Basecamp Briefing: June 20th 🏔️
#InfoSec + #DataPrivacy news along with tools and resources for your professional climb. https://open.substack.com/pub/sherpaintelligence/p/basecamp-briefing-june-20th?r=272cku&utm_campaign=post&utm_medium=web&showWelcomeOnShare=true

Facial recognition profiles you without asking — airports, stores, streets.

AI Blocker is a nose strip with an adversarial camo pattern that scrambles the nose-bridge point cameras trust most. Looks like an ordinary strip. 5 for $19.99 → aiblkr.com

#privacy #FacialRecognition #surveillance #AntiSurveillance #infosec #privacyMatters #fediverse

Every week a new provider gets breached and user credentials leak. Stop using email+password combos for privacy tools.

I built Celestride to use passwordless OTP only. No passwords stored = nothing to leak. Your traffic is fully masked via VLESS-Reality to bypass DPI.

Try it out: https://celestride.pro
#infosec #cybersecurity #privacy #passwordless #VPN

Security Advisory: CVE-2025-60471 - Use-After-Free in GPAC MP4Box PID Reconfiguration

Processing a crafted MPEG-2 TS file with MP4Box `-info` can trigger a heap use-after-free in `gf_filter_pid_reconfigure_task_discard()`, causing a crash and potential code execution.

Summary:
The `gf_filter_pid_reconfigure_task_discard()` function in `filter_core/filter_pid.c` can access a freed `pid_inst` structure during PID reconfiguration task disposal. When MP4Box processes a specially crafted MPEG-2 Transport Stream file containing broken PMT descriptors, missing packet sync markers, unsupported stream types, and invalid packet data, a PID instance can be freed by `gf_filter_pid_inst_swap_delete()` and later accessed in `gf_filter_pid_reconfigure_task_discard()`.

AddressSanitizer reports a `heap-use-after-free` at `filter_core/filter_pid.c:1341`, with a `READ of size 8` from a freed 336-byte heap region.

CWE:
CWE-416 - Use After Free

Affected Component:
```
filter_core/filter_pid.c:1341
Function: gf_filter_pid_reconfigure_task_discard()
```

Affected Product:
MP4Box (GPAC Multimedia Open Source Project)

Affected Version:
The issue was reproduced on:
```
GPAC version: 2.5-DEV-rev1557-g62714f27c-master
Commit: 62714f27c64a3d1eb7e880f9eed2d38673cb43ce
```

The MITRE response states that GPAC Project/MP4Box before `26.02.0` is affected. Local MITRE data also describes affected GPAC MP4Box 2.4 and earlier, including development branches that contain the vulnerable PID reconfiguration lifecycle handling.
Builds before the fix commit `868c6801c226e9964cace54cfd5a759f152780b4` should be considered affected if they contain the vulnerable path.

Attack Conditions:
An attacker supplies a crafted MPEG-2 TS file with corrupted PMT descriptors and invalid packet data. The issue can be reproduced locally with:
```
./MP4Box -info 31_gf_filter_pid_reconfigure_task_discard_filter_core_filter_pid_c_1341
```

No elevated privileges are required. User interaction is required when the victim manually processes the malicious file, or an automated media workflow invokes MP4Box on attacker-controlled input.

Impact:
The immediate observed impact is Denial of Service due to process termination. Because the vulnerability is a heap use-after-free, memory corruption and potential arbitrary code execution are possible.

Fix / mitigation status:
The issue was fixed in GPAC commit:
```
868c6801c226e9964cace54cfd5a759f152780b4
```
Users should update to a GPAC build containing this commit or later. The affected filter PID reconfiguration path should ensure that PID instance lifetime is valid before task discard logic accesses the object.

References:

- Issue: https://github.com/gpac/gpac/issues/3279
- PoC: https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/31/31_gf_filter_pid_reconfigure_task_discard_filter_core_filter_pid_c_1341
- Fix: https://github.com/gpac/gpac/commit/868c6801c226e9964cace54cfd5a759f152780b4
- CVE record: https://www.cve.org/CVERecord?id=CVE-2025-60471

Credit
Alexander A. Shvedov (@sigdevel)

#fuzzing #infosec #security #aflplusplus #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #media #gpac

🚨 CVE-2026-47717: Dive into my deep technical analysis of the FUXA SCADA API logic flaw that allows unauthenticated attackers to leak critical project configurations and operational data.

