#cybersecurity


ancient nacelle
#

I'm sure you're actually supposed to use binary, but surprised you got it working with UTF 😄 gj @thorn obsidian

thorn obsidian
#

Hmm

#

Gotta keep working on new shit

dark walrus
#

my friend is interviewing for a security position, and i want to give her a mock interview, except i don't know shit about security, would you have some good questions to help?

daring sedge
#

I know someone who interviewed for a cyber security thing recently and the questions they were asked were apparently quite generic:

How would you go about securing a network?
How does HTTPS work? (Along with asymmetric vs symmetric encryption)
What is a VPN and how do they work?

along with some normal programming/data-structures questions

dark walrus
#

eh thanks

#

i will ask

#

and i will do the "Tell me about a time where " X question

thorn obsidian
#

@dark walrus what position exactly, if you don't mind me asking? Security is a very wide range, it's like asking "what would you ask hiring for an IT position"

dark walrus
#

checking with her, i'll ping you back, i don't know exactly as i didn't read the job posting myself

dark walrus
#

@thorn obsidian "security specialist" she's not sure what that means and will see during the interview i guess

lusty flare
#

noice

#

An SQL injection vulnerability in the Government of Gibraltar's website paved the way for any old Joe to rewrite official web versions of the British Overseas Territory's laws.

rapid torrent
noble kraken
#

that seems cool

#

might even join in

rapid torrent
#

awesome!

#

@noble kraken they have an e-mail submission form i think

lusty flare
#

filling in a self assessment form for cyber sec cert

#

~20 pages of this shit

lusty flare
#

some of the questions are interesting actually

#

Are all administrative accounts only used to perform legitimate administrative activities with no access granted to external email or the internet?

#

thanks internet explorer

#

i'm sure that microsoft in-built about page was dangerous

#

that previous question though seems a bit weird

#

thoughts @thorn obsidian ?

#

administrator accounts with internet access

thorn obsidian
#

depends how paranoid you are

lusty flare
#

that one seems pretty paranoid

thorn obsidian
#

it's good practice, but not very useful. If you're admin, you can just impersonate another account that does have internet access

lusty flare
#

not just that but i think there are some tasks you might want to perform that would require internet access as well as admin rights

thorn obsidian
#

well, yeah, you can probably get around that by setting up whatever you need locally, but... that's a lot of effort for not much gain

lusty flare
#

wonder if they classify this as a minor

#

the certification is sort of like a driving test

#

minor / major failures

#

can have 10 minors

#

apparently having remote workers and no VPN set up for them is just a minor

#

but that implies they're probably going in through RDP or something

#

so the threshold for passing this shit is suuupppper low

lusty flare
#

self assessment completed

#

a number of curious questions where i'm like

#

"uhhh... should that even matter?"

#

Do you have anti-virus installed on all networked devices?

#

not on the switches m8

#

or on the local linux servers

thorn obsidian
#

TIL workstations which are not network-connected don't need antivirus

#

everyone knows viruses can't traverse through removable media... duh

lusty flare
#

well there is another one about turning off auto-run for removable media

smoky ermine
#

This may be of interest

lusty flare
#

yeah, there's a lot of ways to exploit a machine if you can physically walk up to it

royal latch
#

Yeah my joke is ... Once they have physical access you lose

lusty flare
#

there's harm mitigation at that point

#

disable / glue all the ports shut

#

have a fully encrypted disk and auto-shutdown on chassis open to clear memory of keys

#

install thermite in there

#

loads of options, just not great ones

thorn obsidian
#

@lusty flare @royal latch Except that's not the case.

#

@lusty flare Also, auto-run hasn't been a thing since Vista

orchid notch
#

i mean...one could just violate the rules set by that thing on purpose, shutting it down, and then they can do maaany things...like....live boot a completely different OS....like change the init system of your linux to /bin/sh to gain a root shell on your machine etc

#

that thing doesn't really protect against anyone actually trying

#

nothing protects against someone physically present actually trying

lusty flare
#

@thorn obsidian i believe windows 7 still had it enabled for CDs

#

perhaps 2008R2 as well, since it's the same era

#

also i'm not sure on the default GPO behaviour in AD anymore

thorn obsidian
#

Nope, sure didn't. Vista disabled that.

#

@orchid notch Like I said, it needs work. It's implied it's running on a system with FDE as well.

#

But it's certainly better than nothing

orchid notch
#

@thorn obsidian it's a python script, a python script can't possibly tamper with your thing if someone has physical access to it and can disable the part of your OS starting your protection thingy up at boot

thorn obsidian
#

up at boot - If someone has the FDE password, you have many other issues tw

lusty flare
#

hah

#

gonna take a look at that repo now i'm at work

#

I see that you had previous interest in our Weekly Threat Briefing, and I wanted to reach out to see if we can answer any questions you may have.

We’ve been releasing a number of exciting new features to help organizations detect, prioritize and respond to the most serious threats targeting their network. May I help set up a call for you to learn more?

Thank you and I hope you have a wonderful morning,

#

NO

#

I WONT.

#

RACHEL.

#

so many emails from getting scanned at expos

#

:|

#

nifty little tool

#

autorun vs autoplay is perhaps where i got confused

#

i believe there have been proof of concepts with autoplay still

blissful raven
#

I don't really understand the debate about physical access == total compromise. There were several cases in the media that talked about IS stuck to unlock iPhones for example

olive lark
#

the only time I can think of where physical access does not lead to total compromise is when the data is encrypted

#

and the Bad Guys aren't going to give the device back to the Good Guy.

#

(If they were, they could install a keylogger to capture the encryption password)

blissful raven
#

data is very often encrypted today, thanks to Apple (which has other downsides)

thorn obsidian
#

I'm not sure why Apple has anything to do with encryption?

olive lark
#

apple's operating systems offer decent disk encryption

#

I think iOS encrypts everything by default; MacOS it's an option

#

my mac at work is encrypted up the yin-yang

#

so if the power is off, or even if you're logged out, nobody can get your data, even if they take the "disk" out and plug it in to their own computer

thorn obsidian
#

as do other operating systems? Full disk crypto by default has been a thing since android 5.0, windows has and encourages bitlocker, Linux has excellent cryptography support with LUKS, etc

#

not sure why Apple is being praised here

olive lark
#

I suspect Apple makes it easier than Linux (as with most things). Windows I can't comment on

#

also @blissful raven , like me, might not have realized those other options were available

thorn obsidian
#

Erm... most distro installers only require you to tick a box to enable (at least) home partition encryption, not sure how it could be easier

#

I'm not saying Apple doesn't have excellent crypto support or anything, but I seriously dislike how they keep being praised for things they're not responsible for cultivating or pioneering

olive lark
#

I don't doubt that disk encryption with Linux and Windows is a lot easier than it was 10 years ago; I haven't used either in about that long, so I'm out of touch.

#

But I'd be very surprised if MacOS weren't the first operating system to make it easy

#

I'm not sure that Android encrypted by default at the beginning

#

wouldn't be surprised if half the android phones out there still don't

thorn obsidian
olive lark
#

fair enough, but ... 2014 wasn't that long ago

thorn obsidian
#

it's around the same time iOS started rolling out crypto

olive lark
#

I've been using Android since 2008, so ...

#

that was a long time without encryption

thorn obsidian
#

that's literally when android was first released

#

2008 september

olive lark
#

even if "Android" started doing something in 2014, it takes literally years for those changes to appear in actual customers' hands, due to the carriers and manufacturers dragging their feet; in practice, iOS changes get out much more quickly

#

@thorn obsidian you are correct, sir/ma'am. I bought a G1, the first Android phone available in the US.

thorn obsidian
#

okay? the first iPhone was 2007, so technically iOS went even longer without crypto

#

I'm not sure what your point is

olive lark
#

if you assume that every phone in existence magically gets upgraded the instant that the software is available, sure

thorn obsidian
#

so this is no longer a discussion about crypto, but rather just attacking another (mostly irrelevant) weak spot in how vendors choose to implement the open source project

#

got it

olive lark
#

yeah I'm bored talking about this tbh

#

let's let other people ask some real questions

thorn obsidian
#

@blissful raven What do you mean IS stuck to unlock iPhones for example?

little scroll
#

I think in terms of security we have to use denuvo protection

tawdry lake
#

This is from another server, had to spread the word

thorn obsidian
#

@little scroll Surely you jest?

thorn obsidian
#

@tawdry lake QR codes are fantastic for long strings - like a Wi-Fi password or a cryptocurrency address. They're also pretty neat considering you can use them to transfer a contact's vCard to your device. That way you have their number, e-mail, etc. What they're not good for, is anything to do with a website. You have no idea what website you're going to, or if it's questionable or not. I wrote a blog post about just this about a year ago.

tawdry lake
#

@thorn obsidian I never scan QR codes from a random website/people tbh, but i can see why

simple orchid
#

a good scanner app will show you the link instead of just opening it

tawdry lake
#

like what would that be? though i personally never use QR

#

tbh

simple orchid
#

and you can't tell by looking at it that a qr code is a url or vcard or wifi or whatever else anyway

#

like the one built in my phone just says "tap here to go to "[the domain]" in your browser"

#

not the full url, weird

#

but it doesn't just automatically open it

#

@thorn obsidian link to the article?

#

When you try to log in to a PC client, a QR code is displayed. The Discord servers sent this to the client, and it uniquely identifies that client on that PC if you scan it with your phone. If you do that, then the Discord guys have naïvely set it up so that you have now authorized that PC client to log in.

What a-holes are doing is pulling up the client on their own PC, taking a screenshot of the QR code that identifies their PC client, and then posting the screenshot to others to scan. When someone scans it, the Discord servers think they were physically present at the PC and authorized it to log in, so boom, the a-hole is now logged into your Discord account on their own PC.

