Infosec Press


Read the latest posts from Infosec Press.

from Dr. Sbaitso

Why I won't buy Androids

I was talking about new phones with a friend a few days ago, and he asked about Android choices. I told him I won't buy any Androids, for a bunch of reasons. This is social media, I'm into my second boozy eggnog. I figure I'll share those reasons here too. Most of the reasons are around Google itself, and some how it's handled Android. Only one is because I'm a petty bitch with a collection of heirloom grudges.

First and foremost, Google is an advertising company with a search engine and a browser and a video hosting service and a mobile operating system all designed to keep your eyes and ears on their advertisements. For FY2022, 80% of Google's revenue came from advertising. Given the lengths I go to avoid ads everywhere else, putting a little ad machine in my pocket doesn't make much sense.

Aside: I go to extreme lengths to block ads. I have a very aggressive PiHole setup. My daily browsing is through Vivaldi (which has a built-in ad blocker) (But the new Direct Match stuff defaulting to On is pretty fuckin' shitty, Vivaldi) and also running an over-packed μBlock extension. Secondary browsing goes through Firefox with a similarly-configured μBlock. I also have a WireGuard VPN running on my iPhone so whenever I'm not on my own WiFi network I'm tunneling back in just to use my PiHole. Vivaldi on iPhone also has a built-in ad-blocker.

Besides the ad biz, I don't trust Google overall. It started with Google Reader, but Google is quick to drop the blade on the neck of any product/service/app that doesn't have a VP championing it. The other recognizable names include Google Wave, Google+, Google Fiber, and Google Stadia. What's going to be the 300th entry in the Google Graveyard? They're at 293 right now, so I expect we'll hit 300 by April 2024.

Zooming back out to the state of the internet today, I honestly think Google and Facebook are tied for doing the most damage to the internet and society at large. Their pervasive advertising is enough for me to stay far away from them. But their stains run far deeper. Google Search is now completely useless. Everything is a webpage now. I've lost count of the companies they've either acquired and killed or cloned and killed. They've built data profiles to rival Facebook. And Youtube will gleefully auto-play viewers into misogyny, conspiracy, and rightwing fascism.

On Android specifically, Google has been an exceptionally poor steward of the ecosystem. Flagship devices now get a few years of updates, but anything down-market may get a year of updates before being forgotten like the fifth child at an after-school activity. Google could enforce feature and security updates for a minimum period of time, but they've chosen not to. And it's only improved to the shameful level now somewhat recently.

And they've been spreading this fast-fashion/ewaste-speedrun philosophy to the laptop formfactor too. They're goddamned laptops, not milk. I have an Alienware M11x R1. It's from 2010. It still runs Windows 10. Poorly. But it can still get OS and security updates 13 years after release. It's a functional print server for my old Brother laser printer that I bought in ~2007 that only has a USB-B interface.

Beyond the shameful state of Android updates, the Google app store is a fraudulent mess. It's been a problem for years and it's still a problem today. It's impacted millions of users at this point. If the Google Play store is going to be the premier source of Android apps, Google needs to get a lot better at protecting users from bad actors. For devices that contain so much of our lives, failures to protect against financial theft is unacceptable.

And Google themselves are part of the problem. We're over-due for Google's next chat app shakeup. I think. And that's just Google. The phone OEMs can replace it with their own uniquely crappy SMS/RCS/Proprietary pile of crap. Going back to the problem of executive champions and vision, nowhere is than absence clearer than the absolute clusterfuck of Google chat apps.

Finally, I mentioned above that I'm a petty bitch. My family holds onto grudges like most folks hold onto fine tableware or farmland. Case in point: My grandfather got screwed over by a Shell gasoline station. He wrote to corporate to explain the situation, and found their answer... unsatisfactory. Nobody in my family has gone to a Shell station since.

My grandfather died over a decade before I was born.

But I have a very personal grudge against Google. They blamed me for something they broke, and have never to my knowledge apologized for it.

Many, many years ago I worked at a small firm. This was when Windows 7 was at its peak, and Windows XP was still very common/well-supported. We had a line-of-business app that was dependent on certain components of Internet Explorer. If you tried to access the web launcher from something other than IE, it would break in really unpleasant ways. Since some of the LOB usage was time-critical, when it broke it was a priority issue.

This was also the time Google started to spread Chrome like herpes. We weren't a big firm, and we didn't have great tools for controlling third-party applications and their updates at the time. Remember, this was almost 15 years ago. I've learned a lot since then, and the toolsets have improved a lot since then.

So folks would just push the button to update Adobe reader, next next next finish. The work we did was highly technical, and again: ~15 years ago, small business, most folks had local admin. We didn't have the tools to do a good job controlling these things. And updating an existing Adobe reader install would “helpfully” install Chrome and set it as the default browser. The LOB “app” was a shortcut on the All Users desktop that pointed to the webpage.

Google Chrome could not support the critical application. So I'd get a panicked phone call from a user because the critical LOB app was failing. I'd either walk over to their desk or RDC into their machine and uninstall Chrome. They'd go back to work, fill out the time-sensitive information, everyone was acceptably content.

Until they tried to click a link outside IE. Say, a link to something important in Outlook. Turns out, Google did a shit job coding the Chrome uninstaller, and left HTML file associations (what Windows uses under the hood to understand it needs to pass data to a browser) just... empty. And in Windows 7, that leads to a specific error message: “This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.” Hey guess who the System Administrator was. Guess who everyone thought was blocking something they needed to do for work?

Eventually I got the tooling and controls in place to prevent Google Chrome from installing itself where it shouldn't (part of the user profile), and finally blocked the garbage of early Chrome from my corporate domain. It wasn't technically a virus, but it sure acted like one. It sure caused a lot more headache than any actual malware. And I still carry a grudge for the shitass job Google did when spreading their little browser-glitter all over my matte black Thinkpads.

So now my phone is built by Apple. They have plenty of different problems, but Google products are absolutely disqualified.

I really wish Microsoft hadn't given up on Windows Mobile/Phone. A third player with real marketshare would be good for everyone. And comparing the ROG Ally to the Steamdeck highlights how weak Windows is on smaller devices and interfaces that aren't keyboard & mouse. Having an ARM-based processor base would have put Microsoft in a better place to really compete with Apple's M processors. Having an XBox Mobile/Handheld/Go would be amazing. #RIPWindowsPhone

So yea. I don't trust Google for many reasons. Android itself is a mess. And I'm petty as fuck. That means an iPhone is my only option.


from Kevin Neely's Security Notes

I came across a post the other day by JWZ regarding the #billionaire behind one of the more infamous #hacking-for-hire companies around. It's been fairly well known for some time that people and companies were selling their offensive #cybersecurity skills like this, but what was news to me was that Rajat Khare was paying and bullying his way to wiping the slate clean by removing the articles regarding his involvement.

