Jerry

joined 2 years ago
 

THIS is precisely the experience I've had with #passkeys and why I didn't use them for a couple of years and only now use them where I trust there are alternative login methods still usable as fallbacks.

Passkeys are great, but every implementation I've seen seems to suck, except for MyChart (Epic).

I cannot recommend them yet for this reason.

https://www.zdnet.com/article/passkeys-wont-be-ready-for-primetime-until-google-and-other-companies-fix-this/?zdee=%5BContact.email_zdee%5D

#CyberSecurity

 

Seriously? WTF?

“Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques,” according to a copy of the lawsuit reviewed by Reuters. “The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over.”

https://www.nbcnews.com/business/business-news/lawsuit-says-clorox-hackers-got-passwords-simply-asking-rcna220313

#CyberSecurity #Ransomware #Hacking #SocialEngineering

 

Stay safe!

https://www.infosecurity-magazine.com/news/hundreds-malicious-domains/

#CyberSecurity #Spoof #AmazonPrime

 

I really like the idea of this #Lemmy community: https://feddit.online/c/dadforaminute@lemmy.world . I wish it were more active.

Most on the Fediverse can follow it at, and post to it at: @dadforaminute

Note. Those on my Friendica instance can't access lemmy.world because the 240K requests per day coming in from Lemmy instances overwhelmed the server and the database, and I had to block Lemmy. Friendica just can't handle it.

#Piefed #MBIN #dad

 

#Citibank emailed me an alert. The same bank that constantly warns me about email scams. And, yet, they misconfigured their email so it comes as a spoofed email. My email provider delivered it anyway because Citi has a "relaxed" policy in their DNS that says that EMAIL FROM A SPOOFING SERVER CAN BE DELIVERED so long as the signature passes. Yep, servers spoofing them are not a major red flag and the email should be delivered to the inbox anyway. The email provider is not to blame here.

A major bank should not do it this way.

The spoofing SMTP server check failed because the sending IP address is not authorized by Citibank's SPF record for info6.citi.com to send their email. This has been going on for years. Do you want Citibank email from a server not authorized by them to send it?

This relaxed attitude by corporations is why people get scammed.

Authentication-Results: mail.protonmail.ch; spf=fail smtp.mailfrom=info6.citi.com
Authentication-Results: mail.protonmail.ch; arc=none smtp.remote-ip=173.213.5.122

#citi #CyberSecurity #EmailSecurity

[–] Jerry@hear-me.social 0 points 2 months ago (1 children)

@rimu feddit.online also has it enabled. Fun day for #Piefed

 
  1. Hacker News, a #CyberSecurity newsletter, is sent from a domain where DMARC policy is p=none, which tells email providers, like Gmail, to deliver all email that is screaming, "I am a Hacker News spoof email sent by a POS scammer" to the intended recipient anyway. p=none means take no action, even if you know it's a scam. Spam folder optional. Email services and clients will oblige. WTF Hacker News?

  2. Hacker News is also using an insecure signature algorithm for signing their newsletter.

  3. An extremely well-known Cybersecurity expert is sending the newsletter from a domain that has no DMARC record at all, so all spoof emails claiming to be from them will be delivered. And likely this is being constantly exploited. A DMARC policy of p="reject" would have those spoof emails trashed and not delivered. But no DMARC policy means "whatever, and I don't want to know". So, spoof emails go through unstopped and no reports of abuse are being sent to this person either. And it's their job to tell us how to stay secure and not be fooled by spoof emails. WTF?

Sometimes I don't understand how things work in the world.

#HackerNews #spoofing #EmailSecurity

[–] Jerry@hear-me.social 2 points 2 months ago

OMG. It gets worse. The link in the email doesn't go back to their own domain, or even one they control. It points to a 3rd party domain owned by Tucows called name-services.com.

They are training customers to let down their guard when using the link from an email they supposedly send. A scammer can get a similar domain name to easily fool people into clicking the link since customers have been taught there's a 3rd party link.

They've done everything wrong relating to email security, and they are a web hosting company that should do everything right.

 

I received an "important email" from #Dreamhost about my domain registration. You'd think that #email security would be paramount for them.

They have no DKIM setting, so it's impossible to see if the email was tampered with in transit and if it was sent by the claimed sender. And, their DMARC policy is p=none, which tells email providers, "don't do anything special if you can't verify me".

Their dreamhostregistry.com domain is wide open for spoofing because they've configured it to be wide open for spoofing.

How can a web hosting company be so lax about email security? How can I trust emails they send to me if I have no assurance they sent it, and it wasn't modified in transit?

#Cybersecurity #DKIM #SPF #Spoofing #EmailSecurity
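
Added example (not part of the original posts): a minimal Python sketch of how a receiver turns SPF/DKIM results and a DMARC record into a delivery decision, covering the SPF-fail-but-delivered case from the Citibank post and the p=none and missing-record cases from the Hacker News and Dreamhost posts. The headers and domains are constructed, and org_domain() is a simplifying assumption that stands in for a Public Suffix List lookup.

```python
import re

def parse_auth_results(headers):
    """Return {'spf': (result, domain), 'dkim': (result, domain)}."""
    found = {}
    for header in headers:
        for part in header.split(";")[1:]:  # part 0 holds the authserv-id
            m = re.match(r"\s*(spf|dkim)=(\w+)", part)
            d = re.search(r"(?:smtp\.mailfrom|header\.d)=(?:[^\s@]*@)?([\w.-]+)", part)
            if m:
                found[m.group(1)] = (m.group(2).lower(), d.group(1).lower() if d else "")
    return found

def parse_dmarc(record):
    """Parse a DMARC TXT value into a tag dict; None when no valid record."""
    pairs = (t.split("=", 1) for t in (record or "").split(";") if "=" in t)
    tags = {k.strip().lower(): v.strip().lower() for k, v in pairs}
    return tags if tags.get("v") == "dmarc1" else None

def org_domain(domain):
    # Assumption: last two labels. Production code needs the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    if mode == "s":  # strict: exact match
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)  # relaxed

def dmarc_verdict(from_domain, headers, record):
    policy = parse_dmarc(record)
    if policy is None:
        return "no-policy: deliver"
    results = parse_auth_results(headers)
    for method, tag in (("spf", "aspf"), ("dkim", "adkim")):
        result, domain = results.get(method, ("none", ""))
        if result == "pass" and aligned(domain, from_domain, policy.get(tag, "r")):
            return "pass: deliver"  # one aligned pass is enough
    actions = {"quarantine": "fail: spam folder", "reject": "fail: reject"}
    return actions.get(policy.get("p"), "fail: deliver")  # p=none or invalid

# Constructed sample headers (example domains, not taken from the posts).
SIGNED = ["Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=info.bank.example",
          "Authentication-Results: mx.example.net; dkim=pass header.d=bank.example"]
SPOOF = ["Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=news.example",
         "Authentication-Results: mx.example.net; dkim=none"]

if __name__ == "__main__":
    for rec in ("v=DMARC1; p=reject", "v=DMARC1; p=none", None):
        print(rec, "->", dmarc_verdict("news.example", SPOOF, rec))
```

The same spoofed message is rejected only under p=reject; with p=none or no record at all, the receiver is given no instruction to stop it.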

 

TikTok videos now push infostealer malware in ClickFix attacks

"One of the videos claiming to provide instructions on how to "boost your Spotify experience instantly," has reached almost 500,000 views, with over 20,000 likes and more than 100 comments."

OMG. These are such naive people. Over 20,000 likes for a malware video! Disheartening. And I feel sorry for the real experience they've boosted.

https://www.bleepingcomputer.com/news/security/tiktok-videos-now-push-infostealer-malware-in-clickfix-attacks/

#Malware #CyberSecurity #Tiktok

[–] Jerry@hear-me.social 1 points 2 months ago

@castaway@fosstodon.org This is a great idea!

 

Putting this out there for whatever good it does.

#Email #Spam folders are a problem because they contain a mix of emails that are clearly spoofed and faked based on #SPF and #DKIM failures, along with others that maybe might, perhaps, be spam based on HTML content, language, whatever. We train people to expect Spam folders are usually wrong. But emails that fail SPF and DKIM should be taken seriously!

Email providers. Why not deal with this by either providing 2 SPAM folders or else showing emails that land in the spam folder because of the #DMARC p=quarantine policy, in red, bold letters, and with a "!!" flag, so people know to be extra cautious?

And when opened, give notices like the sending server is not authorized to send email for the sender or the from address is not authorized to be sent by the sending server.

Why not?

#CyberSecurity #Spoofing
@runbox@mastodon.social @Tutanota@mastodon.social @thunderbird@mastodon.online

[–] Jerry@hear-me.social 1 points 3 months ago

@ExperimentalGuy@programming.dev This doesn't involve security. This is just about a protocol that says a server must let you know, via one email for each rejection, that an email with your from address couldn't be delivered, regardless of whether you sent it.

It's a procedural problem.

If a spammer sends 5 million emails with your email address in the FROM: then you can expect hundreds of thousands of messages from your email provider telling you that it couldn't deliver an email, for whatever reason.

Here. Let Google explain it: https://support.google.com/mail/thread/209018675/my-sent-email-box-is-filling-up-with-bounce-emails-and-emails-i-did-not-send-my-inbox-is-fine?hl=en

[–] Jerry@hear-me.social 2 points 3 months ago (7 children)

@ikidd@lemmy.world People are not reading. You are not reading.

SPF, DKIM and DMARC are not relevant. Those are instructions to the receiving servers which are not the ones sending the bounces. The receiving server is telling the sending server, based on these DNS records, that it will not accept the message. It refuses them. Period. No bounce message.

The sending server then, as a courtesy, lets the sender know, solely based on the FROM: address, that the email could not be delivered, as one by one messages.

There are no DNS records or configurations that control this. The SMTP server follows the protocol which is to inform the FROM: address, as a courtesy, that the email was not accepted. It is the sender. It does not look at SPF, DMARC, and DKIM rules. That is only what the destination server uses.

[–] Jerry@hear-me.social 2 points 3 months ago* (last edited 3 months ago) (1 children)

@lautreg SPF and DKIM are only used by the destination IMAP or POP3 servers to see what to do when they receive the email. In this case they reject it.

The delivery failure message is coming from the sending server as a courtesy message to the sender to let them know their email was not delivered. The protocol is to tell the FROM: address that the email could not be delivered. The SMTP, sending server, doesn't look at SPF, DKIM or DMARC or any DNS records or any other configuration related to it. It simply tells you the millions of emails sent with your FROM: address could not be delivered, one by one.

People keep bringing up SPF, DKIM, and DMARC, but it's not relevant to this problem.

 

Did you know that if a spammer uses your email address as the FROM: address, which is easy to do, all the bounce messages will go to your email address? If the spammer really hates you, they will send millions of emails with your FROM: address and you will get a million bounce messages.

Can you stop this or prevent this? No

Why would a mail provider send you a bounce message, knowing you're innocent? Because that's how someone wrote the protocol back then, and nobody changes it or does it differently because ... reasons.

Does the spammer get a bounce message? Nope, not one.

Is the SMTP sending account owner whose credentials were stolen notified about bounces so they can stop the spam? Nope.

Just millions of emails sent every day to poor schlemiels who have no idea why they are getting them and who can't do anything about them.

The more I learn about the email protocols, the more I realize how terrible the design is.

#emailsecurity #spoofing #cybersecurity #spam

[–] Jerry@hear-me.social 1 points 5 months ago (1 children)

@Onurtag@lemmy.world
I didn't remove them. They were removed, and in the manage extension screen it listed 6 extensions that were removed.

[–] Jerry@hear-me.social 1 points 7 months ago

@daniel@masto.doserver.top
I've never had issues making changes, so I think it wouldn't be an issue. The caches should recognize they need updating.

[–] Jerry@hear-me.social 1 points 7 months ago

@nimi@norrebro.space
Hi,

Depending on the ISP, after making the changes, it usually takes up to 15 minutes for the changes to get distributed to all the DNS servers worldwide. It's pretty quick.

[–] Jerry@hear-me.social 1 points 7 months ago (2 children)

@daniel@masto.doserver.top
Should be able to.

[–] Jerry@hear-me.social 1 points 7 months ago

@Ruaphoc@mstdn.games
Thanks for this! This is on my list to look at this weekend. Thank you!
