earlier today 3 key recovery attacks on aes-gcm-siv were unveiled on cfrg (1st is important): https://mailarchive.ietf.org/arch/msg/cfrg/k2mpWgod4mbdOxsvN6EtXHb0BAg

more eyepyramid info, it uses a lot more third-party software than previously thought: https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner-workings-eyepyramid/

ongoing fun with manufacturer test accounts, awaiting part 2: https://research.trust.salesforce.com/Meraki-RCE-When-Red-Team-and-Vulnerability-Research-fell-in-love.-Part-1/

Jan 18, 2017 23:24
eBay still lets you embed flash content into your listings apparently, so how about some auto-downloading malware that makes it look like the official apple website: http://www.ebay.com/itm/350983607686?_trksid=p2060353.m2749.l2649&ssPageName=STRK%3AMEBIDX%3AIT

Jan 18, 2017 23:25
hackbunny posted:
> Blahblah dotnet blah DnSpy

Jan 19, 2017 00:12
fisting by many posted:
> krebs released his big expose on the mirai author
> quote:

That's quite the jump. Surprised that was enough to make the whole connection go.

Jan 19, 2017 00:56
so that's some serious circumstantial linking, but did he inform the feds or what? cause now ogmemes123123 (mods!!!!) is gonna try to wipe poo poo

Jan 19, 2017 01:07
Wiggly Wayne DDS posted:
> more eyepyramid info, it uses a lot more third-party software than previously thought: https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner-workings-eyepyramid/

dang I'm slow. apparently I have one of the most recent samples! crrr.exe, but the table at https://documents.trendmicro.com/assets/Appendix_uncovering-the-inner-workings-of-eyepyramid.pdf doesn't include the c&c url (it's still https://webdav.hidrive.strato.com/users/oncole3991 btw, and don't bother going there as the account has been deactivated), and their "notable email addresses" column is misleading, it's really the usernames of the exfiltration webdav boxes, afaict

btw thanks spankmeister and/or whoever recommended de4dot because it was a godsend. I did eventually write the code to bruteforce the string encryption/anti-debugging protection hybrid algorithm, found some of the webdav boxes used for exfiltration, and wouldn't you know one of those was still up! I'm terribly curious what's inside those files. I have to look up the exact encryption scheme used but the key and iv should simply be derived by hashing the filename

Jan 19, 2017 01:25
minecraft is serious business i guess

Jan 19, 2017 01:26
yoloer420 posted:
> DnSpy still handles vb code horribly.

dotpeek works better for now, even when decompiling vb to c#

Jan 19, 2017 01:29
eyepyramid trivia: there's some unused code related to captchas, functions to download/upload both images and text from <url>/captcha/<unique id>. the same module contains code to scrape forms from the page currently open in IE and upload them. no idea about the captcha stuff but it seems out of place. I wonder if eyepyramid is part of a larger family of malware

Jan 19, 2017 01:34
BiohazrD posted:
> eBay still lets you embed flash content into your listings apparently, so how about some auto downloading malware that makes it look like the official apple website

the shutoff date for active content in ebay listings is still over the course of may-june 2017, just like they announced at the beginning of last year

Jan 19, 2017 01:50
Rooney McNibnug posted:

Play stupid games win stupid prizes

Jan 19, 2017 01:55
hackbunny posted:
> eyepyramid trivia: there's some unused code related to captchas, functions to download/upload both images and text from <url>/captcha/<unique id>. the same module contains code to scrape forms from the page currently open in IE and upload them. no idea about the captcha stuff but it seems out of place. I wonder if eyepyramid is part of a larger family of malware

Jan 19, 2017 02:04
Wiggly Wayne DDS posted:
> from what i surmised the captcha section is a misdirect when communicating moderately sized blobs to weird domains

the code seems simply unused to me, and the "captcha" url component would go through the usual sha1 obfuscation anyway, so I'm not sure about this. and it really seems to be related to captchas, as it can for example deserialize received data to a System.Drawing.Image

unless you're talking about an older sample, I guess. crrr.exe/d3ad32bcb255e56cd2a768b3cbf6bafda88233288fc6650d0dfa3810be75f74c does nothing with it

Jan 19, 2017 02:33
hackbunny posted:
> dang I'm slow. apparently I have one of the most recent samples! crrr.exe, but the table at https://documents.trendmicro.com/assets/Appendix_uncovering-the-inner-workings-of-eyepyramid.pdf doesn't include the c&c url (it's still https://webdav.hidrive.strato.com/users/oncole3991 btw, and don't bother going there as the account has been deactivated), and their "notable email addresses" column is misleading, it's really the usernames of the exfiltration webdav boxes, afaict

While very cool, I'd recommend a lot of caution with putting any computer-linkable stuff related to you on a server that will almost certainly be part of a criminal investigation.

Jan 19, 2017 03:17
A Man With A Plan posted:
> While very cool, I'd recommend a lot of caution with putting any computer-linkable stuff related to you on a server that will almost certainly be part of a criminal investigation.