So, given that large language models are trained on data from a certain point in time, I thought it would be interesting to see what one “knew” about Rajat Khare’s activities. I used Mistral Instruct 7B and asked it to create an article regarding Khare’s involvement with funding hack-for-hire companies. The output seemed very good and accurate; I was able to quickly confirm nearly everything in the output below.

I also wanted the reporter’s voice to be hard-hitting, 50’s style journalism, which I don’t think came out very well. It did, however, lead me down a rabbit hole into Russian Oligarch Rybolovlev by linking him to some hacking-for-hire as a customer.

Mistral-Instruct 7B generated article

In the shadows of the digital world, there exists an insidious network of hackers who have been orchestrating a campaign of cybercrime that has left entire nations vulnerable. These hackers operate in secret, using sophisticated techniques to breach even the most secure systems and steal sensitive data from politicians, celebrities, and other high-profile figures around the world.

At the heart of this criminal enterprise is Rajat Khare, an Indian venture capitalist who has been funding firms that eventually became a widespread hack-for-hire enterprise known as Appin. Khare's involvement in these illicit activities has left him with a dark reputation and raised serious questions about his business practices.

Appin was founded by a group of former employees from the Indian cybersecurity firm, Hacking House. These individuals were highly skilled hackers who used their expertise to provide a range of services to clients around the world. However, as time went on, it became clear that Appin's true purpose was to carry out a campaign of cybercrime for hire.

One of the most notorious cases involving Appin occurred in 2018 when they were hired by a wealthy businessman named Dmitry Rybolovlev to hack into the email accounts of his former wife, Elena Okamoto. Using advanced techniques such as phishing and social engineering, Appin was able to gain access to Ms. Okamoto's emails and steal sensitive information about her personal life and financial dealings.

Another high-profile case involved a group of hackers who were hired by the Russian government to carry out cyberattacks against Western governments and political figures during the 2016 U.S. presidential election. It is believed that Appin played a key role in this operation, providing the hackers with access to sensitive information about their targets.

Despite these high-profile cases, Rajat Khare has continued to deny any involvement in Appin's criminal activities. However, evidence suggests otherwise. In 2019, it was revealed that Khare had invested heavily in a company called Cybereason, which provides advanced threat detection and response services. This investment raised suspicions that Khare may have been using his venture capital firm to fund cybercrime operations.

Furthermore, several former employees of Appin have come forward to describe the company's culture of criminality. They claim that the company was run by a group of ruthless hackers who were willing to do whatever it took to carry out their clients' requests, even if it meant breaking the law.

In conclusion, Rajat Khare's involvement in Appin and its criminal activities raises serious questions about his business practices and ethics. It is clear that he has been using his venture capital firm to fund a campaign of cybercrime that has left entire nations vulnerable. As such, it is important for law enforcement agencies around the world to take action against Khare and his associates in order to protect citizens from further harm.


Some real-world references: – Inside the global hack-for-hire industry Bureau of Investigative Journalism – Reuters article archived on How an Indian Startup Hacked the WorldWho Is Killing All These Stories About a Controversial Tech Mogul? from the DailyBeast – Swiss Prosecutors Investigating Russian Billionaire RybolovlevHow mercenary hackers sway litigation battles – Reuters Investigative report

edit: Jan 4, 2023: added link to the Reuters “Mercenary hackers” article


from Impossible Umbrella

A while back I bought a The C64 – and found it to have a broken (stuck) key.

The C64

In that thread expressed an interest in my posting some photos of how the keyboard mechanism works.

Well with Christmas coming I've had a few days off work, and have finally had time to do that.

The back of the machine

To open the case, you just need to undo the three screws along the front edge. It then opens like a book – you just need to carefully unclip the back edge. Note that all of the screws are just self-tapping screws so be careful not to over-tighten when putting it back together. Also note that there are a number of distinct sizes – so keep careful note of which screws go where!

Inside the C64

There's very little to see inside the machine. The keyboard is fixed to the “top”, there's a small PCB for the side ports of the bottom, and then everything else (inclduing the CPU) in on that tiny main board.

The 'the C64' main board

To remove they keyboard to work on it, undo the nine screws in the black plastic part that hold the keyboard to the case. (You can't see very well from the photo – but the 9th screw is in the top-left corner by the keyboard connector. You can (or at least I could on this model) undo that without removing the keyboard connector – but as you'll see I later took that off too, to make it easier to wok on the keyboard itself. There are two screws holding down that small metal bar, and there's a rubber piece underneath that. (Note for reassembly, that goes with the smoother side up, and the textured side down – I'm not sure it makes a huge difference – but always best to put things back the way you found them right!).

The keyboard removed

Having removed the keyboard, the next step is to disassemble it. For that, you'll need to remove the ten screws holding the metal plate in place. Given that this plate is the only thing holding the keyboard together, it might be worth propping the keyboard up so it's not resting on it's keys when you do this.

The keyboard membrane

It's just a membrane keyboard inside – with they keys actuated by their stems, and with little rubber domes to provide the return. It was one of these that was glued in upside down on my model, leading to my previously having removed it, and placed it back in without any glue.

The detail of the mechanism

You can see in this detailed close-up how they keyboard works. It's three layers of plastic film, with traces on the top and bottom sheet – and with the middle sheet providing just enough separation to keep them apart when a key isn't being pressed.

At this point I was now able to glue the loose dome in place. As suggested by # I used some RTV silicone, applied with a dental tool.

A close up of the glue repair

I don't think I did too bad a job of this – although you can clearly see which was the one that I glued. I make a very particular effort to avoid getting glue anywhere but this top sheet to plastic (I inserted a sheet of paper whilst I did the glueing).

Reassembly was just the reverse of the above – taking careful note (as I said at the top – but it's worth repeating!) to use the correct screws for each part of the operation. Helpfully there are a different number of each type of screw, so providing you don't drop them you should be okay.

24-hours later, I can report that the keyboard is working fine. They key works perfectly, and now feels the same as all of the other keys (unlike when it wasn't glue in – when it felt a bit wobbly in comparison).

Hopefully this & the accompanying photos is helpful and or interesting.


from beverageNotes

It's been a while!

