Avoid the Hack! @[email protected]

Hi infosec.exchange, (and hi again #mastodon + the rest of the #fediverse )

I have successfully infiltrated your server and will load subsequent toots here for the foreseeable future.

(( DETECTED: #introduction ))

I am the same Avoid The Hack from #birdsite and run the website https://avoidthehack.com

Most of this feed is related to #cybersecurity and #privacy - generally for the individuals, families, and the super small organizations out there. I often focus on the intersection between the two.

Sometimes I post advice. Sometimes I share tools. Sometimes I share articles I have written. Sometimes I share articles featuring Avoid the Hack. Sometimes there is humor and memes.

Stay safe out there.

#security #privacymatters #infosec #opsec

Russian cyber gang mimics job candidates to steal #data

Targeting recruiters, using legitimate job vacancies, to build rapport and spear-phish victims into downloading #malware. Downloaded malware may introduce second-stage malware and spies on victim’s machines.

#cybersecurity #security #infosec

https://cybernews.com/news/russian-cyber-gang-mimics-job-candidates/

Hot off the press: CISA adds one to the Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation:

• CVE-2023-6448 [nvd.nist.gov] (9.8) Unitronics Vision PLC and HMI Insecure Default Password

CBS Pittsburgh reported [www.cbsnews.com] on 25 November that a booster station belonging to the Municipal Water Authority of Aliquippa Pennsylvania had been hacked by an Iranian-backed cyber group called "Cyber Av3ngers." CISA put out remediation steps [www.cisa.gov] for securing Unitronics PLCs. By Friday evening, the US Government publicly attributed the attacks and Cyber Av3ngers' persona to Iran's IRGC [www.cisa.gov].

"Unitronics Vision Series PLCs and HMIs use default administrative passwords. An unauthenticated attacker with network access to a PLC or HMI can take administrative control of the system"

It's December and that’s always a time for fancy food, drinks and... statistics! Since my job is focused on the cybersecurity of OT devices I did some number crunching based on the ICS (Industrial Control Systems) advisories published by CISA: here's a short thread
#ics #ot #cybersecurity

If you want to get your freak on, and use, or have used, #HULU, go to their privacy section and request a 'Right to Know' privacy report of the personal information they have about you. #Privacy

I did because I haven't used Hulu, or been to their website, for many, many years and they sent me a birthday discount coupon.

What is most alarming is who they think I am as determined by their "Tastes and Onboarding"
#algorithm.

https://secure.hulu.com/account/privacy

Meta’s new #AI image generator was trained on 1.1 billion #Instagram and #Facebook photos

Just remember, even if you don’t have or don’t actively use either, friends or family members _could_ have posted photos including you… which may have been included in this training data.

Then again, it’s not like they ask consent or notify you if your image/likeness is used.

According to #meta, if your instagram or Facebook photos are set to private then they weren’t included in training. No way to really verify (that I am aware of) and this policy could change at any time.

#privacy #privacymatters

https://arstechnica.com/information-technology/2023/12/metas-new-ai-image-generator-was-trained-on-1-1-billion-instagram-and-facebook-photos/

When I look at all the blocked tracking domains and sites on my pi-hole, I wish I'd set up the pi-hole a looooong time ago.

If you haven't set up a pi-hole for your home (or work) network yet, it's well past time...

Now if I could just get my wife to stop using Google and Chrome...

There's a link on how to set up your own pi-hole in this article:

#pihole #privacy #infosec

https://avoidthehack.com/best-pihole-blocklists

there is no such thing as a backdoor just for [insert group]

it's an exploitable opening for anyone determined and skilled enough

@avoidthehack Didn't cover push notifications here, but I do delve into why #metadata is actually important and how metadata collection/oversharing can still compromise your #privacy here.

Metadata is in everything you do on a computer. Most commonly, metadata is described as attached to messages (who + when a message was sent at its most basic), photos, and files.

https://avoidthehack.com/metadata-privacy

Apple reveals ‘push notification spying’ by foreign governments, after open letter

Apple (and #Google) have been getting served with requests for push notification data on user devices + gag orders surrounding the actual request.

This is a good example of #metadata and its impact on #privacy - in many cases, the requests won't be able to serve actual contents of something like a message (assuming end-to-end encryption is used), but the push notification itself is metadata.

In the future, #Apple says these types of requests will be disclosed in its transparency reports.

#privacymatters #ios #android

https://9to5mac.com/2023/12/06/push-notification-spying/

IVPN for iOS (v2.11.1) is out with blocking option for LAN traffic when connected to an untrusted network, improved widget prompt controls and numerous fixes. Full changelog: https://github.com/ivpn/ios-app/blob/develop/CHANGELOG.md

#Proton Pass Plus plan now includes the Proton Sentinel high-security program

The Proton Sentinel program uses machine-derived indicators and human intelligence to help prevent threat actors from accessing your data even if they have successfully stolen your Proton account credentials.

#cybersecurity #security #infosec #passwords

https://proton.me/blog/sentinel-included-pass-plus

absurdity levels are critical

(100%) ■■■■■■■■■■

Microsoft Outlook Blocking All Email from @tutanota.com Domain as #Spam

According to Tuta @Tutanota, Microsoft has flagged the entire `tutanota.com` domain as spam. Users are unable to deliver mail to Outlook accounts.

Similar as the problem around this time in 2022 where #Microsoft Teams did not allow users to register with a `tutanota.com` email address.

#privacy #privacymatters #email

https://tuta.com/blog/outlook-falsely-marks-tutanota-emails-as-junk

PSA: Fake CVE-2023-45124 #Phishing #Scam Tricks Users Into Installing Backdoor Plugin

Wordpress site administrators beware. This campaign tricks users into downloading a malicious #wordpress plugin creates a malicious admin user and opens a backdoor, establishing contact with the threat actor's command and control (C2) server.

Do not install updates using links from emails or websites. Always update programs/apps using the system's package handler or the update in the application itself!

#cybersecurity #infosec #security #malware

https://www.wordfence.com/blog/2023/12/psa-fake-cve-2023-45124-phishing-scam-tricks-users-into-installing-backdoor-plugin/