cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
I know I’ve mentioned it before, but the most effective way to get any sort of priv escalation or additional access as part of an internal pen test, where you have a “low level” employee account, is to go to the org’s SharePoint and search all files for “password”.
95% of the time you will find improperly stored creds that’ll get you to new places, EDR be damned.
This dumb password rule is from HSA Bank.
- Must be minimum 12 characters
- Must not be one of user's past 5 passwords
- Must contain uppercase and lowercase letters
- Must contain a number
- Must not be the same as user's account number or login/username
But also...
- Cannot be longer than 20 characters
https://dumbpasswordrules.com/sites/hsa-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
@hacks4pancakes @http_error_418 back in my day I could get into infosec because I am a white cishet dude with white cishet dude friends who helped me into #infosec. Admittedly I came from an IT background of a couple of years, but so did everybody else then.
I probably wouldn’t make it into this field nowadays. Not because white cishet dudes don’t gatekeep for and help other white cishet dudes any more. I’m sure that’s still exactly the same.
But because I would lack the experience and certifications required nowadays.
This dumb password rule is from University of Western Australia (Pheme).
Passwords:
1. Must contain at least 8 characters;
2. Must contain at least 3 out of 4 types of characters (uppercase letters, lowercase letters, digits, special characters); and
3. Must not contain "the user's account name or parts of the user's full name that exceed two consecutive characters".
...
https://dumbpasswordrules.com/sites/university-of-western-australia-pheme/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
ICE now owns roving vans with integrated cell site simulators
for commentary on this breaking news, I turn to my recently-made friend Ray Hunter
Luckily everyone else can too!
https://www.eff.org/deeplinks/2025/03/meet-rayhunter-new-open-source-tool-eff-detect-cellular-spying
This dumb password rule is from IBM TSO/E Logon terminal.
It might not be a web site, but that does not make it less dumb.
Since many don't know about IBM mainframes, it seems they don't think you need to up the policies.
Default old password policy is: 6-8 characters long, A-Z, 0-9
Over the last few years they have updated their policies a bit, but d...
https://dumbpasswordrules.com/sites/ibm-tso-e-logon-terminal/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
We have a company that we use for third-party penetration testing and they are fantastic. But best practices says you should rotate between a few different companies since each company will have a slightly different methodology.
It has come to our attention that many, many companies, even huge best-of-breed companies, are simply running a big ol' vulnerability scan and calling it a Pen Test. Even companies that used to do actual Penetration Testing are doing this. It's enshittification. There is no other word for it.
So here is my ask: what penetration testing companies do you know of that still do actual penetration testing and have a track record of being "good at their job"?
I'm not talking about Red Teaming, just Penetration Testing.
So we provide a list of IP addresses, FQDNs, and websites, then they find the vulnerabilities and verify that they exist and are real. Then they risk rank them using human intelligence and conversations with us about mitigating controls and produce a report that isn't just a 300 page spreadsheet.
#InfoSec #InformationSecurity #PenetrationTesting #PenTesting
Passkeys aren't scary - passwords are. Let's bust some security myths | PCWorld
Passkeys are the informal name for the WebAuthn standard for authentication. It relies on asymmetrical encryption (aka public-key cryptography). When you create a passkey, a public-private key pair is generated. The website gets the public key. You own the private key, which remains secret. It facilitates the authentication process, but it’s never directly shared for the verification process to complete. Nor can it be extrapolated from the public key.
This is a really nice primer for how passkeys work and how they are different from passwords.
NGINX has a variable named `$ssl_curve` & since the curve is what differs when using post-quantum crypto, I checked whether it would hold the PQC KM value so we can log it & determine when PQC is used.
Turns out that when the curve in play is the PQC KM which Chrome & Firefox support (`X25519MLKEM768`), the value of `$ssl_curve` is `0x11ec` which is the raw/internal curve name/ID.
