|
who is this 'fip' character and why do people like their mode so much. i prefer toris mode myself 
|
#
?
Sep 25, 2017 20:48
|
|
|
|
| # ? May 22, 2024 10:30 |
|
|
anatoliy pltkrvkay posted:who is this 'fip' character and why do people like their mode so much. Fips is the jar jar of security
|
|
#
?
Sep 25, 2017 21:02
|
|
|
Harik posted:I got that via running it and watching what it did, when I saw an ftp user and password I just laughed. It's nice running RE on something written so naievely. you can probably submit it to clam somewhere on their website, no idea about defender. upload it to virustotal if you haven't already
|
|
#
?
Sep 25, 2017 21:19
|
|
|
Wiggly Wayne DDS posted:testing the credentials is dodgy as it could just be a compromised account that the malware author doesn't really own. should probably avoid doing that anyway as you're just going to set off alarm bells on the attacker's end Harik posted:I got that via running it and watching what it did, when I saw an ftp user and password I just laughed. It's nice running RE on something written so naievely. To be clear: I watched a wireshark of it's network activity, saw it connected to a FTP server (TLS), then initiated a transfer. I.E. the program itself connected with it's own credentials. The only alarm that would raise is "some sucker fell for this and ran it." I should have kept the VM firewalled off and setup a honeypot FTP to log everything it did. I'll do that next time I feel like reversing something. I also should have paid more attention to the direction of the transfer - it uploaded the empty buttcoin wallet I keep on the VM for exactly this kind of poo poo to find. That's why I thought the stage2 would be more interesting than the stub, but there is no stage2. It's "Crypto Currencies Wallet Stealer 1.1" with the credentials of a freewebhost he's using to drop them. Emails sent but it's not like I found undetected ransomware or something interesting. If he reacts fast he'll get my empty wallet before they shut down the account. mid 90s something like this happened when someone logged into our servers to setup a phishing form. Back then, I watched his session, saw him connect back to his home server on dialup with a loving password to get the template files - and then I followed him in, grabbed his password list and nuked his copy. spent a while sending emails to people in the list explaining they needed to change their password and why, but overall I felt it was the "right" choice at the time. maybe it wasn't? whitehat trolley problem. is there ethical responsibility to take action in any case? or I'm just bitter because a virus that wasn't widely detected could have been interesting but was just more stupid buttcoin bullshit. cinci zoo sniper posted:you can probably submit it to clam somewhere on their website, no idea about defender. upload it to virustotal if you haven't already it's on VT, I always check hash first. That's how I know clam & defender didn't see it but stuff like eset shows it as generic.trojan. e:  https://www.clamav.net/malware 404 Sorry, this page does not exist Go back home -->
|
|
#
?
Sep 25, 2017 21:29
|
|
|
anatoliy pltkrvkay posted:who is this 'fip' character and why do people like their mode so much. https://support.microsoft.com/en-us/help/811834/prb-cannot-visit-ssl-sites-after-you-enable-fips-compliant-cryptograph posted:This error may occur if you have enabled the following local security setting (or the setting has been enabled as part of a domain Group Policy setting): anthonypants fucked around with this message at 21:36 on Sep 25, 2017 |
|
#
?
Sep 25, 2017 21:33
|
|
|
3des is slow as balls but still fine. In general it should be the last cipher in your suite list for backwards compatibility with dumb old poo poo and isn't hurting anything unless you're trying to go DHE-suites only.
|
|
#
?
Sep 25, 2017 21:36
|
|
|
Harik posted:To be clear: I watched a wireshark of it's network activity, saw it connected to a FTP server (TLS), then initiated a transfer. I.E. the program itself connected with it's own credentials. The only alarm that would raise is "some sucker fell for this and ran it." I should have kept the VM firewalled off and setup a honeypot FTP to log everything it did. I'll do that next time I feel like reversing something. I also should have paid more attention to the direction of the transfer - it uploaded the empty buttcoin wallet I keep on the VM for exactly this kind of poo poo to find. That's why I thought the stage2 would be more interesting than the stub, but there is no stage2. not touching the poop means not touching the poop, not bragging that you think you didn't get caught touching the poop while touching the poop
|
|
#
?
