Popular Content

Showing content with the highest reputation since 07/19/2019 in all areas

  1. 9 points
    Hi, I'm Kevin. I am currently the Security Operations Centre Manager at a company in Manchester. I started my career back in the late 90s, and was a founding member of the Teenage Mutant Hero Turtles fan club, Laceby Village, Grimsby, North East Lincolnshire division. I haven't not had a job since then thankfully, and I've had the pleasure to work for four big companies doing big security, usually on a small budget. I love security, probably because it's the black and white TV era - it's new, it's not fully formed, there's a lot to learn and a lot to create as the industry isn't very mature still. It's also mildly terrifying because of those things.
  2. 5 points
    My favorite is still this one: I disclosed a number of vulns, including their private keys to the production environment and an exposed vulnerable router via SSRF. "Thanks, but why?"
  3. 5 points
  4. 4 points
    This just about covers every single frikkin aspect of IT & InfoSec Operations Management .........
  5. 3 points
    I've just released a new video Matthew Haynes and I put together on exposed RDP servers on the net and how we are seeing people get ransomwared via an initial RDP brute force or cred stuffing vector. Hopefully people find this useful, it's our first collaborative video and was a blast to make!
  6. 2 points
    Assuming you encourage your users to report suspected phish, how do you handle it after they report? Some of the things I do... Determine whether it is truly a phish, or spam, or legit business use. If phish, block email address at global perimeter and thank user for reporting. If spam, let user know that although unsolicited (assuming this since they reported it in the first place), the email appears to be a legit service/offering. I then attach a doc which shows them how to block the address in their personal quarantine, if they wish. I prefer this method rather than encouraging them to use the unsubscribe option in the email itself, due to the potential of that being the point of the attack. I always thank the user for submitting/reporting in any case, to build a healthy relationship between security/users. Sure, this leads to a select few users being 'report-happy', but so far it is manageable, and preferred. Curious what others are doing. Also, outside of the perimeter services/heuristics, is anyone using anything like PhishTank? https://www.phishtank.com
  7. 2 points
    I'm going to differ here from a lot of the opinions posted: as someone who's been heavily involved in the offensive realm for a long time now, modern EDRs like Crowdstrike and Carbon Black are annoying as hell to me when I want to be evil. As a defender, they are damn good as they force me and others to make noise, and we hate noise as noise makes you know we are around. Sure, the early ones were signature-based, did really stupid things to their agents that made it trivial to disable, performed sneaky process hollowing tricks to stop you seeing me and so many others, but that isn't the case much today. I don't see them as a box ticking exercise, not at all, whilst they still have a lot to do. I'm glad I'm not a pentester anymore 😉
  8. 2 points
    Reporting patch data has levelled up my Excel skills dramatically over the years. Now we use Power BI. (Ideally, I think patching teams should have some responsibility/capability to show effectiveness metrics, and security should be focused on finding the outliers </Utopian ideals>)
  9. 2 points
    Or VirtualBox. OpenSecurity runs on a single server with 2GB of RAM btw and a crap processor.
  10. 2 points
    @Ray Davidson Thanks for the Invite!
  11. 2 points
    +1 for hunch.ly. Not only for SoMe, but all web investigations. Nice product, and great support from the devs.
  12. 2 points
    I suppose I'll share some fun stuff I've been playing with for a bit. ELF files are a lot of fun to mess with, and late last year I had figured out some techniques that led to the smallest possible 64 bit ELF, which is 84 bits. Since then I've been playing with it when I have time. I did a few write ups: https://medium.com/@dmxinajeansuit/elf-binary-mangling-part-1-concepts-e00cb1352301 https://medium.com/@dmxinajeansuit/elf-binary-mangling-pt-2-golfin-7e5c82bb482c https://medium.com/@dmxinajeansuit/elf-binary-mangling-part-3-weaponization-6e11971108b3 I did my best to spell out the thought process behind messing with binaries, all the way up to what appears to be a hypervisor level vuln that corrupts the VMCS in Xen. Affects AWS and a bunch of other platforms. I also collected some of the source files I've made here: https://github.com/netspooky/golfclub I am going to expand more in the future, but I try to make each source file as verbose as possible, to explain what purpose each individual byte serves. I'm really trying to encourage more people to play with this stuff, because it leads to some interesting results. Un-debuggable binaries that can break the tools that are attempting to parse them. If anyone has any questions feel free to get in touch!
