLS 1.0 & 1.1.
Requests over TLS 1.0/1.1 on ^ result in an error page (inc link to a feedback form).
So far I've uncovered a load of internet junk inc. a fleet of old TVs in Asia which poll our weather pages for their local forecast but nothing's been reported broken yet.
Really wish the web had a deprecation strategy. This is a lot of work.
All is well!
The United States is now the world leader in investment in surveillance software,
While European public funds flow into the spyware industry
Please for the love of fuck, do not under any circumstances give a surveillance app access to your address book/contacts. You are snitching out all of our personal information that we trusted you with.
Why am I reminded of this once again? Because I went on FB for one of the few groups that's only there and noticed the People You May Know had a suggestion for someone I went on two dates with a couple years ago. There is no other way they could've made that connection unless she granted access to their app.
I think from now on, I'm only going to give date matches my Signal username. If they don't or won't use Signal, we're probably not a match anyway. Or maybe I'll just get an anonymous virtual SIM for things like that.
[Source] The Day My Smart Vacuum Turned Against Me
https://codetiger.github.io/blog/the-day-my-smart-vacuum-turned-against-me/
I would like to believe that if the US federal government weren't completely fucked up right now then OpenAI and the other AI parasites with a nexus in the US would have been criminally charged by now with violating the #CFAA by actively circumventing the crawling protections added recently to websites specifically to block them.
Alas, the government is too busy engaging in vindictive prosecution of #Trump's enemies who aren't actively bribing him.
#infosec #AI
Ref: https://darmstadt.social/@claudius/115436859378534835
What kind of person emails someone to say "I can put your static site in an IFRAME", declare it a security vulnerability, and when told "it's a personal website..." demand a bug bounty and a mention on the front page?
Edit - even better, the "description of vulnerability" is a bunch of stuff copy-pasted from the OWASP TOP10.
Why websites shouldn't indiscriminately block VPN users
I convinced a state senator that government websites indiscriminately blocking VPN users is bad. Here's the case I made, which you can use yourself to keep fighting the good fight.
https://blog.kamens.us/2025/10/25/why-websites-shouldnt-indiscriminately-block-vpn-users/
#VPN #infosec #UserExperience #UX #MassachusettsRMV #WillBrownsberger
well, I'm on vacation so it's exactly the right moment to bring up a work topic! (don't try to understand, the logic is unassailable).
at $dayjob, we're thinking about maybe looking into getting ISO 27001 certified (but we're a bit scared of the standard).
so this is a request for comment (yes, an RFC) on the ISO 27001 standard,
Microsoft releases emergency patches for actively exploited critical WSUS Deserialization flaw
Microsoft released emergency patches for CVE-2025-59287, a critical remote code execution vulnerability in Windows Server Update Services that has been actively exploited in the wild since October 24, 2025. The flaw was originally patched in the October 2025 update, but the original patch proved insufficient. The flaw is potentially wormable across enterprise networks and affects all Windows Server versions with the WSUS Server Role enabled.
**If you have Windows servers with WSUS enabled, prioritize patching with Microsoft's October 23, 2025 out-of-band security update for CVE-2025-59287 and reboot - this vulnerability is actively exploited in the wild. Even if you already installed October's regular patches, you must apply this emergency update since the initial fix was incomplete.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/microsoft-releases-emergency-patches-for-actively-exploited-critical-wsus-deserialization-flaw-6-z-d-p-u/gD2P6Ple2L
Who could have predicted?
"A privacy nightmare": #ChatGPT #Atlas is accused of collecting sensitive data
https://www.01net.com/actualites/cauchemar-vie-privee-chatgpt-atlas-collecter-donnees-privees.html
SpaceX disables 2,500 Starlink terminals allegedly used by Asian scam centers
https://arstechnica.com/tech-policy/2025/10/starlink-blocks-2500-dishes-allegedly-used-by-myanmars-notorious-scam-centers/
#InfoSec
Xubuntu's official website hacked to distribute Windows malware
https://www.generation-nt.com/actualites/xubuntu-piratage-malware-windows-cryptomonnaie-2064616
#InfoSec #gnu #Linux
@GossiTheDog @campuscodi critics question why the basic flaws being exploited — buffer overflows, command injections, SQL injections — remain prevalent in mission-critical codebases maintained by companies whose core business is cybersecurity.
#infosec #firewall #f5 Citrix NetScaler, Ivanti, Fortinet, Palo Alto Networks, Cisco, SonicWall, and Juniper.
131 Chrome Extensions Caught Hijacking WhatsApp Web for Massive Spam Campaign
https://thehackernews.com/2025/10/131-chrome-extensions-caught-hijacking.html
#InfoSec #Hijack
Two major security flaws discovered in 7-Zip
https://next.ink/brief_article/deux-failles-importantes-de-securite-decouvertes-dans-7-zip/
#InfoSec
@debacle @yourautisticlife I also highly dislike how bloated, and slow, and node.js-tastic the #Signal Desktop client is. In the node.js ecosystem, supply-chain attacks are more so a risk. There was a recent serious dumpster fire in the npm/node.js ecosystem:
https://www.youtube.com/watch?v=QVqIx-Y8s-s
#node #OpenSource #infosec
Anyone else headed to #RIPE91? Quad9's @farrokhi will be out and about, including the @globalcyberalliance workshop: https://infosec.exchange/@globalcyberalliance/115390718486923052
The DOJ just seized $15B from a “pig butchering” 🐷 scam so large it reads like fiction. But the worst part isn’t the money — it’s that much of it ran on forced labor. People are trafficked into compounds, running fake romances to scam others online. What’s striking is the scale: well-educated professionals lost life savings to criminals who themselves were victims. It’s a grim feedback loop of exploitation, loneliness, and tech-enabled deceit.
⚠️ $15B seized from crypto scam
💔 Forced labor behind the fraud
🔐 Victims on both sides of the screen
🌍 FBI: “Human suffering” at global scale
https://arstechnica.com/tech-policy/2025/10/feds-seize-15-billion-from-alleged-forced-labor-scam-built-on-human-suffering/
#Cybercrime #HumanTrafficking #OnlineSafety #Fraud #security #privacy #cloud #infosec #cybersecurity #RomanceScam #PigButchering
🛡️ Tor Browser 15.0 will remove all AI features from Firefox, citing privacy & auditability risks. ❌🤖
⚠️ This follows Firefox’s integration of Perplexity AI—an LLM-powered assistant—into the address bar.
🔐 Tor says such tools conflict with its mission of anonymity and surveillance resistance.
🔗 https://cyberinsider.com/tor-browser-rejects-ai-over-privacy-concerns-in-upcoming-15-0-release/
#Tor #Privacy #AI #TechNews #Firefox #Perplexity #Surveillance #Anonymity #OpenSource #CyberSecurity #Browser #FOSS #Infosec #Encryption #DigitalRights
ipgrep is a #linux CLI tool that doesn't search by regex, but by IP-CIDR:
https://github.com/ossobv/ipgrep
It can come in handy when you're debugging route tables, firewalls, extracting IPs or networks from text files...
Example:
```
$ ipgrep -m within 127.0.1.0/24 /etc/hosts
127.0.1.1 wortel.kiwi wortel
```
Written in #rust #rustlang . My #infosec #cybersecurity peers might appreciate it.
***infosec specialists are needed in the resistance***
The world needs tech security specialists to run workshops at public libraries for all ages & abilities to remove spyware, AI, reduce surveillance, understand the issues, & for more advanced, move to Linux, degooglefy, etc.
(Some) Libraries will pay for these workshops. There may be grants too.
If you have these skills, please consider offering them.
#libraries #library #tech #infosec #privacy #security #activism #antifa #resistance
DomainTools Investigations published research on NPM developer-targeted phishing today, highlighting a multi-stage attack intended to compromise supply chain developers. Very worth taking a look.
#infosec #cybersecurity #threatintel
https://dti.domaintools.com/securitysnack-repo-the-repo-npm-phishing/
Network monitoring: comparing #Nmap scans with the #ndiff tool
https://www.it-connect.fr/ndiff-comparer-des-scans-nmap/
#InfoSec
F5 hacked (and not just a little) by a nation-state: updates to install urgently!
https://next.ink/204777/f5-piratee-et-pas-quun-peu-par-un-etat-nation-des-mises-a-jour-a-installer-durgence/
#InfoSec
I knew that HTTPS Everywhere was basically obsolete due to browsers adopting that setting natively.
What I didn’t know was that the original domain that shipped HTTPS Everywhere rulesets, had been:
• abandoned by the maintainers,
• since obtained by someone else
• made to redirect to a known malware site
https://lists.debian.org/debian-lts-announce/2025/10/msg00011.html
Pixnapping: a new class of attacks that allows a malicious Android app to stealthily leak information displayed by other Android apps or arbitrary websites. Successful demos on Google and Samsung phones #Infosec #Hacking #Android https://www.pixnapping.com/
Secure Boot bypass flaw affects 200K+ Linux Framework laptops ⚠️🐧
Signed UEFI shell lets attackers disable signature checks via mm command 🛠️
🔓 Bootkits like BlackLotus can persist & evade OS controls
🛑 Impacts Framework 13/16 (Intel & AMD)
🛠️ Fixes rolling out—update firmware ASAP
🧰 Workaround: delete DB key in BIOS
#TechNews #Linux #Firmware #Security #Framework #UEFI #Cybersecurity #SecureBoot #OpenSource #Privacy #Vulnerability #Hacking #InfoSec
Why am I not surprised? If you missed this:
"Researchers found a stunning variety of data—including thousands of T-Mobile users’ calls and texts and even US military communications—sent by satellites unencrypted."
Wired: Satellites Are Leaking the World’s Secrets: Calls, Texts, Military and Corporate Data https://www.wired.com/story/satellites-are-leaking-the-worlds-secrets-calls-texts-military-and-corporate-data/ @WIRED @agreenberg @mattburgess #cybersecurity #Infosec #privacy
#TLDR: Quad9 will be discontinuing support within DNS-over-HTTPS (DOH) using HTTP/1.1 on December 15, 2025.
Mark your calendar 🗓️ and please share, especially if you know someone who will be affected!
Full story here 👉 https://quad9.net/news/blog/doh-http-1-1-retirement/
2 years after its discovery, the cyber-espionage campaign using infected USB keys (potentially handed out at trade shows) run by the Chinese hacker group Mustang Panda continues to haunt the maritime industry #Infosec #Malwares https://www.clubic.com/actualite-582661-les-goodies-gratuits-deguises-en-cles-usb-sont-bien-devenus-le-cauchemar-du-monde-maritime.html
Most of you reading this probably won't be surprised by this, but it's worth spreading the word (along with recommendations to mitigate risks) ....
🗨️ "Law enforcement officials may have deployed a secretive cellphone surveillance technology last weekend at Portland’s Immigration and Customs Enforcement (ICE) facility."
#Portland #PDX #PortlandOR #PortlandOregon #Oregon #ICE #privacy #infosec #Stringray
"The Austrian data protection authority (DSB) has ruled in a decision that Microsoft 365 Education illegally tracks pupils and also uses pupils' data for its own purposes." The complaint had been filed by noyb after a school was unable to answer a data access request. How could it? The school has no control over the data that MS stores.
Just use LibreOffice.
And what about Germany? The coming months will certainly be interesting, since the DSB's arguments are likely to hold in Germany too. Incidentally: if a digital product is not provided as an official solution by the authority or the ministry of education (KM), the schools, here the school principals, bear full responsibility for all data protection questions. Are all principals really aware of this?
https://noyb.eu/de/noyb-win-microsoft-365-education-tracks-school-children
GitHub continues war against own users.
Next: Remove support for standard 2FA/TOTP protocol, and introduce weekly expiry for <s>passwords</s> API tokens.
https://github.com/orgs/community/discussions/174505
https://github.com/orgs/community/discussions/174506
Context:
https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/
Nuts.
"Nearly one in five high schoolers in the US — 19 percent — say that they or a friend have used AI to have a romantic relationship,"
"Over a third of the teenagers said it was easier to talk to AI than to their parents. Those parents, by contrast, feel left in the dark: two thirds of them said that they have no idea how their kids are using AI."
Futurism: Research: An Astonishing Proportion of High Schoolers Have Had a “Romantic Relationship” With an AI https://futurism.com/artificial-intelligence/high-schoolers-romantic-relationship-with-ai @Futurism
Center for Democracy and Technology survey, from October 8: Hand in Hand: Schools’ Embrace of AI Connected to Increased Risks to Students https://cdt.org/insights/hand-in-hand-schools-embrace-of-ai-connected-to-increased-risks-to-students/ #AI #cybersecurity #infosec
I don't know if this is explicitly a problem per se, but it is wild how useless the #cybersecurity, #infosec, and #threatintel hashtags have become. All I see is the most insipid LinkedIn-level clickbait. It's a shame that one of our best discovery methods in Fedi has been coopted by engagement farmers.
Understanding the Efficacy of Phishing Training in Practice
"Combined with the bulk of empirical evidence from other studies involving real-world, controlled experiments, our results suggest that organizations should not expect large anti-phishing benefits from either annual security awareness training or embedded phishing as commonly deployed today."
In addition, the overall cost on third-party organisations doing incident response should not exclude the impact of false-positive reports, pre-notifications of phishing campaigns, or even worse, attackers abusing such awareness campaigns.
🔗 https://people.cs.uchicago.edu/~grantho/papers/oakland2025_phishing-training.pdf
RE: https://infosec.exchange/@UYBHYS/115342659808677542
Glad to present at #UYBHYS with @cedric our work on GCVE and Vulnerability Lookup, facilitating vulnerability management and publishing through a fully open-source stack.
🔗 Online version https://vulnerability.circl.lu/
🔗 github.com/vulnerability-lookup
🔗 https://gcve.eu/
#vulnerability #vulnerabilitymanagement #cybersecurity #infosec #cve #gcve
In the hope that this might reach someone who might some day be in a position to decide whether to allow #VPN traffic to their app…
Please understand that this does not just impact your app.
Most devices run background apps that use the network frequently, including privacy-critical apps like Signal.
When you make someone turn off their VPN to use your app, the background traffic for all those _other_ apps also stops using the VPN.
Don't be an #infosec asshole. Stop blocking VPN traffic.
When you log into #Bluesky, it emails a security code you need to enter.
Here's a recent code I was sent: FPTQS-MPJJG
This is dumb.
6-digit codes are the gold standard for two critical reasons: (1) the range of a million possible codes is more than enough for adequate security; (2) most people can briefly memorize a 6-digit code almost instantaneously for long enough to enter it into another app.
10-letter codes are harder to use and add no appreciable security.
#infosec #UX
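Added example, not Bluesky's code and not part of the post above: what "more than enough for adequate security" rests on is the attempt cap and expiry on the server side, not the length of the code. The in-memory store, the ten-minute TTL and the five-attempt limit are assumptions for the demo; the last function shows that once attempts are capped, the attacker's odds are negligible for a 6-digit code and are not meaningfully improved by a 10-letter one.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 600   # assumption: a code is only good for ten minutes
MAX_ATTEMPTS = 5         # assumption: wrong guesses before the code is invalidated


class LoginCodeStore:
    """Issue and verify e-mailed login codes (in-memory demo, single process)."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock, so expiry is testable
        self._pending = {}     # user -> [code, expires_at, attempts_left]

    def issue(self, user):
        # CSPRNG-backed uniform value, zero-padded so "000123" is as likely as
        # any other code.  A fresh code replaces any earlier one for the user.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = [code, self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code            # a real system e-mails this instead of returning it

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[user]
            return False
        # constant-time compare: a plain == leaks matching prefixes via timing
        if hmac.compare_digest(code, submitted.strip()):
            del self._pending[user]   # single use
            return True
        entry[2] -= 1                 # burn one attempt per wrong guess
        if entry[2] == 0:
            del self._pending[user]   # code is dead after MAX_ATTEMPTS misses
        return False


def guess_success_probability(code_space, attempts=MAX_ATTEMPTS):
    """Chance that an attacker with no other information guesses a uniformly
    random code within the allowed attempts (each guess rules out one value)."""
    return attempts / code_space
```

With the cap in place, guess_success_probability(10 ** 6) is 5e-06 per issued code and guess_success_probability(26 ** 10) is around 3.5e-14: both are dwarfed by the risk of the mailbox itself being compromised, which the code length does nothing about.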
Electronics giant Avnet reports data breach affecting EMEA operations
Electronics distributor Avnet confirmed a data breach involving externally hosted cloud storage, where threat actors stole approximately 1.3TB of compressed data (7-12TB raw) containing PII and operational details. The company claims the data isn't easily readable without proprietary tools, but that's contradicted by threat actors publishing plaintext samples on dark web leak sites.
#cybersecurity #infosec #incident #databreach
https://beyondmachines.net/event_details/electronics-giant-avnet-reports-data-breach-affecting-emea-operations-i-v-y-j-f/gD2P6Ple2L
US immigration authorities are considering creating a social-media surveillance team,
an initiative similar to the mass-surveillance project known as ChatControl in the EU
https://securite.developpez.com/actu/376483/Les-autorites-des-USA-en-charge-de-l-immigration-envisagent-de-creer-une-equipe-de-surveillance-des-reseaux-sociaux-une-initiative-similaire-au-projet-de-surveillance-de-masse-denomme-ChatControl-en-UE/
#InfoSec #InfoTech
🆕 openSUSE Leap 16 is out, featuring major upgrades:
– Built on SUSE Linux Enterprise 16 for seamless migration & enterprise-level QA 🔧
– 24 months free support, with updates planned till 2032 🛡️
– New web-based Agama installer supports remote setups 🌐
– SELinux now default for stronger security 🔒
– Wayland-first, 64-bit only, Y2038-ready 💻
🔗 https://news.itsfoss.com/opensuse-leap-16-release/
#TechNews #Linux #OpenSUSE #FOSS #OpenSource #CyberSecurity #Wayland #SELinux #InfoSec #SysAdmin #DevOps #Privacy #Cloud #Software
#Discord acknowledges a leak of personal data and internal documents
https://next.ink/203013/discord-reconnait-une-fuite-de-donnees-personnelles-et-de-documents-internes/
#InfoSec
Broadcom has stopped delivering automated updates to #VMware Fusion and Workstation. All updates have to be downloaded and installed manually from the Broadcom Support Portal (as a side note: This portal is one of the worst corporate "support" websites I've seen in the last decade).
This is terrible. It will lead to tens of thousands of VMware installations remaining vulnerable to trivially exploitable flaws, for example, local privilege escalation via CVE-2025-41244 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149
BTW, please note that to fix CVE-2025-41244 you must now manually download the correct VMware Tools package from the support portal, unpack the zip, mount the ISO image, and then execute the setup.exe from the mounted ISO image. There are currently no VMware releases that include the fixed VMware Tools, so if you create any new VMs you MUST install the update manually in each new VM. Did I already mention this is terrible?
We're seeing requests to www.bbc.com return to normal-looking levels from Afghanistan - since about midday UTC today (1st Oct 2025).
I find it mind-boggling that any sales rep at any company would think that an unsolicited #LinkedIn connection request like this would accomplish anything other than to seem creepy and repel the recipient.
I mean, I reject connection requests from sales reps in general, but "I tried to call but was unable to reach you"? Seriously? This is just gross.
I don't want your calls. I don't want to connect with you on LinkedIn. Just leave me the fuck alone.
#infosec #ThreatSpike
Pleasantly surprised to find out that our commercial web CDN partner for www.bbc.com & www.bbc.co.uk has enabled Post-Quantum Crypto.
So if you're using a modern web browser (Chromium & Firefox both support it) & are outside the UK, you'll automatically be using a quantum computer-resistant TLS key exchange mechanism (ML-KEM AKA Kyber) and (as far as we know) your traffic cannot be intercepted, stored & latterly decrypted when viable quantum computers come along.
« Recently, security researcher Dirk-Jan Mollema disclosed CVE-2025-55241, a vulnerability so catastrophic that it reads like fiction: a single token, obtained from any test tenant, could have granted complete administrative control over every Microsoft Entra ID (Azure AD) tenant in the world. Every. Single. One. »
› https://tide.org/blog/god-mode-vulnerability-microsoft-authorityless-security
EvilAI Malware Masquerades as AI Tools to Infiltrate Global Organizations
https://thehackernews.com/2025/09/evilai-malware-masquerades-as-ai-tools.html
#InfoSec
Should I call myself a dev if I've only been writing in interpreted languages for 40+ years, i. e. "scripting"? I haven't compiled code since college in the 90s, but I've written so much BASIC, Pascal, Perl, SQL, and PowerShell before moving into stuff like Alteryx and other janky "No Code" solutions where you still end up writing Python or JavaScript if you want to be efficient. Not to mention one off solutions in things like AutoHotKey, BAT files, REXX, bash, and freakin' KiXtart.
I think in loops, subroutines, and if ... then ... else statements. I'm teaching myself jq and JSONPath because automation with REST APIs is easier when you know it.
I have never had a job where I am called a "developer". I've never had a job where writing code was an official part of my duties.
But every IT job I've ever had is made easier—made better—when I am allowed to use and build solutions using coding techniques and interpreters.
And I did it without genAI, just Google, O'Reilly books, and patient coworkers.
The witch’s robes flapped in the gale as she knelt on the beach. Waves crashed and she squinted as the sea spray lashed her face.
She withdrew a small syringe from the water as the magic started to work. As she stood, the wind calmed to a gentle breeze. The ocean settled until it was smooth as glass.
“This spell,” she said, knocking sand off her knees, “I call ‘sea quell injection’”
This dumb password rule is from BCV.
Username is randomly generated, example: 'H2487414'. The password must have **6** digits only.
Password can only be changed from the mobile application:
https://dumbpasswordrules.com/sites/bcv/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Another credit reporting agency breach, another terrible breach notification letter
TransUnion is bad at security and bad at handling security breaches and none of this is going to get better until we have a real federal data privacy law with meaningful penalties for companies which leak people's data.
#TransUnion #Cyberscout #infosec #privacy #dataBreach #TechIsShitDispatch
https://blog.kamens.us/2025/09/25/another-credit-reporting-agency-breach-another-terrible-breach-notification-letter/
I wrote an article about what I wish juniors in cybersecurity would ask for and contribute when asking for a mentor and career guidance, in light of the terrible tech jobs market.
https://tisiphone.net/2025/09/24/reasonable-expectations-for-cybersecurity-mentees/
#Cybersecurity #Infosec #MentoringMonday #Mentoring #CybersecurityCareers
Hey y’all, another status update on @catbailey ’s situation. Apologies for any mistakes but I’m working from phone and memory, so if I get anything wrong I’ll correct the post.
Storage units containing her kid's inheritance are going up for auction in a matter of days, if not a day. Moving anything out of them would require becoming current on payments ($1350), having help, and either her car or the use of one. Becoming current here is her highest priority.
Her car was repossessed early last week or late the week before after the bank with the loan took 9 days to draft their ACH against her account, allowing some other charges to hit first and dip her into insufficient funds. She can still reinstate the payment plan by becoming current before it sells in ~early November, to the tune of $2200.
Her internet faces cutoff immediately, $100, and phone is due soon, $120.
And, y’know, there’s the whole feeding her kids, her cats, and herself bit, in that order if I know her, plus the other essentials like cat litter, toilet paper, and so on. Adding it all up I’m bumping the goal again, because nothing ever gets cheaper.
$110/4500 raised
Best to use Venmo/PayPal/CashApp, but GoFundMe is appreciated too and good for higher latency needs.
GoFundMe: https://www.gofundme.com/f/aid-for-cat-and-her-kids-in-crisis?lang=en_US
PayPal: https://paypal.me/catalystediting
Venmo: @BlackCatHackers
CashApp: $BlackCatOps
So the Secret Service just rolled up a massive SIM farm in NYC, and it looks like a nation-state operation. We're not talking about some small time fraud, but an infrastructure play with 100,000 SIM cards, apparently capable of taking down the city's cellular grid. This feels less like simple espionage and more like preparation for some kind of offensive cyber or information warfare campaign. The fact that it was discovered during an investigation into threats against officials makes you wonder what the primary mission really was.
TL;DR
⚠️ A massive SIM farm with 100,000 cards was seized in New York City.
🕵️ The operation is believed to be the work of a nation-state actor.
💥 The setup was powerful enough to potentially disable cell towers and launch denial of service attacks.
🤔 The ultimate goal is still unclear, but it points toward offensive capabilities, not just simple fraud.
https://arstechnica.com/security/2025/09/us-uncovers-100000-sim-cards-that-could-have-shut-down-nyc-cell-network/
#CyberSecurity #ThreatIntel #NationalSecurity #Infrastructure #security #privacy #cloud #infosec
#infosec nerds, what would be genuine good reasons to use #IPSec over something simpler like #Wireguard?
Europe’s cookie law messed up the internet. Brussels wants to fix it.
https://www.politico.eu/article/europe-cookie-law-messed-up-the-internet-brussels-sets-out-to-fix-it/
#InfoSec
When a single weak password is enough to break Active Directory: from RC4 to poorly protected service accounts, how a major hospital group was plunged into chaos
https://securite.developpez.com/actu/376029/Quand-un-simple-mot-de-passe-faible-suffit-a-briser-Active-Directory-de-RC4-aux-comptes-de-service-mal-proteges-comment-un-grand-groupe-hospitalier-a-ete-plonge-dans-le-chaos/
#InfoSec
the other day I was trying to look up the common name for a bad UX pattern which leaks information about whether a platform has an account registered with a particular email address, so I searched something like "OWASP registered account information leak"...
I did not find what I was looking for because all the search results were instead about how OWASP (The Open Worldwide Application Security Project) accidentally leaked a bunch of people's resumes due to a misconfiguration:
https://owasp.org/blog/2024/03/29/OWASP-data-breach-notification
I somehow didn't hear anything about this when it happened in 2024, but now that I have I am very amused.
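Added example, not from the post above and not OWASP's code: the pattern being searched for is usually called account (or username/e-mail) enumeration. The user table, salt and password below are constructed for the demo; the "leaky" handlers return different errors and skip the slow hash when the account does not exist, while the "uniform" ones return the same response and do the same amount of work on every failure path.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 50_000   # deliberately slow: the cost is the point


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed demo user table: e-mail -> (salt, password hash). Not real accounts.
_SALT = b"constructed-demo-salt-not-for-use"
USERS = {"alice@example.com": (_SALT, hash_password("correct horse", _SALT))}

# Dummy record so the unknown-account path does the same work as a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-password", _DUMMY_SALT)


def login_leaky(email, password, users=USERS):
    """Enumerable: distinct errors, and an early return that skips the slow
    hash when the account does not exist (observable by timing even if the
    two messages were identical)."""
    record = users.get(email)
    if record is None:
        return "unknown account"
    salt, stored = record
    if hmac.compare_digest(hash_password(password, salt), stored):
        return "ok"
    return "wrong password"


def login_uniform(email, password, users=USERS):
    """Same message and same amount of work whether or not the account exists."""
    salt, stored = users.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    computed = hash_password(password, salt)   # always hashed, even for unknowns
    if email in users and hmac.compare_digest(computed, stored):
        return "ok"
    return "invalid credentials"


def password_reset_leaky(email, users=USERS, outbox=None):
    """Enumerable: the HTTP response says whether a mail was sent."""
    outbox = [] if outbox is None else outbox
    if email not in users:
        return 404, "No account with that e-mail address"
    outbox.append(email)
    return 200, "Reset link sent"


def password_reset_uniform(email, users=USERS, outbox=None):
    """The response is identical either way; only the mailbox owner learns
    whether the address is registered."""
    outbox = [] if outbox is None else outbox
    if email in users:
        outbox.append(email)
    return 200, "If an account exists for that address, a reset link has been sent"
```

The same rule applies to registration ("that e-mail is already taken" is the classic leak): either accept the request and tell the existing owner by e-mail, or rate-limit hard enough that bulk probing is impractical.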
This dumb password rule is from Ameli.fr (French national health insurance).
It was very painful to find a password that works with this one and that I can actually remember (I ended up using my bank-account number because everything else failed). It took me maybe one hour and I thought I would go crazy (and yes, the session expires frequently while you are actually...
https://dumbpasswordrules.com/sites/ameli-fr-french-national-health-insurance/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
As #Android developer verification gets ready to go, here's a new reason to be worried
https://www.androidauthority.com/android-sideload-offline-3598988/
#InfoSec
Hey #bookstodon, what's your most exciting vintage computer book?
Anything computer-y goes: programming, video games, fiction, manuals, hacking, (sub)cultures, networking, etc.
Just went to check on the latest Google Chrome CVE and see if I need to update or mitigate.
I see that this PC doesn't even have Google Chrome installed. I remember electing not to install it when this OS was rebuilt a while ago.
Clearly, I've not needed WebUSB or anything else that only the Chromium engine supports, so far.
The best form of protection is not to install what isn't actually needed.
How many apps, modules, libraries or frameworks or other code are you installing, just in case it might be needed?
To be frank, I’ve become extremely frustrated since the acquisition because now the environment combines the worst aspects of a make-it-up-as-you-go small company with the worst aspects of a faceless corporate overlord. I love my coworkers, I don’t love the general approach to projects and customers.
I live in the Netherlands, I have a skilled worker visa as well as a Dutch marriage, I’m transitioning to citizenship in a year. I need a primarily WFH job but I can hybrid in Amsterdam. I have broad general infosec skills, with the most experience in C source code review but I am familiar with reverse engineering and interested in threat intel. I can provide unlimited access to Mastodon’s most popular dog for morale. #infosec #FediHire #jobs #jobsearch
Working on another sticker for #37c3 - found this image a while ago, but only as a lowres jpg, so I re-did it as a vector graphic.
#infosec #devops #sticker
We do not test on animals, we test in production.
EDIT: Here's the SVG for all of you who asked https://blog.kohler.is/sticker-we-do-not-test-on-animals-we-test-in-production/
Why use a URL shortener when you can use a phishy URL extender?
Keep your security people alert and awake, generate phishing-looking redirecting links
At the request of a cybersecurity agency, Proton Mail suspended the accounts of journalists who were investigating suspected North Korean hackers
"Everything's fine", nothing here is upside down...
Or maybe it is!
Coders are being hired to fix the mistakes made by the AI that got them laid off;
"AI-generated code cleanup specialist" is the new trendy job title on résumés
The web has a new system for making AI companies pay up
https://www.theverge.com/news/775072/rsl-standard-licensing-ai-publishing-reddit-yahoo-medium
#InfoSec
OS-level sandboxing provides kernel-enforced isolation that restricts processes, filesystems, and resources, ensuring applications run in contained and controlled environments
Here is a comparison of sandboxing support across different OS 😎👇 #infosec #linux #macos #freebsd #windows
Find a high-res pdf book with all my #cybersecurity related infographics from https://study-notes.org/cybersecurity-ebook.html
Need-to-know, from yesterday.
According to Crunchbase, the founder of FlexiSpy spyware is Atir Raihan, from Wilmington, Delaware https://www.crunchbase.com/organization/flexispy/profiles_and_contacts
From June: "FlexiSpy is an unfunded company based in Victoria (Seychelles), founded in 2005 by Atir Raihan. It operates as a Monitoring app for mobile phones and PCs. FlexiSPY has not raised any funding yet."
FlexiSpy company profile: https://tracxn.com/d/companies/flexispy/__RYUIoDOd66yFyuEa5E6PtDDSwHchxhFmQxp7dlvF6b8
iVerify had a post on FlexiSpy late last year:
FlexiSPY - The Spyware Tool Crossing the Line Between Security and Crime https://iverify.io/blog/flexispy-the-spyware-tool-crossing-the-line-between-security-and-crime @iverify
The Record: Researchers find spyware on phones belonging to Kenyan filmmakers https://therecord.media/researchers-spyware-kenya-filmmaker-phone
Atlantic Council: Mythical Beasts: Diving into the depths of the global spyware market https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/mythical-beasts-diving-into-the-depths-of-the-global-spyware-market/ @AtlanticCouncil
"The U.S. is the largest investor in the spyware market."
The Record: Report: US investors in spyware firms nearly tripled in 2024 https://therecord.media/us-investors-in-spyware-tripled-in-2024 #cybersecurity #spyware #infosec #Android #iOS
This morning I received a rather suspicious email from "root@overlinux.com" purporting to be about a tool for monitoring processes on Linux.
I am not convinced that's all the tool does.
I've written about my suspicions on my blog: https://blog.kamens.us/2025/09/10/suspicious-email-from-pulse-rootoverlinux-com-malicious-or-just-dumb/
If you're the kind of person who likes to dig into stuff like this, you may enjoy reverse-engineering the "spikemon" executable provided by the sender of the email to see if it's doing anything nefarious.
#infosec #phishing #spam #malware
Tomorrow we drop details on the DNSSEC signer we built.
Today, we're dropping the pretence.
Before we wrote a line of code, we asked 16 TLDs:
"What keeps you up at night?"
We expected shop talk.
We got meaningful discussions that taught us DNSSEC in 2025 isn’t just a tech issue.
It’s a control issue.
And the fear of losing it is real.
👉 Read the full report: https://blog.nlnetlabs.nl/dnssec-operations-in-2026-what-keeps-16-tlds-up-at-night/
Those “we’ve updated our privacy policy” notifications feel like a trap. And who has time to read every sentence in every one of them? And even if we do, most of us aren’t attorneys, making them nebulous anyway.
Thankfully, @Em0nM4stodon has your back with this guide on what to look for.
https://www.privacyguides.org/articles/2025/09/03/red-and-green-privacy-flags/
#Privacy #PrivacyPolicies #RedFlags #InfoSec #WatchingTheWatchers
Please help. @catbailey is facing immediate loss of her kid’s inheritance due to auction of a storage unit. $730/670 raised for this specific, immediate need. Please donate via CashApp $BlackCatOps, Venmo @BlackCatHackers, or PayPal @catalystediting, the timeline for payments from the GoFundMe is too long to make a difference.
Edit: Please, if you can’t give money, at least a boost? Maybe someone in your network can.
Edit2: Please share on Bluesky as well. I'm not there, but there may be folks willing to help who are. Her handle there is @blackcatswhitehats.com.
Edit3: I’ll update the number as we make progress! If you’ve boosted, please consider un/reboosting, chronological timelines are the best but not for this particular task 😅
Final edit: And a big jump overnight! Thank you all! Last thing I’ll leave with is a link to the GFM, because while we’ve stopped bad things from happening here, now, Cat still needs ongoing support until she lands on her feet. https://www.gofundme.com/f/aid-for-cat-and-her-kids-in-crisis
Final Edit 2: Cat has decided to move elsewhere in the Jerryverse, so updating reference to her profile.
Edit: See update 1 posted in the thread below
OP: Howdy y'all! New month, new ask for support for @catbailey Y'all were a big help in sharing and donating last month, but there's still some carry-over in needs she wasn't able to address last month. The big asks remain the same (gas bill, storage unit) but in addition her family is about out of groceries, and will need to visit her doctor and pay out-of-pocket to get one of her medications refilled. Additionally there's a car payment and insurance to get sorted, and the other day-to-day costs of living.
I'm resetting the progress for the new month and upping the overall goal based on what we know went unmet last month, but don't be discouraged. Please, if you can afford even $5, every bit helps get us a step closer, and if even that's too much, we'd appreciate you sharing with your network on the Fediverse and/or Bluesky where she's @blackcatswhitehats.org
$348.26/3000 raised
Best to use Venmo/PayPal/CashApp, but GoFundMe is appreciated too and good for higher latency needs.
GoFundMe: https://www.gofundme.com/f/aid-for-cat-and-her-kids-in-crisis?lang=en_US
PayPal: https://paypal.me/catalystediting
Venmo: @BlackCatHackers
CashApp: $BlackCatOps
Edit: Cat has decided to move elsewhere in the Jerryverse, so updating reference to her profile.
I'm glad #Signal is rolling out a secure backup service <https://signal.org/blog/introducing-secure-backups/>, and you should be throwing some money Signal's way on a regular basis regardless of whether you use their paid backup service.
However, if you use Android and Google Drive, you can backup Signal into the cloud daily for free with Tasker.
#infosec #privacy #backups #Tasker #Android
🧵1/4
My many friends in #infosec: get there.
https://www.eventbrite.com/e/empirical-security-now-with-dr-ariana-mirian-tickets-1670289674379
The #SSL certificate for the links redirect URL ( https://links.ssa.gov/ ) in emails from #SocialSecurity is expired.
Even if they are using a different link url now, they need to keep the old one secure. This is from an email not that long ago.
This particular email link redirects you to the Social Security my SSA login in page which then has buttons to take you to Login.gov or ID.me.
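Added example, not part of the post above: a small expiry check of the kind you would point at a redirect host like the one mentioned. The sample certificate dict is constructed (name and dates made up, in the shape ssl's getpeercert() returns) so the offline part runs anywhere; check_host() does a live handshake and, because the default context verifies the chain, an expired certificate surfaces as a verification error rather than as a dict.

```python
import socket
import ssl
import time

WARN_DAYS = 14   # assumption: warn when less than two weeks remain

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; the name
# and dates are made up for the demo, not the real links.ssa.gov certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "redirect.example.net"),),),
    "subjectAltName": (("DNS", "redirect.example.net"),),
    "notBefore": "Jun 15 00:00:00 2024 GMT",
    "notAfter": "Jun 15 00:00:00 2025 GMT",
}


def seconds_until_expiry(cert, now=None):
    """cert is a getpeercert() dict; notAfter is OpenSSL's GMT string form."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(cert["notAfter"]) - now


def classify(cert, now=None):
    remaining = seconds_until_expiry(cert, now)
    if remaining <= 0:
        return "expired"
    if remaining < WARN_DAYS * 86400:
        return "expiring-soon"
    return "ok"


def check_host(host, port=443, timeout=5.0):
    """Live check (needs network). The default context verifies hostname and
    chain, so an expired or mismatched cert is reported from the exception."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return f"verify-failed: {exc.verify_message}"
    except OSError as exc:
        return f"connect-failed: {exc}"


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, check_host(host))
```

Run it from cron against every hostname that still appears in mail you have sent, not just the ones currently in templates; the post's point is that old link hosts keep receiving clicks long after they stop being maintained.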
My presentation titled "Weird Code Injection Techniques on #FreeBSD Using #libhijack" has been accepted at #BSidesCOS!
#Oracle is rolling out mandatory #MFA for its portals. Great!
But rather than supporting even a single industry standard medium or strong MFA type, they're supporting only two deprecated types and Yet Another Proprietary MFA App. Not great! Really awful, actually!
God damn it, why do companies that absolutely know better keep pulling this shit.
Oracle proves, yet again, that they suck.
#infosec
Well, the dumb scammer saga continues. Yesterday the same people sent me a poor attempt at phishing, but forgot to update the default subject line from the free service they were using to help them create these fraudulent emails.
So today, they resent the email with the correct subject. I'm surprised the idiots didn't also update the email to apologize for hitting send too quickly.
@thomasfuchs it doesn't seem to dawn on anyone that enormous, sprawling attack surfaces are a bad thing, when you care about #infosec
Today's #TechIsShitDispatch is about telephone scammers and the shitty tech that enables them.
I have an elderly relative whom I help pretty extensively with managing his medical care and his everyday life. I currently have his home phone forwarding to mine while he's in rehab.
In the past 24 hours I have received no less than *** 17 *** scam/spam calls to that phone number. That's a typical, not at all unusual volume for these calls.
#telephony #infosec #CallerIDSpoofing #Vonage
🧵1/7
Over the past few days Cloudflare has been notified through our vulnerability disclosure program and the certificate transparency mailing list that unauthorized certificates were issued by Fina CA for 1.1.1.1, one of the IP addresses used by our public DNS resolver service.
https://blog.cloudflare.com/unauthorized-issuance-of-certificates-for-1-1-1-1/
This is a general reminder that you don't need Cloudflare or any central DNS provider.
Whoever sent me this phishing email wins my dumbest scammers of the week award. They forgot to update the default subject line before sending this email.
US border police can use #Paragon spyware
https://next.ink/198382/limmigration-des-etats-unis-peut-utiliser-les-logiciels-espion-de-paragon/
#InfoSec
@HalvarFlake, a (the?) respected hacker, shares razor-sharp reflections: cybersecurity tooling is still artisanal; the exploit market is exploding (few can deliver, demand is inelastic, and governments pay big); AI helps, but only in expert hands ("a sherpa"); drones aren't cheap planes, they're expensive bullets; and Western manufacturing lost its edge by abandoning scale for boutique precision. Efficiency ≠ resilience. Essential listening for the next-gen hackers. Learn from those who shaped the scene. #Infosec #Cybersecurity #AI #Exploits #Manufacturing #Hacking ▶️ a rare chance to step back and reflect (so take time to watch this interview IMHO) 👍
I’m excited to share my latest article, published in Forbes: Deepfakes And Social Engineering: A Growing Threat To Everyone.
This piece is personal to me because I’ve seen how quickly deepfake technology is moving from novelty to real-world attacks. It’s not just companies at risk—families are being targeted with AI-cloned voices and fake video calls.
In the article, I break down the real cases we’re seeing, why multifactor authentication (MFA) is essential, and what both organizations and individuals like you and me can do to protect ourselves.
In the piece, I cover:
🔍 Real-world scams driven by AI voice and video
🔐 Why multifactor authentication (MFA) is essential
📱 How both organizations and families can verify smarter
🧠 The mindset shift from trusting appearances to verifying identities
Deepfakes aren’t a future problem. They’re here. And the time to prepare is now.
https://www.forbes.com/councils/forbestechcouncil/2025/08/25/deepfakes-and-social-engineering-a-growing-threat-to-everyone/
#Forbes #cybersecurity #deepfakes #MFA #security #privacy #cloud #infosec #AI #leadership
@forbes@flipboard.com @Forbes@newsie.social @forbestechcncl
Critical Bluetooth vulnerability reported in SunPower Solar Inverters
A critical unpatched vulnerability (CVE-2025-9696) in SunPower PVS6 photovoltaic inverters allows attackers within Bluetooth range to exploit hard-coded credentials and bypass authentication to gain unauthorized control over critical functions including firmware replacement, power production disabling, and grid settings modification. CISA recommends isolating inverter networks and disabling Bluetooth interfaces when not needed. SunPower has not responded to coordinated disclosure attempts.
**If you have SunPower PVS6 inverters, review the advisory and, unless actively needed, disable their Bluetooth interface whenever you are not servicing them. Implement strong physical security around the devices, since attackers can take control from up to 170 feet away. Make sure that the wired connections are isolated from the internet. Use VPN-based wired connections instead of Bluetooth for remote management.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/critical-bluetooth-vulnerability-reported-in-sunpower-solar-inverters-v-2-d-n-f/gD2P6Ple2L
Freeradical.zone is a Mastodon server about infosec, privacy, technology, leftward politics, cats and dogs.
This server has been online since 2017.
You can find out more at https://freeradical.zone/about or contact the admin @tek
#FeaturedServer #InfoSec #Privacy #Technology #Mastodon #Fediverse #FreeFediverse
„username and password aren’t secure enough!“
„No, no OTPs, I need a second device and in an imaginary scenario I maneuvered myself into I don’t have access to it“
„No, not via email, that’s insecure and not available, because I use company hardware privately.“
„Passkeys are big tech vendor trash! Syncing them? Please! That defeats t3h security AND invalidates all my arguments!“
„I know what I am doing, my password is superior so I am safe!“
I love #infosec
I just discovered that "Employer on the Go", a website I am required to use by my employer for downloading pay stubs and entering time-off requests, implements "remember me" by saving my username and password in a plaintext browser cookie.
yhgtbfkmwts
It gets worse. They use "&" in the cookie as the separator between key/value pairs, and it's not quoted in values, so if there's a "&" in your password then they truncate it and don't pre-fill it properly on the login page.
#infosec #fail #smdh
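Added example, not the vendor's code and not part of the post above: the first two functions reconstruct the cookie format the post describes (credentials joined with "&", no quoting) so the truncation is reproducible; the class after them is the shape a "remember me" cookie should take instead, an opaque selector/verifier token looked up server-side, with only a hash of the verifier stored. Token lengths, the 30-day lifetime and the in-memory table are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time

# --- the pattern described in the post, reconstructed: credentials in the cookie ---

def make_cookie_leaky(username, password):
    # No quoting of values, so "&" (or "=") in the password corrupts the cookie.
    return f"user={username}&pass={password}"


def parse_cookie_leaky(cookie):
    fields = dict(part.split("=", 1) for part in cookie.split("&") if "=" in part)
    return fields.get("user"), fields.get("pass")


# --- hardened: an opaque selector/verifier token instead of credentials ---

REMEMBER_TTL = 30 * 86400   # assumption: 30 days


def _digest(value):
    return hashlib.sha256(value.encode()).digest()


class RememberMe:
    """Server-side table of long-lived tokens. The cookie carries a random
    selector (lookup key) and a random verifier; only a hash of the verifier
    is stored, so a leaked table cannot be replayed as cookies."""

    def __init__(self, now=time.time):
        self._now = now
        self._tokens = {}   # selector -> (username, sha256(verifier), expires_at)

    def issue(self, username):
        selector = secrets.token_urlsafe(12)
        verifier = secrets.token_urlsafe(32)
        self._tokens[selector] = (username, _digest(verifier), self._now() + REMEMBER_TTL)
        return f"{selector}.{verifier}"   # set it with HttpOnly; Secure; SameSite=Lax

    def resolve(self, cookie):
        """Return the username for a valid cookie, else None."""
        selector, sep, verifier = cookie.partition(".")
        record = self._tokens.get(selector) if sep else None
        if record is None:
            return None
        username, verifier_hash, expires_at = record
        if self._now() > expires_at:
            del self._tokens[selector]
            return None
        if not hmac.compare_digest(_digest(verifier), verifier_hash):
            # right selector, wrong verifier: someone is guessing, revoke it
            del self._tokens[selector]
            return None
        return username

    def revoke(self, cookie):
        selector = cookie.partition(".")[0]
        return self._tokens.pop(selector, None) is not None
```

The password never touches the client after login, so a stolen cookie is worth one revocable session rather than the account, and a password containing "&" is no longer a correctness problem.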
"Jeffrey Epstein, the guy who never dies"
(tl;dr someone hacked former Israeli prime minister Ehud Barak’s private emails and published all of his communications with Epstein (and everyone else he ever emailed))
https://reason.com/2025/08/27/inside-jeffrey-epsteins-spy-industry-connections/
#epstein #epsteinFiles #epsteinCoverUp #israel #ehudbarak #uspol #uspolitics #spyware #surveillance #infosec #cybersecurity #peterthiel #valarventures #reporty #SergeyBelyakov #FSB #putin #russia #vladimirputin
everyone calm down, the enormous #NPM supply chain attack of the incredibly popular (27,000 #github stars) #nx #AI build tool thingamajig is probably aimed solely at crypto bros. if you don't have any crypto you (hopefully) don't have anything to worry about.
my fact free, completely unsupported by evidence hunch is that we will find this came from #NorthKorea (because if it's a well orchestrated attempt to steal a bunch of crypto it's pretty much always north korea).
https://universeodon.com/@cryptadamist/115102035321832152
#crypto #cryptocurrency #ethereum #npm #nodejs #node #js #javascript #webdev #DPRK #LazarusGroup #cybersecurity #infosec #threatintel #claude #gemini
ExtraHop Networks - a former employer, who I like and would work for again -- is looking for a senior eng manager for their framework team.
EH is queer friendly, has great people, interesting tech, and is remote/hybrid. I suspect, but do not know, the position is restricted to US-based individuals. EH is based in Seattle and some roles are fully remote.
I am merely the messenger but happy to chat about my time at the company, just DM me.
https://job-boards.greenhouse.io/extrahopnetworks/jobs/5505247004
"Just use common sense" 👏
#Linux #Infosec #CyberSecurity #OpenSource #FOSS #LinuxMemes #Meme #Programming #Hacking #SysAdmin #TechHumor #Ubuntu #Debian #Fedora #LinuxMint #Arch #ArchLinux #Terminal #CyberAwareness #DevOps #Antivirus #GitHub #Desktop #Privacy #Security #TechNews #Microsoft #Windows #Apple #MacOS #iOS #OS #OperatingSystem
*puts the tinfoil hat on*
What if "AI" is just a pretext for building out massive GPU datacenters to create insane capacity for cracking cryptographic keys? 🤔
*takes the tinfoil hat off*
I'm getting a bit salty with the scammers today.
There are others besides North Korean hackers who engage in this particular scam, but my understanding is that the North Koreans are the most likely perps.
My reply about Kim Jong Un sounds funny, but it's actually serious. Ref: https://www.zmescience.com/science/news-science/north-korean-job-fraud-missile-funding/
#phishing #scam #infosec #NorthKorea
Secure Messaging Apps: a very complete comparison covering jurisdiction, funding, transparency reports, privacy, collection of customer data... #Infosec #Privacy https://www.securemessagingapps.com
New Sni5Gect Attack Crashes Phones and Downgrades 5G to 4G without Rogue Base Station
https://thehackernews.com/2025/08/new-sni5gect-attack-crashes-phones-and.html
#InfoSec
P.S. I should mention that although I fixed our family mail server to work with the #Windows Mail app, I don't actually think my daughter or anyone else should be using it, because it's a #privacy and #infosec nightmare. The app stores the user's credentials and emails on #Microsoft servers; logs into the user's email account from those servers; and displays targeted ads that look just like email messages and can't be disabled. It's a case study in shitty tech. Use Thunderbird!
🇫🇷
#Codeberg under assault from #IA bots: the #Anubis defense system bypassed.
On 15 August 2025, The Register revealed that Codeberg, a code hosting platform focused on free and open source software, is facing a growing problem: a proliferation of bots powered by artificial intelligence (AI). These bots now manage to defeat the security measures Codeberg has put in place, notably its defense system nicknamed "Anubis".
https://fr.itb.co.jp/2025/08/19/codeberg-sous-lassaut-de-robots-ia-le-systeme-de-defense-anubis-contournethe-register/
🇬🇧
Codeberg beset by AI bots that now bypass Anubis tarpit
Codeberg, a Berlin-based code hosting community, is struggling to cope with a deluge of AI bots that can now bypass previously effective defenses.
In a series of posts to the Mastodon social network on Friday, Codeberg volunteer staff said AI crawlers are no longer being kept at bay by Anubis, an AI bot tarpit.
"It seems like the #AI crawlers learned how to solve the Anubis challenges," the Codeberg account said.
#Anubis #OpenSource #CyberSecurity #Security #InfoSec #IA #NoAI #Technology
Okay fediverse, here's a fun one: what vulnerabilities have you seen in a *network interface*? An Ethernet card, a Bluetooth adapter, even a virtual network interface like the one containers or VPNs use. Bonus points for a link to a CVE.
The best I've found so far is a broad CVE about wired network adapters commonly having a bug where they copy data from main memory beyond the end of the packet and send it on the network.
Work funded by EFTA and EC
4 pack of Firefox updates out
3 high, one moderate
The 4th also hits Thunderbird
https://www.mozilla.org/en-US/security/advisories/mfsa2025-66/
@ErikJonker @geopolitics In the #uk, shipping ports like #felixstowe are a huge target, if not the biggest targets, for Russian cyber ops.
This dumb password rule is from myezyaccess.com patient portal system.
12-character maximum password length. This is not a single website but a patient portal system used by hundreds of medical facilities via subdomains, with password policy apparently being consistent for all sites.
https://dumbpasswordrules.com/sites/myezyaccess-com-patient-portal-system/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
OTP mode isn't the only mode that causes a #Yubikey to present as a keyboard. Static password mode also does that.
For my system, I use a Yubikey in static password mode. I first enter my memorized master password, then I have to touch the Yubikey to append the static password stored there.
I wonder if this #OpenBSD change would now lock me out of my system (if I were to use OpenBSD, that is): http://undeadly.org/cgi?action=article;sid=20250822064253
⚠️ Major password manager extensions (1Password, Bitwarden, LastPass, Enpass, iCloud Passwords & LogMeOnce) are vulnerable to clickjacking attacks that risk exposing login credentials & sensitive data. 🔐🕵️‍♂️
Bitwarden patched the flaw ✅; others lag behind. Users should update extensions & disable autofill until fixes are available. 🛡️🔄
#CyberSecurity #Privacy #Security #PasswordManager #Infosec #1Password #Bitwarden #Browser #InfoSec #TechNews #Clickjacking #Tech
6 major Password Managers with Tens of Millions of Users are currently vulnerable to unpatched Clickjacking Flaws that could allow Attackers to steal your Secrets - Public disclosure by Marek Tóth at DEF CON 33 #Infosec #Vulnerability https://socket.dev/blog/password-manager-clickjacking
And that's a wrap! The maximum score on today's #SpotThePhish is 15. How did you do?
Did I miss any? Reply and let us know!
🧵 12/12
#infosec #phishing #SecurityAwareness
It's time for today's edition of #SpotThePhish! Can you spot the many tells in this very bad phishing email that made it through my spam filters today? Spoilers in the replies, so write down your answers before reading on so you can score yourself.
🧵 1/?
#phishing #infosec #securityAwareness
The Record: Feds charge alleged administrator of ‘sophisticated’ Rapper Bot botnet https://therecord.media/feds-charge-botnet-admin @therecord_media
KrebsonSecurity: Oregon Man Charged in ‘Rapper Bot’ DDoS Service https://krebsonsecurity.com/2025/08/oregon-man-charged-in-rapper-bot-ddos-service/ @briankrebs
DoJ, from yesterday: http://justice.gov/usao-ak/pr/oregon-man-charged-administering-rapper-bot-ddos-hire-botnet #cybersecurity #infosec
This research by Marek Tóth presented at #DEFCON is good. The vulnerability he discusses is real.
However, exploiting it requires the attacker to compromise a website and add phantom workflows to it that the victim doesn't notice as suspicious. Not impossible, but also IMO not likely unless you visit shady websites frequently.
Personally, I do not think the likelihood is high enough to disrupt my existing workflows to protect against the attack.
#clickjacking #infosec
https://marektoth.com/blog/dom-based-extension-clickjacking/
One of the most effective security controls you can ever invest in is a decent work computer for your employees.
Yep, it's a bit more cash up front to get a bit more RAM or a bit more CPU poke, but your job in IT/Security is to get people the gear they need to do their jobs without thinking "this would be quicker if I used…".
Because we all know what happens when your VP of Finance decides to prep the W-2s on their kid's Alienware gaming desktop full of Minecraft plugins downloaded from every corner of the internet.
I understand why I don't, and actively advise everyone to keep doing what they are doing for their own #infosec and safety, but I find myself wanting to know who the real people behind the accounts I only know from Fedi are.
Behind the planned shutdown of the 2G and 3G networks hides a reality far more worrying than that of old phones. Vital devices, still dependent on these legacy technologies, risk simply failing.
https://www.lesnumeriques.com/societe-numerique/la-fin-de-la-2g-sera-une-rupture-dramatique-ascenseurs-teleassistance-rien-n-est-pret-n241104.html
#InfoSec
Meta’s AI rules have let bots hold ‘sensual’ chats with kids, offer false medical info
https://www.reuters.com/investigates/special-report/meta-ai-chatbot-guidelines/
#InfoSec
#InfoSec practitioners: "You should use a #VPN! It will make you safer!"
Also InfoSec practitioners: "If you use a VPN, random websites you need to log into on a regular basis will prevent you from logging in and lie to you about why they're doing it, so you just kinda have to guess 'Hey, maybe it's the VPN that I was supposed to be able to set and forget, I guess I'll try turning that off and try to remember to turn it back on later' whenever a website says it can't log you in for any reason."
Here we see that Discover is a member of the cursed club of websites that block access through VPNs and then lie about why they're blocking access.
If I listened to the error displayed here, I'd wait, try again later, it would fail again, etc. Who knows how long it would take before I figured out it was the VPN or called Discover, at which point the agent would probably tell me their website is working fine and they have no idea why I can't log in.
#infosec #Discover #VPN
Surveillance company Flock now uses AI to report a person to the police when it deems their movements "suspicious"
https://securite.developpez.com/actu/374659/La-societe-de-surveillance-Flock-utilise-desormais-l-IA-pour-signaler-une-personne-a-la-police-lorsqu-elle-estime-que-ses-deplacements-sont-suspects-d-apres-l-ACLU/
#InfoSec
Seriously, the issue in this thread is why I think #passkeys are a ticking time bomb. Most people don't understand how they work, or that they're linked to a single device, or that they need to maintain a backup login method. Websites that support passkeys don't do enough to communicate and enforce good habits. If we continue down the passkey path, people losing access is going to be a much bigger problem in the future, and we're not ready for it. #infosec
Too much noise around Signal: metadata at issue in encrypted messaging apps
#Signal is regularly named as THE best secure messaging app. Yet this universal superiority, presented without nuance, reflects a lack of finesse in the analysis. Worse, it endangers journalists and their sources, activists and certain minorities. We explain why in this article.
There's no point trying to beat this plague through processing power and/or by disturbing flesh-and-blood people. In that respect they [the usurpers] have the strength, financed by big Capital. All that's left is for them to leave the message before attacking us to assimilate our knowledge:
"We are the Borg. Lower your shields and surrender your ships. Resistance is futile."
And now, who can help us?
Huh, felt like I had been seeing more badness from TLD .es lately but didn’t dig deeper; Cofense did though.
https://cofense.com/blog/spain-tld-s-recent-rise-to-dominance
Here we see that Vanguard is a member of the cursed club of websites that block access through VPNs and then lie about why they're blocking access.
I was not "logging in using a script," and when I turned off my VPN I was able to log in just fine, after several logins in a row failed with the VPN active.
Assholes.
#Vanguard #infosec #VPN
I understand that one strategy employed by spammers and phishers is to make their messages stupid and absurd on purpose, so that only gullible and stupid people will fall for them, thus ensuring the scammers won't waste their time trying to scam people smart enough to figure it out.
Nevertheless, the mind boggles at how stupid someone would have to be to fall for a message like the one below, which I received this morning.
#spam #phishing #infosec
New, by me: Digital Pollution: The Hidden Cost of Insecurity
What do smoke signals, toxic rivers, and data breaches have in common? More than you think.
The internet has a pollution problem...and it’s not the kind you can just scroll past.
Why are breaches so routine? Why do companies shrug and move on? Spoiler: it’s all about who pays the price.
Let's take a deep breath and dive into the digital smog in which we’re all living. And what it will take to fix it.
#digitalpollution #cybersecurity #infosec #moralhazard #securityeconomics
https://www.securityeconomist.com/digital-pollution-the-hidden-cost-of-insecurity/
I'm slightly amused by this phishing email. It's spoofing the "suspicious login activity" emails that we all get, but because it's fake and you obviously are not the person who is said to have logged in, the button can't say "This was me."
Instead, the prompt is reversed to say "This Wasn't Me."
I have to imagine the first version of this malicious email was composed in error and it actually did read "This Was Me" which would result in even the most gullible person not clicking it.
🚨 Cybersecurity breakthrough! Profero cracked the encryption behind MuddyWater's DarkBit ransomware, enabling FREE data recovery for victims without paying ransom. This win disrupts nation-state tactics linked to Iran-backed hackers. Stay alert and read more: https://www.bleepingcomputer.com/news/security/muddywaters-darkbit-ransomware-cracked-for-free-data-recovery/ 🛡️🔓 #Cybersecurity #Ransomware #DarkBit #Infosec
#newz
Any #infosec folks wanna help me with some decent data to back up the following point? I am trying to make the point to some executives that a #password policy requiring minimum 8 characters with 1 symbol, mixed case, and 1 number is just not reasonable in 2025. (I'm commenting on another company's policy, not my own!)
What is a good example of a policy (e.g., NIST 800-63 or whatever) that said 49 bits was no good?
I currently say: 49 bits of entropy was unacceptably low in 2005. It is unthinkably low in 2025. What can I point to that might resonate better than "bits of entropy?"
Using the classic method with Shannon's estimate, I figure it's on the order of 49 bits of entropy, but that's only if it's purely random from the full character set, and we know that's not true.
I'm not looking for rhetorical suggestions. I'm good at rhetoric. I'm looking for references I can point to (like "XYZ published in 2011 that the minimum acceptable password was 56 bits of entropy")
feel free to boost for fun
#security #cybersecurity
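A worked version of the estimate discussed in the post above, added here as an example (it is not part of the original post). It computes the uniform-random upper bound for an 8-character, four-class policy, then the much smaller keyspace of a predictable template such as one capital, five lowercase letters, a digit and a trailing symbol, and converts both into brute-force time at an assumed offline guess rate. The symbol count (33 printable ASCII punctuation characters) and the guess rate of 10^10/s are assumptions, not figures from the post.

```python
import math

# Constructed character-class sizes (assumption: a US-ASCII keyboard).
CHARSETS = {
    "U": 26,  # uppercase letters
    "l": 26,  # lowercase letters
    "d": 10,  # digits
    "s": 33,  # printable ASCII punctuation, including space
}


def max_entropy_bits(length: int, alphabet_size: int) -> float:
    """Upper bound: every position drawn uniformly from the whole alphabet."""
    return length * math.log2(alphabet_size)


def policy_entropy_bits(length: int, classes: str) -> float:
    """Entropy a composition policy permits at most, given the classes it allows."""
    alphabet = sum(CHARSETS[c] for c in classes)
    return max_entropy_bits(length, alphabet)


def template_keyspace(template: str) -> int:
    """Number of passwords matching a fixed-position template like 'Ulllllds'.

    Each template character names a class; the keyspace is the product of the
    class sizes, because the class of every position is already known.
    """
    space = 1
    for c in template:
        space *= CHARSETS[c]
    return space


def template_entropy_bits(template: str) -> float:
    """Effective entropy when users follow a predictable template."""
    return math.log2(template_keyspace(template))


def brute_force_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to exhaust 2**bits candidates at the given offline guess rate."""
    return 2 ** bits / guesses_per_second


def compare(length: int = 8, template: str = "Ulllllds",
            guesses_per_second: float = 1e10) -> dict:
    """Side-by-side: what the policy allows vs. what people actually pick."""
    ideal = policy_entropy_bits(length, "Ulds")
    actual = template_entropy_bits(template)
    return {
        "ideal_bits": round(ideal, 2),
        "ideal_exhaust_days": round(brute_force_seconds(ideal, guesses_per_second) / 86400, 2),
        "template_bits": round(actual, 2),
        "template_exhaust_seconds": round(brute_force_seconds(actual, guesses_per_second), 2),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>26}: {value}")
```

The gap between the two rows is the argument: an 8-character, four-class policy caps out near 52.6 bits under the 33-symbol assumption, but the common "Capital word, digit, symbol" habit collapses that to about 36.6 bits, which the assumed rate exhausts in seconds rather than days.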
Introduction to Qubes OS when you do not know what it is: a free and open-source, security-oriented Operating System for single-user Desktop Computing using Xen-based virtualization - Blog post by Solène Rapenne @solene #Infosec https://dataswamp.org/~solene/2025-08-03-introduction-to-qubes-os.html
Vulnerability in 7-Zip archive software enables arbitrary file write and code execution
A security vulnerability (CVE-2025-55188) in 7-Zip allows attackers to execute arbitrary code and overwrite system files like SSH keys through maliciously crafted archives that exploit unsafe symbolic link handling during extraction. Even though the CVSS score is low and is under debate, it's wise to update.
**Unless there is some breaking relationship in your code, update your 7-Zip software to version 25.01 or later. Even though there are prerequisites to this exploit and a debate on the severity, a malicious archive risks harming your system. So better safe than sorry.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/vulnerability-in-7-zip-archive-software-enables-arbitrary-file-write-and-code-execution-0-a-d-2-f/gD2P6Ple2L
A reminder that upgrading your server might shut down parts of the security-related components and leave services unintentionally exposed.
Upgrading should not be done without proper filtering of unwanted incoming traffic (via for example a firewall in front of the server).
Here we can see some database passwords and cryptographic secrets exposed during #debian13 upgrade due to PHP being down while the httpd was not.
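The failure mode described above (the web server still answering while the PHP handler is down, so `.php` files come back as plain text with their secrets inside) can be caught with a quick probe before and after the upgrade. The check below is an added example, not the poster's tooling: it flags a response whose body contains a PHP open tag or whose `Content-Type` header announces PHP source, and the URLs fed to it are placeholders you supply.

```sh
# Exit 0 when the HTTP body on stdin looks like unprocessed PHP source
# (an open tag survived into the response, so the handler did not run).
body_is_php_source() {
    grep -q -e '<?php' -e '<?='
}

# Exit 0 when the response headers on stdin label the payload as PHP source,
# which some servers do when no handler claims the .php extension.
headers_expose_php() {
    grep -i -q -e '^content-type: *application/x-httpd-php' \
                  -e '^content-type: *text/x-php'
}

# Read URLs (one per line) from stdin, fetch each with curl, and report any
# that hand back PHP source. Returns non-zero if any URL leaked or failed.
# Usage (placeholder host):  printf '%s\n' https://example.invalid/index.php | probe_urls
probe_urls() {
    rc=0
    while IFS= read -r url; do
        [ -n "$url" ] || continue
        hdr=$(mktemp) || return 1
        body="$hdr.body"
        if ! curl -sS -D "$hdr" -o "$body" "$url"; then
            echo "ERROR: could not fetch $url" >&2
            rc=1
        elif body_is_php_source <"$body" || headers_expose_php <"$hdr"; then
            echo "LEAK: $url serves PHP source instead of executing it"
            rc=1
        else
            echo "ok:   $url"
        fi
        rm -f "$hdr" "$body"
    done
    return $rc
}
```

Run it against every PHP front page and config-including script before the upgrade (to confirm the baseline is clean), keep the server behind a firewall that drops external traffic for the duration, and run it again before reopening the port; a single `LEAK` line means the secrets in that file should be treated as exposed.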
#USA: net neutrality advocates will not appeal to the Supreme Court
https://next.ink/brief_article/usa-les-defenseurs-de-la-neutralite-du-net-ne-feront-pas-appel-devant-la-cour-supreme/
/v @manhack
#InfoSec #NetNeutrality
Freely available scripts for pirating Disney+, Netflix, Amazon and others https://www.generation-nt.com/widevinedump-piratage-scripts-outils-contenus-hd-streaming-github-actualite-1996260.html #InfoSec
Critical PostgreSQL bug tied to zero-day attack on US Treasury
A high-severity SQL injection bug in the #PostgreSQL interactive tool was exploited alongside the zero-day used to break into the US Treasury in December, researchers say.
Rapid7's principal security researcher, Stephen Fewer, disclosed CVE-2025-1094 (8.1) on Thursday, saying it was a key part of the exploit chain that also included the BeyondTrust zero-day (CVE-2024-12356).
https://www.theregister.com/2025/02/14/postgresql_bug_treasury/ #infosec