#cybersecurity
we have been encouraging people to use s2 instead of infinias for the last few years due to their software issues
also s2 has some cool integration and api things
People never listened though
we've got a combination of ACS's on this site
mag swipe, RFID, NFC
the mag swipe stuff wont run on anything newer than 98
nah fortunately people seem to listen when its early in the design phase still
the building management for the aircon / heating runs on 95
s2s stuff is pretty dang good so its an easy sell
plus it doesnt hurt that we have multiple people with s2 certs
[me for example]
Why does everything run on such old stuff
they hate change
well in the case of where i work
its astounding when i come across something that looks like it was made in the 90s
the place was built in the 1950's
but actually they [the devs] just never modify it
sold off in the 1970's and everything was refitted
BMS was updated to computers in the 90's
change means more bugs so they dont
and since it works?
don't update it
they're isolated systems with no network access
so it's not so much of a problem
And then somebody wants to change something and everyone gets annoyed
the mag swipe / bms that is
they literally don't make the building management software anymore
company went bust
so upgrading that would cost a fortune
and this business park has like fucking
30 buildings controlled by it
Your life sounds so fun
well those systems work fine so..... not a problem
yeah this kind of work is largely fixing issues with ancient stuff that no one that still works there knows anything about
when it comes to existing hw
i had a school with an old alarm panel from the 70s. the school had been burned down, remodeled you name it
the panel manufacturer was bought out like 5 times
it was an old radionics or something and we replaced it with a newer bosch 9412 or something
the latest thing we had was that a new aircon unit was installed for a new customer and it didn't align nicely with the old BMS but they just hired a guy to make a box to make it compatible
cheaper than replacing a whole system
due to people hating change, i was able to figure out how many popits they had just by removing the old header bus and putting it on the new board
nice
i cleaned up the wiring a bit but otherwise didnt have to go trace out all the wiring
thats like 40 years of non change that let me do that lol
they don't make it like they used to ¬_¬
Is Blowfish still considered secure?
Thanks
np
does this count as encryption?
I would personally have called this a resignation letter
Or job security 😏
What is the best way to hide a connection that is made to a server?
So I have an application that sends a trigger to a certain url which when triggered it will executes a command.
That command checks the database for login information, if the values matched that the user's inputted with the DB then it will return a True. Otherwise, it will return a False.
So what I'm mainly developing right now is a login page and in the DB its all encrypted with SHA , AES, etc..
So what is the best way to secure my url so no one can know/view it?
because the DB has important information. And the server only has access to it.
Could the channel be listened?
Is it a secure channel
@thorn obsidian
You could use the Diffie–Hellman key exchange
@ember light wdym?
SSH tunnel?
if it's between two servers
or some kind of VPN
without knowing more information about exactly what you've built DOES it's going to be hard to offer a suggestion
if you're talking about a request to a server and hiding it
HTTPS should sort that?
Force HTTPS on the login page
then the only traffic to anyone sniffing on the wire will be the domain
Well it’s simply an AWS Lambda function connected to my DB @lusty flare
Also it’s not a website
It’s an app on the computer
well it's still making HTTP requests?
Well yeah I mean u just the requests model and make post with JSON data @lusty flare
so what's the problem with using HTTPS?
Well I’m not sure how could you show me? @lusty flare
uhm, i'm actually at work at the moment
i assume you've got some kind of web server running?
at least somewhere
apache, nginx, whatever
there's loads of guides on setting up HTTPS
i'm currently streaming
Is there a way to capture the link that requests send?
Like for an example if my friend made an application that sends a post request to a certain URL, is there a way to find that URL?
I'm seeing if this is a security issue.
so i can only hop in
the IP and port a HTTPS request goes to is open. The exact URL path and parameters are encrypted.
deleted mentions are annoying. I still see the notification, but not what the reason was.
sorry it was a dumb question
i didnt fully read your response fully
i was asking if params and json are secured but ik now
sorry about that
ok
@thorn obsidian check the web server logs
So how encrypted is a VPN, like for example ExpressVPN
Nobody can access anything I do on any sites?
Not even the person who owns the site
it's a tunnel
they'll know X VPN ip address accessed it
if it's a HTTPS site they wont even know what page you're on, just that you're on x.com
your ISP will only see a VPN tunnel and nothing more
So couldn’t any hacker just use a basic VPN like XVPN and never get caught?
no
VPN providers have information on who is what
so if someone did a hack and the IP was logged
authorities would go to the provider and ask for details
there are smarter ways to do it anyway, but i'm not willing to discuss them because this isn't really a server for that type of stuff
"authorities would go to the provider and ask for details"
sure, if the provider is based in the US
but if they're some where like, panama, no, they could just ignore warrants and subpoenas from the US
well i have doubts about that 1
pretty sure it's been done before
got sources?
was a while ago, not sure i can dig it up. but i mean you are right
if the country the VPN is hosted in doesn't cooperate with international laws etc then yeah
i wasn't thinking specifically about US / Panama relations
Uh yeah, some countries can cooperate with law enforcement.
It usually depends what you did tbh
Very much what you did.
There are some things which pretty much any country will do you for
Uh I can't really think about any except streaming a murder or underage material
Maybe hate speech & terrorist propaganda but I can't think about actual hacking reasons
yeah i can imagine that if youre streaming kiddie p0rn a lot of people would want you arrested, which may include your vpn provider
i am not sure if this has been asked before in here and i can imagine this being a common concern. if i am in star bucks sipping away at my drink, using their free wifi with no vpn and trying to check my capital one account, i am pretty much asking to be screwed
but how about mobile data? does it offer similar security as your home wifi does?
@tropic bay No. Mobile isn't terribly secure, and it varies by the technology of your device. GSM has weak crypto. All tech is extremely vulnerable to death attacks (this is what a stingray does).
Assuming you're using WPA2 on your home wifi, of course ;)
There's enough obscurity and lack of cheap attack vectors like there are for wifi to make mobile OK day to day. I don't use a VPN on Verizon usually, unless I'm at DEFCON.
Heard a rumor at DC24 about someone messing with a stingray
US law enforcement use stingrays to track suspects i believe too
i think their legality has been brought into question in the UK since they intercept ALL traffic, not just a target
or maybe that was the US
damn it
still dont have magisk for my phone
thanks for the info tho
i'll look into it
note
I Feel very secure
UK but yeah same thing
LOL
Is there any android apps that install security patches without r00t or non root alternatives
no
can you not just flash new firmware from android?
if it is signed and official from google it shouldn't need root
I haven't tried because I assumed I need root anywhere to flash it
I'm not sure if it'd work on my phone, what's the point of the custom rom that was made for it then
Also considering my sys is "up to date" according to android and I'm on android 5 I feel like they stopped supporting this phone
i mean /you/ wouldnt flash it through twrp or something but via the system settings upgrade bit
and how did you manage to get a custom rom without root 
You don't need root to install a custom rom.
I think one just needs an unlocked bootloader
It's pretty typical for custom ROMs to be rooted though, maybe that's what he's trying to say
Oh, like that.
