to get you over hump day, newly published today, here is @Viss at LABScon 2025 talking about how to bug a hotel room with HomeAssistant.
https://www.sentinelone.com/labs/labscon25-replay-how-to-bug-hotel-rooms-v2-0/
The 25th Scrolls newsletter is out! Would have gotten it out last Friday but some holiday stuff got in the way. In any case, it’s here now! Check it out for the usual #indieweb, #fediverse and #infosec / #cybersecurity stuff.
https://shellsharks.com/scrolls/scroll/2026-01-21
Also worth mentioning... I usually publish these announcements from my @shellsharks@malici.ous.computer account but that GtS instance needs to be migrated at the moment so instead I'm posting from here 😁.
to get you over hump day, newly published today, here is @Viss at LABScon 2025 talking about how to bug a hotel room with HomeAssistant.
https://www.sentinelone.com/labs/labscon25-replay-how-to-bug-hotel-rooms-v2-0/
The 25th Scrolls newsletter is out! Would have gotten it out last Friday but some holiday stuff got in the way. In any case, it’s here now! Check it out for the usual #indieweb, #fediverse and #infosec / #cybersecurity stuff.
https://shellsharks.com/scrolls/scroll/2026-01-21
Also worth mentioning... I usually publish these announcements from my @shellsharks@malici.ous.computer account but that GtS instance needs to be migrated at the moment so instead I'm posting from here 😁.
Pues este comunicado de #PCComponentes sobre la noticia de ayer me parece totalmente creíble y encaja con mi experiencia y los ataques que se ven habitualmente por ahí. Resumiendo mucho lo que pasó fue un ataque automático contra su login probando combinaciones usuario/contraseña sacados de otros leaks (credential stuffing para los amigos) y para aquellos usuarios que reutilicen contraseñas previamente comprometidas pues habrán acertado.
Esto es un ejemplo más de la poca fiabilidad que le tenemos que dar a este tipo de noticias de leaks. El que intenta vender el leak lo va a exagerar para ganar más pasta o reputación y las empresas de Intel les van a dar bombo sin hacer demasiado énfasis en la veracidad del dato para vendernos su capacidad de detección.
https://www.pccomponentes.com/actualizacion-importante-oficial-seguridad-datos
Pues este comunicado de #PCComponentes sobre la noticia de ayer me parece totalmente creíble y encaja con mi experiencia y los ataques que se ven habitualmente por ahí. Resumiendo mucho lo que pasó fue un ataque automático contra su login probando combinaciones usuario/contraseña sacados de otros leaks (credential stuffing para los amigos) y para aquellos usuarios que reutilicen contraseñas previamente comprometidas pues habrán acertado.
Esto es un ejemplo más de la poca fiabilidad que le tenemos que dar a este tipo de noticias de leaks. El que intenta vender el leak lo va a exagerar para ganar más pasta o reputación y las empresas de Intel les van a dar bombo sin hacer demasiado énfasis en la veracidad del dato para vendernos su capacidad de detección.
https://www.pccomponentes.com/actualizacion-importante-oficial-seguridad-datos
Trump administration concedes DOGE team have misused your Social Security data.
If anyone has any information on the identity of the "advocacy group tyring to overturn election results in certain states” and who were secretly in contact with DOGE, the Signal is DavidGilbert.01
https://www.politico.com/news/2026/01/20/trump-musk-doge-social-security-00737245
Trump administration concedes DOGE team have misused your Social Security data.
If anyone has any information on the identity of the "advocacy group tyring to overturn election results in certain states” and who were secretly in contact with DOGE, the Signal is DavidGilbert.01
https://www.politico.com/news/2026/01/20/trump-musk-doge-social-security-00737245
New, from me: The Kimwolf Botnet is Lurking in Corporate, Govt. Networks
A new Internet-of-Things botnet called Kimwolf has spread to more than 2 million devices, forcing infected systems to participate in massive distributed denial-of-service (DDoS) attacks and to relay other malicious and abusive Internet traffic. Kimwolf’s ability to scan the local networks of compromised systems for other IoT devices to infect makes it a sobering threat to organizations, and new research reveals Kimwolf is surprisingly prevalent in government and corporate networks.
https://krebsonsecurity.com/2026/01/kimwolf-botnet-lurking-in-corporate-govt-networks/
New, from me: The Kimwolf Botnet is Lurking in Corporate, Govt. Networks
A new Internet-of-Things botnet called Kimwolf has spread to more than 2 million devices, forcing infected systems to participate in massive distributed denial-of-service (DDoS) attacks and to relay other malicious and abusive Internet traffic. Kimwolf’s ability to scan the local networks of compromised systems for other IoT devices to infect makes it a sobering threat to organizations, and new research reveals Kimwolf is surprisingly prevalent in government and corporate networks.
https://krebsonsecurity.com/2026/01/kimwolf-botnet-lurking-in-corporate-govt-networks/
New.
Cyata Research: Breaking Anthropic’s Official MCP Server https://cyata.ai/blog/cyata-research-breaking-anthropics-official-mcp-server/
mcp-server-git 2026.1.14 https://pypi.org/project/mcp-server-git/
More:
The Hacker News: Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution https://thehackernews.com/2026/01/three-flaws-in-anthropic-mcp-git-server.html @thehackernews #infosec #Anthropic #vulnerability
Quad9 has new DNS over HTTPS and DNS over TLS .mobileconfig profiles for iOS/MacOS for January 2026 <-> January 2027.
The previous profile expires today, January 20th.
The new .mobileconfig files now support MacOS >=26.1, which did not work with the previous (2025 -> 2026) files due to a breaking change introduced in MacOS 26.1.
Download the profiles here:
https://docs.quad9.net/Setup_Guides/iOS/iOS_14_and_later_%28Encrypted%29/
Remember, sharing is caring!
