cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
The BBC TV Apps folks told me today that they've recently disabled TLS versions older than 1.2.
That means if you are using iPlayer on your TV, you're definitely using a much more secure TLS version now - so good on you for having a TV with a decent TLS library 🙌🏻.
Next up will be the web, I'll be running a time-limited experiment, probably in October which'll aim to demonstrate that we don't need TLS 1.0/1.1 any more 🤞🏻.
#InfoSec #TLS #BBC #iPlayer
This dumb password rule is from College Board.
Password must be 9-30 characters with at least one upper case letter, one lower case letter, one number and one special character (no spaces) and be different than your username.
https://dumbpasswordrules.com/sites/college-board/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Are you using #Chrome? Are you using the #ChromeVPN extension? You should stop. The last update changed some stuff and now it’s exfiltrating data via screenshot every few seconds. The screenshots are being sent to a server that was in the clear, but is now encrypted.
As a rule, unknown vpns are a security risk. Do not allow extensions or apps to have permissions if you don’t know what they do.
https://www.theregister.com/2025/08/21/freevpn_privacy_research/
Sincere question for InfoSec friends: If you use a password manager that's vulnerable to unpatched clickjacking flaws, what are you supposed to do? Just cross your fingers and hope?
This dumb password rule is from EON.
By the time I'd finished reading the rules I'd forgotten all of them.
https://dumbpasswordrules.com/sites/eon/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
The Record: Feds charge alleged administrator of ‘sophisticated’ Rapper Bot botnet https://therecord.media/feds-charge-botnet-admin @therecord_media
KrebsonSecurity: Oregon Man Charged in ‘Rapper Bot’ DDoS Service https://krebsonsecurity.com/2025/08/oregon-man-charged-in-rapper-bot-ddos-service/ @briankrebs
DoJ, from yesterday: http://justice.gov/usao-ak/pr/oregon-man-charged-administering-rapper-bot-ddos-hire-botnet #cybersecurity #infosec
This dumb password rule is from AOK (German Health Insurance).
This is the online customer portal of the German health insurance company AOK. They have an extensive set of rules for both passwords and usernames.
The password rules are:
- Length between 8 and 14 characters
- At least one letter, one number and one special character
- Special characters are: !...
https://dumbpasswordrules.com/sites/aok-german-health-insurance/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
TrendMicro has published an analysis of Warlock, the ransomware group that most likely was behind the attack on Colt.
https://www.trendmicro.com/en_us/research/25/h/warlock-ransomware.html
@GossiTheDog @campuscodi
#ThreatIntel #Cybersecurity #Infosec
This research by Marek Tóth presented at #DEFCON is good. The vulnerability he discusses is real.
However, exploiting it requires the attacker to compromise a website and add phantom workflows to it that the victim doesn't notice as suspicious. Not impossible, but also IMO not likely unless you visit shady websites frequently.
Personally, I do not think the likelihood is high enough to disrupt my existing workflows to protect against the attack.
#clickjacking #infosec
https://marektoth.com/blog/dom-based-extension-clickjacking/
This dumb password rule is from NordVPN.
- Password cannot be longer than 48 characters.
https://dumbpasswordrules.com/sites/nordvpn/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Trade Me.
Won't allow spaces or single quotes. Maybe other characters as well - they do not say up front - but the password they accepted contained lots of other special characters.
https://dumbpasswordrules.com/sites/trade-me/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
I really really wish #infosec companies would stop sending boxes full of packing materials and a card with a promise of a gift in return for a call - I’ve yet to find anyone in the industry who likes this approach.
A) it’s a massive waste of material/resources - a giant box and packing to deliver a bit of card.
B) it’s like they looked at the method used by kidnappers where they slowly drip stuff through the mail and were like, “hey we should apply that model to our direct marketing!”
Customer wants TLS on an endpoint they send webhooks to. Easy.
Except they don't want a publicly trusted cert. Just...one their root CA has issued.
...cause adding CAs to the application JKS is hard...
Their infosec division agrees this is dumb...in writing...but won't do anything about it...
Make it make sense
This dumb password rule is from CWT Business Travel Management Company.
Password:
- 8 to 32 characters long
- Must contain a combination of letters, numbers and symbols
- Must be different from your username
- Must be different from 5 previous passwords
https://dumbpasswordrules.com/sites/cwt-business-travel-management-company/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
One of the most effective security controls you can ever invest in, is a decent work computer for your employees.
Yep, it’s a bit more cash up front to get a bit more RAM or a bit more CPU poke, but your job in IT/Security is to get people the gear they need to do their jobs without thinking ‘this would be quicker if I used….’
Because we all know what happens when your VP of Finance decides to prep the W-2s on their kid's Alienware gaming desktop full of Minecraft plugins downloaded from every corner of the internet.
This dumb password rule is from Targobank.
