Popular Content

Showing content with the highest reputation since 07/19/2019 in Posts

  1. 9 points
    Hi, I'm Kevin. I am currently the Security Operations Centre Manager at a company in Manchester. I started my career back in the late 90s, and was a founding member of the Teenage Mutant Hero Turtles fan club, Laceby Village, Grimsby, North East Lincolnshire division. I haven't not had a job since then thankfully, and I've had the pleasure to work for four big companies doing big security, usually on a small budget. I love security, probably because it's the black and white TV era - it's new, it's not fully formed, there's a lot to learn and a lot to create as the industry isn't very mature still. It's also mildly terrifying because of those things.
  2. 5 points
    My favorite is still this one: I disclosed a number of vulns, including their private keys to the production environment and an exposed vulnerable router via SSRF. "Thanks, but why?"
  3. 4 points
    This just about covers every single frikkin aspect of IT & InfoSec Operations Management .........
  4. 2 points
    Assuming you encourage your users to report suspected phish, how do you handle it after they report? Some of the things I do... Determine whether it is truly a phish, or spam, or legit business use. If phish, block email address at global perimeter and thank user for reporting. If spam, let user know that although unsolicited (assuming this since they reported it in the first place), the email appears to be a legit service/offering. I then attach a doc which shows them how to block the address in their personal quarantine, if they wish. I prefer this method rather than encouraging them to use the unsubscribe option in the email itself, due to the potential of that being the point of the attack. I always thank the user for submitting/reporting in any case, to build a healthy relationship between security/users. Sure, this leads to a select few users being 'report-happy', but so far it is manageable, and preferred. Curious what others are doing. Also, outside of the perimeter services/heuristics, is anyone using anything like PhishTank? https://www.phishtank.com
  5. 2 points
    I'm going to differ here from a lot of the opinions posted: as someone who's been heavily involved in the offensive realm for a long time now, modern EDRs like CrowdStrike and Carbon Black are annoying as hell to me when I want to be evil. As a defender, they are damn good as they force me and others to make noise, and we hate noise as noise makes you know we are around. Sure, the early ones were signature-based, did really stupid things to their agents that made it trivial to disable, performed sneaky process hollowing tricks to stop you seeing me and so many others, but that isn't the case much today. I don't see them as a box ticking exercise, not at all, whilst they still have a lot to do. I'm glad I'm not a pentester anymore 😉
  6. 2 points
    Reporting patch data has levelled up my Excel skills dramatically over the years. Now we use Power BI. (Ideally, I think patching teams should have some responsibility/capability to show effectiveness metrics, and security should be focused on finding the outliers </Utopian ideals>)
  7. 2 points
    Or VirtualBox. OpenSecurity runs on a single server with 2gb of RAM btw and a crap processor.
  8. 2 points
    +1 for hunch.ly. Not only for SoMe, but all web investigations. Nice product, and great support from the devs.
  9. 2 points
    I suppose I'll share some fun stuff I've been playing with for a bit. ELF files are a lot of fun to mess with, and late last year I had figured out some techniques that led to the smallest possible 64 bit ELF, which is 84 bits. Since then I've been playing with it when I have time. I did a few write ups:
    https://medium.com/@dmxinajeansuit/elf-binary-mangling-part-1-concepts-e00cb1352301
    https://medium.com/@dmxinajeansuit/elf-binary-mangling-pt-2-golfin-7e5c82bb482c
    https://medium.com/@dmxinajeansuit/elf-binary-mangling-part-3-weaponization-6e11971108b3
    I did my best to spell out the thought process behind messing with binaries, all the way up to what appears to be a hypervisor level vuln that corrupts the VMCS in Xen. Affects AWS and a bunch of other platforms. I also collected some of the source files I've made here: https://github.com/netspooky/golfclub I am going to expand more in the future, but I try to make each source file as verbose as possible, to explain what purpose each individual byte serves. I'm really trying to encourage more people to play with this stuff, because it leads to some interesting results. Un-debuggable binaries that can break the tools that are attempting to parse them. If anyone has any questions feel free to get in touch!