Hey does someone know if it's possible to add some sort of protection to your discord bot like for example a key that can only be used on 1 machine or something
Personally i don't have enough skills in python to be able to do it was just curious
@tall haven oh no I assumed I needed root to install the custom rom, also yeah the custom rom has root
@thorn obsidian well you can check the mac address and then prompt them a password but it's python it takes 4 seconds to remove the code
You could always use pyinstaller to make it into an exe
You could also do something like aes the mac address, ask input and if it doesn't match then abort and if it does then ask the aes key too
He is asking if it's possible to protect his bot API token from getting used from more than one machine and no there is not
@thorn obsidian he wants it to only run the script from 1 machine, so the mac address would work for that
No he wants to protect the bot account from being used from one machine, only running the code from one machine is useless and if you implement it don't use a Mac but instead make some sort of verification method using signatures based on ECDSA or RSA
mac does perfectly tho 🤔
its pYthOn as if anything else makes it any more secure
in b4 commenting out 4 lines
There's nothing you can do in your script to keep someone from using your API token if they have it, since they don't have to use your script at all, they'll just copy it into their own
It might be interesting to encrypt the API token using the MAC address as a key. But most people don't keep their MAC addresses secret, and it doesn't really add any more security than using a password.
Yes but mac addresses are an easy way of checking if it's the same machine without doing anything complex, either way the lines can be removed from the script so why try too hard
you'd need to look into more clever HWID tactics
Well an implementation could take about 5 lines so yeah
It's standard security through obscurity
MAC address does not provide any assurance of uniqueness from a security perspective
Windows 10 has a built-in option to randomize your NICs MAC per-network
E.g only randomize if you're on, say, Starbucks Wi-Fi
pretty common now
iOS does it too i think?
i also think some of the Datto AP's we've got have that feature
Haven't tested it in captures yet, so dunno if it randomizes the OUI in addition to the host bits
ahhh
Why would an AP do that?
¯_(ツ)_/¯
i can't figure out most of what Datto is doing tbh
except sending me a non-working 2fa SMS 3 times in a row o_O
nah, it's to access the management panel
So their services
yah
the management panel either being a super nice easy way to set something up and a smooth deployment
or a steaming pile of garbage that doesn't give you enough information about anything
and i was wrong anyhoo
About?
MAC randomisation
sleep deprived and still got 8 hours 30 minutes to go
-.-
i have a love / hate situation with Datto's networking situation
sure it's a nice idea that we can remotely control / configure something through a pretty panel and just have the box sent directly to a client
however when something doesn't work the logging / etc isn't at all verbose enough to get something done
and i have yet to be able to get access to a console out of them
plus they only offer phone call / sms 2fa
i'd much rather a yubikey or even google auth
i live in a signal deprived area so sometimes on site i can't actually get access to the damn management panels
have to log in using the overarching admin account and either email or phone the office
NIST says phone 2FA is too weak also
idd
also their routers, despite being quite tidy little boxes, still don't support cert based site 2 site vpns
at least last i checked
nope, still just PSK
Double oof
yah
their backup solutions are fantastic
i'm 3000% onboard with them
we've deployed a bunch of them for a load of customers and they've proved to be immensely useful. both the cloud end and the local end
had an RDP server pop a power supply and not a minute later the local datto unit was running a vm of it
people barely noticed "oh, we all got kicked out of our session...."
"le shrug"
they're also super nice to their partners
they paid us to send one of our dudes to spain for 3 days to attend a conference
"wanna come?"
"no soz got work to do and it's expensive."
"we'll discount it by 50%."
"no rlly, got work to do and that."
"no fees."
"are you not getting this? we're busy."
"okay we'll cover hotel and flights."
"done."
and got a bunch of free networking devices that i now hate
boss got a nice holiday in spain though
¬_¬
desk walk of the office space we share with a customer. 24 post-it notes with credentials on stuck to screens or desks
Yeah if you randomise it that won't help for a saved mac in the script 🤔
I eventually went by hashing a mac and making the bot check for the right mac each time
What is your script doing?
It's a discord bot lol
It checks the mac at the start and aborts if it's not correct
It should probably go to each command call
If you want it for each command call you could use a decorator
Are you trying to make sure it's on the right system
There are other methods of doing that
Hardware configurations and IDs
Well just be aware it's a security issue in your code
can you use a different form of authentication like keys or passwords for your users?
easiest way to make sure your bot can only be used on one machine? uh, dont share the code?
duh?
why go through all the steps of doing anything when the easiest part is to simply not distribute it in the first place if you dont want any other machines to run it ?
@thorn obsidian anything can be easily removed either way so I'm fine using mac addresses
@novel river good point, I wasn't the one who needed this lol
Customers.. Discord bot.. Bot tokens.. Hmmm... Not something that can be sold really
Also I'm pretty sure it's against discord tos to do that
🤷
Don't quote me on anything ™
LOL the ToS 
Hello
I would like to know what you are using to secure the network exchange of your Python applications, and how you implement it.
It's for a peer-to-peer network that I'm coding.
Thank you
"Security" -- It's not that secure if the government can view it. 😉
tls 1.3 is not viewable by anyone
however the standard eTLS proposed by some EU folks is decryptable so the poor secret services and companies can view the shit
Whatever you just said, agreed. ^
blindly agreeing with people, always a good idea
@orchid notch everyone trusts you and your incredible peoples skills
Mhm
@orchid notch Ok, thanks for your answer 😀
no problem
cert authorities: exist
- nsa would like to know your location -
Is it possible to get into security without a degree?
Yes.
You can always get some certs and then build up some industry connections
These are the 2 mini projects
Please help me with anyone of them!
I just need a demo source on how to practically implement them
I am into ML and python, so I am unaware of sql injection and other cross scripting attacks
If you actually didn't have the idea for these projects yourself (which I assume you did not) they are meant to teach you something and not be implemented by <insert random person from the internet>
And the second one can just be make a site that transmits a password to the server so you can modify something on the website, if it's unencrypted aka http the attacker will be able to capture it and use it on the website himself. And then install certbot or something on it to setup Https on it and show that now the attacker can't read stuff anymore
@thorn obsidian very possible
Uh oh
I just read about the Huawei ring 0 local Priv ESC in pcmanager software
Inb4 "omg Chinese tryin 2 hax us"
And damn
Hackers are gonna kill you WITH YOUR CAR

:D
sumo stickers
the adversarial input thing with self driving cars has been making the rounds for a while
this one is new, last time it was making a stop sign misread as a speed limit 50 sign
what's next, wile e coyote painting a tunnel on the side of a canyon wall
i want to be completely transparent. I don't think this violates the rules, I just want to be clear so if it DOES i can be asked to stop: my friend (23)'s parents have set up https://meetcircle.com/ and my friends closeted and their parents are abusive so this is restricting their access to social media. It uses ARP poisoning to track traffic between the router and devices (from what I can tell). my question is, having a VPN set up wouldn't help, because the traffic would already be intercepted by the time it got to the router right?
@craggy nest pretty sure a vpn would work as the original packet would be encrypted and encapsulated within a new one with no significant attributes that would allow it to be filtered by something like this
just make sure that whatever configuration you are using has a cipher set up so it isn't unencrypted
i think you can do a couple of other things though
you might be able to spoof the affected computer's nic address
Fortunately, Circle is equipped with a VPN & Proxy filter category which blocks access to many common, popular VPN and proxy services. We strongly recommend using this to ensure that your Circle device is able to see your network activity properly.
you can manually alter the arp cache
if you or your friend has used a command line before i think you'd be able to follow a digitalocean tutorial on how to set up a $5/m linux box with openvpn
im also thinking is that perhaps there is something within it that can be misconfigured such that it only works on a particular bandwidth
so your friend could just use the 5ghz band and the parents would be under the impression that it is working
well a proxy over websocket would likely be ok e.g https://github.com/mhzed/wstunnel on a linux vps if it blocks a standard vpn. changing the mac address could also remedy the arp poisoning but it will likely do strict mac address filtering so you could be stuck there. though it appears that it might work temporarily until the parents figure out how to set up stricter filtering (https://support.meetcircle.com/hc/en-us/articles/115001381931-Stopping-Bypass-Attempts). tbh i would just yeet that circle box straight out the window but that probably wouldnt go down well. if their parents are that controlling when he/she are 23 they also might wanna consider moving out (though that's pretty extreme) cause it doesnt sound pleasant to have your life managed that much.
