@patrickcmiller You missed the opportunity on this one... Should have been... "Simple hack doesn't help SimpleHelp victims."
Infosec related work in the Entertainment industry + 20 years doing it other places.
@jonobie "What does democracy look like!!?"
When an organization has a bunch of standards but they are not enforced...
In these difficult times, it's important to remember the violence and protests at the #StonewallRiots that led to the freedoms that are now under attack. Pride is not just about showing you're out and proud, but also about remembering those that fought to give us the ability to do so! Happy Pride Month everyone!!
Finishing up an @owasp #SAMM assessment and validation report for a major company in APAC region.
Built a lot of new templates and tools to assist with the process and looking forward to doing more of these assessments.
The #OWASPSAMM framework is solid and takes a very different approach to web-application security than more traditional compliance or audit frameworks. I'd recommend taking a look at it if your company primarily is an application developer or SaaS provider.
One of the stronger points for it is that it is geared towards self-assessment with a focus on continual improvement and a maturity approach. We kept telling our client, "We are not auditors and this is not an audit. We are here to help you document where you are today and where you want to be in the future." This led to a very collaborative and non-adversarial engagement and lots of deep knowledge being freely shared by the development staff that you'd not see in a compliance audit (Trust me, I've done a lot of those too). We even had the #InfoSec team tell us several times, "This is great because you're helping to validate our concerns and budget requests. Your vast experience from other companies is helping to guide us in solutions and bolsters our budget requests to executive management."
Again, if you are primarily developing #webapps for clients or running a #SaaS definitely consider doing your own self-assessment using the #OWASPSAMM toolkit. @owasp provides it for FREE in various flavors including Google Docs, Excel, and Docker. There is even the ability to use the JavaScript to build internal tools around it easily. Then if you decide you want a third-party validation, you can contract from the OWASP SAMM Practitioners list at: https://owaspsamm.org/practitioners/.
If you end up finding any of it useful or want more information, or to contribute you can also join @owasp and their SAMM meetings too. Find out more at: https://owaspsamm.org/contributing/
OAuth login process in browsers being used to distribute malware through major authentication domains, including Google.com ---> https://cside.dev/blog/weaponized-google-oauth-triggers-malicious-websocket
@patrickcmiller AI is a speed multiplier. It makes sense that it would multiply bias as much as anything else it has consumed. Garbage (or racism/bias/hate) in. Garbage (or racism/bias/hate) out.
@deviantollam has a new video out about Day Locking and no, that's not locksport people's equivalent of day drinking.
(Although, it might be a fun new way to describe doing locksport practice during the day)
I do not think I could be more clear. In addition to this giant sign, there is a sign at the gate of the fence that has all the logos for delivery companies and a big arrow pointing to walk about the fence and the words "Deliveries at side door."
UPS and FedEx never have an issue and even follow the instructions to use their codes to deliver packages INSIDE the mailroom that was built for deliveries.
If I could choose my shipping provider at checkout, I'd pay more for UPS or FedEx because Amazon always blames ME when packages are stolen, even with the signage and VIDEO of it being stolen.
@patrickcmiller I'm sure that disparate agencies without tools for secure coordination will work better than the coordination of international and state funded hacking groups... #sarcasm
Frequently, I hear people state their opinion that they don't worry about computer security because "I only use Macs." The fallacy that only PCs and servers are vulnerable continues to allow malware to spread on Mac OS. North Korea is the latest group to be specifically targeting Macs, this time with some stealthy spyware.
https://www.tomsguide.com/news/macs-under-attack-by-north-korean-spies-how-to-protect-yourself
Robots can't be tricked into installing malware, so hackers are using reCaptcha to trick humans instead.
Apple complies with secret UK government order for backdoor access to customer data.
@codejake none of the Fortinet devices I installed should have admin access from the Internet. All accounts used external access control with MFA.
I think that IP belonged to my home lab in 2022? Do you have a copy of the data release?
I present a speaker designed to sit on the ground and be hidden from view by being camouflaged as a rock... mounted on a wall above head height.
This is a failure on so many levels, including literal levels.
@frankie or you could use Signal.app and have a secure open message platform that has none of the problems of RCS, WhatsApp, or iMessage. Want to send me a message? You can send it via Signal, or you can email me. Simple.
Google’s RCS Nightmare—Why You Need A New App https://www.forbes.com/sites/zakdoffman/2024/12/06/googles-rcs-nightmare-why-you-need-a-new-app/ #news #google #RCS #security #technology
@techhelpkb except it isn't, because it is broken and too little too late. RCS promises much but delivers nothing. There are no RCS apps besides Google Messages and now iPhone Messages. Neither does end-to-end encryption with the other. Images and videos are still heavily compressed. Messages require going through Google's servers because no carrier runs their own RCS servers. Google is wrapping messages sent between two Google Messages users to add encryption, but it doesn't work reliably. In fact, since the last update, notifications don't even work at all. Messages fail to deliver all the time. The only use of SMS now is stupid companies using it for activation or authentication requests, except that it isn't secure and has been hacked repeatedly. RCS is garbage and every carrier knows it. Get Signal.app and stop using closed broken systems.