cybersecurity


An umbrella community for all things cybersecurity / infosec. News, research, and questions are all welcome!


founded 2 years ago
751
28
submitted 2 years ago* (last edited 2 years ago) by tedu@azorius.net to c/cybersecurity
 
 

It was obvious already before that NVD really does not try very hard to actually understand or figure out the problem they grade. In this case it is quite impossible for me to understand how they could come up with this severity level. It’s like they saw “integer overflow” and figure that wow, yeah that is the most horrible flaw we can imagine, but clearly nobody at NVD engaged their brains nor looked at the “vulnerable” code or the patch that fixed the bug. Anyone that looks can see that this is not a security problem.

754
 
 

During the last two days it seems we have been "bombarded" with advertisement bots.

I found it curious, the advertisements are correctly targeted to sysadmins and security professionals. Meanwhile they have somewhat believable biographies (even if they are a little on the nose), suggesting hand crafted accounts.

Something they all have in common is their instance (discuss.tchncs.de) and that they have a "bachelors degree in computer science".

This is not the first time I've seen adbots on Lemmy, but it's the first time I've seen them on infosec.

Does anyone have any insight into the world of adbots they could share? I find myself increasingly curious about what goes on behind the curtains.

755
 
 

The vulnerability should be obvious: at some point in the boot process, the VMK transits unencrypted between the TPM and the CPU. This means that it can be captured and used to decrypt the disk.

756
 
 

I'm interested in looking at newly registered domains for bad actors.

There are services out there that offer zone files for 'all' TLDs but are too expensive for individuals not backed by a company to pick up the bill. I've also found some free lists but they appear to be incomplete.

So I've gone down the route of attempting to obtain zone files or at least newly registered domain lists from TLDs themselves. Obtaining zone files for gTLDs is straightforward with ICANN's CZDS service. But obtaining zone files for ccTLDs appears to be quite interesting. I attempted to Google but couldn't find anything so I've started to email ccTLDs; it already feels like I'm spamming since I'm sending the same email - I've only sent it to 10 TLDs so far. It looks like there are a few hundred ccTLDs.

Is there a better method than emailing each ccTLD and hoping for the best?

757
 
 

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

759
10
submitted 2 years ago by kristoff to c/cybersecurity
 
 

Hi all,

Small question. Does anybody know if there already exists a lemmy community on disinformation (in the infosec area or more broadly)?

Thanks! :-)

Kr.

760
 
 

Weekly thread to discuss industry certifications, trainings and other courses/learning. Ask questions, share your experiences and help others!

762
 
 

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

*Sorry for the late posting!!

763
 
 

In case you need a quick laugh, have a look at this CVE report.

For context: quote DVWA Repo:

Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, [...].

764
 
 

The flaw is tracked as CVE-2023-40477 and could give remote attackers arbitrary code execution on the target system after a specially crafted RAR file is opened.

RARLAB released WinRAR version 6.23 on August 2nd, 2023, effectively addressing CVE-2023-40477.

https://www.zerodayinitiative.com/advisories/ZDI-23-1152/

765
 
 

Hello all!

I'm wondering what folks who are more involved with infosec and have their fingers on the pulse are thinking for best devices and practices at this time.

From my perspective, modern computing has made MFA a requirement for pretty much everything. I'm not a fan of app-based as it is too fragile and increases possible attack surface.

When it comes to HW keys, I see a few factors:

  • Physical manufacturing location/supply chain
  • Source code access
  • Third-party certification

The first one is fairly straightforward - do you have trust in the place of manufacture and the components used? Or, is there some other philosophical reason (ex. labor conditions)?

The second and third are a bit less clear. It seems to me that the more open the source, the more auditable and verifiable, however, this seems to be inversely related to the chance that a device is certified by the FIDO Alliance. I'm not sure if this is due to it being a commercial working group or costs involved being more likely to be prohibitive for OSS/OSHW projects. Any other certifications recommended?

While I would rather the verifiability of open-source, it seems like Yubico's offerings might be winning out in the other categories for the price. Any thoughts?

766
 
 

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

767
 
 

I stopped at level 24, but it was super funny!

768
 
 

Weekly thread to discuss industry certifications, trainings and other courses/learning. Ask questions, share your experiences and help others!

770
 
 

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

771
9
Follow Friday (self.cybersecurity)
submitted 2 years ago by shellsharks to c/cybersecurity
 
 

Happy Friday c/cybersecurity! I wanted to try out a new recurring thread with a familiar theme, Follow Friday!

Use this thread to share information about yourself or others including social accounts, blogs, podcasts, YouTube channels, w/e you want to plug so people can follow!

If you like (or don’t like) this idea, sound off in the comments or send me a DM. This can be a regular weekly thread or could be monthly or quarterly. Cheers!

772
 
 

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

773
3
Inception Attack (comsec.ethz.ch)
submitted 2 years ago by shellsharks to c/cybersecurity
774
12
Downfall Attacks (downfall.page)
submitted 2 years ago by shellsharks to c/cybersecurity
775
7
TunnelCrack vulnerability (tunnelcrack.mathyvanhoef.com)
submitted 2 years ago by shellsharks to c/cybersecurity