#

[if you open the url in a browser it just redirects to the app download page]

marble dawn
leaden blaze
#

They should let you disable it

marble dawn
#

I guess so

#

They probably just expect you to not use it

leaden blaze
#

If someone gets a hold of my phone for just a second, they could use it to log in to my user account on their device

marble dawn
#

You don't lock your phone?

simple orchid
#

hmm i wonder

marble dawn
#

You always need a pin or passcode lock on android, even if you don't anticipate this being a problem

leaden blaze
#

Depends, I started doing it recently. I didn't use to lock my phone in the past.

marble dawn
#

It encrypts the storage

simple orchid
#

bleh

#

i don't have a lockscreen because i'm scared of buttdialing 911

#

since every lockscreen puts a single-click "emergency call" button on it

#

like

#

at least pop up a keypad and make them go through the motions of dialing 911

marble dawn
#

It does still make you type in the number and hit call though

simple orchid
#

does it now? it didn't used to

#

and i'm not inclined to test mine

mellow parcel
#

If someone gets a hold of my phone for just a second, they could use it to log in to my user account on their device
I would imagine people who can get hold of your phone physically likely wouldn't be interested in that

simple orchid
#

eh

mellow parcel
#

Yes it asks me to type the number

simple orchid
#

also they'd have to have their pc with them

mellow parcel
#

And then to hit phone

#

So basically same as if phone is unlocked

marble dawn
#

Yeah if someone malicious has my phone they're going to sell it, not use it for discord

leaden blaze
#

Hmm, I guess I treat my phone differently from you

#

I let people use my phone if I'm showing them photos and so on

#

I'm not talking about theft

marble dawn
#

I don't let anyone use my phone

#

That'd be irresponsible, it would give people access to things that I run for others

mellow parcel
#

Well yeah. But who of those people you let use your phone would want to log in to your discord

leaden blaze
#

I hope no one, but that assumption can be dangerous

marble dawn
#

Yeah, Ves is right

leaden blaze
#

Anyway, I don't want a log-in method that bypasses 2FA and passwords entirely, I think it reasonable to have that option

#

That's the only thing I'm asking for

marble dawn
#

It probably should still 2fa, yeah

#

Or even better, it should require password and be a form of 2fa

leaden blaze
#

I will change my behavior, since it's not just my Discord account, but it unlocks a lot of potential fuckery with this guild

mellow parcel
#

Well that's true.

marble dawn
#

Do yourself a favour and set a screen lock

#

If you have a pin or password, that will be your encryption key for your storage

leaden blaze
#

I've got a lock screen for a while now. Some of my apps require it.

marble dawn
#

You can still set up fingerprint or face unlock alongside it as well

#

Ah, fair

leaden blaze
#

I don't have a fingerprint sensor

marble dawn
#

Well then I guess you can set up face unlock or..

#

Hmm.. Pattern lock?

mellow parcel
#

Also I don't remember 100% but I think some OSes let you set a specific password or something for specific apps?

marble dawn
#

That's a launcher thing usually

leaden blaze
#

I'm using a password for the lockscreen these days. Somehow, those are easier for me to remember and trying to remember more PINs messes with my memory of other PINs that I use less frequently.

marble dawn
#

Password is fine, yep

#

I combine pin and fingerprint

mellow parcel
#

Same.

#

Btw
Anyone use bitwarden as a password manager?

#

From my google research it seems to be safe

marble dawn
#

I use it @mellow parcel

#

It's fantastic

mellow parcel
#

cool. I installed it some time ago but did not really start to use it. Recently I realized that I cannot reproduce the master password, and that is when I understood that it is secure because you can't restore it 🙂

marble dawn
#

Haha, yeah, you need to remember that

#

It's good, I use it for everything

#

Apps are good too

mellow parcel
#

@marble dawn yeah I actually knew what should be inside even without a hint

#

but I could not remember the assembly rule of my master pass lol

#

do you use 2FA for it? and which one?

marble dawn
#

I use a yubikey

#

But I have a backup authenticator app via Authenticator Plus

#

I like that one because it can back up my codes

mellow parcel
#

eh, don't have yubikey. Maybe will do authenticator + for now

thorn obsidian
#

@simple orchid My article? It's pretty much just reiterating what I said. I need to clean up the design too

#

I tried a Yubikey, but the hardware nature of it and lack of backups turned me off of it

#

Backups consist of "Buy another one"

marble dawn
#

Well yeah

#

That's kind of the point

#

It's a security device, there are no backups

mellow parcel
#

yeah it is like the fact you can't restore master password of bitwarden

#

only delete acc

thorn obsidian
#

@mellow parcel Those are two separate things, though

mellow parcel
#

yeah

thorn obsidian
#

Bitwarden is more of a KeePass or some such

#

Yubikey is more of a "This is better than TOTP"

mellow parcel
#

TOTP

#

?

thorn obsidian
mellow parcel
#

it's like those google authenticator apps where you have a key every 30 sec

#

or smth

thorn obsidian
#

Yeah

#

They're SHA-1 if I remember correctly

marble dawn
#

I mean they are better

#

Just don't lose it or break it

#

You should clone one if it's your only form of 2fa

thorn obsidian
#

Yeah, that's what worries me though

#

I don't want to spend ~$50 for a device, and lose it/it gets stolen/it breaks/etc

#

Then I can't access anything

marble dawn
#

Security and convenience do not go hand in hand

#

You have to sacrifice one for the other

#

Finding the right compromise for you is part of the process

mellow parcel
#

it's 50$?

thorn obsidian
#

That and threat modeling

mellow parcel
#

wow

#

but yeah, security 🙂

thorn obsidian
marble dawn
#

Does it say no?

#

It does!

thorn obsidian
#

@thorn obsidian link to your article?

dark walrus
#

Does someone have a small resource on how to secure a small server for noobs? I just rented a server for the first time this weekend (i'm not really experienced with linux or servers in general). I removed the root access by password, and added a ufw firewall i think. Next i'll try to make sure that docker doesn't bypass the firewall and try to connect with an SSH key. Any idea what to do next that is simple to read/understand/do?

#

It's a $5 server just for dev things, so no sensitive data yet

thorn obsidian
#

set up explicit ufw rules for each of your applications, only use key-based ssh for all accounts, disable ssh access for the root account entirely, set up unattended upgrades, don't copy-paste random commands from the internet before being 100% sure what the command does

dark walrus
#

Thanks i'll check the ufw deeper and the rest too

thorn obsidian
#

additionally, don't fuck around with sudo rules

#

never set NOPASSWD

#

might seem convenient, but... just no

#

limit group access, don't go crazy adding yourself to groups

#

having access to the docker and lxd groups = basically effortless root privesc

thick flint
#

In that same vein - is there a suggested article for database security? I am trying to create a program that uses google sheets as a database and intend on distributing the program to multiple end users

olive lark
#

I don't know of any such article, but I imagine you'll have to require all your users to have google accounts, and somehow have them authenticate to google before they can use your program

#

obviously you don't want to touch any of their credentials yourself

thick flint
#

Yeah absolutely! What i'm doing right now is using the credentials i received from the google api under my own account. My idea for the login is to have them create an account, which is simply to have their name, email, and hashed password stored on a particular sheet, and then logins would compare to that sheet. Nowhere in the program itself would they see the google sheet, and the only "email" with access to the sheet other than my email is the api credentials. Creation / login would be through the program so - i just don't know if that is enough

#

I was watching a pyinstaller video on how to make it a single exe file. Wondering if that will be enough to hide the json file I'm using that stores the credentials currently

thorn obsidian
#

no. Do not send DB credentials to the end user

#

In any shape or form

#

even if you manage to obfuscate the credentials you use to access the database (which is impossible on its own regardless), the connection to the DB is still initiated on the user's machine, so they can just capture the requests by observing traffic

#

why don't you just use an API against a real database?

#

this Google sheetery is going to be much more of a headache than it's worth

dark walrus
#

Sheetery

#

I steal this

thick flint
#

Is there not a similar json file with api credentials to connect to sql? The class i took on udemy used a very similar method so unsure if there's a full encyclopedia i'm missing on the subject

thorn obsidian
#

@thick flint if the code connecting to the db is running on your machine (ie a server), it's fine. If it runs on a client's machine, very bad

thick flint
#

K - I'm just trying to rethink my approach but don't have a proper example to base it off of then

thorn obsidian
#

well, like I said before

#

it's easiest to just have an API running on a server which communicates with the database, ie "the backend" @thick flint

thick flint
#

I think i finally understand what you're saying - and that makes tons of common sense now LOL -- trying to use what tools are free as much as possible since this is my first project .. I appreciate the direction!!!

#

Random Q -- is it almost worth it to simply build a website front end versus a .py or .exe file? Been parsing through this tutorial here as a possible solution (https://pythonprogramming.net/practical-flask-introduction/) or will that middle man / server still be required even in that situation?

olive lark
#

I haven't got context, but: if you're writing something that actual users will use, and need a UI -- yes, a website front end is a good idea; if you're careful that can work on any platform.

#

an .exe file by definition only works on Windows, and I get the sense that it's hard to generate those (although I've never actually tried it)

thorn obsidian
#

Most of my posts are either ramblings or "Hey, did you know of this neat thing." - I don't think any of it is very detailed/technical.

thorn obsidian
#

I saw that yesterday. Any updates on it?

thorn obsidian
#

@thorn obsidian I was just sent this, but it doesn't load for me

#

oh, it loaded

#

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.

An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.