Read the full analysis here: 👇 https://denizhalil.com/2026/06/19/cve-2026-47717-fuxa-scada-data-disclosure/

#SCADA #infosec

One more time. This is an important read if you have any of the mentioned connected brands. Notice the part about "as long as it remains plugged into a wall socket and connected to a local network."

"These streaming boxes typically bundle or come pre-installed with software that turns the user’s TV into a 'residential proxy' — allowing anyone to route their Internet traffic through that device for as long as it remains plugged into a wall socket and connected to a local network."

KrebsonSecurity, from yesterday: ‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm https://krebsonsecurity.com/2026/06/popa-botnet-linked-to-publicly-traded-israeli-firm/ @briankrebs #infosec #botnet #privacy #malware

BeenVerified has your address, phone number, relatives, and court records — searchable by anyone. Today's guide walks you through removing it in about 5 minutes. https://indigoprivacy.com/subscribe #privacy #databrokers #optout #infosec #indigoprivacy

The day quantum computers break the first cryptographic key I'm gonna go full rampage and publicly name and shame all the snarky folks who identify themselves with the "QC/is/bullshit" gender. I am taking notes on my list, mind you. Your name is there as well.

Revenge is best served at 0.02 Kelvin.

#crypto #cryptography #infosec #quantum #quantumcomputing #qc #drama #humor

Lightweight Asymmetric Encryption for C2 Implants — from XOR to Rabin KEM

Why Rabin beats RSA for implants: ~60 lines of pure C, no external deps, no heavy constants, provably as hard as factoring.

Covers the full crypto pipeline: XOR → AES-CTR → Rabin key encapsulation, with a working Python toolkit.

https://medium.com/@alfred.abston/lightweight-asymmetric-encryption-for-c2-implants-a-red-teamers-guide-from-xor-to-rabin-42e9b6b275d6

#redteam #infosec #malware #pentesting #crypto #cybersecurity

🆕 New event added: @hopeconf

📌 HOPE
📅 Aug 14-16, 2026
📍 New York (NY) 🇺🇸
🔗 https://www.hope.net

#infosec #cybersecurity #conference #USA

Recently I blogged about the dangers posed by “harvest now, decrypt later” in relationship to quantum cryptography, and I even released a tool to assess local and remote systems running SSH and HTTPS. Now I have a new blog post where I outline configuration settings for servers running OpenSSH and NGINX to address the threat. The threat is small, but eventually your boss will ask and you can say “we already took care of it”.

https://www.markloveless.net/blog/2026/6/18/quantum-safe-openssh-and-openssl

#security #infosec #quantum #Cryptography

Who did this https://www.cbc.ca/news/canada/newfoundland-labrador/nlhs-phishing-email-9.7238374 #Infosec #Phishing

I'm sure this has done the rounds but I am catching up with things after being offline for a few days.

tl;dr: FIFA's RBAC controls implemented client side inc. streaming controls and live scores portals

> It wasn't just read access. The Streaming Management panel had full controls. Start, stop, schedule. For every match. Every camera angle.

> "Update Live Stats" with a rich text editor, match time, match score fields, and an "Edit and Publish" button

Dang.

#InfoSec

https://bobdahacker.com/blog/fifa-hack

New.

Recorded Future: State Digital Surveillance Risk Landscape https://www.recordedfuture.com/research/state-digital-surveillance-risk-landscape #infosec #surveillance #privacy

Zerion 2.0.3 is now live on F-Droid, Play Store and GitHub. This is our most stable release yet.

What’s in it: reliable voice calls in both directions, video calls as opt-in beta, faster startup, and lower battery use during sync.

F-Droid: https://f-droid.org/packages/com.professor.zerion
GitHub: https://github.com/zerionproject/Zerion/releases/latest
Play Store: https://play.google.com/store/apps/details?id=com.professor.zerion

#fdroid #foss #privacy #tor #android #encryption #p2p #opensource #infosec #grapheneos

Most people don't know Google has a free tool to remove your home address, phone number, and email from Search results. It's called Results About You (myaccount.google.com/results-about-you). It monitors for new matches and lets you request removal with one click. https://indigoprivacy.com/subscribe #privacy #Google #databrokers #infosec #indigoprivacy

This dumb password rule is from Credit Agricole.

