The CDC isn't going to email you personally. The WHO isn't going to ask you to click on download and open documents.
https://www.vice.com/en_us/article/n7jdxw/hackers-are-using-the-coronavirus-panic-to-spread-malware
#WeToldYouSo #CoSoSec #MobileVoting
Mobile voting app used in WV has more holes and is easier to break than a chain link fence.
c.c. @Heucuva8 @Mrs_Bones
I'm not saying don't use Ring.
I'm just putting this out here:
https://www.eff.org/deeplinks/2020/01/ring-doorbell-app-packed-third-party-trackers
Hey, here's an idea. Instead of trusting our students and professors, let's force them to use tracking apps to make sure they say where they are!
There's no downsides to this!
There's no way that this information won't be used illicitly.
There's no way for this system to be hacked.
There's no way to tell your phone to report a fake location!
Holy cow. So much #CoSoSec Fail in a single device that you can't "just" throw away.
http://solarcybersecurity.com/
The inverter pwds used are short and do not differ between units.
The network protocols used ... are unencrypted
attacker can read a customer’s WiFi access creds from the SolarInfo wifi dongle.
settings can be accessed via the ... the smartphone app ... . Intentional misconfiguration of these settings could lead to Battery explosion and fire.
Samsung Phone users:
https://hackaday.com/2020/01/09/spyware-discovered-on-all-samsung-phones/
Not much you can do about this (I won't recommend anybody inexperienced rooting their phone).
All Wawa PoS (point of sale e.g. cash registers) had malware stealing credit cards on it from March until December.
I don't know if using chip readers makes you immune from the fallout, but if your card doesn't have a chip yet and you used your card at Wawa, get a new one ASAP.
https://6abc.com/wawa-announces-data-breach-potentially-all-locations-affected-ceo-/5769537/
Some of you might have gotten the notice that your email appeared in the Zynga breach.
It's ok, they got salted hashed passwords. This means that unless the attackers also got the salt value, they can't look up your hash in a rainbow table to find your password. (Think of a dictionary with a random order where each word is a password, but only the entry number was saved and the salt value being the specific edition of the dictionary)
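As an added illustration of the mechanism described in the post (example code, not from the original): a precomputed digest-to-password table matches an unsalted hash directly, but with a random per-user salt the same password yields a different digest for every user, so the table finds nothing. The password list and salts are constructed here; SHA-256 stands in for the hash only to keep the lookup visible.

```python
import hashlib
import os

# Constructed wordlist standing in for the passwords an attacker would precompute.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "hunter2"]


def unsalted_hash(password: str) -> str:
    """Plain hash: identical passwords always produce the identical digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Hash with a per-user salt prepended, so the digest depends on both values.
    Real password storage uses a deliberately slow KDF (hashlib.scrypt or
    hashlib.pbkdf2_hmac); plain SHA-256 is used here only for clarity."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(passwords):
    """Precompute digest -> password for a wordlist (a tiny stand-in for a rainbow table)."""
    return {unsalted_hash(p): p for p in passwords}


def lookup(table, digest):
    """Return the recovered password if the digest was precomputed, else None."""
    return table.get(digest)


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)

    # Unsalted storage: a leaked digest is a direct key into the precomputed table.
    hit_unsalted = lookup(table, unsalted_hash("letmein"))  # "letmein"

    # Salted storage: each user record carries its own random salt.
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    leaked_a = salted_hash("letmein", salt_a)
    leaked_b = salted_hash("letmein", salt_b)
    hit_salted = lookup(table, leaked_a)          # None: no table entry matches
    same_password_differs = leaked_a != leaked_b  # True: two users, same password, two digests

    return hit_unsalted, hit_salted, same_password_differs


if __name__ == "__main__":
    print(demo())
```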
Got a Ring device?
Think hard about its security.
https://www.vice.com/en_us/article/z3bbq4/podcast-livestreams-hacked-ring-cameras-nulledcast
It's Krebs, but I haven't found another source yet:
Krystal, Moe's, McAlister's, Schlotzsky's succumbed to a credit card skimming attack.
My Moe's was affected for 1 week.
New CC info grabbing technique found in the wild.
This time, instead of skimming your CC info while you're typing it in, attackers are now sending you to their site pretending to be a 3rd party payment provider where you gladly type in your CC#.
You probably won't notice until they redirect you to the actual payment provider and are asked to type in your CC# again.
Stop Stalker Ware
There's few, if any, legitimate reasons to use stalkerware. And *0* reasons to use it against a lucid adult.
I'm sure there are even better alternatives to the "legitimate" reasons.
ok, #CoSoSec time.
Android phones were susceptible to an attack which allowed a malicious app to use the microphone, camera and, if geo-tagging photos was on, your location, even if you didn't give the app permissions to use the camera and mic.
Google has fixed this on their Pixel line, and Samsung has confirmed a fix. No word as to who else may have been or still is affected.
It's confirmed: The Disney+ hack was due to credential stuffing.
Yet another reason to USE A PASSWORD MANAGER AND A UNIQUE PASSWORD PER SITE!
A bunch of Kali Linux-based books just dropped on Humble Bundle.
#CoSoSec folk in Southern New England:
BSides CT is tomorrow at CCSU - only $20. I'll be there, if you want to meet up or collaborate on the CTF.
https://www.bsidesct.org/
(edited to add link, fix typo)
So that SMS snafu where valentines messages were delivered yesterday?
This highlights yet another reason not to use SMS as a 2FA if it can be avoided. This is not the only 3rd party carrier to handle your data. Who's to say there's not a trusted insider threat who placed a back door in one of these systems?
If you run TrendMicro at home, don't fall for an ongoing phone scam.
They had a malicious insider threat steal a bunch of phone #'s and are calling people under the guise of being TrendMicro support. They also took names, emails and support ticket numbers.
Don't be these people.
Use a password manager. Make sure you use it to create random passwords that even you can't remember.
longer is better