Avoid the Hack!
source link: https://infosec.exchange/@avoidthehack
Avoid the Hack! @avoidthehack@infosec.exchange
An initiative promoting the intersection of internet #privacy and #cybersecurity for all users.
Based in the USA.
You’re more than just a data point.
Operated by: @ashwrites
Established in 2020.
Hi infosec.exchange, (and hi again #mastodon + the rest of the #fediverse )
I have successfully infiltrated your server and will load subsequent toots here for the foreseeable future.
(( DETECTED: #introduction ))
I am the same Avoid The Hack from #birdsite and run the website https://avoidthehack.com
Most of this feed is related to #cybersecurity and #privacy - generally for the individuals, families, and the super small organizations out there. I often focus on the intersection between the two.
Sometimes I post advice. Sometimes I share tools. Sometimes I share articles I have written. Sometimes I share articles featuring Avoid the Hack. Sometimes there is humor and memes.
Stay safe out there.
Russian cyber gang mimics job candidates to steal #data
Targeting recruiters, using legitimate job vacancies, to build rapport and spear-phish victims into downloading #malware. Downloaded malware may introduce second-stage malware and spies on victims' machines.
#cybersecurity #security #infosec
https://cybernews.com/news/russian-cyber-gang-mimics-job-candidates/
Hot off the press: CISA adds one to the Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation:
- CVE-2023-6448 [nvd.nist.gov] (9.8) Unitronics Vision PLC and HMI Insecure Default Password
CBS Pittsburgh reported [www.cbsnews.com] on 25 November that a booster station belonging to the Municipal Water Authority of Aliquippa Pennsylvania had been hacked by an Iranian-backed cyber group called "Cyber Av3ngers." CISA put out remediation steps [www.cisa.gov] for securing Unitronics PLCs. By Friday evening, the US Government publicly attributed the attacks and Cyber Av3ngers' persona to Iran's IRGC [www.cisa.gov].
"Unitronics Vision Series PLCs and HMIs use default administrative passwords. An unauthenticated attacker with network access to a PLC or HMI can take administrative control of the system"
It's December and that’s always a time for fancy food, drinks and... statistics! Since my job is focused on the cybersecurity of OT devices I did some number crunching based on the ICS (Industrial Control Systems) advisories published by CISA: here's a short thread
#ics #ot #cybersecurity
If you want to get your freak on, and use, or have used, #HULU, go to their privacy section and request a 'Right to Know' privacy report of the personal information they have about you. #Privacy
I did because I haven't used Hulu, or been to their website, for many, many years and they sent me a birthday discount coupon.
What is most alarming is who they think I am as determined by their "Tastes and Onboarding" #algorithm.
Meta’s new #AI image generator was trained on 1.1 billion #Instagram and #Facebook photos
Just remember, even if you don’t have or don’t actively use either, friends or family members _could_ have posted photos including you… which may have been included in this training data.
Then again, it’s not like they ask consent or notify you if your image/likeness is used.
According to #meta, if your Instagram or Facebook photos are set to private then they weren’t included in training. No way to really verify (that I am aware of) and this policy could change at any time.
When I look at all the blocked tracking domains and sites on my pi-hole, I wish I'd set up the pi-hole a looooong time ago.
If you haven't set up a pi-hole for your home (or work) network yet, it's well past time...
Now if I could just get my wife to stop using Google and Chrome...
There's a link on how to set up your own pi-hole in this article:
there is no such thing as a backdoor just for [insert group]
it's an exploitable opening for anyone determined and skilled enough
@avoidthehack Didn't cover push notifications here, but I do delve into why #metadata is actually important and how metadata collection/oversharing can still compromise your #privacy here.
Metadata is in everything you do on a computer. Most commonly, metadata is described as attached to messages (who + when a message was sent at its most basic), photos, and files.
Apple reveals ‘push notification spying’ by foreign governments, after open letter
Apple (and #Google) have been getting served with requests for push notification data on user devices + gag orders surrounding the actual request.
This is a good example of #metadata and its impact on #privacy - in many cases, the requests won't be able to serve actual contents of something like a message (assuming end-to-end encryption is used), but the push notification itself is metadata.
In the future, #Apple says these types of requests will be disclosed in its transparency reports.
IVPN for iOS (v2.11.1) is out with blocking option for LAN traffic when connected to an untrusted network, improved widget prompt controls and numerous fixes. Full changelog: https://github.com/ivpn/ios-app/blob/develop/CHANGELOG.md
#Proton Pass Plus plan now includes the Proton Sentinel high-security program
The Proton Sentinel program uses machine-derived indicators and human intelligence to help prevent threat actors from accessing your data even if they have successfully stolen your Proton account credentials.
absurdity levels are critical
(100%) ■■■■■■■■■■
Microsoft Outlook Blocking All Email from @tutanota.com Domain as #Spam
According to Tuta @Tutanota, Microsoft has flagged the entire `tutanota.com` domain as spam. Users are unable to deliver mail to Outlook accounts.
Similar to the problem around this time in 2022 where #Microsoft Teams did not allow users to register with a `tutanota.com` email address.
#privacy #privacymatters #email
https://tuta.com/blog/outlook-falsely-marks-tutanota-emails-as-junk
PSA: Fake CVE-2023-45124 #Phishing #Scam Tricks Users Into Installing Backdoor Plugin
WordPress site administrators beware. This campaign tricks users into downloading a malicious #wordpress plugin that creates a malicious admin user and opens a backdoor, establishing contact with the threat actor's command and control (C2) server.
Do not install updates using links from emails or websites. Always update programs/apps using the system's package handler or the update in the application itself!