hello friends

# Jun 26, 2017 23:08

Lain Iwakura posted: No Defcon for me this year but likely next.

Same

# Jun 27, 2017 08:10

I hope this one comes in via email and then spreads internally

# Jun 27, 2017 16:03

Wiggly Wayne DDS posted: i saw talk of email spreading petya earlier before eternalblue got mentioned so i'd expect that amongst other spreading mechanisms

good, gooood because that was wannacry's greatest flaw imo, it would _only_ spread through eternalblue

# Jun 27, 2017 16:05

Shifty Pony posted: it also would fail to properly execute on XP, causing the computer to blue screen instead of becoming encrypted.

It wasn't even meant to be a kill switch, we got really lucky with that one

# Jun 27, 2017 17:13

Jabor posted: poorly-conceived anti-analysis tech was the prevailing assumption afaik.

This. What they did was use a single, hard-coded, unregistered domain to check if the sample is running in a sandbox. It was then trivial to register that domain. The guy (MalwareTech) didn't even know the malware would stop working if the domain were registered. He just thought he was sinkholing it. Now, to do this properly you should use domains that are randomly-generated on the spot and not beforehand, and you query several so you can recover from a false positive if a random domain happens to be registered.

# Jun 27, 2017 17:54

Migishu posted: Looking forward to the Wiggly Wayne DDS overview of Defcon videos

not going this year so

# Jun 27, 2017 18:01

Wiggly Wayne DDS posted: eh i never do defcon (nor ever have), rarely anything of value. based on their speaker page for this year there's only a handful of interesting talks, and even then it's just further details of public research (sha-1 collision)

You don't go to def con for the talks tbqh

# Jun 27, 2017 18:23

https://steemit.com/shadowbrokers/@theshadowbrokers/theshadowbrokers-monthly-dump-service-july-2017 posted: TheShadowBrokers is having special invitation message for “doctor” person theshadowbrokers is meeting on Twitter. “Doctor” person is writing ugly tweets to theshadowbrokers not unusual but “doctor” person is living in Hawaii and is sounding knowledgeable about theequationgroup. Then “doctor” person is deleting ugly tweets, maybe too much drinking and tweeting? Is very strange, so theshadowbrokers is doing some digging. TheShadowBrokers is thinking “doctor” person is former EquationGroup developer who built many tools and hacked organization in China. TheShadowBrokers is thinking “doctor” person is co-founder of new security company and is having much venture capital. TheShadowBrokers is hoping “doctor” person is deciding to subscribe to dump service in July. If theshadowbrokers is not seeing subscription payment with corporate email address of doctor@newsecuritycompany.com then theshadowbrokers might be taking tweets personally and dumping data of “doctor” persons hacks of China with real id and security company name. TheShadowBrokers is thinking this outcome may be having negative financial impact on new security companies international sales, so hoping “doctor” person and security company is making smart choice and subscribe. But is being “doctor” persons choice. Is not being smart choice to be making ugly tweets with enough personal information to DOX self AND being former equation group AND being co-founder of security company.

Straight up blackmail lmao

# Jun 28, 2017 11:55

Much is unclear right now, but imo it's clear that it was targeted against Ukraine. Hmm who would want to do such a thing?

# Jun 28, 2017 12:25

infernal machines posted: a breathless and poorly written piece on the petya variant that hit recently

Malware Tech refutes this: https://www.malwaretech.com/2017/06/petya-ransomware-attack-whats-known.html The fact remains that the installation ID is generated randomly though. https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/ I've looked at some samples today and the code does seem to support the theory, too early to tell though.

# Jun 29, 2017 11:54

I agree with both of you. To me it's abundantly clear what the purpose of this malware is.

# Jun 29, 2017 13:20

cinci zoo sniper posted: that i kinda assumed it's russians just ukraining it away, i more thought some specific computer level macro objectives petya had that spankmeister may have implied

The initial infection vector is from a Ukrainian company that makes tax return software. This company was hacked and made to push a malicious update to its users. A lot of businesses and government in Ukraine and businesses that deal with Ukraine use this software because it's one of the few that's allowed for use by the government. So that makes it clear that Ukraine was the target.

Now the malware itself looks like a variant of Petya, which is an existing ransomware family. This is a false flag, smoke and mirrors. Why? Because there is no way of getting your files decrypted. This is because it generates a unique "Installation ID" which you're supposed to send along with your bitcoin wallet address that you made the payment from to an email address. They use a single hardcoded bitcoin wallet for every infection. This method requires manual verification and is completely ludicrous for a malware that has such aggressive spreading methods. Modern ransomware uses a more sophisticated backend that generates a unique bitcoin wallet for each infection which allows payments to be automatically verified over a tor backend.

Stupid verification method aside, the installation ID is completely random. There is _no_ way to link this ID to a specific infection. The malware authors cannot determine which key it belongs to. So there is no chance of this ever working as a "legitimate" ransomware. And like Wiggly Wayne DDS said, Petya was a perfectly functional ransomware, there was no reason to make the changes that they did.

# Jun 29, 2017 15:24

Cocoa Crispies posted: so wait was there a new legit ransomware attack this week or is petya older and just the non-ransomware targeted at ukraine is new?

Petya is an older ransomware. The attack on Ukraine uses malware based heavily on Petya but it's not legit ransomware, it amounts to a wiper. There was also a campaign with Loki making the rounds this week which caused some confusion but it's unrelated.

# Jun 29, 2017 21:46

Wiggly Wayne DDS posted: they're getting better at this: https://steemit.com/shadowbrokers/@theshadowbrokers/response-to-response-to-doxing

wow, someone at fujitsu knows how to use nmap such cyber

# Jun 30, 2017 14:10

fins posted: https://iss.oy.ne.ro/Shattered

Is it those Israeli stunt hacking guys?

# Jul 1, 2017 23:35

ate all the Oreos posted: "hospital" and "end of life" in the same sentence

The death panels are real!

# Jul 3, 2017 10:39

Hmm slight chance I might be going to def con after all

# Jul 3, 2017 10:52

Subjunctive posted: I only do palliative software maintenance

As a Mozilla dev I,

# Jul 3, 2017 23:06

working in the government space has taught me to just embrace cyber because then people will at least have a vague idea of what you're talking about

# Jul 3, 2017 23:12

Wish your posting rig would self destruct

# Jul 3, 2017 23:18

Wiggly Wayne DDS posted: cyber was definitely used by itself for years before then

# Jul 4, 2017 10:13

It's pretty clever imo. I think we're going to see a shadowbrokers / guccifer 2.0 style disinformation campaign...

# Jul 5, 2017 00:06

here's a video of the police raid on MEDoc, the company that (likely unwittingly) spread the NotPetya malware https://www.youtube.com/watch?v=TY5f2fmwcDE

# Jul 5, 2017 15:35

BangersInMyKnickers posted: I'm going over the OpenSSL docs to review their cipher support (schannel/openssl configbomb incoming) and there are some PSK suites that have name strings that I am having a hard time parsing

They do, it's PSK, i.e. a pre-shared key. Meaning you share the AES key offline beforehand.

# Jul 6, 2017 16:24

BangersInMyKnickers posted: So with the RSA/DH PSK variants are you pre-sharing the asymm keys and then letting it negotiate the sym key from there while PSK_WITH_AES_256_GCM_SHA384 just pre-shares the symm key? I am concerned that the non-RSA/DH ciphers are doing something similar to these garbage anon suites though maybe that doesn't matter if you are assuming the out of band exchange was secure.

The DHE ones use a pre-shared key to authenticate the DH key exchange. Because as you probably know DH does not offer authentication, only key exchange.

# Jul 6, 2017 20:06

https://en.m.wikipedia.org/wiki/TLS-PSK

# Jul 6, 2017 20:07

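The DHE-PSK point made above (the pre-shared key authenticates an otherwise unauthenticated DH exchange), as an added example that is not code from the thread: a simplified Python model of the RFC 4279 premaster-secret layout over a toy DH group, with an HMAC standing in for the TLS PRF. It shows that an in-path attacker who substitutes DH values ends up sharing the client's key only when no PSK is in play, which is the anonymous-suite case the question above worries about; the group, transcript and key-derivation shortcuts are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only: the Mersenne
# prime 2^127 - 1 with generator 3 is far too small for real use.
P = (1 << 127) - 1
G = 3
ZLEN = (P.bit_length() + 7) // 8

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dhe_psk_premaster(z: int, psk: bytes) -> bytes:
    # RFC 4279 section 3 layout: len(Z) || Z || len(PSK) || PSK, where Z is the
    # DH shared secret. Knowing Z alone is not enough to form the secret.
    zb = z.to_bytes(ZLEN, "big")
    return ZLEN.to_bytes(2, "big") + zb + len(psk).to_bytes(2, "big") + psk

def session_key(priv, peer_pub, transcript, psk):
    # HMAC over the handshake transcript stands in for the TLS PRF (simplified).
    z = pow(peer_pub, priv, P)
    return hmac.new(dhe_psk_premaster(z, psk), transcript, hashlib.sha256).digest()

def transcript(client_pub, server_pub):
    return client_pub.to_bytes(ZLEN, "big") + server_pub.to_bytes(ZLEN, "big")

def handshake(psk: bytes, mitm: bool) -> dict:
    # Keys each party derives; an empty psk models an anonymous DH suite. The
    # attacker never knows psk, so its impersonation of the server uses b"".
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()  # in-path attacker's own DH pair
    client_sees = m_pub if mitm else s_pub  # "server" value the client receives
    server_sees = m_pub if mitm else c_pub  # "client" value the server receives
    return {
        "client": session_key(c_priv, client_sees, transcript(c_pub, client_sees), psk),
        "server": session_key(s_priv, server_sees, transcript(server_sees, s_pub), psk),
        "attacker": session_key(m_priv, c_pub, transcript(c_pub, m_pub), b""),
    }

def peers_agree(psk: bytes, mitm: bool) -> bool:
    keys = handshake(psk, mitm)
    return keys["client"] == keys["server"]

def mitm_succeeds(psk: bytes) -> bool:
    keys = handshake(psk, mitm=True)
    return keys["attacker"] == keys["client"]
```

With a real PSK the client and server still disagree under interception, which is exactly what makes the Finished check fail and the attacker's substitution detectable.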
Number19 posted: any bets on what type of software this one's in?

That's a strange guess, what makes you say that?

# Jul 7, 2017 00:11

I don't know if this user1 has any infosec knowledge or anything but it seems to me they don't actually know what an 0day is. 0day is becoming one of those terms that gets thrown around without people knowing what it really means, just yesterday I was talking to some non-techies about wannacry and nyetya and one of them thought an 0day was a backdoor and persistence mechanism.

# Jul 7, 2017 07:54

https://www.youtube.com/watch?v=u7ERHEJLmWc

# Jul 8, 2017 08:13

I use antifa on all my accounts

# Jul 9, 2017 09:56

Beverly hills nine zero two one zero

# Jul 9, 2017 12:45

By the way the plural is zeroes day

# Jul 9, 2017 12:47

I'm not going this year

# Jul 9, 2017 20:31

lmfao if you use computers at all imo

# Jul 10, 2017 12:10

WAR DOGS OF SOCHI posted: i saw that the petya decryption key was released just the other day

A few things are in play here:

The recent attack on Ukraine was performed using a modified version of Petya, known as NotPetya, ExPetya, Nyetya etc. Modifications included the delivery method (EternalBlue and Powershell/WMI) and a hastily-implemented payment mechanism which didn't work. These modifications were done without having access to the original source code. I.e. likely not by the original authors of Petya.

"Janus", the original author of Petya, contacted Hasherezade, a malware researcher, and gave her the master key for the previous versions of Petya. I.e. the OG ransomware version, not the one used in the attacks. This key cannot be used to decrypt NotPetya.

Now, the Petya family of ransomware can work in two modes: If it has no administrator privileges it encrypts the files on the machine with the current user credentials using AES. If it _does_ have admin, it will write a new bootloader to the MBR that will encrypt the entire drive using Salsa20.

Most recently it became known that certain errors were made in the implementation of said Salsa20 encryption, possibly allowing for the decryption of files. You can read about this recent development here: http://blog.ptsecurity.com/2017/07/recovering-data-from-disk-encrypted-by.html

# Jul 10, 2017 19:41

BangersInMyKnickers posted: Yeah, I will look in to it this week

Oh I've been meaning to ask you why you chose the ecc curve order that you did.

# Jul 11, 2017 06:16

He registered a company in that name to get the code signing cert lmfao

# Jul 11, 2017 13:20

BangersInMyKnickers posted: Anything in particular? I lean to the NIST curves over Brainpool because I feel they are more heavily vetted (and I am a CIA plant). 25519 is young but under a lot of review, with a strength roughly equivalent to P256 so it goes in the middle.

Thanks. Nothing in particular, just wanted to know your reasoning. Some of the curves are unsafe according to djb et al: https://safecurves.cr.yp.to/ But I don't know enough about ecc to really understand the implications of "unsafe" curves.

# Jul 11, 2017 18:16

I went to this crypto museum last year and they had a large collection of enigmas and we weren't supposed to touch it but I couldn't help myself. It's a very satisfying machine.

# Jul 13, 2017 11:26