Nighed @ Nighed @sffa.community

Posts

291

Comments

977

Joined

2 yr. ago

Moderating

---

You can probably get the URL for a companies SharePoint pretty easily, but you need a login. You are able to get a PAs credentials through a phishing link etc but need the 2fa code.

You do the IT phishing attack (enter this code for me to fix your laptop being slow...), get them to enter the code and now you have access to a SharePoint instance full of confidential docs etc.

I'm not saying it's a great attack vector, but it's not that different to a standard phishing attack.

You could attack anything that's using the single sign on. Attack their build infrastructure and you now have a supply chain attack against all of their customers etc.

It helps but its not enough to counter the limits of human gullibility.

Do you have integration with other health and fitness apps to retrieve non phone step counts?

I have a Garmin watch that does all my health tracking etc.

It requires the bad guy to go to the page and ask the user to enter the code the bad guy gets

Kinda negates all those weight gains (losses) from that fancy bike though!

A camera is a good investment though!

It's not that different is it? You still need to get a user to share/enter a live code?

From a practical PoV - most people have their phone on them all the time. A work phone or a physical token can (and will) get forgotten, a personal phone much less.

Bad actor goes to super secret page while working on 'fixing' and issue for the user. They then get the 2 digit request code and ask the user to input it to 'resolve' the issue.

Mostly the same as any other 2fa social engineering attack I guess, but the users phone does display what the code is for on the screen which could help.... But if your falling for it probably not.

Remember, they are not expecting to win, so this isn't a policy they are expecting to have to implement, just using it to attract more of the right wing vote they are losing to the Reform UK party.

Have you seen how slow their site is normally? Just request loads of obscure random pages and it will just eat their IO.

Throw some standard ddos on top to obscure things and your good? (Bad)

Edit: I know nothing about their storage, so I may be wrong. It just feels like they are held together with spit and prayers at the best of times.

They said that the option to use other authenticators were disabled by their company

The ms authenticator works in 'reverse' in that you type the code on the screen into the phone. I assume this is preferable to corporate as you can't be social engineered into giving out a 2fa token. It also has a "no this wasn't me" button to allow you to (I assume) notify IT if you are getting requests that are not you.

I don't believe that the authenticator app gives them access to anything on your phone? (Happy to learn here) And I think android lets you make some kind of business partition if you feel the need to?

Is this the team they moved it to, or the team they moved it from?

Then you don't get any new people at all. (Or very few)

I don't think Google has a road/mountain bike toggle for navigation does it? ☹️

The pose is from another artist who based it on Howls moving castle (see the description on the instagram link - you can also see the pose sources on there)

The in story bit is when wax takes Steris on a flight with him at some point, I thought it was in the Lost Metal book, but I can't immediately find a reference for it...

There goes my fantasy F1 team for this week...

That's on used from McLaren?

I would split digital privacy from the foss and Linux discussions. They attract the same people, but are fundamentally different topics.

It also means you could get deeper into the digital privacy topic which is more useful to most people.

For the digital privacy one, ask for a volunteer (or do you!) ahead of time and get them to do GDPR requests for apple, Google, Microsoft, Meta etc. sanitizer anything they want to hide, but do a demo of what big tech actually knows about them.

Then go though how to prevent that and have a discussion on the pros and cons of that data collection. (Eg I don't care about Google data tracking as I find the Google location history really useful)

I'm somewhat cynical about their actual commitment to this issue after they scrapped the investment fund.... It's an investment can we not spend money on some more risky schemes and give them legislative/planning assistance to help them succeed and generate the government money back?

Or was it all meant to be subsidies for things that wouldn't give money back to the govt?

It would be good to know the actual questions asked, it's suspicious how low green/libdems/reform are in almost everything.

Shouldn't a question like this have a neutral midpoint with trust/distrust on either side? This looks like it's penalising parties people are less aware of the policies of.

Edit: oh, it's the bit at the top "which party would you trust most to:"

Naff question really what was the point of including the smaller parties there? Should have just been the main parties for that question or a graded version with all parties.