Very interesting info on modern password cracking using PassGAN (https://arxiv.org/abs/1709.00440).
I can't vouch for this but also have no reason to doubt it.
For #infosec folks out there, what’s your routine/strategy for “staying current” in the field? I’ve written about my daily reading routine here for anyone interested.
This list only contains accounts for security BSides, events, and conferences found in the fediverse / Mastodon with some post history. I will regularly update this post as more events migrate here. For hacker meet-ups and local DEFCON / 2600 groups, please refer to the link below.
Are there any interesting #redteam or offensive security reports on cracking #guix or #nixos? I've always been curious what kind of challenges it would present in practice, how much difficulty the immutable store and containerization of packages would really pose, or if there are minor faults throughout the codebase that can easily be tracked down and exploited by professionals. But I haven't found any good posts on the matter.
Genuinely curious about this. I have heard from a few people that Summer Camp 2023 wasn't that good. Like, at all. Many people are talking about going next year, skipping the cons, and just having dinner with friends, or skipping Vegas entirely. Do others feel this way? Is this bitterness over a lack of an electronic badge, long lines, and overcrowded events in general? Or is this just old school hackers bitching? Inquiring minds want to know.
The UK is now building a national system to allow police to access and inspect people's internet history
In 2016, the government passed the Investigatory Powers Act, also known as the Snooper's Charter
The law says telecoms companies can be made to collect people's 'internet connection records' and store them for up to a year
Internet connection records are essentially the websites you visit, but not the individual pages upon them
For the last few months, the UK has been creating a 'national' system that will allow law enforcement to access and 'filter' internet connection records
An initial police trial of the records has found “significant operational benefit”
For once, please, can we as an #InfoSec community please NOT be total knobs when it comes to Cybersecurity Awareness Month?
People work hard to produce these programs, tips, and other events.
If our users see security practitioners not taking it seriously and crapping on it, WTF kind of message do you think that sends to end users … AND THEN users get made fun of. 🤦♀️
So, this October, be a part of the solution and not the problem.
Just fixed my @Efani dashboard issues; support was great. So now that I have access to my dashboard, some notes for #Efani:
TOTP code generation shouldn't just be a QR code; you should also allow the string of text to be manually input. I had to use zbarimg to convert the QR code to text to input into my @yubico security key and vault for TOTP generation.
You should also add FIDO/WebAuthn support. TOTP has a single seed, so if it's stolen they have access. #infosec #Cybersecurity #SIMSwap #cellphone
You know you will be asked about #InfoSec topics in the news during your #Thanksgiving observance. Why not have some fun with it? See if you get a bingo talking to family and friends. 🦃🍽️
Federated wireguard network idea
Any feedback welcome.
Let's keep things stupidly simple and simply hash the domain name to get a unique IPv6 ULA prefix.
Then we would need a stupidly simple backend application to automatically fetch pubkeys and endpoints from DNS and make a request to add each other as peers.
Et voilà, you've got a worldwide federated wireguard network resolving private ULA addresses. Sort of an internet on top of the internet.
The DNS entries with the public IPv4 / IPv6 addresses could even be delegated to other domains / endpoints which would act as reverse proxy (either routing or nesting tunnels) for further privacy.
Maybe my approach is too naïve and there are flaws I haven't considered, so don't be afraid to comment.
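The idea in the post above (hash the domain to a ULA prefix, pull peer keys and endpoints from DNS, emit peer config) is concrete enough to sketch. The block below is an added example by the editor, not the poster's code and not any existing project. Its assumptions: the prefix is an RFC 4193 /48 whose 40-bit Global ID is the first 40 bits of SHA-256 over the normalised domain name; peer data lives in a TXT record at a hypothetical `_wg.<domain>` label with a made-up `v=wg1 pubkey= endpoint=` layout; the DNS "lookups" are a constructed in-memory table and the keys are placeholder 32-byte values, not real keys.

```python
import base64
import hashlib
import ipaddress
from typing import Callable, Dict, Optional

# Constructed stand-in for DNS. The _wg label and the record layout are
# assumptions of this example; the public keys are placeholder bytes (0x01*32,
# 0x02*32) in base64, and the endpoints use documentation address ranges.
SAMPLE_DNS_TXT: Dict[str, str] = {
    "_wg.example.org": "v=wg1 pubkey=AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE= endpoint=203.0.113.10:51820",
    "_wg.example.net": "v=wg1 pubkey=AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI= endpoint=[2001:db8::1]:51820",
}


def ula_prefix_for(domain: str) -> ipaddress.IPv6Network:
    """Deterministic ULA /48 for a domain: fd00::/8 plus a 40-bit Global ID.

    RFC 4193 asks for a pseudo-random Global ID; here the first 40 bits of
    SHA-256 over the normalised (lower-cased, IDNA-encoded, no trailing dot)
    domain name take that role, so every peer can recompute another domain's
    prefix without any coordination.
    """
    name = domain.strip().rstrip(".").lower().encode("idna")
    global_id = hashlib.sha256(name).digest()[:5]
    prefix = int.from_bytes(b"\xfd" + global_id + b"\x00" * 10, "big")
    return ipaddress.IPv6Network((prefix, 48))


def parse_wg_record(record: str) -> Dict[str, str]:
    """Parse one _wg TXT record and sanity-check it before it reaches wg(8)."""
    fields = dict(part.split("=", 1) for part in record.split())
    if fields.get("v") != "wg1":
        raise ValueError("unsupported record version")
    raw = base64.b64decode(fields["pubkey"], validate=True)
    if len(raw) != 32:
        raise ValueError("WireGuard public keys are 32 bytes")
    host, _, port = fields["endpoint"].rpartition(":")
    if not (host and port.isdigit() and 0 < int(port) < 65536):
        raise ValueError("endpoint must be host:port")
    return fields


def peer_section(domain: str,
                 lookup: Callable[[str], Optional[str]] = SAMPLE_DNS_TXT.get) -> str:
    """Render a [Peer] block for another domain.

    AllowedIPs is pinned to the prefix derived from *that* domain. WireGuard's
    cryptokey routing then only accepts packets from this key if their source
    lies in that prefix, so a peer cannot claim another domain's addresses.
    """
    record = lookup(f"_wg.{domain}")
    if record is None:
        raise LookupError(f"no _wg record for {domain}")
    fields = parse_wg_record(record)
    return "\n".join([
        "[Peer]",
        f"# {domain}",
        f"PublicKey = {fields['pubkey']}",
        f"Endpoint = {fields['endpoint']}",
        f"AllowedIPs = {ula_prefix_for(domain)}",
        "PersistentKeepalive = 25",
    ])


if __name__ == "__main__":
    for d in ("example.org", "example.net"):
        print(peer_section(d), end="\n\n")
```

Two caveats a practitioner would raise on the design, which the block makes visible: the public key comes straight out of DNS, so without DNSSEC (or a signature over the record) whoever can spoof the answer gets to be the peer; and a 40-bit Global ID has a birthday bound around a million domains, which RFC 4193 tolerates for random IDs but which becomes a deliberate collision target when the ID is a public hash of a name, so a real deployment would want to detect prefix collisions before adding a peer.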
#Start9 sent me their Server Pure for a review. They appear to be based on the @purism Librem Mini computers. Intel ME is disabled out of the box. I will have to tinker with this on #twitch tomorrow live, but their StartOS seems to be great for those starting to do a #homelab, and they are all about data sovereignty and you owning your data. It has options to set up #Mastodon and #Matrix out of the box, as well as #bitcoin and #monero nodes with #tor.
ICYMI: I interviewed the hacker known as "USDoD" who was responsible for the InfraGard incident last year, as well as the recent Airbus and TransUnion breaches. He tells me he's been busy targeting NATO, Europol, CEPOL, and Interpol. He's an ambitious hacker and is really going after U.S. military intelligence in his own way and for his own endgame purposes.
Why does he tell us his targets? For the challenge -- he wants to beat his targets when they know he's coming.
Read what he told me in “I’m Not Pro-Russia and I’m Not a Terrorist!” — InfraGard and Airbus Hacker 'USDoD' Unveils His New Campaigns.
On a positive note, it appears that NATO detected him when he attempted to gain access to an internal area; part of their site has now been "under maintenance" for days.
How serious a threat is he really? I can't judge that -- maybe you can.
@joshbressers @kurtseifried I just listened to the latest episode of the Open Source Security podcast. Rather entertaining listening to you two go back and forth. I was rather intrigued with the notion that it really isn't "supply chain" in the traditional sense, particularly in this cut-and-paste-from-stackoverflow world. Also interesting since a library or package might be listed as a component but either the vuln part of that component is never called or even never used. Interesting to think about (and we're still just talking about security, skipping the whole privacy elements aka "features" in this altogether).
Service NSW says starting tomorrow it will scan the "Dark Web" for the email/password combination people use to log in and alert users if it finds that the credentials have leaked. I wonder what service provider it is using for this. #infosec #Australia
Dear #Fediverse #InfoSec #Privacy folks, if anybody knows of any peer reviewed papers, official reports, etc., on how ad networks are or have been used by malicious actors to target specific people or groups — with malware, but also with targeted surveillance — I would love to hear.
I'm talking beyond "mere" surveillance capitalism. Surveillance capitalism is bad enough, of course, but in this particular case I am looking specifically for stuff that goes beyond "just" targeting ads.
Hi #InfoSec fediverse: Can you recommend "hacker type" people, who still actively post here?
Doesn't have to be particularly infosec related, I simply want my timeline to be filled with more technical/interesting/clever/creative hacker mindset stuff.
The questions I want answered for any cloud-based password manager:
· Is its encryption approach sane?
· Does the server have access to any plaintext data?
· Can the server manipulate the data?
· Are users being aided in creating safe credentials?
· Do encryption keys or their components ever leave the user’s computer?
· Are there encryption backdoors meant to aid account recovery for example?
· Is the client-side software safe from web-based attacks?
· Are there precautions in place to avoid filling in passwords on the wrong websites?
· Are there precautions in place to avoid filling in passwords on compromised websites without the user’s knowledge?
· …
The questions media coverage tends to focus on:
· Are there plain text passwords in memory that someone with administrator privileges on the user’s machine could read out?