Posts in "infosec"

How to bypass Credit Karma's 2FA

Locked out of your Credit Karma account’s 2FA? No problem! Here’s how I can log into mine:

  1. Log in with my username and password.
  2. Try the 2FA challenge once and let it fail.
  3. Navigate to accounts.creditkarma.com.

Ta-da! I’m in. I reported this a month ago but they haven’t acknowledged it as an issue yet. If I stumbled across this, you can bet the bad guys are already using it.

2025-03-17: I report a critical vulnerability (trivial, complete 2FA bypass) to a well-known company’s security email alias. No reply.

2025-04-07: I report it again to their bug bounty program.

2025-04-09: They close it as a duplicate.

Their bug bounty program says, basically, “we never disclose reports. Don’t discuss them with anyone.”

23 days into this episode, I’m starting to weigh the responsible thing to do here.

AWS WAF now uses /64s instead of /128s for IPv6 rate-limit bucketing. That’s a huge and welcome improvement!
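To show why the /64 granularity matters, here is an added illustration (my own code, not AWS's): a toy per-client rate limiter whose IPv6 bucket key is the client's enclosing /64 rather than the full /128, run over a constructed sample of ten addresses from one subscriber allocation.

```python
import ipaddress
from collections import defaultdict

def rate_limit_key(addr: str, v6_prefix: int = 64) -> str:
    """Bucket key for rate limiting.

    IPv4 clients are keyed per address. IPv6 clients are collapsed to the
    enclosing prefix (default /64, the allocation a single subscriber usually
    gets), so rotating through the 2**64 host addresses inside one allocation
    does not yield a fresh, empty bucket for every request.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip)
    return str(ipaddress.ip_network((ip, v6_prefix), strict=False))

class RateLimiter:
    """Simple counter per bucket key (time-window handling omitted)."""

    def __init__(self, limit: int, v6_prefix: int = 64):
        self.limit = limit
        self.v6_prefix = v6_prefix
        self.counts = defaultdict(int)

    def allow(self, addr: str) -> bool:
        key = rate_limit_key(addr, self.v6_prefix)
        self.counts[key] += 1
        return self.counts[key] <= self.limit

def allowed_count(addrs, limit: int, v6_prefix: int) -> int:
    """How many of `addrs` get through a limiter of `limit` requests per bucket."""
    rl = RateLimiter(limit, v6_prefix)
    return sum(1 for a in addrs if rl.allow(a))

# Constructed sample: ten requests, each from a different host address
# inside the same /64 (2001:db8:1:2::/64).
SAMPLE_V6 = [f"2001:db8:1:2::{i:x}" for i in range(1, 11)]

if __name__ == "__main__":
    print("per /128:", allowed_count(SAMPLE_V6, 3, 128))  # 10: each address is its own bucket
    print("per /64: ", allowed_count(SAMPLE_V6, 3, 64))   # 3: the limit applies to the allocation
```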

Credit Karma stopped accepting my decade-old Google Voice phone number for 2FA. It won’t let me change to use my regular number because we were already using that for my wife’s account (which she asked me to manage for her). Their support’s idea for resolving this? Just ask Verizon for a new temporary phone number each month or so forever.

Um, no.

The coffee shop is fine

I hear too many acquaintances worry that employees might work from a coffee shop or other public network, putting their whole company at risk. So what if they do? The idea that a coffee shop’s Wi-Fi is insecure implies that there’s a mythical “secure” network that can be trusted with the company’s secrets. That’s almost never true.

Work-from-home employees are on a tame home Wi-Fi setup, right? Don’t count on it. Is their gear current? Are they sharing Wi-Fi with their neighbors? Are they using their apartment building’s network? Who’s their ISP? Although their home setup might – or might not – have fewer people on it than the local cafe’s, that doesn’t make it trustworthy.

What about the employees we coerced into returning to a legacy office and using its Wi-Fi? Oh. You mean that named network that sits around with a target on its back as belonging to important people? Unless you manage your own office, and it’s in a Faraday cage blocking all outbound or inbound radio signals, and you pretend that MAC filtering is a security feature, and all your equipment is patched with the latest security updates, and you have guards walking around with fox hunt antennas to spot rogue access points, it’s not substantially better in the ways that count. If you can read this at work, at least a few of those assumptions are likely wrong.

The idea of a “trusted network” is dead. It’s time we stop pretending. If an employee can be compromised at the coffee shop, they can be compromised at the office. We have to design our defenses as though our staff are working from the free network at DEF CON. That means making sure all employee devices and servers are patched. That all connections are encrypted, even those between internal systems. That authentication uses cryptography, not passwords. That we don’t pretend that “route all traffic” VPNs are a good idea. That we don’t rely on allowlisted IPs as a critical defense. That we don’t trust any network our employees might use, and that our systems are robust enough to endure hostile environments. Yes, even the ones we tell ourselves are safe.

And if we’re not comfortable with our coworkers typing away next to a fresh latte, it’s our responsibility to figure out what part of that bothers us and then fix it. The issues that would make that scenario dangerous affect the “secure” office, too.

The email: Click here to enhance your account’s security with two-factor authentication!

Click.

The website: Please enter your phone number to receive your access code.

Cmd-W.

When a coworker forwards you an email to ask if it looks like phishing, take a moment to publicly praise them for it. “Jane sent me an example of a new phishing campaign going around. Her instinct to let us know about it was exactly right. Thanks, Jane!” Reinforce the idea that Security has their back and will be pleasant to interact with. That’s how you get them to want to report things.

Polyfill supply chain attack hits 100K+ sites:

polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io domain. Notable users are JSTOR, Intuit and World Economic Forum. However, in February this year, a Chinese company bought the domain and the GitHub account. Since then, this domain was caught injecting malware into mobile devices via any site that embeds cdn.polyfill.io.
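As an added defender's check (my own code, not from the post or the polyfill project), the script below audits a page's external `<script>` tags for the domain named above and for missing Subresource Integrity, and computes the integrity value you would use to pin a self-hosted copy; the HTML and script bytes are constructed samples.

```python
import base64
import hashlib
import re
from html.parser import HTMLParser

FLAGGED_HOSTS = {"cdn.polyfill.io"}  # host named in the post; any script from it is reported

class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))  # attribute names arrive lowercased

def audit_scripts(html: str) -> list:
    """Report external <script> tags on a flagged host or without an integrity attribute."""
    p = _ScriptCollector()
    p.feed(html)
    findings = []
    for attrs in p.scripts:
        src = attrs.get("src") or ""
        m = re.match(r"^(?:https?:)?//([^/?#]+)", src)
        if not m:
            continue  # inline or same-origin script: not a third-party dependency
        issues = []
        if m.group(1).lower() in FLAGGED_HOSTS:
            issues.append("flagged-host")
        if "integrity" not in attrs:
            issues.append("no-sri")
        if issues:
            findings.append({"src": src, "issues": issues})
    return findings

def sri_hash(content: bytes) -> str:
    """Integrity value (sha384, base64) to pin a vendored copy of a script."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()

def sri_matches(content: bytes, integrity: str) -> bool:
    """Verify fetched bytes against one sha256/sha384/sha512 integrity token."""
    algo, _, expected = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False
    return base64.b64encode(hashlib.new(algo, content).digest()).decode() == expected

# Constructed sample page: an unpinned tag on the flagged host, a pinned third-party script, a same-origin script.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/js/app.js"></script>
</head></html>"""
```

SRI only protects a script whose bytes are stable; polyfill.io assembled bundles per User-Agent, so for that dependency the durable fix is to remove the tag or serve a vendored copy pinned with the hash above.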

This is fine.

This is interesting and dangerous. I’m trying the new macOS Sequoia Passwords app. I exported my passwords from 1Password to a CSV and imported them into the new app, then soon saw a bunch of ancient logins from old employers. What? Searching for them in 1Password found nothing.

Oh, turns out those are archived in 1Password. The normal cmd-F search doesn’t look in Archive even if you’ve selected it. The other opt-cmd-F find does.

Hope you remembered to delete the passwords that would get you beaten up.

Little Snitch 6 came out yesterday with many quality of life improvements.

It’s always the first app I install on a new Mac. New versions are no-brainer upgrades for me. I still wish it had a way to sync rulesets between Macs so that I don’t have to train each one independently.