Slightly frustrating but at least it differentiates PQC from normal KM.
https://www.ietf.org/archive/id/draft-kwiatkowski-tls-ecdhe-mlkem-02.html#name-x25519mlkem768
This dumb password rule is from Microsoft (work accounts).
What doesn't seem to be a problem for personal accounts is for work accounts from Microsoft (e.g. Office 365 etc.).
Maximum 16 characters. So forget about using your new fancy diceware password here - or really any secure passwords in general.
Oh - and besides that, please don't use any "exoti...
https://dumbpasswordrules.com/sites/microsoft-work-accounts/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
https://github.com/macports/macports-ports/pull/28592
GitHub Continuous Integration checks passed OK!
Alas, the agent.patch that iamGavinJ had created doesn't apply cleanly, in large part because ssh-agent.c has been reworked significantly with this release.
Subsequently, I closed this previous Pull Request: https://github.com/macports/macports-ports/pull/28592 not because I didn't want to restore that functionality to launchd, but because it will require more effort than I can give such things at this time.
But, check out these improvements to ssh-agent from the OpenSSH 10.1 release notes:
"ssh-agent(1) (https://man.openbsd.org/ssh-agent.1), sshd(8): move agent listener sockets from /tmp to under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets in sshd(8).

This ensures processes that have restricted filesystem access that includes /tmp do not ambiently have the ability to use keys in an agent.

Moving the default directory has the consequence that the OS will no longer clean up stale agent sockets, so ssh-agent now gains this ability.

To support $HOME on NFS, the socket path includes a truncated hash of the hostname. ssh-agent will, by default, only clean up sockets from the same hostname.

ssh-agent(1) gains some new flags: -U suppresses the automatic cleanup of stale sockets when it starts. -u forces a cleanup without keeping a running agent, -uu forces a cleanup that ignores the hostname. -T makes ssh-agent put the socket back in /tmp."
Anyway, I updated this as well:
https://trac.macports.org/ticket/72482
I should probably actually close this ticket now that I think of it (fingers crossed that adding that to the PR is sufficient, since I forgot to add that note to the commit message as is typically preferred: https://trac.macports.org/ticket/73084).
#OpenSSH #MacPorts #SecureShell #macOS #encryption #security #infosec
This dumb password rule is from Virgin Mobile.
You can only use PIN as your password.
https://dumbpasswordrules.com/sites/virgin-mobile/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Honoured to partner with Thales for WICCON 2025. Their involvement will help us deliver a magical event!
This dumb password rule is from Red Hat.
Symbols. You keep using that word. I don't think it means what you think it means.
https://dumbpasswordrules.com/sites/red-hat/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Somewhere in China, and elsewhere, there are a whole lot of people laughing their ass off.
We've already lost the cyberwar without firing a single bullet. #Infosec
Pentagon relaxes military cybersecurity training • The Register
https://www.theregister.com/2025/10/02/pentagon_relaxes_military_cybersecurity_training/
This dumb password rule is from Boligøen (Danish resident renting bureau).
Red text: "Your password has to be at least 6 characters, but NOT over 20 characters."
https://dumbpasswordrules.com/sites/boligoen-danish-resident-renting-bureau/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from T-Mobile.
We prefer to not tell you which characters you can use up front.
https://dumbpasswordrules.com/sites/t-mobile/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from University of California San Diego.
Passwords must be between 8 and **11** characters long!
https://dumbpasswordrules.com/sites/university-of-california-san-diego/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Broadcom has stopped delivering automated updates to #VMware Fusion and Workstation. All updates have to be downloaded and installed manually from the Broadcom Support Portal (as a side note: This portal is one of the worst corporate "support" websites I've seen in the last decade).
This is terrible. It will lead to tens of thousands of VMware installations remaining vulnerable to trivially exploitable flaws, for example, local privilege escalation via CVE-2025-41244 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149
BTW, please note that to fix CVE-2025-41244 you must now manually download the correct VMware Tools package from the support portal, unpack the zip, mount the ISO image, and then execute the setup.exe from the mounted ISO image. There are currently no VMware releases that include the fixed VMware Tools, so if you create any new VMs you MUST install the update manually to each new VM. Did I already mention this is terrible?