Security vulnerabilities related to Meetcircle : List of vulnerabilities
related to any product of this vendor. Cvss scores, vulnerability details and links to full CVE details and references
looks well designed
👍
well the human element is a big part of security. if you can talk someone out of trying to use tech to solve a human issue its way better than trying to circumvent it.
its more of an issue with lgbt ppl being able to access their support systems. getting in trouble for circumventing is much more manageable than being outed/going without support.
but tyvm for all the advice!!
@craggy nest Just taken a look through the legal on circle. ToS seems to state that you cannot attempt to attack the circle devices in any way. I don't think this includes bypassing the circle device, as long as you are not "attempt to interfere with, harm, reverse engineer, steal from, or gain unauthorized access to the Circle Services, user accounts, or the technology and equipment supporting the Circle Services;" you should be alright. Due to the vagueness of the ToS I'm going to go ahead and say we won't be able to assist with the technology here. IANAL.
Seems useful
@thorn obsidian Yes sir, it is a mini project under the curriculum of cyber security
[17:50] Random: what's next, wile e coyote painting a tunnel on the side of a canyon wall
rofl
I still can't seem to find anything dangerous server side except possible use for DDoS attacks
It kinda just sucks for the client most of the time
It's not like you have a full scale data breach, it's typically like oh hey 9% of my cpu is being used by a coinhive ripoff this is so irrelevant to life
Oh no but most of the time it's not even stored
And if you paste 40 lines of code in an input box as a visitor then you have high levels of autism
Almost all I've encountered aren't
They're typically real time data being displayed that only gets parsed later on
Or its only stored for the current user
Or its only stored or a certain page out of like 300
That's deep
I noticed XSS on a pretty popular site that kept records of exam results
But it was probably only a 1 time thing which is entirely useless
I didn't go on because the registration has like 14 pages
If it doesn't get stored it's not that much of a deal imo
I'd just fix it eventually when I have time
Or when I can be bothered
If a user decides to paste in 30 lines of code it's likely they're in 39 breach compilations already
Without even knowing
You just need to hope for smart users 👌
If just doesn't really seem like something severe to me
Hoping for smart users does not sound like a great idea tbh
@thorn obsidian I don't expect them to know that, but if the XSS isn't stored I also don't expect them to paste in something Jamal59@IndianRepairShop.cc sent them
LOL
!tempmute 499340202687332362 2H Posting about a site which might have an XSS vulnerability with a link to the site is not responsible disclosure. Casual racism is also not welcome. Breach of rule 5 and 9.
:incoming_envelope: :ok_hand: muted @thorn obsidian until Thu, 04 Apr 2019 01:23:03 GMT (Posting about a site which might have an XSS vulnerability with a link to the site is not responsible disclosure. Casual racism is also not welcome. Breach of rule 5 and 9.).
"I'm not going to tolerate racism."
did i miss something?
he was talking bout how you just need smart users
I think that was referring to the indian repair shop...
It was the reference to the Indian phisher email
It's pretty funny imo 🤷
guys
my teacher made me sign into my gmail on her acc bc she wouldnt use her own google acc, anyway i used the sign out of all web sessions thing but today i saw she was still logged into my acc
i signed out of it physically, but like... how can i check if they're still signed in, and how can i remotely sign out of a laptop session? i can only see stuff about removing android devices from an account
also, if i change my pword and she has it saved in chrome, it won't update right?
not sure how it works with account linking
Cool, thanks
I changed my pw earlier, so is it prob logged out of their acc now?
Thanks mate
Ah kk thanks I may well do
/wp-content/themes/Avada/framework/plugins ... er/jsspwned.php: 6 Time(s)
/wp-content/themes/IncredibleWP/framework/ ... er/jsspwned.php: 6 Time(s)
/wp-content/themes/MoneyTheme/uploads/upload.php: 6 Time(s)
/wp-content/themes/MoneyTheme/uploads/uploads/jsspwned.php: 6 Time(s)
/wp-content/themes/RightNow/includes/uploa ... tings_image.php: 6 Time(s)
/wp-content/themes/andre/framework/plugins ... er/jsspwned.php: 6 Time(s)
/wp-content/themes/beach_apollo/framework/ ... er/jsspwned.php: 6 Time(s)
/wp-content/themes/betheme/muffin-options/ ... es/jsspwned.php: 6 Time(s)
/wp-content/themes/betheme/muffin-options/ ... ield_upload.php: 6 Time(s)
/wp-content/themes/centum/framework/plugin ... er/jsspwned.php: 6 Time(s)
/wp-content/themes/cubed_v1.2/functions/upload-handler.php: 6 Time(s)
/wp-content/themes/cuckootap/framework/plu ... er/jsspwned.php: 6 Time(s)
/wp-content/themes/dance-studio/core/libs/ ... file_upload.php: 6 Time(s)
/wp-content/themes/designplus/framework/pl ... er/jsspwned.php: 6 Time(s)
/wp-content/themes/konzept/includes/upload ... ds/jsspwned.php: 6 Time(s)
/wp-content/themes/konzept/includes/uploadify/upload.php: 6 Time(s)
/wp-content/themes/library/visual-editor/l ... load-header.php: 6 Time(s)
/wp-content/themes/medicate/framework/plug ... er/jsspwned.php: 6 Time(s)
woah, ugly
someone's been having fun spraying our hosted wordpress sites it seems
probably a bot
people these days
Hey, get off my network!
yeah i dont remember typing that
can confirm riseup is not aggressive
So I wanna talk about proton mail. Let me know if it is an appropriate topic to discuss and I'll react accordingly. Let's say I wanna talk to Steve and he's got a gmail account while I got a protonmail account. If I send Steve an encrypted message to his gmail, he will need to use a decryption key. Problem is, I might like using decryption keys to make sure the email cant be read by a 3rd party but Steve is the average guy that just wants to read emails without decryption keys. Therein lies the problem, what's the difference between using proton mail and gmail when most if not all the emails you receive are not encrypted and chances are, you wont encrypt your emails because you know the other guy wont wanna go through the trouble of using a decryption key. Therefore, your emails can still be seen by 3rd parties, defeating the entire objective of using proton mail in the 1st place. Am I missing something here? I'd love to be wrong on this 1.
gmail has the ability to encrypt with third-party mail services. Does protonmail not do that?
@tropic bay the advantage IIRC is that protonmail encrypts email at rest using your password so they, the company, can't read your email and neither could LEOs by just getting a copy of the database.
But yes, OpenPGP has the big social adoption problem you mentioned.
Moxie Marlinspike of Signal fame has a good article: https://moxie.org/blog/gpg-and-me/
Yea but problem is, if the email is passed through unencrypted providers like gmail, Google already read it, wont make such a difference if protonmail doesn't read it.
You still have the anonymity
If you want to have encrypted email you'll need both parties to adopt it.
Right and how does using protonmail help with anonymity without actually encrypting emails?
Because it's not known who sent it.
Like tor where it's public what you are looking at, but not who is looking at it.
KC, I think because it's easier to register anonymously and the server's location in Switzerland gives it more legal protection
eg. try registering for a google account in 2019 without a phone number!
