Tootfinder

#infosec and #networking friends local and abroad, I hope this captures in part what some of you are fearing, sensing, or seeing. There is a lot more one could say, but topically relevant here, an excerpt to locally elected government officials:
"[...] I'm seeing and experiencing…

Dominos Pizza database got leaked. I started receiving spam on my dedicated email address for them.
#infosec #leak #dominos

How is this still happening?
We all knew that hard-coded credentials were BAD and WRONG 35ya.
#InfoSec https://infosec.exchange/@offseq/115528481041007501

Offensive Sequence (@offseq@infosec.exchange)
Attached: 1 image ⚠️ CRITICAL: CVE-2025-42890 in SAP SQL Anywhere Monitor 17.0 (Non-GUI) — hard-coded credentials let attackers bypass auth remotely for RCE & full system takeover. Audit & restrict access now. Await SAP patches. https://radar.offseq.com/threat/cve-2025-42890-cwe-798-use-of-hard-coded-credentia-91b98cfd #OffSeq #SAP #Infosec #CVE202542890

Stop Breaking TLS
#infosec

You are an experienced Dev(Sec)Ops. How well do you know Kubernetes?
#devops #devsecop #infosec #it…

In case you had not yet seen this elsewhere.
#gmail #ai #privacy #infosec

Moin #Infosec-Community in #Hamburg: Ich werde am 9.12. beim #OWASP Stammtisch Hamburg (zu Gast beim #CCC …

Was man so findet im Netz / Absicherung von Keycloak, Tue, Dec 9, 2025, 6:30 PM | Meetup
Moin Hamburg etc. ! Das Jahr geht leider manchmal schneller zu Ende als man denkt, und es war höchste Zeit für ein Treffen . Wir haben diesmal wieder zwei spannende Vortr

OH on slack: sometimes you think, "Oh, a regex could solve this." Now you have two ~problems~ administrators on your github repos
#devoops #sre #infosec

Also my #infosec friends could learn a thing or two here from disaster prep if this isn't already a familiar idea.
Do you have a MISL for a large scale cvss 9 0-Day that's being exploited in the wild? Have you run a table top? You fucking should. Especially since we've all been through that shit several times now. You should absolutely have a clear plan of what's gonna happen, and your whole team should be able to respond.

The most obvious tell of this sort of incident is the phone call.
The only IT or #infosec folks who will proactively call you about an attempt at hijacking an account are those of your employer or *maybe* your access provider.
Google, Microsoft,Apple, etc. are not calling everyone with suspicious activity on their accounts. There are not enough support agents on the planet to do that…

#infosec
They've mindlessly set it to be a password entry field so it can't be seen, but the 2FA app I'm copying the code from displays it in a nice large font.
They're checking the box for the sake of checking the box, not because it adds any security.
But at least it's inconvenient for all the users, so the policy has that going for it.

#infosec annoyance of the day - I use a tool for work that requires me to put in a rolling one-time code for 2fa, and doesn't show the code as I'm typing it.
That would be ok, except if I switch apps to copy the code so I can paste it in, it usually forces me to re-enter my username and password, then even though I'm in the 30 second validity window, it refuses the code.
So I have to wait till the 30 seconds roll over, copy the code, switch to the tool, re-enter my username/password, hope it doesn't take so long to negotiate with the back end that the code in my clipboard expires, then finally paste the code.
Conveniently I only have to do it multiple times a day, every work day.

I so hope this blows up in his face spectacularly.
Note that I do not believe that any LLM can become as skilled as the least skilled #InfoSec professional using conventional tools, so I’m quite confident this will not reach any useful goal.
I’m saying he needs to learn a lesson, and it would be great if it were useful for others as well. @…

I'm using #Anubis to protect our Forgejo instance from scrapper #bots, but it doesn't seem to be enough for "classic" malicious scanners that try thousands of paths looking for vulnerabilities.
Granted, presenting a challenge increases the cost for the malicious scanners, but at some point I'd like a smarter tool that detects what's happening and blocks any further attempt.
Does anyone know about good solutions for this? I'm sure there must be something out there, I'm just ignorant about it.
#infosec #WebSecurity