  10. 2 points
    Yeah, it comes back to what people mean by EDR. EDR has become the new thing that vendors need to sell their product, as industry people are asking for it - but everybody means something different, it feels like. Sophos are a pretty good example of where it gets confusing. As a customer, you have:
    Sophos Endpoint - their main product until a few years ago
    Sophos Intercept X
    Sophos Intercept X Advanced
    Sophos Intercept X Advanced with EDR
    But when you've got to "Sophos Intercept X Advanced with EDR" (how is that a product name?!) it still doesn't include the EDR you're describing above, Kieran.
  11. 2 points
    I've published a new blog post highlighting that security isn't the only community that has macho elitists who like trying to put newcomers down but, if you can push past them, the community really is worth joining. https://digi.ninja/blog/entering_community.php
  12. 2 points
    https://www.fireeye.com/content/dam/collateral/en/rpt-apt41-2019.pdf Extra IOCs are welcomed. Also some heated discussions.
  13. 2 points
  14. 2 points
  15. 2 points
    https://github.com/nettitude/Prowl
    https://github.com/laramies/theHarvester
    https://github.com/TheHive-Project/Cortex
    https://vincentyiu.co.uk/red-team/reconaissance
    http://patrowl.io/
    https://www.spiderfoot.net/
  16. 2 points
    I like Cyber Warrior Princess for talky talk. https://www.owltail.com/podcasts/Xs5tV-Cyber-Warrior-Princess/
  17. 1 point
    New information has come to light: apparently, the March 2020 update will NOT change the default settings for LDAP connections, but another monthly security update will later this year. https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-march-update/ba-p/921536 ***NEW NOTE*** ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023 Windows Updates in March 2020 add new audit events, additional logging, and a remapping of Group Policy values that will enable hardening LDAP Channel Binding and LDAP Signing. The March 2020 updates do not make changes to LDAP signing or channel binding policies or their registry equivalent on new or existing domain controllers. A further future monthly update, anticipated for release in the second half of calendar year 2020, will enable LDAP signing and channel binding on domain controllers configured with default values for those settings. Administrators can prevent the feature update from making those changes either by enabling LDAP signing and channel binding NOW or by configuring non-default values prior to installing updates that enable LDAP signing and channel binding by default.
  18. 1 point
    hi, i'm gabs. i work as a security analyst and pentester. before that, i worked (and still continue to consult) in pharmaceutical/genetic science. i talk a lot about medical device security. i have a husky, he's the love of my life. i also like to powerlift and race cars. the end.
  19. 1 point
    On a note, if using our tool (FireEye linked above), make sure to keep updating as actors are actively trying to evade it.
  20. 1 point
    Thanks for this. Raised the flag 2-3 months back when ADV190023 first came out. I was wondering how we could go about investigating which appliances/systems would break after this update goes through and the default settings get changed. Looks like I'll be working on it right away.
  21. 1 point
  22. 1 point
  23. 1 point
  24. 1 point
    I've spent 1000s of hours in Ubuntu Server (and came out of a U18 shell to write this) but I always put Mint on desktops
  25. 1 point
    I have had instances where it does break functionality, but not often. The logs are pretty decent and it's pretty simple to see what is being blocked and then whitelist it. Also there is an option to temporarily disable Pi-Hole (well stop it from blocking lookups).
  26. 1 point
  27. 1 point
    There are many points that I can suggest: If you're looking for a way to identify and verify leakage of credentials, khast3x/h8mail already includes the APIs that you're talking about. A bit difficult to properly set up, but CIRCL/AIL-framework will help you identify the surface of the dark web. It automatically scrapes pastes from many sources to identify `.onion` addresses, and roughly scrapes each page again to find specified keywords. There is research about the "Digital Risk Protection" market by Forrester which will help find and compare each vendor on the market. Just had a small session with RecordedFuture a little while ago and found that it didn't find the same amount of leaked credentials based on email address compared to HaveIBeenPwned. So, you must request a PoC or trial if you need to know the true capabilities of the platform.
  28. 1 point
    Anyone else going ? https://www.cisosummit.co.uk/ think they can still take a few delegates
  29. 1 point
    getting offsec to accept me onto OSCE - such a mess these days think they've grown too big to actually care - CX!=VG
  30. 1 point
    It does strike me as very odd for a number of reasons. First, it shows how little people are actually poking at the very devices meant to protect them (fair play to the vendors here, they do make it hard to do this in some cases), and secondly how this seemingly has remained "undiscovered" for so long. It's no secret that anything protecting the perimeter has been massaged by those who dislike perimeters, and this is straight out of the OWASP Testing Guide 1.0 days in 2003. Here's hoping a lot more of us now really start ripping apart security appliances, as I'm sure this isn't a unique occurrence.
