0x40k<p>Oh man, Fortinet *yet again*! 😅 A symlink bug that *still grants* read-only access even after updates? Seriously, that's my kind of 'funny'! 😂</p><p>It just goes to show how crucial manual testing really is. You know, the kind of thing automated scans often just don't catch. Our clients are *always* relieved when we spot these things before a malicious actor does! 👌</p><p>So yeah, updates are vital, but *don't forget* to double-check those configs! Otherwise, attackers might still have a foothold, even after you've 'patched'.</p><p>Just remember: Security isn't just a product you buy; it's an ongoing process. And let's be real, it also needs to fit the budget. 🤷♂️</p><p>What persistence tricks do you all have up your sleeve? 🤔</p><p><a href="https://infosec.exchange/tags/Pentest" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Pentest</span></a> <a href="https://infosec.exchange/tags/Fortinet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Fortinet</span></a> <a href="https://infosec.exchange/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a> <a href="https://infosec.exchange/tags/OffensiveSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OffensiveSecurity</span></a> <a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a></p>
Recent searches
No recent searches
Search options
Not available on dice.camp.
dice.camp is one of the many independent Mastodon servers you can use to participate in the fediverse.
A Mastodon server for RPG folks to hang out and talk. Not owned by a billionaire.
Administered by:
Server stats:
1.7Kactive users
dice.camp: About · Profiles directory · Privacy policy
Mastodon: About · Get the app · Keyboard shortcuts · View source code · v4.3.7
#securityfail
0 posts · 0 participants · 0 posts today
XenoPhage :verified:<p>Why is it that Home Depot has passkey support and my bank still wants me to answer those three questions?</p><p><a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a> <a href="https://infosec.exchange/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a> <a href="https://infosec.exchange/tags/FacePalm" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FacePalm</span></a></p>
Suzanne Aldrich (she/her)<p>Critical Next.js Middleware Vulnerability (CVE-2025-29927)</p><p>A major auth bypass vulnerability in Next.js middleware (prior to v14.2.25 / v15.2.3) allows attackers to inject the x-middleware-subrequest header and bypass authorization entirely. Exploitable via simple HTTP requests—no user interaction, no special permissions.</p><p>Patch. Now. Or block the header manually.</p><p>GitHub scored this 9.1 CRITICAL, but the real issue? This flaw exposes a systemic weakness in middleware validation, and some vendors weren’t exactly upfront about the risks.</p><p>Details + POC: <a href="https://zeropath.com/blog/nextjs-middleware-cve-2025-29927-auth-bypass" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">zeropath.com/blog/nextjs-middl</span><span class="invisible">eware-cve-2025-29927-auth-bypass</span></a><br>NVD: <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-29927" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">nvd.nist.gov/vuln/detail/CVE-2</span><span class="invisible">025-29927</span></a></p><p>Security theater is easy. Secure defaults and transparency are harder—but essential.</p><p><a href="https://hachyderm.io/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://hachyderm.io/tags/AppSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AppSec</span></a> <a href="https://hachyderm.io/tags/NextJS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NextJS</span></a> <a href="https://hachyderm.io/tags/CVE202529927" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CVE202529927</span></a> <a href="https://hachyderm.io/tags/middleware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>middleware</span></a> <a href="https://hachyderm.io/tags/securityfail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>securityfail</span></a></p>
Todd A. Jacobs | Pragmatic Cybersecurity<p>This isn't Apple's fault, as it still has to follow local laws to sell its products. However, this is a huge <a href="https://infosec.exchange/tags/securityfail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>securityfail</span></a>.</p><p>Even though Apple no longer fights for mindshare in the enterprise computing market as it once did, this will force companies that require secure data to either avoid iCloud-enabled apps altogether—which can be hard to do on a Mac—or stop using Macs altogether for anything that processes <a href="https://infosec.exchange/tags/PII" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PII</span></a>, <a href="https://infosec.exchange/tags/PHI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PHI</span></a>, or even proprietary <a href="https://infosec.exchange/tags/sourcecode" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>sourcecode</span></a>. </p><p>In particular, many <a href="https://infosec.exchange/tags/softwaredevelopers" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>softwaredevelopers</span></a> prefer <a href="https://infosec.exchange/tags/MacBooks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MacBooks</span></a> since they offer a mainstream user experience but run <a href="https://infosec.exchange/tags/Unix" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Unix</span></a> under the hood. If they can't use MacBooks anymore for security reasons, companies will have to rethink some of their long-standing laptop and desktop <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> practices.</p><p><a href="https://www.bbc.com/news/articles/cgj54eq4vejo" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bbc.com/news/articles/cgj54eq4</span><span class="invisible">vejo</span></a></p>