Yay!
@PagedOut Issue #7 has been released!
https://pagedout.institute/
PDF:
https://pagedout.institute/download/PagedOut_007.pdf #pagedout #ezine #hacking #infosec
This dumb password rule is from Suncorp.
To "improve security" and "be password savvy", passwords must:
- be six to eight characters long
- Contain both numbers and letters
- Include upper and lowercase letters
https://dumbpasswordrules.com/sites/suncorp/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from BinckBank.
Between 10 and 16 letters and/or digits. No special characters are allowed.
Must be renewed at least every 180 days, but you can configure to let the password expire sooner.
When changing the password, the new password cannot be too similar to the existing password.
https://dumbpasswordrules.com/sites/binckbank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Pam360.
"Enterprise privileged access management has never been easier."
- Must be 8 to 16 characters in length
- Must have mixed case alphabets
- Must have at least 1 upper and 1 lower case character(s)
- Must have at least 1 number(s)
- Must have at least 1 special character(s)
- Must star...
https://dumbpasswordrules.com/sites/pam360/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
I recently discovered that rich assholes may have intimidated a security company into taking down excellent research they wrote three years ago.
There are far too many rich assholes attempting to intimidate people these days. Fuck all these guys.
And don't forget to archive shit in many locations.. locally. Archive.org. archive.today.. email it to others.. rewriting history is bad.
You should read this excellent paper. I don't know the researchers but it is good work..
Please boost for awareness of this great work and scare tactics
#threatintel #cybercrime #scam #malware #infosec #dns #phishing
This dumb password rule is from Mobility.
The username is the customer number, which is sequential and cannot be changed, currently 7 digits long for new customers.
The password has to be exactly 6 digits long, only numbers allowed.
https://dumbpasswordrules.com/sites/mobility/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
New term: “camera snitch” (noun): that one person in a routine Teams meeting that turns the camera on, passive-aggressively forcing everyone else to turn their cameras on (to avoid looking suspicious).
#WFH
#InformationSecurity
#InfoSec
This dumb password rule is from E-Redes.
Portuguese power distribution company, which requires short passwords (10 to 15 characters), no repetition of the same character, not using the username, the word "PASS" or the word "SAP" in the password, and limiting which special characters can be used.
https://dumbpasswordrules.com/sites/e-redes/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Pleasantly surprised to find out that our commercial web CDN partner for www.bbc.com & www.bbc.co.uk has enabled Post-Quantum Crypto.
So if you're using a modern web browser (Chromium & Firefox both support it) & are outside the UK, you'll automatically be using a quantum computer-resistant TLS key exchange mechanism (ML-KEM AKA Kyber) and (as far as we know) your traffic cannot be intercepted, stored & latterly decrypted when viable quantum computers come along.
This dumb password rule is from Rushmore Loan Management Services.
Hmmm.. why are they afraid of double and single quotes in my passwords?
https://dumbpasswordrules.com/sites/rushmore-loan-management-services/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
We're seeing requests to www.bbc.com return to normal-looking levels from Afghanistan - since about midday UTC today (1st Oct 2025).
In retrospect, I'm frankly surprised it took so long for someone to name a worm "Shai-Hulud". I should have been waiting for it for years; it seems so obvious in hindsight.
#security #ComputerSecurity #malware #worm #ShaiHulud #infosec
This dumb password rule is from Parnassus Investments.
A site responsible for protecting your investments limiting you to a four character range with a bunch of other stupid rules? Shocking.
https://dumbpasswordrules.com/sites/parnassus-investments/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Sprint.
Sprint "upgraded" their security and disallow special characters.
https://dumbpasswordrules.com/sites/sprint/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
> August received nearly 73,000 [DDOS] attacks, which breaks down to about 1.7 every minute of every day
Life on the modern internet is fun. Bear in mind this is just one CDN's view - Fastly.