  13. 2 points
    Yeah, it comes back to what people mean by EDR. EDR has become the new thing that vendors need to sell their product, as industry people are asking for it - but everybody means something different, it feels like. Sophos are a pretty good example of where it gets confusing. As a customer, you have:
    - Sophos Endpoint - their main product until a few years ago
    - Sophos Intercept X
    - Sophos Intercept X Advanced
    - Sophos Intercept X Advanced with EDR
    But when you've got to "Sophos Intercept X Advanced with EDR" (how is that a product name?!) it still doesn't include the EDR you're describing above, Kieran.
  14. 2 points
    I've published a new blog post highlighting that security isn't the only community that has macho elitists who like trying to put newcomers down but, if you can push past them, the community really is worth joining. https://digi.ninja/blog/entering_community.php
  15. 2 points
    https://www.fireeye.com/content/dam/collateral/en/rpt-apt41-2019.pdf Extra IOCs are welcomed. Also some heated discussions.
  16. 2 points
  17. 2 points
  18. 2 points
    https://github.com/nettitude/Prowl https://github.com/laramies/theHarvester https://github.com/TheHive-Project/Cortex https://vincentyiu.co.uk/red-team/reconaissance http://patrowl.io/ https://www.spiderfoot.net/
  19. 1 point
    New information has come to light: apparently, the March 2020 update will NOT change the default settings for LDAP connections, but another monthly security update will later this year. https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-march-update/ba-p/921536 ***NEW NOTE*** ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023 Windows Updates in March 2020 add new audit events, additional logging, and a remapping of Group Policy values that will enable hardening LDAP Channel Binding and LDAP Signing. The March 2020 updates do not make changes to LDAP signing or channel binding policies or their registry equivalent on new or existing domain controllers. A further future monthly update, anticipated for release in the second half of calendar year 2020, will enable LDAP signing and channel binding on domain controllers configured with default values for those settings. Administrators can prevent the feature update from making those changes either by enabling LDAP signing and channel binding NOW or by configuring non-default values prior to installing updates that enable LDAP signing and channel binding by default.
  20. 1 point
    hi, i'm gabs. i work as a security analyst and pentester. before that, i worked (and still continue to consult) in pharmaceutical/genetic science. i talk a lot about medical device security. i have a husky, he's the love of my life. i also like to powerlift and race cars. the end.
  21. 1 point
    On a note, if using our tool (FireEye linked above), make sure to keep updating as actors are actively trying to evade it.
  22. 1 point
    Thanks for this. Raised the flag 2-3 months back when ADV190023 first came out. I was wondering how we could go about investigating which appliances/systems would break after this update goes through and the default settings get changed. Looks like I'll be working on it right away.
  23. 1 point
  24. 1 point
  25. 1 point
  26. 1 point
    I've spent 1000s of hours in Ubuntu Server (and came out of a U18 shell to write this) but I always put Mint on desktops.
  27. 1 point
    I have had instances where it does break functionality, but not often. The logs are pretty decent and it's pretty simple to see what is being blocked and then whitelist it. Also there is an option to temporarily disable Pi-Hole (well stop it from blocking lookups).
  28. 1 point
  29. 1 point
    There are many points that I can suggest: If you're looking for a way to identify and verify leakage of credentials, khast3x/h8mail already includes the APIs that you're talking about. A bit difficult to properly set up, but CIRCL/AIL-framework will help you identify the surface of the darkweb. It automatically scrapes pastes from many sources to identify `.onion` addresses, and roughly scrapes each page again to find specified keywords. There is a research report about the "Digital Risk Protection" market by Forrester which will help you find and compare each vendor on the market. Just had a small session with RecordedFuture a little while ago and found that it didn't find the same amount of leaked credentials based on email address compared to HaveIBeenPwned. So, you must request a PoC or trial if you need to know the true capabilities of the platform.