A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.

thorn obsidian
#

Yeah, I saw that

#

Looks like the NSA recently disclosed it, and could have been holding onto it for years

#

Stockpiling 0days, woo!

thorn obsidian
#

what if i wanted to make a rat

noble kraken
#

I am afraid we can't help you with that

thorn obsidian
blissful raven
thorn obsidian
#

@blissful raven The BootRom exploit comes to mind

blissful raven
#

I know what BootRom is, but how do you know there's an exploit on this version?

thorn obsidian
#

I don't see which version of the device they were using within that article

#

Which makes me believe that there's a possibility it could be old, and susceptible to the BootRom issue

past starBOT
#

Sorry, but you may only use this command within #bot-commands.

lusty flare
lusty flare
#

heh

#

Homeland Security has issued an emergency directive to all government departments to patch the CryptoAPI bug in 10 days.

#

a Homeland Security advisor described it as "seriously, seriously bad. patch."

#

Trust mechanisms are the foundations on which the internet operates – and CVE-2020-0601 permits a sophisticated threat actor to subvert those very foundations.

#

yes, NSA. a sophisticated threat actor could do that couldn't they.

#

oh it's being called CurveBall

#

Windows Defender definitions have been updated to catch some attempts to exploit it

#

a new and fun one.

#

estimated 200 million cable modems vulnerable to an RCE

#

First, access to the vulnerable endpoint is gained through a client on the local network

#

booooo

lusty flare
#
tptacek

From a conversation with Thomas Pornin, a plausible explanation given the details provided in the DoD advisory:Given an ECDSA signature and control over the curve domain parameters, it's straightforward to create a second private key that matches the original public key, with...

#

interesting write up about the technicalities of the exploit

#

so it seems like on generated curves Windows was comparing certain values to known curves and then trusting them

#

but not using all values to compare the curves

#

something the RFC specifically says not to do

#

and while you can't attack Windows Update you may be able to attack a WSUS server

#

PoC of the remote desktop RCE

thorn obsidian
#

@marble dawn :)

marble dawn
#

Haha

thorn obsidian
#

Except, what's that look like on mobile/anything other than Windows?

thorn obsidian
#

well, it's a windows bug, so on other devices it should give the red warning page

thorn obsidian
#

( Kind of silly name that they're calling it, but.. )

#

¯\_(ツ)_/¯

stable summit
#

When working with dynamic websites, what’s the best way to achieve information on the servers?

thorn obsidian
#

what are you trying to achieve? having a hard time understanding what you're asking and how it's related to security

stable summit
#

@thorn obsidian trying to find a way to automate WebWork, if you’ve ever used it for HW, it’s pretty popular at my Uni. For a research project my goal is to make a bot to get 70% or more on the HW

#

But unlike my initial assumption webwork is dynamic and not static I believe and I am trying to find how to get the info

slow jacinth
#

you have to scroll down to elif program == 'chat':

orchid notch
#

the ssl module should suffice

#

although this is gonna be a PITA if you have your own server setup

slow jacinth
#

i'm using socket to run a server and connect to it

#

btw i have no prior experience in security

orchid notch
#

yes, use the ssl module

slow jacinth
#

how do i use it?

orchid notch
#

it's in stdlib and there should be an explanation on how to use it with sockets

slow jacinth
#

ok tahnks

#

*thanks

#

so I type import ssl, right

orchid notch
#

among other things yes

slow jacinth
#

ok thanks

thorn obsidian
#

I have a question that is strange, related to security, but probably not typical of what comes up here. Let me explain.

#

I'm working on a game of sorts where one of the features of the game is an interface with a fake system based on a real linux system, but the terminal is actually just a toy.

#

Or, an interface for a game more literally.

#

One of the complications of doing this is

#

That you require a lot of data on many many many many things and I've been gathering what I need for a while when it came to me

#

That everything that I need is in journalctl calls.

#

Pretty much everything

#

Im trying to think of a way that I could get...

#

services, various hardware, system messages and problems, various things to fake the linux system for the game in such a way that... There is nothing that leaves anyone vulnerable by sharing it. It seems like a lot to ask anyone to share so I would have to reproduce it somehow

#

I need to somehow create shitloads of virtual images of Linux systems that have unique hardware configs, ideally unique problems, and the hardest part..an amount of time simulating their use. I think that asking people to contribute their journalctl logs or at least the data from them in fields (not specifically saying anything) is too much to ask right?

Do you know of public dumps of such data maybe that don't leave anyone compromised at all

#

that is very important

#

What is the most dangerous info that could be leaked about someone in those logs

#

So that

#

i can make sure it is removed

#

I suppose alternative means of accessing the type of extensive data i describe would be acceptable

#

It's possible that a safer way to do this would be to only query certain fields ... but the problem is, this game is an RPG where your system may vary from anyone else's

#

There need to be options

#

So there needs to be infinite possible messages almost

#

that would be too much obviously

#

but one machine doesn't reflect enough machines

#

100 machines running for 2 minutes doesn't reflect enough

safe lark
#

If you're just faking a terminal that interacts with the game why in the first place do you even need that info... @thorn obsidian

#

Though I also feel this question, if there is one, is far from related to this channel

thorn obsidian
#

Because I somehow have to create a believable Linux system in some capacity because the game is about Linux and learning some basics of it. It has to be realistic enough to teach lessons. And the easiest way to do that is to create a list of words... many lists of words. It just so happens that the journalctl logs have many, many, many, many linux related words in them, I realized while looking at mine. And they are in fields so they can be categorized easily, but I already figured out some solutions

#

The reason I asked here

#

is because my concern was that getting info this way would also gather info that was sensitive to users.

#

I didn't want that

#

it won't be like an open tty terminal in linux obviously. There would be objectives and available commands to use.

#

But they would need to output something that looked realistic. And it's just a lot of data. I found a way to get it though, more safely

#

most of the data that i need I can generate with a module called faker lol

#

So that changed everything

#

anyway, encrypted persistence and all that.... right?

#

It would be totally awesome if I could literally just give the user a shell to a terminal in a webapp and not have to recreate linux for a game lol

#

But like

#

at what cost haha

safe lark
#

we're more about encryption and whatnot here, not means to get data

#

just keep that in mind in the future

thorn obsidian
#

Well, I would like to clarify

#

I don't need any help getting the data. I only wanted to ask experts, maybe in security of users and whatnot, if there was a lot of sensitive content.

#

I have no problem getting data. But ok

#

i mean the worst case scenario

safe lark
#

it seemed as if you were asking about getting the data, my bad. either way, that's more of a linux question cause it's along the lines of "what's in journalctl logs" rather than security

thorn obsidian
#

is i built a game filled with my own vulnerabilities lol

#

fair

#

the question still stands if anyone has an opinion... how well should you guard your system logs? Are they endangering you?

plucky python
orchid notch
#

@thorn obsidian you don't have to create a believable Linux system, you can probably come up with a minimal fake Unix that only interacts with the user and not the hardware in a week or so

thorn obsidian
orchid notch
#

@plucky python that looks to me like it's just a mode abstraction that probably returns an object you can pass to the AES primitive or any other block cipher primitive in that lib

plucky python
#

How would I port this nodejs function to python: tweetnacl.sealedbox.seal(new Uint8Array(ckey), pkey)? Is there a cryptographic equivalent for python?

orchid notch
#

Looks like it uses NaCl

#

NaCl is a C lib that should also have bindings for Python

hoary marten
#

yeah

#

it's called pynacl @plucky python

thorn obsidian
#

@thorn obsidian If I were you I would look into one badass rig to run many instances of virtualized machines, and then I'd look into porting BSD jails to Linux.

#

BSD jails work by installing an OS into this sandboxed environment. It has access to network cards and stuff, but you can throw the traffic through a custom-made virtualized interface to simulate a network card. On top of that, it allows you to run FULL OSes in a sandbox.

#

Since it's BSD licensed (which is a looser license than Linux), you can freely port the software over.

#

Think of it like LXC/Docker but with more features.

thorn obsidian
#

@thorn obsidian sounds very similar to Docker with the Kata runtime

#

@thorn obsidian except it's been around for years; BSD jails have been around since 2000

#

yep

#

it was a development of BSD chroot IIRC

#

yup, i was there

thorn obsidian
#

Does anyone know a free service for reconnaissance that has a DB of historical WHOIS records for a given domain?
Like SecurityTrails, but for WHOIS.

orchid notch
#

that would probably be illegal considering GDPR

thorn obsidian
#

@orchid notch wouldn't the Web Archive be so as well then?

orchid notch
#

ping

#

WHOIS is especially complicated; archiving most things is fine

#

but ATM WHOIS will barely give you any data thanks to GDPR, so I doubt you'll be allowed to keep records

thorn obsidian
#

well, the data is public, isn't it

#

so what prevents someone from saving it?

#

i suppose selling this data by a 3rd party would be against GDPR then?

