Rep. Jeffries: There are more than 300 bipartisan votes in the House to pass the #National#Security bill today. It’s not too much to ask that we get a #vote and actually let the House work its will as opposed to allowing Trump to work his will and block our National Security priorities.
"An operator of a messaging service wishing to introduce an advanced security feature would now have to first let the Home Office [UK] know in advance."
Secure IT systems prevent fraud in commercial transactions and protect our private lives from undue intrusions.
If the UK government were concerned about national security, they’d want to encourage (rather than delay) security updates or end to end encryption.
@pypi now requires #2FA for new user registrations in order to publish or create new projects. This is part of a broader effort to require 2FA for all users of #PyPI by the end of 2023.
Do not kill the password! In the US at least, passwords are considered knowledge, so you are constitutionally protected from revealing passwords as per the 5th amendment of the US Constitution. That means the government can't legally get the password out of you. Biometrics, on the other hand, are not considered knowledge, and the government can force your hand (sometimes literally) for your biometrics to unlock something.
Smartphones using the Snapdragon 630 chip were found to call home to Qualcomm without the consent of the user, bypassing the whole operating system. Data includes unique hardware ID, current IP, country, your ISP, list of installed apps and other data.
Hey friends, software updates are really important, so make sure you're grabbing them when they're available. This is a reminder to check for updates for your phone, your computer, your web browser, and anything else that you might be using. If you're not using something regularly, consider uninstalling or removing it.
Regarding xz-utils backdoor (liblzma5): Right now no Debian stable versions are known to be affected.
Compromised packages were part of the Debian testing, unstable and experimental distributions, with versions ranging from 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1. The package has been reverted to use the upstream 5.4.5 code, which we have versioned 5.6.1+really5.4.5-1. Debian #Linux 12/11/10 appears safe. Taken from https://lists.debian.org/debian-security-announce/2024/msg00057.html #infosec #security
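A worked check added here, not part of the advisory or of any post above: given the version string dpkg reports for liblzma5, decide whether it falls inside the compromised range the advisory lists (5.5.1alpha-0.1 up to and including 5.6.1-1). Debian version ordering is not plain string or numeric comparison (digit runs compare numerically, "~" sorts below everything including the end of the string, and "+really5.4.5" sorts above a bare "5.6.1", which is exactly why the reverted package upgrades over the compromised one), so the comparison below reimplements dpkg's verrevcmp() ordering rather than guessing. The sample version strings in the block are constructed inputs chosen to sit inside and outside the announced range; the assumed helper names (parse_version, compare, is_affected) are this example's own.

```python
"""Is an installed liblzma5 version inside the range the Debian advisory
lists as compromised?  Version ordering follows dpkg's algorithm; on a
Debian host the authoritative tool remains `dpkg --compare-versions`."""

AFFECTED_LOW = "5.5.1alpha-0.1"   # first compromised upload, from the advisory
AFFECTED_HIGH = "5.6.1-1"         # last compromised upload, from the advisory


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"


def _order(c: str) -> int:
    """dpkg's character weight: '~' sorts before anything (even end of
    string), end of string before letters, letters before other symbols."""
    if _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments like dpkg's verrevcmp(): alternate
    non-digit runs (weighted by _order) with digit runs (compared
    numerically, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and _isdigit(a[i]) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1   # a has more digits in this run, so it is numerically larger
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str) -> tuple[int, str, str]:
    """Split a Debian version into (epoch, upstream_version, debian_revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:                  # no Debian revision at all (native package)
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def is_affected(installed: str) -> bool:
    """True when the installed version lies within [AFFECTED_LOW, AFFECTED_HIGH]."""
    return compare(installed, AFFECTED_LOW) >= 0 and compare(installed, AFFECTED_HIGH) <= 0


if __name__ == "__main__":
    # Constructed sample versions: a 5.4.x build like stable ships, a
    # testing/unstable upload inside the range, the upper bound itself,
    # and the reverted "+really" package that sorts above it.
    for v in ("5.4.5-0.3", "5.6.0-0.2", "5.6.1-1", "5.6.1+really5.4.5-1"):
        print(f"{v:24} affected={is_affected(v)}")
```

On a real host, feed it the output of `dpkg-query -W -f='${Version}' liblzma5`; the same answer can be cross-checked with `dpkg --compare-versions <installed> ge 5.5.1alpha-0.1 && dpkg --compare-versions <installed> le 5.6.1-1`.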
The Speaker of the US House of Representatives Mike Johnson has given the Ukrainian city of Avdiivka to Russia. He did this by blocking a bill that would supply ammunition to Ukrainian soldiers, despite the widespread support in Congress and the American people.
“White House National Security Council spokesperson Adrienne Watson called the withdrawal ‘the cost of Congressional inaction.’”
"KDE advises extreme caution after theme wipes Linux user's files"
"It executes rm -rf on your behalf [and] deletes all personal data immediately. No questions asked. I canceled this when it asked for my root password, but it was too late for my personal data. All drives mounted under my user were gone, down to 0 bytes. [G]ames, configurations, browser data, [and the] home folder [are] all gone."
I got laid off, along with about 10% of the company.
I'm in good shape with savings and was feeling burnt out anyway, so it's time to enjoy some time off, and figure out what I'm doing next.
Don't have a current resume, and really don't want to start looking just yet, but if you hear of an awesome, remote, senior, #infosec #security opportunity, please let me know.
Former title was Senior Security Engineer, and I'd love to find an architect role.
Reminder: 2FA is not a replacement or a supplement for a weak or reused password. 2FA will not protect you in the event that your data itself is leaked. 2FA will not somehow protect your device from malware.
2FA does not ensure that you will be safe online. It's a great security feature, but it's not magic. You should enable it when you can, but that's not all you should be doing.
You receive a call on your phone. The polite call centre worker on the line asks for you by name, and gives the name of your bank. They say they're calling from your bank's fraud department.
"Yeah, right!" You think. Obvious scam, isn't it? You tell the caller to do unmentionable things to a goat. They sigh.
"I can assure you I'm calling from Chase bank. I understand you're sceptical. I'll send a push notification through the app so you can see this is a genuine call."
Your phone buzzes. You tap the notification and this pops up on screen:
This is obviously a genuine caller! This is a genuine pop-up, from the genuine app, which is protected by your genuine fingerprint. You tap the "Yes" button.
Why wouldn't you? The caller knows your name and bank and they have sent you an in-app notification. Surely that can only be done by the bank. Right?
Right!
This is a genuine notification. It was sent by the bank.
You proceed to do as the fraud department asks. You give them more details. You move your money into a safe account. You're told you'll hear from them in the morning.
This is reasonably sophisticated, and it is easy to see why people fall for it.
The scammer calls you up. They keep you on the phone while...
The scammer's accomplice calls your bank. They pretend to be you. So...
The bank sends you an in-app alert.
You confirm the alert.
The scammer on the phone to your bank now has control of your account.
Look closer at what that pop-up is actually asking you to confirm.
We need to check it is you on the phone to us.
It isn't saying "This is us calling you" - it is quite the opposite!
This pop-up is a security disaster. It should say something like:
Did you call us?
If someone has called you claiming to be from us hang up now
[Yes, I am calling Chase] - [No, someone called me]
I dare say most people would fall for this. Oh, not you! You're far too clever and sceptical. You'd hang up and call the number on your card. You'd spend a terrifying 30-minute wait on hold to the fraud department, while hoping fraudsters haven't already drained your account.
But even if you were constantly packet sniffing the Internet connection on your phone, you'd see that this was a genuine pop-up from your genuine app. Would that bypass your defences? I reckon so.
Criminals are getting increasingly good at this. Banks are letting down customers by having vaguely worded security pop-ups which they know their customers don't read properly.
And, yes, customers can sometimes be a little gullible. But it is hard to be constantly on the defensive.