apropos man
Sep 5, 2016

You get a hundred and forty one thousand years and you're out in eight!
I think either would be good. Just thought I'd mention the alternative brand in case anyone finds them local or something.

I had a little read up about how Fido/U2F works this morning and tbh I'm still slightly bewitched by it, but if these things are only performing a public key encryption calculation on the details being sent to them before spitting it back then I can't see that there's much to go wrong apart from the keyring clip breaking.

One site I read seemed to suggest that a master private key was stored in the fido device and another site suggested that private keys were server-side. Then I gave up reading :11tea:

some kinda jackal
Feb 25, 2003

My biggest issue with this is that it's unlikely to ever be properly supported in Safari and I'm way too lazy to switch to Chrome or compile plugins and switch user agent strings on a per-site basis to hack this into working.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
Just another reminder that AV vendors are (generally) idiots.

https://twitter.com/taviso/status/816373947109228546

hobbesmaster
Jan 28, 2008

OSI bean dip posted:

Just another reminder that AV vendors are (generally) idiots.

https://twitter.com/taviso/status/816373947109228546

Now I really want to know what their fix was

I suspect it wasn't "turn off the 'feature'"

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

33-bit fingerprint.

apseudonym
Feb 25, 2011

OSI bean dip posted:

Just another reminder that AV vendors are (generally) idiots.

https://twitter.com/taviso/status/816373947109228546

Yet more ammunition for my "MitMs are bad never MiTM" crusade. Stop MiTMing god dammit.

Having written something that does similar caching (for an attack tool so the certs shouldn't be trusted in the first place, but it runs on a router and needs to not be generating certs constantly) this made me laugh. It's kind of annoying to do the caching correctly with alt names and friends but not very hard.

madmatt112
Jul 11, 2016

Is that a cat in your pants, or are you just a lonely excuse for an adult?

Hi all - fun request for y'all.

I need to infect myself with a bot - any bot - so I can analyse it using Snort and practice creating rules and signatures.
Yes, this is for a class. Yes, I want to get infected. Yes I'm using a VM. No I'm not asking you to do my homework - the assignment is the analyzing and signature-creation, not the actual infection.
Surprisingly, I can find tons of "ARE YOU INFECTED - Find out here!" articles, and almost as many "Plx buy botnet C&C software for 5 gorillion bitcoins" sites - neither of which I'm looking for.

Does anyone know where (or ... how) I could intentionally infect myself?

Thanks all for taking the time to read.

Trabisnikof
Dec 24, 2005

madmatt112 posted:

Hi all - fun request for y'all.

I need to infect myself with a bot - any bot - so I can analyse it using Snort and practice creating rules and signatures.
Yes, this is for a class. Yes, I want to get infected. Yes I'm using a VM. No I'm not asking you to do my homework - the assignment is the analyzing and signature-creation, not the actual infection.
Surprisingly, I can find tons of "ARE YOU INFECTED - Find out here!" articles, and almost as many "Plx buy botnet C&C software for 5 gorillion bitcoins" sites - neither of which I'm looking for.

Does anyone know where (or ... how) I could intentionally infect myself?

Thanks all for taking the time to read.

If your assignment is the analysis and signature-creation why doesn't your assignment include sources on acquiring something to analyze?

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

madmatt112 posted:

Hi all - fun request for y'all.

I need to infect myself with a bot - any bot - so I can analyse it using Snort and practice creating rules and signatures.
Yes, this is for a class. Yes, I want to get infected. Yes I'm using a VM. No I'm not asking you to do my homework - the assignment is the analyzing and signature-creation, not the actual infection.
Surprisingly, I can find tons of "ARE YOU INFECTED - Find out here!" articles, and almost as many "Plx buy botnet C&C software for 5 gorillion bitcoins" sites - neither of which I'm looking for.

Does anyone know where (or ... how) I could intentionally infect myself?

Thanks all for taking the time to read.

Just download Netbus or something and use something simple. You can create a Snort signature based on traffic going to and from its management port, etc and it's old as hell so it'll be worth a laugh.

https://avcaesar.malware.lu/sample/search?query=netbus

But your course seems inadequate and should be giving you something to work on. What school is this?

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

madmatt112 posted:

Hi all - fun request for y'all.

I need to infect myself with a bot - any bot - so I can analyse it using Snort and practice creating rules and signatures.
Yes, this is for a class. Yes, I want to get infected. Yes I'm using a VM. No I'm not asking you to do my homework - the assignment is the analyzing and signature-creation, not the actual infection.
Surprisingly, I can find tons of "ARE YOU INFECTED - Find out here!" articles, and almost as many "Plx buy botnet C&C software for 5 gorillion bitcoins" sites - neither of which I'm looking for.

Does anyone know where (or ... how) I could intentionally infect myself?

Thanks all for taking the time to read.

Find a sketchy cracks/warez site and just download and install everything you can. I guarantee you'll be chock full of something before the end of an hour's time.

Mustache Ride
Sep 11, 2001



How about the leaked Mirai botnet source?

https://github.com/jgamblin/Mirai-Source-Code

Or just go on virustotal and find a botnet. You can download off of there if you sign up for an account, I think.

some kinda jackal
Feb 25, 2003

I put up a honeypot and a surprising amount of bots just downloaded themselves right from github. If you want something that's out in the wild right now then just forward port 22 of a linux VM to your WAN IP, set the password to root/root and enjoy.

Sitting in IRC C&C channels and making fun of nerds was fun for a few days until I realized I could spend my time more productively.

some kinda jackal fucked around with this message at 22:58 on Jan 10, 2017

Ham Sandwiches
Jul 7, 2000

Some of these replies are pretty ugh coming from IT security professionals. The suggestion is to put up a VM and hope it gets infected? :psyduck: Or downloading Mirai from Github?

If you google around for malware samples, you can find malware samples. So I googled latest bot samples and got a result for Trickbot with this writeup
https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/

Which led to this hash
https://virustotal.com/en/file/2c4eab037c37b55780cce28e48d930faa60879045208ae4b64631bb7a2f4cb2a/analysis/

Which led to this site
https://www.hybrid-analysis.com/sample/2c4eab037c37b55780cce28e48d930faa60879045208ae4b64631bb7a2f4cb2a?environmentId=100

Which lets you download the sample (bot/malware) if you register an account.
Here's another writeup that describes what the malware does:
https://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot

Then you can run it in your VM and see if you can find the same indicators.

You can try that for other malware that has a writeup, find the writeup, find the hash, google the hash, see if you can DL the sample.

[edit]Here's a list of a bunch of sites that offer malware samples and how access works:
https://zeltser.com/malware-sample-sources/

Ham Sandwiches fucked around with this message at 23:13 on Jan 11, 2017

hobbesmaster
Jan 28, 2008

Putting up a VM and waiting for it to be infected is the funniest solution, therefore it is actually the best.

CLAM DOWN
Feb 13, 2007




Better yet, put up a public facing VM and post the IP itt

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Repost vulnerabilities that allow malware to escape containment ITT, the antivirus ones are always funny

RFC2324
Jun 7, 2012

http 418

CLAM DOWN posted:

Better yet, put up a public facing VM and post the IP itt

He wants viruses, not 100gb of goatse

Platystemon
Feb 13, 2012

BREADS
My address is 0:0:0:0:0:0:0:1.

Hit me with everything you’ve got.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Platystemon posted:

My address is 0:0:0:0:0:0:0:1.

Hit me with everything you’ve got.

This but unironically: 127.234.43.124

some kinda jackal
Feb 25, 2003

I never said it was the best method, but honeypotting was interesting and fun, so .. v:unsmith:v

Double Punctuation
Dec 30, 2009

Ships were made for sinking;
Whiskey made for drinking;
If we were made of cellophane
We'd all get stinking drunk much faster!

Cup Runneth Over posted:

This but unironically: 127.234.43.124

Great ping on that address. It's almost as if that machine is right next to me.

unknown
Nov 16, 2002
Ain't got no stinking title yet!


Anyone got recommendations/horror stories on cloud SSO providers? (eg: onelogin, bitium, etc)

Was just asked about it from someone that's running Gsuite and wants to do some auth integration against it, but gear doesn't directly support it (this is to do 802.1x auth - they've seen the light about wifi).

RFC2324
Jun 7, 2012

http 418

Double Punctuation posted:

Great ping on that address. It's almost as if that machine is right next to me.

I like how the quote remembered the original value I got and not the new one it should have.

Maybe not, just oddly similar.

RFC2324 fucked around with this message at 21:34 on Jan 13, 2017

Internet Explorer
Jun 1, 2005





Back on the topic of AV and whether you should have it or not, saw an interesting article on Ars today - https://arstechnica.com/information-technology/2017/01/antivirus-is-bad/

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Internet Explorer posted:

Back on the topic of AV and whether you should have it or not, saw an interesting article on Ars today - https://arstechnica.com/information-technology/2017/01/antivirus-is-bad/

Pretty much on the mark with the linked Mozilla thread:
https://groups.google.com/forum/#!msg/mozilla.dev.platform/Bh8U0DLHrCc/IRbEMFFNC9wJ

quote:

I don't think of these A/V vendors as our "partners" --- they do all kinds
of crazy things to our product that hurt our users and for which we get
blamed, and they rarely tell us what they're doing (as far as I know). We
find out through crash-stats (when they're not suppressing it), or other
tools if we're lucky, and have fun times reverse-engineering their code. If
they're our partners, we're in an abusive relationship.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Mozilla is where I developed my hardened hatred for AV as software artifacts.

That said, I don't think Microsoft's offering ever hosed us.

ExcessBLarg!
Sep 1, 2001
Wasn't this basically the consensus when Windows Defender came out ten years ago?

Jowj
Dec 25, 2010

My favourite player and idol. His battles with his wrists mirror my own battles with the constant disgust I feel towards my zerg bugs.
I've got questions regarding powershell use as a company that has to pay a great deal of attention to potential attacks. I work in sysops. Our infosec team is trying to get powershell (as an interactive console) blocked via our AV in order to reduce risk if we get attacked.

1) My understanding is: this is stupid. If we get to a point where someone has gained shell access then we have hosed up somewhere else. Is my understanding wrong?

2) This hinders some adhoc troubleshooting. I've explained this to our infosec team but they aren't swayed.

3) I've explained that blocking powershell but allowing custom .net/c# execution is: hilarious but still no change. This isn't really an argument against blocking powershell so much as an argument against their current policy set, but still.

Am I on the wrong side here? I know bits and pieces about security but obviously it isn't my field professionally so I'm trying to find more information. Is there existing literature on this that I should trust? If I'm right, and blocking powershell console access on servers is silly, how should I approach the infosec team to get them to change their minds and policy?

apseudonym
Feb 25, 2011

Jowj posted:

I've got questions regarding powershell use as a company that has to pay a great deal of attention to potential attacks. I work in sysops. Our infosec team is trying to get powershell (as an interactive console) blocked via our AV in order to reduce risk if we get attacked.

1) My understanding is: this is stupid. If we get to a point where someone has gained shell access then we have hosed up somewhere else. Is my understanding wrong?

2) This hinders some adhoc troubleshooting. I've explained this to our infosec team but they aren't swayed.

3) I've explained that blocking powershell but allowing custom .net/c# execution is: hilarious but still no change. This isn't really an argument against blocking powershell so much as an argument against their current policy set, but still.

Am I on the wrong side here? I know bits and pieces about security but obviously it isn't my field professionally so I'm trying to find more information. Is there existing literature on this that I should trust? If I'm right, and blocking powershell console access on servers is silly, how should I approach the infosec team to get them to change their minds and policy?

You are correct and they are being dumb and hurting productivity without giving any useful increase in security.


As for convincing them they're wrong? Good luck.

keseph
Oct 21, 2010

beep bawk boop bawk

Jowj posted:

Am I on the wrong side here? I know bits and pieces about security but obviously it isn't my field professionally so I'm trying to find more information. Is there existing literature on this that I should trust? If I'm right, and blocking powershell console access on servers is silly, how should I approach the infosec team to get them to change their minds and policy?

Every time I've seen this it's someone who doesn't understand what they're looking at who sees the PowerShell Remoting GPO option, which has a warning on it, and immediately panics. Meanwhile, they leave RDP open globally because that's how it's always been. If the Sec team doesn't actually understand credential theft, then what you're doing is exposing their incompetence, so you have to approach them like any other VIP who will instantly go into teacup-dictator survival mode when provoked.

Pile Of Garbage
May 28, 2007



If I was Red Team and wanted to try and elevate privilege the first thing I would look for is a Scheduled Task configured to run a PowerShell script in the context of a privileged service account. Then I would see if I can edit the script referenced by the task. I'd reckon that 9/10 times the NTFS permissions on the .ps1 file would allow an unprivileged user to edit it. Depending on how privileged the service account is you can cause some serious havoc.

If you're running PS scripts via Scheduled Tasks either set up signing and/or lock down NTFS permissions on the script files themselves.

Also deploying WMF 5.0 to your fleet is beneficial as you can then enable auditing for PowerShell on endpoints. Not exactly a security feature but does provide a good source for monitoring.

Edit: whilst I'm here I want to say that disabling Windows Firewall on servers is the dumbest loving thing ever unless you have reason to do so (Performance usually the thing).

Pile Of Garbage fucked around with this message at 16:31 on Feb 2, 2017

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

If you're super-paranoid about powershell you can configure the execution policy through policy to straight up block it, or only run signed scripts. I'm guessing this will have plenty of unintentional effects with all the internal background stuff the OS comes with out of the box that runs in the task scheduler.

Pile Of Garbage
May 28, 2007



With Server 2012 R2 and later the default PowerShell execution policy is RemoteSigned which will prevent unsigned scripts from running. Scripts for other Microsoft products such as Exchange are already signed to accommodate this configuration. As far as I can tell no Microsoft products including Windows will attempt to run a ps1 via Scheduled Task. Realistically the only thing which the default execution policy interferes with is flesh and blood admins.

Best practice would be to set up a jumphost with a modified execution policy for admins to work from. In addition installing WMF 5.0 and configuring PS auditing would help for oversight.

Maneki Neko
Oct 27, 2000

BangersInMyKnickers posted:

If you're super-paranoid about powershell you can configure the execution policy through policy to straight up block it, or only run signed scripts. I'm guessing this will have plenty of unintentional effects with all the internal background stuff the OS comes out of box that runs in the task scheduler.

If you're talking about the powershell execution policy, Microsoft has always said it's never meant to be a security control as there's a squillion ways to bypass it.

https://blogs.msdn.microsoft.com/powershell/2008/09/30/powershells-security-guiding-principles/

https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/

Pile Of Garbage
May 28, 2007



Like most things on Windows the best way to limit exploitation is to enforce RBAC and ensure that privileged accounts cannot be misused. The commands executed by a PS instance are only as powerful as the context in which they are executed.

wyoak
Feb 14, 2005

a glass case of emotion

Fallen Rib
Execution policy isn't really an effective security boundary. And yeah blocking the powershell console is really only going to limit legitimate productivity, there are tons of ways to run powershell code without the console.

Pile Of Garbage
May 28, 2007



Preventing the malicious usage of PS scripts is the same as preventing malicious usage of any software. As I said, enforce RBAC policy, limit your privileged surface area and ensure that auditing is enabled. A PS script is only as powerful as the context in which it is executed.

CLAM DOWN
Feb 13, 2007




cheese-cube posted:

Edit: whilst I'm here I want to say that disabling Windows Firewall on servers is the dumbest loving thing ever unless you have reason to do so (Performance usually the thing).

Performance impact is very little too, even on heavy load machines. It's really dumb.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Maneki Neko posted:

If you're talking about the powershell execution policy, Microsoft has always said it's never meant to be a security control as there's a squillion ways to bypass it.

https://blogs.msdn.microsoft.com/powershell/2008/09/30/powershells-security-guiding-principles/

https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/

If you are enforcing execution policy as restricted or signed through policy, you've pretty effectively minimized your chance of using the task scheduler to elevate regardless of these workarounds. It's a system value, so you're going to need admin to modify it so it's anything but the default for all new shells, and if you already have admin then you don't really care about powershell anyway. Those workarounds will allow you to invoke scripts as your current user context in spite of the execution policy, but things launched out of the task scheduler are still going to honor your execution policy unless you do something with admin rights which, again, that's already game over. The typical elevation attack is to modify scripts in the task scheduler running with your arbitrary code and then wait for them to launch and boom, you're in. If you're enforcing signing, those scripts will not launch after you've touched them unless you re-signed and you aren't able to modify the execution policy that task scheduler defaults to without admin rights. That is a security control and it does work.
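A defender-side audit for the weakness cheese-cube and BangersInMyKnickers describe above (a Scheduled Task running a .ps1 that non-admins can edit, with signing not enforced), added here as an example and not code from any poster; it assumes Windows 8 / Server 2012 or later (ScheduledTasks module) and an elevated session so every task and ACL is readable:

```powershell
# Added example (not from the thread): list Scheduled Tasks that launch
# powershell.exe with "-File <script>.ps1" and report, per task, the account it
# runs as, whether broad groups can write the script, whether the script is
# Authenticode-signed, and which execution policy Group Policy enforces.

# Identities whose write access to a task's script should count as a finding.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a caller change or replace the script contents.
$WriteRights = [System.Security.AccessControl.FileSystemRights] 'WriteData, AppendData, Delete, TakeOwnership, ChangePermissions'

function Get-BroadWriters {
    param([string]$Path)
    # Return the broad identities holding an Allow ACE with write-capable rights.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) { $ace.IdentityReference.Value }
    }
}

function Get-PowerShellTaskAudit {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only Exec actions carry Execute; skip anything that is not powershell/pwsh.
            if (-not $action.Execute -or $action.Execute -notmatch '(powershell|pwsh)(\.exe)?"?$') { continue }
            # Pull the script path out of "-File <path>" (quoted or not).
            if ($action.Arguments -notmatch '-f(ile)?\s+"?([^"]+?\.ps1)') { continue }
            $script = [Environment]::ExpandEnvironmentVariables($Matches[2])
            $writers = @()
            $signature = 'FileMissing'
            if (Test-Path -LiteralPath $script) {
                $writers = @(Get-BroadWriters -Path $script)
                $signature = (Get-AuthenticodeSignature -FilePath $script).Status
            }
            [pscustomobject]@{
                Task       = "$($task.TaskPath)$($task.TaskName)"
                RunAs      = $task.Principal.UserId
                RunLevel   = $task.Principal.RunLevel
                Script     = $script
                WritableBy = ($writers -join ', ')
                Signature  = $signature
                # Broad write access plus a privileged RunAs is the elevation
                # path discussed in the thread; flag any broad writer.
                Finding    = ($writers.Count -gt 0)
            }
        }
    }
}

# Signing only protects these tasks if the machine-wide policy enforces it
# (AllSigned, or RemoteSigned for scripts that arrived from the network).
$machinePolicy = Get-ExecutionPolicy -Scope MachinePolicy
"Group Policy execution policy: $machinePolicy (Undefined means nothing is enforced)"

Get-PowerShellTaskAudit | Sort-Object Finding -Descending | Format-Table -AutoSize
```

Rows with Finding = True and a Signature of NotSigned are the ones to fix first: lock down the NTFS ACL, sign the script, and enforce AllSigned through Group Policy.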

Pile Of Garbage
May 28, 2007



Let POLP be your guide. If you need a service account to execute a Scheduled Task on a server then just give it the "Log on as a batch job" user right which is the minimum required to execute tasks. Too often have I seen service accounts granted local Administrator privileges on a server simply for the purpose of running a task which does not require any privileged permissions.