I took precautions. barring stupid mistakes I should be fine

Jan 19, 2017 03:38
hope you used log deleter v4 or they'll be able to trace you back to InterNIC and nuke your gateway

Jan 19, 2017 03:40
hackbunny posted:
> I took precautions. barring stupid mistakes I should be fine

Cool, just wanted to make sure. My secfuck of the day was some idiot sending possibly the worst phishing attempt I've ever seen to my entire alma mater. Looked like
code:

Jan 19, 2017 04:00
Luigi Thirty posted:
> even my lovely Amiga browser from a million years ago can use a modern OpenSSL library port and TLS 1.2

the current version is 12.18 which came out last year with more modern SSL/TLS

Jan 19, 2017 06:09
A Man With A Plan posted:
> Cool, just wanted to make sure. My secfuck of the day was some idiot sending possibly the worst phishing attempt I've ever seen to my entire alma mater. Looked like

Probably their account got hijacked because of easy-to-guess credentials. University email accounts are a popular target for spammers and scammers.

Jan 19, 2017 08:02
Luigi Thirty posted:
> minecraft is serious business i guess

oh my god minecraft drama is hilariously sad. there's mods that look for other mods that were made by the mod-maker's ~enemies~ and specifically nuke your game if they're installed

Jan 19, 2017 09:22
https://twitter.com/kaepora/status/821981816139747328

his lebanese passport was handwritten until early 2016

Jan 19, 2017 16:13
Get ready to DDOS while invading oil nations boys.

Jan 19, 2017 16:36
i was going to make a joke about conscription coming to cyberwar but it's already a thing

Jan 19, 2017 16:38
only iot devices are conscripted to cyberwar, regular humans are still conscripted to regular war

Jan 19, 2017 16:42
Boiled Water posted:

Would you like to know more? Servers currently unavailable, please try again later.

Jan 19, 2017 16:42
OSI bean dip posted:
> i was going to make a joke about conscription coming to cyberwar but it's already a thing

We already have "cyber reservists" here.

Jan 19, 2017 17:21
spankmeister posted:
> We already have "cyber reservists" here.

Jan 19, 2017 18:43
Bhodi posted:
> I would guess a double-digit percentage of americans would install a DARPA-designed official LOIC-type app if the new administration advocated it. Or hell, just straight up pay telecoms to install servers in their networks, it's not like they've turned down free money for doing that in the past

that's insipid. NSA already installs stuff at telecom facilities, and the reason to use residential/small business internet connections for attacks is to make attribution difficult, hard to do when parties are going right out and saying "install this poo poo that lets us run attacks from your connection"

Jan 19, 2017 18:48
Cocoa Crispies posted:
> that's insipid

I'm not saying that it's necessarily smart or subtle, but as a ham-fisted way of putting pressure on someone I could kind of see the incoming administration looking at it as cyber gunboat diplomacy

Jan 19, 2017 18:51
Bhodi posted:
> serious question? does any one government department control enough resources to create a substantial ddos? I don't even know. I know there's a lot of server farms and some have taps everywhere, but what about actual traffic generation?

seeing the goalposts on "substantial ddos" move in the last year or two, probably not, and that's okay, because no one man should have all that power, and the more minecrafters get behind bars i'm okay with that

Jan 19, 2017 19:14
OSI bean dip posted:
> https://twitter.com/kaepora/status/821981816139747328

lol that was to sign up with n26

Jan 19, 2017 19:24
Cocoa Crispies posted:
> seeing the goalposts on "substantial ddos" move in the last year or two, probably not, and that's okay, because no one man should have all that power, and the more minecrafters get behind bars i'm okay with that

Supposedly the NSA's big bajillion dollar data center has a ton of bandwidth and a supercomputer attached so it probably could idk

Jan 19, 2017 21:09
ate all the Oreos posted:
> Supposedly the NSA's big bajillion dollar data center has a ton of bandwidth and a supercomputer attached so it probably could idk

That'd all be coming off a few particular routes though, and thus be easy to block off.

Jan 19, 2017 22:12
everyone's downloading "Meitu" today, the new craze hit which is a photo app that makes you look like an anime, there's tons of news articles about it and stuff already because of how fast it took off

sadly, uh, the permissions are Not Good and it sends your IMEI data to china: https://twitter.com/FourOctets/status/821987185188478977

aaaand more: https://twitter.com/rekrom12/status/822134887226425344

Jan 19, 2017 22:23
banime

Jan 19, 2017 22:28
So it's your average analytics system that tries to get all your information to resell, then

Jan 19, 2017 22:29
owned by anime

Jan 19, 2017 22:35
Jewel posted:
> everyone's downloading "Meitu" today, the new craze hit which is a photo app that makes you look like an anime, there's tons of news articles about it and stuff already because of how fast it took off

anroid

Jan 19, 2017 23:13
BiohazrD posted:
> anroid

it does the same poo poo on ios, zdziarski was going through it on twitter earlier

Jan 19, 2017 23:22
fishmech posted:
> That'd all be coming off a few particular routes though, and thus be easy to block off.

With all that we know about NSA's hardware and software capabilities this is a super naive assumption. It's extremely likely that there are entire IoT botnets out there that have compromised control servers ready to be used by a variety of nation states. I would bet both of my testicles against a sandwich that at least 3 nation states have enough ddos capacity to take out the root nameservers.

Jan 19, 2017 23:29