tkteo

I am just a paranoid end-user. When it comes to cybersecurity/infosec, no such thing as totally secure, no such thing as too secure, but there is such a thing as not secure enough. (Cough cough at LastPass)

As seen from my profile images, I am an otaku. #anime #manga #kamenrider #kamenriderblacksun #gundam #giantrobo #macross and of course #onepunchman

2023-04-28

Earlier this week, Google updated its Authenticator app to enable the backup and syncing of 2FA codes across devices using a Google Account. Now an examination by Mysk security researchers has found that the sensitive one-time passcodes being synced to the cloud aren't end-to-end encrypted, leaving them potentially exposed to bad actors.

macrumors.com/2023/04/27/googl

tkteo boosted:
SANS Internet Storm Center - SANS.edu - Go Sentinels! (sans_isc@infosec.exchange)
2023-04-28

Veeam Vuln Ransomware; Google Authenticator Sync; Keycloak Vuln;
i5c.us/p8474

tkteo boosted:
2023-04-28

Scoop, new, etc: Many Public Salesforce Sites are Leaking Private Data:

A shocking number of organizations -- including banks and healthcare providers -- are leaking private and sensitive information from their public Salesforce Community websites, KrebsOnSecurity has learned. The data exposures all stem from a misconfiguration in Salesforce Community that allows an unauthenticated user to access records that should only be available after logging in.

Confirmed victims included the state of Vermont, the District of Columbia, and TCF Bank, now Huntington Bank.

krebsonsecurity.com/2023/04/ma

A screenshot of the DC Health website that exposed SSN and other data on health professionals in the District.

tkteo boosted:
2023-04-25

"Treasury Targets Actors Facilitating Illicit DPRK Financial Activity in Support of Weapons Programs" published by USTreasury. #News, #Sanctions, #Cryptocurrency, #CTI, #OSINT, #LAZARUS home.treasury.gov/news/press-r

tkteo boosted:
2023-04-25

"North Korean Foreign Trade Bank Representative Charged in Crypto Laundering Conspiracies" published by USJustice. #News, #Cryptocurrency, #CTI, #OSINT, #LAZARUS justice.gov/opa/pr/north-korea

tkteo boosted:
2023-04-25

*Edit*: I am being ridiculous here: I forgot to run with --release flag. 🤦‍♂️​ So while the performance differences are really there, it’s more like factor four from fastest (just-argon2) to slowest (argon2) implementation.

Interesting conclusion on the state of the #rustlang ecosystem: the only #Argon2 implementation still under active development (argon2) is also by far the slowest one. Unless I mixed up some numbers, it is six times slower than rust-argon2 and four times slower than argon2rs.

The really fast implementations are the ones wrapping the argon2 C library, these haven’t been updated in years however and often provide a really awkward API. While argonautica has non-trivial system dependencies, just-argon2 works without.

Well, guess just-argon2 it is…

tkteo boosted:
2023-04-25

Simona Weinglass of The Times of Israel is my new hero. Her video reporting on crypto investment scams is well worth watching.

Tl;dw, it appears the biggest crypto investment scams targeting people in the UK were promoted by at least a half dozen of England's premier football (soccer) leagues. These scammers managed to rake in at least a billion dollars, and could afford lucrative sponsorships that got their brand everywhere. As the former scammers explained, there's nothing real about the investment "earnings" shown to people who get roped into these scams: It's all just a digital mirage, and any money invested is gone.

Her video series on the BBC zeroes in on who's responsible. Involves ride-alongs with German police as they worked w/ investigators in the country of Georgia to raid call centers working the phones for these fraudsters.

youtube.com/watch?v=w6JXZ3GzSC

A chart showing how 8 of the premier football leagues in the UK had sponsorship deals w/ the investment scammers, including Chelsea, Everton, Fulham, Leeds United, Liverpool, Manchester City, Southampton and Tottenham.

tkteo boosted:
2023-04-25

1Password to begin collecting anonymous telemetry (no user/site/vault info) to help measure application performance.

I can appreciate their over-the-top transparency and commitment to not collect actual user data, but making this opt-out versus opt-in is a head-scratcher.

Give your users the option to actively opt-in, not an opt-out they will probably never see. @1password

blog.1password.com/privacy-pre #1password

tkteo boosted:
2023-04-22

Since new information came out last night about the 3CX and Trading Technologies hacks, I decided to put together a timeline of what we know so far: zetter.substack.com/p/updates-

tkteo boosted:
Patrick C Miller (patrickcmiller@infosec.exchange)
2023-04-22
tkteo boosted:
2023-04-22

We learned some remarkable new details this week about the recent supply-chain attack on VoIP software provider 3CX, a complex, lengthy intrusion that has the makings of a cyberpunk spy novel: North Korean hackers using legions of fake executive accounts on LinkedIn to lure people into opening malware disguised as a job offer; malware targeting Mac and Linux users working at defense and cryptocurrency firms; and software supply-chain attacks nested within earlier supply chain attacks.

krebsonsecurity.com/2023/04/3c

A phony job offer from HSBC pretended to be a PDF file but was actually malware from the North Korean hacking group Lazarus.

A graphic depiction of the North Korean hacking group Lazarus, aka UNC4736, attacking Trading Technologies, compromising its X_Trader software package, which was then downloaded by a 3CX employee.

tkteo boosted:
sjvn (@sjvn)
2023-04-22

Kubernetes 1.27 Arrives: thenewstack.io/kubernetes-1-27 by @sjvn

The new arrives with a new Registry and better container .

tkteo boosted:
2023-04-22

From NSA and Five Eyes: “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default,” to raise awareness and facilitate international conversations about key priorities, investments, and decisions necessary to manufacture technology that is safe, secure, and resilient. nsa.gov/Press-Room/Press-Relea

tkteo boosted:
2023-04-22

What are we working on? An Import Wizard of course! This will be introduced in 2.7.5 along with support for importing 1PUX and Bitwarden JSON files.

tkteo boosted:
2023-04-22

Today we are announcing the release of our first Audit Report conducted by an independent security consultant: keepassxc.org/blog/2023-04-15-

tkteo boosted:
2023-04-22

@fosstodon is now our primary social network. Twitter pulled the final straw with their hostile treatment of their development community. twitter.com/KeePassXC/status/1

2023-04-22

@atoponce @keepassxc

Yeah, I read the Proton Pass announcement and I figured another password management vendor would call out Proton for the inaccurate advertising claims.

Previously the Proton people took aim at Tutanota via a sponsored article and the Tuta folks shot back.

I personally pointed out some errors on a Proton blog post waxing lyrical on their use of E2EE but I didn't get a reply. (In hindsight, I was too hopeful.)

tkteo boosted:
Aaron Toponce ⚛️ (atoponce@fosstodon.org)
2023-04-22

@keepassxc has a few things to say to Proton about their new "Proton Pass" announcement.

twitter.com/KeePassXC/status/1

tkteo boosted:
2023-04-20

Telegram having weak/non-default E2E encryption made a little sense five years ago, but at this point it’s a pretty opinionated and purposeful decision.
