#Bluesky continues to be entirely non-responsive to the numerous security vulnerabilities I've reported to them, so I spent the evening writing up a nice README and a framework with exploit modules, and just made it all public.
Had a person send me their number as an interested buyer and told me to text them. I did (first mistake), and we arranged a meetup time. Then they asked if, for their safety, they could send me a six digit code (some of you already know where this is going) that I could repeat back to them to verify myself.
I said, "absolutely!" And sure enough, I got a Google Voice verification number. lol
If you're not familiar with the scam, shady people will take your phone number and try to create a Google Voice account with it. If you provide them with the 6-digit code that Google sends you, they can "verify" that they are you, and then basically use your phone number to run scams, commit fraud, etc. It's nasty business.
I called them out, blocked them, then reported them to the marketplace website and to the FTC--though, almost certainly, they were using the phone number of another poor soul to carry this out.
I used to work as a social engineer, running phishing campaigns (ethically, with consent lol), against Fortune 1000 companies to assess their level of vulnerability. Luckily for me, I was super familiar with this, but most of the people I told about it have said, "Oh, I probably would have fallen for that...", and even I set myself up for it.
So that is why I'm posting this. Please be aware of sketchy shit like this. If someone is asking you for a verification code over SMS or email, tread with EXTREME caution. Also, it's usually pretty shady if a stranger you're already chatting with wants to move to a new platform. Not always, but if someone emails or messages you on Facebook to ask you to text them, that's a little weird. I'd had legitimate buyers/sellers do that, so it's not unheard of, but it should put you on guard.
If you buy/sell/trade online frequently, it's a good idea to use a dedicated MySudo number, VOIP number, and/or a burner phone for that.
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.
We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.
Why is this bad?
Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵
The rogue 2FA app that steals scanned secrets is now ranked 18 on the German App Store for the productivity category. No wonder! The app disguises as a Microsoft app. It is the top hit when you search for "Microsoft Authenticator" and the developer has updated the screenshots in the ad card to highlight the word "Microsoft". Surprisingly, the product page of the app shows different screenshots with the word "Microsoft" removed.
The app now has 1.2K reviews, as opposed to 18 when we first addressed the app.
🙏 Boosting this post will help spread the word. Thank you!
If you've ever looked at SSH server logs you know what I'm about to say: Any SSH server connected to the public Internet is getting bombarded by constant attempts to log in. Not just a few of them. A lot of them. Sometimes even dozens per second. And this problem is not going away; it is, in fact, getting worse. And attackers' behavior is changing.
The graph attached to this post shows the number of attempted SSH logins per day to one of @cloudlab s clusters over a four-year period. It peaks at about 3.4 million login attempts per day.
This is part of a study we did on our production system, using logs of more than 640 million login attempts, covering more than 1,500 hosts on our side and observing more than 840 thousand incoming IP addresses.
A paper presenting our analysis and a new, highly effective means to block SSH brute force attacks ("Where The Wild Things Are: Brute-Force SSH Attacks In The Wild And How To Stop Them") will be presented next week at #NSDI24 by @sachindhke . The full paper is at https://www.flux.utah.edu/paper/singh-nsdi24
Random Website: You need to set up #2FA with your phone number!
Me: Why?
Website: In case we get hacked!
Me: I don't really care, no one even knows about this account and it doesn't have my personal information.
Website: You misunderstand, it's so that in case we get hacked, we HAVE your information to leak to the hackers. They worked hard and deserve it! Also we sell your account to ad companies but they're not interested unless they can tie it to a real person.
An incredibly technically complex #backdoor in xz (potentially also in libarchive and elsewhere) was just discovered. This backdoor has been quietly implemented over years, with the assistance of a wide array of subtly interconnected accounts:
went down to the hotel lobby to retrieve my dinner delivery in a yoga outfit + snuggly cardigan + face mask.
some men with #RSAC2024 lanyards exited the elevator as I re-entered; they turned back to look at me and one said (very loudly, very pointedly staring at me) to the other, “I was like, did you hire me a hooker?”
if you are a man attending #rsac, please shut that kind of shit down when your peers do it. let’s not let insecurity rule our #security industry.
🚨 ⚠️ Emergency PSA: A critical security exploit was discovered in the xz package recently, used for compression and decompression on nearly all Linux distributions.
Rawhide users ARE impacted and should immediately STOP using Rawhide until the package update is fully rolled back. (1/3)
✍️ Firefox Isn't Just a Browser; It Is a Web Resistance, and It's Now at Version 119
I'm baffled as to why Google Chrome still dominates the browser market when Firefox, a faster and privacy-conscious open-source browser, is readily available!
In the previous update, Firefox introduced a long-awaited feature – an automatic and customizable built-in translation. With this addition, Firefox fills a significant gap that was once held against it.
Now, with the latest update, Firefox 119 not only surpasses Chrome (I'm confident it does) but also competes with PDF editors. With great excitement, let's explore what this latest version has in store.