lingo.lol is one of the many independent Mastodon servers you can use to participate in the fediverse.
A place for linguists, philologists, and other lovers of languages.

#pentesting


Hundreds of Brother printer models are affected by a critical, unpatchable vulnerability (CVE-2024-51978) that allows attackers to generate the default admin password using the device’s serial number—information that’s easily discoverable via other flaws.

748 total models across Brother, Fujifilm, Ricoh, Toshiba, and Konica Minolta are impacted, with millions of devices at risk globally.

Attackers can:
• Gain unauthenticated admin access
• Pivot to full remote code execution
• Exfiltrate credentials for LDAP, FTP, and more
• Move laterally through your network

Brother says the vulnerability cannot be fixed in firmware and requires a change in manufacturing. For now, mitigation = change the default admin password immediately.

Our pentest team regularly highlights printer security as a critical path to system compromise—and today’s news is another example that underscores this risk. This is your reminder: Printers are not “set-and-forget” devices. Treat them like any other endpoint—monitor, patch, and lock them down.

Need help testing your network for exploitable print devices? Contact us and our pentest team can help!

Read the Dark Reading article for more details on the Brother Printers vulnerability: darkreading.com/endpoint-secur

My previous intro post was a few years old, so behold, new intro post:

Mike. Live in the Seattle area having grown up in the UK as a full blown British. Have a wife (incredible), child (boy), and three dogs (golden retriever/cream retriever/fuck knows).

I work in information security, something I have done for about 20 years. By day I run corporate security, enterprise IT and various other bits and pieces for an EV charging startup. I am big into EVs and currently drive one that is not a Tesla. I want an electric motorbike, so if anyone has a spare one please send it.

I also have a company of my own, Secure Being (securebeing.com), which does pen testing and digital forensic work - it's my way of staying super hands on while still doing the management bits on the career path.

I have written books about information security things. Five of them. Two are non-fiction textbooks, and three are fiction based on real world #infosec things. Check out infosecdiaries.com and your local bookstore to find them, just search for my name. I have been trying to write more stuff, but always seem to find myself distracted by other things, such as work. linktr.ee/secureowl has some mini stories I've written.

I love radio and everything RF. I have lots of antennas and various scanners and radios on my desk. I love intercepting and decoding things, like digital radio protocols.

I am a big aviation nerd. I always wanted to be a commercial pilot. I gained my private pilot's license in the UK at 17, all self funded by my employment at the local Safeway/Morrisons store. I did the sim test and commercial assessments, but for some reason, at 18, I was unable to find the £100k needed to complete the commercial training, so I did computers. But do not worry, because those computers and love of aviation and radio/RF combined, and I run a project called ACARS Drama. acarsdrama.com has all the details.

I play guitar and am a big guitar/audio nerd as well. I record music under the moniker Operation: Anxiety, operationanxiety.com - the music is on all the normal places.

Finally, I am a massive fan of motorsport. I believe I have watched every F1 race for the last 30 years, maybe 25. I also follow F2, FE, IndyCar and MotoGP closely. I average around 18 hours of Le Mans 24 hour racing watching per year.

So there you have it. If you are looking for a thought leader on the topics mentioned above, you've come to the wrong place - because this is where I shitpost, and shitposting is cheap therapy.


Mini Pen Test Diaries Story:

During the open source enumeration phase of an external footprint test, I found a virtual machine that bore the name of the client in its NetBIOS response in Shodan.

Connecting to the machine over HTTP, I found a web app that was very relevant to the industry of the client - so I knew it was likely related.

The strange thing, however, was that Shodan was telling me NetBIOS and SMB were open (that’s how I found the machine in the first place), but I was unable to connect to it over SMB. Port scan showed closed.

I needed to figure out why Shodan was telling me one thing, but my reality was different.

The machine was hosted in Azure, so I figured I’d try rerunning my port scan from a source IP in my own Azure account, to see if I’d get a different result.

Sure enough, SMB was open when scanned from an Azure machine. They’d opened it up to any IP in Azure. No auth. Just an open file share accessible to anyone who was connecting to it from an Azure public source IP.

I reported it, and it turned out that the machine was hosted by a vendor on behalf of the client.

The vendor was insistent that my description of “public access to SMB share” was wrong, since technically it wasn’t open to the internet - just to Azure.

I then pointed out that hey, Azure is a famous example of a “public” cloud for a reason.

They fixed it.

Lesson: always try from different perspectives, such as from within the same provider's IP space; you might find what I found.

For more, slightly less mini stories like this one, check out infosecdiaries.com

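The misconfiguration in the story above (a file share that is "not public" because it is only open to every tenant of the cloud provider) is the kind of thing a defender can catch by auditing firewall rules rather than by waiting for an external tester to scan from the right place. The following is an added example, not code from the post or from Secure Being: it walks a list of Azure network security group rules in the shape of the ARM `securityRules` resource (`sourceAddressPrefix`, `destinationPortRange`, `access`, `direction`, `priority`) and flags any inbound Allow on the SMB ports whose source is the whole internet or a provider-wide service tag. The service-tag names `AzureCloud`, `Internet` and `VirtualNetwork` are real Azure tags; the rule set itself is constructed for illustration, and the decision to treat `AzureCloud` as "effectively public" is this example's judgement call.

```python
"""Audit NSG-style rules for SMB exposed to the internet or to the whole cloud.

Added example. Rules are modelled on the Azure ARM securityRules schema; the
sample rules below are constructed and do not describe any real environment.
"""
import json

# Sources that mean "anyone on the internet".
PUBLIC_SOURCES = {"*", "Internet"}
# Service tags that mean "any customer of the same provider". Regional variants
# are written AzureCloud.<Region>, so only the part before the dot is compared.
PROVIDER_WIDE_TAGS = {"AzureCloud"}
SMB_PORTS = {139, 445}


def _port_matches(port_spec, wanted):
    """True if a destination port spec ('*', '445' or '100-500') covers any wanted port."""
    if port_spec == "*":
        return True
    if "-" in port_spec:
        lo, hi = (int(p) for p in port_spec.split("-", 1))
        return any(lo <= p <= hi for p in wanted)
    return int(port_spec) in wanted


def _classify_source(prefix):
    """Return 'internet', 'provider-wide', or None for a narrower source (CIDR, VirtualNetwork...)."""
    if prefix in PUBLIC_SOURCES:
        return "internet"
    if prefix.split(".")[0] in PROVIDER_WIDE_TAGS:
        return "provider-wide"
    return None


def find_smb_exposure(rules):
    """Return one finding per (rule, broad source) that allows inbound TCP to an SMB port.

    Azure evaluates rules by ascending priority and stops at the first match, so a
    lower-numbered Deny could mask one of these Allows; this checker does not model
    that and deliberately errs toward reporting every broad Allow it sees.
    """
    findings = []
    for rule in rules:
        p = rule["properties"]
        if p.get("direction") != "Inbound" or p.get("access") != "Allow":
            continue
        if p.get("protocol", "*") not in ("*", "Tcp"):
            continue
        ports = p.get("destinationPortRanges") or [p.get("destinationPortRange", "*")]
        if not any(_port_matches(spec, SMB_PORTS) for spec in ports):
            continue
        sources = p.get("sourceAddressPrefixes") or [p.get("sourceAddressPrefix", "*")]
        for src in sources:
            scope = _classify_source(src)
            if scope:
                findings.append({"rule": rule["name"], "priority": p["priority"],
                                 "source": src, "scope": scope})
    return findings


def _rule(name, priority, access, src, ports, protocol="Tcp", **extra):
    """Build a rule dict in ARM shape; src/ports may be a string or a list."""
    props = {"priority": priority, "direction": "Inbound", "access": access,
             "protocol": protocol}
    props["sourceAddressPrefixes" if isinstance(src, list) else "sourceAddressPrefix"] = src
    props["destinationPortRanges" if isinstance(ports, list) else "destinationPortRange"] = ports
    props.update(extra)
    return {"name": name, "properties": props}


# Constructed sample rule set: one "open to all of Azure" share, one correctly
# scoped to the VNet, one web rule, one range-based rule with a stray "*" source.
SAMPLE_RULES = [
    _rule("allow-smb-from-azure", 100, "Allow", "AzureCloud", "445"),
    _rule("allow-smb-vnet", 110, "Allow", "VirtualNetwork", "445"),
    _rule("allow-web", 120, "Allow", "Internet", "443"),
    _rule("allow-fileshare-range", 130, "Allow", ["10.0.0.0/8", "*"], ["135-139", "445"]),
    _rule("deny-all-inbound", 4096, "Deny", "*", "*", protocol="*"),
]

if __name__ == "__main__":
    print(json.dumps(find_smb_exposure(SAMPLE_RULES), indent=2))
```

Run against the constructed rules, the checker reports `allow-smb-from-azure` (scope `provider-wide`) and `allow-fileshare-range` (scope `internet`, because of the `*` in its source list) and stays quiet on the VNet-scoped share. Pointing it at real rules is a matter of feeding it the `securityRules` array from an exported NSG; the same shape of check applies to any provider whose firewall lets you name the provider's own address space as a trusted source.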

🎙️✨ Here is a new Brand Story!

Guest: John Stigerwalt & Gregory Hatcher
Episode Title: No Manuals, No Shortcuts: Inside the Offensive Security Mindset at White Knight Labs

🚀 Marco Ciappelli and Sean Martin, CISSP are back — and this time, they’re chatting with the founders of White Knight Labs for their first Brand Story with ITSPmagazine!

From learning on the field to building red teams to one of the toughest certification programs — John and Greg aren’t just playing the cybersecurity game. They’re rewriting it.

They don’t believe in cookie-cutter pen tests.
They simulate real ransomware attacks.
They write their own loaders.
And they only resell products they’ve personally tested in the wild.

🔥 Passion.
🔍 Precision.
🤝 Purpose.

🎧 Listen or watch now — and meet the team that’s raising the bar for offensive security:
📺 Video Teaser: youtu.be/VdGyPFhLAvU
👉 Full Podcast: brand-stories-podcast.simpleca

📌 Learn more about White Knight Labs on their Brand Page on ITSPmagazine:
itspmagazine.com/directory/whi

🎉 Join us in welcoming White Knight Labs to the ITSPmagazine family!
We already have three more conversations scheduled with them — you won’t want to miss what’s coming next.

Be sure to follow White Knight Labs and the Brand Stories with Sean and Marco podcast to stay connected with this exciting journey.


Seriously, Broadcom... what's the deal lately? 🤯

First up, we've got CVE-2025-22230 hitting VMware Tools for Windows. This nasty bug basically lets standard users inside a VM escalate their privileges to admin level. Yikes! 😬 With a CVSS score of 7.8, you'll want to jump on this fix ASAP. It impacts versions 11.x.x and 12.x.x, so upgrading to 12.5.1 needs to be right at the top of your list!

But wait, there's more. CrushFTP is also sounding the alarm about unauthenticated access vulnerabilities lurking on HTTP(S) ports in versions 10 and 11. It's definitely time to double-check those DMZ configurations. Rapid7 has confirmed that exploits are out there, allowing unauthorized access. Pretty intense, right?

Stuff like this is a stark reminder: while automated scans have their place, they just don't cut it alone. Real-deal penetration testing is absolutely essential. Those manual checks are what uncover the sneaky issues that automated tools often breeze right past.

What's your take on this recent wave? How are you keeping your own environments locked down tight? Let's talk 👇

When I started the IC_Null channel the idea was to cover topics primarily about #cybersecurity, #hacking, #pentesting etc. from a #blind perspective. Blind as in #screenReader user, that is. But an overarching topic is showing off what jobs are (up to a point) doable for this demographic and where the obstacles are. Today's stream leans that way: we'll be looking at the premier #translation and #localization tool, Trados Studio. Supposedly they have upped their #accessibility as of late. I'll be the judge of that 💀
I'll see you all on #youtube and #twitch just under 1.5 hours from now. https://twitch.tv/ic_null youtube.com/@blindlyCoding #selfPromo #stream #trados


New On Location Coverage with Sean & Marco on ITSPmagazine

🚨 Cybersecurity in #Italy 🇮🇹 : A Niche Topic No More... 🤔

Not too long ago, if you mentioned #cybersecurity in Italy, you’d get a lot of blank stares. Today, it’s everywhere—boardrooms, government agencies, and, of course, #ITASEC, Italy’s official cybersecurity conference.

This year, #ITASEC2025 took over Bologna, bringing together researchers, policymakers, and industry leaders to discuss what’s next for digital security. AI security, regulatory shifts, #cybereducation — yes, even the Digital Operational Resilience Act (#DORA) that’s reshaping financial sector security—were all on the table.

Unfortunately I wasn’t in Italy at the time of the event, but that didn’t stop me from having a fascinating conversation with Professor Alessandro Armando, one of the key organizers and a leading voice in cybersecurity research, in this latest On Location episode. Of course, Sean Martin joined me, and we spoke about:

🔹 How cybersecurity went from an afterthought to a national priority in Italy

🔹 Why companies are (finally) realizing that #security is an #investment, not just a cost

🔹 The rise of Cyber Challenge IT—Italy’s initiative to build the next generation of cybersecurity experts

🔹 And, of course, the big reveal… ITASEC 2026 is heading to Sardinia!

📺 Watch the Full Video: youtu.be/NsdkYAYZANc

🎧 Listen to the Full Podcast: eventcoveragepodcast.com/episo

🔔 Subscribe to On Location Podcast: eventcoveragepodcast.com

Cybersecurity isn’t just about stopping threats—it’s about shaping the future of how we live, work, and trust #technology.

What’s your take? Are we heading in the right direction, or are we still playing catch-up?

#InfoSec, #CyberRisk, #AIsecurity, #CyberThreats, #CyberEducation, #CyberWorkforce, #ThreatIntel, #EthicalHacking, #PenTesting, #RiskManagement, #CyberResilience, #DataProtection, #DigitalSecurity, #CyberLaw, #TechnologyNews, #OnLocationPodcast

Alright, Go developers, listen up! 🚨 Seriously crazy stuff is happening in the Go world right now. We're talking major typosquatting issues. Attackers are slithering in and spreading malware via fake packages, can you believe it?

So, for goodness sake, pay super close attention to the names of your modules! One little typo and bam! You've got yourself a nasty infection. As a pentester, I see this kind of thing all the time, sadly. Tiny mistakes, HUGE consequences. This malware then installs a backdoor. Totally not cool, right?

Therefore, check your imports, folks! And make sure you're getting your devs trained up on security. Automated scans? Nice to have, sure, but they're absolutely no substitute for a manual pentest! What are your go-to tools for fighting this kind of attack? Oh, and yeah, IT security *has* to be in the budget, that's just the way it is.

Hey everyone, what's cooking in the open-source universe? 🤯 I just stumbled upon something that's seriously mind-blowing.

So, there's this Python library pretending to be a music tool (automslc), but get this – it's actually illegally downloading songs from Deezer! And the worst part? It turns your computer into an accomplice in a huge music piracy operation. Seriously, a digital pirate cove. 🏴‍☠️

And then there's this npm saga with @ton-wallet/create... Crypto wallet emptied, just like that! 💸

The moral of the story? Open source rocks, but blindly trusting everything is a recipe for disaster. Always double-check those dependencies! Automated scans are cool, but a real penetration test? That's pure gold. 🥇

Clients are always so appreciative when we can spot and fix this kind of stuff beforehand!

Now, I'm curious: What are your go-to methods for keeping your codebase squeaky clean and secure? Any tips or tricks you'd like to share?

True Story, bruh:

Back in the 90's people would go on about how superior emacs is as an editor. And some cheerleaders would hound me about why I "still" used (and still do today) vi... vim actually. Even for doing things like Usenet news, and the email client. Joe was in a lot of email readers, which is pretty much slobberproof, BUT...

My answer was and still is simple. I hack and break things for a living. I've never seen emacs installed on a bridge, router, or frankly any other network device. Hell, when the web came around, emacs was only rarely on those servers, either. But ed and vi are (were?) on pretty much all of them.

So that's what I learned. And my personal ecosystem and workflow is all about vi(m) and nothing about emacs.

Even though I'm a Lisp cheerleader, lol.

Do I hate emacs? No, but I do very much dislike the overpowering smell of religion that seems to permeate its very existence, like those dirty air lines fuming from the Peanuts character Pigpen.

Some call me a space cowboy. Some call me a gangsta of #Lisp :ablobdj: