Monday, July 17, 2023

Like stealing healthcare data from a law firm

from here and here

Apparently if you suffer a data breach, the data in question may at some point end up in the hands of a law firm. The problem, however, is that law firms are not magically secure, so it's possible for the data to be stolen a second time - which one law firm is finding out the hard way. As data breaches continue I have a feeling we may see this happen more frequently.

Thursday, July 13, 2023

The patches that never end

from here and here

Maybe you thought Internet Explorer would be ancient history by now, but unfortunately Microsoft is still making security updates for it.

Worst Wifi Password Ever

Watch on YouTube

Tricky passwords can be a double-edged sword. You have to make sure they aren't more trouble than they're worth.

Monday, July 3, 2023

Someone needs a longer sentence

from here and here

I've heard of individuals being threatened and harassed online before, but a dictionary? That takes a special sort of irrationality, which you'd think would make them extra dangerous, but apparently the judge felt otherwise.

Protection isn't always effective

found on Dump A Day

Something that we must all keep in mind is that there is no protective measure that is perfect. They all fail under the right (wrong) circumstances.

Friday, June 30, 2023

Time to sharpen some wooden stakes

from here and here (image source)

If you look closely at the right-hand side it does seem to be bent outwards, which suggests the force came from inside the cemetery. It's also fairly low to the ground, which makes me wonder - is this a pet cemetery?

"Relevant" ads are creepy AF

found on Reddit

Presumably they can't actually read your mind. I assume they just correctly recognize that you're similar to people who have expressed the same thoughts you've only ever thought inside your head and are acting on that similarity, but it's still creepy.

Thursday, June 29, 2023

A little TOO 'universal'

from here and here

A lot of things went wrong with Kias and Hyundais to allow them to be stolen as easily as they have been, but one that stands out to me is that there's a receptacle the same size as a USB plug that you can just plug a USB charging cable into and twist like a key to start the engine.

Password policy frustration

Watch on YouTube

The better designed systems will show you the full set of password policies all at once rather than revealing them individually like this. That way the user should be able to create a new password with the fewest number of failed attempts.
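To make the difference concrete, here is an added example (my own illustration, not code from the blog or from any real login system) that checks a candidate password against a constructed policy two ways: stopping at the first violated rule, the way the video's form does, and reporting every violated rule at once. The rule thresholds, the deny-list and the simulated "user fixes exactly what the form told them" behaviour are all assumptions made for the demonstration.

```python
import re

# Constructed deny-list and policy thresholds; assumptions for this example,
# not the rules of any real product.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

# Each rule is (description shown to the user, predicate that returns True when satisfied).
RULES = [
    ("be at least 12 characters long", lambda p: len(p) >= 12),
    ("contain an uppercase letter", lambda p: re.search(r"[A-Z]", p) is not None),
    ("contain a lowercase letter", lambda p: re.search(r"[a-z]", p) is not None),
    ("contain a digit", lambda p: re.search(r"[0-9]", p) is not None),
    ("contain a symbol", lambda p: re.search(r"[^A-Za-z0-9\s]", p) is not None),
    ("contain no whitespace", lambda p: re.search(r"\s", p) is None),
    ("not be a commonly used password", lambda p: p.lower() not in COMMON_PASSWORDS),
]


def first_failure(password):
    """Reveal-one-at-a-time style: return only the first rule the password violates."""
    for description, satisfied in RULES:
        if not satisfied(password):
            return description
    return None


def all_failures(password):
    """Show-everything style: return every rule the password violates, in policy order."""
    return [description for description, satisfied in RULES if not satisfied(password)]


# Simulated user behaviour (an assumption): for each rule the form complains about,
# the user makes the smallest edit that addresses that one rule.
FIXES = {
    "be at least 12 characters long": lambda p: p + "x" * max(0, 12 - len(p)),
    "contain an uppercase letter": lambda p: p + "A",
    "contain a lowercase letter": lambda p: p + "a",
    "contain a digit": lambda p: p + "7",
    "contain a symbol": lambda p: p + "!",
    "contain no whitespace": lambda p: "".join(p.split()),
    "not be a commonly used password": lambda p: p + "-not-common",
}


def failed_attempts(password, reveal_all):
    """Count how many submissions are rejected before the simulated user gets a password accepted."""
    attempts = 0
    for _ in range(len(RULES) + 1):  # a fix never breaks another rule here, so this bound is enough
        if reveal_all:
            problems = all_failures(password)
        else:
            first = first_failure(password)
            problems = [first] if first else []
        if not problems:
            return attempts
        attempts += 1
        for description in problems:
            password = FIXES[description](password)
    raise RuntimeError("simulated user could not satisfy the policy")


if __name__ == "__main__":
    candidate = "password"  # constructed sample input
    print("first failure only:", first_failure(candidate))
    print("all failures:", all_failures(candidate))
    print("rejections, one rule at a time:", failed_attempts(candidate, reveal_all=False))
    print("rejections, all rules at once:", failed_attempts(candidate, reveal_all=True))
```

With the constructed input "password", the one-at-a-time form rejects the user four times (length, then uppercase, then digit, then symbol), while the form that lists every rule up front rejects them once; the deny-list hit disappears as a side effect of the other fixes. Whichever style the UI uses, the server should still validate with `all_failures` and never trust the client's claim that the policy was met.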

Wednesday, June 28, 2023

What gave it away?

from here and here

I suppose you don't necessarily have to be a master of operational security to be a flight attendant, but if you're going to call in a bomb threat on the plane your ex-boyfriend is on then a bit of opsec would probably help.

Why we need end-to-end encrypted messaging

found on 9Gag

I think we can all agree that we'd like to be able to speak privately with the important people in our lives and that some of the things we share would be deeply embarrassing if they were revealed to a wider audience. I'm sure we'd all like to be able to enjoy the freedom to communicate that way, but it's hard to feel that free when we hear about how the authorities are spying on our communications.

Tuesday, June 27, 2023

Fundamentals First

from here and here

Yes, there is a novel side-channel attack that involves video recording of power LEDs, and yes, I'm sure it's important to protect your smart card readers against such an attack, but I'm also fairly certain most information security departments are still struggling to deal with phishing and ransomware and aren't anywhere near being in a position where dealing with this novel (and frankly low probability) attack is the best use of their resources.

In OWASP We Trust mug

Product Page

If you're in software development, raise some awareness around the office of the OWASP Top 10 vulnerabilities. They're still being found in software even after all this time, which means not enough effort is being made to avoid them.

Monday, June 26, 2023

Stolen And Purchased

from here and here

I'm kind of surprised that SAP's first clue they had a data breach was when they purchased their own hard drive off of eBay. But if people can just waltz out of their data center with hard drives in their pockets or something then I guess I shouldn't be surprised after all.

That mental image, though

found on Reddit

Deterrence is ultimately a mental exercise; it operates on the mind of the people you hope to deter. As such, it's probably a good thing to try things a little off the beaten path because "Danger!" and "Keep Out!" are things people have seen a million times and so are desensitized. This one paints a very evocative mental image, though maybe it sparks a bit too much curiosity.

Friday, June 23, 2023

"Smart" Armour

from here and here (image source)

Of course the person whose phone saved them from a bullet was actually just really, really lucky. Phones aren't bulletproof, and body armour made out of them would cost far more than they'd be worth. Of course if you did do it then you'd probably want the phones to partially overlap each other, like dragon skin body armour, rather than what the guy above was doing.

Sometimes the obvious countermeasures are the easiest ones to forget

found on Reddit

Stay out of the water, stay out of the bad part of town, stay out of untrustworthy websites, etc. If you always remember those sorts of obvious things, good for you, but plenty of people need reminders, and some never knew in the first place. So don't just remember for your own sake, remember to share those steps with others as well.

Thursday, June 22, 2023

One way to make cookies bite the biscuit

from here and here

Actually blocking cookies seems to create problems with a surprising number of sites, so using incognito mode or private browsing mode in other browsers to limit the lifetime of the cookies to as long as the browser window is open is the next best thing. Neither stops other forms of tracking, though.

The bear essentials of deterrence

Watch on YouTube

If you can scare away your adversary then your job is done.

Wednesday, June 21, 2023

Got it, got it, need it, got it

from here and here (source article)

I knew crooks used the MOVEit vulnerability to breach a lot of organizations, but when the number is so high that you start assuming all breaches are the same group, then things start to get a little ridiculous.

Magical "Security"

found on Harry Potter Fandom

When your security practices are informed by magical thinking, even children will find a way around your protective measures.

Tuesday, June 20, 2023

Moving your data into their hands

from here and here (image source)

The MOVEit vulnerability has been exploited far and wide, but this latest one involving the DMV seems particularly far reaching.

Mom & Hacker tote bag

Product Page

Don't sell moms short when it comes to technology in general and hacking in particular. My mom may not have been a malware reverser, but she was certainly able to exploit technological loopholes.

Monday, June 19, 2023

Jeepers creepers where'd you get those peepers

from here and here (image source)

If it weren't for the normalization of surveillance we wouldn't get amazingly disturbing images like this one.

Cursed Camouflage

found on Dump A Day

Yes, you can definitely disguise one inappropriate thing as another inappropriate thing, but when people eventually realize what they were staring at they're going to hate themselves.

Friday, June 16, 2023

You've probably never heard of it

from here and here

Whenever the topic of password managers comes up, people generally promote the one they use, but I never hear anyone promote the one I use. That's fine, it doesn't need to be popular to do its job, and in fact it might actually be better if it flies under the radar, because then it's a less tempting target for the bad guys.

The most mischievous key on the keyboard

found on Reddit

Someone needs to make a keyboard where the entire caps lock key lights up (not just a little light but the whole key) to make it more obvious when this sneaky bastard is messing things up.

Thursday, June 15, 2023

I'm in

from here and here

You shouldn't even need to do this if you're using a password manager, but lots of people don't, so if they can manage this (without reusing passwords) then more power to them.

Calling two scammers at the same time to talk to each other

Watch on YouTube

What's interesting to me is how the scammers drop all pretenses when they think they're the only ones on the line. If you ever wondered if they were aware they were scamming people, now you know.

Wednesday, June 14, 2023

Who'll be next?

from here and here

A hospital in Illinois is closing its doors (in part) because of a ransomware attack that took them offline for weeks and prevented them from submitting insurance claims, which means they couldn't make money. I'm sure the crooks responsible aren't losing any sleep over the new medical desert they've created and the deaths that will probably result when people having medical emergencies can't hold on for the now half hour it will take to get to the next closest emergency room. And because they aren't losing any sleep over it, they're probably not going to do anything to avoid doing it again.

Bring your own privacy

found on 9 Gag

I'm of two minds, here. On the one hand, being able to bring your own privacy out and about could be useful for a whole range of applications, but on the other hand, some of those applications probably shouldn't be done out in public. 

Also, it occurs to me that not being able to see what you're doing could make things problematic unless you're good at doing things by feel.

Tuesday, June 13, 2023

Should have used triangulation to find it

from here and here

The Operation Triangulation malware is far from the first malware for the iPhone, but the fact that we've reached the point that we can no longer wait for Apple to take care of such things themselves must really be eating at the old-school Apple fanbois. 

We're still stuck in a position that anti-malware apps can't scan the iPhone directly, though. That's going to make detection much less likely since few are going to go through the aggravation of making a backup so they can scan that.

Do You Even SSH? sticker

Product Page

I guess using a secure shell must be like exercising a muscle. And you definitely don't want to skip that day.

Monday, June 12, 2023

Choose your email provider wisely

from here and here

So apparently the settlement checks from the class action lawsuit against Yahoo! are finally going out, and it sounds like they're not quite the pittance I was expecting, although they're not as big as I would have hoped for either.

And what a view it is

found on Evil Milk

Imagine hating privacy... I could stop there, but imagine hating privacy so much that you do this to a space that is already notorious for not being private enough. It seems alien, but this clearly took extra effort above and beyond just erecting normal bathroom stalls.

Friday, June 9, 2023

Make some room for other things

from here and here

There's a life hack that says you should get things out of your head by writing them down so you no longer have to waste energy worrying about forgetting them, but when that comes to passwords you might want to take a little extra care and not simply write them in a notebook.

He won't suspect a thing

found on Reddit

I could see hiding packages from porch pirates, but hiding them from an occupant represents a much different threat model. In the event that you really need to hide packages from your husband, it might be better to use a strategy that focuses on you retrieving them before your husband has a chance to become aware of them rather than hoping the delivery person finds a good hiding spot that you can find but your husband can't. 

Thursday, June 8, 2023

Suddenly privacy is the least of my worries

from here and here (image source)

Isn't it funny how one small mistake can completely subvert a security control. 

Is there a good reason for bathroom stalls to lock from the outside? Maybe, but I wouldn't want to risk getting trapped in the crapper.

Never underestimate your adversary

Watch on YouTube

I'm not calling capybaras the enemy, but if you're trying to keep them in an enclosure and they're working against you then adversary definitely seems like the appropriate classification.

Wednesday, June 7, 2023

Privacy? What's that?

from here and here

Ring is in some serious trouble over its abject failure to protect the privacy of its customers from its own employees and others, but the thing that stood out to me wasn't that there was an employee abusing his/her access to the video feeds, but rather the mere fact that there were video feeds coming from people's bedrooms and bathrooms. I don't know about you but I wouldn't want people peeping on me while I poop.

It's not just you, nobody likes updates

found on Izismile

Leaving aside what I think is an uncontroversial take about applying system updates, I can't help but notice that this is eerily similar to this one I made in January of this year. The caption on the distracted boyfriend is literally the only difference and it makes me wonder if making memes more personal would also make them more relatable and thus by extension more successful. Perhaps there was a perception that by addressing all computer users I was punching down, which violates the humour principle that I generally try to follow of not punching down. I didn't think of it as a punch at all, in this case, but perhaps I misjudged. It's definitely something for me to keep in mind. 

Tuesday, June 6, 2023

Which is the real one?

from here and here (image source)

Presumably one of those doors is an actual entrance and the rest are just decoys, but you'll have to figure out which is which before you can try breaking in.

Your Hash Needs More Salt mug

Product Page

For those who get it, great, they'll understand what your mug means, and for those who don't well hopefully it'll keep them away from your coffee mug.

Monday, June 5, 2023

Low Profile Fail

from here and here

Learning that a bunch of drugs were seized with Nazi flags on them really only brings to mind one question: Who the fuck is putting Nazi flags on things in 2023? You've got to be living under a really big rock to think people in the outside world are just going to let that slide. You could put the Nazi flag on peanut butter and it's still going to draw suspicion.

Authorized Pets Only

found on Reddit

Having seen how difficult face recognition can be in humans, I don't have a lot of faith in this application either. Among all the other problems, have fun enrolling your pets when they're soaking wet, because that's what they're going to look like when they want in in a hurry.

Friday, June 2, 2023

As if you need more reasons to hate going to the dentist

from here and here

A dental health insurance company was breached and ransomed, but because they didn't pay, the data got leaked. I suppose if the crooks are going to ransom a company over its data a health insurance company seems like a pretty good bet. They've got lots of money and I don't think they can arbitrarily pass on the additional cost to their customers.

Somehow it's both more and less private than its modern counterparts

found on Izismile

It's more private because your privates have more cover, but simultaneously far more public because it's not hidden away in a public restroom somewhere. I'm not sure how I would feel if faced with the prospect of using something like this.

Thursday, June 1, 2023

No honour among thieves

from here and here

Of all the databases to leak on your hacking forum, one that exposes you and/or your own forum's users seems like one that would be considered off limits, but apparently the ExposeForums admin who leaked the RaidForums user database didn't feel the same way. If they wanted to just notify the members that their data had been breached there were other, more privacy-preserving ways they could have done it than to post the database where all could see it and misuse it.

Cutting edge security

@normalmemess

Something no one really wants to talk about is the fact that most biometric authentication is just one knife accident away from being token-based authentication.

Wednesday, May 31, 2023

I hope they protect health information better than they protect baggage

from here and here

I would probably have a pretty cavalier attitude towards an airline asking me to get on a scale, but that doesn't change the fact that it is protected health information and I'm really not sure I trust an airline to protect my health information. Also, just because I'm cavalier about it doesn't mean other people would be or should be.

Did they hand out complimentary lollipops too?

found on Dump A Day

You've got to be a special sort of sucker to not realize why the thing everyone calls a pyramid scheme gives out pyramid-shaped awards.

Tuesday, May 30, 2023

Investing in products but not people

from here and here

Too many people, especially decision makers in companies, engage in magical thinking when it comes to security software. They think you just have to "have" it or that it just has to be "active" in order to get the security benefits from it. It doesn't work that way. Security isn't a technology problem, it's a people problem, the technology is just a tool to help the people fighting the security threats. If your company doesn't have enough of those for someone to properly monitor and manage the security software...

Free Shell With Exploit sticker

Product Page

You'd probably put this on a laptop rather than a water bottle, unless you have one of those smart water bottles.

Monday, May 29, 2023

Still gotta be careful to avoid shells

from here (image source)

Long walks on the beach aren't just fun, they'll give you the strongest passwords, too.

The Deliverance Deterrent

found on Reddit

They may not know how to spell, but they sure know how to spook people.

Friday, May 26, 2023

Simon says: HODL

from here and here (image source)

Apparently the CEO of an AI company is also involved in a project that will give free cryptocurrency to people in exchange for scans of their eyeballs. They really want you to believe that it's not a dystopian nightmare, but all I can think of is how Simon Phoenix broke out of prison in Demolition Man. Even if the technology can spot attempts to trick it, some people are still going to try.