shakedown.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A community for live music fans with roots in the jam scene. Shakedown Social is run by a team of volunteers (led by @clifff and @sethadam1) and funded by donations.

#spoofing


Many companies could improve their e-mail security with little effort:

✅ implement SPF, DKIM & DMARC correctly

✅ use modern e-mail infrastructure

That is how you protect yourself better against #Spoofing, #Phishing and so-called person-in-the-middle attacks.

👉 Practical tips are available here: ➡️ www.bsi.bund.de/dok/1147322

1. Hacker News, a #CyberSecurity newsletter, is sent from a domain where DMARC policy is p=none, which tells email providers, like gmail, to deliver all email that is screaming, "I am a Hacker News spoof email sent by a POS scammer" to the intended recipient anyway. p=none means take no action, even if you know it's a scam. Spam folder optional. Email services and clients will oblige. WTF Hacker News?

2. Hacker News is also using an insecure signature algorithm for signing their newsletter.

3. An extremely well-known Cybersecurity expert is sending the newsletter from a domain that has no DMARC record at all, so all spoof emails claiming to be from them will be delivered. And likely this is being constantly exploited. A DMARC policy of p="reject" would have those spoof emails trashed and not delivered. But no DMARC policy means "whatever, and I don't want to know". So, spoof emails go through unstopped and no reports of abuse are being sent to this person either. And it's their job to tell us how to stay secure and not be fooled by spoof emails. WTF?

Sometimes I don't understand how things work in the world.
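The checklist in the earlier post (SPF, DKIM, DMARC) and the three complaints above (p=none, a weak DKIM algorithm, no DMARC record at all) can be turned into a small audit. The following is an added example, not code from either poster; the domain names, DMARC records and DKIM-Signature header are constructed, and the "deliver / quarantine / reject" outcome is what a receiver does with a message that fails DMARC alignment under each record.

```python
# Constructed sample records and header (not taken from any real domain).
SAMPLE_DMARC = {
    "newsletter.example": "v=DMARC1; p=none; rua=mailto:dmarc@newsletter.example",
    "expert.example":     None,   # no _dmarc TXT record published at all
    "hardened.example":   "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@hardened.example",
}
SAMPLE_DKIM_SIG = "v=1; a=rsa-sha1; d=newsletter.example; s=sel1; h=from:to:subject; bh=abc=; b=def="

def parse_tags(value):
    """Split a 'k=v; k=v' tag list (DMARC record or DKIM-Signature header) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def evaluate_dmarc(record):
    """Return the receiver's disposition for a message failing DMARC alignment,
    whether the owner asked for aggregate reports, and the findings a defender would fix."""
    if not record or parse_tags(record).get("v", "").upper() != "DMARC1":
        return {"disposition": "deliver", "reports": False,
                "findings": ["no DMARC record: spoofs delivered, no aggregate reports"]}
    tags = parse_tags(record)
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}.get(policy, "deliver")
    findings = []
    if policy == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= tag: no aggregate reports about spoofing attempts")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    return {"disposition": disposition, "reports": "rua" in tags, "findings": findings}

def dkim_algorithm_finding(dkim_signature_header):
    """Flag the rsa-sha1 signing algorithm, which RFC 8301 deprecates for DKIM."""
    alg = parse_tags(dkim_signature_header).get("a", "").lower()
    if alg == "rsa-sha1":
        return "rsa-sha1 signature: deprecated (RFC 8301), use rsa-sha256 or ed25519-sha256"
    return None

if __name__ == "__main__":
    for domain, record in SAMPLE_DMARC.items():
        print(domain, evaluate_dmarc(record))
    print(dkim_algorithm_finding(SAMPLE_DKIM_SIG))
```

Against real domains the record would come from a DNS TXT lookup of `_dmarc.<domain>`; the evaluation logic is unchanged.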

"GNSS under attack: Recognizing and mitigating jamming and spoofing threats" by GPS World - As the cost of GPS signal jamming and spoofing techniques comes down, it no longer requires nation-state resources. As attacks become more common, defenses such as signal filters for countermeasures increase too. Self-driving cars and farm machinery may adopt RAIM, already in use in aircraft. gpsworld.com/gnss-under-attack #GNSS #GPS #Galileo #jamming #spoofing #tech #aviation


@aral : most Let's Encrypt (and other Domain Validated) certificates are issued to junk- or plain criminal websites.

They're the ultimate manifestation of evil big tech.

They were introduced to encrypt the "last mile" because Internet Service Providers were replacing ads in webpages and, in the other direction, inserting fake clicks.

DV has destroyed the internet. People lose their e-bank savings and companies get ransomwared; phishing is dead simple. EDIW/EUDIW will become an identity fraud disaster (because of AitM phishing attacks).

Even the name "Let's Encrypt" is wrong for a CSP: nobody needs a certificate to encrypt a connection. The primary purpose of a certificate is AUTHENTICATION (of the owner of the private key, in this case the website).

However, for human beings, just a domain name simply does not provide reliable identification information. It renders impersonation a piece of cake.

Decent online authentication is HARD. Get used to it instead of denying it.

REASONS/EXAMPLES

🔹 Troy Hunt fell into the DV trap: infosec.exchange/@ErikvanStrat

🔹 Google (and Troy Hunt!) killed non-DV certs (for profit) because of the stripe.com PoC. Now Chrome does not give you any more info than what Google argued for: infosec.exchange/@ErikvanStrat

🔹 https:⧸⧸cancel-google.com/captcha was live yesterday: infosec.exchange/@ErikvanStrat

🔹 Stop phishing proposal: infosec.exchange/@ErikvanStrat

🔹 Lots of reasons why LE sucks:
infosec.exchange/@ErikvanStrat (corrected link 09:20 UTC)

🔹 This website stopped registering junk .bond domain names, probably because there were too many every day (the last page I found): newly-registered-domains.abtdo. However, this gang is still active, open the RELATIONS tab in virustotal.com/gui/ip-address/. You have to multiply the number of LE certs by approx. 5 because they also register subdomains and don't use wildcard certs. Source: bleepingcomputer.com/news/secu

@EUCommission @letsencrypt @nlnet


@mariemini Yes, it's #spoofing. Operators have indeed been required to prevent it since last year… on landlines only → quechoisir.org/actualite-arnaq

You can try apps like Carrion → f-droid.org/fr/packages/us.spo or SpamBlocker → f-droid.org/fr/packages/spam.b but how well they work depends on your phone model, your Android version, your operator… so it's far from a guarantee.


Interesting. Hackers are mistaking Mastodon user profile account addresses for email addresses and sending fake roundcube phishing emails to the few accounts I have on my self-hosted instance in hopes of getting credentials.

"Roundcube Found Several Undelivered Messages"

I only received it because my domain has catch-all email turned on that will forward any email for email accounts that don't exist to a special email address.

The emails come from "Restoredesk.oldfriends.live <info@ecmtincinc.live>", pass SPF, IP 79.141.160.47. Link below, which is Dropbox-owned "DocSendDotCom".

Be careful if you host your own instance and have catch-all email set up and this slips past your little grey cells.