New Darknet Diaries dropped today, with Maddie Stone!
https://darknetdiaries.com/episode/127/
Jack and Maddie would both be great members here. Maybe other members of the #cososec community who know them might extend an invite?
Lock Picking Lawyer takes down an expensive smart lock sold at the Apple store using two of the most low-skill techniques.
This thing also has a hollow bolt cylinder, which is a ridiculously stupid idea.
[1480] $329 Smart Lock Opened in Seconds (Level Lock) - YouTube
https://www.youtube.com/watch?v=m_MX96MVD00&feature=youtu.be
Many people fleeing the birdsite have said they are creating accounts on Counter.Social along with Bluesky, Tribel, and Mastodon. Please take a moment to read about each one, and ask yourself whether or not you think your privacy and safety will be protected on these other platforms.
Bluesky
https://davetroy.medium.com/no-elon-and-jack-are-not-competitors-theyre-collaborating-3e88cde5267d
Tribel
https://twitter.com/travisakers/status/1584359435765710849
https://www.thedailybeast.com/lefts-new-free-of-hate-social-media-proves-impossible-to-police
Mastodon
https://www.dailydot.com/debug/mastodon-fediverse-eugen-rochko/
For those leaving Twitter, you should keep your account there open for the reasons @kel suggests, but you might want to "zero it out". To do this:
1. Bulk-delete your tweets. (Note that the archive procedure described here is required for deleting ALL your tweets; otherwise Twitter API only allows access to the last 3200.)
https://tweetdeleter.com/features/delete-tweets-from-archive
2. Remove retweets with the "Using a Script" option here:
https://www.alphr.com/delete-all-retweets-twitter/
3. Remove favorites:
https://jeffreifman.com/2018/04/12/how-to-delete-your-twitter-favorites-with-javascript/
Clever #OSINT by this person who finds out someone's full name using TikTok and Twitter, even though they no longer had any personal info on either account besides their picture.
https://twitter.com/notshenetworks/status/1586483480816365569
"Help us protect your account" by giving us more of your personal information.
Nope. Get bent.
This Is the ‘GrayKey 2.0,’ the Tool Cops Use to Hack Phones
https://www.vice.com/en/article/93an8a/this-is-the-graykey-20-the-tool-cops-use-to-hack-phones
Hurricane-Related Scams | CISA
https://www.cisa.gov/uscert/ncas/current-activity/2022/09/30/hurricane-related-scams
TIL that I cannot have 2FA enabled for my no-ip.com account, because then my router can't access it to update my WAN IP when it changes.
I had been wondering why my Wireguard tunnels suddenly stopped working, and it was because my DDNS address was still on the old IP.
So either I disable 2FA on my no-ip account, or I have to manually log into the account and change the IP every time there's a change, which kind of defeats the purpose of a dynamic DNS address.
Instagram is putting all kinds of info out there with posts if you know where to look. #cososec
All your SSH sessions are belong to us!
#cososec
Trojanized versions of PuTTY utility being used to spread backdoor | Ars Technica
https://arstechnica.com/information-technology/2022/09/trojanized-versions-of-putty-utility-being-used-to-spread-backdoor/
#CoSoSec PSA for everyone with Google accounts:
You can use whatever kind of 2FA you would like to secure your Google account, including any third-party OTP authenticator app.
The thing is, that option is hidden by default. When initially setting up 2-Step, the options are a hardware key (very good), Google unlock (less good only because it requires you to be logged in on another phone or other device), or text/phone codes (bad).
This matters because...
1/x
This sounds very clever. #cososec
"When you create a DNS based Canarytoken, the system gives you a unique Internet resolvable domain name.
Anyone attempting to resolve this domain name, will now trigger an alert.
Why does this matter? Once you are able to get an alert for a web-based token, or a DNS based token, you have the building blocks for squillions of possible tripwires."
DNS Token | Canarytokens
https://docs.canarytokens.org/guide/dns-token.html#what-is-a-dns-token
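The quoted mechanism is simple enough to show in code: you own a DNS zone, hand out unique hostnames as tripwires, and any query that reaches your authoritative server for one of those names is an alert. The Python below is an added example, not code from the post or from the Canarytokens project. It assumes you have access to your authoritative resolver's query log (BIND-style lines, constructed here) and uses placeholder token hostnames under a made-up zone.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed: tokens "issued" to a few tripwires. Placeholder hostnames,
# not real Canarytokens domains.
ISSUED_TOKENS = {
    "a1b2c3d4.example-canary.test": "backup-share-readme",
    "e5f6g7h8.example-canary.test": "fake-aws-creds-in-repo",
}

# Constructed authoritative-resolver query log (BIND-style format is assumed).
SAMPLE_QUERY_LOG = """\
30-Oct-2022 09:12:01.004 client 203.0.113.7#51234: query: www.example.test IN A +
30-Oct-2022 09:12:05.118 client 198.51.100.23#40001: query: a1b2c3d4.example-canary.test IN A +
30-Oct-2022 09:13:40.552 client 198.51.100.23#40002: query: cnc.a1b2c3d4.example-canary.test IN TXT +
30-Oct-2022 09:15:09.009 client 192.0.2.55#53012: query: mail.example.test IN MX +
30-Oct-2022 09:16:00.300 client 192.0.2.99#53999: query: e5f6g7h8.example-canary.test IN AAAA +
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    source_ip: str
    qname: str
    qtype: str
    token_label: str


def match_token(qname: str) -> str | None:
    """Return the label of the issued token that qname belongs to, else None.

    The token fires on the exact name and on anything beneath it: extra labels
    prepended to the token still land in the zone the token owns, so the
    query still reaches your server and still counts as a trip.
    """
    name = qname.rstrip(".").lower()
    for token, label in ISSUED_TOKENS.items():
        if name == token or name.endswith("." + token):
            return label
    return None


def scan_query_log(log_text: str) -> list[Alert]:
    """Walk the query log and return one Alert per query that hit a token."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a query line; ignore
        label = match_token(m["qname"])
        if label:
            alerts.append(Alert(m["ts"], m["ip"], m["qname"], m["qtype"], label))
    return alerts


if __name__ == "__main__":
    for a in scan_query_log(SAMPLE_QUERY_LOG):
        print(f"ALERT {a.timestamp} token={a.token_label} "
              f"from={a.source_ip} qname={a.qname} ({a.qtype})")
```

The source IP you get is the recursive resolver that forwarded the query, not necessarily the machine that opened the tripwire file, which is why the per-token label (where you planted it) carries most of the signal.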
I think the infosec pros, particularly those who manage security for large institutions, will get a good eye roll out of this one.
I work for a large school district, which uses GSuite Education and also a separate SSO portal for all the other apps we use.
First teacher in service day it was mentioned that the district would be finally implementing 2FA for all accounts. Great.
Today, we all receive an email from our head of tech. By the end of the month, we must set up 2FA.
1/x
Local law enforcement agencies from suburban Southern California to rural North Carolina have been using an obscure cellphone tracking tool, at times without search warrants, that gives them the power to follow people’s movements months back in time, according to public records and internal emails obtained by The Associated Press.
AP News: Tech tool offers police ‘mass surveillance on a budget’
https://apnews.com/article/technology-police-government-surveillance-d395409ef5a8c6c3f6cdab5b1d0e27ef
I think someone in my neighborhood is running a honeypot. FiOS doesn't offer free services, and this MAC address comes back without a vendor assignment, which may mean it's randomized. #cososec
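A quick way to tell "randomized" apart from "OUI I simply don't have in my table" is the locally-administered (U/L) bit in the first octet, which privacy/randomized MACs set. The Python below is an added example, not code from the post. The vendor table is a tiny illustrative subset (a real check uses the full IEEE registry), and the sample addresses are constructed.

```python
import re

# Illustrative subset of the IEEE OUI registry; a real lookup loads the full list.
OUI_TABLE = {
    "00:00:0c": "Cisco Systems",
    "00:50:56": "VMware",
}


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff."""
    hexdigits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def classify_mac(mac: str) -> dict:
    raw = parse_mac(mac)
    first = raw[0]
    return {
        # I/G bit (LSB): set for group/multicast addresses.
        "multicast": bool(first & 0x01),
        # U/L bit (second LSB): set when the address was assigned locally,
        # which is what randomized / privacy MACs do.
        "locally_administered": bool(first & 0x02),
        "oui": raw[:3].hex(":"),
    }


def is_likely_randomized(mac: str) -> bool:
    c = classify_mac(mac)
    return c["locally_administered"] and not c["multicast"]


def summarize(mac: str) -> str:
    """One-line verdict: randomized, vendor-assigned, or merely unknown OUI."""
    c = classify_mac(mac)
    if c["multicast"]:
        return "multicast/group address"
    if c["locally_administered"]:
        return "randomized (locally administered)"
    vendor = OUI_TABLE.get(c["oui"])
    if vendor:
        return f"vendor-assigned: {vendor}"
    # No vendor hit but U/L bit clear: the OUI is just absent from our table.
    return "unknown OUI (not in local table)"


if __name__ == "__main__":
    for sample in ("da:a1:19:3c:22:01", "00:00:0c:12:34:56", "8c:1f:64:aa:bb:cc"):
        print(sample, "->", summarize(sample))
```

The distinction matters for the honeypot guess in the post: a missing vendor lookup alone only says the OUI isn't in your table, while a set U/L bit says the device chose its own address.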
Facebook’s In-app Browser on iOS Tracks ‘Anything You Do on Any Website’ | Threatpost
https://threatpost.com/facebook-ios-tracks-anything/180395/
Plex users: Change your passwords.
While you're at it, enable TOTP 2FA.
Plex breached: Change your passwords now | ZDNET
https://www.zdnet.com/article/plex-breached-change-your-passwords-now/
The new USB Rubber Ducky is more dangerous than ever - The Verge
https://www.theverge.com/23308394/usb-rubber-ducky-review-hack5-defcon-duckyscript
Until Signal no longer requires phone numbers for accounts, users will be vulnerable to things like this. People have been pushing them to move to a simple username / password system for years, like every other E2EE messenger out there.
While using Signal is safer than using standard SMS, don't think for a minute you are anonymous.
1,900 Signal users’ phone numbers exposed by Twilio phishing | Ars Technica
https://arstechnica.com/information-technology/2022/08/twilio-phishing-attack-exposes-phone-numbers-for-1900-signal-users/
Musician | Teacher | Nerd
I am hitting my head against the walls, but the walls are giving way.
- Gustav Mahler