Cloudflare DDoS protections ironically bypassed using Cloudflare
To make matters worse, the only requirement for the attack is for the hackers to create a free Cloudflare account, which is used as part of the attack.
Certitude's researcher Stefan Proksch discovered that the source of the issue is Cloudflare's strategy to use shared infrastructure that accepts connections from all tenants.
https://certitude.consulting/blog/en/using-cloudflare-to-bypass-cloudflare/
A China-linked hacking group, dubbed BlackTech, is compromising routers in the US and Japan, secretly modifying their firmware and moving around company networks, according to a warning issued by cybersecurity officials this week.
https://therecord.media/us-japan-say-chinese-hackers-routers
Advisory helps organizations protect against PRC-linked actors hiding in router firmware
A team of university researchers has devised a new optical-acoustic side channel attack dubbed ‘Side Eye,’ which can extract ambient sound from the environment at the time an image was taken.
https://restoreprivacy.com/side-eye-attack-extracting-audio-from-still-smartphone-images/
Is Side Eye a real threat?
Many attack concepts of this kind are limited to the theoretical realm. However, documenting them is crucial given the accelerated technological progress across various domains constantly opening up new practical capabilities.
#iPhone users beware
an HDMI adaptor that brazenly demands your location, browsing, photos, and spams you with ads. Used with a test phone but wild amount of data collection. Privacy policy straight up says it sends the data to "China"
A deep dive into the Encrypted Client Hello, a standard that encrypts privacy-sensitive parameters sent by the client, as part of the TLS handshake.
Sneak preview of the official Veilid chat app. Creating an account is just that easy. No phone numbers, no contact list imports - just the things you want to share with the folks you want to chat with.
https://twitter.com/VeilidNetwork/status/1707216714415342062?
those food delivery robots that are armed with cameras and driving all over sidewalks in LA? They're providing filmed footage to the LAPD, according to internal emails we got. Food delivery robots just became surveillance devices
Almost half of organizations have failed to report cyber-attacks to the appropriate authorities in 2023
🤫 🤫 🤫 seekrits 🤫 🤫 🤫
https://www.infosecurity-magazine.com/news/half-cyberattacks-go-unreported/
U.S. Counterintel Buys Access to the Backbone of the Internet to Hunt Foreign Hackers
Getting information from the NSA would take too long, according to internal documents from a counterintelligence agency. So it turned to Team Cymru to buy netflow data that can allow analysts to track activity through virtual private networks
https://www.404media.co/us-counterintel-buys-netflow-data-team-cymru-track-vpns/
Today someone operating under the name "MajorNelson", a nod to the former Director of Programming for the Microsoft gaming network Xbox Live, asserts RansomVC is lying.
He then released all the content RansomVC claimed to have into the general public.
tl;dr another Sony leak?
-- VX-Underground
#SimpleX Chat v5.3 released: desktop app, local file encryption and improved groups with directory service
There are a lot of other improvements and fixes in this release:
New: a TikTok account is using facial recognition to dox random people simply for clout with its millions of viewers.
- spoke to multiple victims, "violated"
- TikTok refuses to remove because says doesn't violate policies
Who is peeking over your shoulder while you work, watch videos, learn, explore, and shop on the internet?
Enter the address of any website, and Blacklight will scan it and reveal the specific user-tracking technologies on the site—and who’s getting your data. You may be surprised at what you learn.
A Real-Time Website Privacy Inspector: Blacklight
Test your browser to see how well you are protected from tracking and fingerprinting:
Have you ever wondered how much of your personal information is available online?
Here’s your chance to find out.
We’ve used Hunt’s Have I Been Pwned database to help you:
Find out what data breaches you’ve been caught up in
See a visual summary of the potential scale of the leaked information out there about you
Understand how something known as “the mosaic effect” can increase the risks we all face online
https://www.abc.net.au/news/2023-05-18/data-breaches-your-identity-interactive/102175688
The EFF (Electronic Frontier Foundation) has announced the availability of a new version of ‘Privacy Badger’ that features better link-tracking blocks for Google services
In the latest version, released this week, EFF has overhauled link tracking protection for Google services such as Google Docs, Gmail, Maps, Images, and Search results, which are widely used and omnipresent on the internet.
Proton Pass password manager follows the bad practice of keeping unencrypted usernames and passwords in the computer’s memory.
To make matters worse, this sensitive data is not wiped from the memory when the vault is locked post-login, making it susceptible to exfiltration by info-stealer malware or attackers with physical access to the target machine.
Seems they promised this would be fixed BUT several updates later still no fix
https://restoreprivacy.com/proton-pass-retains-passwords-in-cleartext-form-in-memory
The International Criminal Court (ICC) in The Hague has suffered a cyber attack. One source says a large trove of sensitive information has been stolen in the attack.
https://nos.nl/artikel/2491054-computersystemen-van-internationaal-strafhof-aangevallen
oh Vivaldi browser uses the "I don’t care about cookies" in its settings to skip the cookie process
thing is that extension was purchased by Avast
I really wouldn't trust using that setting btw
https://www.theregister.com/2022/09/21/avast_buys_i_dont_care_about_cookies_addon/
install "I still don't care about cookies" extension instead
Fork of the popular "I don't care about cookies" extension