PUBLIC SERVICE ANNOUNCEMENT:
There is an increase of account takeovers due to insiders at telco firms simply giving control to people paying them/compromised support staff accounts. Do a check on systems where this single factor would permit an account compromise. And change the configuration. These are opportunistic trawling attacks. This is becoming more common as attackers replicate the success.
The attacker uses other channels (like people search websites) to enumerate and guess the phone number attached to an online account and then checks against the telco they have control over.
The insider only briefly temporarily forwards the victim number to a 3rd party then switches it back to normal once they’re in. This is how they stay quiet since most victims will not have leverage or telemetry to understand how they got hacked.
It was their cell phone provider.
Make it so account recovery systems require multiple factors and remove telephony-based recovery for VIP accounts entirely.
Go check your systems now. Go try to access all your stuff like you forgot your password.
I am very serious. This is based on private knowledge but is compelled by the compromise of the SEC. This is common now.
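A way to do the check the post asks for, written here as an added example (it is not code from the poster): each account's recovery options are modelled as a set of factors per path, the audit flags any path that phone control alone can satisfy (a temporary call-forward at the carrier is enough), and the hardening step applies the two recommendations, a non-telephony factor on every path and no telephony at all for VIP accounts. The factor names and the two sample policies are constructed for the example.

```python
"""Audit account-recovery policies for single-factor telephony paths.

Added example, not the original poster's code. A "path" is the set of
factors that, presented together, unlock a password reset. If any path is
a subset of the telephony factors, control of the phone number (for
instance via a brief call-forward at the carrier) resets the account.
"""
from dataclasses import dataclass

# Factors the attacker holds once the victim's number is forwarded to them.
TELEPHONY_FACTORS = frozenset({"sms_code", "voice_call_code"})


@dataclass(frozen=True)
class RecoveryPolicy:
    account: str
    vip: bool
    paths: tuple  # tuple of frozenset[str], one per recovery option


def telephony_only_paths(policy):
    """Paths satisfiable by phone control alone (the single-factor hole)."""
    return [p for p in policy.paths if p and p <= TELEPHONY_FACTORS]


def telephony_paths(policy):
    """Paths that involve a telephony factor at all (disallowed for VIPs)."""
    return [p for p in policy.paths if p & TELEPHONY_FACTORS]


def audit(policy):
    """Return findings as strings; an empty list means the policy is acceptable."""
    findings = []
    weak = telephony_only_paths(policy)
    for p in weak:
        findings.append(f"{policy.account}: path {sorted(p)} is telephony-only; "
                        "a temporary call-forward is enough to reset the password")
    if policy.vip:
        for p in telephony_paths(policy):
            if p not in weak:  # already reported above
                findings.append(f"{policy.account}: VIP path {sorted(p)} "
                                "still relies on telephony; remove it")
    if not policy.paths:
        findings.append(f"{policy.account}: no recovery path configured")
    return findings


def harden(policy):
    """Apply the fixes: every path keeps a non-telephony factor, VIPs keep none."""
    if policy.vip:
        kept = tuple(p for p in policy.paths if not (p & TELEPHONY_FACTORS))
    else:
        kept = tuple(p for p in policy.paths if p - TELEPHONY_FACTORS)
    if not kept:
        # Dropping the weak paths must not lock the account out of recovery;
        # enrol a non-telephony factor (hardware key, recovery codes) first.
        raise ValueError(f"{policy.account}: hardening would leave no recovery path")
    return RecoveryPolicy(policy.account, policy.vip, kept)


# Constructed sample policies: an ordinary account and a VIP (executive) account.
STANDARD = RecoveryPolicy("alice", vip=False, paths=(
    frozenset({"sms_code"}),                  # phone alone resets: the hole
    frozenset({"email_link", "sms_code"}),    # phone plus mailbox: acceptable
    frozenset({"recovery_code"}),
))
VIP = RecoveryPolicy("cfo", vip=True, paths=(
    frozenset({"voice_call_code"}),           # phone alone resets: the hole
    frozenset({"email_link", "sms_code"}),    # any telephony is too much for a VIP
    frozenset({"hardware_key"}),
))

if __name__ == "__main__":
    for pol in (STANDARD, VIP):
        for line in audit(pol):
            print("FINDING:", line)
        fixed = harden(pol)
        print(f"{pol.account} after hardening:", [sorted(p) for p in fixed.paths])
        print("re-audit:", audit(fixed) or "clean")
```

Running it against a real recovery configuration means exporting each account's enabled reset options into the same factor-set shape; the re-audit after `harden` is the "try to access all your stuff like you forgot your password" check done mechanically rather than by hand.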
@InfiniteHench oh that would be cool
Finally getting back to #Takahe after mumble weeks.
Tonight, I'm hoping to work on my HTTP client consolidation.
(Basically, Fedi involves a bunch of extensions to making HTTP requests. I'm making one canonical client within Takahē so that these extensions are applied easily and consistently.)
@Alkaris @astraluma that's cheap
A few of the younger nerdy people on my discord were oo-ing and aah-ing over old ads for acoustic couplers, so I had to throw this photo in the mix.
[Media CW: Eye contact.]