woland @woland@infosec.exchange

Let's see. When I was younger I liked telephones. A lot. I still do. That included exploring the PSTN and causing general mischief. I have a Western Electric 1D2 payphone in my bedroom. Among other hobbies... I'm an amateur radio operator, Linux user, open source supporter and electronics meddler. I admire any human who has the patience to work in infosec.

I can't really stomach the wallowing echo chamber of Twitter, so maybe this will be better.

#introductions #infosec #linux #opensource

"New SIM Card Flaw Lets Hackers Hijack Any Phone Just By Sending SMS"

Looks like SimJacker has been used for quite a while. Full report comes out in October.

"What's worrisome? A specific private company that works with governments is actively exploiting the SimJacker vulnerability from at least the last two years to conduct targeted surveillance on mobile phone users across several countries."

https://thehackernews.com/2019/09/simjacker-mobile-hacking.html

So I was watching #ITChapterTwo and there are multiple scenes with a phone number from one of the characters in the movie - 207-159-4557. That's a real Maine area code/NPA too. Called it but it doesn't go anywhere. Just disconnected. 😓

It's been a great day so far! Started sparring again (I'm an amateur boxer when not reading technical manuals) and then when I got out of the ring I checked my phone and saw I got off the waiting list for my local BSides. I'll be going to my first ever infosec/hacking conference in a few weeks! I'm excited to meet people locally.

Last night I was playing bar trivia (presented on the bar's TVs via PowerPoint) with some friends and realized the trivia company's website had some hidden directories and in them were images that they used on their slides when revealing answers for that day, which gave me the answers to all the questions. I looked at the first 3 and when I realized what they were I stopped. Didn't want to ruin the fun. Your welcome, trivia company.

I would love it if journalists could pose as law enforcement like these people did and see how many times the teclos would give over the GPS data, but of course that would be very illegal. It's scary stuff.

So generally, all you have to do to get someone's current GPS data from a telco is 1: find the telco's law enforcement outreach number, which is not difficult 2: create a fake Web site that looks like you belong to a legitimate law enforcement entity 3: call and tell the telco representative that the matter is urgent and could lead to the immediate death of someone if the info is not handed over. -- It has worked over and over again, and these are only the cases they caught.

Then there's this story out of Colorado, where another guy posing as law enforcement fooled a number of telephone giants into giving him a victim's current GPS location:

https://www.thedailybeast.com/feds-say-bounty-hunter-matthew-marre-used-suicide-hoax-to-con-verizon-t-mobile-out-of-customer-data

Over the past week there have been a few stories about telcos royally fucking up and giving out current GPS data to people posing as law enforcement. Take this article for example, where a woman was stalked by a guy who used the con on T-Mobile

https://www.vice.com/en_ca/article/8xwngb/t-mobile-put-my-life-in-danger-says-victim-of-black-market-location-data

If only more cities did this. I'm sure we could find some volunteers. "NYC has hired hackers to hit back at stalkerware -- A New York City government pilot program is bringing technologists and domestic abuse victims together for good."

https://www.technologyreview.com/s/614168/nyc-hires-hackers-to-hit-back-at-stalkerware

Hey all, just thought I'd share - Python programming bundle available from No Starch Press, check it out. For $8 I got ten books. I'm going to use Python to decode ciphers! I'm a fan of No Starch and it seems like a good deal #infosec #python

https://www.humblebundle.com/books/python-programming-no-starch-books

So, apparently users of that *one white nationalist Web site that's been in the news* moved to a P2P service and some users deicided not to use Tor or a VPN and this became a news story for Kevin Poulsen. Although I'm not really sure if the results are that interesting, tbh.

https://www.thedailybeast.com/8chan-users-migrating-to-zeronet-are-accidentally-revealing-their-locations

While hacker summer camp happens there's a bomb shell report on US election security

"Exclusive: Critical U.S. Election Systems Have Been Left Exposed Online Despite Official Denials"

https://www.vice.com/en_us/article/3kxzk9/exclusive-critical-us-election-systems-have-been-left-exposed-online-despite-official-denials

"Who Owns Your Wireless Service? Crooks Do.

"Incessantly annoying and fraudulent robocalls. Corrupt wireless company employees taking hundreds of thousands of dollars in bribes to unlock and hijack mobile phone service. Wireless providers selling real-time customer location data, despite repeated promises to the contrary. A noticeable uptick in SIM-swapping attacks that lead to multi-million dollar cyberheists."

https://krebsonsecurity.com/2019/08/who-owns-your-wireless-service-crooks-do/

The only local infosec event near me (a bsides) is doing "registration" via Eventbrite and tickets are already gone within an hour. You know, it may have been helpful to at least have announced when the tickets would become available on their official website, so I would have known to try to register at that specific time. Instead, they opted to announce that important detail via Twitter, and I don't really use Twitter all that much. Frustrating.

"You don't hack a bank across state lines from your house, you'll get nailed by the FBI​." #capitalone #infosec

Welp, that was dumb. Was she trying to create a manual on things to not do when commiting a felony? #capitalone #infosec

https://www.cnn.com/2019/07/30/business/paige-thompson-capital-one/index.html

What? The class action Web site is saying I wasn't a part of the Equifax breach. How is that even possible? Did I get lucky? Surely this must be a site error! #equifax #infosec