
The MGM attackers claimed they used one of the easiest ways to breach/ransom a company, a method I use often in my hacking:
1. Look up who works at an org on LinkedIn
2. Call Help Desk (spoof phone number of person I’m impersonating)
3. Tell Help Desk I lost access to work account & help me get back in

While we wait for attack method confirmation, I’ll say that the attack method they claim worked for them does indeed work for me. Most orgs aren’t ready for phone based social engineering.

Most companies focus on email based threats in their technical tools and protocols — many are not yet equipped with the social engineering prevention protocols necessary to catch and stop a phone based attacker in the act. Teams need protocols to verify identity before taking action.

The 1st teams I go after when hacking are the folks who deal with requests from people constantly — IT, Help Desk, Customer Support, etc.
I often pretend to be an internal teammate to convince them to give me access, and I usually start with phone attacks because they work fast.

Email phishing attacks can get caught in good spam filters and reported.
The soft spot for many teams is the folks who handle the phone call requests.
There’s a perfect storm: lack of verification protocols, easy spoofing, compensation tied to how fast they handle requests.

Questions to ask internally to see if your team is prepared to catch this attack:
- Do the folks who handle requests from team/customers use identity verification protocols?
- Do we rely on knowledge based authentication? DOB + caller ID matches ☎️ number in system, for example.
- Are our IT/Help Desk/Support teams compensated or promoted on the speed of saying yes to requests? Have we incentivized time for security protocols in Support?
- How do we verify identity first?

Remember, most folks at work want to do a good job and oftentimes “good work” means “fast work”. We can’t expect every employee to be able to come up with their own identity verification protocols on the fly — it’s our job to provide the right human protocols to catch this fast.

We’ll need to wait to learn the details of the attack and get confirmation.
In the meantime, I can tell you I compromise orgs with the exact phone attack the attackers claim to use and many orgs don’t have phone call based identity protocols to catch it yet.

Update your phone based identity verification protocols to catch account takeover attempts!
You know your org best & there’s no one size fits all.
You can move from KBA (like DOB) to OTP on 2nd verified comm channel, call back to thwart spoof, service codes, pins, and much more.

After hacking & educating orgs on how they can catch me, the biggest task I spend my time on is updating verification protocols to spot me next time. It’s maddening to get caught on their new identity verification protocol on the next pentest but there’s also nothing I love more.
More details here: x.com/RachelTobac/status/17018
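The verification choices the post lists (move from KBA like DOB to an OTP on a second verified channel, call back to defeat caller-ID spoofing) simulated side by side, as an added example that is not part of the original post. The employee directory, phone numbers, device ids and helper names are constructed for the illustration; the point it makes is that caller ID and date of birth are attacker-controlled inputs, while a callback to the number on file plus a code delivered to a registered device are not.

```python
"""
Help-desk identity verification, simulated: knowledge-based authentication
(DOB + caller ID) beside callback + OTP on a registered second channel.
Added example; directory, numbers, device ids and helper names are constructed.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed directory. `dob` and `phone_on_file` are things an attacker can
# learn or spoof; `mfa_device` is a registered second channel the real user holds.
DIRECTORY = {
    "alice.ng": {"dob": "1990-04-12", "phone_on_file": "+15551230001",
                 "mfa_device": "dev-a1"},
}


@dataclass
class Caller:
    """Simulated party on the line. `phones` and `devices` are ground truth the
    help desk never sees; it only gets what the caller says or reads back."""
    name: str
    phones: set = field(default_factory=set)
    devices: set = field(default_factory=set)

    def confirms(self, call):
        """Asked on callback: 'did you open this request?'"""
        return call.placed_by is self

    def read_code(self, device, channel):
        """Read the OTP back only if this party actually holds the device."""
        return channel.inbox.get(device) if device in self.devices else None


@dataclass
class Call:
    claimed_user: str
    caller_id: str      # attacker-controlled: trivially spoofed
    stated_dob: str     # attacker-controlled: OSINT or breach data
    placed_by: Caller   # ground truth, used by the simulation only


class Network:
    """Who really answers a number. Spoofed caller ID does not change this;
    a SIM swap does."""
    def __init__(self, callers):
        self.owner = {p: c for c in callers for p in c.phones}

    def call_back(self, number):
        return self.owner.get(number)


class OtpChannel:
    """Delivery of a one-time code to a registered MFA device, keyed by device id."""
    def __init__(self):
        self.inbox = {}

    def send(self, device, code):
        self.inbox[device] = code


def kba_verify(call, directory=DIRECTORY):
    """Weak: DOB matches and caller ID matches the number in the system."""
    rec = directory.get(call.claimed_user)
    if rec is None:
        return False
    return (hmac.compare_digest(rec["dob"], call.stated_dob)
            and rec["phone_on_file"] == call.caller_id)


def callback_otp_verify(call, network, channel, directory=DIRECTORY):
    """Stronger: never consult caller ID. Hang up, dial the number on file,
    have whoever answers confirm the request, then read back an OTP sent to
    the registered MFA device (a channel the phone call cannot spoof)."""
    rec = directory.get(call.claimed_user)
    if rec is None:
        return False
    party = network.call_back(rec["phone_on_file"])
    if party is None or not party.confirms(call):
        return False   # nobody answered, or the real owner says "I didn't call"
    code = f"{secrets.randbelow(10**6):06d}"
    channel.send(rec["mfa_device"], code)
    answer = party.read_code(rec["mfa_device"], channel) or ""
    return hmac.compare_digest(answer, code)


def run_scenarios():
    """Constructed scenarios; returns each check's verdict keyed by scenario."""
    alice = Caller("alice", {"+15551230001"}, {"dev-a1"})
    mallory = Caller("mallory", {"+15559990000"})
    results = {}
    # 1. Spoofed caller ID plus DOB from OSINT: KBA says yes, callback reaches
    #    the real Alice, who did not open the request.
    spoof = Call("alice.ng", "+15551230001", "1990-04-12", placed_by=mallory)
    results["spoof_kba"] = kba_verify(spoof)
    results["spoof_callback"] = callback_otp_verify(spoof, Network([alice, mallory]), OtpChannel())
    # 2. Attacker also SIM-swapped the number: callback reaches her, but the OTP
    #    lands on a device she does not hold.
    swapped = Caller("mallory", {"+15551230001"})
    swap = Call("alice.ng", "+15551230001", "1990-04-12", placed_by=swapped)
    results["simswap_callback"] = callback_otp_verify(swap, Network([swapped]), OtpChannel())
    # 3. The real Alice calling from an unknown number: KBA rejects her on
    #    caller ID, the callback flow lets her in.
    legit = Call("alice.ng", "+15550001111", "1990-04-12", placed_by=alice)
    results["legit_kba"] = kba_verify(legit)
    results["legit_callback"] = callback_otp_verify(legit, Network([alice]), OtpChannel())
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Scenario 2 is why the OTP has to go to a channel other than the phone line itself: a callback alone is beaten by number porting, and a code read out over the same call is beaten by whoever holds that number. Service codes or PINs set up in advance fit the same slot as the MFA device here.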

Until all are free: the trial statement of Ray Luc Levasseur (libcom, posted 2015, reprinted from Attack International October 1989) 

Check out the Burning Planet Reading List

Save 40% on select titles to understand and fight climate change with coupon code LIST until 10/1.

See them all blog.pmpress.org/2023/09/04/st

Piñata Economics, I like it, I will now dedicate my life and entire personality to it

If Usenet is making a comeback, I'll have to see if there's anything useful to read on my Eternal September account. Anyone know of active FOSS or SWE newsgroups?

USENET, one of the original -- and always decentralized -- social networks, never completely went away. Now it may be on the verge of a comeback. theregister.com/2023/08/30/use

David Davis & Caroline Lucas MPs are supporting an amendment to the Online Safety Bill that would seek to protect the end-to-end encrypted services. Many parents rely on these apps to safely and securely share family pictures. #onlinesafetybill #encryption #privacy #E2EE

1/3 of the junior class at the school in NYC where my daughter works was out with #covid yesterday. Mask up, #boston: we're likely next.

The only legitimate use of privilege is to help bring about the kind of world where you would not have had it to begin with.

#privilege

Driving back from a camping trip yesterday, I was wondering why people were flying US flags from overpass bridges.
Finally saw a sign that said, 9/11, and (Always Remember or Never Forget). Made me wonder what lesson we were supposed to have learned... consequences of imperialism?... USA will kill millions over oil?... even the little guys can strike back?...

Dozens of fraudulent public comments urging the state of #Ohio to allow fracking in state parks were sent in the names of people without their knowledge or permission. One was a 9-yr-old girl.

Republicans did this.

The story gets even deeper from there. Great reporting by #Jake_Zuckerman

cleveland.com/open/2023/09/the

On September 11, 1973, Chile was robbed of its democracy in a CIA-backed coup

I still can't fucking believe we have a Department of Homeland Security, I mean, Jesus, that's the sort of thing you catch a glimpse of in a headline in the background and immediately realize oh, yeah, this is an alternate timeline episode, wonder how they'll ever get back.

Librem Social

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms. Policy.

Stay safe. Please abide by our code of conduct.