#

but what about just putting it out on the internet 🤔

orchid notch
#

thanks to GDPR most of the original WHOIS data is not public anymore

#
Registry Domain ID: 1905774754_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2018-01-24T21:00:12.00Z
Creation Date: 2015-02-26T22:47:43.00Z
Registrar Registration Expiration Date: 2021-02-26T22:47:43.00Z
Registrar: NAMECHEAP INC
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Reseller: NAMECHEAP INC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited 
Registry Registrant ID: 
Registrant Name: Andrei Zbikowski
Registrant Organization: Discord, Inc.
Registrant Street: 444 De Haro Street STE 200
Registrant City: San Francisco
Registrant State/Province: CA
Registrant Postal Code: 94107
Registrant Country: US
Registrant Phone: +1.8885940085
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext: 
Registrant Email: accounts@discordapp.com
Registry Admin ID: 
Admin Name: Andrei Zbikowski
Admin Organization: Discord, Inc.
Admin Street: 444 De Haro Street STE 200
Admin City: San Francisco
Admin State/Province: CA
Admin Postal Code: 94107
Admin Country: US
Admin Phone: +1.8885940085
Admin Phone Ext: 
Admin Fax: 
Admin Fax Ext: 
Admin Email: accounts@discordapp.com
Registry Tech ID: 
Tech Name: Andrei Zbikowski
Tech Organization: Discord, Inc.
Tech Street: 444 De Haro Street STE 200
Tech City: San Francisco
Tech State/Province: CA
Tech Postal Code: 94107
Tech Country: US
Tech Phone: +1.8885940085
Tech Phone Ext: 
Tech Fax: 
Tech Fax Ext: 
Tech Email: accounts@discordapp.com
#

like

#

there is barely anything

#

or rather

#

barely anything personal

#

but imagine what it would be if this was a domain hosted by an individual

#

I can't imagine stockpiling this data would be fine

#
Registry Domain ID: DO_0a1a2ee7b8a82b895230b0a0a7d852c0-UR
Registrar WHOIS Server: www.gandi.net/whois
Registrar URL: www.gandi.net
Updated Date: 2019-10-28T20:15:26.014Z
Creation Date: 2016-11-18T13:04:32.675Z
Registry Expiry Date: 2020-11-18T13:04:32.675Z
Registrar: Gandi SAS
Registrar IANA ID: 81
Registrar Abuse Contact Email: abuse@support.gandi.net
Registrar Abuse Contact Phone: +33.170377661
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: 
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: 
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: GB
Registrant Phone: REDACTED FOR PRIVACY
Registrant Fax: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registry Admin ID: REDACTED FOR PRIVACY
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY
Admin Phone: REDACTED FOR PRIVACY
Admin Fax: REDACTED FOR PRIVACY
#

like for example here

#

bisk's domain has eeeeeverything hidden

#

@thorn obsidian

thorn obsidian
#

You have to pay extra for that.

#

Which is a disgusting way to approach data.

#

If you can afford to make money on it and exploit people who cant, ALL THE DATA YOU WANT

#

Otherwise, that is conspiracy with a computer, sir.

#

Dump it on the web? Crime. Sell it for a profit. Reasonable.

#

It's an insane system.

#

The amount of money you pay when registering a domain for the privacy option is basically just a necessary part of purchasing the domain.

#

It's not too much. You just shouldn't consider it otherwise.

#

Namecheap offers WHOIS privacy for free

#

Good to know. It should be required to sell a domain to ensure that your customer has it.

#

For example, my domain:

Registrar WHOIS Server: whois.namecheap.com
Registrar URL: www.namecheap.com
Updated Date: 2019-12-03T18:45:19Z
Creation Date: 2016-05-31T06:38:21Z
Registry Expiry Date: 2021-05-31T06:38:21Z
Registrar Registration Expiration Date:
Registrar: NameCheap, Inc
Registrar IANA ID: 1068
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +1.6613102107
Reseller:
Domain Status: ok https://icann.org/epp#ok
Registrant Organization: WhoisGuard, Inc.
Registrant State/Province: Panama
Registrant Country: PA
Name Server: DNS1.P07.NSONE.NET
Name Server: DNS2.P07.NSONE.NET
Name Server: DNS3.P07.NSONE.NET
Name Server: DNS4.P07.NSONE.NET

Really no info there.

#

yeah.

#

For people who know about WHOIS and how to avoid its pitfalls, it's easy to not be vulnerable there.

#

The problem is that it's left wide open for anyone who doesn't to be preyed on for

#

I mean, there are reasons it exists though. Universities and larger companies need this information out there, I believe.

#

Right, but... what I mean is that... There should not be people in the business of selling you something that is making you vulnerable at a cheap cost and then offering you the service you need at an increased premium. I'm happy to know that there are domain registrars now that are offering that, but... I just think that we would have fewer vulnerabilities as a society if we were not legally allowed to exploit people who are ignorant and instead covered the holes up.

#

Sure, if you want to for a reason have information up, that is something you can do.

#

But tbh

#

as a non business kind of guy...

#

I don't see how WHOIS is that important when the average customer has no idea what it is

#

There's a lot of angles to this, and it's rather late here. I'll sketch up a blog post sometime soon-ish covering this, since I think it needs to be brought up.

#

Night, I'll read it.

thin mountain
#

I've been learning Python for almost half a year, and I now know how to use loops, strings, data types and other things. I now want to focus on security (on the defense side). What kinds of things should I learn to be able to use Python for security? What kinds of functions exist for this goal?

thorn obsidian
#

that is a very broad question

#

what exactly are you trying to secure?

#

what's your threat vector?

hoary marten
#

also you can't really just do security on the defense side without at least understanding the offense side

thin mountain
#

to secure software or hardware

#

@thorn obsidian

thorn obsidian
#

what software or hardware specifically? secure from whom?

#

every attack method needs its own method of defense

hoary marten
#

I don't think your question is something that can actually be answered @thin mountain

thorn obsidian
#

there are no catch-alls in security

hoary marten
#

if you just want to learn "how to secure things", I would say go to your local university and get in an information security class

#

then get a security job, pass your CISSP, etc., etc...

#

if you just want to casually discover some security-related stuff you can do with Python, check out the book "Gray Hat Python"

thin mountain
#

@hoary marten ok I'll check it out

#

thank you to @thorn obsidian

thorn obsidian
#

sure

wide laurel
#

can someone help me w some cod

#

code

midnight lava
#

@wide laurel ask

thorn obsidian
#

!ask

past starBOT
#
ask

Asking good questions will yield a much higher chance of a quick response:

• Don't ask to ask your question, just go ahead and tell us your problem.
• Don't ask if anyone is knowledgeable in some area, filtering serves no purpose.
• Try to solve the problem on your own first, we're not going to write code for you.
• Show us the code you've tried and any errors or unexpected results it's giving.
• Be patient while we're helping you.

You can find a much more detailed explanation on our website.

midnight lava
#

ty scott

thorn obsidian
#

No problem 😄

worthy latch
#

Can securing an Ubuntu server be done with Python? And what threats should I be securing against as a web dev?

lusty flare
#

well, securing a server is a hardening process

#

changing system variables, installing software, defining firewall rules, etc, etc

hazy leaf
#

It successfully changed "http" to "https" and the problem is that the browsers display the big scary message and upon continuing the map still does not display. Because of the way the restrictions are set (which will be great for production). 🙂

thorn obsidian
#

@hazy leaf create a CA to generate "trusted" certs off of and import the CA into your browser/OS

#

be extra careful to not expose your CA's private key

fossil halo
#

Or just use Let's Encrypt with a domain you own

#

My printer has a .de address xD

#

A portion of my domain is public, the other part is private on my local network, for stuff like that and some fun

hazy leaf
#

@thorn obsidian, @fossil halo in those cases what do you think about external authorities such as https://letsencrypt.org/? Would it be sufficient? Since creating a certification authority seems like a last resort. 🙂

fossil halo
#

If you own a domain, yes. It won't work with e.g. a .local domain

#

I simply use certbot on my Pi, using the DNS challenge to authenticate on my public DNS

thorn obsidian
#

having your own CA is not a last resort; it's a very common method of doing development with TLS

fossil halo
#

You don't even need your own CA, just load the certificate into the Windows cert manager

#

At least chrome should accept it

#

Firefox does not

thorn obsidian
#

that's a lot more cumbersome if you're working with more than one domain

hazy leaf
#

Does "chrome" mean all Chromium based browser or just "Google Chrome"? 🙂

tight abyss
#

FF has its own cert store, it doesn't use the system's one.

fossil halo
#

Ah ok

thorn obsidian
#

@hazy leaf chrome and chromium behave the same

fossil halo
#

I mean Google Chrome, never tried others @hazy leaf

tight abyss
#

should be the same for the whole family

fossil halo
#

This is served by my Pi, using a Let's Encrypt cert for my internal network

hazy leaf
#

Alright that sounds good. Also are there Ubuntu 18.04 specific caveats? 🙂

fossil halo
#

You need to provide a means of authentication when using certbot to generate the cert

#

either a public web server on your IP or a public DNS

#

to answer the ACME challenge

#

On a DNS you need to create a TXT entry

#

so make sure you can provide either of those

hazy leaf
#

Yes, that seems reasonable, also regarding the information in the certificates. What role does it play in the authentication? 🙂

fossil halo
#

If you make a cert for example.com, you need to prove that you are in control of that domain

hazy leaf
#

For the computers that is, because it seems made so that humans can understand it.

fossil halo
#

control means either controlling the web server or the DNS

#

My provider lets me edit the DNS, not all providers do that

hazy leaf
#

In that thought train it seems reasonable that we are able to prove that localhost/<anyport_here> is owned by us.

