this post was submitted on 07 Dec 2025
139 points (97.9% liked)

Cybersecurity


On a job application site for my local government it reveals if a specific social security has been used or not on that site. The site is very outdated.

all 32 comments
[–] stoy@lemmy.zip 83 points 1 day ago (2 children)

Here is a reminder for all US citizens.

Your social security number is simply a serial number with zero checksums or any logic built in.

If you want another valid social security number you can simply pick a number before or after your own.

The social security number was never designed to be a general ID number, and should not be used as such.

[–] bleistift2@sopuli.xyz 39 points 1 day ago

If you’d like this information told more wittily, watch CGPGrey’s video “Your Social Security Card is Insecure” (7:49).

[–] 1984@lemmy.today 1 points 10 hours ago* (last edited 9 hours ago) (1 children)

We have our birthday and 4 not-so-random numbers at least. Also, one of the numbers says if you are male or female.

[–] stoy@lemmy.zip 2 points 8 hours ago (1 children)

Here in Sweden the personal number starts with your birthday, then a serial number and finally a checksum that also indicates your gender.

If you have an even checksum digit, that indicates that you are a woman, if you have an odd checksum digit, that indicates that you are a man.

Here you can find more information: https://en.wikipedia.org/wiki/Personal_identity_number_(Sweden)
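As an added example (not part of the thread), a validator for the format linked above: the tenth digit of a Swedish personal identity number is a Luhn check digit over the first nine (YYMMDDNNN), and the linked Wikipedia article places the gender indicator in the last digit of the three-digit serial (odd for men, even for women). The sample number used for the check is a constructed test value.

```python
def parse_personnummer(pnr: str) -> tuple[str, str, str]:
    """Split a 10- or 12-digit personal identity number (optional '-' or '+'
    separator) into (YYMMDD, NNN, C). Raises ValueError on a bad shape."""
    digits = "".join(ch for ch in pnr if ch.isdigit())
    if len(digits) == 12:
        digits = digits[2:]          # drop the century of the YYYYMMDD form
    if len(digits) != 10:
        raise ValueError(f"expected 10 or 12 digits, got {pnr!r}")
    return digits[:6], digits[6:9], digits[9]


def luhn_check_digit(nine: str) -> str:
    """Luhn check digit over YYMMDDNNN: weights 2,1,2,... from the left,
    digit-sum each product, then pad the total up to the next multiple of ten."""
    total = 0
    for i, ch in enumerate(nine):
        prod = int(ch) * (2 if i % 2 == 0 else 1)
        total += prod - 9 if prod > 9 else prod   # digit sum of a two-digit product
    return str((10 - total % 10) % 10)


def is_valid(pnr: str) -> bool:
    """True when the stored check digit matches the Luhn digit of the first nine."""
    birth, serial, check = parse_personnummer(pnr)
    return luhn_check_digit(birth + serial) == check


def gender_of(pnr: str) -> str:
    """Last serial digit: odd for men, even for women (per the linked article)."""
    _, serial, _ = parse_personnummer(pnr)
    return "male" if int(serial[-1]) % 2 else "female"


if __name__ == "__main__":
    sample = "811218-9876"   # constructed test value, not a real person's number
    print(sample, "valid:", is_valid(sample), "gender:", gender_of(sample))
```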

[–] Hawk@lemmy.dbzer0.com 2 points 8 hours ago

Looks similar to Belgium.

Here it starts with your birth date, a serial number that specifies your gender (even for women, uneven for men) and a checksum.

[–] foodandart@lemmy.zip 77 points 1 day ago

001-05-1120 was the number on the fake SS cards that used to be the inserts in wallets that had a clear plastic window for your ID. It is actually a number that the SSA set aside for advertising.

I use it where any business requires a SS number to get services.

[–] eager_eagle@lemmy.world 53 points 1 day ago (2 children)

"secret question"

yup, that looks about 20y out of date

[–] PriorityMotif@lemmy.world 28 points 1 day ago (1 children)

When uploading my resume there was a little animation of a globe spinning.

[–] AmbitiousProcess@piefed.social 34 points 1 day ago (1 children)

More websites should do that. Bring back more fun throbbers! (yes, that is actually what they are called)

[–] DickFiasco@sh.itjust.works 25 points 1 day ago (1 children)

Instructions unclear, I searched for "fun throbbers" and now my browser is buried in gay porn ads.

Talk about living up to your username!

[–] LodeMike@lemmy.today 5 points 1 day ago

And all of them only apply if you're the most median white 50 year old man

[–] nymnympseudonym@piefed.social 18 points 1 day ago (1 children)

Perfect thing to mention at the interview

[–] PriorityMotif@lemmy.world 16 points 1 day ago (2 children)

We'll see if I get there, I obviously used a phony SS number because f that. I also have zero professional IT experience, just homelab stuff, building PCs, running a Lemmy instance, that kind of stuff. I know I can do the job, it's just hard to get your foot in the door. I'm considering getting CompTIA Network+

[–] nymnympseudonym@piefed.social 23 points 1 day ago (1 children)

Using a fake SSN on a job application is profoundly counterproductive.

If you don't trust them with your SSN, why are you applying?

When they try the standard background check and find you lied they will have no interest in you

[–] PriorityMotif@lemmy.world 5 points 1 day ago (2 children)

Would you hire someone for it if they willingly put their SSN into a random, sketchy, insecure-looking website? I have never had another online application ask for that.

[–] Davel23@fedia.io 21 points 1 day ago (1 children)

I can assure you they are far more interested in your ability to follow instructions than they are in your online hygiene.

[–] bjoern_tantau@swg-empire.de 7 points 1 day ago (1 children)

Well, then he dodged a massive red flag.

[–] nymnympseudonym@piefed.social 6 points 1 day ago (1 children)

Maybe they're a local government, they inherited this undocumented unmaintained system and really need help? Sounds like that's what's happening here.

It would be different if the application was for a dodgy online make money from home setup

[–] PriorityMotif@lemmy.world 3 points 1 day ago (1 children)

It seems like it's a third party, the base url is https://www.applitrack.com/ but redirects to a different url for education applications.

[–] nymnympseudonym@piefed.social 2 points 1 day ago* (last edited 1 day ago)

If it's for local government... seriously, spend 20 minutes writing up your findings & concerns about their job signup website, from the standpoint of IT security. Then just walk in person to the relevant government office with that and a copy of your resume, and ask to schedule a time to talk about the position.

If you have time to wait, the IT director or hapless Town Manager who wishes he had an IT director may well talk to you when they have a spare 20 minutes that day.

As long as you don't pick your nose or demand to work naked, IMO you'd have a solid shot at the job. Esp if most people are using the crappy online submission form.

[–] gtr@programming.dev 4 points 1 day ago

This is correct. It could even be part of the application process. I would write them an email that the obvious fake one didn't work and you'll not put your SSN on that site for security concerns. Especially not in the application phase. If they reject you for that you have dodged a bullet.

[–] y0kai@anarchist.nexus 2 points 1 day ago (1 children)

Don't get your network+! I'm working on getting mine and I don't need the competition /lh

[–] hodgepodgin@lemmy.zip 1 points 1 day ago (1 children)

Alternatively get CCNA if you want to be certified for something useful.

[–] y0kai@anarchist.nexus 1 points 1 day ago

I have the A+ and am already scheduled for the Network+ test. I still consider myself quite the noob, but am learning a lot. I will look into the CCNA, as you're not the first to mention it to me. Next on my list was Security+, however. At this point, I just want any entry-level job in IT. Or fuck... almost any job at all. Going on 6 months of unemployment here.

[–] thenumbernine@infosec.pub 9 points 1 day ago

This is CWE-204, there are loads of big companies that don't care about this. Netflix is one of them where you can enumerate registered users' email addresses from the login screen.

If you want to report this to them you can check if they have a security.txt file at https://domainhere/.well-known/security.txt where they should list the contacts to their security team.

[–] Rhaedas@fedia.io 7 points 1 day ago

Never give any info in a security error. Just say there was an error. Goes right along with the rule to sanitize any and all input. Trust no one and nothing.

[–] Hello_there@fedia.io 5 points 1 day ago (1 children)

Depends on the size of the agency. You can already guess a SSN based on the range of numbers used. If you were targeting the youngest or oldest person at a small agency you could probably get a high percent chance of getting a match.

[–] PriorityMotif@lemmy.world 2 points 1 day ago (1 children)

True, but this is all applicants as it's a third party website. So likely not a huge issue, but it does lead me to believe there are other issues with their data handling.

[–] Hello_there@fedia.io 1 points 1 day ago

Wonder if that record of SSNs that it's checking against is encrypted. That seems harder so maybe that's a step they skipped?

[–] natecox@programming.dev 4 points 1 day ago

I’m not sure how dangerous that is. They’re not coupling that warning with any other data, so all you know is that a social already exists in that system. I don’t see a way from the screenshot to gather more info around the social.

I guess if you already knew someone’s social you could query to see if they’re in the system?

Seems like they’re trying to be helpful by telling you that you already have an account, but even if this turns out to be completely safe I still wouldn’t have provided that warning just in case. “Something happened please call us” seems wiser.
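As an added example (not from the thread or from the site being discussed), the CWE-204 pattern thenumbernine names, the "just say there was an error" rule from Rhaedas, and natecox's "something happened, please call us" suggestion, in one small model of the application endpoint: a leaky handler whose response reveals whether an SSN is already on file, a uniform handler that says the same thing either way and records the duplicate for staff, and a regression check a developer can keep in the test suite. The handlers, the audit log and the enrolled record are constructed; the stored record holds only a keyed hash of the identifier, with the key assumed to live outside the database, which also speaks to Hello_there's question about whether the comparison list is protected.

```python
import hashlib
import hmac
import secrets

HMAC_KEY = secrets.token_bytes(32)   # assumed to be held outside the database
AUDIT_LOG: list[dict] = []           # constructed stand-in for server-side logging


def fingerprint(ssn: str) -> str:
    """Keyed hash of the identifier, so the lookup table never holds raw SSNs."""
    digits = ssn.replace("-", "")
    return hmac.new(HMAC_KEY, digits.encode(), hashlib.sha256).hexdigest()


# Constructed enrolled record, using the advertising number quoted in the thread.
ENROLLED = {fingerprint("001-05-1120")}


def leaky_apply(ssn: str) -> tuple[int, str]:
    """Before: status and wording differ depending on whether the SSN is on file,
    so the response is an existence oracle (CWE-204, observable discrepancy)."""
    if fingerprint(ssn) in ENROLLED:
        return 409, "This social security number has already been used on this site."
    return 200, "Application received."


def uniform_apply(ssn: str) -> tuple[int, str]:
    """After: identical status and body either way; the duplicate is noted for
    staff and followed up out of band, never reflected to the submitter."""
    if fingerprint(ssn) in ENROLLED:
        AUDIT_LOG.append({"event": "duplicate_identifier", "ref": fingerprint(ssn)[:12]})
    return 200, "Application received. If anything needs attention we will contact you."


def responses_are_uniform(handler, known: str, unknown: str) -> bool:
    """Regression check: an enrolled and an un-enrolled input must yield the same
    status and body. (Response timing is a separate channel not measured here.)"""
    return handler(known) == handler(unknown)


if __name__ == "__main__":
    for h in (leaky_apply, uniform_apply):
        print(h.__name__, "uniform:", responses_are_uniform(h, "001-05-1120", "001-05-1121"))
```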