Frank Filippone<p>Was slightly amused earlier today when looking at Task Manager on a Windows server and found a properly ancient version of TeamViewer running on it.</p><p>Did I mention this server has direct internet access?</p><p>And is part of the security system for this site?</p><p><a href="https://aus.social/tags/it" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>it</span></a> <a href="https://aus.social/tags/itsecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>itsecurity</span></a> <a href="https://aus.social/tags/securityfail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>securityfail</span></a></p>
🅰🅻🅸🅲🅴 (🗑️🔥)<p>I know I'm late to the NPD-bashing party, but the complete disregard for other's privacy they've shown warrants another go at them.</p><p>The fact that these companies buy, scrape, and steal our data, then compile it into a dox-bomb and secure it behind a "do not breach k thx" high-security post-it note, just fucking riles me.</p><p>And because it's "publicly available" data, the repercussions of any breach typically amount to having to write a whoopsie apology email and maybe offer an identity scraping—er protection—subscription.</p><p>It blows my mind that these parasites are legal-ish businesses. They basically provide doxxing as a service.</p><p><a href="https://infosec.exchange/tags/NPD" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NPD</span></a> <a href="https://infosec.exchange/tags/Data" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Data</span></a> <a href="https://infosec.exchange/tags/Breach" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Breach</span></a> <a href="https://infosec.exchange/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a></p>
Asta McCarthy<p><span class="h-card" translate="no"><a href="https://mastodon.nl/@AlmereSP" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>AlmereSP</span></a></span> Want USA "publieke"cloud bedrijven zijn echt de enige die veilig een mailserver kunnen draaien :blobfacepalm:<br><a href="https://arstechnica.com/information-technology/2024/04/microsoft-blamed-for-a-cascade-of-security-failures-in-exchange-breach-report/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">arstechnica.com/information-te</span><span class="invisible">chnology/2024/04/microsoft-blamed-for-a-cascade-of-security-failures-in-exchange-breach-report/</span></a><br><a href="https://mastodon.pirateparty.be/tags/Microsoft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Microsoft</span></a> <a href="https://mastodon.pirateparty.be/tags/cloud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cloud</span></a> <a href="https://mastodon.pirateparty.be/tags/cascadefailures" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cascadefailures</span></a> <a href="https://mastodon.pirateparty.be/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a></p>
Andres S<p>I installed <a href="https://social.ridetrans.it/tags/LibreElec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LibreElec</span></a> on a pi4. During setup, it asked if I wanted to enable sshd (which, like, *of course* I do).</p><p>Then it told me the default login and password, and suggested that I change the password. Okay, sure, good idea. I tried a shared, memorable password I use for home appliance devices (NAT'd & only accessible via sudo, as I use ssh keys). "Password too weak", and it didn't allow it. I tried two other passwords, both rejected. So I left it at the default. <a href="https://social.ridetrans.it/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a></p>
Asta McCarthy<p><span class="h-card" translate="no"><a href="https://mastodon.online/@bartgroothuis" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>bartgroothuis</span></a></span> Security by obscurity is een slecht idee.<br><a href="https://mastodon.pirateparty.be/tags/opensource" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>opensource</span></a> werken en onafhankelijke code reviews zijn een veel veiligere aanpak. <br><a href="https://mastodon.pirateparty.be/tags/microsoft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>microsoft</span></a> <a href="https://mastodon.pirateparty.be/tags/securityfail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>securityfail</span></a></p>
Emelia 👸🏻<p>This form here transmits your encryption key to Backblaze's servers, but they pinky promise never to use it or store it. <a href="https://hachyderm.io/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a> <a href="https://hachyderm.io/tags/Security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Security</span></a> <a href="https://hachyderm.io/tags/Backblaze" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Backblaze</span></a></p>
