sigmoid.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A social space for people researching, working with, or just interested in AI!

#infosec


Worried about npm supply chain attacks?

Here's how to mitigate:

Limit the riskier packages to dev- or test-only inclusions! These packages aren't deployed to prod, keeping customer data safe.

Dev-only package compromise only impacts developers' machines where there's less to worry about. There's no customer data. Just ssh and pgp keys, browser localstorage, or already being VPNed into corporate.

Don't risk customer data. ISO 27001 and SOC2 are counting on YOU!
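An added check, not the poster's code, that reads a `package-lock.json` (lockfile v2/v3) and reports which packages npm will actually install in production versus which are dev-only. The lockfile below is constructed for the example; it also shows the caveat that a package listed under `devDependencies` still ships to prod when a production dependency pulls it in transitively.

```javascript
// Added example (not from the post): partition a package-lock.json into
// packages that reach production and packages that stay dev/test-only.
// npm marks dev-only tree entries with "dev": true; "npm ci --omit=dev" skips them.

// Constructed sample lockfile, not a real project's. "debug" is declared as a
// devDependency at the root but is also a dependency of express, so npm does
// not flag it "dev": it will be installed in production anyway.
const sampleLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { express: "^4.19.0" },
      devDependencies: { jest: "^29.0.0", debug: "^2.6.0" },
    },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/debug": { version: "2.6.9" },
    "node_modules/jest": { version: "29.7.0", dev: true },
  },
};

function partitionLockfile(lock) {
  if (!(lock.lockfileVersion >= 2) || !lock.packages) {
    throw new Error("expected a lockfileVersion 2 or 3 package-lock.json");
  }
  const prod = [];
  const devOnly = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "") continue; // root project entry, not an installed package
    // Handles nested and scoped paths, e.g. node_modules/a/node_modules/@s/b
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    (meta.dev ? devOnly : prod).push(`${name}@${meta.version}`);
  }
  return { prod: prod.sort(), devOnly: devOnly.sort() };
}

// True when a package the mitigation assumes is dev-only actually ships to prod.
function leaksToProd(lock, pkgName) {
  return partitionLockfile(lock).prod.some((e) => e.startsWith(pkgName + "@"));
}

const { prod, devOnly } = partitionLockfile(sampleLock);
console.log("installed in production:", prod.join(", "));
console.log("dev/test only (omitted by npm ci --omit=dev):", devOnly.join(", "));
console.log("debug declared dev-only but reaches prod:", leaksToProd(sampleLock, "debug"));
```

Run it against a real lockfile by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; any name in `prod` is part of the deployed attack surface regardless of how the root `package.json` labels it.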

For those attending @defcon the special edition of Casey Erdmann's Red Team Engineering will be available at our booth! Many resources out there focus on either tooling or infrastructure, but rarely both in practical detail.

This book aims to bridge that gap, providing hands-on instruction for writing custom offensive tools and then engineering the infrastructure to use them effectively.

I share the same common view of online ID verification as most other #infosec people: it's a ludicrous situation that *increases* risk to everybody, handing data over to a mish-mash of organisations with very little transparency or rigour.

But I am enjoying the particular absurdity of seeing it in implementation. I hit a site that requires ID verification, I tell my Tailscale/Headscale config to route through one of my servers in Europe, and no more need to provide ID.

Ok for some reason when I mentioned non-human identities and tracking them, a number of people assumed aliens or something, or just AI agents. What I am looking for are some insights into authentication actions on computer systems - using tokens, APIs, stored secrets, and so on - where a human is not directly involved in the interaction. Yes, AI could be involved, think MCP especially. I know there are tools out there to manage this, just wondering. Think using Okta SSO etc. but not human users at all. Thoughts? Opinions? To me this is the next step in zero trust, in that one should have the same principles in place between any and all systems, be they human or automated: are they who or what they claim to be, and are they authorized to go forward and do what they are trying to do? #infosec #security #zerotrust

Attack on United Australia Party and Trumpet of Patriots also breached the business entities of Clive Palmer

A ransomware attack discovered June 23, 2025, compromised email servers across 11 business entities associated with Australian politician Clive Palmer, potentially affecting up to 80,000 individuals and exposing financial records, identity documents, and confidential correspondence.

**Do you want your companies to be described as having a "breathtaking lack of care" for a cybersecurity incident? It seems if one is rich enough, that's acceptable. Think of this before you give out your data to companies with huge budgets - will they care at all if they get breached?**
#cybersecurity #infosec #incident #databreach
beyondmachines.net/event_detai


Finnish technology company Exel Composites reports cyberattack exposing employee and shareholder data

Finnish composite materials technology company Exel Composites confirmed a cyberattack discovered on July 18, 2025, that compromised a limited number of workstations and servers, exposing personal information of staff and shareholders along with sensitive business materials. The company has reported the incident to police and data protection authorities but has not disclosed the nature of the attack or the number of affected individuals.

#cybersecurity #infosec #incident #databreach
beyondmachines.net/event_detai


Wait, so any app on Android with network access can just open a localhost port and then a browser script can share all your private browsing data via that port? Even on GrapheneOS? How is that not restricted?? What's stopping your banking apps or "sandboxed" Google Play store from doing this and tracking everything?

theregister.com/2025/06/03/met

The Register · Meta pauses mobile port tracking tech on Android after researchers cry foul, by Thomas Claburn

Women dating safety app Tea data leak exposes thousands of women's IDs and selfies

Tea, a women-only dating safety app, suffered a massive data breach exposing 72,000 images including verification selfies and government IDs through an improperly secured Firebase database that required no authentication to access. The vulnerability was discovered by 4chan users. The database was secured within hours but the sensitive data has already been exfiltrated and is being shared across social media platforms.

**Do you really feel confident giving out your photo IDs to random platforms on the internet? Even if they claim to be about safety and security?**
#cybersecurity #infosec #incident #databreach
beyondmachines.net/event_detai


Multiple vulnerabilities reported in Tridium Niagara Framework

Researchers discovered 10 critical vulnerabilities (CVE-2025-3936 through CVE-2025-3945) in Tridium's widely-deployed Niagara Framework, an IoT middleware platform connecting HVAC, lighting, and security systems. The vulnerabilities can be chained together to enable complete system compromise, allowing adjacent attackers to intercept tokens, hijack administrator sessions, and execute arbitrary code with root privileges.

**If you use Tridium Niagara Framework systems (common in HVAC, lighting, and building automation), check to confirm that the system is isolated from the internet and accessible only from trusted networks. Then plan an update to the latest patched versions. Also check for proper encrypted communication between Tridium Niagara and all other components to prevent interception of sensitive data.**
#cybersecurity #infosec #advisory #vulnerability
beyondmachines.net/event_detai
