cybersecurity


An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

826
9
submitted 2 years ago by N7x to c/cybersecurity

You might have found HTML injection, but unfortunately identified that the site is protected with CSP. All is not lost, it might be possible to bypass CSP using DOM clobbering, which you can now detect using DOM Invader! In this post we'll show you how.

We've based the test case on a bug bounty site, so you're likely to encounter similar code in the wild. If you're unfamiliar with DOM clobbering then head over to our Academy to learn about this attack class and solve the labs.

827

The Fediverse – a network comprised of Mastodon, Pleroma and other adjacent projects – suffers from the same glaring contradiction. Similar to email nodes, servers (known as Instances within this network) are branded around common interests, political beliefs or sexualities. Users are encouraged to join the servers that resonate with them. Like Scuttlebutt, political and sexual expression is warmly encouraged; in just one example, after centralised media moved to close the accounts of sex workers to comply with new US anti-sex trafficking laws, a Mastodon Instance named Switter was created to offer space for these individuals to continue to operate safely. Switter is now one of the largest Instances in the network.

828

A brand-new Burp Suite extension for discovering DNS vulnerabilities in web applications.

829

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

830

Basicgopot is a basic honeypot I have been developing. It is an HTTP honeypot that logs and saves all file uploads, optionally checking the uploaded file against VirusTotal. Additionally, the user can easily extend the functionality of the honeypot by configuring API webhooks. I plan on adding more features and possibly broadening the project's scope to include deploying deceptions for other protocols.

I would appreciate any feedback and contributions are always welcome.

831
8
submitted 2 years ago* (last edited 2 years ago) by kristoff to c/cybersecurity

Hi all,

For people who live in the neighbourhood of Hanover, Germany. In almost 3 weeks from now, I will give a workshop "Hacking Radio-signals" in the summer edition of hackover 2023. The exact timeslot still has to be decided, but hackover is the weekend of 14, 15 and 16 July.

In the workshop, we will capture, analyse and decode the signal of a 433 MHz remote-control. You are required to bring your laptop and have some software installed beforehand.

If you are interested, either drop a message in this thread or contact me at the email-address in the announcement.

832

Weekly thread to discuss industry certifications, trainings and other courses/learning. Ask questions, share your experiences and help others!

833

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

834

TIL the French government may have broken encryption on a LUKS-encrypted laptop with a "greater than 20 character" password in April 2023.

When upgrading TAILS today, I saw their announcement changing LUKS from PBKDF2 to Argon2id.

The release announcement above has some interesting back-of-the-envelope calculations for the wall-time required to crack a master key from a LUKS keyslot with PBKDF2 vs Argon2id.

And they also link to Matthew Garrett's article, which describes how to manually upgrade your (non-TAILS) LUKS header to Argon2id.

835

Anyone familiar/have experience with conducting a Crown Jewels Analysis (CJA)? MITRE's SEG ("Systems Engineering Guide") has a process for doing this (page 167) but there are certainly other methodologies. Am working on something like this so any anecdotes would be cool to hear about!

836

Now here are two tools I wish I was more experienced with - Semgrep and Jupyter. Beyond this cool article from NCC, I'm interested to hear from anyone who uses either one of these tools. How did you get started, what do you do with them, etc...

837

Hey Pub-folk of /c/cybersecurity! Wanted to get a quick pulse-check and collect some thoughts from the community here regarding their usage both current and future. I'll

  1. Would anyone like to see weekly threads created for things like #mentorshipmonday? If so, let me know what kind of weekly threads you all would find useful/interesting.
  2. There are a few infosec/cyber-related communities that have popped up both here on infosec.pub and elsewhere (e.g. kbin.social, fedia.io, etc...). Some are more niche, while others are similarly general to this community. What are everyone's thoughts in terms of where they plan to spend their time? I want to be mindful of the fracturing and try to build something here that people find useful.
  3. Do you think the "threadiverse" (kbin, Lemmy, etc...) is a viable alternative to Reddit for you? (Assuming you were on reddit originally).
  4. If you have any other thoughts or suggestions for the community please share them here as well! Thanks!

838
27
InfoSec Podcasts? (self.cybersecurity)
submitted 2 years ago by kyle to c/cybersecurity

Gotta hand it to the guys over at risky.biz, it seems like they are producing so much great content that I can't get enough of it.

I really enjoy their stuff because it's not just a bunch of news headlines with little context; they'll actually go into in-depth conversations and talk about the implications of a current event or headline.

Are there any other podcasts I should be checking out?

839

Interesting piece from last year on how Spotify does VM

840

I found this tool on github:

https://github.com/hmaverickadams/breach-parse

and there is also h8mai, but just wondering if there are any other places I could go to download more dbs for offline research? I am willing to pay a small fee, but I want a site that isn't shady and is legitimate for research.

841

After being scammed into thinking her daughter was kidnapped, an Arizona woman testified in the US Senate about the dangerous side of artificial intelligence technology when in the hands of criminals.

