cybersecurity


An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!


founded 2 years ago

The upstream xz repository and the xz tarballs have been backdoored.

Another installment of #infosec / #cybersecurity #followfriday! Some awesome accounts below👇

- @4Dgifts
- @hatless1der
- @eatscrayon
- @lcheylus
- @badhorse
- @blastoise
- @hookgab
- @misczak
- @thomrstrom
- @dkohlbre

If you're interested in following along with what is happening in the /c/cybersecurity community on infosec.pub (#Lemmy), then you can follow @cybersecurity!

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

submitted 1 year ago* (last edited 1 year ago) by coffeeClean to c/cybersecurity

Question for people willing to visit Cloudflare sites:

How do you determine whether to trust a login page on a CF site? A sloppy or naïve admin would simply take the basic steps to put their site on Cloudflare, in which case the authentication traffic traverses CF. Diligent admins set up a separate non-CF host for authentication.

Doing a view-source on the login page and inspecting the code seems like a lot of effort. The source for the lemmy.world login page is not humanly readable. It looks as if they obfuscated the URLs to make them less readable. Is there a reasonably convenient way to check where the creds go? Do you supply bogus login info and then check the HTTP PUT headers?

cross-posted from: https://midwest.social/post/10292094

Source: www.infosecurity-magazine.com

A new phishing kit dubbed Tycoon 2FA has raised significant concerns in the cybersecurity community. Discovered by the Sekoia Threat Detection & Research (TDR) team in October 2023 and discussed in an advisory published today, the kit is associated with the Adversary-in-The-Middle (AiTM) technique and allegedly utilized by multiple threat […]

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

submitted 1 year ago* (last edited 1 year ago) by coffeeClean to c/cybersecurity

An HTML-only email from a gov agency has a logo referencing a URL that looks like this:

https://1wy1y.mjt.lu/tplimg/1wy1y/f/l9hl7/g3q3v.png

It’s not exactly that (apart from the domain) but of course it’s rather unique looking. They send email routinely. The initial emails had an obviously non-suspicious basic logo, like “(their office domain)/files/logo.png”. But then later they switched and every message from them is the URL in the mjt.lu domain. It’s not unique per message but it could be unique to the user, perhaps to keep tabs on when each person reads their messages.

The output of torsocks curl -LI looks like this:

HTTP/2 200
date: (exactly now)
content-type: image/png
accept-ranges: bytes

That’s it. It’s the shortest HTTP header I’ve seen. There’s no content-length. I find that suspicious because if this is a service that facilitates tracker pixels, then they would want to withhold the length in order to dodge detection. Although from its usage in my case it wouldn’t just be a pixel -- it’s a logo.

The date is also suspect. Shouldn’t the date be the date of the object, not the current time this second?

Are there any other checks to investigate this?

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

A thread compiling all Verge articles about AI influence on the upcoming election.

Has its own RSS feed: https://www.theverge.com/rss/stream/23862839

cross-posted from: https://midwest.social/post/10043498

In this interview, Pedro Cameirão discusses emerging cybersecurity trends for 2024 and advises enterprises on preparation strategies.

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

For anyone interested in compliance and hardening, here are some links to the DOD/US GOV standards for information systems. This information is available to the public.

Security Technical Implementation Guides (STIGs)

This is a document that has recommended settings, methods, etc. to make a product the most secure it can reasonably be. STIGs break things or turn off features people might be accustomed to. You have to do testing and figure out how to either make something work with STIG settings applied, or do exceptions. These are similar to Center for Internet Security (CIS) Benchmarks.

STIG Viewer

The STIG viewer is a Java app that basically makes the list into a checklist where you can track applying settings.

SCAP

Going farther with automation, Security Content Automation Protocol (SCAP) can be used to conduct automated checks against systems to determine compliance with a setting. Install the SCAP tool, load the automated checks into it, and then take the results from the SCAP tool and import them into the STIG viewer. It will knock out anything that could be checked automatically. The remaining checks would be things that are manually checked.

Compare

Here's a good article that compares STIGs and CIS benchmarks: https://nira.com/stig-vs-cis/#:~:text=The%20Center%20for%20Internet%20Security%20offers%20a%20tool%20similar%20to,robust%20than%20the%20STIG%20tool.

Download STIGs for products: https://public.cyber.mil/stigs/downloads/

STIG Viewer: https://public.cyber.mil/stigs/srg-stig-tools/

Security Content Automation Protocol (SCAP) content: https://public.cyber.mil/stigs/scap/

https://public.cyber.mil/stigs/supplemental-automation-content/

For anyone who's interested in pen. testing, there's a business from MN that does a podcast where the host and business owner, Brian, talks about doing tests, tells stories, and is generally goofy.

Brian made a podcast intro song, kinda funny. He talks about testing successes, tips for security, personal things, and running the business. They do live streaming where they sometimes get into the weeds and teach some techniques.

(I am not affiliated with 7 Minute Security, just enjoy the podcast/learning)

One of the vulnerabilities (identified as CVE-2024-27198) has a near-maximum severity CVSS rating of 9.8 out of 10 and is an authentication bypass issue in TeamCity's Web component. Researchers from Rapid7 who discovered the vulnerability and reported it to JetBrains have described it as enabling a remote unauthenticated attacker to execute arbitrary code to take complete control of affected instances.