#

Isn't it?

fossil halo
#

you can't prove that localhost is yours, because it's mine

#

you need a real top level domain

#

that is registered

hazy leaf
#

This is going to sound ridiculous and it would be nice to hear your guys' thoughts on it. Can we register "localhost" under some other name that can be used only through one machine? 😄

fossil halo
#

No

#

First of all, you need a DNS server, like bind9, to actually resolve your domain

#

Then just make a bogus domain like server.local

#

I think that is easier for you

#

I can give you configs for a quick start

thorn obsidian
#

localhost is a reserved keyword and should always resolve to, well, the local machine (::1)

hazy leaf
#

That makes sense. It is just hard for accepting. What would be the proper way of doing it? 🙂

#

Challenges help growth after all.

fossil halo
#

Step 1: apt install bind9
Step 2: create a domain on that DNS server with a name like .local or .home, which are allowed to be used on an internal network
Step 3: Make the bind9 installation no-transfer, to not spam this across the internet
Step 4: Generate a certificate with the openssl command

#

For step 2 you need to make an SOA entry in the DNS config file

#

Example:

local.home.  IN  SOA  ras.local.home. root.local.home. (
                2019012400  ; serial
                8H          ; refresh
                4H          ; retry
                4W          ; expire
                1D          ; ttl )

thorn obsidian
#

ras

#

hmmm

#

that's my username

fossil halo
#

This would make a domain named local.home with ras.local.home as DNS and root@local.home as contact email

thorn obsidian
#

on my local machine

#

comes from Rasmus, my name

fossil halo
#

zdravstvuyte (hello)

#

tovarishch (comrade)

thorn obsidian
#

privet (hi), although I'm not sure why you started speaking Russian

fossil halo
#

Isn't Rasmus Russian?

thorn obsidian
#

nope

#

Swedish

#

but I'm from Estonia

#

anyways, getting a bit off topic :p

fossil halo
#

But to continue: After you have made this zone, you can add your A, AAAA, CNAME entries

#

also, don't forget the reverse zone for PTR entries

#

I think you got enough to google now xD

#

A entry: printer IN A 10.10.10.251

#

AAAA entry: ras IN AAAA fc00::1

#

cname: ns1 IN CNAME ras

#

those are examples

#

so you see what that is

hazy leaf
#

For sure! Thank you so much! A lot of people will be quite happy because of that app and it will be thanks to you guys. 🙂

plucky python
#

Could anyone help me with porting some Node.js that uses the Web Crypto API to Python? I've attempted it, but I'm doing something wrong, as the last 16 bytes in my array are 0 when they should be a number.

hazy leaf
#

@plucky python what does the code look like? 🙂

marble dawn
#

Is anyone having issues with domains that use Let's Encrypt today?

#

Suddenly my browser is rejecting it

#

"Unknown issuer"

#

hm, nope, it suddenly started working again

#

weird

thorn obsidian
#

haven't noticed anything meself

olive lark
#

me neither

plucky python
thorn obsidian
#

@plucky python What does this have to do with Instagram?

plucky python
#

Why? @thorn obsidian

plucky python
#

And I’m just making an api wrapper and that is a header that needs to be generated

thick flint
#

I'm trying to google this error: '_PasslibRegistryProxy' object is not callable. But all of the results are missing the PasslibRegistryProxy keyword.

I'm unsure of what is going on, as this was tested and working fine this morning. I got home tonight, did a few more tests and started getting this error, but with no code change. I reinstalled passlib and that did not solve the issue.

thick flint
#

recreated with minimal code:

import passlib.hash
a = passlib.hash('magic15!')
print(a)

Error:
TypeError: '_PasslibRegistryProxy' object is not callable

thorn obsidian
#

Are you trying to make a new hash?

#
> # import the hash algorithm
> >>> from passlib.hash import pbkdf2_sha256
>
> # generate new salt, and hash a password
> >>> hash = pbkdf2_sha256.hash("toomanysecrets")
> >>> hash
> '$pbkdf2-sha256$29000$N2YMIWQsBWBMae09x1jrPQ$1t8iyB2A.WF/Z5JZv.lfCIhXXN33N23OSgQYThBYRfk'
>
> # verifying the password
> >>> pbkdf2_sha256.verify("toomanysecrets", hash)
> True
> >>> pbkdf2_sha256.verify("joshua", hash)
> False
thorn obsidian
#

@thick flint yeah, like Scott said, RTFM. The passlib.hash import is just a class which contains supported algorithms, which in turn contain their respective functions (like hash, verify, etc.)

#

with your import, you'd have to do something like

#

(of course, you can do something like this instead to make it a lot more readable instead of just a one-liner:)

import passlib.hash
algo   = passlib.hash.hex_sha512   # pick one of the handlers exposed by passlib.hash
hashed = algo.hash("magic15!")     # the handler's .hash() method does the actual hashing
print(hashed)
thorn obsidian
#

I mean, I wasn't trying to say RTFM. It's more that I wasn't sure what they were doing, and that perhaps they were unaware of that specific method.

thorn obsidian
thorn obsidian
#

A question regarding Tor: if you enable acting as a bridge, and you happen to be an exit node and malicious traffic gets sent through your machine, how come you can get away with this?

#

I mean technically you are not the one who initiated the request originally

#

but you are the one who forwarded it, so why can't you get punished?

thick flint
#

I did go over the manual, but the reason I was using passlib.hash() is because I had received

2.0, use .hash() instead.

I received this while using sha256_crypt.encrypt(), as taught in a tutorial video series. Using passlib.hash() was working and suddenly stopped. I guess for the better, but the fact that it was working and then stopped confused the tar out of me. But to y'all's point, I'll align more with the documentation and move on. Thanks!!
olive lark
#

@thorn obsidian my guess is: you can, which is why there are fewer exit nodes than the other kind

hoary marten
#

@thorn obsidian you totally can; this is why exit nodes are mostly located in countries with very lax laws and hosting providers that don't care too much about what you do

dusty jacinth
#

It seems to me that most CSRF attacks are <form> related, and to fix it you should include a CSRF token, but wouldn't it work to just swap the normal form submit for XMLHttpRequest or fetch instead, since they follow the same-origin policy?

thorn obsidian
#

no, don't do that.

stuck heart
#

@dusty jacinth check the owasp cheat sheet for recommendations, but you can also use the SameSite cookie attribute with modern browsers

still crow
#

anyone got any help with making a polymorphic engine with Python
to make a binary's signature different to stop heuristics

thorn obsidian
#

what do you need this for?

plucky python
hoary marten
#

@still crow the whole point of heuristics is that they don't work on signature

thorn obsidian
#

@still crow Why? Curious as to your usecase.

still crow
#

anticheat

#

and them signing my script

narrow laurel
#

we cannot help with anything that goes against a service's ToS

#

!rule 5

past starBOT
#

5. Do not provide or request help on projects that may break laws, breach terms of services, be considered malicious/inappropriate or be for graded coursework/exams.

narrow laurel
#

in fact this is the second time you've been told about this, so it can be an official warning

thorn obsidian
#

TeamViewer stored user passwords encrypted with AES-128-CBC with the key 0602000000a400005253413100040000 and IV 0100010067244F436E6762F25EA8D704 in the Windows registry. If the password is reused anywhere, privilege escalation is possible. If you do not have RDP rights to a machine but TeamViewer is installed, you can use TeamViewer to remote in. TeamViewer also lets you copy data or schedule tasks to run through their Service, which runs as NT AUTHORITY\SYSTEM, so a low privilege user can immediately go to SYSTEM with a .bat file. This was assigned CVE-2019-18988.

spiral iron
#

Why do I get a slightly different result with

```bash
$ echo -n $PAYLOAD | openssl dgst -sha256 -sign signing.key | hexdump -v -e '/1 "%x"'
```

vs

```bash
$ echo -n $PAYLOAD | openssl dgst -sha256 -sign signing.key -hex
```

?

#

The former is almost the same, but contains some occasional extra zeroes.

thorn obsidian
#

leading zeroes are dropped

#

you need to set the width

#

i.e. %02x @spiral iron

spiral iron
#

The width of what?

thorn obsidian
#

perhaps it's easier if I demonstrate

#

etc

#

you get the gist

spiral iron
#

Aah, right, thanks

thorn obsidian
#

the 02 in %02x signifies "pad to a width of 2 with zeroes"

spiral iron
#

Yeah, got it

thorn obsidian
#

Does http.server have any known vulns?

#

Because my honeypot showed someone trying to access a URL with Hydra in it with some random URL to an executable file

#

I'd have to capture it again

spiral iron
#

Ok, so, now I'm getting identical output from

```bash
echo -n $PAYLOAD | openssl dgst -sha256 -sign signing.key -hex
```

and

```python
binascii.hexlify(digest)
```

but the output differs between

```bash
echo -n $PAYLOAD | openssl dgst -sha256 -sign signing.key -hex | base64 -w 0
```

and

```python
base64.b64encode(digest)
```
#

What could be the cause of this?

#

There's a short identical prefix, but then the length of the base64 string differs. Since the hex matches, I would've thought that the b64 agreeing would be pretty much guaranteed.

spiral iron
#

Ok, nevermind, my mistake.

#

The above snippet wasn't actually what my script was doing, I was storing a byte array in a variable and echoing it.

thorn obsidian
#

@thorn obsidian none which are public

#

but it's not meant for production

#

so please don't use it for anything else but testing

#

it has not been under close inspection due to that

thorn obsidian
#

Pretty sure http.server says not to use it in production in the docs too

thorn obsidian
daring sedge
#

What does penetration testing an Android app look like?

thorn obsidian
#

depends on the app

olive lark
#

I'm resisting the urge to post a GIF of some stupid movie with a teenaged "hacker"

thorn obsidian
#

Mostly consists of finding an API key embedded within the APK itself, and then finding out that key has way more permissions than it should have.

daring sedge
#

That actually sounds like a mistake I would make if I hadn't heard about it here

neon jewel
#

You don't even have to decompile the apk, just use a packet capture app

thorn obsidian
#

... unless the app uses SSL pinning, which most do nowadays

#

unless you're root, it's... not hard, but often troublesome to get past that

#

depending on whether SSL pinning is achieved with native code or java

eternal veldt
#

I am developing a paid application, and after testing with Burp Suite, regardless of the key you send to the auth server, you can change the response to make it seem like the authorization was successful. Does anyone know of any workarounds for this?