VPNs aren’t all built the same. Many of you know this, and some of you don’t. For the latter, here’s a really informative report on a number of them. The “VPN Transparency Report 2025.”
The TLDR is on page 50, but I recommend at least skimming all of it. Especially if you want to use a VPN with integrity.
I use Mullvad, so I was happy to see it near the top in most sections.
https://www.opentech.fund/wp-content/uploads/2025/08/VPN-Transparency-Report.pdf
This dumb password rule is from Bank Millennium.
Passwords limited to 8 digits.
https://dumbpasswordrules.com/sites/bank-millennium/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Aetna Health Insurance.
- Password cannot be longer than 20 characters
- Password cannot have spaces or more than 2 characters repeated in a row
- Password cannot have user's first name, last name or username
https://dumbpasswordrules.com/sites/aetna-health-insurance/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
> 'You'll never need to work again': Criminals offer reporter money to hack BBC
This dumb password rule is from Westpac Live Online Banking.
Password rules:
- be between 8 and 30 characters
- include at least 1 number, 1 letter and 1 special character (@#%^ etc)
- have no more than 2 repeating characters (AAB not AAA)
- not contain spaces
- not be the same as your last 3 passwords
https://dumbpasswordrules.com/sites/westpac-live-online-banking/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from NordVPN.
- Password cannot be longer than 48 characters.
https://dumbpasswordrules.com/sites/nordvpn/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Wells Fargo Identity Theft Protection.
Your password on an Identity Theft Protection service is limited to between 8 and 20 characters. Your username is allowed to be longer than your password.
https://dumbpasswordrules.com/sites/wells-fargo-identity-theft-protection/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Thames Water.
Can only use the "special" characters on that very limited list, excluding symbols so exotic as an underscore, even. This is despite their own strength checker saying the password is strong.
https://dumbpasswordrules.com/sites/thames-water/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from NVV (Nordhessische VerkehrsVerbund).
Password length must be 4 to 10 characters with only a few special characters allowed.
https://dumbpasswordrules.com/sites/nvv-nordhessische-verkehrsverbund/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
My heart is breaking for @catbailey .
Her bad luck just got much worse. The storage units are being auctioned and the family will lose a lot of memories and family records.
This is devastating to a mum. Losing baby pictures and baby things from her kids, and more.
I mean it is seriously devastating and heartbreaking.
All you mums out there certainly know how terrible it is to lose it all.
There is still a slim chance of saving at least something.
The bill stands, so far, at $1350. It all has to be paid to rescue it.
Please help them save their legacy. Every bit helps.
Best to use Venmo/PayPal/CashApp, but GoFundMe is appreciated too and good for higher latency needs.
GoFundMe: https://www.gofundme.com/f/aid-for-cat-and-her-kids-in-crisis?lang=en_US
PayPal: https://paypal.me/catalystediting
Venmo: @BlackCatHackers
CashApp: $BlackCatOps
if anyone either works at, or knows someone who works at Sleep Number in an #infosec capacity, please have them reach out to me...
Also...come on....can we all just agree to set up security@ emails....
If you’re using LinkedIn, privacy policy changes are coming. As you might expect, they’re not good. One allows tracking you off the site.
Here’s the info page:
https://www.linkedin.com/help/linkedin/answer/a8059228
If you’re in the U.S. here are direct links to all of the relevant opt-out settings (most new, some old):
https://www.linkedin.com/mypreferences/d/settings/ads-interactions-with-business
https://www.linkedin.com/mypreferences/d/settings/share-data-with-select-partners
https://www.linkedin.com/mypreferences/d/settings/ads-beyond-linkedin
https://www.linkedin.com/mypreferences/d/settings/ads-related-actions
https://www.linkedin.com/mypreferences/d/settings/data-for-ai-improvement
#LinkedIn #Privacy #PrivacyPolicy #AI #Data #InfoSec #Microsoft