This evening I've cracked open a bottle of Holladay One Barrel Bourbon. It is a result of a collaboration with The Saint Louis Bourbon Society and Barrel Blends—this is the “Nice” bottle. It's a Missouri Straight Bourbon Whisky, made with corn, wheat, and barley—percentages wasn't shared. It comes in at 120 proof and was aged six years, 2 months.

I'm a fan.

Trying it neat at first, I smell cherries, leather, cloves and black pepper. There are other aromas in there as well, but I haven't quite cottoned onto them. It starts with a smooth mouthfeel and I can taste cherries and maybe some cinnamon. The heat starts later and then sticks around after swallowing.

After adding some water, the cherry aroma dies off and the cloves pick up a bit. Checking the spice drawer—because there was something there I couldn't quite get—I check mace, nutmeg, and cardamom. Mace and nutmeg are there, but the cardamom's astringency is not there. The flyer did pitch “baking spices”. There's still a hint of black pepper at the finish.

Time to add a little more to my glass and add an ice cube. This is a good one!



from Sirius

Um tutorial sobre o recurso de criar listas no Mastodon.

O Mastodon oferece um importante recurso de organização dos perfis que você segue, permitindo que você crie listas, que funcionarão como um recorte da sua timeline principal.

Como a plataforma não possui timelines com algoritmos que detectam os seus interesses, e os posts na plataforma obedecem uma ordem estritamente cronológica, o recurso de criação de listas se mostra muito interessante para você não perder os posts de determinado assunto ou de determinados perfis de seu interesse, possibilitando que você navegue pelas notícias ou temas em que você está interessado naquele momento específico.

Com a versão 4.2 do Mastodon, você pode ocultar de sua timeline inicial os perfis que estão em uma lista que você criou, tornando-a menos poluída e lhe propiciando uma melhor experiência, pois você pode seguir centenas de perfis, sem ter a preocupação de ter uma página inicial caótica, em que posts interessantes são perdidos pelo caminho.

Para criar uma lista é muito simples. Vamos usar como exemplo a criação de uma lista cujo tema é “notícias científicas” e vamos ocultar essa lista da linha inicial, supondo que às vezes você só quer entrar e ler as notícias mais recentes do meio científico sem ter que ficar as procurando em meio aos posts dos seus amigos.

Você irá clicar na opção Listas no menu da plataforma, o que te levará para a aba de listas, onde são apresentadas todas as listas que você criou. Na parte de cima, você pode escrever o nome de uma nova lista que deseje criar (neste exemplo vamos criar a lista cujo nome é “Ciência”) e após clicar no botão de +, circulado na imagem, você a terá criado.


Uma vez criada a nova lista Ciência você clicará nela para a editar:


Clique no menu de Mostrar Configurações circulado em verde na imagem abaixo, para exibir as opões de edição, e então clique em Ocultar estes posts da página inicial, caso deseje que os perfis que irá adicionar a essa lista não sejam exibidos em sua timeline inicial.


Finalmente, você precisa seguir os perfis que pretende adicionar à sua lista. Você pode os incluir na lista de duas maneiras: na primeira forma, dentro do menu de opções da lista, conforme a imagem abaixo, você clica em Editar lista, o que abrirá a aba mostrada abaixo, onde você digita o nome do perfil e aperta enter para o localizar, clicando depois no sinal de + para adicionar o perfil à sua lista:


Na segunda forma, você entra diretamente na página do perfil que pretende incluir na lista, clica no ícone de três pontinhos, circulado na imagem abaixo, o que abrirá uma aba de opções, dentre as quais Adicionar ou remover de listas, em que você irá clicar para escolher em que lista deseja incluir o perfil selecionado, clicando em +, conforme está circulado na segunda imagem abaixo.



Pronto, você terá incluído o perfil à lista criada. Você pode adicionar vários perfis temáticos relacionados em uma mesma lista.

Como deve ter notado pelas imagens, é um recurso que utilizo bastante e possuo atualmente oito listas temáticas, nem todas ocultadas da minha linha inicial, visto que algumas uso apenas para focar em posts de determinados perfis que não me incomodarão se forem visualizados também na página inicial.

Espero que sua experiência no Mastodon seja cada vez mais divertida!

#Tutorial #MastoDicas

Leia mais...

from Hyperscale Security

I spent last week at Headquarters which is always great to talk directly with many security colleagues in a short amount of time – and not just in the office, but also dinner and drinks. That always allows for conversations that can go deeper and more passionate – and sometimes more honest – than you get in the day time, let alone when meeting virtually. Especially when you've known each other for years.

Thursday was the local Cybersecurity Awareness Month event, and I was invited for an Executive Q&A on our security strategy and direction. To continue the conversation, I invited those interested to dinner after to close out my week before flying back home. This is how I found myself opposite my oldest friend in the security organization, deeply engaged on one of his favorite topics: open source security.

“But That Stuff is Boring!”

He wanted to talk about protecting against zero days in the most common open source components used in our solutions. Admirable, but aside from the greater risks from known vulnerabilities, how would you do that? Not knowing they exist, such zero days by definition would have slipped through our SAST and DAST scanning. So, are you proposing we run continuous fuzzing tests against such components and dependent libraries, in addition?

We can engage the internal security community (another one of his favorite topics), he replied. They can submit vulnerabilities and pull requests to the maintainers. And we could patch our landscape even before the vulnerability is disclosed.

Wait, you're suggesting we fork the library and deploy a patch, rather than wait for the fix to be released by the maintainers? And then how do we get back on the official version? Do we force all the developer teams to patch twice for a zero day nobody knows about and we have no evidence is exploited in the wild? Why wouldn't we just manage it through the existing known vulnerability management processes with established SLAs, and if necessary deploy a temporary detection or mitigation?

Oh, but that stuff is boring...

Ignoring the Boring Makes Us Vulnerable

We have such a habit in infosec to chase after the esoteric and interesting. It is encouraged through conferences and social media fame. The cybersecurity industry adds to it, whether for marketing reasons or added features without guidance or consideration how to operationalize them but demo well. We like intellectually interesting problems we can solve on our own. But then we shouldn't be surprised when the basics aren't taken care of, and developer teams consider us burdensome and adding irrelevant toil.

I get that it may not be as much fun to chase after teams with reports on alerts or missing evidence for compliance controls, help teams to manage a never ending stream of newly reported vulnerabilities against SLAs, or to improve asset discovery and metadata management, rather than chase after zero days. But the boring basics are what truly reduces the attack surface. Ignoring the boring is what continues to make us vulnerable.

