Infosec

taeluralexis, (edited)

What are your thoughts on the Certified Ethical Hacker (CEH)? If you were offered a scholarship to take the cert for $200 instead of the standard $1k would you take it? Would you say it would benefit someone’s efforts towards getting interviews for a role in vulnerability analysis/pentesting? Asking for a friend, I’m trying to help her rn 🥴

giffengrabber,

@taeluralexis

My personal take – I’m not in the field of pentesting/vuln. analysis so take this with a grain of salt:

Personally, I’ve never bothered that much with certificates. I took a few (not many) at uni since it was part of the syllabus for some courses.

In general, my strategy has been to just dive in to those things I’ve found to be interesting.

Certificates can be a way to get a foot in the door, but my preference is that if employers don’t trust my knowledge without certificates, then they might not be a good match for me.

Some related discussions on HN that might be interesting:

https://news.ycombinator.com/item?id=14098466

https://news.ycombinator.com/item?id=2925735

People have some strong opinions about this kind of things – again, take it with a grain of salt. But it can still be a useful input when you make up your mind on what paths to take and what paths to not take.

HTH 😃

DaveMWilburn,

@taeluralexis my personal feeling is that it is an entry level cert, and as a hiring manager I would consider it a plus for entry level positions, alongside other entry level certs like Security+. Beyond entry level, the CEH probably doesn't do much good other than to check some boxes, and there are better certs for experienced specialists.

Certs can be useful to get past highly automated initial HR filters. There are a lot of paths to infosec, including certs, formal education, open source software dev, CTFs, home lab work, and lateraling in from adjacent fields (e.g., IT support). None of these paths is inherently better than the other, and ideally there should be some combination of several of them, but some automated HR systems have hard requirements for some of them like certs. Given that the tech sector downturn has made this all much more challenging, I'd say a cert would be a generally good idea, all other things being equal.

That said, it was not my personal route. I have never had certs. I came in to the field with a comp sci degree and some sysadmin experience at the turn of the century, and I had the privilege of a personal connection with someone at my then-prospective employer.

chiefgyk3d,
@chiefgyk3d@social.chiefgyk3d.com

Look what came in the mail? My @purism Librem 5, but I am still waiting on my SIM card for the Librem cell service for some testing between that and @Efani, but this will be an interesting review of the battle of the privacy phone ecosystems I have made.
Android/Graphene OS on Pixel 7a and PureOS on Purism Librem 5

chiefgyk3d,
@chiefgyk3d@social.chiefgyk3d.com

Doing my initial tinkering of the @purism Librem 5 phone and WOW. I am impressed it’s truly full I just installed @element using apt out the box. Their official instructions! Taking the phone apart as well and thoroughly impressed


deadbeefthemonster,

@chiefgyk3d @purism @element that's really cool; we've really come a long way since sharp zaurus

rusty,
@rusty@piaille.fr

For two days now I've been fascinated by what's happening in the world of IT security around the XZ backdoor. I'm going to try to explain it to you; it's going to be technical, but it's important.

For the Internet, it's the equivalent of a big asteroid passing 5,000 km from Earth. No impact, no direct damage, but we could all have died and nobody saw it coming.

I'm going to try to keep this as accessible as possible while giving links to the primary sources, which are often very technical and in English. It's going to be a bit long, but it's fascinating.

1/13

rusty,
@rusty@piaille.fr

We don't know who did it. The strategy was put in place progressively over two years; you have to be very organized and very solid to think that big and that far ahead. Many believe that only a state could have carried out a project of this scale.

Analysis is ongoing; we'll know more in the coming days. Debates have already begun about who is responsible, and notably about the critical role of the open-source community (and its underfunding).

The revelations began on Friday morning, 29 March 2024, with a post on a forum followed by a toot on Mastodon.

3/13

rusty,
@rusty@piaille.fr

Everything is in place when, in February 2024, Jia Tan adds the backdoor code to XZ. He then sends messages to the maintainers of the various Linux distributions asking them to update to the new version.

Everything goes as planned, until Andres Freund discovers it all by chance.

That's what just happened. A plan carried out over two and a half years, targeting one of the most important security infrastructures on the Internet. A plan that very nearly succeeded.

9/13

ryanfb,
@ryanfb@digipres.club

I don't know who needs to hear this but , which is running a forked version of Mastodon, does not from the source code appear to have appropriate mitigations in place for CVE-2023-36460, which theoretically allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution https://nvd.nist.gov/vuln/detail/CVE-2023-36460 (probably other CVEs as well, but some rely on federation, which Truth Social doesn't use?)

ryanfb,
@ryanfb@digipres.club

As an update, Truth Social's posted Mastodon source code has not been updated since my initial post in this thread, and has seemingly not been updated since at least June of 2022 (compare: http://web.archive.org/web/20220614001551/https://opensource.truthsocial.com/mastodon-current.zip). So if they're still using and updating Mastodon internally, they're no longer complying with its AGPL license at that link.

ryanfb,
@ryanfb@digipres.club

I've filed a formal complaint with the SEC regarding Truth Social's potentially misleading statements to investors in public filings

Scraft161,

Hardware security key options?

I've been thinking about getting a hardware security key and have heard of yubikey before; but I want to see what my options are and if they are worth it in your opinion.
My current setup is a local KeePassXC database (that I sync between my PC and phone and also acts as TOTP authenticator app), I know that KeePass supports hardware keys for unlocking the database.

I am personally still of the belief that passwords are the safest when done right; but 2FA/MFA can greatly increase security on top of that (again, if done right).
The key would work together with already existing passwords, not replace them.

As I use Linux as my primary OS, I do expect it to support it, and anything that doesn't I will have to pass on.

PS: what are the things I need to know about these hardware keys that aren't being talked about too much? I am very much delving into new territory and want to make sure I'm properly educated before I delve in.

@linux @technology @technology @privacy

maxeddy,

@Scraft161 Hello there! I've reviewed security keys for years.

First thing you might consider is whether you want a boatload of features or just U2F/WebAuthn support. The Yubico Security Key and similar devices are very affordable but do only the basics. The YubiKey 5 Series has many more features, but is significantly more expensive.

The second thing to think about is whether you require open-source hardware/firmware or not. Nitrokey and SoloKey both tout their open-source roots, while Yubico keeps things mostly closed.

I've tested dozens of these things and they all work equally well. Yubico's build quality and sheer number of features in the 5 series makes it my go-to, but it's hard to go wrong here sticking with known brands.

WorstCase,
@WorstCase@lemmy.world

While KeePass has the ability to use a YubiKey (or similar) as 2FA (the master password is still required), this does not work on the mobile (Android) apps I tried. If you can make it work, please let me know!

Other than that: I got my Yubikey working ok on Linux Mint. But somehow the first login often does not work as expected (you have to touch the key). That is why I don’t use it anymore as 2FA for computer login.

jkirk,

Cyber insurer startup Coalition says ransomware attackers are asking for much higher ransoms (average US$1.62M), but it has been able to negotiate the amounts down to 44% of the original demands. Also, ransomware claims are through the roof right now. Another interesting statistic: “When reasonable and necessary,” 36% of Coalition’s policyholders opted to pay a ransom in the first half of this year. https://info.coalitioninc.com/rs/566-KWJ-784/images/Coalition_2023-Claims-Mid-Year-Update.pdf

chetwisniewski,
@chetwisniewski@securitycafe.ca

@brett @jkirk I just wonder if they got an exemption, very high profile and seemingly no punishment. Reading between the lines.

jkirk,

@chetwisniewski @brett Yes you make a good point.

michael,
@michael@thms.uk

Just throwing this out there: for my freelancing I often need to share passwords or other secrets with clients. (Or they with me.)

I usually suggest Signal for that, but obviously most people don't have that.

Is there a good (and not too pricey - I only do very few freelance projects, so only need it once every few months) password sharing option for this?

I tried 1Password shared vaults, but even that is just too complex for many of my clients.

Open to self hosted ideas, as I have a server I could install this on.

Ideally a very simple thing where both my clients can securely input passwords to share with me without having to create an account (secret link and OTP, or something like that) and I can share links with clients.

Any thoughts?

falkheiland,

@michael 1Password seems to have a builtin? tool "Password Secure Sharing Tool (Psst!)" for that use case.

falkheiland,

@michael well, there are tools like https://pwpush.com/ which you can (and should) host yourself. Here the customer could create a secret and phone you the password to access it.

sos,
@sos@mastodon.gamedev.place

So, Microsoft is silently installing Copilot onto Windows Server 2022 systems and this is a disaster.

How can you push a tool that siphons data to a third party onto a security-critical system?

What privileges does it have upon install? Who thought this is a good idea? And most importantly, who needs this?

Amelia,

@sos Microsoft has been siphoning data for ages and only now y'all worry about it?

Amelia,

@sos u sure? Last time I ran Windows Server to test something I also checked what it tries to send out, and there was lots of data collection

mttaggart,

As more walls are raised around gardens and users are even more aggressively preyed upon by greedy corpo overlords, I feel it becomes a community responsibility to arm normal users, not just the tech-savvy, with knowledge and alternatives to break the cycle of exploitation we know drives this business model.

admitsWrongIfProven,
@admitsWrongIfProven@qoto.org

@mttaggart @bhawthorne Agree. It's meant to be a relatively private discussion, and i once again neglected to make it unlisted earlier... some day i will learn.

soleblaze,

@mttaggart simplicity and usability is key in anything. Historically we’re not good at it. I don’t find fediverse services confusing, but it is non trivial to find people and places to follow. Feels like that’s one of the more difficult problems they face and I’m not sure how it’s going to be solved beyond a curated portal.

taeluralexis,

Do y'all study or work on security-related stuff on the weekends? For the most part I do.. reading about diff vulnerabilities or doing TryHackMe or writing a script, but sometimes I just chill and do nothing lol. Today I'm on HackTheBox prepping for the interview

eselet,

@taeluralexis I usually read things. but make sure to disconnect now and then - makes for a better functioning brain and a happier life!

edbro,

@taeluralexis I do read sometimes, and write a blog from time to time. But mainly I focus my weekends on reloading my energy and being as efficient as possible during the week.

maxleibman, (edited)
@maxleibman@mastodon.social

Boss: Why haven't you done any of the work I gave you?

Me: What work?

Boss: From my emails!

Me: Oh, I deleted those.

Boss: WHAT?!

Me: I thought they were phishing attempts.

Boss: Why?

Me: The IT security training said typos and unexpected requests were clues to spot phishing.

IIVQ,
@IIVQ@mapstodon.space

@maxleibman I have not done our half-yearly phishing training for 2 or 3 years because it comes from an external address and asks me to click on a link. So I report it (and the 3 or 4 reminders) as phishing and go on with my life.

My manager caught flak for this from his manager. My manager is fine with what I'm doing.

skepticsbookoflists,
@skepticsbookoflists@c.im

@maxleibman Our IT security sent out an invite for courses on corporate security that were developed and hosted by Kevin Mitnick. I'm like "yeah, right, this is a crafty tiger team ploy to see if we're dumb enough to click on anything with the name of one of the most notorious hackers in history". I flagged it as phishing and commented "most amusing". No. Turns out it was a real course they wanted us to take.


Viss,
@Viss@mastodon.social

ok, internet.

I've done something with https://snakeoil.lol

it now has a fun/dumb html5 countdown spinner, and redirects you to a random snakeoil bullshit site. for now, a joke etsy listing and some google queries for norse and crown sterling.

what other complete horseshit snakeoil security vendors/products are out there that I can add?

#infosec #snakeoil

rubinjoni,
@rubinjoni@mastodon.social

@Viss renders nicely in Privacy Browser 3.15.1

simplenomad,
@simplenomad@rigor-mortis.nmrc.org

Genuinely curious as most of my followers are and somewhat logically minded (just somewhat) - how many of you have panels, batteries, an , or even gas/diesel generators at home? Or more than one? Curious.

rysiek,
@rysiek@mstdn.social

@simplenomad neither of these, but I live in Iceland, which is isolated enough and at the same time rugged and resilient enough, as far as power generation is concerned. Basically all power is locally generated, and it's geothermal or hydro.

noplasticshower,
@noplasticshower@zirk.us

@simplenomad gas generator and huge underground tank. Wired for solar but it is awaiting the next cash wave. Gonna cost $30k plus a superb tree...

mastodonmigration,
@mastodonmigration@mastodon.online

We talk about wanting professional journalists to ditch Twitter and come to Mastodon.

When they do we need to make them welcome!

Today Chris Bing @Bing_Chris a distinguished Reuters reporter covering hacking and foreign affairs has joined Mastodon saying "Hi - Twitter is a garbage fire. I am going to try to use this platform more. Love,-Bing."

Let's show Chris some love!

michael,

@mastodonmigration - Gavin Maguire from Reuters also just joined Mastodon - @gavinjmaguire - can he get a boost too please! Reuters Global Energy Transition Columnist change

michael,

@mastodonmigration Maguire! typo sorry @gavinjmaguire

MsDropbear42,

I created this account on 6/6/23, intending it to be my replacement for my current/active one https://kolektiva.social/@MsDropbear. However back then, after doing all my et al, i halted my changeover & placed this https://infosec.exchange/@MsDropbear42 on-hold. That was coz i was disappointed, indeed frustrated, that several of my desired , each of which work fine in , seemed to work only partially or not at all in . Huh?

Every now & then i've logged back into this account to check if they're better, & no they're not. That's a bugger, coz the infosec.exchange Instance seems to have several nice GUI enhancements over other Instances' websites' , which would be good to use.

So, a bit of a ; make infosec.exchange my new full-time daily home & accept the effective loss of those Follows, or stick with the fully-available Follows but slightly less sophisticated UI of kolektiva.social. Hmmm.

Tonight whilst doing this latest round of testing & head-scratching, i did at least finally ascertain, afaict, exactly why those particular account-Follows aren't working well here. At least one of them is from the domain @bird.makeup, which only tonight i realised, per https://infosec.exchange/about - Moderated servers, is listed! Ah.
⬇️
bird.makeup
Limited
Reason not available

So then i checked each of the troublesome Follows, & voila, they're all on that domain. Gaaaah. 🤦‍♀️ Weirdly though, two other Follows, also on that domain, seem to be working ok here, so that's another huh? 🤷‍♀️

https://bird.makeup/users/lenoretaylor
https://bird.makeup/users/rachelrwithers
https://bird.makeup/users/annabelcrabb
https://bird.makeup/users/crikey_news

I'd be sad to lose all four, but the one i most wish to have still, if i had to pick, is the Crikey one. Doing a search in infosec.exchange yielded a possible alternative, which uses a different domain, not included in the Moderated servers list; @crikey_news. So now it's another little waiting game; dunno how long it'll take for my Follow request to be approved [or not], & then... does it actually feed the Crikey posts into my Home timeline with the same alacrity as now in kolektiva.social? If yes, then i'll make infosec.exchange my new daily Instance. If no... then... 🤯

MsDropbear42,

@jerry Hi again.

>It looks like it should be fine from now.

Sadly not at all 😭. It's the next day now, & i've just finished a few hours of close comparison of all the new overnight [my time, ofc] items in my Home timeline of vs . It's bad.

I've attached sample pics [there's many more, but i exceeded the upload limit] fwiw, but TL;DR = has picked up NONE of the numerous new bird.makeup posts happily showing in my Home, from either @lenoretaylor or @crikey_news

It's such a pity. I've found so much i like here about this Instance, & truly hoped to be able to migrate fully to it, but it seems for whatever reason, unsuitable wrt the four Followed bird.makeup accounts that are important to me @rachelrwithers and @annabelcrabb].

Thanks very much all the same, Jerry, for having tried to solve it for me.

One of numerous Followed bird.makeup account posts that does not show up in my Infosec Home timeline.

jerry,

@MsDropbear42 you’re welcome. I can’t explain why it isn’t working.

timbray,
@timbray@cosocial.ca

I just discovered that apparently Time Machine backups are not encrypted by default. This seems crazy insecure. Would like to be told that “Yes they are!” or “No, that’s not crazy insecure because…”

[Back story: Just replaced a disk in our Synology that was going bad, wondering if I should hit it with a hammer a few times before tossing it in electronics recycling. My Arq backups are safe but apparently my wife’s Time Machines aren’t.]

dlakelan,
@dlakelan@mastodon.sdf.org

@timbray
Get a cordless drill and drill a hole through the platters. Good enough for low value targets.

timbray,
@timbray@cosocial.ca

@frank @jwz Similar story. Two things that are universally true about Time Machine: (a) it's slow, (b) it gives you no useful information about what it's doing. It failed for me one time (forget the details) and offered no useful information as to why, and I just said “screw this, what’s Plan B”.

mttaggart, (edited)

Hey, KeePassXC did get its own vuln!: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35866

Basically neither the master password change dialog nor the 2FA settings dialog require the current master password to function. So to exploit this, you'd need GUI access to a machine with an unlocked KeePassXC session. It's not nearly as scary as the KeePass vuln we saw a few weeks ago, but appears to be planned to be addressed in version 2.8.0.

EDIT: This is a BOGUS CVE that was created in bad faith. None of this should be considered a "vulnerability" so much as "how password managers work." Apologies to @keepassxc, who do fantastic work and whose project I use professionally and endorse.

mttaggart,

Right so, in KeePassXC, if you have an unlocked session, the change password flow does not require you to enter the current database password.

That means someone who accesses the machine locally (Or via RDP? Maybe?) would be able to change those settings. But then, they'd also be able to just read the passwords so ¯\_(ツ)_/¯

mttaggart,

@keepassxc Updated blog post regarding this sham CVE: https://keepassxc.org/blog/2023-06-20-cve-202335866/

rysiek,
@rysiek@mstdn.social

So wait building all these "secure" chat apps on a browser engine packaged in a thin layer of UI, with its insane number of dependencies and the gigantic, immense attack surface that this entails, was somehow a bad idea?

Who knew! Who could have foreseen this! Shocking, really.

selfisekai,

@rysiek oh hey I wrote a bit about this one. https://liberda.nl/weblog/from-source-or-vulnerable/

rysiek,
@rysiek@mstdn.social

@Benfell libwebp CVSS 10.0 vulnerability affecting anything built on Electron, and being exploited in the wild:
https://thehackernews.com/2023/09/new-libwebp-vulnerability-under-active.html

alex_02,

Been thinking about this for a while now. I wonder if I could write a "worm" that uses smb to spread? It would require access to the DC with the design I have. Think it would be interesting to code, but would require specific requirements before it can be used.

alex_02,

@0x00string don't think so...

alex_02,

@0x00string ok checked... it supports both ecc and non ecc.

kpwn,

Wondering what CVEs are being discussed on Mastodon right now?

I've just launched https://cvecrowd.com, a website that shows you exactly that!

Learn more below 🧵

kpwn,

@thisismissem Which attributes are you referring to?
Since I am using Mastodon's search API, cvecrowd should already respect the setting "Include public posts in search results". If this setting is disabled, I would assume that posts are not being detected by the crawler.

thisismissem,
@thisismissem@hachyderm.io

@kpwn Ah, so you're using the Search API for infosec.exchange? In which case, yes, you should be fine.

(may be wise to document how you're getting data & data retention / privacy)

ilyess,
@ilyess@mastodon.online

I was shocked witnessing someone logging into their bank on the phone in public recently:

  1. Their phone’s big display was at full brightness so everyone around could see what they were doing.
  2. They typed their password in, so no password manager. Unsurprisingly the password was weak: 5 lowercase letters and 1 numeric character.
  3. They didn’t have any kind of 2FA set up!

How on earth is this still happening?! 🤦

gerowen,
@gerowen@mastodon.social

@ilyess Because people are lazy and don't want to think too much.

ilyess,
@ilyess@mastodon.online

@gerowen Either that or they actually don’t know any better :/

simplenomad,
@simplenomad@rigor-mortis.nmrc.org

A note to the roughly 5 other people on the planet who run their own mail server - do you reject the spam/scam/malware source of the email (returning a reject automagically) or do you let the process quietly discard it? I do the latter.

It made sense when a lot of people ran their own mail servers (mainly businesses) as it could delay and maybe prevent some from recently the bad email before the source got added to a block list, but now with everyone using something like gmail (BTW a huge source of spam in recent years) it doesn't seem worth it.

simplenomad,
@simplenomad@rigor-mortis.nmrc.org

@fedops For my home domain I block a very large number of countries, including those. Yes, lots of garbage for sure!

jeff,

@simplenomad

Depends on the score.

Depending on the threshold it is either marked and delivered to a spam file, or it is quarantined, or if the score is high enough it just gets discarded.

chetwisniewski,
@chetwisniewski@securitycafe.ca

Idea: A new conference called "The Boring Security Conference". It covers topics and hands-on advice that are what actually keeps organizations secure. No zero-days, no APTs and no "if the criminal does these 39 things in precise order and you're not watching, you're owned" talks.

rootwyrm,
@rootwyrm@weird.autos

@chetwisniewski talks about 'frequently changing passwords' will also be banned as snake-oil, and the talk on why implementing RPZs at an organizational level is critical will still be strangely under-attended.

deepthoughts10,

@chetwisniewski check out @BlueTeamCon It’s a conference in Chicago that does just this

andrewfeeney,
@andrewfeeney@phpc.social

Suppose you have a sign in form which first accepts an email address and then proceeds to MFA steps. If you enter an email which does not match one in the system you get an error. "No matching account found" or whatever. Conversely if you enter an email which matches, you progress to the next screen. In this way you can know whether or not a particular email address is registered with the service.

What would be an alternative approach that doesn't reveal this information?
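One way to close the gap described in the question above, as an added example that is not from the thread: the first step returns the same response and does the same work whether or not the address is registered, so neither the message nor the timing says which it was. The user store, the OUTBOX "sender" and the PENDING challenge store are constructed in-memory stand-ins.

```python
import hashlib
import hmac
import secrets

# Constructed sample user store; a real deployment queries its user database.
USERS = {"alice@example.com": {"mfa": "email-code"}}

# Constructed stand-ins for the code delivery channel and the challenge store.
OUTBOX = []        # (email, code) tuples that would have been sent
PENDING = {}       # session_id -> challenge record

# Returned for every address, registered or not.
GENERIC_MESSAGE = "If an account exists for that address, we have sent a sign-in code."


def send_code(email, code):
    """Hypothetical delivery hook; here it only records what would be sent."""
    OUTBOX.append((email, code))


def start_signin(email):
    """Step one: accept an email address and always respond identically.

    Token generation, hashing and the store write happen for unknown
    addresses too, so response shape and timing do not reveal whether the
    account exists; only delivery is skipped (never failed) for unknowns.
    """
    normalized = email.strip().lower()
    exists = normalized in USERS
    session_id = secrets.token_urlsafe(16)
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[session_id] = {
        "code_hash": hashlib.sha256(code.encode()).hexdigest(),
        "real": exists,   # decoy sessions can never be completed
    }
    if exists:
        send_code(normalized, code)
    return {"next": "verify", "session": session_id, "message": GENERIC_MESSAGE}


def verify_code(session_id, code):
    """Step two: compare the submitted code against the stored hash.

    Sessions are single use; decoy sessions (unknown address) always fail,
    so the second step does not leak account existence either.
    """
    challenge = PENDING.pop(session_id, None)
    if challenge is None:
        return False
    submitted = hashlib.sha256(code.encode()).hexdigest()
    matches = hmac.compare_digest(submitted, challenge["code_hash"])
    return matches and challenge["real"]
```

Both steps still need rate limiting per address and per source, and the same uniform-response treatment belongs on registration and password-reset flows, which are the other usual enumeration points.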

viq,
@viq@hackerspace.pl
andrewfeeney,
@andrewfeeney@phpc.social

@viq I saw this! It’s brilliant.

nixCraft, (edited)
@nixCraft@mastodon.social

Poll: Are you encrypting DNS traffic using protocols such as DoT (DNS over TLS) or DoH (DNS over HTTPS)?

JMillz269,

@nixCraft Yup. Using DoQ.

in_sympathy,
@in_sympathy@mastodon.social

@nixCraft btw does anyone know a good tutorial on setting up encrypted DNS on a Raspberry Pi?