Your password must:
- must not be your username
- must at least eight characters
- must contain at least one number character
- must contain at least one uppercase character and 1 lowercase character
- must not contain spaces
- must not contain three identical characters in a row
- must not conta...
https://dumbpasswordrules.com/sites/targobank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Seriously, the issue in this thread is why I think #passkeys are a ticking time bomb. Most people don't understand how they work, or that they're linked to a single device, or that they need to maintain a backup login method. Websites that support passkeys don't do enough to communicate and enforce good habits. If we continue down the passkey path, people losing access is going to be a much bigger problem in the future, and we're not ready for it. #infosec
Mini Pen Test Diaries story, happened in the last couple of years. The debrief meeting went like this:
“In your report you said you were able to crack the domain admin account instantly because the password was stored using the LM hash?”
“That’s right, yes.”
“But we’ve had LM hashing disabled for like 15 years, that can’t be possible?!”
“When was the last time that password was changed?”
“Well it’s been the same since I got here, 20 years ago.”
“And what hashing mechanism do you think was used back then?”
“Oh no.”
For more, less mini stories like this, check out https://infosecdiaries.com.
This dumb password rule is from Coventry Building Society.
Password has to be between 6 and 10 characters, can't contain any punctuation and you have to give characters from it on the phone to confirm identity.
https://dumbpasswordrules.com/sites/coventry-building-society/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from CenturyLink Residential.
Your password is too long. But how long can it be? Oh, we won't tell you.
https://dumbpasswordrules.com/sites/centurylink-residential/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
I used to think that phishing tests and training were pretty pointless (like this study says), but I recently changed my mind.
Most people use tests as a (misguided) way to train employees. Instead, the value in tests is finding out how often phishing doesn't work, and how quickly employees will detect and report a non-targeted phishing attempt. This aids risk analysis and scoring, when phishing is the initial attack vector.
https://www.scworld.com/news/phishing-training-is-pretty-pointless-researchers-find
This dumb password rule is from SAS Eurobonus.
The best thing about rules is that you can have multiple different ones! Like SAS, which allows you to have a long password at least when signing up, but you'll be sorry if you want to change your password later on.
https://dumbpasswordrules.com/sites/sas-eurobonus/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from California Department of Motor Vehicles.
They also prohibit pasting into the password field by using a JavaScript `alert()` whenever you right-click or press the `Ctrl` button, so you can't use a password manager.
https://dumbpasswordrules.com/sites/california-department-of-motor-vehicles/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from ING Australia.
4 numeric digits.
"Added security" by randomising the positions on the keypad. Must be clicked.
https://dumbpasswordrules.com/sites/ing-australia/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from ASN Bank.
Your password needs to be between 8 and 20 characters long - at least 1 number, 1 lower case letter, 1 upper case letter, 1 special character.
https://dumbpasswordrules.com/sites/asn-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Every time I go on a flight I post a bullet-pointed list of all the things I learned about various other companies from the laptop screens around me, to our own Slack, as a reminder of the importance of being aware of your surroundings when working on stuff in public.
Along with an additional reminder that we provide privacy screens.
This dumb password rule is from Hetzner.
- 8 or more characters
- At least one uppercase and one lowercase letter
- At least one number or special character
Okay, fair enough, but after putting in a password with some special characters this message appears:
- Invalid characters, allowed are: A-Z a-z 0-9 ä ö ü ß Ä Ö Ü ^ ! $ % / ( ) = ?...
https://dumbpasswordrules.com/sites/hetzner/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Oopsie! It's Signal Gate, the sequel. A random person was added to a law enforcement group chat that included officers from Immigration and Customs Enforcement (ICE). In it, they discussed highly sensitive information about an active search for an individual seemingly marked for deportation. Here's more from @404mediaco
#Immigration #Technology #Encryption #LawEnforcement #ICE #InfoSec
there's lots of research that meets these criteria, but this is specifically the piece I had in mind when I wrote yesterday about reading excellent work that makes you feel energized.
go read it! I guarantee you'll learn something.
https://censys.com/blog/2025-state-of-the-internet-digging-into-residential-proxy-infrastructure
This dumb password rule is from Williams-Sonoma.
25 maximum characters and disallowing some specials.
https://dumbpasswordrules.com/sites/williams-sonoma/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
So yesterday, I emailed a state court system that appears to be linked to the exposed data I mentioned recently and that the host notified on or about July 28.
No reply was received.
Today, I sent a contact form message to the lawyer for a juvenile whose records were sealed. Sealed, except 11 of them were exposed to anyone who can access the data. I told him what was going on and suggested he contact the court and tell them to get the data secured.
No reply was received.
Today, I sent an email to the judge who ordered the juvenile's records sealed and I cc'd the district attorney. I gave them the juvenile's name and case number and told them that I could see all the sealed records. I urged them to have their IT or vendor call me and I could give them the IP address over the phone, etc.
No reply was received.
Dear Russia, China, and North Korea:
You do not need to hack our courts. They are leaking like sieves and do not respond when we try to tell them they need to secure the data.
Yours in total frustration,
/Dissent
#infosec #cybersecurity #incident_response #dataleak #databreach #WAKETHEFUCKUP
I understand that one strategy employed by spammers and phishers is to make their messages stupid and absurd on purpose, so that only gullible and stupid people will fall for them, thus ensuring the scammers won't waste their time trying to scam people smart enough to figure it out.
Nevertheless, the mind boggles at how stupid someone would have to be to fall for a message like the one below, which I received this morning.
#spam #phishing #infosec