Emelia 👸🏻<p>I'm trying out Backblaze for backups, and setup an encryption key. Turns out if you ever use the “View/Restore Files" feature on their website, they send the full encryption key to their remote server.</p><p>Which completely and absolutely defeats the point of the encryption key, because now they have a copy of the encryption key.</p><p><a href="https://hachyderm.io/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a> <a href="https://hachyderm.io/tags/Security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Security</span></a> <a href="https://hachyderm.io/tags/Backblaze" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Backblaze</span></a></p>
C.<p>Bank emails: Never click links in emails claiming to be from us, your bank! It's not safe.</p><p>Also Bank emails: To complete this transaction, click this link.</p><p><a href="https://mindly.social/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a> <a href="https://mindly.social/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a> <a href="https://mindly.social/tags/fail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>fail</span></a> <a href="https://mindly.social/tags/stupidity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>stupidity</span></a> <a href="https://mindly.social/tags/idiocy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>idiocy</span></a> <a href="https://mindly.social/tags/email" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>email</span></a> <a href="https://mindly.social/tags/scam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>scam</span></a></p>
Claudius Link<p>Moving on to <a href="https://infosec.exchange/tags/Password" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Password</span></a> <a href="https://infosec.exchange/tags/Guidance" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Guidance</span></a> in general</p><p>Microsoft offers the following Password Guidance<br><a href="https://www.microsoft.com/en-us/research/publication/password-guidance/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">microsoft.com/en-us/research/p</span><span class="invisible">ublication/password-guidance/</span></a></p><p>Side note, the PDF contains no (visible) version information or date :-(<br>Please, if you publish guidance, especially if you are an influential company, include a date in your documents. I treat a guidance form 2016 differently than a guidance from 2023</p><p>Back to the recommendations. Most of the are solid but some stick out</p><p>1. Maintain an 8-character minimum</p><p>That seem awfully short. <a href="https://infosec.exchange/tags/NIST" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NIST</span></a> states "Longer is better", the <a href="https://infosec.exchange/tags/HPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HPI</span></a> recommends 15+ characters and, wait for it, Microsoft themself recommends 12 or better 14+ characters.</p><p>4. Ban common passwords, to keep the most vulnerable passwords out of your system.</p><p>The <a href="https://infosec.exchange/tags/NIST" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NIST</span></a> recommendation check against "commonly used and compromised passwords" considerably extends this!</p><p>Microsoft at other places recommends "Not a word that can be found in a dictionary or the name of a person, character, product, or organization."</p><p>5. Educate your users not to re-use their password for non-work-related purposes.</p><p>Work related reuse is OK????</p><p>I would love to know if <a href="https://infosec.exchange/tags/Microsoft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Microsoft</span></a> internally really follows these password rule. Or if they enforce a stricter set. If anyone knows about this, please let me know (but don't if this would get you fired)</p><p>BTW, the other place where Microsoft recommends a different/stronger set of password rules is here (again no date):<br><a href="https://support.microsoft.com/en-us/windows/create-and-use-strong-passwords-c5cebb49-8c53-4f5e-2bc4-fe357ca048eb" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">support.microsoft.com/en-us/wi</span><span class="invisible">ndows/create-and-use-strong-passwords-c5cebb49-8c53-4f5e-2bc4-fe357ca048eb</span></a></p><p><a href="https://infosec.exchange/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cybersecurity</span></a> <a href="https://infosec.exchange/tags/Fail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Fail</span></a> <a href="https://infosec.exchange/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a></p>
Claudius Link<p>Some more context to my rant about the shortcomings of <a href="https://infosec.exchange/tags/EntraID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EntraID</span></a> <a href="https://infosec.exchange/tags/Password" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Password</span></a> Protection:</p><p>1. The risk is greatly reduced if you use <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MFA</span></a> </p><p>BUT while I'm not sure if <a href="https://infosec.exchange/tags/Microsoft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Microsoft</span></a> enforces MFA they enforce the weak password rules. </p><p>And a recent event caused me to reevaluate my assumption on how well know <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>2FA</span></a>/MFA really is:</p><p>I gave <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> talk to non-IT people (still technical so) and closed it with a set of recommendation. One was to enable Second Factor Authentication wherever possible. Which lead to the question from one participant "What is Second Factor Authentication"</p><p>That was quite a 😵 moment. I had the wrong assumptions. How can I assume that MFA reduces a risk if many people don't know about it.</p><p><a href="https://infosec.exchange/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cybersecurity</span></a> <a href="https://infosec.exchange/tags/Fail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Fail</span></a> <a href="https://infosec.exchange/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a></p>
