When did it become law to require #2FA if customer info is on a server??
Alternatively, what companies are making that shit up so that they can force 2FA??
And stop this madness convincing people to use 2FA when they don't even know what it's called or how it actually works other than "they send a code to your phone"!!
Most of these are here for having length maximums and/or restrictions on special characters which, given we live in Ye Moderne Times and best practice password advice is to use pass phrases, is, uh. Yeah.
@carlypage Maybe it’s overly draconian, but my first impulse when I see things like this is to legally forbid vendors that lose control of patient data like that from calling their products and services HIPAA-compliant. Because they no longer are, and the stakes are just so high. #uspolitics #healthcare #InfoSec
The Pen Test Diaries allow you to follow penetration tester Laura Knight through the technical and non-technical processes involved in testing an organisation's information security measures.
Based on the author's real world experiences, the diaries tell fictionalised versions of penetration testing discoveries.
Excellent analysis, explanation and exploitation of CVE-2019-5736: a vulnerability in runC (Docker) that allows an attacker to gain root privileges.
(credits Yuval Avrahami)
Two weeks ago I had the chance to learn new recon techniques from the great Jason Haddix at #RSAC2023 and now I have more domains than I can handle. I built a tool to organize and sort the data called Recon MindMap.
Recon MindMap (RMM) can receive data from a pipe or read it from a file. It automatically organizes the data into a hierarchy and sorts it alphabetically, and it generates output in JSON, Markdown or plain text compatible with mind-map tools like Obsidian or Xmind.
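The organize-and-sort step described above, as an added example that is not part of the original post and not the Recon MindMap project's own code. It assumes a hierarchy built from hostname labels right to left (TLD, then registered domain, then each subdomain label), which is my own guess at a sensible structure, not RMM's documented one; the hostname list is constructed for the example.

```python
"""Turn a flat list of hostnames into a sorted hierarchy and render it.

Added example; assumes a TLD -> domain -> subdomain nesting (my assumption,
not Recon MindMap's documented layout). Reads stdin or a file when run as a
script, otherwise uses the constructed sample below.
"""
import json
import sys

# Constructed sample input: the kind of list a recon run produces, with
# mixed case and a duplicate to show the normalization step.
SAMPLE_HOSTS = """
api.dev.example.com
www.example.com
example.com
mail.example.org
dev.example.com
API.dev.example.com
static.cdn.example.net
"""


def parse_hosts(text):
    """Normalize hostnames: lowercase, strip whitespace and trailing dots,
    drop blank lines and exact duplicates, preserving first-seen order."""
    seen = set()
    hosts = []
    for line in text.splitlines():
        host = line.strip().lower().rstrip(".")
        if not host or host in seen:
            continue
        seen.add(host)
        hosts.append(host)
    return hosts


def build_tree(hosts):
    """Nest labels right to left, so 'api.dev.example.com' becomes
    {'com': {'example': {'dev': {'api': {}}}}}.

    Caveat: this splits purely on dots, so a multi-label public suffix such
    as 'co.uk' becomes two levels. A production tool should consult the
    Public Suffix List to find the registered domain instead."""
    tree = {}
    for host in hosts:
        node = tree
        for label in reversed(host.split(".")):
            node = node.setdefault(label, {})
    return tree


def sort_tree(tree):
    """Return a copy with keys sorted alphabetically at every level."""
    return {label: sort_tree(children) for label, children in sorted(tree.items())}


def to_markdown(tree, depth=0):
    """Indented '- label' lines, the list form Obsidian and Xmind import."""
    lines = []
    for label, children in tree.items():
        lines.append("  " * depth + "- " + label)
        lines.extend(to_markdown(children, depth + 1))
    return lines


def to_text(tree, depth=0):
    """Plain indented text without list markers."""
    lines = []
    for label, children in tree.items():
        lines.append("  " * depth + label)
        lines.extend(to_text(children, depth + 1))
    return lines


def render(tree, fmt):
    """Serialize the sorted tree as 'json', 'markdown' or 'text'."""
    if fmt == "json":
        return json.dumps(tree, indent=2)
    if fmt == "markdown":
        return "\n".join(to_markdown(tree))
    if fmt == "text":
        return "\n".join(to_text(tree))
    raise ValueError("unknown format: %s" % fmt)


def organize(text):
    """Full pipeline: parse, build the hierarchy, sort it."""
    return sort_tree(build_tree(parse_hosts(text)))


if __name__ == "__main__":
    # Usage: python organize_hosts.py [markdown|json|text] [file]
    fmt = sys.argv[1] if len(sys.argv) > 1 else "markdown"
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            data = fh.read()
    elif not sys.stdin.isatty():
        data = sys.stdin.read()
    else:
        data = SAMPLE_HOSTS
    print(render(organize(data), fmt))
```

Piping a subdomain enumeration tool's output into this script yields a Markdown outline grouped by TLD and registered domain; the dedup step matters because recon tools often emit the same host in different case.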
It's 2023 and yet password hashes can be trivially dumped from memory and decoded since they use known-broken algorithms. And information exfiltration can defeat so-called endpoint protection by being fast enough. What?!
Running any kind of business-critical process on windows systems is nothing but gross negligence. If you have a ransomware attack you're the problem, not the victim. #infosec
For anyone with a youtube channel specifically for hacking/infosec... did you guys start out with a set path?
I'm going to be working off of a very budget setup, but my idea is to start out small with 15 to 20 minute videos. I want to cover several topics, specifically hacking on a budget (I have a lot to share on this), hardware, OSINT, possibly recent news, and recent hacks by gangs, APTs, hacking groups, etc.
I'm kind of going off into the unknown with this and not expecting to become big anytime soon, but I want to at least try.
I am also trying to figure out what to do with a Patreon and at the moment I don't even have a phone plan so not even sure if the content I will make will be any good.
Just witnessed this guy trying to explain ARP Poisoning (incorrectly) to a female network admin/#redteam #infosec friend and I admit, I was torn between calling him on it or checking to see if anyone had invented the term LAN-splaining yet.
DataBreaches looks for provisions in settlements that require improved data security. Some settlements do not seem to include much provision for that. And some keep those provisions confidential. In these two cases, one kept it confidential but the other one spelled out changes.
Would love to see some lawyers go through all the settlements involving patient data and see how much improvement in data protection is being written into settlements to reduce risk of future attacks.
Digital wellbeing move of the week: I set up an e-mail address for the sole purpose of signing up to newsletters. From idea to action in just 3 years, wow.