#

I'm currently just using requests to post the data :/

thorn obsidian
#

@eternal veldt I mean, when authorising, the server should return a key usable in the current session which will be sent along with all future requests. The server then checks whether the key is valid or not and invalidates it after a certain amount of inactivity or when the user requests it (ie "log out")

#

you can spoof what the response is (client-side), sure, but without a valid server-issued key, you can't really make any further requests

eternal veldt
#

I'm not the best with web stuff, but you're saying that the key sent from the server won't be valid once loaded in Burp Suite?

thorn obsidian
#

what I'm saying is, normal user flow is:

  1. user successfully authenticates
  2. server starts a new session and returns a session key/token
  3. user's client stores the token
  4. user makes an authenticated request and the session token is sent along with it
  5. server checks token, sees it is a currently valid token, and proceeds with the request
  6. [...]
  7. user sends a log out request
  8. server removes the session, making the token invalid
#

with a MITM attacker, it'd go something like this:

  1. attacker fails to authenticate
  2. attacker spoofs response to make it seem like auth was OK
  3. attacker attempts to make a request, which fails as he never got a valid session token from the server
#

@eternal veldt

eternal veldt
#

Unfortunately, the only request being made by the client is during the authentication process; the rest of the program runs offline.

thorn obsidian
#

there's not much you can do against that

#

everything which runs offline can be cracked

eternal veldt
#

Hmm, back to the drawing board then. I appreciate you trying to help though

thorn obsidian
#

yeah, no problem dog. sorry for this hard truth

#

it's why game cracks are a thing, really

#

even super advanced techniques such as Denuvo are eventually cracked

eternal veldt
#

For one reason or another, I need a secure connection between my application and my server (only used for authentication of the application). With simple HTTP requests, the user could intercept the server's response to authenticate even if they shouldn't be. I have now implemented WebSockets (without SSL or TLS), and I can't find the WebSocket connection in Burp Suite. Is there another way a malicious user could intercept a WebSocket connection with no SSL or TLS in place?

safe bear
#

Are you worried about the user intercepting their own connection, or an attacker on the network intercepting it?

#

Either way, with no encryption it's trivial to intercept

sturdy viper
#

Hi, may I ask a question related to blockchain here?

thorn obsidian
#

@eternal veldt WebSockets are easy to intercept as well, aye

silent pier
#

Is a huge list of nmap GET requests in nginx logs (which returned a 404) a sign of an attack, or something I'm not aware of?

#

etc

#

Seems to happen every 26 hours, I think

thorn obsidian
#

that's a regular "intrusive" nmap scan

#

harmless if your shit is set up properly, but I recommend setting up fail2ban or some other rate limiting anyway @silent pier

silent pier
#

Huh

#

it makes me wonder though, 'cause we haven't been able to connect to our app since... well, a few days ago

#

I guess it could be the university's IT trying out stuff to find what works and doesn't 🤷🏽‍♂️

thorn obsidian
#

@sturdy viper If it's security related, sure

mortal perch
#

yeah, any public server will get intrusion attempts 24/7; as long as your nginx config is secure and nginx is up to date you'll be fine

olive lark
#

If it were your U, I'd hope they would let you know they're doing it

thorn obsidian
#

@silent pier I get those all the time on my server(s). Numerous attempts at accessing PHP files, when I don't even have it installed.

olive lark
#

I assume all web sites get those

silent pier
#

ye, we don't have it installed either

#

just was curious if it had anything to do with our downtime

thorn obsidian
#

Do you have anything that pays attention to logs?

silent pier
#

I added winston to the frontend

#

and flask server should log traffic

#

None of them log any traffic, no matter how I try to access the site or API

daring sedge
#

Does anyone have a good guide on the basic steps you should take to secure a production server? Running something like Docker Compose and Nginx

eternal veldt
#

I have a question regarding app security. This question is related to the authentication of keys for licensed software. Suppose I hardcode the server's public RSA key into my application. I then generate another keypair for the client. I send the license key, as well as the client public key to the server, encrypted with the server's public key. I decrypt that serverside with the server's private key, and then send back a response (successful authentication or failed), encrypted with the client's public key. I decrypt the response clientside with the client's private key, and allow access based off that. Does this seem secure to you all?

#

Please ping me if you respond!

thorn obsidian
#

@eternal veldt what's stopping me from simply swapping the hardcoded public key out for my own in the client?

eternal veldt
#

The obfuscation method of the software

#

@thorn obsidian

#

I have a lot of faith in it, despite it being python

thorn obsidian
eternal veldt
#

Well I don’t have too much of a choice in this case. Furthermore, the technique does employ encryption techniques

#

It’s a library called pyarmor

#

Actually I don’t think it encrypts, but it’s the best choice for python

thorn obsidian
#

hey uh so I wrote some script and I want to release it to the public but I'm afraid they will use it to exploit other people. How do I prevent that and make them use the tool with care?

thorn obsidian
#

@thorn obsidian exploit how?

#

the tool I wrote was to prevent my little brother from going on the internet, because we live far away from each other. I made something like DoS, but it makes the router get hot. How do I delete the tool completely from the hard disk?

#

like beyond recovery?

#

jk there is no tool, I was just checking if this is active 😂

#

🤔

#

Preferably don't spam up the channel, thanks.

#

okay

#

but what do i do here

#

I'd start with reading previous posts if you're unsure.

#

oh so its ethical stuff

#

can I upload non-ethical as well or does that get deleted? @thorn obsidian

#

Preferably don't upload anything questionable

#

maybe like upload source code ?

#

you know like upload source code of exploits

thorn obsidian
#

it's fine to post links to repositories as long as the vulnerability was responsibly disclosed and patched

#

ie no 0days please

pine sparrow
#

Hi. I made a Python desktop program and I want to sell someone one license. What's the best way to control the license online? Can I do that using Lambda? Does anyone have an example so I can see? Many thanks.

fleet idol
#

can anyone help me with a ransomware issue?

thorn obsidian
#

@pine sparrow You'd have a decent chunk of the work being done on the server

#

So you'd have a dumb client that does the bare minimum in that case

tropic bay
#

hmm, am I the only one that thinks it's super creepy that Facebook wants your picture before you create an account?

orchid notch
#

no, that's called Facebook's greed for data, and it should not creep you out nowadays, but instead be accepted as normal if you want to use social networks

thorn obsidian
#

So yes, it's creepy.

tropic bay
#

yeah, and they say "please use your real legal name"

#

what's the difference between saying that and "please fork over your private and personal info so that people can dox you and send a squad of heavily armed police with fully automatics to your house"

#

'cause that shit ain't funny bro

thorn obsidian
#

That's a little bit more graphic than is needed I think.

tropic bay
#

there are cowards on the internet hiding behind their screens and calling the cops on innocent people and acting like they're some kind of hero

safe lark
#

i don't know if Scott minds but @tropic bay i would prefer you removing that. there are younger people in this server and most people in general just don't need to see that.

tropic bay
#

sure, i can see where youre coming from

thorn obsidian
#

hmm, am I the only one that thinks it's super creepy that Facebook wants your picture before you create an account?
@tropic bay last time I attempted to sign up to Facebook (had to for a school-related event), they asked me to upload my ID to make sure "I was using my real name"

#

noped the fuck out of there

tropic bay
#

you smart

#

asking for my phone number was creepy enough

lusty flare
#

i managed to give them none of that shit

#

the fact they stop people using aliases is mega creep level

#

like dude perching outside your window with a camera level creep

errant burrow
#

I'm intermediate at Python but don't have much experience with cyber security when it comes to Python. What would be a good starter project and which libraries should I use to improve my skills?

thorn obsidian
#

Cisco-PIX MD5: do the keys hit each other like in the SHA-256 case?

thorn obsidian
#

I can confirm that Cisco-PIX MD5 hashes are hitting each other.

safe lark
#

@errant burrow make a simple "password manager" in terminal with passlib and/or pycryptodome

lusty flare
#

@thorn obsidian but.. that's how hashes work

#

i think cisco's pix md5 suffers from collisions just like md5 though

#

plus it appears to be much smaller than a normal MD5

icy arch
#

** <!> Hello_People <!> **
If anyone is interested, I am looking for experienced cyber-security / cryptographers to try to crack and decrypt a file that I have encrypted using a custom method

thorn obsidian
#

@lusty flare that's what I meant, the keys are hitting each other

lusty flare
#

but they're the same string

#
bisk@bisktop:~$ echo "the quick brown fox" > brownfox.txt
bisk@bisktop:~$ sha1sum brownfox.txt
a5675307b61ec2517330622a6e649b4ca1ee5612  brownfox.txt
bisk@bisktop:~$ sha1sum brownfox.txt
a5675307b61ec2517330622a6e649b4ca1ee5612  brownfox.txt
#

feed the same data into a hashing algo and it'll produce the same result

#

a collision is when two different inputs produce the same result

orchid notch
#

@thorn obsidian first of all it's called colliding/collision in cryptography if this happens. Secondly, the smaller your bit sizes get, obviously the higher the chance gets for collisions. Thirdly, of course if you hash the same text twice you get the same hash; what you're showing is not a Cisco PIX MD5 collision but just how the algorithm is supposed to work. That does however not mean that you can find two different inputs a and b for which

a != b
hash(a) == hash(b)

for this algorithm

#

for any cryptographic hashing algorithm in fact

lusty flare
#

i did a little look and Cisco's PIX MD5 is actually more susceptible to collision than straight MD5 as it only uses 25% of the bytes

orchid notch
#

sighs

lusty flare
#

:D

orchid notch
#

eeeeenterprise appliances!

lusty flare
#

"okay you pay us $5k for the box. also pay us $1k a year for the license. what? security? what's that?"

#

"is that the thing the NSA installed for us after we ship?"

orchid notch
#

mhm

lusty flare
#

in 24 hours fail2ban has been triggered ~220 times and they're all unique

#

:|

#

my friggin systems email inbox is a mess

hard bramble
#

Hi guys... Is anyone using HashiCorp Vault? Is it possible to log in to Vault using Azure Active Directory credentials?

orchid notch
#

.....why do you want to use a HashiCorp Vault if you're working with Azure?

thorn obsidian
#

@lusty flare you get fail2ban reports via mail?