Finding Excitement in the Boring

To solve the big problems in security, we must find excitement in the boring. Let's focus our minds on how we implement and operationalize least-privilege IAM and secrets, how we can make CI/CD pipelines both more secure and efficient for developer teams to allow for greater code quality and higher velocity, and provide secure-by-default infrastructure, platforms and services that enable teams to be more productive without getting in their way. Find the intellectual challenge in security engineering and operations. We must work on the risks we face, not the threats we like.


from Hyperscale Security

Security is a tough discipline. To do it well requires focus, so we don't spin our wheels, spend effort and budget, or get distracted by the latest hype. It is unfortunate, therefore, that we often get caught in dogmas we tell ourselves, but we don't examine whether they are correct or even useful. Here are three such dogmas that are just plain wrong.

1. Defenders Have to be Right All the Time, Attackers Only Once

If this was ever true, it certainly isn't today. A quick look at the MITRE ATT&CK framework makes it very clear that there are many stages in attacks, from reconnaissance to initial access to execution and persistence, just to gain a first foothold in a defender's landscape. Before a threat actor gets to actual data collection and exfiltration, or a ransomware attack, he or she needs to get a lot of things right – all of which could potentially be detected.

A layered defense that presents multiple obstacles also means that the defender may not get it right all the time – a vulnerability in a container, a misconfiguration in the network architecture, an open RDP port – but should still have multiple opportunities to detect malicious activity before the attacker is at your crown jewels. Lateral movement, privilege escalation, creation of rogue resources or user accounts all give opportunities to detect an attack in progress, and as long as an attacker has no access to a KMS may never get to encrypted data or into databases.

The dogma doesn't recognize the advantages of defenders and ignores the obstacles attackers must overcome. Attackers need to be right all the time. Defenders have multiple opportunities to stop them.

2. No Security Through Obscurity

This is often repeated, but as a result prevents us from taking the benefits of obscurity as part of a layered defense. Run an SSH open to the public internet on port 22 and it will be hammered constantly by automated scripts. Run it on a high random port and it will see virtually no traffic. Only very persistent threat actors focused on a particular target victim will scan for all open ports.

And if defenders were diligent enough to run SSH on a high randomly chosen port, logs showing failed logins will present a far more valuable and reliable alert than the noise that comes with SSH on port 22.

3. Zero Trust Network Architecture

This is possibly the most controversial dogma at all, as it seems the entire industry has lost their mind over this. NIST SP 800-207, the relevant Zero Trust standard says:

Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource

So, it correctly starts with the premise that the network cannot be trusted... and yet spends most of the document discussion network controls, trying to re-establish trust in the network.

Trying to fix IAM, application context, and network security all at the same time, by adding a new policy control overlay in the network to implement the user access controls we should already have on application level. But why? Didn't we just declare the network no longer trusted? Especially in a cloud landscape, you may even end up creating network connections that don't need to exist. Why prevent a user access to a resource by network they already don't have access to on application level? The problem is IAM and that is hard enough. We can manage IAM and application context with Workload Identities for service accounts. Why complicate it further by adding the network back in?

Organizations struggle already with the basics. Why set them up for failure with a massive ZTNA implementation? IAM is boring and network security companies have products to sell?

Abandon the Idea that it's Not Good Enough Unless it's Perfect

There is this joke that goes that the only secure computer is one that is locked away in a separate room, does not have mouse, keyboard or screen, has no network connection, and is powered off. This is supposed to be instructive to get the balance of confidentiality and integrity right in relation to availability. It's intended to show that perfect security is not possible. It is not to be taken seriously as reasonable security guidance.

We supposedly moved at least a decade ago to a risk-based approach. However it seems a good portion of our industry continues to look for the perfect, and anything less is not good enough. Is it any surprise that there is such a gulf between security consultants, advisors and policy writers on the one hand and practitioners on the other? Let's abandon our perfect dogmas so we can focus on the actually important security operational problems.


from what

In the wake of his purchase, far-right billionaire Elon Musk has made many awful changes at Twitter. Kneecapping capabilities for viewing, researching, and archiving materials posted on the forum is certainly less immediately harmful than, say, stochastic terrorism against schools & childrens' hospitals, but it's still no good, and requires some stopgaps.

Twitter frequently now seems to block altogether; and even when it is possible to archive a tweet by other means, it is generally only viewable as a single post, devoid of any surrounding context in the form of threads or replies.

One intermittent way to currently get around this limitation is to use the open-source, alternative Twitter front-endNitter”, and specifically Chris McCormick's redirect proxy Twiiit.

The steps I've found useful are as follow:

  • For example, let's say I need to preserve this post along with some of its immediate context:
  • I replace the url's “twitter” domain with “twiiit” – e.g.
  • Before I hit “enter”, I COPY that modified URL. This is because Nitter instances themselves are regularly being blocked by Twitter, or are otherwise unable to dredge up a copy of the post. The “twiiit” re-direct will try various Nitter instances, though; so if the first couple don't function, I simply paste the URL and try again. It only saves a couple of seconds, but they can add up.
  • I find myself redirected to a functional Nitter front-end of the tweet, which includes replies and context, in this case it's this one:
  • I create an archive of that Nitter front-end by using and/or

If I'm trying to preserve a longer thread, I will sometimes archive every fourth or fifth post to ensure that the data is complete via overlapping captures.

As Musk continues to use his fortune in an apparent quest to singlehandedly reinvigorate the embers of the alt-right, it'll remain important to be able to document & preserve some of what is posted on his platform — this will likely require a continual stream of kludgy workarounds by diligent researchers who are much more clever than I am. So, thanks in advance.

P.S. – Nitter instances render timestamps as UTC, which is generally more reliable than the local timestamp which appears when I view the original tweet from the US West coast.


from CatSalad🐈🥗 (D.Burch)


This list only contains accounts for security bsides, events, and conferences found in the fediverse / Mastodon with some post history. I will regular update this post as more events migrate here. For hacker meet-ups and local DEFCON / 2600 groups, please refer to the link below.