Claudius Link<p>One more thing</p><p>Another shortcoming of <a href="https://infosec.exchange/tags/Microsoft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Microsoft</span></a> <a href="https://infosec.exchange/tags/EntraID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EntraID</span></a> <a href="https://infosec.exchange/tags/Password" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Password</span></a> Protection, I can't wrap my head around:</p><p>They recommend to not mandate regular password changes (good) BUT they check the password against known bad passwords ONLY when changing it!</p><p>So, to detect weak passwords I have to enforce a password change which is (rightfully) not recommended 🤡</p><p>You could simply do this on entry. Every time (or once a day) the user enters the password it is checked if it isn't well known and complies to the current rules.</p><p><a href="https://infosec.exchange/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cybersecurity</span></a> <a href="https://infosec.exchange/tags/Fail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Fail</span></a> <a href="https://infosec.exchange/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a></p>
Claudius Link<p>Sleeping over it I noticed another issue with <a href="https://infosec.exchange/tags/Microsoft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Microsoft</span></a> <a href="https://infosec.exchange/tags/Entra" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Entra</span></a> ID <a href="https://infosec.exchange/tags/Password" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Password</span></a> </p><p>Regarding the Global banned password list they write "The contents of the global banned password list aren't based on any external data source, but on the results of Microsoft Entra security telemetry and analysis."<br>(<a href="https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">learn.microsoft.com/en-us/entr</span><span class="invisible">a/identity/authentication/concept-password-ban-bad</span></a>)</p><p>Now I have more questions:</p><p>WHY are passwords part of the security telemetry data?</p><p>The only case where I see this as ok, would be in a honeypot.</p><p>And what kind of data would be in the security telemetry data? Usually it's failed attempts, so you risk overestimating passwords attacks which fail (anyway). Again, this would only be OK with honeypots.</p><p>But if you are getting your data solely from honeypots, I fear you're getting a pre-selected type of data. Namely opportunistic, random attacks not targeted attacks.</p><p>While I think it's valuable to protect against these kind ob attacks, I really would like passwords to withstand even targeted attacks, even from the inside.<br>E.g when the attackers are in the Lateral Movement or Privilege Escalation. Especially if the attackers can start to crack hashes.</p><p>For this Microsoft Entra ID Password Protection seems completely useless there.</p><p><a href="https://infosec.exchange/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cybersecurity</span></a> <a href="https://infosec.exchange/tags/Fail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Fail</span></a> <a href="https://infosec.exchange/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a></p>
Claudius Link<p>And the Custom banned password list of <a href="https://infosec.exchange/tags/Microsoft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Microsoft</span></a> <a href="https://infosec.exchange/tags/EntraID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EntraID</span></a> <a href="https://infosec.exchange/tags/Password" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Password</span></a> Protection just continues the joke.</p><p>First, it can only contain 1000 entries. And yes, I really don't want to manage a big custom list.</p><p>And it gets even worse. The list is intended to contain company specific banned words like brand or product names, company-specific internal terms as well as abbreviations. Entries must be at least 4 characters. </p><p>WTF, half the companies I worked for had 3 letter names. And there are many other BWM, KIA, SAP, IBM, GM, BBC, NBA, NFL, UPS, DHL, ...</p><p>And don't get me started on acronyms. <a href="https://infosec.exchange/tags/TLA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>TLA</span></a> (Three-Letter-Acronym) is a term for a reason.</p><p>This means, taking my current company as an example, that SMA12 would be an accepted password (if it would be for the length) because 'SMA' 3 points + '12' 2 points is 5 points).</p><p>To reach the necessary length you could simply combine it. E.g. 'SMASolar1' would be an accepted password even if 'Solar' was a banned word.</p><p>And I CAN'T do ANYTHING!!!