#

isn't there a way to instead make a general report which gets sent once a week or so?

lusty flare
#

probably, i threw it on the other week to reduce the amount of bullshit hitting the server

#

haven't really gone through all the config options yet

#

i can probably tie it into my logwatch reports

#

rebuilding this server atm anyway

#

moving away from docker for hosted site isolation

#

bit too heavy and saving money is lit.

daring sedge
#

Were you using Docker to host static HTML?

lusty flare
#

no, bunch of php sites

#

wordpress / silverstripe

daring sedge
#

Ah sure

lusty flare
#

it made sense to me to containerise them so shitty infected sites could be dealt with more easily

#

but resource usage is proving a little hefty and we don't want to move up to the next EC2 tier

hard bramble
#

@orchid notch To enable single sign on....

orchid notch
#

but like

#

azure has builtin vaults

hard bramble
#

Let's say we want to move to GCP or AWS, We want to set up single sign on for independent

lusty flare
#

kerberos server?

#

both support it

#

probably not a helpful answer, but it's true

hard bramble
#

I will have a look into that thanks...

safe schooner
#

I would like to try to create a password manager and password generator with Python. What libraries should I use or avoid? I mean I've heard that e.g. random() is security-wise not advised to be used for a password generator.

orchid notch
#

@hard bramble well, the Azure Key Vault is surely gonna integrate more and more easily into your Azure environment than any third-party one, so I'd say it's questionable whether you want a HashiCorp thing you gotta figure out again when you move to another cloud vs the integrated solution of the cloud

thorn obsidian
#

@safe schooner aye, random doesn't provide cryptographically secure random numbers, check out the secrets library for that

hard bramble
#

@orchid notch thanks ...

thorn obsidian
#

@orchid notch you enlightened me

orchid notch
#

aha

#

happy to uh

#

help i guess

thorn obsidian
#

lmfao

#

😂

restive vine
#

@slate fulcrum pip install wheel

slate fulcrum
#

it fails @restive vine

restive vine
#

Show screen

leaden blaze
#

pycrypto is no longer maintained and hasn't seen an update since 2013. There are some issues that will prevent you from installing it related to compiles and so on.

slate fulcrum
#

I need RSA decrypter

leaden blaze
#

However, there's an alternative that can act as a drop-in replacement: pycryptodome

slate fulcrum
#

ok I'll check

#

don't mind requests, idk why it shows like that, it works tho, crypto doesn't

native edge
#

In the bottom left you can change interpreter in vscode.

slate fulcrum
#

still doesn't do anything, I changed Crypto to crypto since it's like that in the folder, but there's another problem

native edge
#

In your error it doesn't have the crypto instead of Crypto like you said

slate fulcrum
#

but I changed it

#

do I have to do that in every file? or change the main folder "crypto" to "Crypto"

native edge
#

You should avoid capitals in folder and file names since not all platforms are case sensitive.

leaden blaze
#

Did you change the folder from Crypto to crypto yourself?

slate fulcrum
#

no

leaden blaze
#

pycryptodome's documentation mentions that you should import it using a capital C, as it's intended to be mostly compatible with PyCrypto's API

slate fulcrum
#

I changed the folder's name to Crypto, it compiled at least

slate fulcrum
#

I have a public key, what do I need to do to use it to encrypt a string?

thorn obsidian
#

the first example in the last section is encrypting with a public key, the second example is decrypting with a private key

slate fulcrum
#

thx

#

tried to implement it but uh, giving me an error

thorn obsidian
#

try asking in one of the help channels

#

also suggest posting the error if you do

slate fulcrum
thorn obsidian
#

I meant in the help channel

visual atlas
#

Good Infosec Twitters to follow?

thorn obsidian
#

it's proven that the biggest security vulnerability is the brain, learn social engineering.

#

@visual atlas psychology

#

follow psychology

safe schooner
#

I just found out about the library "cryptography" and its Fernet encryption. Is this safe to use for (text) file encryption? Would anyone be able to crack or decrypt it without the generated Fernet key?

thorn obsidian
#

i think i just found a way to make bruteforce 10 times easier

#

but im not sure

hoary marten
#

@visual atlas check out @briankrebs @matthew_d_green @isislovecruft @MalwareTechBlog @IanColdwater

hoary marten
#

@safe schooner "Fernet" is basically AES-128-CBC + HMAC-SHA256

#

It's relatively safe, even though better alternatives exist

#

For example, PyNaCl provides a "SecretBox" that consists of Salsa20+Poly1305, which is a bit more modern

safe schooner
#

@hoary marten Thank you for the info. I just saw that PyNaCl got its last update in 2018. Should I still use it?

hoary marten
#

yes, it is still actively maintained

safe schooner
#

ok thanks

thorn obsidian
#

hey is it possible to split passwords by chunks

hoary marten
#

probably

#

what do you intend on doing?

thorn obsidian
#

making hashes crackable in few minutes not few hours

#

that's not how (most) hashes work

hoary marten
#

there's no magic in bruteforce

#

unless you get into quantum computing sorcery, it's always going to be O(N) complexity, with N being the password length

#

however even if computation will always be O(N), you can always speed things up by running your operations on multiple cores / machines

#

which I guess is what you mean by "splitting passwords"

safe schooner
#

trying to get to run PyNaCl, but getting "ModuleNotFoundError: No module named 'nacl.secret'; 'nacl' is not a package"

#

Google didn't help

#

I checked my venv's site-packages folder and can confirm that nacl is indeed there

hoary marten
#

it's most likely an OS/env issue

safe schooner
#

Do I have to install libsodium separately on Windows 10?

#

In order to get PyNaCl running I mean

hoary marten
#

I don't use windows but it shouldn't be required no

proven zodiac
#

anyone know how to make anti virus scripts ??

safe schooner
#

@proven zodiac elaborate please, what exactly do you want to make?

proven zodiac
#

Like an antivirus software that can find suspected viruses in your computer and put them in quarantine

#

@safe schooner

violet notch
#

That is a mega project

#

I think you would have to write it in c

mortal perch
#

the language doesn't really matter for whether it would work, it's that an antivirus written in Python would probably be real slow
the hard part is designing algorithms to detect whether something is a virus. bear in mind that all paid-for enterprise-grade packages fail to detect things. not to say that it's impossible to make your own, it would just be extremely difficult to make one that's useful

hoary marten
#

The language actually matters because you're not going to write a ring0 driver in python and that is a requirement for proper anti-virus software

#

There's one open-source antivirus around called ClamAV, it's not really good to use, but I guess checking out the source code can help you understand how an AV engine works

obtuse harness
#

Hi everyone, I am trying to hash a text to SHA-256 & this is my code to do it:

import hashlib

# Return the hex-encoded SHA-256 digest of a string
def encrypt_string(hash_string):
    sha_signature = hashlib.sha256(hash_string.encode()).hexdigest()
    return sha_signature

print(encrypt_string('4dM1n'))

the text I want to hash is '4dM1n' but there is something wrong with hashlib, the true equivalent should be the following:

96719db60d8e3f498c98d94155e1296aac105ck4923290c89eeeb3ba26d3eef92

but the letter 'k' goes missing in the output of the method above

Why is this happening? Am I not using the right library?

[SOLVED]
I needed to read a bit about SHA-256 itself, because it was part of the challenge I've been working on; a SHA-256 hash can only contain these chars: a-f, A-F, 0-9
So that's why we must remove 'k' from the given hash

orchid notch
#

@hoary marten about that ClamAV thing, the BSI (German government department for IT security) has shown interest in improving it so don't lose hope ^^

#

And no a kernel driver is not a requirement for a proper anti virus

hoary marten
#

On windows it's definitely the proper way to hook process creation / termination

#

On Linux it might be doable through eBPF callbacks like falco does, which I guess is doable in Python

thorn obsidian
#

@obtuse harness That doesn't "encrypt" anything

#

Hashing isn't encryption

obtuse harness
#

I totally forgot to change the function's name, my goal was totally different, I was up to something like this:

import hashlib, sys

given_hash_in_challenge = '96719db60d8e3f498c98d94155e1296aac105c4923290c89eeeb3ba26d3eef92'

# Takes a string and returns its hex SHA-256 digest; each candidate's digest is
# compared against the SHA-256 hash that is given to us in the challenge
def encrypt_string(hash_string):
    sha_signature = hashlib.sha256(hash_string.encode()).hexdigest()
    return sha_signature


with open('wordlist-sha2.txt', 'r') as sha2_wordlist:
    for every_word in sha2_wordlist:
        # strip the trailing newline so the hash covers only the word itself
        candidate = every_word.strip()
        sha_signature = encrypt_string(candidate)

        if sha_signature == given_hash_in_challenge:
            correct_sha2_equiv = candidate
            print("\n\tThe correct word is: ", correct_sha2_equiv)

            # now take the correct equivalent word and convert it to SHA-1
            convert_to_sha1 = hashlib.sha1(correct_sha2_equiv.encode())
            print("\tThe word was hashed to SHA1: ", convert_to_sha1.hexdigest())
            sys.exit(2)

        else:
            print("Tried word: ", candidate, " | Hash: ", sha_signature)

thorn obsidian
#

I don't understand what this is for

obtuse harness
thorn obsidian
#

To reach this part of the site please login

obtuse harness
#

Forget it, I will give you the statement of that challenge

#
Statement

This hash was stolen during a session interception on a critical application, errors may have occurred during transmission. No crack attempt has resulted so far; hash format seems unknown. Find the corresponding plaintext.

