ICYMI: T-Mobile #app glitch let users see other people's account info
Just T-Mobile things - but not a breach! (Wow!)
Customers could see other people's account information.
Exposed information included:
- Customer name
- Phone numbers
- Account balances
- Partial credit card details
Currently trying to build a Threat Intelligence compilation from different resources for Activists and Journalists (RSS feeds).
- Counter-Surveillance Resource Center (https://www.csrc.link/rss.xml)
- Freedom of the Press Foundation (https://freedom.press/news/feed/)
- Lucy Parson Labs (https://lucyparsonslabs.com/feed.xml)
- Privacy International (https://privacyinternational.org/rss.xml)
- The Citizen Lab (https://citizenlab.ca/feed/)
I am trying to compile especially around: legislation, surveillance, police tactics against opponents.
Does anyone have other suggestions to add?
[#OPSEC|#VPN] [Mullvad] have successfully completed our migration to RAM-only VPN infrastructure - Blog | Mullvad VPN https://mullvad.net/en/blog/2023/9/20/we-have-successfully-completed-our-migration-to-ram-only-vpn-infrastructure/
Don't be this guy. He could be impersonated, or this picture could be used as a template to forge a fake ID complete with a valid barcode to gain access to bank facilities or infrastructure.
I censored the bar code and ID#, they were visible in the original.
"Canada Post breaking law by gathering info from envelopes and parcels, privacy watchdog says"
And also breaking my Canadian heart. 🍁💔
Inside #ShadowDragon, The Tool That Lets ICE Monitor Pregnancy Tracking Sites and Fortnite Players
What a piece by @404mediaco
ShadowDragon: Feeding the mass surveillance machine by tracking people who play Fortnite (and probably, I guess, other popular online games), scraping images from BabyCenter (a site for expectant parents), and social media sites for the Black community, the bodybuilding community, and others.
ShadowDragon also has the capability to monitor/scrape information from hundreds of social media sites/games/websites. Who plays a game and expects to end up in an ICE database?
This is insane.
You are being watched.
#Telegram strikes again with documents from Dutch authorities saying that they can request hidden phone numbers and IP addresses at any time. Again, Telegram still claims on their homepage that they never gave up any data when that's not true at all, also for past requests like the one from the German police a while back.
Looking for a reliable TOTP Authenticator app? I've been using @ente auth for a while now.
Go to https://auth.ente.io to access your codes on your desktop. Make the switch to ente auth and take back control! 🛡️
The fake YouTube apps want some interesting permissions...
... because they're remote access trojans (RATs), of course.
Be extra cautious of apps from third-party sites. Also, as an aside, remember that everything found in any kind of App store is not 100% safe!
Here I would talk about an interesting thing about our security measures, but I won’t because of #opsec.
And you would reply with ‘huh’ to the thing.
Feeling like moving to a cabin in the woods with no internet...
Revealed: Israeli Cyber Firms Have Developed an 'Insane' New Spyware Tool. No Defense Exists
"A Haaretz investigation reveals that Israeli cyber companies developed technology that exploits the advertising system at the heart of the online economy to monitor civilians, hack into their phones and computers, and spy on them. This terrifying capability, against which no defense currently exists, has already been sold to a nondemocratic country"
Siiiiigh, leave the linux community alone please.
For example: most digital photos contain metadata that could potentially be used to tie your nsfw endeavors to your normie-world identity, sometimes with dire consequences.
Many platforms (e.g. mastodon) will normalize uploaded photos, stripping all such metadata in the process. However, others (e.g. manyvids) do *not* normalize media, instead offering to customers the exact files you upload, metadata fully intact.
⚠️ Alert: Voice deepfakes are revolutionizing banking scams! Cutting-edge AI lets fraudsters impersonate voices to fool even the experts.
Remember #opsec people! 🤫
Love how he leans into the image of him we adore so much 😅 #budanov 💪🇺🇦
Got a question to all you #infosec folks.
I just set up an encrypted USB drive with VeraCrypt (exFAT file system) and I was wondering if there are other cross-platform volume/drive encryption solutions.
For personal use on Linux I'm fine with just using LUKS, but I need something to work on Linux and Windows (that's why the exFAT filesystem choice) to store stuff like private keys and backups. An alternative would be nice since VeraCrypt is not entirely FOSS.
Just a quick reminder that you should assume all of your electronic communications are being collected. You cannot assume #privacy if you are carrying electronics or near a phone or other networked device such an automobile, security camera. I also wouldn’t bet too much on #encryption. Security is not a yes/no thing. It depends on how careful you are and the resources of those who want to spy on you. #infosec #opsec #spyware
Revealed: The Country that Secretly Wiretapped the World for the FBI
The trojanized Telegram apps steal user data, collecting information such as user ID, phone numbers, and contacts.
Same thing has happened with #Signal and other messaging apps.
Be cautious of what applications you are installing on your device - whether it is from an official app store or when sideloading. While many forks of well-known #opensource apps exist, there are also malicious ones.
Try to correlate any information on the app + developer description and any other known resources. Be aware of the permissions the "fork" asks for. There are some really convincing fakes out there.
IVPN TunnelCrack #vulnerability assessment
@ivpn completes review/assessment of its apps for vulnerabilities unveiled by TunnelCrack research paper.
IVPN did not receive vulnerability disclosure, but good on them for sharing this!
[#PRIVACY] Extreme Privacy: VPNs & Firewalls
"Today, we published our fourth digital guide in the Extreme Privacy series. This time, it is all about VPNs and firewalls. 9 chapters | 34,000 words | 87 pages | $10. This digital (PDF) supplement to Extreme Privacy continues a new approach to our tutorials. It is not a replacement for the printed book, but a much more thorough guide about VPNs and firewalls."
Lockdown mode works fine, but without JIT, the browser is slower. You can also just disable iMessage. I did. This blocks all NSO group #exploits we have seen to date, and nobody uses it anyway, as they never released an android version.
Free online audio jammer. Interesting stuff.
Threat actors apparently targeting IT service desk staff at US-based customers. The goal is to get MFA reset for high-privileged users.
Social engineering help desk staff has been a thing for a while, but IMO it seems to be a not-talked-about-enough subject. A lot of the info help desks are told to use for authentication for resets over the phone can be found in leaked information (like a #databreach).
A bit of #OpSec advice from me, dear friends.
Yes, when you upload a photo, it gets stripped of EXIF.
*But* your admin receives the photo with EXIF, so if you didn't clean it before uploading, the admin knows where you live, the geolocation.
That admin can change.
That admin may be a hobbyist with a leaky server that others can peek into remotely.
That admin may get a visit from the ABW buddy of a jealous lover.
Strip your photos *before* uploading them to someone else's server if you want to minimize the above issues.
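Byte-level illustration of the advice in this post and in the earlier one about normalized uploads (added example, not code from either poster): a Python routine that walks the JPEG segment list and drops the APP1 (EXIF, where GPS coordinates live), APP13 (IPTC) and COM segments before the file leaves your machine. The sample JPEG bytes are constructed inline and are not a decodable picture.

```python
"""Strip metadata segments (EXIF, IPTC, comments) out of a JPEG before upload.

Works on the raw segment structure, so no image library is needed.
"""
import struct

# Segments that carry metadata rather than picture data:
# APP1 (0xE1) = EXIF/XMP (GPS lives here), APP13 (0xED) = IPTC/Photoshop, COM (0xFE) = comment.
METADATA_MARKERS = {0xE1, 0xED, 0xFE}


def iter_segments(data: bytes):
    """Yield (marker, raw_segment_bytes) for every segment of a JPEG.

    Everything from Start-Of-Scan (0xDA) onwards is yielded as one chunk,
    because the entropy-coded image data after it carries no length field.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    yield 0xD8, data[:2]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: header + scan data + EOI, handed over untouched
            yield marker, data[pos:]
            return
        if marker == 0xD9:  # EOI before any scan (degenerate file)
            yield marker, data[pos:pos + 2]
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes its own 2 bytes
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length
    raise ValueError("truncated JPEG: no Start-Of-Scan segment")


def has_exif(data: bytes) -> bool:
    """True if an APP1 segment with the 'Exif\\0\\0' signature is present."""
    return any(m == 0xE1 and seg[4:10] == b"Exif\x00\x00" for m, seg in iter_segments(data))


def strip_metadata(data: bytes) -> bytes:
    """Return the JPEG with all metadata segments removed; picture data is unchanged."""
    return b"".join(seg for m, seg in iter_segments(data) if m not in METADATA_MARKERS)


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample (assumption): structurally valid segments, not a decodable picture.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE1, b"Exif\x00\x00MM\x00\x2a" + b"<GPS IFD placeholder>")
    + _segment(0xFE, b"taken at home")
    + _segment(0xDB, b"\x00" + bytes(64))  # quantisation table: picture data, must survive
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34" + b"\xff\xd9"
)

if __name__ == "__main__":
    cleaned = strip_metadata(SAMPLE_JPEG)
    print(f"EXIF before: {has_exif(SAMPLE_JPEG)}, after: {has_exif(cleaned)}")
```

Run it against a real photo with `strip_metadata(open(path, "rb").read())` and compare the output with your usual EXIF viewer; the quantisation, Huffman and scan segments pass through byte for byte.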
#Hackers Are Selling Hacked Police Emails to Try to Grab Personal Data From TikTok, Facebook
Still want those backdoors in encryption now?
Your #VPN provider won't go to jail for you for 5 dollars
@ivpn explains how competent service providers can avoid sharing sensitive information about users...
Hint: It involves not collecting/storing that information in the first place. Unfortunately, most VPN providers are not worthy of trust.
(IVPN is pretty great and highly recommended in the privacy community, though.)
Briefly disable your adblocker. At the top right of your screen it should say: “Hot women from [YOUR EXIT NODE] want to meet you!”
The sheer fact that they choose to host their event in a location that would literally murder me for existing [and I'm just a white heterocisbinary dude] disqualifies said conference from being anything but a #shitshow that'll make it trivial for the islamofascist regime to earmark anyone with any #ITsec, #InfoSec, #OpSec and #ComSec skills for #surveillance with #Govware like #Pegasus as well as #harassment...
1 hour ago, I wanted to get a chocolate bar and a lemonade, so I went to the fancy grocery store…
Why did he?
Please answer below or in comments.
But hey, whoever uses that shit has basically given up on #ITsec, #InfoSec, #OpSec & #ComSec anyway and naively believes that just because "everybody else does it too" it won't bite them in the ass once @noybeu is done with the #GAFAMs...
What do we learn from this?
1. Don't be a disgusting asshole (i.e. #JulianReichelt)!
4. #Quellenschutz (source protection) still needs to be strengthened!
The Importance of Using Messaging Apps With End-to-End #Encryption, Which Ones to Use and Why
Comparing Threema, Signal, WhatsApp, and iMessage so users can make informed choices for themselves.
Response to "TunnelCrack" #vulnerability disclosure
From Mullvad @mullvadnet
"TLDR: On Windows, Linux, macOS and Android we are not vulnerable to the LocalNet attack. We never leak traffic to public IPs outside the VPN tunnel. However, on iOS we are affected by this attack vector."
TunnelCrack - tricks the #VPN client into using an attacker controlled IP address in place of the actual VPN server IP + also leaking traffic outside the VPN tunnel.
@sec_yote_agenda yeah, that's very sad and I sincerely hope this doesn't happen to anyone - whether they just wasted time waiting or even took money and ran...
Granted, I'm more used to #IT and especially #ITsec, #InfoSec, #OpSec and #ComSec, where a minor fuckup will ruin decades of reputation-building in seconds and it's more or less impossible to recover from that...
So it's quite the opposite...
So #Escrow seems more than reasonable to ensure people ain't paying and/or working for nothing.
Guide to Mojeek @Mojeek Operators
Using search operators in the independent and private search alternative, Mojeek.
📣 New episode
Secrets can be extracted. PoC available. Microsoft won’t be patching because “extensions aren’t expected to be sandboxed in VS.”
Innocent pregnant woman jailed amid faulty facial recognition trend
Headline says it all.
Not a lawyer but something tells me "My software recognizes your face" shouldn't be the basis for an arrest...
#Zoom revises service terms so it could train AI on user data
Brave Search removes last remnant of #Bing from search results page
After shedding fallback mixing dependency on Bing/#Google for image/media search, @brave is now claiming to be a 100% independent alternative to “Big Tech search.”
So, now when searching using Brave Search, users should receive results only from Brave’s index.
@Mojeek has competition?!
How Malicious #Android Apps Slip Into Disguise
Bug in most Android versions that allows malware to corrupt components of an app, evading detection from scanning tools and being seen as legitimate by the operating system.
(Seems like it’s similar to DLL injection into malicious #windows processes to me.)
Apparently this is commonly used for banking trojans, but other #malware could also exploit this bug to evade detection.
We had a speaker come to school this week to talk about Cyber Safety.
It was essentially #OpSec for teenagers, and it was awesome.
It also contained the phrase "stop sending dick pics, nobody wants to see that" - and led to the next point: most sextortion cases these days involve teenage boys, because they're more than happy to send a picture of their penis to strangers on the internet, which makes sextortion so much easier for malicious parties.
User beware. Extensions often have privileged access to your browser, able to see (and potentially phone home) your browsing history or even modify pages visited. It doesn't help that the Chrome Web Store is rife with #malware and suspicious extensions.
Good advice is to keep installed extensions to a minimum. The only extension I always advocate for is uBlock Origin. :D
In light of the California probe into connected cars and user #privacy, there’s a tool by “Privacy4Cars” which gives “privacy facts” of your make/models. Requires you to know/have the VIN number.
Odds are your new(er) car is something like a #smartphone on wheels.
Canon warns of Wi-Fi #security risks when discarding inkjet printers
Many, many models and submodels of Canon printers retain Wi-Fi settings, which contain data such as:
- IP address assigned
- SSID name (Wi-Fi name)
- Wi-Fi #password
- Network type
- Network profile
This information could allow a threat actor access to a user's Wi-Fi network.
Canon recommends wiping the Wi-Fi settings of the printer prior to letting a third-party access it - such as for repairs, when selling, trading in, warranty RMA, etc.
I have successfully infiltrated your server and will load subsequent toots here for the foreseeable future.
(( DETECTED: #introduction ))
Sometimes I post advice. Sometimes I share tools. Sometimes I share articles I have written. Sometimes I share articles featuring Avoid the Hack. Sometimes there is humor and memes.
Stay safe out there.
Like even if I wanted to enter the #USA [which I don't, considering the fact that more and more states try to criminalize the very existence of several of my mutuals and don't get any repercussions for doing so!] I'd certainly not bring any device with me with any data on it!
It seems timely to talk about what #OpSec is rather than just what it isn't.
OPSEC is about preventing leaks of _metadata_ or _auxiliary data_ in order to prevent revealing your underlying secret. OPSEC is about preventing an adversary from determining your actions from things that are not information about the operation itself.
OPSEC is a process, not a plugin.
For example, if you are worried about plans around an action leaking out, OPSEC asks about elements such as:
* Are you sharing a shitposting group with said group of friends? You may only share minecraft memes there, but the mere fact that you have it together links you together.
* Did you all take time off from work the day after planning your op? That information could be put together with information about your meeting to give a strong signal who your planning committee is.
* Did your spouse say something on social media about going on vacation?
* Did you share something w/ "72 hours remaining"?
SMS Phishers Harvested Phone Numbers, Shipment Data from UPS Tracking Tool
Benign (and "good") tools can be used to carry out phishing campaigns, such as this #smishing campaign targeting Canadian users who've placed legitimate orders with legitimate retailers.
Avoidthehack updates mobile browser recommendations.
Getting Started: Basic Personal Cybersecurity for Everyone (3 Easy Tips)
Happy to (finally) have something out for people really looking for where to start.
None of these actionable steps for upping your #cybersecurity posture include threat modeling; threat modeling is to be done after taking steps outlined here.
Share with your friends!
If you get a sales call about your information security stack, you really don't have to answer their questions about what you are using today.
I bet if I cold-called 100 companies I would have solid information on how to attack 75% of them just by pretending to sell them a fake product and asking them what they are using currently and why.
Strategies for Countering Police Access to #DNA Data (Chapter 10)
"#OPSEC is military and intelligence jargon for "operational security" and refers to techniques designed to prevent their people being caught during or after an "operation".
The fact that we have to talk about such things at all when it comes to issues like exercising the fundamental right to freedom of assembly or small acts of civil disobedience is a clear indication of how far the state's mania for security and collection has already developed. It is generally better to invest resources on pushing back the security apparatus than in a technical arms race with state agencies!"
Download: PDF (read, A4 booklet, letter booklet) • TEXT
Pretty good security advice for activists on the latest Renegade Cut video. Some of it may feel “paranoid” to the average person but it does make sense to take these steps as an activist who runs a high risk of clashing with law enforcement.
Some of it isn’t realistically possible in some countries, e.g. you can’t get a SIM card from a store without formal identification. A lot of these precautions are also pretty expensive, although some have DIY alternatives.
I’d add one thing he doesn’t mention: don’t carry your burner phone and your everyday phone together while both are active. It’s easy to correlate the two devices when they share enough of a movement profile. Turn your burner phone off (fully disconnected like described in the video) far enough away from your home and workplace so it’s not correlated to where you live.
The #Teixeira affair is most unsettling to me in how spectacularly weak the #OpSec was of a dude who was supposed to be a trained military expert. Right behind that is how long it went on with #FBI and #DoD apparently not noticing and/or not taking it seriously enough to nail him before @Bellingcat, @washingtonpost , and #NYT hung him out in public.
I'm taking my smartphone from the US to the UK. I'm planning on leaving most apps logged in, but removing Nextcloud as that has access to my password safe and other things.
What other #OpSec precautions should a reasonably cautious hacker take?
I don't really have anything to hide, but it would be a huge pain to reset everything just because some TSA minion tried cloning my phone.
That's why one should not manage sensitive stuff on publicly accessible servers.
In fact, every employer I worked for put their repos internally on their own servers and restricted access to only devs within corporate network/VPN to reduce the issue.
Just switched to @protonmail & using it in combination with @simplelogin. While I was at it I also bought a subscription for @mullvadnet & created a mastodon account. I think I made some good decisions this month <3
Also using @bitwarden in combination with a Yubikey.