WTAF?
You can add extra characters to your password and it's still accepted?
a) no, that's not how passwords are supposed to work
b) no, you're storing the passwords
(not just wrong, but you're storing them in the first place)
c) you're not hashing them?
d) YOU ARE A F**KING BANK!
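An added example, not from the original post: in Python, a properly salted and hashed password rejects any appended character, while a (hypothetical, constructed) system that silently truncates the password before hashing reproduces exactly the "extra characters still accepted" symptom described above.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example (not from the post): a password store that derives a
# salted PBKDF2-HMAC-SHA256 digest, plus an optional "truncate before hashing"
# anti-pattern that reproduces the "extra characters still accepted" symptom.

ITERATIONS = 100_000


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the UTF-8 encoded password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str, truncate_to: Optional[int] = None) -> dict:
    """Store a password. truncate_to=None is the correct path: hash the whole
    string. A non-None value imitates a system that silently cuts the password
    to a fixed length before hashing (hypothetical legacy behaviour)."""
    if truncate_to is not None:
        password = password[:truncate_to]
    salt = os.urandom(16)
    return {"salt": salt, "digest": derive(password, salt), "truncate_to": truncate_to}


def check(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    if record["truncate_to"] is not None:
        password = password[: record["truncate_to"]]
    candidate = derive(password, record["salt"])
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    good = enroll("correct horse battery")
    print(check("correct horse battery", good))    # True
    print(check("correct horse battery!!", good))  # False: any extra byte changes the digest

    bad = enroll("correct horse battery", truncate_to=8)
    print(check("correct horse battery", bad))     # True
    print(check("correct horse battery!!", bad))   # True: the symptom in the post
    print(check("correct ", bad))                  # True: only the first 8 chars ever mattered
```

The same symptom can come from a fixed-width storage column or from a hash function with a documented input limit, so check the full path from input field to stored digest, not just the hashing call.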
in case anybody was still unsure about this, Facebook and privacy are mutually exclusive concepts.
FB bug inadvertently gave access to photos that were never even shared to a single person.
Being that they took so long to disclose this, GDPR will come into play and come in hard. I really hope they get the max fine of 20% global profits.
Parents, please, don't buy things like this for your young children. As a parent I know they are a convenient 1/2 hour of quiet time, but they don't need them, *and* they are usually more susceptible than your average Windows XP setup.
https://nakedsecurity.sophos.com/2018/12/07/kids-vtech-tablets-vulnerable-to-eavesdropping-hackers/
🇨🇦 Canadian friends:
Payment card details lifted from 1-800 Flowers' Canadian site.
https://threatpost.com/1-800-flowers-becomes-latest-payment-breach-victim/139619/
And now you too can buy into the new and revolutionary "guerrilla printer advertising revolution"*
(*legality may vary, or be completely non-existent)
This is really scammy.
https://www.welivesecurity.com/2018/12/03/scam-ios-apps-promise-fitness-steal-money-instead/
App asks you to use a fingerprint to unlock something and then JUST as you're about to it pops open a "buy app upgrade for $100" window tricking you into buying the app for a very hefty fee.
With this Marriott breach, there's already a bunch of phishing attempts to screw over a second time.
Be wary of any email you get claiming to be from Marriott. Treat it with full skepticism, even if it looks legitimate. And don't click on any links in them until you're 175% sure it's legitimate.
Dunkin Donuts loyalty program breached via a credential stuffing attack.
https://go.newsfusion.com//security/item/1338925
Yet another reminder: do not reuse passwords between systems.
Some of the southern New England/eastern NY #CoSoSec people may be interested in this *free* event:
https://www.cvent.com/c/express/a32a8f52-f0e9-48ca-a56e-dd0f3e
Join Veracode's Mark Curphey, Founder of OWASP and VP of Strategy at Veracode in Hartford for some food, drinks, and talk on all things Open Source. He will join other experts in the hot seat to answer questions from you and your peers on why Open Source is risky and get to the truth behind some of the myths.
(may be an advertising event but still good networking)
Marriott/Starwood database compromised: 500M records breached.
Name, mailing address, phone number, email address, passport number, account information, date of birth, gender, arrival and departure information, encrypted payment card information, and they could not rule out the possibility that the encryption keys had also been stolen.
Devs - don't store encryption keys in the DB, or anywhere near the encrypted data! 🤦
Another in-the-wild attack against the UPnP protocol.
Patch your routers, turn off UPnP.
Sign up for https://haveibeenpwned.com/ for every email you use. CoSoGuard will alert you to breaches involving the email you use here, but this caught my work email.
^^^ too angry to add #CoSoSec
Headphone software made by Sennheiser has been installing a root certificate, plus the private key, onto people's computers: https://www.secorvo.de/publikationen/headsetup-vulnerability-report-secorvo-2018.pdf
The reason that this is bad is that anyone can use this key, which is the same on all installations, to forge certificates and impersonate websites.
It's very bad - remember the Sony DRM debacle about 15 years ago where criminals were abusing the DRM to install their own viruses? Yeah, this is the web equivalent.
Something I've never considered before: some people believe the "https lock icon" is a proof of validity rather than *only* a proof of encryption in transit.
Don't trust the lock to keep your data safe, but on the other hand, if it's missing, don't put in a password or a credit card number at all.
https://krebsonsecurity.com/2018/11/half-of-all-phishing-sites-now-have-the-padlock/
Just received this from a vendor, but it's still good advice regardless of the source:
Black Friday and Cyber Monday are the busiest online shopping days and the bad guys are out to get rich with your money. After all, ‘tis the season for scams and phishing.
So how do I stay safe this holiday season?
1/2
This is a good, fun read. Long, but worth it to anybody in IT, especially those in #CoSoSec.
This is bad.
A near-real-time stream of SMS messages was sitting out on a server with little to no protection.
Some messages included 2-factor authentication codes and password resets, even a password sent in plain text.
Remember this when you think text-message-based 2-factor authentication is good enough.
https://techcrunch.com/2018/11/15/millions-sms-text-messages-leaked-two-factor-codes/