  31. 1 point
    I think TOTP is a great solution and I am baffled that Google and Twitter require SMS fallback for TOTP. They require you to enable SMS before TOTP and then they disable all 2FA if you remove your phone. I assume that the reasoning is, "We don't want to have to deal with every user that loses a phone". That's fair, but you wouldn't have that problem if you made it easier for users to back up the secret seed for the TOTP generation. Mandatory SMS fallback is both an invasion of your privacy and makes you vulnerable to SIM swapping.
  32. 1 point
    @MalwareTech's analysis of the patch is up: https://www.malwaretech.com/2019/08/dejablue-analyzing-a-rdp-heap-overflow.html lols
  33. 1 point
    remember these - https://github.com/certsocietegenerale/IRM/tree/master/EN
  34. 1 point
    I'll be there and not sitting at a stand for once, both 'yay' and 'oh...' See you there...
  35. 1 point
    Trying to put together a generic ransomware killchain with example TTPs and high- and low-fidelity detections for each phase in the chain. This is mostly to document all the good things we're doing wrt ransomware at my employer, and to justify deploying a few extra detections that got shot down in the past.
  36. 1 point
    I'm on a hunt to find the world's best Long Island Iced tea... It's a tough, thankless job but I struggle through it... Failing that a Whiskey Sour (with Egg white is a Boston Sour, fite me!) or an Old Fashioned I don't drink beer, so a regular drink would be Southern Comfort or Kraken rum with lemonade or something
  37. 1 point
    +1, Asset and Inventory management. It is surprising how late in your organization's security journey you realize that it should have been one of your early investments into security controls. Policies and procedures may not be the most undervalued security control, but could very well be the least invested in security control.
  38. 1 point
  39. 1 point
    NSM, VMP, Hardening endpoints, bringing webproxy inhouse, bringing email filtering inhouse, extending phishing reporting to IR and SOAR
  40. 1 point
    Hi everyone, I'm Josh, I currently work in Threat Intelligence/Malware analysis for a media organisation, moving to forensics in the coming months! Been doing this for five years now, after a short stint in physics at Uni and a lot of time spent building silly websites. Similar to Kev, I used to live near Grimsby, N.E. Lincs - have spent the past decade or so popping around the country!
  41. 1 point
    if the title is your thing you might like this work https://github.com/0xpwntester/CB-Threat-Hunting/tree/master/ATT%26CK
  42. 1 point
    Eventually you need to run a scream test anyway. Go for it. Tell them we said you could! 😎
  43. 1 point
    The site is just off the shelf stuff with minor tinkering. I like PHP though, I think it's pretty easy to pick up. It has a bad security reputation but you can harden it - e.g. here AppArmor is running on the webserver, and the PHP config disables unused and risky functions.
  44. 1 point
    There's a technical write-up on how they're doing it here: https://censoredplanet.org/kazakhstan The amusing part is it's pitched as preventing malware and fraud, but the list of censored sites is all stuff allowing communication interception and news site altering. Shocked!
  45. 1 point
    I am yuu. I run ThugCrowd and related community / projects. I'm super into low level stuff and playing around with various things. Glad to be here!
  46. 1 point
    Besides Google, Facebook has killed a lot of the tools that existed
  47. 1 point
    windows updates, host based firewalls, av, disabling macros, disabling shit like LLMNR/NETBIOS, using a jump box... all the boring easy (ok relatively easy) low cost shit that most orgs don't do! 🙂
  48. 1 point
    I won't be attending this year (work, DEFCON, and a hospital appointment for that morning has been thrust upon me by the NHS...) but my mother is going to be in attendance once again, and will be speaking this year! Please look after her and whatever ridiculous hat she brings.
  49. 1 point
    I like the layout and the look of this so far. Thanks for putting this together and exploring the idea around this! Greets everyone 😄
  50. 1 point
    I can confirm, Carl is able to invite people.