📌⁠InfoSec Events by Region (ᵃˡˢᵒ🦣ⷨ) 📌⁠Hacker Meet-ups by Region (ᵃˡˢᵒ🦣ⷨ) 📌⁠Hackerspaces by Region (ᵃˡˢᵒ🦣ⷨ)


⸻ Event Info – Call for Papers (#CFP) – #InfoCon – #InfoconDB archive – Security BSides Global

⸻ Online 🌐 – #ComfyCon – D.O. Conference – #PancakesCon

⸻ Canada 🇨🇦

@BSidesCalgary – #BSidesCalgary, AB @BSidesEdmonton – #BSidesEdmonton, AB @BSidesFredericton – BSidesFredericton, NB @BSidesMTL – #BSidesMTL Montreal, QC @BSidesOttawa – #BSidesOttawa, ON @BSidesRegina – #BSidesRegina, SK @BSidesStJohns– #BSidesStJohns, NL @BSidesTO – #BSidesTO Toronto, ON @BSidesVancouver – #BSidesVancouver, BC – #BSidesVI Vancouver Island, BC – #Hackfest Québec City, QC – #BSidesHalifax, NS – #NorthSec Montréal, QC – #PolQc POLAR Conf, QC – #SeQCure Québec, QC – #TheLongCon Winnipeg, MB

⸻ US – Northeast – #BSidesBoston, MA – #BSidesBuffalo, NY – #BSidesCambridge, MA – #BSidesCharm Towson, MD @BSidesCT – #BSidesCT Hamden, CT @BSidesFloodCity – #BSidesFloodCity Johnstown, PA @BSidesHBG – #BSidesHBG Harrisburg, PA – #BSidesNJ ? NJ – #BSidesNYC New York City, NY – #BSidesPhilly Philadelphia, PA – #BSidesPGH Pittsburgh, PA – #BSidesROC Rochester, NY – #HushCon New York City, NY – #JawnCon Philadelphia, PA – #PumpCon Philadelphia, PA – #ShmooCon Washington, DC – #SummerCon Brooklyn, NY

⸻ US – Midwest – #BlueTeamCon Chicago, IL – #BSides312 Chicago, IL @BSidesBloomington – #BSidesBloomington, IN – #BSides_BTown Bloomington, IN – #BSidesBoulder, CO – #BSidesChicago, IL @BSidesColoradoSprings – #BSidesColoradoSprings, CO @BSidesColumbus – #BSidesColumbus, OH – #BSidesDayton, OH – #BSidesDenver, CO @BSidesFtWayne – #BSidesFtWayne, IN – #BSidesKC Kansas City, MO @BSidesMilwaukee – #BSidesMilwaukee, WI @BSidesPeoria – #BSidesPeoria, IL – #BSidesSpfd Springfield, MO – #CircleCityCon Indianapolis, IN – #CypherCon Milwaukee, WI – #THOTCON Chicago, IL – #WWHackinFest Deadwood, SD

⸻ US – West – #BSidesCV Central Valley, CA @BSidesHawaii – #BSidesHawaii Honolulu, HI – #BSidesLA Los Angeles, CA – #BSidesPDX Portland, OR – #BSidesSD San Diego, CA – #BSidesSeattle, WA – #BSidesSF San Francisco, CA – #SOUPS Symposium on Usable Privacy and Security, Anaheim, CA

⸻ US – Southwest

@BSidesAlbuquerque – #BSidesAlbuquerque, NM – #BSidesAustin, TX – #BSidesDFW Dallas-Fort Worth, TX – #BSidesLV Las Vegas, NV – #BSidesRGV Rio Grande Valley, McAllen, TX – #BSidesSATX San Antonio, TX @BSidesSantaFe – #BSidesSantaFe, NM @BSidesTucson – #BSidesTucson, AZ – #CactusCon Mesa, AZ – #DEFCON Las Vegas, NV – #DianaInitiative Las Vegas, NV

⸻ US – Southeast – #BSidesATL Atlanta, GA – #BSidesAugusta, GA @BSidesBirmingham – #BSidesBirmingham, AL – #BSidesCharleston, SC – #BSidesCLT Charlotte, NC @BSidesCHS – #BSidesCHS Charleston, SC – #BSidesCharlotte, NC @BSidesGVL – #BSidesGVL Greenville, SC @BSidesHSV – #BSidesHSV Hunstville, AL @BSidesJAX – #BSidesJAX, Jacksonville, FL @BSidesKC – #BSidesKC Kansas City, MO – #BSidesKnoxville, TN @BSidesNOLA – BSidesNOLA New Orleans, LA @BSidesNoVA – #BSidesNoVA Arlington, VA – #BSidesOrlando, FL @BSidesRoanoke – #BSidesRoanoke, VA – #BSidesRDU Raleigh/Durham, NC – #BSidesSPFD Springfield, MO – #BSidesSTL St. Louis, MO @BSidesStPete – #BSidesStPete St. Petersburg, FL @BSidesTampa – #BSidesTampa, FL – #Cackalacky Con, Raleigh, NC – #CyberwarCon Arlington, VA – #SecurityOnion Con, Augusta, GA

⸻ US – Territories

@BSidesPR – #BSidesPR San Juan, PR 🇵🇷

⸻ Caribbean

@BSidesCaymanIslands – #BSidesCaymanIslands, KY 🇰🇾

⸻ Latin America

@BSidesArgentina – #BSidesArgentina Jujuy, Argentina 🇦🇷 – #BSidesCDMX Mexico City, Mexico 🇲🇽 @BSidesCO – #BSidesCO Bogotá, Colombia 🇨🇴 – #BSidesJoãoPessoa, Brazil 🇧🇷 @BSidesPeru – #BSidesPeru Lima, Peru 🇵🇪 @BSidesPanama – #BSidesPanama Panama City, Panama 🇵🇦 – #BSidesSP Sao Paulo, Brazil 🇧🇷 @BSidesVitória – #BSidesVitória, Brazil 🇧🇷

⸻ Europe 🇪🇺 – #Botconf Nice, FR 🇫🇷 – #BruCON Mechelen, BE 🇧🇪 @BSidesAthens – #BSidesAthens, GR 🇬🇷 @BSidesBUD – #BSidesBUD Budapest, HU 🇭🇺 @BSidesCyprus – #BSidesCyprus Limassol, CY 🇨🇾 @BSidesDublin – #BSidesDublin, IE 🇮🇪 @BSidesKraków~~ – #BSidesKraków, PL 🇵🇱 – #BSidesKbh København, DK 🇩🇰 – #BSidesLisbon, PT 🇵🇹 – #BSidesLjubljana, SI 🇸🇮 @BSidesMilano – #BSidesMilano, IT 🇮🇹 @BSidesOsijek – #BSidesOsijek, HR 🇭🇷 – #BSidesOslo, NO 🇳🇴 @BSidesPrishtina – #BSidesPrishtina, XK 🇽🇰 @BSidesRoma – #BSidesRoma, IT 🇮🇹 – #BSidesReykjavik, IS 🇮🇸 – #BSidesSOF Sofia, BG 🇧🇬 @BSidesTallinn – #BSidesTallinn, EE 🇪🇪 @BSidesTirana – #BSidesTirana, AL 🇦🇱 @BSidesTransylvania – #BSidesTransylvania Cluj-Napoca, RO 🇷🇴 @BSidesUmeå – #BSidesUmeå, SE 🇸🇪 – #BSidesVienna, AT 🇦🇹 – #BSidesZurich, CH 🇨🇭 – #DeepSec Con, Vienna, AT 🇦🇹 – #HackLu, LU 🇱🇺 – Pass the SALT Con, Lille, FR 🇫🇷 – #BSidesItalia IT 🇮🇹 – #TumpiCon Turin area, IT 🇮🇹

