|
Krebs used to be cool and clever. What happened? E: maybe he had a lovely snipe and never recovered from it
|
# ? Apr 27, 2019 17:22 |
|
|
|
He's long had a thin skin and most of his scoops rely heavily on having his pal Alex Holden lurk on message boards translating idiomatic Russian for him
|
# ? Apr 27, 2019 17:56 |
|
Boris Galerkin posted:Docker Hub hacked. 190k accounts exposed via usernames, hashed passwords, and github/bitbucket auth tokens. Lol
|
# ? Apr 27, 2019 19:33 |
|
Absurd Alhazred posted:Anybody have context on why Kevin Mitnick is harassing @notdan? I don't know the whole backstory but probably related to this https://twitter.com/_MG_/status/1121451458497351681
|
# ? Apr 27, 2019 19:38 |
|
Garrand posted:I don't know the whole backstory but probably related to this Want to know more about this internet drama!
|
# ? Apr 27, 2019 19:53 |
|
Garrand posted:I don't know the whole backstory but probably related to this Kerbs off His Meds
|
# ? Apr 27, 2019 21:35 |
|
This kills the Kreb.
|
# ? Apr 28, 2019 08:16 |
|
I've lost a lot of respect for him, since his goal is apparently to piss off the infosec field by outing people.
|
# ? Apr 28, 2019 23:05 |
|
https://arstechnica.com/information-technology/2019/04/zeroday-attackers-deliver-a-double-dose-of-ransomware-no-clicking-required quote:The vulnerability is easy to exploit because all that’s required is HTTP access to a vulnerable WebLogic server. Its severity rating under the Common Vulnerability Scoring System is 9.8 out of a possible 10. The attackers send vulnerable servers a POST command that contains a PowerShell command that downloads and then executes a malicious file called “radm.exe.” Besides PowerShell, attackers also exploit CVE-2019-2725 to use the Certutil command-line utility. Other files that get downloaded and executed include office.exe and untitled.exe Uh, is this possible with IIS as well?
|
# ? Apr 30, 2019 21:20 |
|
lmao I may or may not have a weblogic service in an app that dev is building right now time to go pause their hideously-slow progress and loving patch it. Again.
|
# ? Apr 30, 2019 21:29 |
|
incoherent posted:https://arstechnica.com/information-technology/2019/04/zeroday-attackers-deliver-a-double-dose-of-ransomware-no-clicking-required No, it's limited to specific versions of WebLogic. The ars writeup isn't very clear, but the powershell command is part of the payload, not the exploit. https://support.f5.com/csp/article/K90059138 quote:Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (CVE-2019-2725) e: https://isc.sans.edu/forums/diary/Unpatched+Vulnerability+Alert+WebLogic+Zero+Day/24880/ quote:The news today is full of a new deserialization vulnerability in Oracle WebLogic. This affects all current versions of the product (the POC is against 10.3, but 12.x versions are also affected). The vulnerability affects the wls9_async_response package (which is not included by default in all builds), so the workaround is to either ACL the /_async/* and /wls-wsat/* paths, or delete wls9_async_response.war. A successful attack gets the attacker remote code exec on the vulnerable server. The Fool fucked around with this message at 21:43 on Apr 30, 2019 |
# ? Apr 30, 2019 21:34 |
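A quick way to confirm the SANS workaround quoted above actually took effect on a host, added here as an example and not part of the thread or of Oracle's tooling: it sends plain GET requests (no payload) to the two component paths and reports whether they answer. Two assumptions: the concrete servlet names under /_async/ and /wls-wsat/ are taken from common scanner practice, not from the diary, and a 200 only means the component is deployed and reachable. A patched server that still serves the WAR will also report "exposed", so this checks exposure, not patch state.

```python
"""Check whether a WebLogic host still serves the wls9_async_response and
wls-wsat components that CVE-2019-2725 (and CVE-2017-10271 before it) abuse.

Added example, not from the thread or from Oracle. It sends only GET requests
and no payload; a 200 means the component is deployed and reachable, which is
exactly what the SANS workaround (ACL the paths or delete the WAR) removes.
"""
import sys
import urllib.error
import urllib.request

# The diary names the /_async/* and /wls-wsat/* prefixes; the concrete servlet
# names below are an assumption taken from common scanner practice.
PROBE_PATHS = (
    "/_async/AsyncResponseService",
    "/wls-wsat/CoordinatorPortType",
)


def http_status(url, timeout=5.0):
    """Return the HTTP status for a GET, or None if the host is unreachable."""
    req = urllib.request.Request(
        url, method="GET", headers={"User-Agent": "weblogic-exposure-check/1.0"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a status code
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def classify(status):
    """Map a status code to what it says about the workaround."""
    if status is None:
        return "unreachable"
    if status == 200:
        return "exposed"        # component deployed, nothing in front of it
    if status in (401, 403):
        return "acl-blocked"    # path present but access-controlled
    if status == 404:
        return "not-deployed"   # WAR removed or never installed
    return "unknown"


def check_host(base_url, fetch=http_status):
    """Probe every path; returns {path: verdict}. `fetch` is injectable for tests."""
    base = base_url.rstrip("/")
    return {path: classify(fetch(base + path)) for path in PROBE_PATHS}


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} http://weblogic-host:7001", file=sys.stderr)
        return 2
    results = check_host(argv[1])
    for path, verdict in results.items():
        print(f"{verdict:13s} {path}")
    # Non-zero exit if anything is still exposed, so this can gate a pipeline.
    return 1 if "exposed" in results.values() else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the admin port (7001 by default) before and after applying the ACL or deleting the WAR; "acl-blocked" or "not-deployed" on both paths is the state you want.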
|
So umm... apparently my parents were told today that the reason their DSL wasn't working according to their ISP, incredibly awful provider but their only option, was that I'd changed the login password on the modem/router hybrid they were provided when it was set up from the default, and if that's changed they can't update the firmware on the modems. I can't think of a single explanation for this that isn't unspeakably awful.
|
# ? May 1, 2019 18:22 |
|
quote:The root cause here seems to be that the affected WAR components ingest and process all serialized data, and have a blacklist of "bad" content.
|
# ? May 1, 2019 18:27 |
|
gourdcaptain posted:So umm... apparently my parents were told today that the reason their DSL wasn't working according to their ISP, incredibly awful provider but their only option, was that I'd changed the login password on the modem/router hybrid they were provided when it was set up from the default, and if that's changed they can't update the firmware on the modems. I had AT&T U-verse and can say that they used custom firmware on 2-wire routers (in my case) and would update just whenever. It also didn’t have features that the model of router should have. However, there was no problem with me changing the login to my own, so I’ve no idea what your parents’ provider is doing.
|
# ? May 1, 2019 18:48 |
|
Darchangel posted:I had AT&T U-verse and can say that they used custom firmware on 2-wire routers (in my case) and would update just whenever. It also didn’t have features that the model of router should have. However, there was no problem with me changing the login to my own, so I’ve no idea what your parents’ provider is doing. This is a router that has an IP v6 config page consisting of a TODO statement from the programmer to themselves to implement it later visible to the user and nothing else, so it's presumably just horrible.
|
# ? May 1, 2019 18:54 |
|
Wow.
|
# ? May 1, 2019 18:55 |
|
We used to have a real problem with ATT DSL to satellite offices and retail locations. They would update the modem firmware without any notice at all (before or after). Then we'd get alarms tripping all over because the FW update reset our config and turned the modems from that half-assed hybrid-bridge mode (ATT: Our business class DSL can't do transparent bridging!) to full on NAT with DHCP and turn on the wireless radios. We did end up solving that issue. We cancelled all the ATT circuits and went with another provider that could offer full transparent bridging and also didn't update FW willy-nilly. Of course they came with their own stupid issues, but still not as bad as ATT.
|
# ? May 1, 2019 19:04 |
|
TR069 or a vendor-specific management platform doesn't use a user-accessible account to do the logging in and management. I guess if you rolled your own terrible system based on SSHing into routers then it might be affected.
|
# ? May 1, 2019 19:52 |
|
Thanks Ants posted:TR069 or a vendor-specific management platform doesn't use a user-accessible account to do the logging in and management. I guess if you rolled your own terrible system based on SSHing into routers then it might be affected. My guess is Telnet. I have absolutely no evidence for this other than it seems roughly on their competence level and they once spent a year repeatedly rewiring all the phone wiring in their house to try to get DSL to work in anything other than perfect weather (temperatures over 85 or so or below 40 would kill it, so would using the microwave) until they realized they'd forgotten to actually prepare the line from the house to their systems for DSL at all and it was using ancient phone switching technology incompatible with DSL.
|
# ? May 1, 2019 20:01 |
|
Can anyone tell me what the deal is with OSQuery? OSQuery Our Security team is saying from our latest PCI audit and because we're working towards HITRUST that we all need to install these on our laptops. It looks to be mainly reading low level stuff on the machine but appears to be interested in stuff like Browser plugins, etc. This looks invasive as gently caress to run on a laptop (yes it is provided by my work) and when we get it installed I should halt doing anything but work on it. Am I paranoid or not? They haven't given any reason except just saying YOU MUST INSTALL!!!!! and no context so that is always spirit lifting that we're being open and honest. No published queries or what metrics they are trying to track either.
|
# ? May 2, 2019 16:06 |
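For a concrete picture of what an osquery inventory run collects, here is an added example that is not the poster's company's configuration or osquery's own code: three read-only SQL queries of the kind a PCI or HITRUST-driven endpoint program schedules, run through `osqueryi --json`, with the results checked against a baseline. The table and column names (chrome_extensions, listening_ports, os_version) are osquery's; the approved extension ID, the expected ports and the sample rows are constructed for the example.

```python
"""What an osquery inventory query looks like and how its rows get checked.

Added example, not from the thread. osquery exposes host state as virtual SQL
tables; `osqueryi --json <sql>` runs one query and prints a JSON list of rows.
The baseline values below are constructed, not anyone's real policy.
"""
import json
import shutil
import subprocess

# Three inventory queries of the kind an endpoint program schedules.
INVENTORY_QUERIES = {
    "chrome_extensions": "SELECT uid, name, identifier, version FROM chrome_extensions;",
    "listening_ports": "SELECT pid, port, protocol, address FROM listening_ports;",
    "os_version": "SELECT name, version, build FROM os_version;",
}

# Constructed baseline. Chrome extension IDs are 32 letters a-p; this one is
# made up for the example and is not a real extension.
APPROVED_EXTENSIONS = {"abcdefghijklmnopabcdefghijklmnop"}
EXPECTED_PORTS = {22, 5353}


def run_query(sql):
    """Run one query through osqueryi and return its rows as dicts.
    Returns [] if osquery is not installed so the checks below still run."""
    if shutil.which("osqueryi") is None:
        return []
    proc = subprocess.run(
        ["osqueryi", "--json", sql], capture_output=True, text=True, check=True
    )
    return json.loads(proc.stdout) if proc.stdout.strip() else []


def find_unapproved_extensions(rows, approved=APPROVED_EXTENSIONS):
    """Extension identifiers present on the host but not on the approved list."""
    return sorted({r["identifier"] for r in rows if r["identifier"] not in approved})


def find_unexpected_ports(rows, expected=EXPECTED_PORTS):
    """Listening ports outside the expected set (osquery returns port as text)."""
    return sorted({int(r["port"]) for r in rows} - expected)


def inventory_report(ext_rows, port_rows, os_rows):
    """Combine the checks into the dict a collector would ship to the SIEM."""
    return {
        "os": os_rows[0] if os_rows else None,
        "unapproved_extensions": find_unapproved_extensions(ext_rows),
        "unexpected_ports": find_unexpected_ports(port_rows),
    }


if __name__ == "__main__":
    report = inventory_report(
        run_query(INVENTORY_QUERIES["chrome_extensions"]),
        run_query(INVENTORY_QUERIES["listening_ports"]),
        run_query(INVENTORY_QUERIES["os_version"]),
    )
    print(json.dumps(report, indent=2))
```

Nothing here reads file contents or keystrokes; it is metadata about installed software and open sockets, which is the level of visibility the thread describes and roughly what an auditor asks to see evidence of.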
|
Virigoth posted:Can anyone tell me what the deal is with OSQuery? OSQuery It looks like a pretty typical endpoint tool from what I can see and your company/security team doesn't owe you anything like metrics.
|
# ? May 2, 2019 16:12 |
|
CLAM DOWN posted:It looks like a pretty typical endpoint tool from what I can see and your company/security team doesn't owe you anything like metrics. You are right they don't BUT they have always been super transparent and explanatory on what they are doing for X and Y just like we are when we provide tooling to our developers. This is a strong turn towards just yelling out mandates randomly after an audit with little to no explanation. This is a disturbing and growing trend. They usually provide these explanations, metrics, etc because we all like to learn and grow from how we do things on our product and how our culture is setup. This is a big step backwards for our culture and product to start throwing up walls and not communicating. I'm glad it looks like a standard tool, and I don't do any weird illegal poo poo on my laptop anyway because I'm not a complete fuckup, but I always like to try to check / learn as much as I can about these things.
|
# ? May 2, 2019 16:23 |
|
Virigoth posted:You are right they don't BUT they have always been super transparent and explanatory on what they are doing for X and Y just like we are when we provide tooling to our developers. This is a strong turn towards just yelling out mandates randomly after an audit with little to no explanation. This is a disturbing and growing trend. They usually provide these explanations, metrics, etc because we all like to learn and grow from how we do things on our product and how our culture is setup. This is a big step backwards for our culture and product to start throwing up walls and not communicating. I'm glad it looks like a standard tool, and I don't do any weird illegal poo poo on my laptop anyway because I'm not a complete fuckup, but I always like to try to check / learn as much as I can about these things. I think it's reasonable to not thoroughly discuss your security watchdog tools with the people it's intended to watch over. I don't think it's anything to get concerned over.
|
# ? May 2, 2019 16:27 |
|
Virigoth posted:You are right they don't BUT they have always been super transparent and explanatory on what they are doing for X and Y just like we are when we provide tooling to our developers. This is a strong turn towards just yelling out mandates randomly after an audit with little to no explanation. This is a disturbing and growing trend. They usually provide these explanations, metrics, etc because we all like to learn and grow from how we do things on our product and how our culture is setup. This is a big step backwards for our culture and product to start throwing up walls and not communicating. I'm glad it looks like a standard tool, and I don't do any weird illegal poo poo on my laptop anyway because I'm not a complete fuckup, but I always like to try to check / learn as much as I can about these things. Just because you don't do dangerous poo poo on your system doesn't mean others aren't. Endpoint security tools like that (especially basic inventory ones, there are FAR more intrusive tools like Carbon Black whitelisting, etc.) are very standard and you're worried for no reason. Your security team is doing the right thing by not disclosing details.
|
# ? May 2, 2019 16:31 |
|
If a user stopped me in the halls or ask me at my desk about concerns they have with what we monitor and secure, I was generally very happy to explain what we did, why we did it, and how their privacy was or was not implicated. I've talked people down who were as indignant as you are, Virigoth, and generally by explaining our perspective and how we are constrained by a narrow set of regulatory, legal, and/or compliance directives I was always able to alleviate people's concerns. If you have serious concerns, the best way to learn more is just to ask your security team. Chances are they'll welcome an opportunity to explain their side of what's happening! I'd recommend going in person over dropping an email though, a face to face conversation is usually for the better here. I'd certainly never publish more information than I had to though, or broadly distribute that sort of specific information on how the agent works or our various regulatory/legal/compliance requirements. There's a big difference between explaining honestly to one or two users how things work so they feel more comfortable using their corporate equipment, and explaining that to the whole company. It's simply not appropriate to distribute certain information that widely, and you're just inviting trouble and blowback when 99% of the time nobody's going to notice or care.
|
# ? May 2, 2019 16:59 |
|
Virigoth posted:Can anyone tell me what the deal is with OSQuery? OSQuery I had that and its predecessors running on my laptop for about 5 years. It was really helpful in dealing with a zero-day used to target someone on my team, and the group that built it is pretty sharp. Part of the value is the ability to do ad hoc querying to investigate security (or performance or configuration) problems, so I doubt they’re going to limit themselves to a set of published fixed queries.
|
# ? May 2, 2019 17:21 |
|
Virigoth posted:Can anyone tell me what the deal is with OSQuery? OSQuery Don’t do anything but work on your work computer. An overintrusive infosec team is the least of your worries.
|
# ? May 2, 2019 17:27 |
|
PCjr sidecar posted:Don’t do anything but work on your work computer. An overintrusive infosec team is the least of your worries. I use a cloud VM for non-work stuff during the day, using my MSDN credits. Hence I can still shitpost here.
|
# ? May 2, 2019 17:49 |
|
Virigoth posted:This looks invasive as gently caress to run on a laptop (yes it is provided by my work) and when we get it installed I should halt doing anything but work on it. Virigoth posted:I'm glad it looks like a standard tool, and I don't do any weird illegal poo poo on my laptop anyway because I'm not a complete fuckup, but I always like to try to check / learn as much as I can about these things.
|
# ? May 2, 2019 18:04 |
|
CLAM DOWN posted:I use a cloud VM for non-work stuff during the day, using my MSDN credits. Hence I can still shitpost here. Of all the ways I keep my not work activities apart from corp devices, this is the one I hadn't considered and I have no idea why.
|
# ? May 2, 2019 20:20 |
|
I hadn't either. How do you connect? RDP? VNC? Parsec in a browser?
|
# ? May 2, 2019 21:19 |
|
There's also an HTML5 RDP interface that will work through a gateway, if you don't want to do VPNs.
|
# ? May 2, 2019 21:25 |
|
Mustache Ride posted:I hadn't either. How do you connect? RDP? VNC? Parsec in a browser? RDP. We use Azure extensively so permit outbound RDP to Azure VMs in our region, Canada Central. So I'm golden
|
# ? May 2, 2019 21:26 |
|
Yeah that's going to be hard to catch by security pukes. Azure has a $200 trial, right? That's worth a shot. Thanks
|
# ? May 2, 2019 21:32 |
|
Mustache Ride posted:Yeah that's going to be hard to catch by security pukes. Yup. My org gives everyone MSDN Enterprise, so I get 200/mo ongoing credits.
|
# ? May 2, 2019 21:42 |
|
Has anyone here tried out NSA's Ghidra?
|
# ? May 3, 2019 01:14 |
|
Absurd Alhazred posted:Has anyone here tried out NSA's Ghidra? Yep. It's amazing how many features it can do compared to IDA Pro to make ~$1000 look odd for a Pro license. Plus it does a lot more such as better struct inference, decompile to actual pseudo C, support many more architectures (like dozens of weird archs compared to x86, x64, ARM, and AArch64), but the best thing it lets you do: it lets you Undo. That might seem small, but there are times IDA will just gently caress up everything to an unrecoverable mess if you do something like messing up a return, make a typo on an array size; too many things to list. IDA Pro never really had competition so it has been interesting to see discussion.
|
# ? May 3, 2019 01:42 |
|
EVIL Gibson posted:Yep. It's amazing how many features it can do compared to IDA Pro to make ~$1000 look odd for a Pro license. How long have you been piping your posts through IDA? E: legitimately though, thanks for this. I’ve been meaning to gently caress around with it and never got around to it.
|
# ? May 3, 2019 01:43 |
|
Absurd Alhazred posted:Has anyone here tried out NSA's Ghidra? It's good. IMO, the lack of a debugger is the only thing holding it back from being a complete IDA replacement right now (and supposedly there is a debugger coming at some point down the road). I'm sure there are cases where Hex-Rays does a better job decompiling something than Ghidra (and vice versa) but I haven't run into anything that Ghidra has handled significantly worse than IDA. Also, for whatever reason, Ghidra performs better than IDA on my machine but YMMV.
|
# ? May 3, 2019 01:46 |
|
|
|
Cool! I might have a chance to try playing around with it at work in lieu of getting another IDA Pro license.
|
# ? May 3, 2019 02:41 |