I don't know what their log policy is
I assume they do log otherwise it'd be an abuse nightmare
yeah but if they can still read all your emails, they can put together who you are. for examples, emails from youtube and face book sent to your proton mail, netflix, your bank, phone company etc... they can compare that to any previous emails you had that is not proton and put 2 and 2 together
If you reveal who you are, they will know yes
Even if emails from facebook, yt, netflix etc were encrypted, they'd still be able to figure out who you are from that.
how?
You think those services wouldn't give you up when asked by the authorities?
yeah but we're not trying to be edward snowden here
we're just trying to make it so that google cant read our emails
Don't use gmail
great but everyone else is
If they are insistent on using gmail I highly doubt they'll go along with using a client that does the encryption for them.
exactly, so even if you use proton mail, google can still see your emails because the guy youre talking to on the other end, wants to use gmail and wont wanna use decryption keys, which is the majority of us
using something like riseup seems like a fast ticket to end up on a watch list
what seems to be the difference between rise up and protonmail?
riseup has a very conspicuous "we are activists seeking large-scale social change" vibe
protonmail's vibe is "privacy is good--who doesn't like privacy?'
Yes. But we know that eg. the NSA's XKeyScore program targeted users of certain websites for increased scrutiny
using something like riseup must trigger a flag somewhere
hell, in 2014, reading the Linux Journal did
right but does raising a flag mean theyre gonna send swat teams with fully automatics come batter ramming down your front door?
No, but I'd rather not be singled out for data collection and retention by US 3-letter agencies
Downside to protonmail is @protonmail.com
And you can only receive on @pm.me for free, not send
yeah but i wont mind giving up 5 bucks a month if it guarantees that my emails are encrypted even when interacting with gmail users
Protonmail can't force gmail users to go through the extreme pain of thunderbird + enigmail + openpgp + shoddy open source smartphone mailclient
We have encryption in transit through opportunistic encryption between big providers.
But that's it.
if you want that level of privacy youll have to use something like your own matrix instance. if you dont want google to see the messages it has to never touch their servers, which means email is just out. you wont get people to change their email work flow.
buuut you might get people to install something like the riot client and connect to your server
or a server you trust more than google. additionally it has end to end encry so generally you can trust it a bit more than something like google anyway
I mean,
ultimately, you can't stop the intended recipient of the email from storing the plaintext insecurely or giving it to whoever
regardless of whether they're using gmail or not
it would be nice if (i don't know if this is the case or not) the webmail providers had support for displaying encrypted email, even if that means the email provider has the user's private key.
yeah but if they are on gmail and using any google controlled client then it can be assumed that google has seen it
sure, but they could just not use a google controlled client
but on an alternative client google wont see it unless the user goes out of their way to put it in to a google service
gmail supports imap
yeah
viewing google as a unique threat is probably excessively paranoid
but that alternative workflow is prob too much work for most people. i think its easier to convince someone to use a new app than it is to make someone switch how they access their main email stuff
yeah i just use them as an example here
if you dont trust a service you need to avoid sending data in a way that they will be expected to see it
anyway
you could still send encrypted mails to the gmail box even if they don't give google their private key
this is just a thought experiment, since i use google as my email provider anyway though
then they could only view those emails through thunderbird, but still access the non-encrypted mails through the web viewer
yeah that is quite true. there also might be some browser extensions that can identify encrypted data and then decrypt them out of band
eg in to a new window
if you are lazy and just have it do it inline in the gmail web interface i feel like it might almost defeat the purpose but the odds of that getting targeted by google are pretty low
unless some org is targetting you specifically, and if they are sucks2beu
so for casual use a transparent plug in like that would prob work
i hadn't considered in-browser solutions because they make other security features that a webmail service might provide (e.g. html scrubbing, proxying for image loading) more difficult or impossible, but for plain text email that'd be reasonable
yeah i assume it would only really work with a plain text one, or at least i personally wouldnt want it loading encrypted html data for those exact reasons
@tropic bay riseup has its problems with the police, but it hasn't really been the cause for anyone's arrest so far. People use their VPN for malicious things, but they haven't seemed to try and take anyone down yet
And definitely haven't cooperated with police about it
yep thats why i dont use any web service where the decryption and keys are effectively delivered via their server anyway.
it offers zero security against someone modifying the code they provide
eg lastpass
they are the same as proton mail or any other system like that. since they are generally accessed via a website, the data that you are protecting and the program used to decrypt it are sent via the same channel.
to gain access to the data an attacker can change the program and cause it to intentionally leak your data after its been encrypted
its not as big of a deal if you use an app not the website, but its still not my preferred method. I just use an offline password app like keypass or something and manually sync it.
you still risk someone sneaking code in to the app, but since its somewhat an open standard, you would have to attack every single popular app/client to gain access to everyones data
its just a slightly lower risk since it tends to be easier to attack a website thats always accessible than an app which is developed on someones computer and generally signed before its uploaded
Hey there, I need help with running a MITM on someone, that someone being myself, of course
Basically, I'm trying to understand what TLS does. Finally wrapped my head around the whole discrete logarithm problem and PKI, now trying to understand the dangers of non HTTPS websites, or rather the dangers of accessing them
So, uh... Is there any simple way I can run MITM on myself from my PC connected to the same network as the phone I'm using to access a website I own? It's a simple echo web server hosted on Heroku.
serious question not a joke
@flat creek if you wanted to do it 'properly', you should look into ARP poisoning and some sort of tool to help make MITM more manageable (such as Ettercap). Alternatively if you just wanted to mess around with decrypted traffic, you could use Fiddler and set it to intercept HTTPS (installs its own certificate, decrypts for you, shows you the plaintext packets). The obvious danger to HTTP is the submission of sensitive data in the clear, but injecting malicious code/replacing inbound data is also pretty damn scary. In fact, a hotel wifi provider (Hotel Internet Services) has been caught injecting ads in the past, they consider it a 'feature' (https://medium.com/@nicklum/my-hotel-wifi-injects-ads-does-yours-6356710fa180). I could go further here with a huge rant regarding malvertising, recent increases in supply chain attacks, and how various nation-state groups can utilize this technique which are all relevant to SSL/TLS specifically or lack of, but maybe out of scope a little. (example of nation-state-like entities injecting redirects for legitimate applications to alternative malicious (spyware) versions via deep packet inspection - https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/).
Apologies for the wall of text.
Thanks for the resources, I'll look into ARP poisoning since I'd already messed around with Fiddler :,)
@thorn obsidian airpods are bluetooth i believe so you could also look at bluetooth audio security. i know that back in the day there were a ton of ways to trivially listen in but i have not checked recently
aight I'll have a look thanks
anyone know any good websites / tutorials to get some basics on encryption in python?
what type of encryption? ancient ones like caesar, vigenere etc.? or actual modern algorithms
@gray willow
modern algorithms
and you want to implement those yourself or use libraries to apply them to something?
(that was an or question)
or do you mean none of those?
implementing modern algorithms yourself is usually one of the worst ideas you can have (at least if you use them anywhere) but if you really want to you basically have two options I guess
a) read the standards and go from there
b) read source code of libraries which already implement them and try to understand that
I am not aware of any website that is explicitly made for learning to implement modern algorithms in python
most popular one I know of would be https://github.com/pyca/cryptography
there is also https://pypi.org/project/pycrypto/ but that hasnt been in development for years
If you do anything in real world dont implement it yourself and even with those libs you can still get lots of stuff wrong so you might be better off using something like ssl if you do network stuff or something in that direction
oh yeah for sure i was just planning to use it for some smaller scale projects
@orchid notch thanks for the links!! are you working on something? or do you have any cool opensource networking/cryptography projects to share?
nah Im just into cryptography, I do have some rust crypto project which I stopped developing but that basically it
rust has just got best place in the stack overflow interest chart. way to go, good luck :)
What about Werkzeug? @thorn obsidian
Or Not I guess
Werkzeug is a webserver, no?
hi! i get this is a bit weird but does anyone know how to setup the tor proxy for all apps? ive tried torsocks but it wont open certain apps e.g discord?
im on ubuntu 18.04 LTS btw
some applications and websites block connections from the tor network
What different parts of security can Python play a role into?