⸻ Germany 🇩🇪

@BSidesBerlin – #BSidesBerlin @BSidesFrankfurt – #BSidesFrankfurt am Main – #BSidesMunich @BSidesStuttgart – #BSidesStuttgart – #Elbsides BSides Hamburg – TROOPERS Conference, Heidelberg

⸻ United Kingdom 🇬🇧 – #44CON London 🏴󠁧󠁢󠁥󠁮󠁧󠁿 – #SecuriTay Abertay, Dundee, 🏴󠁧󠁢󠁳󠁣󠁴󠁿 @BSidesBasingstoke – #BSidesBasingstoke @BSidesBelfast – #BSidesBelfast – #BSidesBham Birmingham 🏴󠁧󠁢󠁥󠁮󠁧󠁿 @BSidesBristol – #BSidesBristol @BSidesCambridge – #BSidesCambridge – #BSidesCheltenham 🏴󠁧󠁢󠁥󠁮󠁧󠁿 @BSidesDundee – #BSidesDundee 🏴󠁧󠁢󠁳󠁣󠁴󠁿 @BSidesExeter – #BSidesExeter @BSidesLancashire – #BSidesLancashire – #BSidesLeeds 🏴󠁧󠁢󠁥󠁮󠁧󠁿 @BSidesNewcastle – #BSidesNewcastle – #VB2024 VirusBulletin, London 🏴󠁧󠁢󠁥󠁮󠁧󠁿

⸻ Africa

@BSidesCapeTown – #BSidesCapeTown, South Africa 🇿🇦 @BSidesNairobi – #BSidesNairobi, Kenya 🇰🇪

⸻ India 🇮🇳

@BSidesAhmedabad – #BSidesAhmedabad – #BSidesBangalore @BSidesChennai – #BSidesChennai @BSidesIndore – #BSidesIndore @BSidesJaipur – #BSidesJaipur – #BSidesOdisha

⸻ Asia

@BSidesMyanmar – #BSidesMyanmar, Myanmar 🇲🇲 @BSidesSG – #BSidesSG Singapore, China 🇨🇳 @BSidesTokyo – #BSidesTokyo, Japan 🇯🇵 @BSidesYerevan – #BSidesYerevan, Armenia 🇦🇲

⸻ Australasia – #BSides_Bne Brisbane, AU 🇦🇺 – #BSidesCanberra, AU 🇦🇺 – #BSidesMelbourne, AU 🇦🇺 – #BSidesPerth, AU 🇦🇺 – #BSidesSydney, AU 🇦🇺 – #CrikeyConAU Brisbane, AU 🇦🇺

⸻ For other events not in the fediverse try: ➡️⁠ ➡️⁠ by Xavier Santolaria

Feel free use, copy, modify, steal, boost, encrypt, or plagiarize this information anyway you want. :cc_cc:​𝟶 “No Rights Reserved”

⸻ #InfoSec #CyberSecurity #BSides #CatSalad #cc0


from CatSalad🐈🥗 (D.Burch)


This list only contains local 2600, DEFCON, CCC, OWASP, LUG, and InfoSec groups with active fediverse / Mastodon accounts, including languages other than English. As more are created or discovered, I will update this message. For hackerspaces, see the link below.

📌⁠InfoSec Events by Region (ᵃˡˢᵒ🦣ⷨ) 📌⁠Hacker Meet-ups by Region (ᵃˡˢᵒ🦣ⷨ) 📌⁠Hackerspaces by Region (ᵃˡˢᵒ🦣ⷨ)


⸻ InfoSec Groups – 2600 Community (Lemmy) – #BHRE (women only) – Chaos Computer Club – #CCC (friendica) – CCC events #cccRegio – Women In Cybersecurity (#WiCyS)

⸻ Canada 🇨🇦 – #DC902 Halifax, NS – OWASP Ottawa

⸻ US – Northeast – 2600, NH – Blacks In Cybersecurity™ (BIC), Washington, DC – #BIC DMV Metro Area, DC – #DC215, Philadelphia, PA – #DC201 North New Jersey – DC201 North NJ – DC201 North NJ – #DC610 Easton, PA – #HackDC Washington, DC – #NYC2600 NY – NYC 2600, NY – OWASP Boston, MA – #Philly2600 Philadelphia, PA – #Phillysec Philadelphia, PA

⸻ US – Midwest – #DC402 Nebraska – #DC608 Madison, WI – DC608 Madison, WI – #DC937 Dayton, OH – #DenverSec Denver, CO – #Lansing2600 Lansing, MI – Rocky Mountain LUG, CO

⸻ US – West – #DC503 Portland, OR – #DC510 Oakland, CA – #DC858 / #DC619 San Diego, CA – #PDX2600 Portland, OR – #RainSec PDX, Portland, OR

⸻ US – Southwest – #ASULUG ASU, AZ – Dallas Hackers Dallas, TX – #DC512, Austin, TX – #PLUG, Phoenix, AZ

⸻ US – Southeast – #DC404 Atlanta, GA – #DC443 Baltimore, MD – #DC540 Nova regional, VA – DC540 Nova regional, VA – #RTP2600 Raleigh, NC

⸻ Europe 🇪🇺 – #2600Malmo 2600 Malmö, SE 🇸🇪 – #2600stockholm Stockholm, SE 🇸🇪 – 2600 Madrid, ES 🇪🇸 – Chaos Amsterdam, NL 🇳🇱 – CCC Wien, Vienna, AT 🇦🇹 – CCC Basel, Muttenz, CH 🇨🇭 – #DC4822 Warsaw, PL 🇵🇱 – #DC9723, Tel-Aviv, IL 🇮🇱 – #LUGOS SI 🇸🇮 – #LUGV Vorarlberg, AT 🇦🇹 – #ULUG Uppsala, SE 🇸🇪

