Tag security

from @BlackHatEvents USA 2016: A Journey From #JNDI/LDAP Manipulation to Remote Code Execution Dream Land by @pwntester and @olekmirosh blackhat.com/docs/us-16/mat… now the exploit vector presented in 2016 is the #log4jRCE. attached slide #11 from the presentation below. :)

an0n (@an0n_r0)Sat, 11 Dec 2021 12:23 GMT

I see folks making fun of the CVE issued for the default password on Raspberry Pi I personally want to see CVEs for EVERY _static_ default credential. I want it to show up in searches for the vendor name or product, CVE counts for a vendor, and in risk ratings for the product.

Tom Sellers (@TomSellers)Wed, 08 Dec 2021 16:54 GMT

I'm a tech guy and I can say with confidence I've lost every private key I've ever held within three years or so. Excited to see this important technology go mainstream with no recourse and tied to real assets. Please share your own stories in the comments!

Post details

One of the most significant side-effects of the rise of crypto is we're *finally* giving everyone a public/private key pair What cypherpunks had tried unsuccessfully to do for yrs w/ ideology is happening w/ crypto incentives This has *far* reaching consequences warning long🧵

brantly.eth (@BrantlyMillegan)Mon, 03 May 2021 17:26 +0000

Pinboard (@Pinboard)Sun, 28 Nov 2021 01:32 GMT

What attackers don't want you to know

Brains93 (@Brains933)Fri, 26 Nov 2021 09:25 GMT

This is (one of many reasons) why Government websites need proper vulnerability disclosure programmes. We (CDDO) are looking at security.txt github.com/alphagov/open-… It's already deployed on some .gov.uk websites.

Post details

A reporter at @stltoday discovered a flaw in a state website that risked exposure of teacher Social Security numbers. He notified the state of the problem and it was fixed. Today, @GovParsonMO labeled the reporter a 'hacker' & vowed criminal prosecution. missouriindependent.com/2021/10/14/mis…

Jason Hancock (@J_Hancock)Thu, 14 Oct 2021 15:32 +0000

Terence Eden (@edent)Thu, 14 Oct 2021 17:24 +0000

https://twitter.com/GovParsonMO/status/1448697775068229635

Nothing was "converted" or "decoded." You literally open a web page, right click, and select "view source code." The SSNs were plainly visible.

This Is Exhausting (@SHockeyfan)Thu, 14 Oct 2021 17:23 +0000

https://twitter.com/GovParsonMO/status/1448697775068229635

Accessing publicly available information is not hacking. By having the information so easily available, the website did implicitly grant permission to view it.

Ryan King (@rexaliquid)Thu, 14 Oct 2021 17:42 +0000

Oh word? Every time I've accidentally hit F12 I was hacking? I am a master hacker now. Bow before me.

Post details

https://twitter.com/GovParsonMO/status/1448697772799049730

A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert and decode the code.

Governor Mike Parson (@GovParsonMO)Thu, 14 Oct 2021 17:10 +0000

High King Pilnokula, An Even Meaner Bisexual 🦇 (@Pilnok)Thu, 14 Oct 2021 17:29 +0000

Web developers, if you’d like iCloud Keychain, Google Chrome, or 1Password to take your users directly to your site’s change password page when their password manager encourages them to change their password, you can implement one simple URL redirect. web.dev/change-passwor…

Ricky Mondello (@rmondello)Fri, 08 Oct 2021 15:55 +0000

Site: Choose a password Me: oGUWi4!N^*5!y7MkiZnr Site: Must be under 13 letters Me: Pye8z#&9F2Ta Site: No symbols Me: TrbqhSVthFoP Site: No pasting Me: 123456

Jon Kuperman (@jkup)Sat, 17 Jul 2021 20:22 +0000

A telco injecting ads into 2FA SMSs feels… wrong (see thread)

Post details

I just received a two factor authentication SMS from Google that included an ad. Google's own Messages SMS app flagged it as spam. What a shameful money grab.

Chris Lacy (@chrismlacy)Tue, 29 Jun 2021 04:18 +0000

Troy Hunt (@troyhunt)Tue, 29 Jun 2021 20:05 +0000

New emojis in iOS 14.5 means that BILLIONS of security patches will be applied today. Incentives matter.

Ryan Naraine (@ryanaraine)Mon, 26 Apr 2021 15:44 +0000

Yesterday I announced HACKED - Fixing hacked WordPress site Workshop. For details eventbrite.co.uk/e/hacked-fixin… TLDR; Join me on the 22nd & 29th of April for 2 sessions on identifying & fixing hacked WordPress sites. Early bird tickets on sale now.

Tim Nash (@tnash)Wed, 17 Mar 2021 09:33 GMT

Followed a tutorial and put JWTs in localStorage? If the guy behind UNPKG wanted to, he could inject code to JS requests and collect all of your users JWTs. Same w/ any 3rd party scripts you use. 2B req/mo is a lot of tokens. I put that crap in signed, https, SameSite cookies.

Ryan Florence (@ryanflorence)Fri, 12 Mar 2021 18:02 GMT