An initiative promoting the intersection of internet #privacy and #cybersecurity for all users.
MOVED to infosec.exchange -> @avoidthehack
How to share files and sensitive information securely
@bitwarden shows you how to use Bitwarden Send to share files and sensitive information in a more secure way.
In most cases, you should avoid sending sensitive information via email (even if not a file).
#opsec #cybersecurity #security
https://bitwarden.com/blog/how-to-share-files-and-sensitive-information-securely/
Avoidthehack updates #private #browser Comparison Tool
- Added Mullvad @mullvadnet browser
- Added Comodo IceDragon
- Fixed image display issues on some #browsers
- Corrected existing information
CISA Adds Five Known #Vulnerabilities to Catalog
CVE-2023-32046 Microsoft Windows MSHTML Platform Privilege Escalation
CVE-2023-32049 Microsoft Windows Defender SmartScreen Security Feature Bypass
CVE-2023-35311 Microsoft Outlook Security Feature Bypass
CVE-2023-36874 Microsoft Windows Error Reporting Service Privilege Escalation
CVE-2022-31199 Netwrix Auditor Insecure Object Deserialization
#cybersecurity #infosec #security
https://www.cisa.gov/news-events/alerts/2023/07/11/cisa-adds-five-known-vulnerabilities-catalog
@briankrebs #patchemifyougotem đ đ đ
Also the WebKit 0-day is tracked as CVE-2023-37450, for anybody wondering.
Microsoft today issued security updates to fix a whopping 130 flaws in Windows etc, including 4 zero-day vulnerabilities. MSFT issued an advisory for but did not patch a fifth zero-day that is being exploited by ransomware crooks reportedly working in support of Russian intelligence operations. Meanwhile, Apple issued and then pulled a patch for a zero-day flaw in iOS and macOS. The Apple flaw is fixed in iOS/iPadOS 16.5.1, macOS 13.4.1, and Safari 16.5.2.
https://krebsonsecurity.com/2023/07/apple-microsoft-patch-tuesday-july-2023-edition/
Whoa. Sophos researchers just announced that theyâve uncovered 133 malicious drivers signed with legitimate digital certificates, and found 100 of of those 133 drivers were signed by Microsoft.
From the post:
"Today, Microsoft issued Security Advisory ADV230001 as part of their July Windows Update that addresses Sophosâ discovery of more than 100 malicious drivers that had been digitally signed by Microsoft and others, dating as far back as April 2021."
"They also released Knowledge Base article 5029033, which includes new, more detailed information on the technical measures Microsoft has taken to protect against these malicious signed drivers."
https://msrc.microsoft.com/update-guide/vulnerability/ADV230001
https://support.microsoft.com/help/5029033
Today's post about patches from Microsoft and Apple to quash zero-day bugs:
https://krebsonsecurity.com/2023/07/apple-microsoft-patch-tuesday-july-2023-edition/
I wrote recently about one of the bigger names in signing malware as a service:
https://krebsonsecurity.com/2023/06/ask-fitis-the-bear-real-crooks-sign-their-malware/
@GossiTheDog Git off yer phone
#Apple releases emergency #update to fix zero-day exploited in attacks
CVE-2023-37450 - code execution in the WebKit browser engine (which powers Safari).
How to block emails on #Gmail, Outlook, Proton Mail, Yahoo Mail, and #Apple Mail
From @protonmail
@ancatdubh exactly. Connecting #threads to the fediverse for exposure is okay⊠but the cost for users to do so (through threads) is very high and concerningâŠ
New âBig Headâ ransomware displays fake Windows update alert
Suspected to be spreading primarily through *gasp* Malvertising.
During the encryption stage, this #ransomware displays a loading screen similar to a #windows update.
How Threadsâ #privacy policy compares to Twitterâs (and its rivalsâ)
#threads has abysmal privacy... just reading the list in this article is exhausting.
I fail to see how it is an "acceptable middleground" for users being introduced into the #fediverse (with the talk of ActivityPub integration.)
Critical TootRoot bug lets attackers hijack #Mastodon servers
> bad actor sends malicious toot
> instances process malicious toot
> spawns webshell
> bad actor uses webshell to assume control over the server
There is a #security patch for this - all Mastodon server admins should update if they haven't already.
CISA Adds One Known #Vulnerability to Catalog
CVE-2021-29256 Arm Mali GPU #Kernel Driver Use-After-Free
#cybersecurity #security #infosec #exploit
https://www.cisa.gov/news-events/alerts/2023/07/07/cisa-adds-one-known-vulnerability-catalog
@dostalcody @briankrebs What Iâm gathering is that these are the equivalent of âweâve been trying to reach you about your carâs extended warrantyâŠâ calls. Lol.
Also, thanks for clarification on the IP address issue. I mentioned it because it would be an issue for the small(er) servers. Same user profile + same IP address (of a small or single-user server) could be an easy identifier. I should have mentioned this when I brought it up.
At the end of the day, they are asking Mastodon admins to federate for *some* reason. They could just scrape what is public, but I don't think that gives them the real time metadata.
Their business model relies on it. The core of the issue is that this data wouldn't exist in a vacuum - whatever is ingested from interaction with #threads users goes back to Meta.
They are tracking their own millions of users so closely, even while interacting with the fediverse, that it will have implications for users on other instances.
Pile on that the concerns of lack of moderation on the threads platform and high potential for abuse and wow, we have a problem.
With #threads and the fediverse, over time gives the "how" and "how often." Do you DM? Boosts and favorites? Bookmark? Does the third-party interact with the #threads user? When and how often?
It's the power of metadata and collection + correlation over time I'm stressing here. Still speculation, but I am positive they will use/process/share/sell the metadata - especially because tracking their own users will give them a front row seat, an easy ingestion point.
I agree with you Mastodon is not private, but it lends itself more to #privacy than traditional social media.
There is still absolutely the threat of #metadata collection from #threads - just not first-party collection (if you are not on their platform.)
Similar context: you may not use WhatsApp, but I do. I have your contact info... and I share that info with WhatsApp. Well, now WhatsApp has it too. And they can infer we interact.
