This is a strange future. I thought I was talking with a hearing-impaired friend last night. It turned out he didn't hear a word I said - but not for the typical reason.
He was streaming a baseball game to his bluetooth-equipped hearing aids!
It is claimed Ernest Hemingway once wrote a six-word short story that could make people cry for a bet. The wager was ten dollars, which Hemingway won with the following:
Whiskey.
With a side of Tango.
And a heaping helping of Foxtrot.
"For years, cybersecurity startup Tanium Inc. pitched its software by showing it working in the network of a client...but Tanium never had permission...a company selling security actually was giving outsiders an unauthorized look at information from inside its customer’s system"
[ Yes! I know! You -can- get the money back on a fraudulent debit charge....
....after the bank has investigated, etc.
Why bother going through that hassle? Use a credit card so they act as a firewall to soak any fraudulent charges, and pay it off immediately after.]
IHG done got pwned again.
https://threatpost.com/ihg-confirms-second-credit-card-breach-impacting-1000-plus-hotels/125033/
So if you stayed at a Holiday Inn Express [or Crowne Plaza, or... ] then you probably should pay attention to your card statements.
This is why it's always better to use a credit card rather'n a debit card if possible - gamble with the bank's money, not yours.
@dnlongen Yeah. I'm just saying I think a mutually authenticated channel would be neat. Is there such a thing as diffie-hellman for humans?
I just heard that USAA is adding multifactor authentication for human-to-human customer service calls. Nice move!
Anyone know of any other banks that do this?
In March, crooks made off with personal information on around 100,000 taxpayers by breaching a website tool intended to help with the FAFSA.
This letter sent by the IRS to affected taxpayers implies the crooks made off with far more than just income data. Credit monitoring is OK for detecting fraudulent new accounts - but does nothing if the crook has enough information to social engineer your bank.
https://www.securityforrealpeople.com/2017/04/a-letter-from-irs.html
Over the weekend, a well-known security vendor had their LinkedIn business page hijacked. Inevitably, out came shaming calls of "you should have used two-factor."
I put together some thoughts at Peerlyst; TL;DR is, shaming is easy, but properly securing multiple authorized users' access to organization social media pages takes some planning. Does *every* authorized admin or content publisher have 2FA enabled?
Please, please, please, please, please do NOT issue short leases [>24h] to everything on the network because you're "running out of IPs"
That is not a game you want to be playing, and it will make me very sad.
So hey! For the record: in situations where you have a set of workstations and a set of BYOD laptops/smartphones/PDAs/whatever is new this year?
Do yourself a favor:
Set up TWO subnets. They can be visible to each other if that's what you really want, but make it so that the workstations have long or static leases, and the BYOD idiocy has short leases.
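One way to express the two-subnet split described above in ISC dhcpd configuration. This is an added example, not something from the original post; the address ranges, hostnames and the placeholder MAC address are assumptions, and the lease durations are illustrative values chosen to match the "long for workstations, short for BYOD" advice.

```conf
# Constructed ISC dhcpd.conf fragment (not from the original post).
# Addresses, names and the MAC below are placeholders.

# Workstation subnet: long leases, plus static reservations for known hosts,
# so managed machines keep stable addresses and never churn the pool.
subnet 10.10.0.0 netmask 255.255.255.0 {
  range 10.10.0.50 10.10.0.200;
  option routers 10.10.0.1;
  default-lease-time 604800;     # 7 days
  max-lease-time 1209600;        # 14 days

  host ws-finance-01 {
    hardware ethernet 00:11:22:33:44:55;   # placeholder MAC
    fixed-address 10.10.0.10;              # static reservation
  }
}

# BYOD subnet: a large pool with short leases, so transient phones and
# laptops give their addresses back quickly instead of exhausting the pool.
subnet 10.20.0.0 netmask 255.255.0.0 {
  range 10.20.1.1 10.20.254.254;
  option routers 10.20.0.1;
  default-lease-time 3600;       # 1 hour
  max-lease-time 7200;           # 2 hours
}
```

Keeping the two pools in separate subnets is what makes this work: lease length is set per subnet, so the short-lease policy only ever applies to the BYOD range, and the workstation range can stay long or fully static without anyone "running out of IPs".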
The 14-hour DHCP lease thing is a horrible abomination, yes, but to their credit, Frip and Frappe -did- have a logical explanation for why it was in place.
BYOD was involved.
I....gently suggested a means to ameliorate this situation.
@dnlongen we have products like this quite widespread and then I hear pundits saying "people give away their data voluntarily, maybe they don't care that much" :pineapple:
I literally returned a Cisco/Linksys SoHo router several years ago because it could not be administered locally without creating an online service account.
*Caveat: this was several years ago. I don't know if these routers are still this way.
I can kinda see the company's perspective: they want to introduce new features, such as voice operation and the ability to operate more than one device.
The problem is, they didn't consider consumer use cases, and that many consumers are very privacy-aware.
Sure, offer optional added features with an account, but don't brick a perfectly functional kitchen gadget if customers don't want to trade PII for extra features.
Dang. "Ownership" of #IoT devices keeps getting murkier and murkier. Apparently this pressure cooker can be controlled via a mobile app. The manufacturer updated the software recently, so the cooker -- including cookers that worked yesterday -- will no longer operate unless the owner now registers an account with personally identifying information.
And on that note, would you like to know which recruiters earn my respect? It's those that look at my body of work, my blog, my vulnerability disclosures, and my work history, that approach me with something relevant and interesting - and most importantly that are respectful that I'm not on the market but probably have connections that are.
Hey recruiters, if you're going to pitch me a position, do some OSINT on me first. I don't hide what I'm doing and what I'm good at.
For the record, I'm quite happy where I am, but I periodically have connections that are indeed looking; when I hear of something fitting, I'm not against sending your information along to a friend.
Pitching me a 3-month contract on the other side of the country in a junior field unrelated to my expertise not only gets you ignored, it puts you on my "lame" list.
This is wicked-cool pentesting. Web app request parameters are encrypted, meaning plaintext SQLi is useless.
But the app has a sharing function that will encrypt a user-generated share name.
So use the sharing function to generate cipher text for a SQLi exploit string, then use that cipher text to inject commands into the database.
Redteaming FTW...