Reminder that my collection of short stories based on real world #infosec adventures, InfoSec Diaries (https://infosecdiaries.com), should not be confused with the place that has InfoSec themed dairy products, InfoSec Dairies (infosecdairies.com).
NEW SECURITY CONTENT
App Store Connect 3.0 - 1 bug fixed
https://support.apple.com/en-us/123356
New month, new goals, new family. Helping this domestic violence family with medical bills, groceries, and new devices. We're 18% to our goal so far! If you're looking for something to feel better, this is one way you can. https://ko-fi.com/lockdownyourlife
I do take refurbed devices. :)
If I do acting coaching with my clients remotely with @signalapp, can I say I use defense grade security?
ASN: AS153697
Location: Mojokerto, ID
Added: 2025-07-09T10:07
@briankrebs i've seen some IR figures get squirrely about the name. some argue Scattered Spider is a loose confederation, others an attack methodology. i don't have a strong opinion on that but i've seen the absolute bedlam these crews drop everywhere they go. #infosec #scatteredSpider
New research! Getchya new research heah!
DomainTools Investigations spent a month observing nameservers for notorious Russian bulletproof host DDoS-Guard to provide numerous acute threat intel observations as well as larger trends and traffic flows.
#threatintel #cybersecurity #infosec
https://dti.domaintools.com/where-everybody-knows-your-name-observing-malice-complicit-nameservers/
Oh hey that shitty company, Flock, is looking for a Director of Security. Remember they're the ones cooperating with ICE and have license plate readers in their "community" camera systems.
JFrog, from yesterday: Critical RCE Vulnerability in mcp-remote: CVE-2025-6514 Threatens LLM Clients https://jfrog.com/blog/2025-6514-critical-mcp-remote-rce-vulnerability/
More:
The Hacker News: Critical mcp-remote Vulnerability Enables Remote Code Execution, Impacting 437,000+ Downloads @thehackernews #cybersecurity #infosec #LLM #AI
A friend told me that #Lego is hiring a #CISO. If I were allowed to move to Denmark I would have applied on the spot. Maybe an escape route from fascism for one of you instead? #infosec #GetFediHired
Hey infosec.exchange! We’re the CHERI Alliance — excited to join the community!
We’re all about CHERI (Capability Hardware Enhanced RISC Instructions) — a powerful hardware-based approach to making memory safety and software security actually enforceable, by design.
CHERI helps stop things like buffer overflows and use-after-free bugs before they cause trouble — with hardware-enforced protections built right into the architecture.
We’re here to:
- Share news about the CHERI community in general
- Talk about what our members are building with CHERI
- Connect with folks who care about deep, meaningful security improvements
Check us out cherialliance.org
Give us a follow if this sounds like your kind of thing!
You can pee every hour from 5 am to 10 pm weekdays and 8 am to 4 am on the weekends.
Every pee is fine, no problems.
Then one time, for no apparent reason, the stream is different and splashes everywhere.
So, do you wear depends as a safeguard, even though that doesn’t change the stream or splash? Do you need a funnel for the rest of your life?
#InfoSec #risk #mitigation #compensatingcontrols
"When we talk about #farm #loan application records, there is no more #PersonalInformation anywhere than in that database," Scott Marlow, a fmr snr ofcl in the US Dept of #Agriculture, told NPR. "The #farmer's entire #financial life & the life of their kids & their #family, every time they've missed a payment, every time they've had a hard time, every time they've gotten in financial trouble…it's there."
#DOGE keeps gaining access to sensitive #data. Now, it can cut off billions to #farmers
A staffer from…DOGE recently got high-level access to view & change the contents of a #payments system that controls tens of billions of dollars in government payments & #loans to farmers & #ranchers across the #UnitedStates, according to internal access logs reviewed by NPR.
#Trump #law #economy #InfoSec #FederalGovernment #funding #Congress #SeparationOfPowers
https://www.npr.org/2025/07/10/nx-s1-5455779/doge-usda-farmers-data
My local #school system, affected by the #PowerSchoolBreach is migrating to a new platform called Infinite Campus.
How, in the Year of Our Lord 2025, does this system not support ANY KIND of multi-factor authentication???
But don't worry, according to their website, they absolutely take my security and privacy seriously...
ASN: AS47453
Location: Pleven, BG
Added: 2025-07-07T11:34
McDonald's AI hiring platform found to be vulnerable, risking 64 million job applications
Security researchers discovered vulnerabilities in McDonald's McHire hiring platform developed by Paradox.ai, including an insecure direct object reference (IDOR) flaw and trivial default credentials ("123456:123456") that potentially exposed personal data of up to 64 million job applicants across McDonald's franchises.
**Make sure to authenticate and authorize every single request to your APIs. And don't use integer auto-incrementing IDs for users, too easy to guess. Naturally, NEVER use trivial credentials for test systems.**
#cybersecurity #infosec #incident #databreach
https://beyondmachines.net/event_details/mcdonald-s-ai-hiring-chatbot-breached-exposes-64-million-job-applications-v-p-b-2-y/gD2P6Ple2L
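To make the IDOR point in the post above concrete, here is an added example (not code from the post or from the McHire platform) contrasting a record lookup keyed on sequential integers with no authorization check against a hardened version that authenticates and authorizes every request and uses opaque random ids. The record store, user names and `Forbidden` exception are constructed for the example.

```python
import secrets
from typing import Optional

# Constructed sample data: applicant records keyed by auto-incrementing ids.
APPLICANTS_BY_INT = {
    1: {"owner": "alice", "name": "Alice A.", "phone": "555-0101"},
    2: {"owner": "bob", "name": "Bob B.", "phone": "555-0102"},
}


def get_applicant_vulnerable(applicant_id: int) -> dict:
    """IDOR: any caller supplying a valid integer gets the record, and
    sequential ids make walking the whole table trivial (1, 2, 3, ...)."""
    return APPLICANTS_BY_INT[applicant_id]


def new_applicant_id() -> str:
    # 128 bits of randomness: ids cannot be guessed or enumerated.
    return secrets.token_urlsafe(16)


# Hardened store: same records, opaque random ids instead of integers.
APPLICANTS_BY_TOKEN = {new_applicant_id(): r for r in APPLICANTS_BY_INT.values()}


class Forbidden(Exception):
    """Raised for unauthenticated or unauthorized access (constructed)."""


def get_applicant_hardened(session_user: Optional[str], applicant_id: str) -> dict:
    """Authenticate (a session user must exist) and authorize (the record must
    belong to that user) on every request. An unknown id and another user's id
    produce the same error, so the endpoint does not leak which ids exist."""
    if session_user is None:
        raise Forbidden("unauthenticated")
    record = APPLICANTS_BY_TOKEN.get(applicant_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden("not found or not yours")
    return record


def token_for(owner: str) -> str:
    """Demo helper: the opaque id of a given owner's record."""
    return next(t for t, r in APPLICANTS_BY_TOKEN.items() if r["owner"] == owner)


def is_denied(session_user: Optional[str], applicant_id: str) -> bool:
    """True if the hardened endpoint refuses this (user, id) pair."""
    try:
        get_applicant_hardened(session_user, applicant_id)
    except Forbidden:
        return True
    return False
```

Running `is_denied("bob", token_for("alice"))` returns True while `get_applicant_vulnerable(1)` hands Alice's record to anyone, which is the gap the post is warning about.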
ASN: AS12593
Location: Kyiv, UA
Added: 2025-07-07T09:13
Makes you wonder if #McDonalds even has a #VendorManagement program or hell an #InfoSec program for that matter.
Do they even conduct #SecurityAudits of their vendors? Do they have an #ArchitectureReviewBoard for new projects and initiatives?
Why aren't baseline/minimum #SecurityStandards spelled out in their SOWs?
None of this is rocket science, or even that costly, but you have to be willing to put forth the effort.
https://yro.slashdot.org/story/25/07/09/2014234/mcdonalds-ai-hiring-bot-exposed-millions-of-applicants-data-to-hackers