Cybersecurity Tips

Twitter CISO whistleblower, LastPass security incident and PayPal phishing- Newsletter #5

cyb3rsecurity.tips

Plus: the silence of risk management victory and free web security resources.

Nuno
Sep 17, 2022

With a small delay, here’s this month’s newsletter, looking at what happened in August. As I got some positive feedback about the new format, I'll keep it this way.

This was a month marked by the Twitter whistleblower who alleged less than adequate security measures at the company. The complaint was filed with the FTC by the former head of security Peiter Zatko, a respected security researcher known as “Mudge”.

Here are some of his claims, according to the Washington Post:

(…) thousands of employees still had wide-ranging and poorly tracked internal access to core company software, a situation that for years had led to embarrassing hacks, including the commandeering of accounts held by such high-profile users as Elon Musk and former presidents Barack Obama and Donald Trump.

and it continues:

(…) the company prioritized user growth over reducing spam, though unwanted content made the user experience worse. Executives stood to win individual bonuses of as much as $10 million tied to increases in daily users, the complaint asserts, and nothing explicitly for cutting spam.

These allegations come in very handy for the Elon Musk vs. Twitter case, as they support Musk’s claims of excessive bots and spammers on the platform. To be followed.

What I read last month

  • What’s going on with security at PayPal (christianvarga.com)

  • Notice of Recent Security Incident (LastPass)

  • Study Finds Apple Collects the Least Amount of User Data Among Top Five Tech Giants (Mac Observer)

  • Your online identity is owned by your email provider (Ctrl.blog)

  • PayPal Phishing Scam Uses Invoices Sent Via PayPal (Krebs on Security)

  • Freedom and Privacy (Dergigi)

On Substack

This is an excellent article about Risk Management. Strongly recommended:

Risk Musings: The Silence of Risk Management Victory, by Stephanie Losi
Sometimes risk mitigation works. It doesn’t feel that way because when risk mitigation works, nothing happens. But not all risks lead to catastrophe, as long as people tasked with mitigating those risks keep their eyes on the goal. For example, it’s possible that the Y2K computer bug actually…

On Twitter

Javarevisited @javarevisited (Aug 8, 2022):
How to securely store passwords in the database?

A great technical article about storing passwords in databases. At a time when more and more developers use external services to handle user authentication (Auth0, Okta, etc.), a bit of knowledge about how it’s done doesn’t hurt.

Eric Lawrence @ericlaw (Aug 13, 2022):
BigCorp: You should recognize a phishing attack. BigCorp: This is a legitimate and mandatory URL.

This is something that grinds my gears. I would totally fail this test.

Lukasz Olejnik @lukOlejnik (Aug 16, 2022):
Emojis can be used to deliver malicious payloads (i.e. to hack systems). Clever. î.fr/defcon/DEF%20C…

Very interesting one.

Marko Denic @denicmarko (Aug 23, 2022):
Stanford University offers this free course on Web Security. The course covers: 1. HTTP, Cookies, Sessions 2. Same Origin Policy 3. Cross-Site Scripting (XSS) 4. Denial-of-service, Phishing, Side Channels 5. WebAuthn 6. Server security and more... Link: stanford.io

CS253 - Web Security: Principles of web security. The fundamentals and state-of-the-art in web security. Attacks and countermeasures. Topics include: the browser security model, web app vulnerabilities, injection, denial-of-service, TLS attacks, privacy, fingerprinting, same-origin policy, cross site scripting, authentic…

There’s a ton of useful cybersecurity resources online from reputable sources. This is a great example: a course taught by Stanford University called “Principles of web security.”

Troy Hunt @troyhunt (Aug 24, 2022):
Data breach at @autodoc_de. I really dislike disclosure messages that begin with "lots of companies are being hacked these days", what do you think the purpose of that statement is?

Totally agree with Troy on this. We all know a lot of companies are being hacked, but that doesn’t justify poor security measures.

Brian Whelton @brianwhelton (Aug 20, 2022):
#Cloud

This is exactly right 😂😂

© 2023 Nuno Batista