VRed

739 posts

@RedmanCyber

Computer Nerd. Studying behavioral #gametheory as it pertains to Cyber Threat Intel and Cyber Ops Strategy. Follow/RT/Like != endorsement. Opinions are my own.

United States · Joined September 2014
896 Following · 233 Followers

VRed retweeted
BSides Las Vegas (@BSidesLV):
Did you know, Las Vegas locals and students qualify for discounted badge rates? Locals and students can get a BSidesLV badge for $35. More information is available online in the FAQ: bsideslv.org/registration

VRed retweeted
BSides Las Vegas (@BSidesLV):
No stage fright? No problem! Mentor speakers at BSidesLV Proving Ground to navigate the unpredictable currents of audience engagement. pretalx.com/security-bside…

VRed retweeted
BSides Las Vegas (@BSidesLV):
Submitting a talk to the BSidesLV Proving Ground is like nothing else in the industry. Get help from a dedicated mentor who has speaking experience to help make your first talk experience amazing! pretalx.com/security-bside…

VRed retweeted
LaurieWired (@lauriewired):
The term “Hacker” originated from a bunch of MIT students obsessed with model trains. In the late 1950s, the Tech Model Railroad Club was split into two primary factions:
- Knife and Paintbrush
- Signals and Power (S&P)
S&P played fast and loose; disliking authority.

VRed retweeted
BSides Las Vegas (@BSidesLV):
Calling all cybersecurity sages! Share your wisdom and become a Proving Ground mentor for the betterment of all. Proving Ground Call for Mentors pretalx.com/security-bside…

VRed retweeted
Jennifer Shahade (@JenShahade):
My latest: on Game Theory, mixed strategies, and my attempts to solve a weird three-handed toy game. (Link in next post)

VRed retweeted
BSides Las Vegas (@BSidesLV):
Got a brilliant presentation idea but terrified of your first talk? We've got your back! Submit a talk to our mentored speaking program at Proving Ground and rock that stage like a seasoned pro. pretalx.com/security-bside…

VRed retweeted
Black Hills Information Security (@BHinfoSecurity):
INFOSEC CONTENT CREATORS! Do you have a YouTube channel, Twitch stream, blog, magazine, or anything else where you share your knowledge and insights on cybersecurity, please drop the link in the comments. We want to help you find more people to help. We're all in this together!

VRed retweeted
vx-underground (@vxunderground):
T-Mobile has confirmed they've been compromised (again). This time it was slightly different — they were compromised by Chinese state-sponsored Threat Actors. The United States Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) put out a statement regarding the matter on November 13th. This makes this the 9th time T-Mobile (or a T-Mobile partner) has been compromised since 2019. We've actually lost count on the number of compromises, but thankfully @BleepinComputer has archived and/or documented them really well. Our hearts go out to the cybersecurity employees at T-Mobile. Following some of the more recent breaches we became familiar with some of the employees there and the difference they're trying to make with the organization. We wholeheartedly believe they're trying to improve the security posture of the organization... but APT Salt Typhoon a/k/a UNC2286 is a heavy hitter and is no joke.

VRed retweeted
Kenyon Review (@kenyonreview):
Applications for the KR Developmental Editing Fellowship for Emerging Writers open November 1st! Learn all about this opportunity, 2024's fellows, and eligibility requirements here: kenyonreview.org/fellowship/dev…

VRed retweeted
gabsmashh (@gabsmashh):
you've heard of MITRE ATT&CK, but what about ATLAS? ATLAS is one of the matrices managed by the team at MITRE. it stands for Adversarial Threat Landscape for Artificial Intelligence Systems & maps adversarial TTPs that are specific to AI-enabled systems! api.cyfluencer.com/s/understand-a…

VRed retweeted
Teneika Askew | Analytics & Automation:
InfoSec Institute is offering $5K (full scholarships!) to attend their LIVE bootcamps in Security+, CISM, CISA, Cloud, AWS, Azure, PMP, ITIL, CGRC, Pentest+ and a lot more! 🎊 You'll also receive practice exam attempts, an exam voucher, and recordings to the boot camp.

