Oh, and there are over 1 billion info-stealer records exposed at the moment between a couple of IPs. This is so common, I'm surprised this was even on the news in the last few weeks for a rather small server.
180 million is really on the low end of what usually shows up exposed. I've seen servers with over 3.5 billion logs running before being wiped by wiperware.
#cybersecurity #infosec #responsibledisclosure #threatintel #readyouremail
Some wild things I found exposed recently that I am actively trying to close down:
1) 🇺🇸 Criminal Defense firm with archived case files exposed (evidence, discovery, court docs, etc) includes crash reports with dead people - Contacted the Law firm last week and nothing done.
2) 🇺🇸 Phone extracts for multiple cases that have been on the news, including a case of a cop suicide, sexual abuse cases - Looking at who to notify about this one, being extra careful as the file listing suggests illegal stuff gathered as evidence might be exposed on it.
3) 🇳🇿 A database backup with a table that includes someone's diary, with a lot of entries about their sexual life.
This backup also includes ~1,500 logins for a police association on other tables and credentials to multiple companies & websites - Contacted higher-ups in the police association for help identifying who is responsible, but so far, no reply.
Just a few more servers to add to the list of dozens of pending cases. Will start escalating contacts until stuff gets fixed.
#cybersecurity #infosec #responsibledisclosure #threatintel #readyouremail
@bkastl +9001&
Und selbst dann sind aktive #Audits und #Pemtesting nur Methoden.das #Hellfeld zu vergrößern.
Ich kann ja an sowas nicht vorbeigehen, also Bugs in POS-Systemen..
2.95€ Bürgermenü :)
What's the new / current place for publishing vulnerability reports (as part of responsible disclosure; I already got a CVE ID)?
Last time I published something, BugTraq still was a thing.
:BoostOK:
Happy Birthday (nachträglich) zu drei Jahren #Datenleck, lieber Tuev Nord
https://lims.tuv-nord.co.th/main_app/.env
https://185.39.106.141/main_app/google-credential.json
https://185.39.106.141/.git/config
inetnum: 185.39.106.0 - 185.39.106.255
netname: DE-TUEVNORD-H-106
Looking for some help, boosts appreciated:
Anyone with a security contact at Disney or ABC Network?
I know Disney has a bug bounty program, but the issue is with a third-party software leaking data from multiple companies.
Found no information as to who owns the software online and would like some help figuring out who to notify.
#cybersecurity #infosec #disney #abc #responsibledisclosure #vulnerability #bugbounty
@JayeLTee Just to add some context about my attempt to get Mango's Place to lock down their data back in 2022:
I had been contacted by a researcher with info on the exposed data. Because that researcher was not in the U.S., I followed up on unsuccessful notifications with a phone call. I even made a note of who I spoke to in August 2022.
But alerting entities to their leaks is not my job, and when they didn't get back to me, I eventually forgot about them. I had waited to report anything because -- unlike a site that all-too-often reports on leaks that are still exposed --- I didn't want to publish about a leak where the still-exposed data had their name in the storage location's URL.
Whether Mango's Place will get sued by any irate parents remains to be seen. If they are, their failure to respond in 2022 may become part of any case.
#databreach #incidentresponse #responsibledisclosure #cybersecurity
Immer noch eins meiner liebsten T-Shirts
#ResponsibleDisclosure
Ich liebe Responsible Disclosure bei deutschen Unternehmen einfach. Aber hey, sind ja auch nur Ausweise und Finanzdaten...
Man könnte sich ja auch mal an seine eigene responsible disclosure policy halten und wenigstens antworten.
🔒 How to Report Security Issues in Open Source—Responsibly
Security flaws happen—but how we handle disclosure matters.
In this smart and timely guide, Jacob Kaplan-Moss outlines the three-step process for responsible vulnerability reporting in open source software (OSS):
✔️ Report the issue privately to maintainers
⏳ Allow a reasonable time frame (up to 3 months) for a fix
📢 If needed, publicly disclose to protect users
Kaplan-Moss also explains how to find contact info, the ethics of disclosure timelines, and tools available to OSS maintainers.
This is must-read content for anyone in security, development, or open source governance.