Most PoCs are written in python, seems like the easiest language to write them in
@thorn obsidian id suggest that you check the code of these functions then they just call hashlib over and over
Werkzeug is however not related to the implementation of modern cryptographic algorithms
and while it might be a big name it is because of that certainly not related to the original question
Tell me if this is the wrong place for this but is port forwarding on a home router actually safe
Its using it for a python web based project lets say
its fine
the bad part is if you have a poorly written process talking to the outside world and it gets pwnd
^^
if your project is publicly facing use something like nginx as a reverse proxy locally, and use some kind of authentication (if your project is intended for only you to use)
while it's impossible to find every security hole, check that you're not doing anything that could end really badly like doing exec() on an input or sql injection
So in general, using Python for security, is the speed a major issue in terms of byte code compilation time/interpreter speed? Or would you just implement pypy or is it a relative non-issue? Even though it was stated I would only use Python/programming mild to moderately in cybersec, I am curious.
The performance differences are a non-issue almost always for security work
Obviously, it depends what you're doing
But generally speaking it's more than fast enough
hi guys, do you know any API free service which gives the ip reputation (if the ip was blacklisted through time)
@thorn obsidian AbuseIPDB
yeah i'm already using it
Gj
You could possibly use virustotal too
But abuseipdb is the best
@thorn obsidian https://www.spamhaus.org/zen/ perhaps
Censys might also be useful
They do scan for certain vulnerabilities and also return software being ran
And they do a better job than shodan at scanning IPs
https://fofa.so/API could be helpful if you want running services too
hmn i'm trying to develop a tool which automates the process of creating a Level 1 soc ticket it searches all those api and try to gather info about that ip. If you have got any suggestions, i'd love to hear them.
you could possibly check if the IP is a proxy or spoofed
nice
https://iphub.info/ / https://getipintel.net/ / By this tool you can query the Caida database in order to find if an IP may spoof or not. you could look into caida, not fully sure what it is
thanks a lot
np
kinda sketchy, right?
That looks very sketchy. Is that on this server?
@thorn obsidian https://fofa.so/API is this a paid service ?
not sure
I haven't really used the API before @thorn obsidian just the search
it doesn't seem to mention pricing
you need an account tho
yeah i signed in
but it gives me 401 Unauthorized, make sure 1.email and apikey is correct 2.FOFA coin is enough
grr
If they offer an API, I don't think they'd like scraping, even if the API fails
sucks for them 😔
No, as you well know, we don't allow violating the ToS of other services. so stop recommending that.
🙄
!warn 499340202687332362 If a staff member tells you not to do something because it's against our rules, posting a rolling eyes emoji is not the correct response.
:incoming_envelope: :ok_hand: warned @thorn obsidian (If a staff member tells you not to do something because it's against our rules, posting a rolling eyes emoji is not the correct response.).
Well, if your opinion goes against our rules, don't recommend it to people. It's simple really.
ah
Hey guys is overthewire a good stepping stone to enter the security world?
Ok ty
Due to me being on government Wi-Fi they are blocking me from connecting via PuTTy. Is there a solid VPN/proxy I can ride for free (even if it logs)
if they block you from putty there might be a good chance they block popular vpns
"Is there a solid VPN/proxy I can ride for free (even if it logs)" i am not too sure if running a free vpn is a good idea
they gotta make money some how and you dont know how
Hmm
Okay how about cheap?
@pearl yacht Nah, I used generic phone VPNs on their network with ease
u know, the pages of words u jus scroll thru when u agree to but never read when u sign up for something?
Yeah End User License Agreement
$3/m for best deal isn't even terrible but at that price you could get an actual vps to use as well
"vps"?
setting up openvpn is pretty damn hard to get wrong
yeah vps
a logical server partition
sounds like something i need to google
its essentially like a computer
Virtual Private Server?
companies buy racks of servers then they partition the server into virtual components and sell them off
right and youre suggesting that buying that and running your own vpn server is cheaper than $3/m?
it could be
you could be paying $3/m and have a vps to use as well as having your vpn, which works through your vps
it would be kind of shit tier hardware but still usable for hosting a small site or something
right and would it be as reliable or as secure as the main stream vpns?
for the cryptography part, yes it would be
for the reliability/server security it depends on the vendor
the vps i have right now is the best value for hardware i have seen and they have 100% uptime
which isn't uncommon really
and how much did u buy the vps for?
i have the vps 1400 one
they have some shit reviews online but i've been using them for a couple of months now and im extremely satisfied
this is just what i use, this is the best value probably anywhere
you can find something for $3 american im sure
but value-wise it will be much worse
so... u cant find a vps thats better than a $3 american/m vpn?
depends what you mean by better, in the end it depends on whether you will use the vps and whether you care enough to set up your own vpn and things like that
right
and let say i do set up a vps
is my ip masked into the server's ip? such that if i wanna be in let say britain, i can't because the server is located at texas and i can only be seen as in texas if i connect to the vps?
yeah the server's location is what applications and websites will see
it goes like
you know what i messed this graphic up lol im just going to delete it
essentially between you and your destination like a website
you have an encrypted connection between you and your isp that exits from the vps
yeah actually i jus thought of a rather unrelated idea. people seem to care about where VPN companies are located and whether or not they could ignore warrants from the likes of the us court. the courts may not be able to issue a warrant to the company's head quarters but can't they issue a warrant to the individual servers they have in the us to collect user data?
yeah it ultimately matters where it is located and they could do so
however the crypto behind the vpn keeps you safe somewhat
its probably a good idea to separate your own vpn from a vps that you might be using for other reasons or even just maintaining that vps
at least your prior data is secure, if at some point the vps is compromised because of something called perfect forward secrecy
it's worse if there are potential vulns in your vps that may allow some stranger to get into your vps and intercept your vpn
also when you use a 3rd party vpn, you get the option to choose to connect to different servers across the globe, vs only vpn-ing into your vps's host country
yeah it is kind of on you to know what you're doing if you make a website for example
i think it depends on the vpn
some limit you to one ip
maybe but the ones i've seen and used allow for you to connect to any of their servers set up around the world at no additional cost
and they're not very costly
could be, its been a long ass time since ive purchased a vpn subscription
I have somewhat of a security question and I need to know how to solve this.
So, I'm assisting an elderly individual to clean their e-mail ( easily 5,000 e-mails from a bunch of questionable groups/individuals ) of "You've won $gorillion dollars!" and other such tricks. The only issue... Is that they have an @gmail account and gmail doesn't seem to do really any decent filtering at all. Basic from/to/subject type stuff, but nothing on a more in-depth header level. So, how do you approach this? How would you stop the spam outside of getting an entirely new account ( because they can't )
Posted in #cybersecurity rather than any help channel, because this seemed more appropriate.
really? i thought gmail would have pretty damn good spam filtering
can't say im really too familiar with gmail though since that isnt my email provider, but perhaps they have an option to set the aggressiveness of filtering?
yea i'd expect that too
Yeah, and I've been told by many people that "Gmail's spam filtering is one of the best!", well that's not the case here..
some of those emails might be legal too in the sense that this person subscribed to them
so you might have to manually unsub
See, and that's the problem. It's not like they have 4,000+ from the same group. It's like, 18 here, 12 there, 40 here.
also you could probably do more if they had their email on an email client like firefox instead of accessing via browser
thunderbird
idk why i said firefox lol
Well, I've logged into Thunderbird actually. Only problem is that while I could very easily get rid of them now, nothing stops them from coming back because the lack of filters on Gmail's end.
