Google unfixed the download bomb exploit scam sites use to attempt to get you to call their "fix hotlines"
"The "download bomb" trick is a technique that involves initiating hundreds or thousands of downloads to freeze a browser on a specific page."
It affects Firefox, Opera, Vivaldi, and Brave as well.
FB temporarily unblocked users or raised the privacy level of messages from 800,000 users, and it went on for 8 days.
I'm going to bet that there's going to be a few angry conversations after that.
https://gizmodo.com/facebook-admits-to-major-screw-up-that-silently-unblock-1827292198
Just a reminder, as @White_Rabbit used to say:
Please don't use URL shorteners.
And please, for your sake, don't click on shortened URLs. Criminals often utilize them to obfuscate/legitimize web addresses that would otherwise be dead giveaways that the link is malicious.
Well, there's a good bet every single person in America has just had their data breached (again).
Names, how much you make, religion, mortgage lender, color of your kitchen, you name it, just not SSNs.
Forgive me if I missed this posted earlier.
Ticketmaster UK's payment page had been breached for months. Or more specifically, a third party JavaScript library they used was breached, allowing criminals to log the credit cards of victims.
https://security.ticketmaster.co.uk
Devs: host all the JS assets you can yourself. Use content security policies and research your vendors thoroughly when you can't.
Web Devs, Security ppl, Builders, Breakers, Defenders, especially those on the west coast.
OWASP AppSecUSA just released the pricing and training/presentation programs.
Campaigns are alarmingly lax with securing voter personal data.
"There's no real concern on our end. If a Dem were to jump into our [volunteer] list, there's no concern that they're going to rip off our data, as they would have access to the same data."
So, because you don't have the imagination to recognize the data is misused, it can't be?
Mac users who use encrypted drives:
There's a hole in your encryption. It's not huge, but you need to be aware of it.
If you preview a file on your encrypted drive, that file is now cached on your primary drive.
If this is concerning, then remove the cache and reboot when you're done with the drive.
Aussies 🇦🇺:
The biometric database Australia was planning on building is no more. Citing budget overruns, the project is cancelled. They didn't cite the fact that it's an invasion of privacy or that, no matter what, there will be too many false positives.
If you don't like companies tracking you online, there's a place where you can opt out of most online advertising tracking.
http://www.aboutads.info/choices/
It won't remove you from every list, but it's more comprehensive than I would have expected, and a fairly easy process.
TIL: Hackers take a break to watch the world cup, but only until their team has all but lost, at which point, they double down on any attacks.
An interesting side effect of apple locking down data-transfers via the lightning port.
Due to the fact LE only has an hour window, they can now claim "exigent need" to bypass needing a warrant.
Note: the link is behind a paywall.
Yesterday's XKCD (https://xkcd.com/2006/) brings light to what you're selling when you sign up for a store loyalty program, "like" a store on Facebook, or "check in".
I get it - the lure of almost free money is a siren song.
But when doing the like/check-in thing, set up a sock puppet account which is only used for these things.
When signing up for a loyalty card or the like - lie or omit as much as you can!
Spanish Football (soccer to Americans) League uses their app to make the public into unwitting police.
https://www.bbc.com/news/technology-44453382
This is a great example of a counterpoint to the "But I never do anything wrong, so I don't care" argument.
If your favorite watering hole was closed down because it had the game on, and it's your fault because you had an app on your phone listening for such things, would you then care?
(edited to remove typos)
If you're on a Mac and use any of these:
Google Santa
Facebook OSquery
Little Snitch
xFence
Yelp’s OSXCollector
Carbon Black’s Cb Response
Objective See’s tools
Then update your tools, a vulnerability has been discovered which allows malware to masquerade as valid Apple-signed code.
https://motherboard.vice.com/en_us/article/evkq3m/apple-macos-malware-okta-research
Detecting Lateral Movements in a Windows Vista/7/8 Infrastructure
Full disclosure: I haven't had a chance to read it cover to cover yet, and it's dense.
http://cert.europa.eu/static/WhitePapers/CERT-EU_SWP_17-002_Lateral_Movements.pdf
Warning: Google's new login screen is not a bad phishing attempt. It might have gotten my attention in a bad way.
https://gsuiteupdates.googleblog.com/2018/06/a-new-look-for-google-sign-in-screens.html?m=1