⸻ Germany 🇩🇪 – Chaostreff Amberg Sulzbach – CCC Dresden – CCC Aachen – CCC Darmstadt – CCC Frankfurt – CCC Freiburg – CCC Hamburg – CCC Potsdam – CCC Stuttgart – CCC Wiesbaden – Computer Club Itzehoe – CCC Essen – CCC Berlin – Chaostreff Alzey – Chaostreff Backnang – #ErLUG Erlangen – #Flipdot CCC Erfa-Kreis, Kassel – #Haecksen (Stuttgart, Hamburg, Hannover, Karlsruhe, Leibzig, Göttingen and Berlin) – #Geekfem Hamburg – #KiLUG Haslach im Kinzigtal – LUG Mayen-Koblenz – LUG Nürnberg – LUG Hannover – #LUGOR Oberhausen Rheinland – CCC Munich – OWASP DE – OWASP Karlsruhe

⸻ India 🇮🇳 – #DC9111, Delhi

⸻ United Kingdom 🇬🇧 – 2600 Glasgow 🏴󠁧󠁢󠁳󠁣󠁴󠁿 – Abertay Hackers, Dundee 🏴󠁧󠁢󠁳󠁣󠁴󠁿 – #DC44131 Edinburgh 🏴󠁧󠁢󠁳󠁣󠁴󠁿 – OWASP London 🏴󠁧󠁢󠁥󠁮󠁧󠁿

⸻ Australasia – Flinders Cybersecurity Society, Adelaide, AU 🇦🇺 – Linux Australia 🇦🇺 – OWASP Melbourne, AU 🇦🇺 – #PalmyLUG Palmerston North, NZ 🇳🇿

For other groups & meetups not in the fediverse: ➡️⁠ ➡️⁠ ➡️⁠ ➡️⁠

Feel free use, copy, modify, steal, boost, encrypt, or plagiarize this information anyway you want. cc​𝟶 “No Rights Reserved”

#InfoSec #CyberSecurity #DEFCON #2600 #CCC #OWASP #WomenInCybersecurity #LUG #LinuxUserGroup #CatSalad #cc0


from CatSalad🐈🥗 (D.Burch)


This list contains hackspaces and hacklabs with active fediverse / Mastodon accounts. For monthly group meets, see the post link below. This list will be update as more workshops in the fediverse are discovered.

📌⁠InfoSec Events by Region (ᵃˡˢᵒ🦣ⷨ) 📌⁠Hacker Meet-ups by Region (ᵃˡˢᵒ🦣ⷨ) 📌⁠Hackerspaces by Region (ᵃˡˢᵒ🦣ⷨ)


⸻ United States 🇺🇸 – #HackDC Washington, DC – Iffy Books – Philadelphia, PA – #Noisebridge Hackerspace – San Francisco, CA

⸻ Latin America – Laboratório Hacker de Campinas, Brazil 🇧🇷

⸻ Europe 🇪🇺 – #Coredump Hack- & Makerspace, Rapperswil-Jona, CH 🇨🇭 – F-HackLab, Rome, IT 🇮🇹 – #Hackeriet Oslo, NO 🇳🇴 – #Hackstub Strasbourg, FR 🇫🇷 – #HsPsh Hackerspace Pomorze, PL 🇵🇱 – #HsWaw Warsaw, PL 🇵🇱 – #KaouennNoz Rennes, FR 🇫🇷 – #LeBIB Montpellier, FR 🇫🇷 – #HSLodz Hakierspejs Łódź, PL 🇵🇱 – #TampereHacklab FI 🇫🇮

⸻ Austria 🇦🇹 – #DevLol Linz – #Itsyndikat Innsbrucks – #Metalab Vienna – #Realraum Graz – /usr/space, Leobersdorf

⸻ Germany 🇩🇪 – #ACMELabs Bielefeld – #Backspace CCC-Erfa, Bamberg – #BinHacken Hacker- & Makerspace, Bingen – #Bytespeicher Erfurt – #bytewerk Ingolstadt – CCC Cologne – c-base, Berlin – CCC Aachen – CCC Darmstadt – CCC Frankfurt – CCC Freiburg – CCC Hamburg – CCC Wiesbaden – Chaostreff Flensburg – #Chaosdorf Hackspace & CCC Erfa, Düsseldorf – Chaostreff Osnabrück – #Chaotikum Lübeck – Chaostreff Chemnitz – #ClubDiscordia CCC Berlin – #DasLabor Bochum – #Datenburg Bonner – Dezentrale Leipzig – #Eigenbaukombinat Halle, Saale – #Entropia Karlsruhe – #Flipdot Kassel – #Hacklabor Schwerin – #Hackershell 🌐 #Hacksaar Saarbrücken – #Hackzo Coburg – Hackspace Siegen – #Haxko Mayen-Koblenz – Hackerspace Bielefeld – K4 Computergruppe, Nuremberg – #Krautspace Jena – #LeineLab Hannover – #MagLab Magrathea Laboratories, Fulda – #Maschinenraum m18, Weimar – CCC Munich – Freifunk Neanderland, Wülfrath – #Neotopia Göttingen – #Nerdberg Nuernberg – #Netz39 Magdeburg – OpenLab, Augsburg – Offene Werkstatt Norderstedt – #Port39 Stralsund – Raumfahrt, Berlin – #Schaffenburg – #Space47 Duisburg – #Spline Berlin – #Stratum0 Braunschweig – #RaumZeitLabor Mannheim – Temporärhaus, Ulm – Toppoint Hackspace, Kiel – nachtsnochlicht@Turmlabor, Dresden – UN-Hack-Bar, Unna – warpzone, Münster – #WelcomeWerkstatt Hamburg – #Werkraum Zittau – #Westwoodlabs Westerwald – xHain Hack- Makerspace, Berlin – #zLabor Zwickau – Zentrum für Technikkultur Landau

⸻ Netherlands 🇳🇱 – Chaos Amsterdam – #Bitlair Amersfoort – #Hack42 Arnhem – #Hackalot Eindhoven – #Pixelbar Rotterdam – #RevSpace Hague – #TDvenlo Venlo – Technologia Incognita, Amsterdam – #TrrkLab Enschede

⸻ United Kingdom 🇬🇧 – #57n Hacklab, Aberdeen 🏴󠁧󠁢󠁳󠁣󠁴󠁿 – #57North Hacklab, Aberdeen 🏴󠁧󠁢󠁳󠁣󠁴󠁿 – Cheltenham Hackspace 🏴󠁧󠁢󠁥󠁮󠁧󠁿 – #EEHackSpace East Essex 🏴󠁧󠁢󠁥󠁮󠁧󠁿 – #HackHitchin Hitchin 🏴󠁧󠁢󠁥󠁮󠁧󠁿 – Leigh Hackspace, Manchester 🏴󠁧󠁢󠁥󠁮󠁧󠁿 – #NottingHack Nottingham 🏴󠁧󠁢󠁥󠁮󠁧󠁿

⸻ Australasia – Ballarat Hackerspace, AU 🇦🇺

For other hackerspaces not in the fediverse try: ➡️⁠

Feel free use, copy, modify, steal, boost, encrypt, or plagiarize this information anyway you want. :cc_cc:​𝟶 “No Rights Reserved”

#CCC #ChaosComputerClub #Hacker #Hackspace #Hackerspace #CatSalad #cc0


from CatSalad🐈🥗 (D.Burch)

List of some useful links, news sites, and open web search engines that also provide .Onion service access through Tor :tor:. Each searx site varies on their up time, so it pays to visit the 🗂️⁠SearXNG Index to find alternatives.