Sep 25, 2017 21:40
|
|
|
Built in accounts strike again!Cocoa Crispies posted:not touching the poop means not touching the poop, not bragging that you think you didn't get caught touching the poop while touching the poop .....I think he's saying he was sandboxing to see what the infection would be? CommieGIR fucked around with this message at 22:10 on Sep 25, 2017 |
|
#
?
Sep 25, 2017 22:08
|
|
|
Cocoa Crispies posted:not touching the poop means not touching the poop, not bragging that you think you didn't get caught touching the poop while touching the poop letting the malware do it's own thing is touching the poop? this is a yes/no question: Running the program as received and seeing what it does is considered poop touching? because absolutely nowhere in there do I talk about launching an ftp client or other direct actions - this is just running it and watching the network in wireshark. e: i bet you mean "validate the credentials work". that was phrased badly - i saw they worked because the ftp portion of the sample worked and was able to transfer files.
|
|
#
?
Sep 25, 2017 22:09
|
|
|
oh my godDiva Cupcake posted:dont touch the poop, etc.
|
|
#
?
Sep 25, 2017 22:20
|
|
|
anthonypants posted:oh my god Nothing makes me feel better about my security policies like seeing how badly the top rated consulting firm in the world does theirs
|
|
#
?
Sep 25, 2017 22:27
|
|
|
Writeup is out: https://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-company-email-admin-accounts/ quote:Indeed, it appears that Deloitte has known something was not right for some time. According to this source, the company sent out a “mandatory password reset” email on Oct. 13, 2016 to all Deloitte employees in the United States. The notice stated that employee passwords and personal identification numbers (PINs) needed to be changed by Oct. 17, 2016, and that employees who failed to do so would be unable to access email or other Deloitte applications. The message also included advice on how to pick complex passwords: lol if you think forcing 263,000 people to reset their passwords all at once will be seen as anything other than panic mode
|
|
#
?
Sep 25, 2017 23:30
|
|
|
CommieGIR posted:Nothing makes me feel better about my security policies like seeing how badly the top rated consulting firm in the world does theirs my gmail account with a yubikey in a drawer somewhere and a code generator on my phone feels like more security than 99% of the enterprise world right now.
|
|
#
?
Sep 26, 2017 00:18
|
|
|
it is
|
|
#
?
Sep 26, 2017 00:31
|
|
|
My PIN is 4826 posted:Writeup is out: https://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-company-email-admin-accounts/ There is a guardian article that says that they have known about the hack since March, but only the senior partners and the security consultants they brought in have been made aware. https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-wizard-attack-revealing-clients-secret-emails
|
|
#
?
Sep 26, 2017 00:53
|
|
|
toilet and douche
|
|
#
?
Sep 26, 2017 01:07
|
|
|
Phrosphor posted:There is a guardian article that says that they have known about the hack since March, but only the senior partners and the security consultants they brought in have been made aware. I'm calling bull.
|
|
#
?
Sep 26, 2017 01:12
|
|
|
Midjack posted:toilet and douche 
|
|
#
?
Sep 26, 2017 03:56
|
|
|
i hope all their poo poo gets leaked 
|
|
#
?
Sep 26, 2017 07:16
|
|
|
same but it sucks for all their clients
|
|
#
?
Sep 26, 2017 07:24
|
|
|
hope the EU shows it muscles now
|
|
#
?
Sep 26, 2017 07:48
|
|
|
the first one of these to happen after gdpr arrives is gonna be good
|
|
#
?
Sep 26, 2017 08:43
|
|
|
Cocoa Crispies posted:c'mon
|
|
#
?
Sep 26, 2017 09:08
|
|
|
spankmeister posted:same but it sucks for all their clients they deserve it. only rich assholes and monstrous corporations use companies like toilet & douche
|
|
#
?
Sep 26, 2017 09:21
|
|
|
Powaqoatse posted:they deserve it. only rich assholes and monstrous corporations use companies like toilet & douche They do a lot of pentesting for smaller companies as well. Would suck really bad for those reports to leak.
|
|
#
?
Sep 26, 2017 09:28
|
|
|
They also do normal financial auditing which tends to be required in many territories. In other news, pretend you work at phishlabs, now feel sad because you work at phishlabs and are probably very incompetent. Are they internet trolls or something? they reported the login page of our product as a phishing page. What the gently caress.
|
|
#
?