* Login is a predefined 11 digits long identifier that you can not change
* Password is a 6 digits long identifier that you need to input using your mouse

https://dumbpasswordrules.com/sites/credit-agricole/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

NEW by me:

One threat actor demanded $50 million from Novo Nordisk. Another one demanded $25 million. Neither got paid.

Two different groups tried to extort Novo Nordisk at around the same time. Novo Nordisk strung them both along, and then went dark.

Data leaks followed.

https://databreaches.net/2026/06/16/one-threat-actor-demanded-50-million-from-novo-nordisk-another-one-demanded-25-million-neither-got-paid/

#NovoNordisk #FulcrumSec #TheUSERS007 #hackandleak #extortion #AI #databreach #infosec #cybersecurity

@campuscodi @euroinfosec @jgreig @lorenzofb @ajvicens @amvinfe

✈️ New Blog Post: Your Boarding Pass Is a Skeleton Key. Frontier Airlines Doesn't Care.

Frontier's mobile API returns full passport numbers, home addresses, children's DOB, credit card details, and KTNs for any booking. The only auth? A PNR and last name. Printed on every boarding pass.

Reported March 3rd. 105 days later, still live. They fixed the least important vuln and ghosted me on the rest. They also updated the website code and somehow made the leaks worse.

Full writeup: https://bobdahacker.com/blog/frontier-airlines-hack

#InfoSec #BugBounty #ResponsibleDisclosure #FrontierAirlines #Security #CyberSecurity #Privacy #Aviation #PCIDSS #DataExposure

New.

SprySOCKS used to be a "Linux-only backdoor."

ESET: FishMonger’s arsenal upgraded: SprySOCKS for Windows https://www.welivesecurity.com/en/eset-research/fishmongers-arsenal-upgraded-sprysocks-windows/ @ESETresearch #infosec #threatresearch #Windows #Microsoft #cybercrime #Linux #malware

I've done it! After literal months of work, I've finally finished my (rather long) blog post about how AES-GCM works and how it's security guarantees can be completely broken when a nonce is reused:

https://frereit.de/aes_gcm/

It includes more than 10 interactive widgets for you to try out AES-GCM, GHASH and the nonce reuse attack right in your browser! (Powered by #RustLang and #WASM )

If you're interested in #cryptography , #math (or #maths ) or #infosec you might find it interesting.

If you do read it, I'm all ears for feedback and criticism!

⚽ New Blog Post: I Could've Rickrolled the Entire FIFA World Cup. All I Needed Was My ID.

Registered on FIFA's public Agent Platform, got added to their Entra tenant, and accessed the Streaming Management panel for every live World Cup 2026 match. RTMP ingest URLs, stream keys, all five camera angles. Confirmed live in VLC. An attacker could have replaced live camera feeds on TV worldwide.

Full writeup: https://bobdahacker.com/blog/fifa-hack

#InfoSec #BugBounty #ResponsibleDisclosure #FIFA #WorldCup #Security #CyberSecurity #RTMP #BrokenAccessControl

hey so. looking for a job (NZ or fully remote willing to hire a kiwi) in SRE, security, or linux/Unix system administration. 15 years experience administering Linux and Unix boxes, intermediate level of experience working with docker compose and containerisation and container security. No prior job experience unfortunately, all those 15 years were mostly personal projects and small-scale stuff for friends. I'm also 26, so I started when I was 11, explaining the no jobs so far. Currently running an entire multi-machine personal cloud infrastructure with a demonstration of all the services I have running at https://status.highenergymagic.net. Three machines, 72 docker containers. One running most of them, one running Mastodon+glitchsocial, one running the uptime monitor. encrypted root on ZFS, alpine linux, gVisor on supported containers, plan to move to Kata. Entirely willing to accept entry-level job placements, no expectation of being paid a lot or anything, just want to be doing something and move the needle a little on my current "being broke" status. Currently using gVisor, docker compose, and kata containers in production, experience with Linux, docker, Net/Open/FreeBSD, Cisco IOS, Juniper Junos, Mikrotik and UniFi, configuring and administering Asterisk, plus extensive experience with IBM AIX and Sun Solaris. #fedihired #infosec #cybersecurity #linux #unix #docker #sre #DevOps #GetFediHired

Please boost for reach, any job offers please DM me.

