THREAD MASCOT
quote:
Don't roll your own crypto.

recommended resources:
SecLists.Org Security Mailing List Archive
attrition.org
r/netsec
r/crypto

conferences/gatherings:
BSides (check for one local to you!)
Black Hat
DEF CON
ShmooCon

recent news:
HardenedBSD ends their call for donations on a successful note
Let's Encrypt begins closed beta
CISA is revealed to not contain Senator Whitehouse's CFAA amendment

more resources:
VulnHub - Vulnerable By Design
OverTheWire
SmashTheStack

RISCy Business fucked around with this message at 15:52 on Dec 18, 2015
# Nov 8, 2015 03:00
reserved just in case
# Nov 8, 2015 03:00
on this topic, if anyone needs/wants an invite to keybase, i have 5 left- send me a pm or an email (root[a]reverie.pw) with your email address and i'll get you squared away
# Nov 8, 2015 03:05
hey, remember Linux.Encoder.1? turns out it sucks
http://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/
quote:
We mentioned that the AES key is generated locally on the victim's computer. We looked into the way the key and initialization vector are generated by reverse-engineering the Linux.Encoder.1 sample in our lab. We realized that, rather than generating secure random keys and IVs, the sample would derive these two pieces of information from the libc rand() function seeded with the current system timestamp at the moment of encryption. This information can be easily retrieved by looking at the file's timestamp. This is a huge design flaw that allows retrieval of the AES key without having to decrypt it with the RSA public key sold by the Trojan's operator(s).
# Nov 13, 2015 17:15
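As an added example (not from the post or from Bitdefender's write-up), a C sketch of why a rand()-derived key seeded with a timestamp is recoverable. The key/IV derivation is a simplified model and an assumption, not the sample's real routine, and the known-key comparison stands in for the trial decryption of a known-plaintext file that a real decryptor would do.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define KEY_LEN 16  /* AES-128 key size in bytes */
#define IV_LEN  16  /* AES block size in bytes */

/* Simplified model of the flaw Bitdefender describes: key and IV are just
 * successive libc rand() outputs after srand() with one timestamp. This is
 * an assumption for illustration, not Linux.Encoder.1's real derivation. */
static void weak_key_iv(time_t seed, unsigned char key[KEY_LEN],
                        unsigned char iv[IV_LEN])
{
    srand((unsigned) seed);
    for (int i = 0; i < KEY_LEN; i++) key[i] = (unsigned char) rand();
    for (int i = 0; i < IV_LEN; i++)  iv[i]  = (unsigned char) rand();
}

/* Recover the seed knowing only an approximate encryption time (the file's
 * mtime): re-derive key/IV for each second in [approx-window, approx+window]
 * and compare with a key confirmed against a known-plaintext file (a real
 * decryptor would trial-decrypt that file's magic header instead).
 * Returns the seed, or (time_t)-1 if nothing in the window fits. */
static time_t recover_seed(time_t approx, int window,
                           const unsigned char known_key[KEY_LEN])
{
    unsigned char key[KEY_LEN], iv[IV_LEN];
    for (time_t s = approx - window; s <= approx + window; s++) {
        weak_key_iv(s, key, iv);
        if (memcmp(key, known_key, KEY_LEN) == 0) return s;
    }
    return (time_t) -1;
}

/* Search cost for the defender: 2*window+1 seeds, versus 2^128 for a real key. */
static long candidates(int window) { return 2L * window + 1; }

int main(void)
{
    time_t when = 1446966000;          /* constructed: the encryption moment */
    unsigned char key[KEY_LEN], iv[IV_LEN];
    weak_key_iv(when, key, iv);        /* what the model malware would produce */
    /* The victim only has the mtime, written shortly after encryption began. */
    time_t found = recover_seed(when + 90, 3600, key);
    printf("seed %s after at most %ld candidates\n",
           found == when ? "recovered" : "not found", candidates(3600));
    return 0;
}
```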
mindphlux posted:
hmmm wow I just hmmmmmm I mean go on wow this is so interesting tell me more

i love watching literal mongoloids post so thank you for this opportunity
# Nov 17, 2015 06:14
some shady poo poo coming out of the marketing world (again): Beware of ads that use inaudible sound to link your phone, TV, tablet, and PC
quote:
Cross-device tracking can also be performed through the use of ultrasonic inaudible sound beacons. Compared to probabilistic tracking through browser fingerprinting, the use of audio beacons is a more accurate way to track users across devices. The industry leader of cross-device tracking using audio beacons is SilverPush. When a user encounters a SilverPush advertiser on the web, the advertiser drops a cookie on the computer while also playing an ultrasonic audio through the use of the speakers on the computer or device. The inaudible code is recognized and received on the other smart device by the software development kit installed on it. SilverPush also embeds audio beacon signals into TV commercials which are "picked up silently by an app installed on a [device] (unknown to the user)." The audio beacon enables companies like SilverPush to know which ads the user saw, how long the user watched the ad before changing the channel, which kind of smart devices the individual uses, along with other information that adds to the profile of each user that is linked across devices.

some of the stuff that can be transmitted:
it can also trigger a recording as seen here
code:
RISCy Business fucked around with this message at 16:56 on Nov 17, 2015
# Nov 17, 2015 16:39
Stanley Pain posted:
How is it going to record that data on any of your devices though? You'd have to be stupid to install their software on your phone or am I missing something here and they're exploiting something?

yeah, it doesn't have to be THEIR app, just one utilizing their SDK. and what is pulled and sent is up to the whim of whoever runs that app. it would be possible to sniff out calls using wireshark if you're curious and think you may have such an app, since it seems a lot of them[citation needed] use the same url schema, you could use:
code:
http.request.method=="POST" and http.request.uri contains "/oapi/getAd"
# Nov 17, 2015 17:06
Antillie posted:
I thought this was a thread where we could discuss whether or not it should be best practice to disable TLS 1.0 on web servers that also support TLS_FALLBACK_SCSV. Or maybe what a good lifetime value would be for a HTTP Strict Transport Security header and the pros and cons of including the preload option in said header. But for some reason we are talking about a new form of advertising tracking that is supposedly only being used in India.

infosec is a much larger and broader topic than you think it is. it entails not only application and network security, but privacy, cryptography, anonymity, and more. stick around and you might learn something.

also: 3 keybase invites left, root[a]reverie.pw since i don't have plat anymore
RISCy Business fucked around with this message at 04:15 on Nov 21, 2015
# Nov 21, 2015 04:11
related to the recent dell stuff, i was just linked this: http://rol.im/dell/ arbitrary service tag disclosure via dell's "tribbles" software.
# Nov 24, 2015 20:14
also, seems that a new POS malware that is extremely sophisticated is making the rounds: https://thestack.com/security/2015/11/24/modpos-retail-malware-is-not-the-work-of-script-kiddies/
quote:
'ModPOS is highly modular and can be configured to target specific systems with components such as uploader/downloader, keylogger, POS RAM scraper and custom plugins for credential theft and other specialized functions like network reconnaissance. We believe other capabilities could also be leveraged. The modules are packed kernel drivers that use multiple methods of obfuscation and encryption to evade even the most sophisticated security controls.'
# Nov 24, 2015 20:26
i honestly don't know, that's kind of a weird setup since i'm used to people either encrypting everything or nothing. is this going to be for linux or something else?
# Nov 25, 2015 16:01
ok, i misread your post, sorry. i think you're overthinking this: you're better off using dm-crypt if you're on linux; as for windows/mac, i really don't know since i haven't really used encryption on either (don't own any macs and my gaming pc doesn't need to be encrypted)
# Nov 25, 2015 17:30
http://malwarefor.me/2015-12-01-angler-ek-sending-cryptowall/ angler ek + cryptowall info with pcaps and samples
# Dec 2, 2015 16:48
facebook refuses to pay out bug bounty based on arbitrary, unwritten rules: http://exfiltrated.com/research-Instagram-RCE.php
# Dec 17, 2015 23:14
Wiggly Wayne DDS posted:
have you been near a bug bounty in your life? the man went well beyond scope and is lucky he isn't in jail

considering he didn't touch any user data, only confirm he was able to pivot to a bucket containing user data, i'd say he was fairly safely within scope. now, if he had downloaded, altered, accessed or otherwise gotten at user data instead of just the bucket it was hosted on, then i'd agree with you, but it's pretty clear that he didn't. also, the timeline didn't load for me initially so i was unaware that he got paid, but i'd still say that what he found is deserving of a fair bit more than what he got
# Dec 18, 2015 00:21
http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554
also it turns out juniper hosed up and their netscreen vpn can potentially be MITM'd, at least that's what i'm gleaning from what i've seen so far
# Dec 18, 2015 00:27
Alereon posted:
I'm just gonna note that it's possible to disagree without being dicks to eachother, so let's all work on making this thread about security and not nerds arguing.

thanks

also thanks for the av babyface nerd, whoever it was
RISCy Business fucked around with this message at 16:13 on Dec 18, 2015
# Dec 18, 2015 15:50
personally i like keepass, i have it on a locally accessible windows fileshare so i can copy it to my laptop and other devices when i update it
# Dec 23, 2015 20:38
Researchers investigate North Korea's Red Star OS 3 and the presentation from 32c3: https://www.youtube.com/watch?v=KTBemKiSgWI
# Dec 28, 2015 18:52
MrMoo posted:
There is a pretty awful Cisco appliance that has a SSL portal that works like this.

can confirm that it's awful, we have one in place where i work now. i hate it.
# Feb 18, 2016 09:56
also, there's a new bug. in glibc. http://www.zdnet.com/article/patch-linux-now-google-red-hat-warn-over-critical-glibc-bug/
quote:
Google and Red Hat have linked up to deliver a patch for a serious bug in the GNU C Library, or glibc, which is widely used in Linux applications, distributions and devices.
# Feb 18, 2016 09:59
Paul MaudDib posted:
Way to beg the question. In the real world,

oh man
# May 1, 2016 06:38
Paul MaudDib posted:
One rule will never catch 99.9% of anything. You're an idiot who's trying to score points by making an impossible request.

i think you're entirely missing the point here
# May 1, 2016 06:46
Mustache Ride posted:
Jesus tapdancing christ, why is everyone so loving angry in these threads?

because if you get called out on being wrong about a thing you shouldn't double down on being wrong
# May 1, 2016 07:18
Mustache Ride posted:
Thats not a good reason to be angry. Soon you'll only be left arguing with yourself about how good you are at masturbating about security.

you had me at "masturbating"
# May 1, 2016 08:09
Paul MaudDib posted:
If they have professional experience, why don't they do more than ask me how antivirus works?

because you obviously don't know how it actually works, and what actual detection rates in the real world for AV suites are. you were given a perfectly reasonable and accurate explanation by a person who, for all intents and purposes, is way smarter than you as to why AV is not the same line of defense it was 15 years ago, but you just kept doubling down on being wrong, and then got all pissy because he posts in YOSPOS. protip: it doesn't matter where the person who is calling you out on being wrong posts, because at the end of the day you're still loving wrong

Paul MaudDib posted:
Mmm, yes, Aunt Stupid installing gentoo. I'm sure she's gonna be A-OK with compiling kernels and portage and poo poo.

have you ever heard the word "hyperbole" or are you purposely being this stupid
# May 2, 2016 06:28
Paul MaudDib posted:
I actually don't have plat and can't look up where he posts. Unlike the guy from this thread who stalked my posts so he could argue with me in another forum. I just could tell because he's a shitposter.

quote:
All anti-virus products at their core operate the same and how they all update is as well. Anti-virus typically relies on signatures to know what is potentially malicious from what is not. However, this is its biggest flaw as those signatures can easily be thwarted by malware creators. As such, a determined attacker can easily create 2,000 different copies (in a single day no less) of the same malicious software and that may require the anti-virus vendor to create multiple signatures in order to successfully thwart it. The vendors know this and last year, Symantec admitted that at best they detect up to 45% of threats although there are suggestions that catching any new threats is at best 5% successful.

also he wasn't seriously suggesting you install gentoo for your aunt, you idiot. every single time you post in this thread you make an idiot out of yourself and i'm fairly certain that everyone is tired of it
# May 2, 2016 06:38
Paul MaudDib posted:
Did I misclick into YOSPOS or is this the serious forum for actual advice?

jesus christ how do you have such little self-awareness? how has it not occurred to you that maybe, just maybe the person you're arguing with is smarter than you, or at the very least knows a lot more about this poo poo than you do? at what point do you decide that maybe it's time to cut your losses, swallow your pride and just shut up? i guarantee you if you survey security professionals they'll tell you the exact same thing: AV is dead, and the focus has shifted to educating users on how to protect themselves against the myriad threats that they'll come across on a regular basis.
# May 2, 2016 06:47
Paul MaudDib posted:
Probably about the time you post an actual argument that isn't "trust me" or conspiracy theories or some clickbait poo poo.

nobody's posting conspiracy theories? where are you getting this?
# May 2, 2016 06:52
Paul MaudDib posted:
This is literally a conspiracy theory about antivirus. The NSA is not targeting you personally, that is not a realistic threat vector. If they do, there is absolutely nothing you can do to defend against it, they can absolutely deploy something on the level of Equation Group or (hypothetically) BadBios and you will never know it.

nobody ever said antivirus is poo poo because the NSA is loving with it. antivirus is poo poo because it's poo poo, and it can't detect poo poo

Paul MaudDib posted:
(not naming names but she's my GF)

why did you post this
# May 2, 2016 07:07
hey guys [shouting into next room] MY BOYFRIEND just got some adware on his laptop
# May 2, 2016 07:08
Wells posted:
my takeaway is that if you sell a product with the promise of security and it actually makes your computer less secure, it's not worth it if all it does is catch "the low hanging fruit". (if it even does that)

the vendor's literal job is to sell you a product, and they do that by giving you numbers that make you feel all warm and fuzzy but don't really have much of a basis in reality. if the vendor doesn't sell you a product, they don't get paid
# May 2, 2016 15:39
the focus has 100% shifted from recommending antivirus to recommending adblockers and the like because, as has been said over and over and over again, there's way too much poo poo for even the best antivirus to catch nowadays

"you are your own adversary" is completely true, the worst threat to your security is your own activities

AV will catch the relatively benign stuff, like adware, but the poo poo that you actually need to be concerned about is a whole hell of a lot harder to catch

i would recommend reading the talos blog (shameless plug) because there's a lot of insanely cool poo poo in there about how modern malware works, and the efforts to detect and block it
# May 2, 2016 15:46
apseudonym posted:
I'm not sure I'd go so far as to say that vulns are how malware get installed/executed. Often times it's us, the user, that executes the malware.

lack of education/awareness is a vulnerability by definition
# May 2, 2016 19:37
apseudonym posted:
If the security of your system depends on users (or IT admins or whatever) being smart and constantly vigilant about security then it is an unfixable system.

i never said that, all i said was that it is a vulnerability.
# May 2, 2016 21:10
Swagger Dagger posted:
I'm graduating from college in the fall with a BS in Computer Science, any tips on getting a job in the infosec industry? I'd rather be on the blue team/admin side of things but I'm kinda worried that I'll be job hunting and end up in something akin to a basic tech support job, and I've spent way too much time and money in college to really be able to afford that.

see if you have a local convention (bsides, for example). don't just be a fly on the wall, ask questions, no matter how dumb they may sound. figure out what you want to do and ask people in the industry the best way to get into it. in my experience, people in infosec love to help people trying to break into the industry.
# May 3, 2016 01:36
Mr Chips posted:
Is there anything more recent than Ormandy's 2012 stuff on Sophos being poo poo? Central IT at my workplace has a 'policy' that it has to be installed on all machines (including RHEL machines) and having it sitting there taking up 200+ Mbytes x 2000 VMs seems like a waste of resources.

i can probably guarantee you that they won't change the policy even if you gave them evidence that sophos is poo poo
# May 3, 2016 01:43
dpbjinc posted:
Seven million characteristics.

gee bill, your mom lets you have SEVEN million characteristics?!
# May 5, 2016 18:46
Mustache Ride posted:FireEye found your problem
# Jun 5, 2016 06:14
Subjunctive posted:FireEye sure didn't
# Jun 5, 2016 16:31