#ato

Several fedi-peeps have already posted this ABC article this morn
https://www.abc.net.au/news/2025-07-28/ato-tax-office-gst-scam-billions-fraud-four-corners/105573446
& been critical of the ATO. I am not here to defend the
#ATO, & fwiw i remain deeply bitter about what they did to #RichardBoyle, but before too much more reflexive pile-on happens here, i would like to quote these four crucial paragraphs:

As the Abbott government swept to power in 2013, the ATO was moving away from this model of human verification to an automated system.
That would eventually see about 1,000 staff — or half the people in the division responsible for the GST — lose their jobs.
"I'm not sure the ATO has ever recovered from that sort of drain of knowledge and drain of skill sets," said Stephen Hathway, a liquidator currently investigating a large-scale GST fraud.
"The people [at the ATO] work really hard and diligently, but there just needs to be more of them. And there needs to be more regard to getting out there in the field and making those inquiries."
So, i suggest that one's wrath should be properly directed.

#AusPol #WhyIsLabor #HahahahaLiebs #NatsAreNuts #GreensYEAH
ABC News · The ATO learned it was being scammed, then paid out millions more to fraudsters. By Angus Grigg

Phishing - spot the differences

Even an incorrect link under the "Android App on Google Play" button is copied...

NB: in the left-hand image the Proximus logo and the language-selection button were also visible, but because I wanted to show the colour scheme at the bottom (purple horizontal bar, with the Android button bar made green by both websites) and the cybercriminals have inserted text into the fake site, I scrolled the fake page up a bit. In the third image the language button and logo are (partly) visible.

Prevent fraud, read website names from right to left: infosec.exchange/@ErikvanStrat

Replied in thread

@relishthecracker : that's make-believe.

"Wow, asymmetric encryption, even quantum-computer-proof", "military-grade", etcetera.

Right after logging in using a passkey with an unbreakably protected private key, the website sends a session cookie (or similar) to the browser - which is NOT protected like private keys. If a website (like most of them) does not log you out if your IP-address changes, such a cookie is nearly as bad as a password. And fully if the cookie never expires.

Therefore:

1️⃣ Even if attackers cannot copy private keys: if the user device is sufficiently compromised (i.e. on Android, running an accessibility service), they can take over all of the user's accounts;

2️⃣ If the user's browser is compromised, attackers can copy session cookies and use them to obtain access to accounts the user logs in to;

3️⃣ An AitM (Attacker in the Middle) using a malicious website can copy/steal authentication cookies. Such AitM attacks are possible in at least the following cases:

• A malicious third party website manages to obtain a fraudulently issued certificate (examples: infosec.exchange/@ErikvanStrat);

• An attacker obtains unauthorised write access to the website's DNS record;

• An attacker manages to obtain access to a server where a "dangling" (forgotten) subdomain name points to, *AND* the real authenticating server (RP) does not carefully check for allowed subdomains (see github.com/w3ctag/design-revie);

4️⃣ The server is compromised or has a rogue admin: the attacker can add their passkey's public key to your account, or replace your public key with theirs (note that passkey pubkeys are not encapsulated by certificates issued by trusted issuers, stating who owns the public key).

Phishing using fake websites is probably the number one problem on the internet. *THE* major advantage of passkeys is that they make phishing attacks VERY HARD.

Indeed, if your device is sufficiently compromised, the risk of all of your passwords being stolen if you use a password manager is BIG.

However, as I wrote, if your device is sufficiently compromised, an attacker does not need access to your private keys in order to obtain access to your accounts.

@oliversampson @kaye

Infosec Exchange · Erik van Straten (@ErikvanStraten@infosec.exchange)
🌘DV-CERT MIS-ISSUANCE INCIDENTS🌒 🧵#3/3
Note: this list (in reverse chronological order) is probably incomplete; please respond if you know of additional incidents!
2024-07-31 "Sitting Ducks" attacks/DNS hijacks: mis-issued certificates for possibly more than 35.000 domains by Let’s Encrypt and DigiCert: https://blogs.infoblox.com/threat-intelligence/who-knew-domain-hijacking-is-so-easy/ (src: https://www.bleepingcomputer.com/news/security/sitting-ducks-dns-attacks-let-hackers-hijack-over-35-000-domains/)
2024-07-23 Let's Encrypt mis-issued 34 certificates, revokes 27 for dydx.exchange: see 🧵#2/3 in this series of toots
2023-11-03 jabber.ru MitMed/AitMed in German hosting center https://notes.valdikss.org.ru/jabber.ru-mitm/
2023-11-01 KlaySwap and Celer Bridge BGP hijacks described https://www.certik.com/resources/blog/1NHvPnvZ8EUjVVs4KZ4L8h-bgp-hijacking-how-hackers-circumvent-internet-routing-security-to-tear-the
2023-09-01 Biggest BGP Incidents/BGP-hijacks/BGP hijacks https://blog.lacnic.net/en/routing/a-brief-history-of-the-internets-biggest-bgp-incidents
2022-09-22 BGP-hijack mis-issued GoGetSSL DV certificate https://arstechnica.com/information-technology/2022/09/how-3-hours-of-inaction-from-amazon-cost-cryptocurrency-holders-235000/
2022-09-09 Celer Bridge incident analysis https://www.coinbase.com/en-nl/blog/celer-bridge-incident-analysis
2022-02-16 Crypto Exchange KLAYswap Loses $1.9M After BGP Hijack https://www.bankinfosecurity.com/crypto-exchange-klayswap-loses-19m-after-bgp-hijack-a-18518
🌘BACKGROUND INFO🌒
2024-08-01 "Cloudflare once again comes under pressure for enabling abusive sites" (Dan Goodin - Aug 1, 2024) https://arstechnica.com/security/2024/07/cloudflare-once-again-comes-under-pressure-for-enabling-abusive-sites/
2018-08-15 Usenix-18: "Bamboozling Certificate Authorities with BGP" https://www.usenix.org/conference/usenixsecurity18/presentation/birge-lee
Edited 2024-09-05 14:19 UTC: corrected the link for the "jabber.ru" incident.
#DV #LE #LetsEncrypt #Certificates #Certs #Misissuance #Mis_issuance #Revocation #Revoked #Weaknessess #WeakCertificates #WeakAuthentication #Authentication #Impersonation #Identification #Infosec #DNS #DNSHijacks #SquareSpace #Authorization #UnauthorizedChanges #UnauthorizedModifications #DeFi #dydx_exchange #CryptoCoins
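The post above argues that a session cookie issued after a passkey login is "nearly as bad as a password" when the server neither expires it nor notices that it is being replayed from a different network. The following server-side session store is an added example (not code from the post or from any product it mentions); it assumes a hypothetical `SessionStore` API and uses client IP as the binding attribute.

```python
import hmac
import secrets

# Hypothetical in-memory session store written for this page. It shows the
# two server-side controls the post says are usually missing: an expiry
# (absolute and idle), and a check that the client presenting the cookie
# looks like the client it was issued to. Times are plain integer seconds.
ABSOLUTE_LIFETIME = 8 * 3600   # a session dies after this, no matter what
IDLE_TIMEOUT = 15 * 60         # ...or after this much inactivity


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def issue(self, user, client_ip, now):
        """Create a session after a successful (e.g. passkey) login."""
        token = secrets.token_urlsafe(32)   # the value sent in the cookie
        self._sessions[token] = {
            "user": user, "ip": client_ip, "issued": now, "last_seen": now,
        }
        return token

    def validate(self, token, client_ip, now):
        """Return (user, reason); user is None when the cookie is rejected."""
        sess = self._sessions.get(token)
        if sess is None:
            return None, "unknown-token"
        if now - sess["issued"] > ABSOLUTE_LIFETIME:
            self._sessions.pop(token)
            return None, "expired"
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            self._sessions.pop(token)
            return None, "idle-timeout"
        # Constant-time compare, so a rejected probe leaks nothing about
        # how much of the stored value matched.
        if not hmac.compare_digest(sess["ip"], client_ip):
            # A cookie replayed from another network is treated as stolen:
            # the whole session is revoked, not just this one request.
            self._sessions.pop(token)
            return None, "ip-mismatch"
        sess["last_seen"] = now
        return sess["user"], "ok"
```

IP binding is coarse (mobile users change address legitimately); the same `validate` structure works with any per-client attribute the server can observe, such as a TLS channel binding, where one is available.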

Australians paid over $298 billion in income tax last year, yet 139 millionaires paid nothing. They legally dodged tax through deductions, while everyday workers shouldered the burden. This isn't just a loophole—it's a systemic failure. We need a fair tax system that holds the ultra-wealthy accountable.

#auspol #taxjustice #inequality #ATO #taxtherich

amp.9news.com.au/article/5af03

9News · Australians paid more than a quarter of a trillion in income tax, but dozens of millionaires didn't pay a cent. By Daniel Jeffrey
Replied in thread

@tychotithonus : thank you for responding. I'm not trying to be aggressive but to make the internet safer.

In your original toot, you wrote: "It's comforting to know that I'm significantly protected from these attempts" while showing phishing messages.

From blog.talosintelligence.com/how (a year ago):
"In the latest Cisco Talos Incident Response Quarterly Trends report, instances related to multi-factor authentication (MFA) were involved in nearly half of all security incidents that our team responded to in the first quarter of 2024".

From my own research I know that the number of phishing-sites is exploding. PhaaS makes it easy to take over accounts where weak MFA is used.

The more people use weak MFA, the more of these sorts of attacks we'll be seeing. IOW, the security of weak MFA (TOTP, SMS, number matching) will decrease over time (it has since Alex Weinert wrote this in 2019: techcommunity.microsoft.com/bl).

Furthermore, from the page referenced by you, meta.wikimedia.org/wiki/Stewar:
"Testing this service may result in the loss of your access and is not recommended for inexperienced users."

TOTP effectively means a unique strong (server-supplied) password per account that people cannot possibly remember. A TOTP app simply is a disguised password manager.

There have been lots of incidents where people lost access to multiple MFA-protected accounts because they lost access to the shared secrets on their phones. Nobody tells people to make sure that backups are made of such secrets, let alone in a secure and privacy-respecting manner.

Note: a lot of TOTP apps had serious security issues a couple of years ago, as documented by Conor Gilsenan et al. in usenix.org/conference/usenixse (source: infosec.exchange/@conorgil/109). I doubt that things have significantly improved (Authy was really bad, and at the time, Google's app blocked backups of the shared secrets).

Here's, IMO, way better advice: use a password manager that checks the domain name. Use it to generate long random passwords, and make sure that its (encrypted) database is backed up after every change you make.

I wrote about the caveats of password managers in, for example, infosec.exchange/@ErikvanStrat.

Recommending people to use TOTP because they use weak passwords is a bad idea IMO: you effectively make them use a password manager (which a TOTP app is, while it does not check domain names) instead of solving the primary problem: weak passwords.

@conorgil

Cisco Talos Blog · How are attackers trying to bypass MFA? Exploring trends on how attackers are trying to manipulate and bypass MFA, as well as when/how attackers will try their 'push-spray' MFA attacks
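Two posts on this page make the same point from different sides: the Proximus phishing post says to read website names from right to left, and the post above says a password manager is only better than a TOTP app because it checks the domain name. The following is an added example (not code from either post or from any password manager) of that check: it reads a host name from the right to find the registrable domain and only offers a saved credential when that domain matches. The tiny `PUBLIC_SUFFIXES` table is constructed for the demonstration; a real implementation loads the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List
# (publicsuffix.org). Only the entries needed for the examples are present.
PUBLIC_SUFFIXES = {"be", "nl", "com", "co.uk", "exchange"}


def registrable_domain(host):
    """Read the host name from right to left: the public suffix plus the one
    label in front of it is the part the site owner actually registered.
    Everything further left is chosen freely by whoever controls that part."""
    if not host:
        return None
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    # Suffix not in the table: fall back to the last two labels.
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def should_autofill(saved_url, current_url):
    """Decide, the way a domain-checking password manager does, whether the
    credential saved for saved_url may be offered on current_url."""
    saved, cur = urlsplit(saved_url), urlsplit(current_url)
    if cur.scheme != "https":
        return False                      # never hand a secret to a plaintext page
    return registrable_domain(saved.hostname) == registrable_domain(cur.hostname)
```

A look-alike such as `proximus.be.secure-login.example` starts with the real brand when read left to right, but right-to-left it resolves to `secure-login.example`, so the saved credential is withheld.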

Proofpoint cloud threat researchers have recently uncovered an account takeover (ATO) campaign weaponizing TeamFiltration, a pentesting framework designed to assist cybersecurity practitioners in testing and improving defense solutions.

Attackers leverage Microsoft Teams API and globally distributed Amazon Web Services (AWS) servers for greater speed and efficiency, allowing for automating the tedious work of user enumeration and password spraying for both efficacy and stealth.

So far, over 80,000 user accounts across roughly 100 cloud tenants have been targeted.

Read the full campaign analysis here: brnw.ch/21wTk3G

Proofpoint · Attackers Unleash TeamFiltration: Account Takeover Campaign (UNK_SneakyStrike) Leverages Popular Pentesting Tool | Proofpoint US. Key takeaways: Proofpoint threat researchers have recently uncovered an active account takeover (ATO) campaign, tracked as UNK_SneakyStrike, using the TeamFiltration pentesting
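The campaign described above automates password spraying: many accounts, one or two guesses each, so that no single account trips a lockout threshold. The detector below is an added example (not from Proofpoint's report) that runs over constructed sign-in log lines in a simplified `timestamp ip account result` format and flags a source that failed against many distinct accounts with few attempts per account, reporting any account where the spray then succeeded.

```python
from collections import defaultdict

# Constructed sign-in log lines (not from the Proofpoint report). Each line:
# <timestamp> <source IP> <target account> <SUCCESS|FAILURE>.
SAMPLE_LOG = """\
2025-06-10T08:00:01Z 198.51.100.7 alice@example.com FAILURE
2025-06-10T08:00:03Z 198.51.100.7 bob@example.com FAILURE
2025-06-10T08:00:05Z 198.51.100.7 carol@example.com FAILURE
2025-06-10T08:00:07Z 198.51.100.7 dave@example.com FAILURE
2025-06-10T08:00:09Z 198.51.100.7 erin@example.com SUCCESS
2025-06-10T08:00:11Z 198.51.100.7 frank@example.com FAILURE
2025-06-10T08:01:00Z 203.0.113.9 alice@example.com FAILURE
2025-06-10T08:01:20Z 203.0.113.9 alice@example.com FAILURE
2025-06-10T08:01:40Z 203.0.113.9 alice@example.com SUCCESS
"""


def parse(log_text):
    """Yield (timestamp, ip, account, result) for each log line."""
    for line in log_text.splitlines():
        ts, ip, account, result = line.split()
        yield ts, ip, account, result


def detect_spray(log_text, min_targets=5, max_per_account=2):
    """Return {ip: {"targets": n, "succeeded": [accounts]}} for every source
    that hit at least min_targets distinct accounts while never exceeding
    max_per_account attempts on any one of them. The second source in the
    sample (three tries on one account) is a brute-force pattern, not a
    spray, and is deliberately not reported here."""
    attempts = defaultdict(lambda: defaultdict(int))
    successes = defaultdict(set)
    for _, ip, account, result in parse(log_text):
        attempts[ip][account] += 1
        if result == "SUCCESS":
            successes[ip].add(account)
    hits = {}
    for ip, per_account in attempts.items():
        if len(per_account) >= min_targets and max(per_account.values()) <= max_per_account:
            hits[ip] = {"targets": len(per_account), "succeeded": sorted(successes[ip])}
    return hits
```

A SUCCESS inside a flagged spray is the line to act on first: it is the account the campaign took over, and it should be reviewed and its sessions revoked before the rest of the spray is triaged.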

If as reported by Independantaustralia.net :
“Inflation declined again in April to 2.34%, making three consecutive monthly falls and nine months within the Reserve Bank’s optimum band between 2% and 3%. That’s the best run since monthly records have been kept.

Core inflation was 2.8%, within the optimum band for the fifth consecutive month. Interest rates were cut again in May to 3.85%, with further reductions likely soon.”

WHY then, pray tell, has my #HELP debt increased by 3.2% on 01Jun25?
Is #StudentDebt meant to turn a #Proffit ?

WTF? I can’t wait to find out what seemingly arbitrary #CPI increase my #pension will deserve this new financial year.