Another 0 day presents another opportunity to remind everybody:
*don't trust WiFi you don't control*
Whitehats have been able to grab "deleted" photos off an iPhone which connected to a WiFi point under their control. Other pieces of info are on the table too, but photos were the first things they could get to.
https://www.engadget.com/2018/11/15/iphone-x-bug-hackers-deleted-photos-files-apple/
sorry if this has already been posted.
🇺🇸 US 'nauts - Sign up for the USPS informed delivery before crooks do it for you.
ID thieves are signing up for this service on your behalf to sign up for credit cards in your name and then using it to find out when to grab the new card out of your mailbox.
I know @White_Rabbit and I differed on opinions on this subject. Personally I thought the repudiation was a difficult hurdle, and a potential attachment vector itself, he thought that it was rapidly becoming the only deterrent. (He's not wrong there)
https://www.theatlantic.com/business/archive/2017/07/hacking-back-active-defense/533679/
Healthcare.gov breach
Data exposed may have included Social Security numbers and a variety of other personal information, such as income, tax filing status, family relationships, and immigration status.
https://gizmodo.com/healthcare-gov-breach-included-social-security-numbers-1830347696
Make sure you only enable browser extensions you fully trust.
At least 81k users' private messages were stolen using a malicious plugin, and then sold for 10¢ apiece.
https://gizmodo.com/a-browser-extension-apparently-stole-the-private-facebo-1830175571
🇪🇺 🇭🇺 🇬🇷 🇱🇻
"Hey, guys, I got an idea. This whole AI thing is taking off. Let's see if we can use it to see if people are lying when they're crossing the border!"
"Hmm, I see no problems with this"
https://gizmodo.com/an-ai-lie-detector-is-going-to-start-questioning-travel-1830126881
Mac forums data breach.
326k records breached in 2016 that included usernames, IP and email addresses, dates of birth and passwords stored as salted MD5s.
https://twitter.com/haveibeenpwned/status/1057058067420917760
This article starts off one way (warning conservatives about scam PACs), but reading into it, I found something I never knew before.
Apparently to become a PAC, you just have to register, and then give *some* money to a candidate, doesn't matter how much, or what percent.
Scam PACs are a thing: they take donations and then put 99.99% of those donations into "operating costs" or "administration salaries".
https://workplacetablet.com/2018/10/29/conservatives-targeted-for-midterm-election-scams/
This is an example of "in the wild" phishing based on people's need to help others. The infographic at the bottom is a good refresher for those not living and breathing this stuff every day.
This looks to be an interesting product. Overall it's fairly expensive for an email server, but for the less-technical, but still privacy-minded folk, it may be a solution.
This is still unconfirmed but Brian Krebs is reporting that some people are gaining access to Experian's credit freeze PINs without authorization.
https://twitter.com/briankrebs/status/1048247264152621061
(screenshot because link eventually goes to FB)
Northwest folks, hope you haven't used a card in Burgerville recently.
https://www.opb.org/news/article/burgerville-cybersecurity-breach/
Good news, guys! California just fixed the Russian bot problem for us!
They now have to tell us they are bots before they attempt to influence.
Facebook security tokens abused.
Facebook really doesn't care about your privacy that much, so they are downplaying it by saying *only* 50 million people impacted.
https://threatbrief.com/facebook-50-million-accounts-impacted-by-security-flaw/
well then.
Chrome won't delete Google cookies when you ask to "delete all"
TBH, I haven't tested this (I don't do "nuke all" with my cookies), but if it's true, it's pretty damning.
Newegg was exposing Credit Card info for a month.
Some persistent XSS was detected on the checkout page skimming credit card info and sending it to a third party server.
https://www.theverge.com/2018/9/19/17879630/newegg-user-credit-card-info-data-breach-hack
In the coming hours you may hear about a new attack on your computer called ColdBoot.
https://en.wikipedia.org/wiki/Cold_boot_attack
While it's a pretty bad vulnerability - it's not the worst thing ever. Don't get caught up in the hype. The attacker needs extended access to your machine (e.g. it needs to be stolen) while it's on or very shortly after it's been turned off.
I don't have the attention span to digest this right now, but it seems to me like a bad idea.
Any pros want to comment on this?
Just a reminder - in the coming days, you'll be inundated with reminders/requests/hints to help the victims of Florence monetarily.
Be careful: while most are legit, many will be scams. Do your homework if you choose to donate your hard-earned money.
Additionally, they may not even ask for donations, they may pull on your heartstrings to trick you into giving up pieces of your identity.
Give, but be smart in giving.