Jennifer DeStefano told the Senate judiciary committee about the fear she felt when she received an ominous phone call on a Friday last April.

Thinking the unknown number was a doctor’s office, she answered the phone just before 5pm on the final ring. On the other end of the line was her 15-year-old daughter – or at least what sounded exactly like her daughter’s voice.

“On the other end was our daughter Briana sobbing and crying saying ‘Mom’.”

Briana was on a ski trip when the incident took place so DeStefano assumed she had injured herself and was calling to let her know.

DeStefano heard the voice of her daughter and recreated the interaction for her audience: “‘Mom, I messed up’ with more crying and sobbing. Not thinking twice, I asked her again, ‘OK, what happened?’”

She continued: “Suddenly a man’s voice barked at her to ‘lay down and put your head back’.”

Panic immediately set in and DeStefano said she then demanded to know what was happening.

“Nothing could have prepared me for her response,” DeStefano said.

DeStefano said she heard her daughter say: “‘Mom these bad men have me. Help me! Help me!’ She begged and pleaded as the phone was taken from her.”

“Listen here, I have your daughter. You tell anyone, you call the cops, I am going to pump her stomach so full of drugs,” a man on the line then said to DeStefano.

The man then told DeStefano he “would have his way” with her daughter and drop her off in Mexico, and that she’d never see her again.

At the time of the phone call, DeStefano was at her other daughter Aubrey’s dance rehearsal. She put the phone on mute and screamed for help, which captured the attention of nearby parents who called 911 for her.

DeStefano negotiated with the fake kidnappers until police arrived. At first, they set the ransom at $1m and then lowered it to $50,000 when DeStefano told them such a high price was impossible.

She asked for a routing number and wiring instructions but the man refused that method because it could be “traced” and demanded cash instead.

DeStefano said she was told that she would be picked up in a white van with a bag over her head so that she wouldn’t know where she was going.

She said he told her: “If I didn’t have all the money, then we were both going to be dead.”

But another parent with her informed her police were aware of AI scams like these. DeStefano then made contact with her actual daughter and husband, who confirmed repeatedly that they were fine.

“At that point, I hung up and collapsed to the floor in tears of relief,” DeStefano said.

When DeStefano tried to file a police report after the ordeal, she was dismissed and told this was a “prank call”.

A survey by McAfee, a computer security software company, found that 70% of people said they weren’t confident they could tell the difference between a cloned voice and the real thing. McAfee also said it takes only three seconds of audio to replicate a person’s voice.

DeStefano urged lawmakers to act in order to prevent scams like these from hurting other people.

She said: “If left uncontrolled, unregulated, and we are left unprotected without consequence, it will rewrite our understanding and perception of what is and what is not truth. It will erode our sense of ‘familiar’ as it corrodes our confidence in what is real and what is not.”

842
5
Container security fundamentals series (securitylabs.datadoghq.com)
submitted 2 years ago by shellsharks to c/cybersecurity

Great series on container security from Datadog.

*Random cool note: As I publish this to /c/cybersecurity I see that infosec.pub also makes me aware of the fact that it has also been posted to the Blue Team and Cloud Security communities here. Interesting!

843

Where are my VM folks at? CVSS v4.0! Some takeaways reading the brief change list...

  • Emphasis that scoring is not just the Base metrics but in order to get an accurate score you need to consider temporal/environmental scores. Awesome and so true.
  • Attack Requirements (AT) seems useful given so much of what the "likelihood" of a successful attack is dependent on how likely it is for the attacker to meet all requirements.
  • Temporal renamed to "Threat metric". Don't like...
  • RL and RC deprecated. Good. Never liked those.
  • More emphasis on OT vs IT which is great!

Thanks to @forgetful@infosec.exchange for tootin' about it!

844

As someone who has spent A LOT of time getting certifications, this is a question I ask myself a lot. In the past, I was all about them, in some part because I had the time and resources to do them and less so because I thought they were the key to big career or knowledge gains. These days, I recommend to newer folks in the field to limit caring about certs and focus more on the prize (practical learning and real experience). Anyways, thought this was an interesting read.

845
846

I really respect SpecterOps content and think this is a great read for new and veteran security pros. Beyond the philosophical ponderance of "what is security", I think defining these building blocks is a great way to stay centered when making security decisions.

847

Draw.io libraries for #threatmodeling (courtesy of @raptor@infosec.exchange)

I've been getting into a lot of threat modeling myself lately and as a big fan of draw.io this was an insta-save for me.

848

Hey infosec/cyber/tech folks of the fediverse! With reddit being a mess coupled with my interest in becoming more fedi-active/aware, I wanted to share out my site/blog where I post mostly about cyber and tech but also venture into other non cyber/tech stuff. Check it out and find me on Mastodon if you want to connect or chat! Some interesting stuff I'll highlight from my site is listed below...

Thanks!