jim 🐈‍⬛

62 Followers
45 Following
113 Posts
infosec, appdev & RE nerd. aka seska
pronouns: he/him
web: https://reverse.codes
ko-fi: https://ko-fi.com/seska
hackthebox: https://app.hackthebox.com/users/68877
@distantcam ah dang, so there are a tonne of infostealers lurking in dependencies and they are a rising malware threat at the moment; it’s quite possible you picked one up in a library dependency and that’s how they got your login details.
Might be worth reviewing new stuff you’ve loaded into your code recently too, lest it happen again.

@distantcam
Do you mean somebody spoofed your identity in a malicious commit? If so, not much other than turning on verification and others enabling vigilant mode.

If someone magically added a commit to a repo you own without a PR, that sounds more like account takeover to me, in which case rotate creds and tokens asap, use MFA if not already, etc.

Either way, if you have deets, send them through to GitHub’s security team; it could be part of an active campaign. The former scenario is quite a common thing these days.

@GossiTheDog this is just wild. Sooo, if somebody 'accidentally' put the CS logo on a nazi website, they'd suddenly take it down?
If there was one feature in a vulnerability scanner that you could have that you don't currently, what would it be?

Adding “your certificate provider discovers they messed up and gives you 24 hours to replace all of your certificates” to my list of tabletop scenarios.

https://www.theregister.com/2024/07/31/digicert_certificates_extension/

More than 83K certs from nearly 7K DigiCert customers must be swapped out now

Small stay of execution in 'exceptional circumstances' promised as lawsuits start to fly

The Register

For the love of all things holy: I know the idea that 'passwords are dead' is a hip and trendy UX idea, but the reality is far from this.

I am currently dealing with a platform that I need to use daily that doesn't, and it is the pits.

To log in, it's a six-digit PIN sent to a plain-text email every time your session expires. This PIN lasts 10 minutes. Then another six-digit PIN for MFA, this time from your authenticator of choice.

In principle this is somewhat sound, although arguably, whatever APT has compromised my email account without me knowing it has logged in and has a full day's access in this model. That, or my hypothetically abusive significant other, or other miscellaneous stalker with physical access to my device.

The usability problem is far less exotic though: I am just a busy, time-blind person.

I go to the platform, start the login process, and get sideswiped by 17 Slack notifications. The email with the PIN has now expired, but I have no idea; to me, 30 seconds flew by (it was really 15 minutes).

This would all be so much simpler if I could just use my password manager of choice.

Seriously, what is so wrong with something I know?

@interfluidity don’t get me started on QR codes
For all the pain narcissists cause, it is somewhat hilarious watching one trying to gaslight a room of people who know more than they think.

Every now and again, when I have additional sources of intelligence, I see an audit report for a company that just makes me question how awake the auditors really were.

Related: if you can't confirm the SOC II report you are looking at came from a legit audit company, is it really a SOC II report?

All my homies HATE Broadcom