Sep 26, 2017 10:01
|
|
|
spankmeister posted:same but it sucks for all their clients literally don't feel bad about anything that happens to any client of deloitte's. They work for the worst people in the world.
|
|
#
?
Sep 26, 2017 14:02
|
|
|
computer bad, hypervisor not enough https://twitter.com/abu_y0ussef/status/912276772800090112 e: and another fun one Tavis just retweeted, some pretty simple iphone 7/galaxy S7 remote code execution https://bugs.chromium.org/p/project-zero/issues/detail?id=1289 e2: downside of being in the uk means everyone's asleep so I look like an rear end in a top hat when more and more things come in. bitcoin mining script was on showtime.com supposedly put there by hackers https://www.theregister.co.uk/2017/09/25/showtime_hit_with_coinmining_script/?mt=1506379755407 Jewel fucked around with this message at 16:31 on Sep 26, 2017 |
|
#
?
Sep 26, 2017 14:40
|
|
|
deloitte bought out my former employer. i wonder what impact it will have for me
|
|
#
?
Sep 26, 2017 16:41
|
|
|
Better job prospect cause now you can say you worked at big 4. Before it became big 3. Also you'll get invited to.alumni events where they kiss your rear end hoping you give them business.
|
|
#
?
Sep 26, 2017 16:51
|
|
|
Lain Iwakura posted:deloitte bought out my former employer. i wonder what impact it will have for me you dropped that in the grey thread before here. as you're never willing to speak on your former employer (for obv reasons) can you just advise as to how relatively hosed we are?
|
|
#
?
Sep 26, 2017 16:53
|
|
|
Jewel posted:computer bad, hypervisor not enough If you aren't running ECC or at least TRR capable hardware in TYOOL2017...
|
|
#
?
Sep 26, 2017 16:55
|
|
|
poo poo, these days I have to specifically turn guest memory dedupe ON by exclusion. I think even click-next installation of esxi by default leaves ram dedupe off and warns you when you're turning it on
|
|
#
?
Sep 26, 2017 16:58
|
|
|
cheese-cube posted:you dropped that in the grey thread before here. as you're never willing to speak on your former employer (for obv reasons) can you just advise as to how relatively hosed we are? no clue  i haven't worked there in almost three years (actually i think i gave notice on this very day three years ago) so i am unsure. based on what was in my e-mails at the time i was working there, all sorts of awful things could surface but i could only speculate at best
|
|
#
?
Sep 26, 2017 17:04
|
|
|
LOL PACK IT UP BOYS WERE hosed!!!
|
|
#
?
Sep 26, 2017 17:08
|
|
|
Potato Salad posted:If you aren't running ECC or at least TRR capable hardware in TYOOL2017... i thought ECC didn't actually protect against rowhammer, or like it was at least still possible if you were clever
|
|
#
?
Sep 26, 2017 17:33
|
|
|
ate all the Oreos posted:i thought ECC didn't actually protect against rowhammer, or like it was at least still possible if you were clever Correct quote:Different methods exist for more or less successful detection, prevention, correction or mitigation of the row hammer effect. Tests show that simple ECC solutions, providing single-error correction and double-error detection (SECDED) capabilities, are not able to correct or detect all observed disturbance errors because some of them include more than two flipped bits per memory word. TRR or pTRR provides more protection, and was pushed as part of the DDR4 specs. You can force faster row refreshes as well to help counter it, but it cuts into your throughput. CLAM DOWN posted:https://autodiscover.deloitte.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fautodiscover.deloitte.com%2fecp fyallm posted:Hahaha Deloitte ... What.. The... gently caress.. CommieGIR fucked around with this message at 17:45 on Sep 26, 2017 |
|
#
?
Sep 26, 2017 17:37
|
|
|
https://twitter.com/Viss/status/912437594993987584 Security Fuckup Megathread - v. 14.1 - 'a;sljfasdfjadjaserfaweakjwtgfaehasrhfasd;
|
|
#
?
Sep 26, 2017 18:00
|
|
|
CommieGIR posted:
|
|
#
?
Sep 26, 2017 18:04
|
|
|
|
| # ? May 22, 2024 10:30 |
|
|
cheese-cube posted:LOL PACK IT UP BOYS WERE hosed!!!
|
|
#
?
Sep 26, 2017 18:05
|
|