They understand that AI is going to clone them for sexual ends and Internet-wide photo trawlers will index their biometrics in a database forever and the age of the selfie is coming to an end.
People are advertising AI cloning from just 10 good pictures. This is something a teenager with a mid-tier graphics card can learn in a few hours. Pretty soon it’s going to be on integrated graphics in a laptop. And there are already AI services that will do it for you. It is a new world. Please do not make choices your child cannot fix.
Millennials and uncool GenZ are just fucked forever but the younger ones know they have to opt-out as soon as possible. The stuff from teenage spaces that leaks over into public is horrifying. They know something older people who are too smart to tell the truth don’t. They know.
There was a time you could defeat almost all email account compromise by just… turning off legacy authentication in Exchange. You became a ghost. That’s how all attacker tools worked. Now they have upgraded to account for modern authentication. YOU CANNOT STOP improving. You are aging quickly.
AS DEFENSES INCREASE, other avenues of attack are unlocked as being cost-effective and needed. Suddenly your uniquely strong defense is the norm and defeating it is too.
The point is staying ahead of the curve. We are now at the stage where attackers invest in durable telco compromise to allow attackers in.
There is an increase in account takeovers due to insiders at telco firms simply giving control to people paying them, or via compromised support staff accounts. Do a check on systems where this single factor would permit an account compromise. And change the configuration. These are opportunistic trawling attacks. This is becoming more common as attackers replicate the success.
The attacker uses other channels (like people search websites) to enumerate and guess the phone number attached to an online account and then checks against the telco they have control over.
The insider only briefly forwards the victim number to a 3rd party, then switches it back to normal once they’re in. This is how they stay quiet, since most victims will not have leverage or telemetry to understand how they got hacked.
It was their cell phone provider.
Make it so account recovery systems require multiple factors and remove telephony-based recovery for VIP accounts entirely. Go check your systems now. Go try to access all your stuff like you forgot your password.
I am very serious. This is based on private knowledge but is compelled by the compromise of the SEC. This is common now.
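As an added example (my code, not anything from the thread above), here is a small model of the telephony-forward takeover it describes, run against two password-recovery policies: the usual default, where proving any one enrolled method resets the password, and the hardened one the thread asks for, where two distinct proofs are required, telephony alone never suffices, and VIP accounts get no telephony recovery at all. The accounts, user names, method names and the VIP flag are all constructed for illustration. It also surfaces the caveat you hit in practice: switching to the hardened policy locks out owners who have nothing but a phone number enrolled, so the audit has to list them before the switch, not after.

```python
"""Added example: audit account-recovery policies against an attacker whose only
proof is control of the victim's phone number (insider forwards it at the telco).
All accounts and names below are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List

# Proofs that arrive over the phone network. A carrier insider who forwards the
# number receives every one of these, so this set is what the attacker can always
# present, with no other knowledge of the victim.
TELEPHONY = frozenset({"sms", "voice"})
ATTACKER_PROOFS = TELEPHONY


@dataclass(frozen=True)
class Account:
    user: str
    vip: bool
    methods: FrozenSet[str]  # recovery methods enrolled on the account


Policy = Callable[[Account, FrozenSet[str]], bool]


def weak_policy(acct: Account, proofs: FrozenSet[str]) -> bool:
    """Typical default: proving any single enrolled method resets the password."""
    return bool(acct.methods & proofs)


def hardened_policy(acct: Account, proofs: FrozenSet[str]) -> bool:
    """Two distinct proven methods, at least one of them not telephony.
    VIP accounts ignore telephony entirely, so a forwarded number proves nothing."""
    usable = acct.methods - TELEPHONY if acct.vip else acct.methods
    proven = usable & proofs
    return len(proven) >= 2 and bool(proven - TELEPHONY)


def telephony_only_takeovers(accounts: List[Account], policy: Policy) -> List[str]:
    """The check the thread asks for: which accounts fall to an attacker whose
    only factor is the phone number?"""
    return [a.user for a in accounts if policy(a, ATTACKER_PROOFS)]


def locked_out(accounts: List[Account], policy: Policy) -> List[str]:
    """Owners who can prove everything they enrolled and still cannot recover.
    These need additional non-telephony methods enrolled before the policy flips."""
    return [a.user for a in accounts if not policy(a, a.methods)]


# Constructed sample directory (hypothetical users).
ACCOUNTS = [
    Account("alice", vip=True, methods=frozenset({"sms", "email"})),
    Account("bob", vip=False, methods=frozenset({"sms"})),
    Account("carol", vip=False, methods=frozenset({"sms", "totp"})),
    Account("dave", vip=True, methods=frozenset({"hardware_key", "totp"})),
]

if __name__ == "__main__":
    for name, policy in (("weak", weak_policy), ("hardened", hardened_policy)):
        print(f"{name}: takeover via phone number alone -> "
              f"{telephony_only_takeovers(ACCOUNTS, policy)}")
        print(f"{name}: owners locked out -> {locked_out(ACCOUNTS, policy)}")
```

Under the weak policy three of the four constructed accounts fall to the forwarded number alone; under the hardened policy none do, but alice and bob can no longer recover at all until they enrol something that is not a phone. That second list is the one to work through with the account owners before you change the configuration, which is the practical form of "go try to access all your stuff like you forgot your password".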
You think automotive engineers ever go “good thing I’m an automotive engineer, because it would be a fucking nightmare to drive this thing if I wasn’t”? Anyway, that’s what working in IT is like.
The Internet is sad because you’ll say something like “I could fight a chimp” and people will reply “no the chimp would kill you” and you realize they are directionless lost people who don’t believe in their own power and would absolutely surrender to stuff in a zoo. Keep your failure mindset to yourself.
Here’s my thread on stopping some of the hacks you see in the news by… just deploying uBlock Origin to every employee and browser. Like we do. I’m not talking theory. I’m the practitioner who does it as my day job today in production at a very large firm.
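As an added example (my code, not the author's thread or tooling), this builds the browser managed policy that force-installs uBlock Origin on every profile, which is the deployment the post refers to, and audits a policy blob pulled back from a machine to confirm the extension is actually forced rather than merely permitted. The store IDs and update URLs are the ones published for uBlock Origin in the Chrome Web Store and Microsoft Edge Add-ons; IDs are per-store, so confirm them against the current listing before rolling out. The lax policy is constructed to show the failure mode.

```python
"""Added example: generate and audit the ExtensionSettings policy that
force-installs uBlock Origin. Store IDs/update URLs as published for uBO;
verify against the live store listing before deployment."""
import json

# Per browser: (extension id in that vendor's store, update URL the browser polls)
UBLOCK_ORIGIN = {
    "chrome": ("cjpalhdlnbpafiamejdnhcphjbkeiagm",
               "https://clients2.google.com/service/update2/crx"),
    "edge": ("odfafepnkmbhccpbejgmiehpchacaeak",
             "https://edge.microsoft.com/extensionwebstorebase/v1/crx"),
}


def force_install_policy(browser: str) -> dict:
    """ExtensionSettings entry that installs uBO on every profile and stops
    users from disabling or removing it."""
    ext_id, update_url = UBLOCK_ORIGIN[browser]
    return {
        "ExtensionSettings": {
            ext_id: {
                "installation_mode": "force_installed",
                "update_url": update_url,
            }
        }
    }


def ublock_enforced(policy: dict, browser: str) -> bool:
    """Audit: does this managed policy force-install uBO for the given browser?
    'allowed' or a missing entry means a user can remove it, so the ad blocking
    silently disappears from that machine."""
    ext_id, _ = UBLOCK_ORIGIN[browser]
    entry = policy.get("ExtensionSettings", {}).get(ext_id, {})
    return entry.get("installation_mode") == "force_installed"


def render(policy: dict) -> str:
    """JSON as written to a managed-policy file (Linux) or pushed via GPO/Intune."""
    return json.dumps(policy, indent=2)


# Constructed: a lax policy that only permits uBO instead of forcing it.
LAX_POLICY = {
    "ExtensionSettings": {
        UBLOCK_ORIGIN["chrome"][0]: {"installation_mode": "allowed"}
    }
}

if __name__ == "__main__":
    print(render(force_install_policy("chrome")))
    print("lax policy enforced?", ublock_enforced(LAX_POLICY, "chrome"))
```

On Linux this JSON goes in the browser's managed policies directory (for Chrome that is `/etc/opt/chrome/policies/managed/`); on Windows the same `ExtensionSettings` value lives under the Chrome or Edge policy registry key and is normally pushed by Group Policy or Intune. Those paths are stated as the common layout, not something the post specifies. The audit function is the part worth keeping: a fleet where the policy says `allowed` looks deployed in the console and is not.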
Okay, I’ve changed my mind: lack of QRT is basically why I have to leave most of my commentary on Twitter. I’m not typing out the summary of someone else’s entire point just to add to it. Microsoft Security posts here but gets no engagement because it’s an empty hole of inability to engage.
Like I really do want to make Mastodon my parity or even primary outlet. I often get more engagement here. But I just can’t keep on my threads of threads where I share rolling narratives, like my stuff about how so many hacking stories are actually caused by malicious ads you can just block on your company devices like we do.
@GossiTheDog But not with embedded posts that collect various linked information sources into a narrative you can see. I understand Mastodon is improving this.
Official: https://twitter.com/swiftonsecurity/status/1588670921489125377
Bio: computer security person at a place. former helpdesk. they/them/tay. Microsoft MVP, Client Security 2018-2023