
Any time a data breach occurs, watch out for piggyback scams: scams which use recent breaches to try to trick you into giving up your data *again*.

Criminals don't care if you just got hurt; it makes you an easier target.

If an email asks you to sign in to update your credentials from a breach, treat it suspiciously.

ProTip: when upgrading your YubiKey or similar device, make sure you go through *every* account.

I was locked out of my work password manager for 2 days because I forgot that account.


With all the ransomware out there, remember: your second (and perhaps final) line of defence is to
do backups to _non-connected_ media.

I think most people here know better, but remind those less technical. Don't click on ads claiming to speed up, clean, or otherwise "fix" your computer.

infosecurity-magazine.com/news/

Every single contributor to has said it before.

Don't plug random sticks into your USB ports! Even if you get them from a company you trust.

vice.com/en_us/article/pajv5k/

FFS, these are infosec guys giving up their info!

betanews.com/2019/06/07/data-f

Here's a little tip. You *can* be tricked into giving personal info up, so don't use it to create a password. Don't use real personal information to fill in those stupid account recovery questions.

For both of those, use a password manager with a strong password generator and an encrypted vault to put the recovery question answers into.

Bruce Schneier uncharacteristically giving up... but still gives you some good advice on securing what little identity you have left.

* Enable two-factor authentication
* Don't reuse passwords
* Get a password manager
* Disable the "secret questions" and other backup authentication mechanisms
* Watch your credit reports and your bank accounts for suspicious activity
* Set up credit freezes
* Be wary of email and phone calls you get

schneier.com/blog/archives/201/

If you want to be safe from credential stuffing, you need to make sure that every single password is absolutely unique and unguessable.

And there's only one way to do that: use a password manager. If you want an extra layer of protection, also use unique usernames and email addresses. Many email providers accept a plus and some arbitrary characters between the username and @ sign. If not, then something like guerrillamail.com can help you be unique.

A gentle / reminder.

Don't let your browser save your passwords, use a full password manager.

techrepublic.com/article/why-y

The article misses one point... if you're using Chrome and signed in to Google, then it *does* prompt you with a password request; however, this comes with another attack vector. If your Gmail password is compromised, then your passwords are too.

(myself, my chrome passwords are all fake - a sort of honeypot)

ok, I haven't done one of these in a while, but here's a / post.

A reminder: turn on 2 Factor Authentication (2FA); this makes sure that if an attacker has your password, they still can't get in without a token that you should physically possess.

If given a choice, do not use email or SMS as this 2nd factor. They are easily intercepted.
Use TOTP (app based 2FA list here: protectimus.com/blog/10-most-p)

Or if you feel like dropping $50 for real security, get a FIDO2 key.

Facebook knowingly charged parents' credit cards when children unwittingly purchased in-game microtransactions, then refused to refund the money.

gizmodo.com/report-facebook-kn

Tip: think very carefully about where you allow your credit card data to be saved. Not all vendors are PCI compliant, and others can easily be manipulated by a trusted 3rd party (like your child).

Remember that Town Of Salem breach earlier?

Yeah, well, if you were affected, then as of right now there is a 27% chance that your password is unhashed. (Now readable)

Devs... don't use MD5 for hashing, but if you must, salt your passwords.

Everybody else... You don't know what kind of password security any given site is using so make sure that the password is unique and not guessable on another site.

bleepingcomputer.com/news/secu
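Added example (not from the post above) showing the "unhashed in days" problem in code: fast, unsalted MD5 lets identical passwords produce identical digests that match a precomputed table of common passwords, while a per-user random salt plus a slow KDF does not. The user list, the common-password table and the iteration count are constructed here for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample store: two users picked the same weak password.
USERS = {"alice": "password123", "bob": "password123", "carol": "Tr0ub4dor&3"}

# Constructed stand-in for a precomputed table of common passwords.
COMMON_PASSWORDS = ["123456", "password", "password123", "qwerty"]

# PBKDF2-HMAC-SHA256 work factor; 600,000 is the current OWASP guidance.
ITERATIONS = 600_000


def md5_unsalted(password: str) -> str:
    """The weak scheme: one fast hash, no salt, same digest for same password."""
    return hashlib.md5(password.encode()).hexdigest()


def audit_unsalted_store(store: dict) -> dict:
    """Defender's check: which accounts' unsalted MD5 digests appear in a table
    precomputed from common passwords. Returns {user: recovered_password}."""
    table = {md5_unsalted(p): p for p in COMMON_PASSWORDS}
    return {user: table[digest] for user, digest in store.items() if digest in table}


def salted_hash(password: str, salt: bytes = None, iterations: int = ITERATIONS):
    """Stronger scheme: 16 random bytes of salt per user plus a slow KDF.
    Returns (salt, digest); both must be stored to verify later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes, iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    weak_store = {u: md5_unsalted(p) for u, p in USERS.items()}
    print("recovered from unsalted MD5 store:", audit_unsalted_store(weak_store))
    # Same password, two users: salted digests differ, so one table entry no longer
    # exposes every account that chose that password.
    s1, d1 = salted_hash("password123")
    s2, d2 = salted_hash("password123")
    print("salted digests identical:", d1 == d2)
    print("verify correct password:", verify("password123", s1, d1))
```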

Reminder - Tax season is upon us.

Watch out for IRS themed scams preying on fear or laziness.

With this Marriott breach, there's already a bunch of phishing attempts to screw people over a second time.

Be wary of any email you get claiming to be from Marriott. Treat it with full skepticism, even if it looks legitimate. And don't click on any links in them until you're 175% sure it's legitimate.

Sign up for haveibeenpwned.com/ for every email you use - CoSoGuard will alert you of breaches involving the email you use here, but this caught my work email.