Someone mentioned in passing during a meeting in work today that "going passwordless is inevitable" and that using biometrics and facial scanning to sign in to accounts will be necessary.

I work in the data protection office (the GDPR kind), so I'm begging please someone tell me this is not true.. 😩

#GDPR #DataProtection #biometrics #InfoSec

The most interesting thing about the new SearchLeak attack on Microsoft 365 Copilot isn't any single bug. It's that none of the three pieces was dangerous on its own. Varonis combined a prompt injection via a URL parameter, an HTML rendering race condition, and a server-side request forgery in Bing's image search. Each of these is a common bug that security teams usually consider minor. But when you put them together with a Copilot that can access your mailbox, OneDrive, and SharePoint, they create a critical flaw. Microsoft has since patched this issue (CVE-2026-42824).

This is how the attack worked:

* The victim clicks a link. That's the whole interaction. They type nothing.

* The link instructs Copilot to search the mailbox, find sensitive information such as access codes, and place it into an image URL.

* Bing retrieves that image, which sends the stolen data to the attacker's server. Bing serves as the delivery service, allowing the attack to bypass the content security policy intended to stop it.

From the user's perspective, Copilot just pauses for a moment. There is no visible sign that any data has been taken.

In the past, we've spent years rating bugs by their severity on their own. An SSRF here, an HTML injection there—each seemed minor. But when an AI assistant can follow instructions from untrusted input and access your real data, those minor bugs become much more serious. Old types of vulnerabilities become important again in this new context.

If your company uses Copilot or any AI assistant that can access company data, it is important to ask your team how they are rating bugs that affect it. The way we judge what is low risk has changed.

https://www.bleepingcomputer.com/news/security/new-attack-turned-microsoft-365-copilot-into-1-click-data-theft-tool/

#AI #Cybersecurity #InfoSec #security #privacy #cloud #AttackChain

🚀 Registrations are OPEN for our Introduction to Security 2026 course! A free, hands-on, 14-week cybersecurity course to learn how to attack and defend real systems in your own cyber range.
https://cybersecurity.bsy.fel.cvut.cz/

#infosec #mooc #training #cybersecurity

I know not everyone is interested in digital privacy or security.

And even when you are interested, it can be hard to know where to start.

So I wrote a small wiki section with beginner-friendly notes and checklists about things like:

* passwords and 2FA
* email security
* phone privacy
* browser privacy
* home lab security
* social media safety
* privacy communities

It is not meant to be perfect or expert-level. It is a practical starting point for learning, improving habits, and making digital life a bit safer.

https://wiki.error-404.cc

#Privacy #DigitalPrivacy #CyberSecurity #InfoSec #SelfHosting #DigitalRights

American Express ordered to fix security gaps after a customer complained about improper employee access.

It seems that a customer reported a privacy concern and fought AmEx for 4 years to get them to implement stronger access controls or monitoring of employee access to data.

Now, the AU govt has ordered AmEx to rectify security flaws in five of its data systems to guard against “insider threats” and to restrict employee access to specific customer information to protect vulnerable and high-profile customers.

See: https://www.oaic.gov.au/news/media-centre/australian-privacy-commissioner-orders-american-express-australia-limited-to-compensate-complainant-following-interference-in-privacy

and:

https://www.oaic.gov.au/__data/assets/pdf_file/0031/264919/Report-of-investigation-into-AMEX.pdf

h/t, @TheAge (paywalled):
https://www.theage.com.au/business/banking-and-finance/american-express-ordered-to-fix-security-gaps-after-customer-was-spied-on-20260612-p606ei.html

#AmEx #AmericanExpress #insiderthreat #accesscontrols #logging #enforcement #privacy #FinSec #infosec

InfoSec question: my spouse is proposing to buy and install a Blink camera. I understand that Ring sold its soul to Flock/ice, at least for a while. I have seen Blink and Ring mentioned in the same sentence, but haven't seen anything definitive on Blink sharing data. Do any of you know about the data safety of using a Blink camera?