Also, they have a cell phone - which I can't think of any mobile device's e-mail that can do great filtering either.
So, yeah, you see the issue.
i havent looked into it myself because i dont really get any spam but im pretty sure thunderbird has adaptive spam/junk filtering based on what you specify as junk
also you can probably make pretty extensive filters yourself or maybe there is some module/extension available already that does it
But that means all the e-mail has to go through Thunderbird itself. Which is easily defeated if their computer is off.
yep it is a tough problem no doubt
i would def look into seeing if there is an aggression option for gmail filtering
Doesn't look like it, and it gets worse...
Gmail checks the addresses or domain names that you enter against the From part of the message header, and not the Return-Path part of the message header. For this reason, From must match an address or domain you entered in the list. https://support.google.com/a/answer/2368132?hl=en
From is easily trivially spoofed...
@thorn obsidian From is protected by DKIM, isn't it?
gmail isn't going to filter on it, so not an issue.
@tropic bay it's wiser to buy a VPN imo
For $3 a month you get multiple locations and better privacy since you can switch servers with nord
Plus they use multiple ISPs which helps with getting past vpn bans
Hello everyone I wanted to ask one simple question and i will really appreciate if i can get a good answer how do i protect a computer from getting hacked?
and I am not talking about changing to a really good password
use 👏 linux 💯
apt-get update && apt-get upgrade is all you need 😎
just don't download and run weird files lol, don't always keep stuff like RDP/VNC/SSH/Telnet running when you don't need it
@thorn obsidian first of all that's not going to stop someone who is really trying to
@frozen thicket quite simple, you don't, you make the life of the attacker so annoying he finally gives up after some time
lol yes because big hackerman is gonna have linux 0day up his sleeve 😎
there's a higher chance of a guy kicking your door down and stealing ur pc
with outdated packages it can become very likely tho 😔
You don't need to have a zero day to attack a Linux system, consider for example Gentoo, whose GitHub got taken over and injected malicious code into their systemd. If they wouldn't have noticed it, a package upgrade would in fact have brought the vulnerability on your machine
and the next one would've removed it
doubt actual people automatically update either way
well i dont think u need any zero days to attack any system
just need the guy to be dumb enough to click "run"
or be dumb enough to set his password to "password123" "ilovemydog" or "iam handsome"
Well yea I did say not to run weird files
He did say excluding passwords
Oh yea I also suggest possibly checking if you're in any data breaches
Hey guys, I'm setting up a webapp with django that has an api coupled with it that uses OAuth2 for its authentication. There is also a desktop client involved (written in python too) that has a client_id , what would be a good way to authenticate this client? The only thing that is exposed is the client_id
How good is Python at malware analysis
the real question is: how good are YOU at malware analysis
what im trying to say, with respect to malware analysis there isnt really a "best language"
I personally value C# higher than any language on any non-ui related subject, for example ;d (but that's obviously very subjective)
@thorn obsidian complete garbage. But I'm all for utilizing my time the best. So I was curious if Python could be used to breakdown malicious software for sandboxing or anti-virus or something
cough cough send file to virustotal with python or do it manually cough
How does one "do it manually"
- Go to https://virustotal.com/
- Drag and drop or click Choose file and choose which file**(s)** to upload
- Upload
4 ????
^ That's how you'd do it manually
Well that too, I also meant manually checking the file for suspicious code
It wasn't clear that's what was meant.
True
@obtuse siren virus total has an api, if you want to automate it
hello there
Serious question, do people here actually report IPs they notice that tried to bruteforce your servers/work servers? Or do you all just set up honeypots
i just blacklist countries that are not supposed to access it, setup stuff like denyhosts to blacklist ips that fail multiple times and move services to different ports or just use a vpn.
if its not a web server or a vpn server it prob shouldnt be open to the internet
k
hi guys, are there any SOC L2 analysts here ? i'd like to get some feedback on a project that i have been working on
Do any of you guys listen to things passively to learn stuff ever? I have some podcasts that I listen to but I'd like better ways to actually educate myself passively over time
I do it more for "general knowledge"-type things that I want to know, as opposed to specific knowledge I want to try to remember
Like, I'm currently listening to a podcast on historical events around hacking
True, it's hard to get technical stuff in my head passively like that
What podcast is that you were referring to?
@cloud horizon Dark Net Diaries by Jack Rhysider
Awesome! Thank you
Received this email a few minutes ago: "On Thursday, April 25th, 2019, we discovered unauthorized access to a single Hub database storing a subset of non-financial user data. Upon discovery, we acted quickly to intervene and secure the site. We want to update you on what we've ...
im surprised at how few honeypots there actually are (or that post to abuseipdb anyway)
with the amount of reports coming in I expected a larger number but I ran into 3 out of 4 million IPs
I might've asked before here how to deal with password input, but:
I'm thinking of creating an e-mailing module to integrate with tools for reminder e-mails and such. My idea to securely store passwords for verification is through CSVs, with the e-mail address in the same row to quickly look and verify hashes (input password hashed, with a secure crypto-encryption, the CSV ones as well). However, what's the best way to handle the input of passwords? Wouldn't the passwords be stored as plain text in RAM? I would like to prevent a lot of common 'security flaws' regarding the small project, as a challenge.
If you start caring about whether or not things are stored in plaintext in RAM then python is the wrong language for you, actually every language is the wrong one for you because everything has to be in RAM to be processed at some point. However, especially python might be bad for you then because its a bit more interesting with the values in RAM there.
Moving on, hashes are not encryption, encryption is reversible, hashes arent, but thats just a detail.
And the most common flaw would be using broken algorithms like md5 and maybe even SHA1
SHA1 is broken as well, right?
it is no longer considered cryptographically secure, yes https://en.wikipedia.org/wiki/SHA-1
Since 2005 SHA-1 has not been considered secure against well-funded opponents, and since 2010 many organizations have recommended its replacement by SHA-2 or SHA-3. Microsoft, Google, Apple and Mozilla have all announced that their respective browsers will stop accepting SHA-1 SSL certificates by 2017.
In 2017 CWI Amsterdam and Google announced they had performed a collision attack against SHA-1, publishing two dissimilar PDF files which produced the same SHA-1 hash.
Yup, there we go
But I think that, even if it wasn't broken, it's still bad to store passwords in it. Cos it's weak enough that is vulnerable to dictionary attacks
yeah thats why I added a "maybe"
If a hacker gets hold of the hashed passwords, they can use hashcat to try to get the original plain text password. Then they can try to "credential stuff" other websites
sounds like you'd still be a pain for the hacker if your password is YIUDSFB879b%t*^&*7 and not "Ilovemydog" or "Iamawesome"
Oh yeah, a unique password like that will be tricky to reverse even with a SHA1 hash.
sad thing is, you can prob count the amount of people you know with unique passwords on 1/2 a hand of fingers
Yup indeed
If only more people used password managers ...