📌⁠List of torified fedi instances (ᵃˡˢᵒ🦣ⷨ) 📌⁠List of useful torified sites (ᵃˡˢᵒ🦣ⷨ)

🗃️⁠Archive.Today⁠〰️→🧅⁠archivei… 💻⁠DEFCON Forums⁠→🧅⁠ezdhgsy… 💻⁠DEFCON Home⁠〰️→🧅⁠g7ejphhu… 💻⁠DEFCON Media⁠〰️→🧅⁠m6rqq6k… 🔐⁠⁠→🧅⁠zkaan2x… 🔖⁠⁠〰️〰️→🧅⁠redditorj…★ 📚⁠zLibrary Articles⁠→🧅⁠articles2… 📚⁠zLibrary Books⁠→🧅⁠bookszlib…


🗞️⁠BBC News⁠〰️〰️→🧅⁠bbcnewsd…★ 🗞️⁠DeutscheWelle⁠→🧅⁠dwnewsg…★ 🗞️⁠ProPublica⁠〰️〰️→🧅⁠p53lf57… 🗞️⁠The Guardian⁠〰️→🧅⁠guardian2…

🗂️⁠SearXNG Index⁠→🧅⁠searxspb… 🔍⁠divided-by-zero⁠→🧅⁠f4qfqajs… 🔍⁠⁠〰️〰️→🧅⁠lgmekfn…★ 🔍⁠⁠→🧅⁠4n53nafyi… 🔍⁠⁠〰️→🧅⁠searchvrz… 🔍⁠⁠〰️〰️〰️→🧅⁠privateoz… 🔍⁠⁠〰️〰️→🧅⁠rq2w52k… 🔍⁠⁠〰️〰️→🧅⁠gbat2pb… 🔍⁠⁠→🧅⁠z5vawdo… 🔍⁠thefloatinglab⁠→🧅⁠iziatwmt… 🔍⁠tiekoetter⁠〰️〰️→🧅⁠searx3ao…

⸻ (★ = Supports HTTPS-over-Onion) 🐈🥗

#TorProject #OnionService #OnionServices #Tor #Onion #Privacy #CatSalad


from CatSalad🐈🥗 (D.Burch)


List of fediverse instances that also provide access through .Onion servers using Tor Hidden Services. I will add more as I find them... Well, most of them anyway.

📌⁠List of torified fedi instances (ᵃˡˢᵒ🦣ⷨ) 📌⁠List of useful torified sites (ᵃˡˢᵒ🦣ⷨ)


⁠⛔⁠⁠〰️〰️〰️→🧅⁠alivebrntm… 💻⁠〰️→🧅⁠zpj4sjt4a…★ 💻⁠⁠〰️〰️〰️〰️→🧅⁠iejideks5z…★ 💻⁠⁠→🧅⁠7jaxqg6… ⛔⁠⁠⁠〰️→🧅⁠klktvbm… ⛔⁠⁠⁠〰️〰️〰️→🧅⁠yiynyc2ly…★ 💻⁠⁠〰️→🧅⁠c6usaa6… 💻⁠⁠→🧅⁠octodonic… ⛔⁠⁠⁠〰️→🧅⁠partyonl2… ⛔⁠⁠⁠〰️→🧅⁠nqt42rzz5… 💻⁠〰️〰️→🧅⁠irvqsc5bb… 💻⁠⁠〰️〰️〰️→🧅⁠ak.vernccv… 💻⁠⁠〰️→🧅⁠qm7a3tu…

⸻ (★ = Supports HTTPS-over-Onion) (⛔⁠ = Cloudflared)


#FediTor #TorProject #OnionService #OnionServices #Fedi #Tor #Onion #Privacy #CatSalad


from acrypthash

Incident Response: Scam Attack Against Retail Stores

Yesterday our stores experienced a scam attack via phone call claiming to be from the IT department and wanting to test refunds on high value items in order to get free money. Later in the campaign, they change story to claim they were from a VoIP provider. Unfortunately, one or two stores fell victim, but many others remained vigilant.

As a response, our security team deployed the following: – Created a war room for the few members involved. – Sent out communications to all employees involved (we have internal tools for this) – Used OSINT to investigate the phone number being used (the threat actor was dumb enough to use the same number for all attempts). – Blocked the number through our provider (though changing number is obviously very easy. This was done because it was the only number being used at the time.) – Did EDR scans on all store PCs from people that called in. Side Note – This is where communication with non tech savvy people can be difficult. During the social engineering process, the person at the register is instructed to reach a point in the process where you have to enter a credit card number. Reports from one end user claimed the that cc number was entered in automatically by the threat actor on the phone. They claimed no other assistance was given to access the PC, no mouse movement was performed, just the number entry. This does not make any sense to me. I did the following to investigate, but found zero IoCs: – full EDR scan on the endpoint – PCAP review for any malicious connections – RMM software installations – ELK log review – folder review – confirmed scheduled tasks Nothing substantial was found to show that a threat actor had accessed the PC and entered in the cc number. Personally, I think the end user reporting this claimed it happened this way to protect themselves. Regardless, nothing was found.

Through good communication and best security practices we were able to get this incident under control relatively fast. A big take away from this is going to be ACL build out for the feature that allows for the access of refunds through manual entry. Too many people seem to have access to this feature by default.

There is an obvious pattern that must be brought up so we as analysts and blue teamers can remain vigilant. Threat actors are starting to realize how easy social engineering truly is and the power that comes with it. We must keep our end users aware of these threats and train them to question the true intentions of people when something doesn't feel right. Typically when your gut questions something, you're usually right. For our team, we are going to be working closely with our help desk team over the next few weeks to improve their verification process and social skills to learn when something malicious is happening. Happy Hacking!