#Infosec

hey so. looking for a job (NZ or fully remote willing to hire a kiwi) in SRE, security, or linux/Unix system administration. 15 years experience administering Linux and Unix boxes, intermediate level of experience working with docker compose and containerisation and container security. No prior job experience unfortunately, all those 15 years were mostly personal projects and small-scale stuff for friends. I'm also 26, so I started when I was 11, explaining the no jobs so far. Currently running an entire multi-machine personal cloud infrastructure with a demonstration of all the services I have running at https://status.highenergymagic.net. Three machines, 72 docker containers. One running most of them, one running Mastodon+glitchsocial, one running the uptime monitor. encrypted root on ZFS, alpine linux, gVisor on supported containers, plan to move to Kata. Entirely willing to accept entry-level job placements, no expectation of being paid a lot or anything, just want to be doing something and move the needle a little on my current "being broke" status. Currently using gVisor, docker compose, and kata containers in production, experience with Linux, docker, Net/Open/FreeBSD, Cisco IOS, Juniper Junos, Mikrotik and UniFi, configuring and administering Asterisk, plus extensive experience with IBM AIX and Sun Solaris. #fedihired #infosec #cybersecurity #linux #unix #docker #sre #DevOps #GetFediHired

Please boost for reach, any job offers please DM me.

A source wants to reach you safely. With most messengers that starts with a problem: they need your phone number, you get theirs, and a server in the middle logs that you two talked.

Zerion skips all of that. You share a QR code or link, the connection runs device to device over Tor, and no record of the contact exists outside your two phones.

Source code and protocol docs are public. Verify before you trust: https://github.com/zerionproject/Zerion

#journalism #infosec #privacy #tor

People who have been around the tech world longer than I have: I've been reading for a while how some people seem to feel like the industry peaked somewhere in the 2000s and that it all went downhill from there.

There was one hype after the next and people just kept on jumping on the bandwagon because everyone was doing it. I've read this sentiment about containers, Kubernetes, the Cloud in general but there are probably more.

Do you feel that LLMs are more of the same of this or does this feel qualitatively different? If so, how? I'm trying to find some perspective in all this as I haven't been around the block for long enough to have it myself.

Boosts appreciated.

#ai #llms #infosec #technology #kubernetes #cloud

This dumb password rule is from Alibaba.

- At least 2 uppercase letters
- Plus 2 lowercase letters
- Plus 2 numbers
- Plus 2 punctuation marks

Phew, too many rules, because why not, if [Ma thinks AI stands for Alibaba Intelligence](https://www.youtube.com/watch?v=f3lUEnMaiAU),
then password rules can be equally intelligent too.

Also, ...

https://dumbpasswordrules.com/sites/alibaba/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

PSA regarding a change in how Secure Boot will work in Fedora soon. The change isn't urgent, but it is something you should take a look at.

If you have any questions about this, please ask in our forum. 🙏

➡️ https://fedoramagazine.org/expiration-of-microsoft-secure-boot-keys/

Forum: https://discussion.fedoraproject.org/c/ask/6

#Fedora #Linux #OpenSource #Cybersecurity #InfoSec #SecureBoot

#tech #technology #BigTech #data #security #privacy #safety #InfoSec #IT #surveillance #computing #digital #online #internet #web #cloud #meme

Alt...

Meme, showing a continuous circle of data breach messages from corporations… Ahaha you're not gonna believe this but we had a bit of a data breach. Your data is probably for sale online now. That means someone could easily impersonate you. Going forward we're gonna need more of your data to make sure its you.

ATT limited some tracking. Meta Pixel was a workaround. Fingerprinting is another one — and it doesn't need any permissions at all. While this isn't limited to just iOS — Android can be mined as well, Loupe is an open source iOS app that shows you the raw data your phone hands out by default. The third tier of signals is genuinely creepy.

https://blog.ppb1701.com/what-your-phone-is-handing-out-before-youve-said-a-word

#privacy #fingerprinting #adtech #apple #android #bigtech #ios #tracking #userhostile #infosec #metapixel #blog

#Github Security Advisories program is struggling under the load of new submissions. Delays in CVE assignment up to a month are being reported. Apparently, May 2026 was the highest volume month ever, and they are working through a backlog.

source: https://www.openwall.com/lists/oss-security/2026/06/10/9

It is not very hard to figure out what is going on: The amount of AI-assisted reports is flooding the systems. Considering the asymmetric nature of the situation (limited human resources processing increasing number of reports), it is unlikely the it is getting any better soon.

If just tracking and assigning issues is getting this hard, it can't bode well for actually fixing and patching them.

#infosec #cybersecurity