cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
This dumb password rule is from CenturyLink.
So many bad ideas: a low maximum length, requiring six specific character types while not accepting common symbols, plus a weird restriction that makes random generation harder.
https://dumbpasswordrules.com/sites/centurylink/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Do the Germans have a word for the feeling you get when you’ve discovered very important private keys being stored unencrypted in one of your organization’s git repos?
sigh
This dumb password rule is from NBC (National Bank of Canada).
- Password length must be 8 to 25 characters
- Password must contain at least one lowercase letter (any position)
- Password must contain at least one digit (any position)
- Password cannot contain spaces.
- Copy/paste is not allowed when trying to set a new password
https://dumbpasswordrules.com/sites/nbc-national-bank-of-canada/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from MarketWatch.
- Cannot be longer than 15 characters.
- Must contain one number.
- Cannot contain spaces, %, & or +.
https://dumbpasswordrules.com/sites/marketwatch/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Comcast.
Your password should be difficult to guess as long as it's not over 16 characters long.
https://dumbpasswordrules.com/sites/comcast/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Air Miles.
- Exactly 4 numbers.
https://dumbpasswordrules.com/sites/air-miles/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
🤔 I have a "how long is a piece of string" question: how many abusive IPs is it normal to encounter hitting your API? If you do banning, how many permanent bans are typical, and how many expiring bans (e.g. fail2ban) are typical? How was that different in the different environments you worked at? What tech did you prefer to use (e.g., fail2ban, redis, eventbridge)?
#security #blueteam #fail2ban #firewall #threatintel #infosec
As a cybersecurity professional from where do you hail? I'm trying to understand the community around here.
My "feeling" is that there are quite a few Americans around here, but I would like to better understand the diaspora.
I know this is not the most intelligent of polls but as a start mkay? Boost if you don't mind :)
| United States: | 63 |
| Europe: | 104 |
| Other: | 34 |
This dumb password rule is from Roll 20.
Your new password must be at least 4 characters long and no longer than 40 characters. Your password was not changed.
https://dumbpasswordrules.com/sites/roll-20/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Sears.
"cAsE sensitive, no spaces, ! or ?
8 characters min - 1 letter, 1 number
Can't repeat same character more than 3 times in a row
Cannot be or contain your username or email address"
https://dumbpasswordrules.com/sites/sears/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
@hacks4pancakes I always thought it was funny talking to people who were getting into cyber security "for the money". Like, dawg, where's that money at? It pays well enough but not "change my career" money, not "build my future around it" money.
Do cyber security because you love a new challenge every day against adversaries who are, in bulk, smarter than you and have more time, more people, and way less ethical boundaries.
Do it because you love tearing systems apart to understand how each individual piece connects to the next and how it could go wrong.
Do it because you want to beat on FOSS and industry tools, twisting them to do things even the original designers didn't expect, out of the necessity of novel solutions for unprecedented attacks.
Do it because you want to be the one who knows.
Do it because the world isn't scary enough.
Do it because you like being on-call, forever.
Do it so you can ruin people's fun whenever they talk about whatever the hot, new technology is.
Do it to stop getting invited to technology planning meetings.
Do it for the indigestion.
Don't do it for money.
You won't last six months.
What kind of person emails someone to say "I can put your static site in an IFRAME", declare it a security vulnerability, and when told "it's a personal website..." demand a bug bounty and a mention on the front page?
Edit - even better, the "description of vulnerability" is a bunch of stuff copy-pasted from the OWASP TOP10.
This dumb password rule is from Sprint.
Sprint "upgraded" their security and disallow special characters.
https://dumbpasswordrules.com/sites/sprint/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from La Banque Postale.
Password must be 6 digits and entered on custom pad.
https://dumbpasswordrules.com/sites/la-banque-postale/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Premera Blue Cross.
Password must contain 8-30 characters, including one letter and one number.
"Special characters allowed" seems to mean a very small handful of choices you can only find through trial and error `-_'.@`
https://dumbpasswordrules.com/sites/premera-blue-cross/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
The Oracle EBS stuff gave me a weird kind of MOVEit nostalgia (?), so I looked at the recent campaign and exposed EBS instances to understand more about possible fallout across industries and geography:
https://censys.com/blog/unpacking-the-oracle-ebs-debacle-industries-geography-and-moveit-comparisons
ARIA job post for a "Technical Specialist - Cyber-Physical Multi-Agent Systems", London, 70-100K https://aria.pinpointhq.com/en/postings/ea382be3-f6fc-41ad-93ed-9d554443b95f
"You have a hacker-like, DIY mindset; a tinkerer by nature, can prototype quickly, and red-team effectively."
Thinking of @gsuberland for this if they're still looking, or @tef ?
I'm not affiliated, just a big fan of #ARIA :)
This dumb password rule is from Sky Ticket.
Sky is a German pay-TV provider with over 23 million subscribed users worldwide. They also have an online streaming service called "Sky Ticket".
You can only set a **4 digit long PIN** with no option for two-factor authentication or any additional security mechanisms.
https://dumbpasswordrules.com/sites/sky-ticket/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
The crowdsec use case is a good excuse to get me shipping logs properly which I should be doing anyway. I think I can do that with Loki+Alloy for everything in-cluster, and it looks like Loki can accept syslog so I can ship logs from the ssh-endpoints and maybe router as well. Looks like I'll need to learn a bit about Alloy and install it separately via its own helm chart. Then I can let crowdsec chew on the logs stored in Loki along with other alerting tools (open to suggestions!).
This dumb password rule is from Scandinavian Airlines.
The password rules themselves are fine, but they don't state the maximum length of the password.
Their max length is 14 characters, so even if you enter a password of 42 chars, you can log in with the first 14 of it.
In this case, I changed my password to **Super_l0ng_password_that_fits_all_criteri...
https://dumbpasswordrules.com/sites/scandinavian-airlines/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
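As an added illustration (not part of the post above, and not code from Scandinavian Airlines or dumbpasswordrules.com), here is a Python model of the two behaviours: a store that silently keeps only the first 14 characters, and a defensive one that states its limit and refuses longer input instead of shortening it. The class names, the 14- and 64-character limits, the PBKDF2-SHA256 verifier and the sample passphrase are all constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo values (not from the post): a salted PBKDF2-SHA256 verifier
# stands in for whatever the real site uses; production code would use argon2 or bcrypt.
ITERATIONS = 100_000
DEMO_PASSWORD = "Constructed-l0ng-Passphrase-for-the-demo!"  # constructed example


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 over the UTF-8 bytes of the given string."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class TruncatingStore:
    """Models the behaviour the post describes: the server silently keeps only the
    first `max_len` characters, both when the password is set and when it is checked.
    Everything past that point never reaches the hash, so the effective secret is
    just the prefix."""

    def __init__(self, max_len: int = 14):
        self.max_len = max_len
        self.users: dict[str, tuple[bytes, bytes]] = {}

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, _digest(password[: self.max_len], salt))

    def verify(self, user: str, password: str) -> bool:
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, _digest(password[: self.max_len], salt))


class RejectingStore:
    """Defensive alternative: the limit is part of the stated policy, over-length
    input is refused with an explicit error instead of being shortened, and the
    verifier covers the whole string that was accepted."""

    def __init__(self, max_len: int = 64):
        self.max_len = max_len
        self.users: dict[str, tuple[bytes, bytes]] = {}

    def set_password(self, user: str, password: str) -> None:
        if len(password) > self.max_len:
            raise ValueError(f"password longer than {self.max_len} characters")
        salt = os.urandom(16)
        self.users[user] = (salt, _digest(password, salt))

    def verify(self, user: str, password: str) -> bool:
        if len(password) > self.max_len:
            return False  # nothing this long was ever stored, so it cannot match
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, _digest(password, salt))


def compare_behaviours(password: str = DEMO_PASSWORD, cutoff: int = 14) -> dict[str, bool]:
    """Set the same password in both stores, then try a candidate that shares only
    the first `cutoff` characters with it and differs afterwards."""
    prefix_variant = password[:cutoff] + "xyz"

    truncating = TruncatingStore(max_len=cutoff)
    truncating.set_password("alice", password)

    rejecting = RejectingStore(max_len=64)
    rejecting.set_password("alice", password)

    return {
        "truncating_accepts_full": truncating.verify("alice", password),
        "truncating_accepts_prefix_variant": truncating.verify("alice", prefix_variant),
        "rejecting_accepts_full": rejecting.verify("alice", password),
        "rejecting_accepts_prefix_variant": rejecting.verify("alice", prefix_variant),
    }


if __name__ == "__main__":
    for name, accepted in compare_behaviours().items():
        print(f"{name}: {accepted}")
```

The truncating store accepts the prefix variant, which is exactly the effect the post observed: a 42-character password that is really only 14 characters long. The same outcome can arise by accident when the hashing primitive itself has a fixed input limit (bcrypt ignores input beyond 72 bytes) and the application does not check length before hashing, so the defensive version enforces the limit in code and reports it to the user.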
This dumb password rule is from Merrill Lynch.
Passwords must be between 8 and 20 characters, and some special characters are allowed. Users with randomly-generated passwords may find it particularly annoying to generate a password that works for their password safe.
https://dumbpasswordrules.com/sites/merrill-lynch/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from PayPal.
Must be between 8 and 20 characters, no spaces, uppercase and lowercase, one symbol...
The rule limits special characters to !@#$%^&*(). but my current password has a "-" in it so someone decided to restrict this further which is totally backwards. Things are meant to get better not worse!
https://dumbpasswordrules.com/sites/paypal/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
There's also a lot going on at ARIA - I'm surprised at how positively I'm responding to some of it.
This small funding call looks interesting for creative #infosec folks - up to £20K for a 3 month project helping decide what "Trust Everything, Everywhere" could look like (there's a webinar about the thinking behind it at 4pm today)
https://www.aria.org.uk/opportunity-spaces/trust-everything-everywhere#preprogrammediscovery
This dumb password rule is from ANZ Bank.
Your password needs to be between 8 and 16 characters long - no special characters allowed.
https://dumbpasswordrules.com/sites/anz-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Alright people, let's start at the beginning one last time. The name's Sylvie. I was bitten by a radioactive spider octopus while surfing. These days I find myself surfing the web, trying to make the world better through music, pro-bono privacy and security counseling, and fighting for the user using my #infosec and #hacker chops. Experienced some horrible tragedies and haven't always had it easy, but I'm not the only one.
I'll never see a #StarTrek future, and it seems we're increasingly further from things like hope coming from collaborations like the International Space Station, and excitement of learning brought on by things like transparent electronics. Nonetheless, I refuse to be dragged down into the doomerism and slop, and seek to make things more accessible, secure, and private while fanning humanity's creativity.
What is everyone's thoughts on Crowdsec? Worth it on exposed endpoints? Stick with something more basic? I've been slowly working on getting it working via traefik middleware. I'll probably have to end up rebuilding the deployment yet again, uggh. I have one Crowdsec per edge node because I didn't want to ship access logs over the links, but maybe that makes more sense?
🚀 The CybersecKyle Community is live! A friendly Discord where security + tech meet: news breakdowns, labs, tools, cloud/automation chats, chill coffee breaks, and so much more! Beginners → pros welcome.
Read more: https://www.kylereddoch.me/blog/the-cyberseckyle-community-is-live-security-and-tech-together/
This dumb password rule is from AirAsia.
- Between 8 and 16 characters
- Must contain a number, a lowercase letter, and an uppercase letter
- Special characters allowed, but not periods, commas, tildes, or angle brackets
https://dumbpasswordrules.com/sites/airasia/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
@GossiTheDog @campuscodi critics question why the basic flaws being exploited — buffer overflows, command injections, SQL injections — remain prevalent in mission-critical codebases maintained by companies whose core business is cybersecurity.
#infosec #firewall #f5 Citrix NetScaler, Ivanti, Fortinet, Palo Alto Networks, Cisco, SonicWall, and Juniper.
This dumb password rule is from MTS Serbia.
MTS is a national mobile and internet provider in Serbia and they have bad password rules.
Translation: The password must have more than 6 characters, less than 17 characters and one of the following combinations: upper case or lower case letter and a number, upper case or lower case letter and a ...
https://dumbpasswordrules.com/sites/mts-serbia/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from myRTA.
The Roads and Traffic Authority's 'Online Services' website for New South Wales, Australia.
Password rules:
- Must be between 6 and *10* characters long
- Must be a combination of letters and numbers
- Cannot be the same as any of the previous two passwords, including the current password
- Is ca...
https://dumbpasswordrules.com/sites/myrta/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
@delta also #deltaChat natively supports #Proxies, #VPN|s and @torproject / #Tor so not only can people use it that way but also use any other bypass method.
uucp with foreign mobile networks near borders works just as well...I'd not be surprised if delta Chat is also used by #RimjinGang* and #38North** for a "contactless sneakernet" tho I am convinced they won't confirm or deny that for #OpSec, #InfoSec & #ComSec reasons alone...
This dumb password rule is from Virgin Trains.
Your password needs to be between 8 and 10 characters long. Previously this would silently truncate the password without warning, causing confusion when the password wouldn't work.
https://dumbpasswordrules.com/sites/virgin-trains/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from BMW ConnectedDrive.
Although the prompt suggests good things, after many failed attempts to set a new password, it turns out you can ONLY use the special characters shown in the prompt.
https://dumbpasswordrules.com/sites/bmw-connecteddrive/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Bloomingdale's.
16 characters maximum, no `.` `,` `-` `|` `/` `=` or `_` allowed.
https://dumbpasswordrules.com/sites/bloomingdales/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Arbeitnehmeronline.
Service for managing employment documents of the German company Datev.
Only the following character categories are allowed: letters, numbers and this special character set: !#$%&()*+,-./:;<=>?@[\]^_`{|}~äöüßÄÖÜ
https://dumbpasswordrules.com/sites/arbeitnehmeronline/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from LepidaID.
Password must:
- be 8 to 16 characters in length
- contain at least 1 upper-case character
- contain at least 1 lower-case character
- contain at least 1 number
- contain at least 1 non-alphanumeric character
- not contain more than 2 of the same consecutive characters
- not contain any public da...
https://dumbpasswordrules.com/sites/lepidaid/
#password #passwords #infosec #cybersecurity #dumbpasswordrules