Securityferret

22 Followers
12 Following
24 Posts
Making things more secure, advising on architectures. #SABSA #CISSP #CEH #ADHD #Dyslexia. #cybersecurity

This is it! #pancakesCon 2023 virtual conference is THIS SUNDAY! Some final helpful notes can be found here: https://pancakescon.com/2023/03/11/final-2023-pre-con-reminders/

We are super excited to share what we have built with you. #cyberSecurity #infosec

Final 2023 Pre-Con Reminders!

PancakesCon 4

New social engineering phish tactic just dropped on social media.
This one gets people to gut-react click and leads to a stealer (Raccoon, Redline, Vidar).
Coach those you know not to click, but if they do, to immediately reset everything that was saved in their browser (all online accounts or apps accessed via browser) and move to 2FA where possible.

Notified Experian on Dec. 23 that their site was allowing anyone to see the credit report for, well, basically anyone, completely bypassing their lame 4-5 multiple guess questions and other security.

Or even in cases (like mine) where trying to get your credit report generates an error saying you have 3 other options for getting your free report from them (calling, mailing, or chat w/ rep). The site said Experian didn't have enough info to validate my identity, but when I changed the url slightly, it showed me my entire report. Glad I checked, too, because the info in there is so completely wrong I don't even know where to start.

So it's Dec. 27, and I still haven't heard anything from Experian. All you needed was the person's name, address, SSN and DOB. This info has been exposed on pretty much most Americans for many years now.

BTW, I checked this with several friends who volunteered to check their own reports, and they were able to fully replicate what I did.

It's bad enough that we can't stop companies like Experian from making $2B a quarter collecting and selling our info, but there has to be some real accountability. And as we saw with the Equifax settlement, class-actions and more laughable "credit monitoring" services aren't going to cut it.

Experian has shown this year especially that it gives exactly zero fscks about securing access to the data that drives its entire business.

https://krebsonsecurity.com/2022/08/class-action-targets-experian-over-account-security/

https://krebsonsecurity.com/2022/07/experian-you-have-some-explaining-to-do/

https://krebsonsecurity.com/2021/04/experian-api-exposed-credit-scores-of-most-americans/

Class Action Targets Experian Over Account Security – Krebs on Security

Users' Data was Breached in 2021, Twitter Confirms

Twitter published an update about the 2021 breach of its users' data.

CySecurity News - Latest Information Security and Hacking Incidents

I'm seeing a lot of hot takes on #LastPass, from people in #infosec coming to the conclusion that LastPass transparently disclosing breaches, or near breaches, or any incidents, is a sign of something terrible.

I think those people have not been at this long.

All companies eventually get hacked. All companies eventually will be breached, and it's not if; it's when.

And if you are a company storing millions of passwords, you better believe you are being attacked constantly.

Given that world, I want a company that:

  • is transparent and lets their users know immediately when something is up and gives as many details as they can.
  • can actually detect incidents and has a solid process to follow in dealing with them and communicating about them

If you think a company that never says, "hey, we had an incident," is more secure... oh boy.

It merely means they either a) can't detect incidents or b) are hiding them from you

If you are using a password manager that is silent about breaches, near misses, incidents, etc., that should be cause for concern.

The latest update in Google's legal efforts to go after the cybercrooks behind the Glupteba botnet is surreal. "Defendants [said] they could potentially help Google by taking the botnet offline." Glupteba facilitates ad fraud, spam, malware proxies, etc. https://krebsonsecurity.com/2022/06/the-link-between-awm-proxy-the-glupteba-botnet/

The Link Between AWM Proxy & the Glupteba Botnet – Krebs on Security

Neurodivergent women sought for jobs at GCHQ and BAE Systems

Organisations want to recruit more autistic women and those with dyslexia and ADHD to work in cybersecurity roles

The Guardian

A: dns record
AA: battery
AAA: battery
AAAA: dns record

Let's put a protective ring around #MatHancock. And ensure he does every task on #Iamacelebrity.

MITRE have released a new version of the Cyber Resiliency Engineering Framework (CREF) Navigator, which includes a mapping to MITRE ATT&CK.

It is pretty nice! Make sure to add some filters, as there is a lot in it!

https://crefnavigator.mitre.org/tree2