</p><p>Or at least not anything sensible. If I start to put combinations of 'SMA*' in the custom banned pw list, I'm back at an inadequate big list I have to manage myself 🤮.</p><p>And even then SMASolar1234 stays valid 🤬<br><a href="https://infosec.exchange/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cybersecurity</span></a> <a href="https://infosec.exchange/tags/Fail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Fail</span></a> <a href="https://infosec.exchange/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a> </p><p>Call for <a href="https://infosec.exchange/tags/Help" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Help</span></a>: I would be very happy if someone can show me that I'm wrong. The state of Microsoft Entra ID Password Protection is a MUCH bigger pain than that I would have been wrong 😜.</p>
Claudius Link<p>I'm not sure if I get something wrong, but I think <a href="https://infosec.exchange/tags/Microsoft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Microsoft</span></a> <a href="https://infosec.exchange/tags/EntraID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EntraID</span></a> <a href="https://infosec.exchange/tags/Password" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Password</span></a> Protection is complete rubbish. E.g. when ban weak passwords with the ominous 5 points rule the results seem to be completely arbitrary.</p><p>Microsoft speaks of including commonly used weak or compromised passwords in their Global banned password list. But the list isn't based on any external data source, so leaked passwords not leaked by Microsoft are not included 🤡.</p><p>This leads to:<br>Known leaked passwords are accepted. Location name plus year is accepted. Dictionary word plus year is accepted!!!</p><p>Not sure if this applies only to German dictionary words.</p><p>It gets even worse. Reading the documentation, I found "Characters not allowed: Unicode characters" WTF </p><p>Coming back to the weird point system. A banned password is not really banned, it gives you "only" 1 point (and you need five).</p><p>This leads to the question how many points do none-banned words give?</p><p>If you think it can't get worse, you're wrong! It looks like each character of a none-banned word gives one point. Meaning "password1234" is an accepted password. (1 point for password and 4 for each digit)</p><p>Or a real-life example: The <a href="https://infosec.exchange/tags/SolarWInds" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SolarWInds</span></a> <a href="https://infosec.exchange/tags/SupplyChain" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SupplyChain</span></a> attach which affected Microsoft, US government agency and countless other organizations worldwide, was cause by a weak FTP server password.<br>Namely "solarwinds123", which would be accepted by <a href="https://infosec.exchange/tags/EntraID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EntraID</span></a> <a href="https://infosec.exchange/tags/Password" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Password</span></a> Protection (1 point each for "solar" and "wind", 3 points for the numbers. If "solarwinds" would be on the custom banned list, "solarwind1234" would have been enough.</p><p>And you can't do anything against it.</p><p>I actually hope that the documentation is somewhat wrong and that "123" is not 3 points but just 1 point, as they are consecutive numbers. But this would make it only marginal better (2023</p><p><a href="https://infosec.exchange/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cybersecurity</span></a> <a href="https://infosec.exchange/tags/Fail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Fail</span></a> <a href="https://infosec.exchange/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a></p>
Stuart Longland (VK4MSL)<p><span class="h-card" translate="no"><a href="https://social.taupehat.com/@me" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>me</span></a></span> <span class="h-card" translate="no"><a href="https://m.ai6yr.org/@ai6yr" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>ai6yr</span></a></span> </p><p>Not only is that a denial-of-service vulnerability… but if it then came to "trust" that "face"… anyone could defeat your security system by buying and wearing an identical T-shirt.</p><p><a href="https://mastodon.longlandclan.id.au/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a></p>
T.M. Baumgartner<p>Anyone have a preferred method for physically disabling the microphone on an indoor security camera? (Wansview Q5)</p><p>I have the microphone turned off according to the app, but I'm getting audio feedback when I have the app running in the same room as the camera, so... I don't think it's really off.</p><p>Would polymer clay in the hole do the trick?</p><p><a href="https://mstdn.social/tags/Wansview" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Wansview</span></a> <a href="https://mstdn.social/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a> <a href="https://mstdn.social/tags/Microphone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Microphone</span></a></p>
ExploreLive feeds
Mastodon is the best way to keep up with what's happening.
Follow anyone across the fediverse and see it all in chronological order. No algorithms, ads, or clickbait in sight.
Create accountLoginDrag & drop to upload