VRed (@RedmanCyber):
@fr0gger_ I also like to include an intel/susceptibility assessment that includes all compensating and mitigating controls so there isn't an overemphasis on EDR.

VRed (@RedmanCyber):
@IanColdwater I am constantly explaining to people that so much of this roller coaster is put together with duct tape. Wait until they see what an actual vulnerability management program looks like and not just the theoretical model. Or any program (including TPRM and BCP) for that matter.

VRed retweeted
BlackRoomSec (@blackroomsec):
Please share this far and wide. As far and wide as you can.

NIST Password Guidelines for 2024 are in the process of being updated. This is a HUGE pet-peeve of mine (when vendors in particular are still operating like it's 2017 and keep changing passwords every 60 days, STOP DOING THIS, it's outdated and has been shown to put you MORE at risk than less -- NIST explains why it does in this document, meticulously outlining user behavior**) so I'm sharing this in the hopes all of you will pass it along to your bosses.

The Special Publication series governing passwords is SP 800-63 "Digital Identity Guidelines". The 2024 version is 800-63-4. Here: pages.nist.gov/800-63-4/

The companion docs are also on that link. They are 800-63A, 800-63B and 800-63C. These are different documents for different scenarios in play at your org.

The previous update was in 2020. The changes in the 2020 version from the 2017 version were numerous but one of them was that the password verification method should NO LONGER require passwords be changed at specific intervals (i.e. every 60 days) but in the following circumstances instead:
1. After a breach/compromise
2. User request

2024 repeats this and adds a bunch more guidelines but here is a screenshot of page 13 of the new 800-63-4 (note the # 4 after it) which outlines how your systems should now and moving forward, be handling passwords.

This goes for Active Directory, too. All your systems which have passwords should align with these guidelines provided there isn't another standard or framework you must adhere to which overrules this. Most frameworks, however, have moved away from arbitrary password resets and complexity rules.

**We cybersec researchers and hackers use wordlists from breaches in a variety of different ways. Hackers use them in tooling to crack passwords whereas researchers use breach dumps to see the kinds of passwords users are creating and the psychology behind them.

Using complexity rules gets you the user psychology of:
Password1
Password2
and so on

Use phrasing instead and allow for spaces, which is important. Humans type phrases with spaces.

They also mention phish-resistant methods and most vendors are on-board with MS going to be turning off all Legacy Auth next month, across all free accounts and tenancies.

I'm so excited for the new changes! Ok I'm off my soapbox. Share the love! Thank you!

VRed retweeted
Today In Infosec (@todayininfosec):
1947: An error in the Mark II computer at Harvard University was due to a moth trapped in a relay. The moth was attached to the log book with notation "first actual case of bug being found." Yes, that's the actual moth taped to the log. Best. Bug. Report. Evah!

VRed retweeted
Florian Roth ⚡️ (@cyb3rops):
I always tell people interested in TI and DFIR that books and the tools/methods they describe are just half the journey.

Most of what I've learned about threat actors - their methods, tools, and techniques - came from reading threat reports.

While I started by extracting IOCs and creating YARA / Sigma rules, the insights gained along the way are invaluable.

No week-long training or seminar can teach you what you get from reading 250 threat reports

Quoting Florian Roth ⚡️ (@cyb3rops):
The best way to learn how real threat actors operate is to read the many published threat reports on their activity
- DFIR Report: thedfirreport.com
- APT Groups and Operations: docs.google.com/spreadsheets/d…
- ORKL: orkl.eu/sources
I’ll add more links in the replies 🧵

VRed retweeted
Helen (of Tor) (@h313n_0f_t0r):
PSA—if ur old enough to have used Kali when it was known as BackTrack then u should probably start prioritizing ur cardiovascular health