co199
Oct 28, 2009

I AM A LOUSY FUCKING COMPUTER JANITOR WHO DOES NOT KNOW ANYTHING ABOUT CYBER COMPUTER HACKER SHIT.

PLEASE DO NOT LISTEN TO MY FUCKING AWFUL OPINIONS AS I HAVE NO FUCKING IDEA WHAT I AM TALKING ABOUT.

ReagaNOMNOMicks posted:

I have never ever posted ITT or anywhere in SH/SC I think because I'm a mere user but I think I found something you guys might like!

From the Panama Papers thread in D&D:


Drupal, Joomla, Wordpress...any time I do a "hacked" web server investigation, it's a 99% chance that it's one of those. Not surprised at all.


PBCrunch
Jun 17, 2002

Lawrence Phillips Always #1 to Me

OSI bean dip posted:

Seconding this. If you're running a website in 2016 without SSL, you're a buffoon.
That was remarkably easy; I feel dumb for not having that working before.

So if I have https running (and http disabled), and have directory-level authentication with apache, I'm pretty much good to go, then? Just keep it updated and refresh my cert every week, and everything should be golden?

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

PBCrunch posted:

That was remarkably easy; I feel dumb for not having that working before.

So if I have https running (and http disabled), and have directory-level authentication with apache, I'm pretty much good to go, then? Just keep it updated and refresh my cert every week, and everything should be golden?

While I cannot comment on the Apache authentication specifically, I can tell you that having your LE certificate checked every week automatically is the right thing to do.

Rufus Ping
Dec 27, 2006

I'm a Friend of Rodney Nano
Use TLS client auth

Double Punctuation
Dec 30, 2009

Ships were made for sinking;
Whiskey made for drinking;
If we were made of cellophane
We'd all get stinking drunk much faster!

The Internet is going to be hell whenever they get hacked.

astr0man
Feb 21, 2007

hollyeo deuroga
You could say that about any CA though. At least letsencrypt is open and uses really short lifetimes for their certificates.

Paul MaudDib
May 3, 2006

TEAM NVIDIA:
FORUM POLICE

dpbjinc posted:

The Internet is going to be hell whenever they get hacked.

The model LetsEncrypt is pushing hard is that you set up a cronjob or something that pulls a new certificate every week. I think the main goal is for them to be able to push stronger certificates on a reasonable timeframe if a new vulnerability comes out. But it also means that they could just as easily rotate their root certificate and push out new certificates to everyone if they were compromised, as soon as they could get their new root cert pushed into Windows/Linux/Firefox/Chrome/Java.

Paul MaudDib fucked around with this message at 02:48 on Apr 8, 2016

mrbass21
Feb 1, 2009
Been trying to set up good security settings with Apache. Found Mozilla's configuration recommendation page and wondered how reliable it was: https://mozilla.github.io/server-side-tls/ssl-config-generator/

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

mrbass21 posted:

Been trying to set up good security settings with Apache. Found Mozilla's configuration recommendation page and wondered how reliable it was: https://mozilla.github.io/server-side-tls/ssl-config-generator/

It's good, but it's just SSL config. If you want mod_security or information on directory permissions or fcgi users or whatever, you'll need to look elsewhere.
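The setup PBCrunch describes (HTTPS only, directory-level auth in Apache), Rufus Ping's "use TLS client auth", and the weekly automated certificate check Paul MaudDib and Lain Iwakura talk about, put together in one script. This is an added example, not code from anyone in this thread: it assumes a Debian-style apache2 with mod_ssl and mod_headers enabled, certbot installed, the hostname example.com and every file path shown, all of which are placeholders. The SSLProtocol/SSLCipherSuite lines are deliberately left for Mozilla's generator, since that is exactly the part it covers.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: Debian-style apache2 with
# mod_ssl and mod_headers enabled, certbot installed, hostname example.com
# and the paths below (all placeholders).
set -e

HOST="example.com"   # placeholder
LIVE_DIR="/etc/letsencrypt/live/$HOST"
RENEW_BEFORE_DAYS=30   # renew once this many days or fewer remain

# Print an HTTPS-only vhost: port 80 does nothing but redirect, the site
# itself is served on 443 only.
render_vhost() {
  cat <<EOF
<VirtualHost *:80>
    ServerName $HOST
    Redirect permanent / https://$HOST/
</VirtualHost>

<VirtualHost *:443>
    ServerName $HOST
    DocumentRoot /var/www/$HOST

    SSLEngine on
    SSLCertificateFile    $LIVE_DIR/fullchain.pem
    SSLCertificateKeyFile $LIVE_DIR/privkey.pem
    # Paste the SSLProtocol / SSLCipherSuite lines from the Mozilla generator here.
    Header always set Strict-Transport-Security "max-age=31536000"

    # Directory-level auth. Basic auth is acceptable only because port 80
    # never serves content, so the password never crosses the wire in the clear.
    <Directory /var/www/$HOST/private>
        AuthType Basic
        AuthName "Private"
        AuthUserFile /etc/apache2/htpasswd-$HOST
        Require valid-user
    </Directory>

    # TLS client auth for the admin area: the CA that issued the client
    # certs is named at vhost level, the requirement is scoped to one directory.
    SSLCACertificateFile /etc/apache2/client-ca.pem
    <Directory /var/www/$HOST/admin>
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Directory>
</VirtualHost>
EOF
}

# The renewal rule on plain epoch seconds, so a monitoring script can reuse
# it: renew when the certificate expiring at $1 has RENEW_BEFORE_DAYS or
# fewer days left as of $2. Returns 0 for "renew", 1 for "still fine".
needs_renewal() {
  remaining_days=$(( ($1 - $2) / 86400 ))
  [ "$remaining_days" -le "$RENEW_BEFORE_DAYS" ]
}

# Weekly job: "openssl x509 -checkend N" succeeds if the cert is still valid
# N seconds from now. Renew only when that fails, then reload Apache so the
# running server actually serves the new chain.
weekly_check() {
  if openssl x509 -noout -in "$LIVE_DIR/cert.pem" \
       -checkend $(( RENEW_BEFORE_DAYS * 86400 )); then
    echo "$HOST: certificate valid for at least $RENEW_BEFORE_DAYS more days"
  else
    certbot renew --quiet --deploy-hook "systemctl reload apache2"
  fi
}

# Usage (hypothetical install path):
#   site-tls.sh render > /etc/apache2/sites-available/example.com.conf
#   crontab entry: 0 3 * * 1 /usr/local/sbin/site-tls.sh check
case "${1:-}" in
  render) render_vhost ;;
  check)  weekly_check ;;
esac
```

The weekly check does not blindly re-issue a certificate every Monday; it asks openssl whether the current one still has 30 days left and only calls certbot when it does not, which keeps you inside Let's Encrypt's rate limits while still noticing a failed renewal a month before it bites. The deploy hook matters: a renewed file on disk does nothing until Apache reloads.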

DeaconBlues
Nov 9, 2011
What's the consensus about the news that WhatsApp (a company owned by Facebook, nonetheless) now has secure end to end encryption? The encryption may be provided by Open Whisper Systems but there's a bunch of proprietary code bundled in there, too.

Is it now more trustworthy than the likes of Telegram (which also uses proprietary software in 'default' server side encryption mode)? Is there a way that the core software could contain some kind of universal decryption method? Or are they keeping the core proprietary purely to retain ownership (and thus retain value)? Could anything closely tied to Facebook be a genuine attempt at global privacy? Is it a honeypot?

So many questions I couldn't hope to answer, so over to you...

Loving Africa Chaps
Dec 3, 2007


We had not left it yet, but when I would wake in the night, I would lie, listening, homesick for it already.

I think open whisper systems have too much to lose to very publicly promote a version of their code that had been backdoored

DeaconBlues
Nov 9, 2011
I'm not a WhatsApp user and only found out about the default end to end encryption today. I'm just a bit incredulous that a mega corp would make a bold move like this and I wanted to read some knowledgeable opinions before I start using WhatsApp (more than likely just message my mum which films she wants me to torrent, ha ha).

Isn't it a little crazy for such an institution like WhatsApp (and by proxy, Facebook) to hold two fingers up to those who want freedom to freely investigate terrorism? Perhaps they've been inspired by the Apple/FBI debacle.

mod saas
May 4, 2004

Grimey Drawer
it's my understanding that Facebook finds it worthwhile to allow people in authoritarian regimes to use their services - they even have a tor-facing server so you can connect via hidden service. it's my understanding things like whatsapp are already used/in a position to be used by people in that same situation. it's worth the social/ethical capital for them to support keeping those communication lines open even if it doesn't support their main business

DeaconBlues
Nov 9, 2011
So are you saying that the kudos (or 'cool factor') they receive for providing such a service (if it is trustworthy) is worth the possibility of putting the government and/or legal system's noses out of joint?

Like how Apple gained respect (from a lot of quarters, maybe not everyone but I'd say a majority) due to standing up for privacy.

mod saas
May 4, 2004

Grimey Drawer

DeaconBlues posted:

So are you saying that the kudos (or 'cool factor') they receive for providing such a service (if it is trustworthy) is worth the possibility of putting the government and/or legal system's noses out of joint?

Like how Apple gained respect (from a lot of quarters, maybe not everyone but I'd say a majority) due to standing up for privacy.

I'm going off half-remembered posts from fb people in yospos but I think it boiled down to "we have the ability, and therefore responsibility, to lose targeted ads to prevent targeted bullets for a segment of people"

Thanks Ants
May 21, 2004

#essereFerrari


Presumably this sort of approach only works if the company is Facebook/Google/Apple-sized and then when going up against the government on the issue of end-to-end encryption it can be painted as "the government wants to take Facebook away from us", which is likely to get more people to take notice than "the government wants to shut down this open-source messaging company".

DeaconBlues
Nov 9, 2011

Adix posted:

I'm going off half-remembered posts from fb people in yospos but I think it boiled down to "we have the ability, and therefore responsibility, to lose targeted ads to prevent targeted bullets for a segment of people"

I'm interested in the technical side of this, put into simple terms. I'll have a look in yospos. Thanks.

ItBurns
Jul 24, 2007

DeaconBlues posted:

So are you saying that the kudos (or 'cool factor') they receive for providing such a service (if it is trustworthy) is worth the possibility of putting the government and/or legal system's noses out of joint?

Like how Apple gained respect (from a lot of quarters, maybe not everyone but I'd say a majority) due to standing up for privacy.

There's no guarantee that it hasn't been backdoored and Facebook stands to gain more from doing so than it does for being 'cool' or whatever. You should probably just assume that it's not secure rather than place a ton of faith in Facebook of all people respecting your privacy.

DeaconBlues
Nov 9, 2011
That sums up my hesitation/reluctance to install it. Too good to be true.

spog
Aug 7, 2004

It's your own bloody fault.
PGP on phones has been defeated:

http://www.theguardian.com/uk-news/2016/apr/21/gang-found-guilty-of-uks-largest-known-gun-smuggling-operation

quote:

Officers from the National Crime Agency, which led the investigation into the smuggling, breached the PGP (pretty good privacy) encryption software installed on multiple BlackBerry phones used by the group to intercept messages as the trafficking took place. The UK is only the third country in the world, after Canada and the Netherlands, to have publicly said its law enforcers have been able to breach the PGP programme for encrypting data.

I thought the maths behind PGP was pretty solid, so weaknesses in the software?

Loving Africa Chaps
Dec 3, 2007


We had not left it yet, but when I would wake in the night, I would lie, listening, homesick for it already.

spog posted:

PGP on phones has been defeated:

http://www.theguardian.com/uk-news/2016/apr/21/gang-found-guilty-of-uks-largest-known-gun-smuggling-operation


I thought the maths behind PGP was pretty solid, so weaknesses in the software?

I think it's that messages were encrypted with a key BlackBerry controlled and that's been compromised

Rufus Ping
Dec 27, 2006

I'm a Friend of Rodney Nano
^ you're thinking of BES

It likely had nothing to do with PGP as such and was just an endpoint attack to either steal the plaintext or the keys

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
Someone having physical access to your device generally means all bets are off.

spog
Aug 7, 2004

It's your own bloody fault.

OSI bean dip posted:

Someone having physical access to your device generally means all bets are off.

The article suggests that the messages were accessed while the crime happened, not after the fact.

Rufus Ping posted:

It likely had nothing to do with PGP as such and was just an endpoint attack to either steal the plaintext or the keys

I guess the question is how they attacked the phones without the user's knowledge. Can you push software onto a phone without alerting the user?

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

spog posted:

The article suggests that the messages were accessed while the crime happened, not after the fact.

quote:

I guess the question is how they attacked the phones without the user's knowledge. Can you push software onto a phone without alerting the user?

I think you just answered your question. You can push apps to a Blackberry device.

EpicCareMadBitch
Dec 20, 2008
What are some things that I should study to start learning sec related things? Also resources that would help a beginner/novice looking to get into the field of infosec. Books? Courses? Videos? I'm very interested in netsec and infosec but I don't know where to begin. I was looking at maybe bash/shell, different file encryption, scripts and things like that, but I feel I need some fundamental training on the whole lot of information for these subjects.

Boris Galerkin
Dec 17, 2011

I don't understand why I can't harass people online. Seriously, somebody please explain why I shouldn't be allowed to stalk others on social media!
Bash/shell and encryption aren't really even in the same category so yeah. I don't have any links but I'd say start with looking up how RSA works and go from there. If you're into videos there's a series with an English guy that's somewhat easy to understand but he's annoying to listen to. It also is gonna depend on your math background.

Paul MaudDib
May 3, 2006

TEAM NVIDIA:
FORUM POLICE

oaok posted:

What are some things that I should study to start learning sec related things? Also resources that would help a beginner/novice looking to get into the field of infosec. Books? Courses? Videos? I'm very interested in netsec and infosec but I don't know where to begin. I was looking at maybe bash/shell, different file encryption, scripts and things like that, but I feel I need some fundamental training on the whole lot of information for these subjects.

Security is a really broad field. A deep understanding will probably require you to learn pentesting in parallel with coding/administration - you set up something, then break into it, make it stronger, etc. There are a bunch of different categories that are pretty much unrelated - learning how to store passwords securely in a database doesn't really help you with portscanning and so on.

I'd start with looking at some of the stuff you can do with metasploit and nmap, probably. Stay out of trouble.

Diva Cupcake
Aug 15, 2005

How about starting with CIS's 20 Critical Security Controls and researching and understanding why each of them is implemented and how they fit into an enterprise environment?

Probably better to have a base knowledge than mucking around with Kali and Metasploit tutorials.

Dex
May 26, 2006

Quintuple x!!!

Would not escrow again.

VERY MISLEADING!

oaok posted:

What are some things that I should study to start learning sec related things? Also resources that would help a beginner/novice looking to get into the field of infosec. Books? Courses? Videos? I'm very interested in netsec and infosec but I don't know where to begin. I was looking at maybe bash/shell, different file encryption, scripts and things like that, but I feel I need some fundamental training on the whole lot of information for these subjects.

here's a bigass wiki full of all kinds of web security stuff: https://www.owasp.org/

here's a really good place to start: https://www.owasp.org/index.php/OWASP_Top_Ten_Project

once you've got your head around how all of that works you'll be ahead of everybody who doesn't give a poo poo about security, and should have a better idea of what you actually want to do (dev, ops, qa, infrastructure, whatever)

EpicCareMadBitch
Dec 20, 2008

Dex posted:

here's a bigass wiki full of all kinds of web security stuff: https://www.owasp.org/

here's a really good place to start: https://www.owasp.org/index.php/OWASP_Top_Ten_Project

once you've got your head around how all of that works you'll be ahead of everybody who doesn't give a poo poo about security, and should have a better idea of what you actually want to do (dev, ops, qa, infrastructure, whatever)

Thanks man

pr0zac
Jan 18, 2004

~*lukecagefan69*~


Pillbug

ItBurns posted:

There's no guarantee that it hasn't been backdoored and Facebook stands to gain more from doing so than it does for being 'cool' or whatever. You should probably just assume that it's not secure rather than place a ton of faith in Facebook of all people respecting your privacy.

DeaconBlues posted:

That sums up my hesitation/reluctance to install it. Too good to be true.

You guys know it takes all of 5 minutes to decompile an iOS app and/or mitm the traffic to check claims of backdooring or logging right? Objective-C doesn't even obfuscate symbols, any idiot can do it.

Like, this isn't something that you have to decide based on your personal biases against a company, you can just go check it for yourself. There's a reason you don't hear any real security professionals saying dumb poo poo like this.

Doug
Feb 27, 2006

This station is
non-operational.

oaok posted:

What are some things that I should study to start learning sec related things? Also resources that would help a beginner/novice looking to get into the field of infosec. Books? Courses? Videos? I'm very interested in netsec and infosec but I don't know where to begin. I was looking at maybe bash/shell, different file encryption, scripts and things like that, but I feel I need some fundamental training on the whole lot of information for these subjects.

Check out https://www.cybrary.it/courses/ They have a lot of classes on a variety of things broken down into skill levels. Maybe dive in to the penetration testing course and just start googling stuff you don't understand?

Rufus Ping
Dec 27, 2006

I'm a Friend of Rodney Nano

oaok posted:

What are some things that I should study to start learning sec related things? Also resources that would help a beginner/novice looking to get into the field of infosec. Books? Courses? Videos? I'm very interested in netsec and infosec but I don't know where to begin. I was looking at maybe bash/shell, different file encryption, scripts and things like that, but I feel I need some fundamental training on the whole lot of information for these subjects.

Become a competent programmer and/or sysadmin first

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

pr0zac posted:

You guys know it takes all of 5 minutes to decompile an iOS app and/or mitm the traffic to check claims of backdooring or logging right? Objective-C doesn't even obfuscate symbols, any idiot can do it.

Like, this isn't something that you have to decide based on your personal biases against a company, you can just go check it for yourself. There's a reason you don't hear any real security professionals saying dumb poo poo like this.

I hear Facebook bribed Moxie to install a broken ratchet.

ohgodwhat
Aug 6, 2005

pr0zac posted:

You guys know it takes all of 5 minutes to decompile an iOS app and/or mitm the traffic to check claims of backdooring or logging right? Objective-C doesn't even obfuscate symbols, any idiot can do it.

Like, this isn't something that you have to decide based on your personal biases against a company, you can just go check it for yourself. There's a reason you don't hear any real security professionals saying dumb poo poo like this.

It doesn't have to do anything obviously nefarious if the protocol is poo poo and/or improperly or poorly implemented.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

ohgodwhat posted:

It doesn't have to do anything obviously nefarious if the protocol is poo poo and/or improperly or poorly implemented.

Okay. So have you ever looked at the code yourself? Do you understand the difference between a "poo poo" protocol and one that is not? Can you cite any examples or are you just theorizing?

Rufus Ping
Dec 27, 2006

I'm a Friend of Rodney Nano
Why on earth would someone see whatsapp hiring moxie and immediately jump to the conclusion it's too good to be true and must be part of a nefarious plot nobody else has identified and that you'd better not use it? That's seriously loving stupid even by sh/sc standards

ohgodwhat
Aug 6, 2005

OSI bean dip posted:

Okay. So have you ever looked at the code yourself? Do you understand the difference between a "poo poo" protocol and one that is not? Can you cite any examples or are you just theorizing?

As already pointed out in the POS, this isn't about WhatsApp. I have no reason to doubt what they've done. I just don't see how being able to decompile iOS apps provides all of the necessary information to any old individual that the privacy of their communication is maintained.


Dex
May 26, 2006

Quintuple x!!!

Would not escrow again.

VERY MISLEADING!

oaok posted:

Thanks man

np, just don't stress it too much if things look overwhelming - like others said, it's a huge field. if you're finding yourself not understanding XSS exploits because you don't understand how something like text encoding works, that's ok, just keep googling the bits that don't make sense until it starts to come together