96719db60d8e3f498c98d94155e1296aac105ck4923290c89eeeb3ba26d3eef92

The answer is the SHA-1 of this password.

thorn obsidian
#

the k in the middle is to throw you off

#

remove it, and you'll be able to crack the hash quite easily

#

the plaintext is iirc only five chars long

#

@obtuse harness

#

don't even need to use a word list for it, just brute force it charwise

obtuse harness
#

Yeah I got that & solved that challenge, I had to learn a little about "letters used in SHA256" and found out that it's from a-f

thorn obsidian
#

well, it's hexadecimal values

obtuse harness
#

I couldn't do that because the actual matching word was "4dM1n"

thorn obsidian
#

00-FF

#

the plaintext can be anything, even bytes which don't correspond to proper letters

obtuse harness
#

gotcha! I had forgotten, thanks

humble lake
#

help me get it working by upvoting or answering

lusty flare
#

that's not really what the security channel is for

humble lake
#

Hacking, data sanitization, encryption, and protecting yourself and your devices.

lusty flare
#

yeah, discussion of it

#

basically we can't know your intentions for using the actual framework

cold fossil
#

how do I get a username to link with a password?
Instead of putting all usernames in a list and all passwords in a list...

lusty flare
#

you could store them as a tuple in a list, but there are probably better ways to handle a user/pass system

orchid notch
#

first of all by not storing passwords

#

in clear text

humble lake
#

hello

#

anyone good with printer exploiting

#

or has knowledge and is willing to help

safe lark
#

as bisk has said, this is for discussion of these topics. not for us to help you achieve these things for nefarious reasons afaik

lusty flare
#

even if you're not doing it nefariously, we can't know your motives so... it doesn't matter.

#

more than happy to talk about printer exploiting, it's pretty cool

#

not going to help you set up tools

thorn obsidian
#

( Implementing Argon2 is trivial if using the above, and you have no reason to not use it. )

cold fossil
thorn obsidian
cold fossil
#

the first line is now
bank = {}

cold fossil
#

is it a bad idea to hash a hash?

#

like hash a password...
Then hash the hash I got

thorn obsidian
#

It's not really useful

orchid notch
#

No that's not true, there are round-based methods for hashing that do apply a hashing function multiple times because a) rainbow tables won't work on such hashes as it's unlikely you'll find rainbow tables for the exact number of rounds you've gone through and b) if you hash twice, people that run a word list attack will have to do twice the work for an attack as well

#

However usually hashing once with currently secure methods will provide more than enough security

lusty flare
#

🧂

thorn obsidian
#

hi there

oblique crane
#

How can I detect phishing pages and websites

#

Sometimes they are so real

safe lark
#

SSL certificate, making sure you're familiar with the site and it's not just a slight spelling difference, the kind of content on the page

#

generally those types of sites blatantly want some type of information of yours that you may think is harmless

eternal veldt
#

You should be fine if you just check the url

modern grail
thorn obsidian
#

@safe lark I agree with the rest of it, but you should definitely not rely on SSL to check whether it's phishy or not. Certs are free and even EV certs are pretty easy to get. It doesn't indicate much more than that the owner of the site bothered to set up encryption. Please don't use the existence of SSL as any proof of legitimacy for the site.

lusty flare
#

the details of the cert can help identify if it's dodgy

#

checking the URL is a good move if it's an impersonation site

#

if you're ever presented with a login screen and aren't sure, just manually go to that login page.

#

¯\_(ツ)_/¯

#

get a google drive looking link in your gmail email and you click it and it asks you to login? probably a phish.

#

you're already logged into google.

#

man, i wrote a ~15 page advice pdf for our customers on how to avoid phishing attacks. so much of it is just taking a few seconds to think about why someone is asking you for the thing and if it makes sense

#

15 pages because full of pictures, obviously. no one would read 15 pages of text.

thorn obsidian
#

the details of the cert can help identify if it's dodgy
@lusty flare if you can't identify a phish from the url, you will definitely not identify it from the cert

lusty flare
#

true enough

safe lark
#

since apparently it wasn't clear enough I was referring to the LACK of a certificate. they were just bullet points, please ask me what I mean before assuming what I said and calling me out for absolutely nothing @thorn obsidian

thorn obsidian
#

@safe lark sincere apologies if you felt like I was calling you out. It wasn't a personal attack on you or anything of the sorts, I just genuinely thought you didn't realise that an SSL certificate wasn't an indication of a site's legitimacy. If what you said was enough to confuse me, a person working in the security industry, then it will also confuse less security-conscious people.

In any case, while the lack of an SSL cert can also indicate a number of things (such as the clear lack of secure practices), a phishing site is not one of them. Unfortunately, tonnes of legitimate companies still don't default their sites to TLS. If anything, I've seen a better track record for SSL for phishing campaigns than legitimate sites.

safe lark
#

jesus man I understand all of that. I was just asking you not to come at people all the time until you ask them what they mean. it's great for you you're in the industry but I know this stuff too lol, you don't have to be in it to know it

thorn obsidian
#

ok? I'm not sure why you're taking any of this as a personal attack

#

it's not

safe lark
#

I'm not, I'm just asking you to adjust how you talk to someone fam

#

it's not fun to see people explaining things to someone before even asking them what's up. it has nothing to do with personal attacks bro it's okay

thorn obsidian
#

in what way was anything I said not neutral? (we can move to another channel such as off topic to discuss this if you wish)

safe lark
#

whatever though, I guess I'm again confusing you

thorn obsidian
#

if you're willing to present information in a misleading manner, then you should also have nothing against when someone clarifies something you've said. :) just my two cents

safe lark
#

yeah you sound like a passive aggressive guy, nice way to be liked

#

how about be human

thorn obsidian
#

I think this is getting off topic

scarlet vapor
#

Anyone can teach me cyber security in terms of breaching into someone’s connection? (Educational purposes)

thorn obsidian
#

there's no such thing as "breaching into someone's connection", and even if there was we wouldn't help you here, as what you're seeking to do seems malicious

#

and I don't think putting "educational purposes" in brackets is going to help

thorn obsidian
#

@scarlet vapor That's pretty easy to do, be the NSA.

#

Problem solved 😄

#

But yes, we don't tend to discuss things that can be used for nefarious purposes even if it's "educational". Considering there are quite a few people on this server, we can't say for certain there isn't even just one person wishing to be malicious.

#

So we tend to be cautious in that regard, thanks for understanding 👍

scarlet vapor
#

@west peak so if someone would like to learn the process with which a network is attacked to then maybe want to create something that can last to that type of attack it would be malicious? Ridiculous thinking of yours

thorn obsidian
#

That's entirely different than what you asked above.

#

Anyone can teach me cyber security in terms of breaching into someone’s connection?
Is what you said. If you're wanting to learn how to defend against things, we can discuss that. What specifically are you wanting to protect against?

scarlet vapor
#

@thorn obsidian ehm I don’t think so, I asked how that type of attack would work so I can understand better..

thorn obsidian
#

Well, let's step back and analyze what you meant, as there may be some confusion.

#

Are you talking about nation states attacking the connection? ISP? Local wireless network?

scarlet vapor
#

I would like to understand what type of attacks there are and how these works, what defenses are taken for these type of attacks and what new ones could be built

#

Like local connection

#

For personal security

thorn obsidian
#

You don't really have to worry about local connections these days. Certificate pinning, HSTS and the like have made things like Firesheep useless and broken.

#

@thorn obsidian Unless there's something I'm missing here?

#

Now, are you talking about regular browsing outside of apps and the like?

#

Because you can setup your own VPN pretty easily

scarlet vapor
#

I would be talking like someone being able to get into my network and having access to all that goes and comes to my router

thorn obsidian
#

Your router specifically, or are we talking about public wifi?

scarlet vapor
#

Mine

#

Is there any chance of someone from the other side of the world being able to breach into my connection and get any of my data

thorn obsidian
#

Well, security is always a multi-tiered approach

#

So if you're worried about anything to do with that, you'd set devices either in front of or behind it.

lusty flare
#

if your router has known flaws it might be possible for an attacker to control it. at that point they might be able to sniff about your network and see if you've say, left any network shares open.

#

they also may potentially be able to see any traffic flowing through the router

#

or perhaps leverage the router as an attack platform to get to another device inside your network

#

and while that sort of stuff is possible, it's pretty damn unlikely.

#

that sort of attack is non-trivial and would doubtfully be applied to random home routers on the internet

lusty flare
#

in general people are far more likely to click something dumb on their phone or computer to expose themselves to malicious attacks

scarlet vapor
#

@lusty flare what type of links can do harm ?

lusty flare
#

malicious ones. ;D

#

seriously speaking, it's people clicking on a link that'll then ask them to download and run something, you know?

#

sometimes there are browser exploits out in the wild that just require you to visit a site but they're more rare

cold fossil
#

what goes into making a Brute Forcer?

#

as in how are they usually programmed

orchid notch
#

you build a thing that generates every combination possible for whatever you wanna attack

#

and then pipe that into a mechanism that tries this combination

#

and then wait until you get a match

#

i think that's as much as i can say without providing help for possibly malicious things

thorn obsidian
#

Brute forcing is useless for proper webapps too

#

Where you get locked out after 3/5/6/10/12 etc attempts

cold fossil
#

ya...

hollow moth
#

Or even just a time out between attempts

thorn obsidian
#

I wouldn't say it's entirely useless for webapps. It's pretty out of the question for passwords, but I've found quite a few instances where brute forcing a code of some sort (authorisation code or similar) has been viable and applicable in practice. But yeah, those cases are pretty rare when looking at the big picture.

hollow moth
#

My web application uses Flask-Limiter for rate limiting