Well, I'm hoping Chrome's ability to auto-generate strong passwords since v69 has helped things a bit
yeah but if they dont come with a secure vault, it sounds like a waste of time
How do you mean? Do you mean that Chrome's implementation of password storage isn't secure?
well i dont know if it is
if it is as secure like a password manager then it would be useful
I think that Chrome's implementation is useful. If used, it prevents one of the big attack vectors out there - credential stuffing
It's not perfect, and it's missing features in other dedicated password managers for sure. But it's a lot better than nothing
i thought they store password in plain text when you hit the "save password" button
Maybe they do, although when I used the Chrome implementation, I always had to put in my Windows user password to be able to view my passwords
But still - I think you'd much rather have a user use that anyway. Because at least then they are safe from the credential stuffing attack
@quasi turtle KeePass always also exists
Yup, lots of password manager options out there
Lastpass, 1Password, Keepass, Dashlane, etc etc
I use 1Password for personal usage, and at work we can get Keepass which I use there
KeePass is the only thing I recommend, because storing your passwords online doesn't seem like the smartest thing...
For me, I need to have password syncing, and password managers store the password file encrypted
I just copy/paste the .kdbx file to external media
Remember to do it every x amount of time, you're good. Becomes a habit.
That's just extra friction I don't want to have to deal with
Whenever I add something to my 1Password vault, it's available on my desktop and phone without any extra hoohaa involved
With it being the channel it is, I don't think I'm alone in my belief of KeePass 😄
Oh don't get me wrong, I think Keepass is great :)
I use it at work and it's a fine password manager
But, I want a better UX than what Keepass has to offer. I want syncing, I want notifications of breaches and automatic checking against Have I Been Pwned and all things like this
And, yes, you can configure Keepass to have many of the above
But I just prefer a solution that has that all built in
I don't want my password database to connect to the internet, period. You can very easily do the HIBP stuff yourself. Lemme link.
I don't think anyone is telling you to
Also works for an entire domain if you can prove ownership - https://haveibeenpwned.com/DomainSearch
While there's merit in the argument that having credentials online isn't as secure as limiting it to a local copy, the security of online services like 1password, LastPass and Dashlane are pretty well tested and protected and has yet to really have any significant issue. They do hack challenges and pen testing constantly and are always improving it because their service hinges on it.
It's fine to personally not want to use them, but continuously trying to force others to not use them gets a bit lame.
@thorn obsidian 1Password and others have connection to Pwned Passwords
@quasi turtle Sure, but it seems silly to not do it yourself.
Why? Again, I don't care about setting all that stuff up
Yes, HIBP has the pwned passwords API
But then I'd have to set something up to do the hash of my password and then check part of the hash against the API and so forth
You don't need to do that at all
Really? How do you integrate with Pwned Passwords?
I thought the link you posted was for the emails
Not the passwords
Mostly just worried about compromised e-mails/passwords, as opposed to bad passwords.
But Pwned Passwords tells you exactly which password got compromised
Knowing which email gets compromised isn't enough if a) you use an email for multiple online accounts, or b) the email/password combo is on one of those combined files like Collection 1
You don't know exactly what you need to change
With the password API you know exactly what password you need to change
I should also mention - I also get prompts to change my password on accounts for websites that did something stupid but wasn't technically a breach
For example, FB and Instagram left hundreds of millions of passwords in plain text for years.
The news broke about a month back, but kinda went under the radar because they didn't actually get hacked and there was no confirmed breach
But still - 1Password marked the passwords for those accounts in my vault as insecure and prompted me to change them
This is something you wouldn't get in Keepass, but 1Password has it out of the box
Not too worried about it. Most all accounts have 2FA enabled on them.
Yeah but if the password actually did get taken, then you don't have 2FA, you have 1FA instead
At the moment, FB has assured us there was no breach, but I don't want to take their word on that at all
My argument to that is if someone you have an account with you feel you can't trust, I'd get rid of the account.
I don't think FB would lie about something like this (at least I hope not)
It's more like, why risk it? Changing a password is very easy to do and once you do it, the account is absolutely back at full strength
Also, sometimes you have little choice over what services you are registered with
Example?
I say little, rather than none. But for example, if you buy an Android, you kinda need to have a Google Account to get apps on it (yeah I know you can install apps outside the store but most don't do that).
Many of my friends are only accessible on FB Messenger, so I feel like I have to at least keep the FB account or cut contact with many people
That kind of thing
Err
I have an Android device without Google Play/Services and get apps via Yalp.
Also all up-to-date. Patch level of April 5, 2019
To repeat myself: yeah I know you can install apps outside the store but most don't do that.
https://www.zdnet.com/article/security-flaw-lets-attackers-recover-private-keys-from-qualcomm-chips/ - interesting.
Perhaps the Apple ecosystem is a better example though
Yeesh that bug doesn't look nice
"KeePass is the only thing I recommend, because storing your passwords online doesn't seem like the smartest thing..." Perhaps the most secure thing to do is the old fashion way where you write your passwords in a word document and you encrypt that. thing is tho, i think hackers would rather go for the low hanging fruit passwords looking like "Ilovemysnake" or "iwantaporsche" then guys like us who use 20 character long passwords looking like this: UYGOYUygiui7687^&*^hjbvj.
i got my self bitwarden cause it's open source, cheap and has everything i need
@tropic bay That's fairly silly to use a word document, considering KeePass uses a password and a keyfile.
@tropic bay automated probes pull in the whole dataset though
i have a 9 character random password that got used for one of those bitcoin blackmail spams
I had a 16 character random password that was used for that too
If a company uses weak hashing, or they just store in plain text, it's possible :(
At least you guys got a password used on you. Mine was just "I hacked your webcam!", which is weird considering I have it disabled in the BIOS.
If I hadn't known my password had been hacked beforehand (thanks to HIBP) I would have been a little freaked out by the email they sent
I can easily see those emails tricking more unsuspecting people, as the hacked password gives it a ring of authenticity that most dumb phishing emails don't have
@quasi turtle imo you should use something like weleakinfo and not hibp
Any reason why?
they provide private databases & allow you to see the hashes (but they have a crack hash option which almost always works)
HIBP lets you download their database of hashes as well.
yes but that's not very helpful to know if your password is in what db
its way easier to search your email and be given a password too
Oh ok you want the emails and passwords together
well if you want them, then weleakinfo is better
because it gives you the exact data that was breached not just a yes/no question and hashes elsewhere
Yup fair enough
HIBP will let you search emails separately, and tell you the breaches for it. Or let you search passwords separately.
But it won't let you do combinations of the two
Does anyone have any suggested importable modules that allows me to work with IPs?
@thorn obsidian "Work with" IPs?
Let me explain. I am going to try to create a Python program as a final project for a class that will allow me to check if my website for my Web Dev course is being attacked (DDoSed to be more spec.). For my Adv. CyberSec course, I am going to DDoS the website.
I imagine you'd be dealing with an HTTP server?
AWS
So, I assume HTTP
Fail2ban / mod_evasive on Apache comes to mind
Never heard of those. Can you explain?
I could be wrong, but this seems like it will ban the IPs. I just want to create a program that says Yes, this site is being attacked or No, this site is not being attacked and nothing more
It will be less corny than how those are worded, but it will be along the lines of that
Also, Scott, since the website is going to be using html, css, js, etc., should I put all of my files on my GitHub?
I have the student discount, so I have access to private repos
Private repos are free
I imagine you could do something with fail2ban
Oh. I guess this whole past year, I read the thing wrong. Lmao
Well, it was a recent thing
How recent?
Before the summer of 2018?
Or after?
https://github.blog/2019-01-07-new-year-new-github/ beginning of the year
Oh. Then, what are the perks of a paid sub now?
No idea
Should I just cancel?
That's up to you
I will look into it sooner or later
Thank you for the help and info
No problem!
I have a question if anyone would be able to help that would be great?
