OK. Real question here about #privacy and I guess #opsec.
Most of us know that the use of apps to do MFA (multifactor authentication) is a useful thing to protect someone from guessing/using our passwords on sites.
Many of the password managers now include a helpful MFA feature where you can store your password AND do MFA in their app.
My question is, doesn't this defeat the purpose of MFA if they are stored in the same app/location?
At least 18 different malicious extensions (as of 30 MAY and this post) identified by @WPalant
Remember extensions have privileged access to the browser (and data in the browser). Choose your extensions wisely... they could be #spyware or #malware in disguise.
Interesting detail: the #SteamDeck comes with a branded seal on the case double zipper. I assume this is so a MITM has to steal the whole thing or nothing. In fact, this prevents physical access to the handheld altogether (without breaking the seal or case). Nice #opsec detail, although I guess it would still be possible to do something by hacking the power adapter, whose box had a simple unbranded seal.
Are there any interesting #redteam or offensive security reports on cracking #guix or #nixos? I've always been curious what kind of challenges it would present in practice, how much difficulty the immutable store and containerization of packages would really pose, or whether there are minor faults throughout the codebase that can easily be tracked down and exploited by professionals. But I haven't found any good posts on the matter.
What's the current state of the art in terms of identity verification?
With Twitter blue checks pointless now, we don't have much awareness of what is useful for average individuals to publish their own identity or verify that of others. And with LLMs flooding the web with fake info, I think this is going to become more & more important.
I'd like to look into ensuring my own online identity is as authenticated as possible.
I'm pretty hyped for #passkey adoption, not gonna lie. I know passkeys have drawbacks (especially when synced to the cloud, and if not, issues when a device is lost/stolen). These passwords have gotta go.
It seems timely to talk about what #OpSec is rather than just what it isn't.
OPSEC is about preventing leaks of metadata or auxiliary data in order to prevent revealing your underlying secret. OPSEC is about preventing an adversary from determining your actions from things that are not information about the operation itself.
OPSEC is a process, not a plugin.
For example, if you are worried about plans around an action leaking out, OPSEC asks about elements such as:
Any of you fedi wizards know of good accounts to follow to learn more about #cybersecurity, #infosec, #opsec etc.? I'd follow the tags, but I've often found that following big tags drowns my entire feed in one topic.
I'm currently reading some crime #novels again. Fiction literature. And there are many encounters with police gaining access to someone's (either criminal or victim) #email content, private messages on #SocialMedia, text messages on #phone etc. I wonder if it could really be possible in the real world.
Or what would happen if someone uses hard disk encryption? Do they get this #data from service providers? Could using an encrypted email service like #Protonmail or #Tutanota prevent this? If I understand correctly, email content is encrypted at rest.
Are regular data deletion, history cleaning and/or disappearing messages (like #signal features) effective for this?
If someone avoids big mainstream services and uses only niche/encrypted/self-hosted ones, are they safe?
Is it possible to become immune to this both via software/service choices and online habits? How to achieve this if so?
I don't want to commit crimes, only become "invincible" :blobcatjoy:
🆕 blog! “There's nothing you can do to prevent a SIM-swap attack”
It is tempting to think that users are to blame for their own misfortune. If only they'd had a stronger password! If only they didn't re-use credentials! If only they had perfect OpSec! If only...! Yes, users should probably take better care of their digital credentials and bury t…
If you ever want to feel depressed about humanity, just do a search for things like #newbadge on your social media platform of choice. I found this one on #Facebook. This guy works for a bank.
Don't be this guy. He could be impersonated, or this picture could be used as a template to forge a fake ID complete with a valid barcode to gain access to bank facilities or infrastructure.
I censored the bar code and ID#, they were visible in the original.
Huh. iOS 17 allows you to keep using your old passcode for 72 hours after you’ve changed it.
That seems like a non-ideal thing to do by default. And it certainly seems like something that should be highlighted really prominently when changing the passcode 🤔
It is tempting to think that users are to blame for their own misfortune. If only they'd had a stronger password! If only they didn't re-use credentials! If only they had perfect OpSec! If only...!
Yes, users should probably take better care of their digital credentials and bury them in a digital vault. But there are some things which are simply impossible for a user to protect against. Take, for example, a SIM-swap attack.
You probably have your phone-number tied to all sorts of important services. If you want to recover your email, log in to a bank, or prove your identity - you'll probably need to receive a call or SMS. If an attacker can take over your phone number, they're one step closer to taking over your accounts.
I keep saying "your phone number", but that's a clever lie. The phone number does not belong to you. It belongs to the network operator and they define which SIM the number points to.
This means a suitably authorised person at the telco can point "your" number to a new SIM card. That's helpful if you've lost your SIM but bad if an attacker wants to divert your number.
What can you do to stop this attack? Nothing.
Oh, you can have a strong and unique password on your account, and you can hope your telco uses TOTP and PassKeys. But it turns out that it is possible to bribe telco employees for the low, low price of US$1000.
If your security rests on a phone number, you've effectively outsourced your security to the most bribeable manager employed by your telco.
Now, I said there's nothing you can do. That isn't quite true. You can attempt to pen-test yourself.
Go to your phone company's account. Set a long and complex password. Change your mother's maiden name to HK2BY@]'PU,:!VQ;}baTj. Turn on every security measure you can find. Call the phone company from a different phone and explain that you lost your phone and want a new SIM card. If they ask for your mother's maiden name, say "Oh, I set it to a long stream of gibberish". If they ask where to send the SIM, give a trusted friend's address. If your phone company is negligent and sends out a new SIM on the basis of poor verification, then you should move your number to a more reputable provider.
It's good fun to try and social-engineer a call-centre worker for your own details. But it's probably illegal to try and bribe someone to hijack yourself.
Anyway, please try to remove your phone number as a critical lynchpin in your security regime.
First screenshot is the real PIN prompt, second one is a JavaScript prompt() with a custom prompt text.
The only differences are:
• PIN dialog is at the top of the window, prompt() centered.
• PIN dialog says "Sign In" on the button, prompt() says "OK" (which is not customizable).
• PIN dialog has "https://", prompt() just the domain.
I'd say that makes it pretty trivial to phish for Passkey PINs … 🤦♂️
With QR codes everywhere, there's a rising concern about their misuse. 🚨 How do you protect yourself from malicious QR codes? What are your go-to security measures before scanning? Please share your best practices & tips!
So Spain sent one of its shady orders to Switzerland (one of those that call Tsunami terrorists, LOL), Switzerland made a request to #ProtonMail, and that ended up uncovering a person's identity (through their recovery email and a request to Apple) and in their arrest.
Be careful and don't assume that a secure/encrypted service makes you anonymous.
(News from at least two weeks ago that for whatever reason hadn't reached me until today)