  30. 1 point
    Anyone else going? https://www.cisosummit.co.uk/ Think they can still take a few delegates.
  31. 1 point
    It does strike me as very odd for a number of reasons. First, it shows how little people are actually poking at the very devices meant to protect them (fair play to the vendors here, they do make it hard to do this in some cases) and secondly how this seemingly has remained "undiscovered" for so long. It's no secret that anything protecting the perimeter has been massaged by those who dislike perimeters, and this is straight out of the OWASP Testing Guide 1.0 days in 2003. Here's hoping a lot more of us now really start ripping apart security appliances, as I'm sure this isn't a unique occurrence.
  32. 1 point
    Thanks for the invite, James Mckinlay!
  33. 1 point
    @MalwareTech's analysis of the patch is up: https://www.malwaretech.com/2019/08/dejablue-analyzing-a-rdp-heap-overflow.html lols
  34. 1 point
    remember these - https://github.com/certsocietegenerale/IRM/tree/master/EN
  35. 1 point
    I'll be there and not sitting at a stand for once, both 'yay' and 'oh...' See you there...
  36. 1 point
    Trying to put together a generic ransomware killchain with example TTPs and high- and low-fidelity detections for each phase in the chain. This is mostly to document all the good things we're doing wrt ransomware at my employer, and to justify deploying a few extra detections that got shot down in the past.
  37. 1 point
    I'm on a hunt to find the world's best Long Island Iced tea... It's a tough, thankless job but I struggle through it... Failing that a Whiskey Sour (with Egg white is a Boston Sour, fite me!) or an Old Fashioned I don't drink beer, so a regular drink would be Southern Comfort or Kraken rum with lemonade or something
  38. 1 point
    +1, Asset and Inventory management. It is surprising how late in your organization's security journey you realize that it should have been one of your early investments into security controls. Policies and procedures may not be the most undervalued security control, but could very well be the least invested in security control.
  39. 1 point
  40. 1 point
    NSM, VMP, Hardening endpoints, bringing webproxy inhouse, bringing email filtering inhouse, extending phishing reporting to IR and SOAR
  41. 1 point
    Hi everyone, I'm Josh. I currently work in Threat Intelligence/Malware analysis for a media organisation, moving to forensics in the coming months! Been doing this for five years now, after a short stint in physics at Uni and a lot of time spent building silly websites. Similar to Kev, I used to live near Grimsby, N.E. Lincs - have spent the past decade or so popping around the country!
  42. 1 point
    If the title is your thing you might like this work: https://github.com/0xpwntester/CB-Threat-Hunting/tree/master/ATT%26CK
  43. 1 point
    The site is just off the shelf stuff with minor tinkering. I like PHP though, I think it's pretty easy to pick up. It has a bad security reputation but you can harden it - e.g. here AppArmor is running on the webserver, and the PHP config disables unused and risky functions.
  44. 1 point
    There's a technical write-up on how they're doing it here: https://censoredplanet.org/kazakhstan The amusing one is that it's pitched as preventing malware and fraud, but the list of censored sites is all stuff allowing communication interception and news site altering. Shocked!
  45. 1 point
    I am yuu. I run ThugCrowd and related community / projects. I'm super into low level stuff and playing around with various things. Glad to be here!
  46. 1 point
    Besides Google, Facebook has killed a lot of the tools that existed.
  47. 1 point
    windows updates, host based firewalls, av, disabling macros, disabling shit like LLMNR/NETBIOS, using a jump box... all the boring easy (ok relatively easy) low cost shit that most orgs don't do! 🙂
  48. 1 point
    I won't be attending this year (work, DEFCON, and a hospital appointment for that morning has been thrust upon me by the NHS...) but my mother is going to be in attendance once again, and will be speaking this year! Please look after her and whatever ridiculous hat she brings.
  49. 1 point
    I like the layout and the look of this so far. Thanks for putting this together and exploring the idea around this! Greets everyone 😄
  50. 1 point
    I can confirm, Carl is able to invite people.