So I wanted to know if I encrypt data locally and then send it over a socket to a server which then decrypts it locally is it secure against man in the middle attacks? I am new to all of this so sorry if none of this makes sense
that would be end-to-end encryption, so technically it should be safe if you distribute your keys safely and use a strong encryption method that also signs the message so that the receiver can verify the authenticity of the message and that you're the correct sender
e.g. just encrypting stuff with the public key of the other party would not be enough because then a third party could still impersonate the original sender
(I am no expert though, take any advice with a grain of salt. The responsibility for whatever you make based on this is only on you. And generally, don't roll your own crypto for anything but academic/learning projects that never get online - use well reviewed and established secure libraries)
Ok thank you that is very helpful 😃
@thorn obsidian @thorn obsidian The main perk of pro is unlimited users on those private repos
I think you're limited to 3
Can someone please guide me if there are websites or places i can learn how to protect a software i made from getting hacked?
depends what the software is, depends what there is to protect
@frozen thicket if this is a situation where you want to put data on a user's computer and not allow them access to it, you can't fully protect it period. you can just burden anyone trying to get to it. but if it's ever plaintext, e.g. when the program runs/uses it, then the user can get it.
the safest way to protect software / data is to never give it to the user such as by making a web page instead.
@thorn obsidian Yeah like Byte said encryption alone isn't enough. You need to both securely share the keys ahead of time AND be able to know WHO you are sending those keys to. There are protocols for that but if you know the person IRL it's pretty easy to preshare keys in person.
either way though you should always use existing audited tools and libraries for this and avoid writing your own crypto code.
@cedar pelican Something I never have to worry about, lol
@frozen thicket Gonna need a lot more information as to what you're doing.
hey

I installed pip3 install dnspython3 from GitHub through the Command Prompt. Is it already usable via PyCharm or do I have to do some extra configurations?
@thorn obsidian Did you pip install it or did you run the setup.py? Because if you pip installed it, you didn't install it from Github.
I used that exact command to install it
Then you'd have installed it from pypi
Do...
```
import dnspython3
print(dnspython3.__version__)
```
You should get 1.15.0
Okay, it actually might be dnspython you import rather than dnspython3
```
Traceback (most recent call last):
  File "C:/Users/judgi/Desktop/PythonFinal/dosCheck.py", line 3, in <module>
    import dnspython
ModuleNotFoundError: No module named 'dnspython'
```
Either way of spelling it @thorn obsidian
I'm not sure, I'd check the docs
oh hey!
pirate ebooks
Violent Python is a nice resource, but all the examples are in Python 2
Ooh
Nice
Is it okay to use windows or should I switch to linux
I mean python is cross platform so it shouldn't make a difference?
If you're getting into cybersec, learning how to get around in Linux would definitely be a plus
lol windows exists

Great
For home I'd recommend parrot or Ubuntu
Is the use of premade scripts considered plagiarism?
Ones that I find in GitHubs that is
depends on their license
Where and how would you look for that permission in their license?
And also, if the license allows the use of it, is it normal for programmers to use their scripts or alter them?
in most github repositories is a LICENSE file
if there isn't, the guy who uploaded it is the copyright owner
I found the license which is under the General Public License
for SSL and TLS do they all use symmetric encryption for data?
They use hybrid encryption so both symmetric and asymmetric, however due to asymmetric cryptography being slow it's just used to transfer a symmetric key which then does encrypt the data
Also SSL and TLS are two names for the same thing
who has used this before?
🤢
Not a fan of honeypots
Isn't a honeypot something else
Like it's not supposed to be public knowledge that it's a honeypot
well he didn't say his server ip so
If I want to secure a database server in terms of encryption would the best approach be to use hardware encryption in addition to application level encryption like bcrypt?
@thorn obsidian you wrote it yesterday but parrot is not really nice for a beginner
and i prefer mint over ubuntu
mint is better than ubuntu imo
doesn't look that good imo lol
What is mint never heard of it
@orchid notch SSL and TLS are two different things. They're not the same thing.
I would hope no one is using SSL in 2019
@tepid rover They're talking about Linux Mint ( https://www.linuxmint.com/ )
It is
Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols find widespread use in applications such as web b...
A lot of people refer to TLS when they say SSL?
`SSL 2.0 was deprecated in 2011 by RFC 6176.
In 2014, SSL 3.0 was found to be vulnerable to the POODLE attack that affects all block ciphers in SSL; RC4, the only non-block cipher supported by SSL 3.0, is also feasibly broken as used in SSL 3.0.
SSL 3.0 was deprecated in June 2015 by RFC 7568`
They do, but it's two different things
Oh okay
I am using openSSL which seems to have both
Disabled SSL and 1.1
Trying out 1.3
Good. I mostly just have TLS 1.2 enabled these days. 1.3 is still "experimental" in Debian 😃
Do you implement perfect forward secrecy?
Sorry, went AFK. Yes I do.
Anyone have any suggested modules I can look into that allow for requesting info about data packets being sent to websites? I would like to create a script that allows me to use info about data packets being sent to a website to check if the packet size is over a certain size.
@thorn obsidian So you want Content-Length?
Trying to piece together what exactly you want
@thorn obsidian Sorry for the late reply. Anyways, so I want to check if a packet is > 65,536 bytes. I am using this to check for a DoS attack on a given site
That's a horrible way to check for a DoS
Apache or Nginx?
Apache
Well
I am going to have a few requirements for the program to say that it is a DoS.
The packet size is only one of the requirements
Check out mod_evasive then
Alrighty
Also, do you have experience with AWS?
``The module works by creating an internal dynamic table of IP addresses and URIs as well as denying any single IP address from any of the following:
Requesting the same page more than a few times per second
Making more than 50 concurrent requests on the same child per second
Making any requests while temporarily blacklisted
If any of the above conditions are met, a 403 response is sent and the IP address is logged. Optionally, an email notification can be sent to the server owner or a system command can be run to block the IP address. ``
I do, why do you ask?
So, I have to enter a URL to check in my script, but it has to be in the format of http://www.website.com. I typed my whole ec2 link into that template, but I get errors.
I assume I need to configure it to give access to status code requests
Not really a #cybersecurity question, but I'd look up how-tos and read up on it
i wouldn't have apache handle this particular issue at all tbh.
at the packet level you should have your firewall filter these packets and you could have tools like snort or something designed for it monitor for bad behavior
mod_evasive would still be good for detecting strange http accesses. but for packet stuff that should happen before it ever hits your apps
Sure, but that's not really what they asked.
well since tcp packets are not really visible to applications as packets but instead become streams of data, i feel like it's going to be hard for apache to do anything with their size since it never sees them.
now if he just meant he wanted to filter very large http requests then apache is the best place for that
anyone here used either of the 2 nmap libraries? both seem to have limitations or bad documentation
guess I'll just try and ask for help in a general way with figuring out how this library's functions work
@stoic ember Someone probably does use the library. Ask your question
i asked in help earlier and mark helped me out
i couldn't figure out how to get to the services from an nmap scan using libnmap and it was because you have to iterate through the host portion of the parsed info before you can get to the services
also I'm still learning some of the fundamentals of python which made understanding some of the unspoken obvious things a more seasoned person using the library would just know
it's actually weird i couldn't find any real uses of it online to reference, everyone just uses subprocess to call nmap and only uses the library to parse the file output
I've noticed that as well, not sure if it's because that functionality was added recently, if there are issues with their implementation, or if it's simply a case of people not reading the docs 
it's a mix of both
the doc examples will be half written in python2 and python 3 and contain functions that have been removed
and I'm not talking about separate examples either, this is one code block with all 3 of those things
How is python used in cyber security