I don't buy LastPass' statement that this breach of master passwords was due to credential stuffing. If that were the case, then LastPass users who fell victim would have been using their master passwords for something else. The victims who posted in the HN thread specifically said they did not do that.
#cososec
LastPass Says It Didn’t Leak Your Master Password
https://www.howtogeek.com/776450/lastpass-says-it-didnt-leak-your-master-password/
Pi-hole FTL v5.12, Web v5.9 and Core v5.7 released – Pi-hole
https://pi-hole.net/2021/12/22/pi-hole-ftl-v5-12-web-v5-9-and-core-v5-7-released/
Just received a "suspicious activity" password reset prompt email from PayPal.
I went to PP manually rather than clicking the link in the email (on phishing suspicion). Email was legit; it prompted me to change password immediately.
So, I fired up Bitwarden to generate a new password with my default settings.
Nope. Needed to adjust down, because PayPal STILL has a 20-character limit on passwords! 🤬
SERIOUSLY, PayPal?!?!
At least they support 2FA, but get with the program, people.
🚨 Heads up, TP-Link router owners:
You might have a mesh network automatically enabled that you didn't know existed. #cososec
Hidden Networks in TP-Link Routers | Jahed Ahmed
https://jahed.dev/2021/12/19/hidden-networks-in-tp-link-routers/
Here is some really neat AirTag analysis on what / when it is broadcasting.
#cososec
A great undergrad I work with, @wentian23731747 (who is applying for PhD programs this year) made a quick writeup of AirTag BLE activity https://t.co/ZG0JEVPRs9
AirTags are kinda complex, but the short story is a *lost* tag's MAC rotates 10-30min, but public key doesn't
https://twitter.com/skateprofessor/status/1472699856841891840
Are your home security cameras vulnerable to hacking? - CNET
https://www.cnet.com/home/security/stop-home-security-camera-hacking/
I never would have thought about someone doing this, but I sure as hell am not going to forget it. #cososec
Verizon overrides users’ opt-out preferences in push to collect browsing history – Ars Technica
https://arstechnica.com/information-technology/2021/12/verizon-ignored-users-previous-opt-outs-in-latest-push-to-scan-web-browsing/
🚨 Heads up, Tor users! 🚨
A mysterious threat actor is running hundreds of malicious Tor relays - The Record by Recorded Future
https://therecord.media/a-mysterious-threat-actor-is-running-hundreds-of-malicious-tor-relays/
Hackers Steal $119M From ‘Web3’ Crypto Project With Old School Attack
https://www.vice.com/en/article/pkpp4n/hackers-steal-dollar119m-from-web3-crypto-project-with-old-school-attack
Really stupid “smart contract” bug let hackers steal $31 million in digital coin | Ars Technica
https://arstechnica.com/information-technology/2021/12/hackers-drain-31-million-from-cryptocurrency-service-monox-finance/
👋Welcome, new CoSoNauts!
Time to crack those eggs. Upload a profile pic, and say hello. Check out the user guide:
https://counter.social/userguide.pdf
Some tags to follow:
Infosec discussion: #cososec.
Music lovers and musicians: check out #cosomusic, #cosoclassical, and #musictheory.
If you love good drinks, follow #caffeineclub #winetime #beerme #spirited and #mixmeup.
Animal lovers: #petsofcoso, #dogsofcoso, #catsofcoso.
We're glad you made it here. Enjoy the realness!
Insulin pumps may be vulnerable to control override by nearby attackers. #cososec
New Windows zero-day with public exploit lets you become an admin
Your Fingerprint Can Be Hacked For $5. Here’s How. - Kraken Blog
https://blog.kraken.com/post/11905/your-fingerprint-can-be-hacked-for-5-heres-how/
A "deep scrub"? Do tweets embed origin IPs in metadata? I would expect IPs to be logged, but not in a way that is accessible to third-parties.
#cososec
Divide & conquer: A sample of 32,315 pro-Rittenhouse hashtag tweets, Nov 19-20, showed 29,609 with disabled geolocation. Of those, 17,701 were listed as "foreign", but a deep scrub revealed most of those were in Russia, China, and the EU.
https://twitter.com/FrankFigliuzzi1/status/1462512685145198593
As an XMPP fan, I support this:
"What if we could make a Signal that was a little more open? And an XMPP that was a little bit less diverse? Accept that we would trade some of the agility for robustness, and some of our diversity in favour of consistent usability.
Can we move beyond Signal’s flaws to build something that is open, interoperable, user-friendly, consistent and decentralized? I believe so, and as they say, there’s only one way to find out."
Calling on #cososec hive mind:
I am looking for an Android solution for creating encrypted local containers that can later be mounted by VeraCrypt or similar apps after copying to desktop.
So far I am only seeing one option. Anyone know of any others?
https://play.google.com/store/apps/details?id=com.sovworks.edslite