kravietz @kravietz@social.privacytools.io

Major breach found in biometrics system used by banks, UK police and defence firms

Fingerprints, facial recognition and other personal information from Biostar 2 discovered on publicly accessible database
The fingerprints of over 1 million people, as well as facial recognition information, unencrypted usernames and passwords, and personal information of employees, was discovered on a publicly accessible database for a company used by the likes of the UK Metropolitan police, defence contractors and banks.
Suprema is the security company responsible for the web-based Biostar 2 biometrics lock system that allows centralised control for access to secure facilities like warehouses or office buildings. Biostar 2 uses fingerprints and facial recognition as part of its means of identifying people attempting to gain access to buildings.
Continue reading...

https://www.theguardian.com/technology/2019/aug/14/major-breach-found-in-biometrics-system-used-by-banks-uk-police-and-defence-firms https://friendica.hubup.pro/objects/174591b4e5021549e9183005cd20b1e80015a644

Ever seen an ad so accurate you think your phone is listening to you? While that's not the case, the reality is even creepier.

Here's how Google & Facebook collect your data & use it to auction you off to advertisers for profit: https://vimeo.com/352982094 https://video.buffer.com/v/5d516f99cb137e1e4e76fd38

🤔

PSA if your like me and would like to use a ROM but keep buying the wrong phones for lineage or /e/foundation. Now /e/foundation sells their own phones. They are coming out with a system where you could mail in your phones also. Here is the shop. https://e.foundation/e-pre-installed-refurbished-smartphones/

I spent all day looking for vulns in a IoT clothes dryer. What did I find?

* HTTPS to talk to backend service
* XMPP w/ STARTTLS to steam events
* Cert pinning so no MitM
* Android app obfuscated w/ no obvious backend URLs or certs
* Dryer runs an AP for initial setup w/ DHCP and HTTPS servers
* That HTTPS requires auth with a password printed on a label near the door

Best I could do was get the DHCP server to serve the same IP to every request.

Well done GE.

#defcon27 #iotvillage

My Recommended Services

Messenger: #Signal #Wire
Email: #ProtonMail #Tutanota
Search Engines: #DuckDuckGo #Qwant #Startpage
VPN: #ProtonVPN #NordVPN
Password Managers: #Bitwarden #KeePass
Browser: #Firefox #Brave #TorBrowser
SNS: #Mastodon
Cloud Storage: #Nextcloud #MEGA
Note: #StandardNotes
Encryption Software: #VeraCrypt #Cryptomator
Send File: #FirefoxSend
File Sync: #Syncthing

#Privacy #Security

~Open Source Security Tool of the Day~

#OSSTotD

Cabot is a free, open-source, self-hosted infrastructure monitoring platform that provides some of the best features of PagerDuty, Server Density, Pingdom and Nagios without their cost and complexity. 

https://github.com/arachnys/cabot/blob/master/README.md

A big step for privacy in Arizona! The state ruled that "police & govt agencies cannot obtain [a persons' online data] without a search warrant, [which] requires a showing of some criminal activity," reports @azcapmedia.

As it should be in all regions. https://azcapitoltimes.com/news/2019/07/31/court-rules-arizona-residents-have-right-to-internet-privacy/