Never thought about it before, but I just turned on app-based 2FA on my Amazon account.
Problem... they force you to use a backup phone number for backup 2FA, completely removing the security of app-based 2FA
Just sent a set of instructions to a non-tech person who thinks her "computer has been hacked." She's panicking and can't give me good details about what's happening.
So I threw a full set of emergency response instructions at her.
I can see why people tend to get overwhelmed by us now. There's a lot of stuff I gave her - a good 20 hours' worth of work... to me.
And then I threw @daniel's one-a-day items at her for when she's finished.
#CoSoSec: In southern New England on Nov. 9 and looking for an inexpensive security conference (only $23)?
Meet me* at BSides CT (https://www.bsidesct.org/).
*I may or may not actually make my presence known.
Galaxy S10 fingerprint reader rendered useless after adding a screen protector.
Web Developers: Jim Manico (OWASP, Manicode, among others) and others at OWASP have put together a really good set of security cheat sheets.
#CoSoSec has all chimed in before: don't trust URL shorteners.
Don't use them, and never click on a shortened URL.
Here's why: https://www.hackread.com/mastermana-botnet-evades-detection-url-shorteners/
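An added example, not from the original posts: one way to see where a shortened link actually leads without ever loading the destination page. It follows redirect headers by hand with HEAD requests and a hop cap; the `fake_fetch` fixture and the `*.example` hostnames are constructed so it can be exercised offline.

```python
# Added example: expand a shortened URL by following redirects manually.
# No body is ever downloaded and the final page is never visited, so the
# link's real destination can be inspected before deciding to trust it.
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
MAX_HOPS = 5  # shorteners may chain; more than a few hops is itself a red flag

def head_location(url, timeout=5):
    """Issue a HEAD request and return (status, Location header or None).
    Redirects are NOT followed automatically; the caller decides."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("refusing non-HTTP scheme: " + parts.scheme)
    conn_cls = HTTPSConnection if parts.scheme == "https" else HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "url-expander/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def expand_short_url(url, fetch=head_location, max_hops=MAX_HOPS):
    """Return the redirect chain [url, hop1, ..., final] without loading the
    final page. fetch(url) -> (status, location); injectable for offline tests."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECTS or not location:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            raise ValueError("redirect loop via " + nxt)
        chain.append(nxt)
    raise ValueError("gave up after %d hops: %s" % (max_hops, " -> ".join(chain)))

# Constructed offline fixture standing in for real shortener responses.
FAKE_RESPONSES = {
    "https://short.example/abc": (301, "https://hop.example/r?id=1"),
    "https://hop.example/r?id=1": (302, "/landing"),
    "https://hop.example/landing": (200, None),
    "https://loop.example/a": (302, "https://loop.example/b"),
    "https://loop.example/b": (302, "https://loop.example/a"),
}

def fake_fetch(url):
    """Offline stand-in for head_location using the constructed fixture."""
    return FAKE_RESPONSES.get(url, (404, None))
```

Against a live shortener, call `expand_short_url("https://<short link>")` and read the last element of the returned chain.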
Important thread on electronic locks.
https://twitter.com/cybergibbons/status/1176419262325501953
They're easily defeated (they don't take physical security as seriously as traditional locks), and when they malfunction there may be some serious safety issues (think being trapped inside during a fire).
Massive breach detailing almost everything important (gov tax IDs, bank accounts, phone numbers, marriage records, work history, education, family records, etc) for every single Ecuadorian citizen.
https://www.bbc.com/news/technology-49715478
I really don't know how Ecuadorians can recover from this, I just hope that it was found by the white hat first (but wouldn't count on it).
Pentesters:
Check your contractual scope and get it in writing.
Huawei, LG, Samsung and Sony Android phones are susceptible to a bug which allows an SMS message to steal your emails.
https://www.engadget.com/2019/09/06/sms-phishing-attack-android/
Samsung and LG have already patched the vulnerability; Huawei will only patch it on phones that are yet to come out; and Sony refuses to acknowledge that it's a problem.
XKCD Forums have been breached.
https://www.vice.com/en_us/article/vb5v7d/xkcd-forum-data-breach
If you signed up for echochamber.me/xkcd and reused a password... go change that password on every site you used it on.
In fact, if you've reused any password anywhere, go change it on every site you used them on.
Drive-by-downloads have been attacking iOS devices for years.
Uploading everything from images to current location to passwords contained in your keychain.
https://www.theguardian.com/technology/2019/aug/30/hackers-monitoring-implants-iphones-google-says
A good first step. But can gas pumps and ATMs add similar logic and shut down if tampering is detected?
https://techcrunch.com/2019/08/14/bluetana-card-skimmer-gas-pump/
Any time a data breach occurs, watch out for piggyback scams: scams which use recent breaches to try to trick you into giving up your data *again*.
Criminals don't care if you just got hurt; it makes you an easier target.
If an email asks you to sign in to update your credentials from a breach, treat it suspiciously.
Once again people, be very careful about what you put on your phone.
Oops... remember, non-critical systems can touch critical systems... systems like flight control.
If you use State Farm, make sure you are using a unique password. If not, change it immediately!
"State Farm has quietly let customers know that attackers launched a cred stuffing attack against their login forms."
Any devs out there using the Have I Been Pwned APIs?
https://www.troyhunt.com/authentication-and-the-have-i-been-pwned-api/
You /may/ want to check your code soon.
Anybody working in tech security/compliance/development/PR, don't be Timi Health.