
Trabisnikof posted: Lol yes you only exploited 0-days when your clients said it was ok, but you're pretty sure none were bad guys

I mean she's Russian, so "found bugs and exploited them" probably means found bugs and wrote exploits that clients could use, so she is making more of an effort to filter out bad guys than Zerodium.

# ¿ Jan 8, 2017 03:42

yeah, I'm pretty sure it also sends back info on you, your shopping habits, the gender of your children, etc. before it pops a GUI.

# ¿ Jan 14, 2017 06:15

the mailbee feature was probably a client requirement: author was like "no, that's not secure", then client was like "I DEMAND IT", author was like "whatever, idiot, here you go, get hosed".

# ¿ Jan 24, 2017 15:37

Carbon Black is good software; I did bug bounty stuff for them. Would recommend. Not so sure about your privacy as an end user, but you should assume networking knows what you jack to.

# ¿ Feb 14, 2017 07:11

Has anyone looked into their native library yet? Exactly what address is it that they're finding via JS? From their videos that looks like a stack or library address; stack makes more sense because the data changes, but I'm not sure. If it is a stack location there's way less cause for concern than if they leaked an executable's ASLR slide. If it turns out they can only leak addresses for locations they can rapidly change the contents of, that's disappointing.

# ¿ Feb 15, 2017 18:24

pseudorandom name posted: ok, you're an idiot!

uhhhh, there's also families being called fileless because they persist entirely in registry keys, using PowerShell. This is what the recent wave of news spam using the term has been about...

# ¿ Feb 17, 2017 07:00

hey, has anyone used Splunk's universal forwarder as an alternative to expensive endpoint security poo poo (Carbon Black)? It says it can log new processes, services, logins, run keys, etc., which is probably enough to detect if an endpoint got owned. Is this good enough? Budget is $0, and there's like no trail for these things in the corporation at present.

The only other things I can think to do are run LimaCharlie or Eljefe on hosts, and that would only serve to tell us they did double-click the exe they downloaded, or the webapp on this server was popped because a process spawned as a child of php-fpm. It would also serve to make another server exist, to promptly break when I'm not there to babysit the company in a few months... idk how robust those are.

# ¿ Feb 26, 2017 06:43

uncurable mlady posted: have fun with your 500MB/day ingestion limit!

geez, yeah, I wonder how much I could tune it down to ingest and still be useful in this ~1200 person company. Why does security have to be expensive? I think it's impossible to save companies that won't spend money on it.

# ¿ Feb 26, 2017 07:07

OSI bean dip posted: then again nothing generally works out of the box at $0 anyway

yeah, I've got to get them set up with an ELK stack until their permanent engineers can grab a better Splunk license. WEF is a great tip; I think that'll be really useful for when they need to do IR again. Hopefully I can use one DB for WEF and point multiple things at it (Google Timesketch, Kibana, etc.). osquery is cool, but none of the security dudes at this co can program for poo poo, so I was swerving it. bro-osquery like you linked looks like the automation/collection layer I was missing for osquery, which is awesome! I'll check out how much pain is involved.

# ¿ Feb 27, 2017 13:07

spankmeister posted: https://ictf.cs.ucsb.edu/pages/the-2016-2017-ictf-ddos.html there is a sec thread poster on that team

it's ok friend, iCTF is the shittiest CTF, I agree

# ¿ Apr 4, 2017 13:25

spankmeister posted: It's a pretty lovely way to cheat and they didn't even win because of it lmao.

In a competition like iCTF a 1% difference is wholly attributable to being unlucky with their poo poo garbage infrastructure not scoring correctly one or two times. It was a decent gamble; I wouldn't have thought their whole system was going to poo poo the bed just because you're doing under 100k connections either.

e: also, if you're not first you're last, p much no other place matters

Daman fucked around with this message at 15:32 on Apr 4, 2017

# ¿ Apr 4, 2017 15:22

Cocoa Crispies posted: so… y'all broke the rules because you didn't think you'd be caught, and then sent a million emails protesting that you didn't break the rules enough

not a Russian. iCTF has always been garbage run by academic sperglords. You only have it as a DC qual because it's like the only A/D CTF regardless of quality. Last year they literally made everyone write their own challenges, lmbo.

# ¿ Apr 5, 2017 14:51

rjmccall posted: llvm does a lot of implicit constant folding even at -O0

When you're writing an obfuscation pass it's run last using opt... there isn't any constant folding past that, is there? The only part of the LLVM chain left is the export of bitcode to whatever backend, which... doesn't really contain any optimization other than grouping multiple IR instructions into one emitted instruction. Right? lmk if I missed a part.

# ¿ Apr 23, 2017 04:29

Subjunctive posted: I think the point is that the constants you're looking for may be folded before the obfuscation pass can see them.

Well, mov reg, constant can't really get folded out of every situation. It'll still occur plenty. mov reg, constant; xor reg, imm; is a constant expression you'd see trivially folded. So, curious if OP knows more.

Daman fucked around with this message at 07:02 on Apr 23, 2017

# ¿ Apr 23, 2017 06:49

so, that guy's funny, but here's some quotes from the one guy responding to them in that channel.

quote: <Bitweasil> warrshrike, right. So. Quit video games if you want to get good at stuff.

never stop being horrible, security community

# ¿ Apr 27, 2017 00:01

Does anyone know the process to get AV companies to care about some malware? Doing IR for this hopeless company that got hosed by a certain nation state; they had like four different implants, only one of which is being detected by like 6 on VirusTotal. The rest are totally not detected, but these binaries are not even obfuscated. Lots of strings and debug strings. That one is a Remexi implant; Symantec did a writeup on Remexi, wrote a report with YARA signatures. Symantec Endpoint Protection, installed on all of their hosts, failed to detect it. Like, one of these hits Google Drive and calls CreateProcess after downloading whatever new poo poo. How is there not a heuristic "Internet connectivity, and then this process spawned cmd.exe as a child"! AV is loving worthless. But there's got to be some way to get Symantec to trigger on these samples at least, right?

# ¿ May 10, 2017 13:45

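The two heuristics raised in this thread, the earlier "process spawned as a child of php-fpm" and the "Internet connectivity, and then this process spawned cmd.exe as a child" rule above, as an added example that is not code from the thread, from Splunk, Sysmon, or any AV vendor: a small Python process-lineage detector replayed over a constructed event feed. The key=value line format is an invented flattening of Sysmon-style ProcessCreate / NetworkConnect fields, not any real product's output, and the host names, PIDs, paths, destinations and rule names are made up.

```python
"""Parent/child process heuristics over a constructed endpoint event feed.

The event format is an invented key=value flattening of Sysmon-style
ProcessCreate / NetworkConnect fields (not Sysmon's or Splunk's real format).
Host names, PIDs, paths and rule names are assumptions for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample, not real telemetry. ws1 is a Windows box carrying an
# unobfuscated implant masquerading as svchost.exe; web1 is a Linux web host.
SAMPLE_LOG = r"""
ts=1 host=ws1 type=ProcessCreate pid=100 ppid=1 image=C:\Windows\explorer.exe
ts=2 host=ws1 type=ProcessCreate pid=200 ppid=100 image=C:\Users\bob\AppData\Roaming\svchost.exe
ts=3 host=ws1 type=NetworkConnect pid=200 dest=drive.google.com:443
ts=4 host=ws1 type=ProcessCreate pid=201 ppid=200 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c whoami"
ts=5 host=ws1 type=ProcessCreate pid=202 ppid=201 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -enc AAAA"
ts=6 host=ws1 type=ProcessCreate pid=300 ppid=100 image="C:\Program Files\Mozilla Firefox\firefox.exe"
ts=7 host=ws1 type=NetworkConnect pid=300 dest=example.org:443
ts=8 host=ws1 type=ProcessCreate pid=500 ppid=100 image=C:\Windows\System32\cmd.exe
ts=9 host=ws1 type=ProcessCreate pid=700 ppid=100 image="C:\Program Files\Vendor\updater.exe"
ts=10 host=ws1 type=ProcessCreate pid=701 ppid=700 image=C:\Windows\System32\cmd.exe
ts=11 host=ws1 type=NetworkConnect pid=700 dest=updates.vendor.example:443
ts=12 host=web1 type=ProcessCreate pid=400 ppid=1 image=/usr/sbin/php-fpm
ts=13 host=web1 type=ProcessCreate pid=401 ppid=400 image=/bin/sh cmdline="sh -c id"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "sh", "bash", "dash"}
WEB_WORKERS = {"php-fpm", "php-cgi", "httpd", "apache2", "nginx", "w3wp.exe"}
MAX_DEPTH = 4  # how far up the tree rule 1 looks for the networked ancestor


def parse_line(line: str) -> dict[str, str]:
    """key=value pairs; values may be double-quoted to allow spaces."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


@dataclass
class Proc:
    host: str
    pid: int
    ppid: int
    image: str
    cmdline: str
    created: int
    dests: list[str] = field(default_factory=list)  # outbound connections seen so far

    @property
    def name(self) -> str:
        return self.image.replace("\\", "/").rsplit("/", 1)[-1].lower()


@dataclass
class Finding:
    rule: str
    ts: int
    host: str
    pid: int
    detail: str


class LineageDetector:
    """Replays events in order and keeps a per-host process table."""

    def __init__(self) -> None:
        self.procs: dict[tuple[str, int], Proc] = {}
        self.findings: list[Finding] = []

    def ancestors(self, p: Proc, max_depth: int = MAX_DEPTH):
        cur = p
        for _ in range(max_depth):
            parent = self.procs.get((cur.host, cur.ppid))
            if parent is None:
                return
            yield parent
            cur = parent

    def feed(self, line: str) -> None:
        ev = parse_line(line)
        if not ev:
            return
        host, pid, ts = ev["host"], int(ev["pid"]), int(ev["ts"])
        if ev["type"] == "NetworkConnect":
            proc = self.procs.get((host, pid))
            if proc is not None:
                proc.dests.append(ev.get("dest", "?"))
        elif ev["type"] == "ProcessCreate":
            proc = Proc(host, pid, int(ev["ppid"]), ev["image"], ev.get("cmdline", ""), ts)
            self.procs[(host, pid)] = proc
            self._check(proc)

    def _check(self, p: Proc) -> None:
        # Rule 1: a shell spawned under a process that already talked to the
        # network. dests is only filled by earlier events, so the "connect,
        # then spawn" ordering is implicit; a parent that connects later is not hit.
        if p.name in SHELLS:
            for anc in self.ancestors(p):
                if anc.dests:
                    self.findings.append(Finding(
                        "net_then_shell", p.created, p.host, p.pid,
                        f"{p.name} under {anc.name} (pid {anc.pid}) after connection to {anc.dests[-1]}"))
                    break
        # Rule 2: a web server worker spawning anything but another worker
        # (the php-fpm -> sh pattern of a popped web app).
        parent = self.procs.get((p.host, p.ppid))
        if parent is not None and parent.name in WEB_WORKERS and p.name not in WEB_WORKERS:
            self.findings.append(Finding(
                "webserver_child", p.created, p.host, p.pid,
                f"{parent.name} (pid {parent.pid}) spawned {p.name}: {p.cmdline or p.image}"))


def scan(log: str) -> list[Finding]:
    det = LineageDetector()
    for line in log.splitlines():
        det.feed(line)
    return det.findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.rule}] ts={f.ts} {f.host} pid={f.pid}: {f.detail}")
```

On the constructed feed this flags the cmd.exe and the powershell.exe descended from the implant (rule 1 walks up to MAX_DEPTH ancestors, so a shell two hops below the networked process still hits) and the sh under php-fpm, while the updater's cmd.exe is not flagged because the updater only connects after the spawn, and cmd.exe under explorer.exe is plain user activity. Two caveats for running anything like this on real forwarder data: key processes by the telemetry's process GUID rather than PID, since PIDs are reused, and expect rule 1 to need an allowlist (browsers, updaters and installers legitimately connect and then spawn shells), which is exactly the tuning work a $0 budget leaves to you.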
I would think Symantec probably takes ages to detect new stuff from feeds; there's gotta be some high priority channel...

# ¿ May 10, 2017 13:54

bicycle posted: this is loving gross and makes me mad - malwaretech repeatedly asked to be anonymous and although right now this malware looks to be hacked together and vaguely skiddish it could just as easily have been a serious gang with nothing against causing this guy damage

If he didn't know his handle was doxxable he's an idiot practicing bad opsec. If some poo poo journalist can do it, anyone can. Good thing he was made aware of it? So he can gently caress with malware gangs on an alias that won't get him assassinated. Or take the full Brian Krebs route.

# ¿ May 16, 2017 00:41

so what is TSB trying to do?

they're not trying to make money, they would just sell individual exploits.
they're not trying to cause chaos, they wait for patches.
they're not trying to embarrass the US govt, they'd just post how easy it was to own them for that, or at least there'd be more fuckery than a tool dump.

are they just in it for the meme fame?

# ¿ May 16, 2017 08:19

how can MsMpEng not be sandboxed? like, what? They rolled it in as a standard component. They're even sandboxing dangerous kernel areas now. Did someone just forget all this weird AV poo poo?

# ¿ May 26, 2017 05:56

ate all the Oreos posted: e: just saw this winner on their homepage

oh boy, I can post about them. They're a fresh-grad mill where people leave after a year unless they're a specific kind of person: the kind of person that really enjoys pseudo-military-style management. This one partner-level guy has a huge, huge military fetish. The incompetence, the temperament, it's all there!! People jokingly call him "major". Your performance in the company is really only based on certifications and time spent. The listing is correct: no security experience required. That matches the skill level of people at all levels in that company. Plus the main office is Tampa, Florida. Bad.

Daman fucked around with this message at 02:54 on Jun 10, 2017

# ¿ Jun 10, 2017 02:45

ate all the Oreos posted: yeah that sucks though i'm already kinda living in tampa

BSides Tampa is a good place 2 look if you want an entry-level jobbo from doing regular IT. None of the other vendors that were there last year were awful companies, I think. GuidePoint is an example of a good consultancy that was heavily involved in BSides cuz they have a big office in Tampa. But I am just a self-hating Floridian.

# ¿ Jun 11, 2017 04:48

leper khan posted: I just bought binja; does anyone know a good resource of crackmes to get better at reversing?

These reversing challenges have pretty much everything you'd expect from a crackme: https://github.com/ctfs/write-ups-2016/search?utf8=%E2%9C%93&q=reversing&type=

Also this is going on right now, but it's not really 100% just pure reverse engineering in binja: LabyREnth.com

# ¿ Jun 15, 2017 03:29

it's apparently lame as gently caress; not really the same as the old 2k core source leak, it's some API set and other poo poo leak.

# ¿ Jun 23, 2017 23:55

e_vestigate / the Twitter account replying to Nikita is a troll account tho, it's not really him.

# ¿ Jun 26, 2017 13:54