👉 https://jacobian.org/2025/mar/27/reporting-security-issues-in-oss/
#CyberSecurity #OpenSource #DevSecOps #ResponsibleDisclosure #InfoSec
Great thanks to @adamshostack for getting people together to think about this issue and to make recommendations to #HHS under the #HIPAA Security Rule.
https://shostack.org/blog/security-researcher-comment-on-hipaa-security-rules/
Direct link to comments to HHS by @adamshostack, @dykstra, Fred Jennings, Chloé Messdaghi, and me:
https://downloads.regulations.gov/HHS-OCR-2024-0020-4673/attachment_1.pdf
#ResponsibleDisclosure also means to share if you have been diagnosed with an infectious disease while at or after an event or conference, ideally posted in a way that as many possible visitors of said event will notice (e.g. post here with a hashtag of the event, like #FOSDEM). There is no embargo on sharing such a vulnerability ;)
@cirriustech We try not to use the laden term #responsibledisclosure, which puts a burden only on researchers but not the receiving parts. Use #CVD instead :)?
OpenAI and Microsoft show a remarkable disinterest in a reportedly major security flaw in the #ChatGPT API #ResponsibleDisclosure $MSFT
https://informationsecuritybuzz.com/critical-vulnerability-chatgpt-api-reflective-ddos-attacks/
Executive Summary (TL;DR): HackerOne requires SMS, documentation is bad, and support doesn't.
"Please let us know your HackerOne email address", I was asked. Everyone (who matters) knows HackerOne ( @Hacker0x01 ?), so I rush to https://hackerone.com/ to sign up.
Signup was typical, with praiseworthy indication that passwords are limited to the BCrypt hash limit of 72 characters. With email confirmed, the next step was of course to set up 2FA because if we Hackers™ know one thing, it's "2FA good. TOTP good. SMS bad.". On the Account Security page,
Two-factor authentication [ Turn on ]
but that [ Turn on ] button is greyed out. Above is
Account recovery: Disabled [ Set up ]
A bit odd to get recovery codes before setting up TOTP, but seems harmless. I clicked [ Set up ].
Add your phone number
We need to set up a way for you to recover your account in case you lose access to your two-factor
authentication device. We do this by confirming your phone number. We'll send you a numeric code
to this number to verify your account. Message and data rates may apply.
In this year of our Lord twenty twenty-five, that is the only option.
Before bothering anyone, I know to RTFM, so I do. The "Two-Factor Authentication" page described the setup process in full detail with no mention of telephones or short message services. The other (almost identical) "Two-Factor Authentication" page described the same process, but mentions the telephone.
HackerOne uses a (something)Desk platform for support, so I signed up there and opened an issue explaining that I want to use TOTP and don't use SMS, and that there are two pages with instructions of which half are wrong. The automated email acknowledgement arrived promptly.
Early the next day email arrived from H1 Support <support@hackerone.com> with a response I can accurately paraphrase as, "We are sorry to hear that you are incompetent. Please RTFM." with a link to the more accurate of the two pages. Replying to this email, I politely explained that I appreciated the response, but that they seem to have missed both the issue I reported and the documentation problem, then clearly identified each in a more structured fashion.
The reply to my email was almost instant.
#HackerOne #Hacker1 #BugBounty #ResponsibleDisclosure #Authentication #2FA #MFA #TOTP #SMS #InfoSec #InformationSecurity #CyberSecurity #TogetherWeHitHarder
If you haven't read this post by @gcluley about a proposed Turkish law and you are a researcher or journalist reporting on breaches, read it:
New Law Could Mean Prison for Reporting Data Leaks:
https://www.tripwire.com/state-of-security/new-law-could-mean-prison-reporting-data-leaks
#ResponsibleDisclosure #research #journalism #freepress #censorship #intimidation
FTR. I still believe in #ResponsibleDisclosure with a 90 day limit after the first acknowledged receipt. If the company/government/organisation won't move 90 days after they've acknowledged receiving your info, you should be free to go public. But going 0day is a different story.
@dbof Their "friction" is mere lazyness to distribute the Secret Key among their devs.
And if #JitsiMeet devs can't be assed to do something that trivial then maybe folks who want to stay anonymous won't contact them, but instead send their exploit in a #PGP/MIME-encrypted eMail to #Zerodium where they get paid in #XMR with no questions asked.
I asked on behalf of a friend who wanted to stay anonymous and doesn't have a #GitHub or #HackerOne account and can't signup to either due to unacceptable #ToS.
Seriously, WTF #JitsiMeet?
I've never seen such a level of ignorance from any #FLOSS project to this day...
#NotCool #ResponsibleDisclosure #ITsec #InfoSec #OpSec #ComSec #rant #vent #venting
