Infosec

taeluralexis,

Can anyone raise their hand if they’re in cybersecurity WITHOUT a college degree lol?

cstromblad,

@taeluralexis
I can. When I entered the field back in 2001, there were no such degrees at all. Sure you had computer science degrees but nothing related to security.

fennix,
taeluralexis, (edited)

What are your thoughts on the Certified Ethical Hacker (CEH)? If you were offered a scholarship to take the cert for $200 instead of the standard $1k would you take it? Would you say it would benefit someone’s efforts towards getting interviews for a role in vulnerability analysis/pentesting? Asking for a friend, I’m trying to help her rn 🥴

giffengrabber,

@taeluralexis

My personal take – I’m not in the field of pentesting/vuln. analysis so take this with a grain of salt:

Personally, I’ve never bothered that much with certificates. I took a few (not many) at uni since it was part of the syllabus for some courses.

In general, my strategy has been to just dive into those things I’ve found to be interesting.

Certificates can be a way to get a foot in the door, but my preference is that if employers don’t trust my knowledge without certificates, then they might not be a good match for me.

Some related discussions on HN that might be interesting:

https://news.ycombinator.com/item?id=14098466

https://news.ycombinator.com/item?id=2925735

People have some strong opinions about this kind of things – again, take it with a grain of salt. But it can still be a useful input when you make up your mind on what paths to take and what paths to not take.

HTH 😃

DaveMWilburn,

@taeluralexis my personal feeling is that it is an entry level cert, and as a hiring manager I would consider it a plus for entry level positions, alongside other entry level certs like Security+. Beyond entry level, the CEH probably doesn't do much good other than to check some boxes, and there are better certs for experienced specialists.

Certs can be useful to get past highly automated initial HR filters. There are a lot of paths to infosec, including certs, formal education, open source software dev, CTFs, home lab work, and lateraling in from adjacent fields (e.g., IT support). None of these paths is inherently better than the other, and ideally there should be some combination of several of them, but some automated HR systems have hard requirements for some of them like certs. Given that the tech sector downturn has made this all much more challenging, I'd say a cert would be a generally good idea, all other things being equal.

That said, it was not my personal route. I have never had certs. I came into the field with a comp sci degree and some sysadmin experience at the turn of the century, and I had the privilege of a personal connection with someone at my then-prospective employer.

mysk,

Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.

TL;DR: Don't turn it on.

The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.

We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.

Why is this bad?

Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵


mysk,

.... if someone obtains access to your Google Account, all of your 2FA secrets would be compromised.

Also, 2FA QR codes typically contain other information such as account name and the name of the service (e.g. Twitter, Amazon, etc). Since Google can see all this data, it knows which online services you use, and could potentially use this information for personalized ads.
Surprisingly, Google data exports do not include the 2FA secrets that are stored in the user's Google Account. We downloaded all the data associated with the Google account we used, and we found no traces of the 2FA secrets.

The bottom line: although syncing 2FA secrets across devices is convenient, it comes at the expense of your privacy. Fortunately, Google Authenticator still offers the option to use the app without signing in or syncing secrets. We recommend using the app without the new syncing feature for now.
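The point mysk makes, that the TOTP seed is all anyone needs to produce the same codes, is easy to see by running the algorithm yourself. The following is an added example written for this thread, not code from mysk, Google or any authenticator app. It parses a constructed otpauth:// URI of the kind a 2FA QR code encodes, shows the issuer and account name that travel with the seed (which is what a sync server storing the URI in plaintext would see), and derives the RFC 6238 code from the seed. The function names are my own; the secret is the RFC 6238 reference test key, not any real account's seed.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qsl, unquote

# Constructed sample: the otpauth:// URI a 2FA QR code encodes. The secret is
# the RFC 6238 reference key ("12345678901234567890" in base32), not a real seed.
SAMPLE_URI = (
    "otpauth://totp/Example%20Service:alice@example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Service"
)


def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into the fields a sync server would see."""
    scheme, _, rest = uri.partition("://")
    if scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    otp_type, _, rest = rest.partition("/")
    if otp_type != "totp":
        raise ValueError("only TOTP is handled here")
    label, _, query = rest.partition("?")
    params = dict(parse_qsl(query))
    # The label is "issuer:account"; the issuer may also be a query parameter.
    issuer_in_label, _, account = unquote(label).rpartition(":")
    return {
        "issuer": params.get("issuer", issuer_in_label),
        "account": account,
        "secret": params["secret"],
        "algorithm": params.get("algorithm", "SHA1").lower(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def totp(secret_b32, at_time, digits=6, period=30, algorithm="sha1"):
    """RFC 6238 TOTP: HMAC over the time-step counter, then dynamic truncation."""
    # QR codes often omit base32 padding; restore it before decoding.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(at_time) // period)
    digest = hmac.new(key, counter, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def code_from_uri(uri, at_time):
    """What anyone holding the URI (the user, a sync server, or a breach of it) can compute."""
    f = parse_otpauth(uri)
    return totp(f["secret"], at_time, f["digits"], f["period"], f["algorithm"])


if __name__ == "__main__":
    fields = parse_otpauth(SAMPLE_URI)
    print("stored alongside the seed:", fields["issuer"], "/", fields["account"])
    # Same seed plus the same clock gives the same code on every device that has the seed.
    print("code at T=59:", code_from_uri(SAMPLE_URI, 59))
```

Nothing in the code depends on which device runs it: the seed and the clock are the only inputs, so a copy of the seed held by a sync service is as good as the phone itself. That is why a seed should only ever be stored or transmitted under encryption whose key the provider does not hold.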

ezrabowman,

@mysk Right. Don’t use Google for this. Use 2FAS instead. https://2fas.com/

Rairii,

I just spent a day or so figuring this out, and CVE-2022-41099 is... really stupid...

I decided to call this "push button decrypt".

basically when you boot to WinRE tied to an OS install, keys for the OS volume are derived (this is done by having a SHA-256 hash of a WIM in the BitLocker metadata)

anyway, WinRE does not require the BitLocker recovery key when choosing "reset my PC" and "remove everything".

When choosing "just remove my files", WinRE starts to decrypt the BitLocker volume at ~98%.

Hard resetting (hard power off / power on) here will reboot back into WinRE and show an error.

Clicking OK on the error will cause a reboot back to the OS, and starts Windows Setup, which shows an "upgrade" screen.

...where Shift+F10 works to get a shell, you can then pause the decryption, remove all key protectors, then dump plaintext VMK, decrypt the FVEK with that, and use that FVEK to decrypt a disk image you made earlier.

This is the second time that Shift+F10 in setup to get a shell broke BitLocker.

The fix removes "reset my PC" -> "remove everything" from the list of options that are allowed to start with the OS volume unlocked and without entering a recovery key (leaving only one in place: startup repair).

Because this is an issue with code running in WinRE user mode, this affects legacy integrity validation as well as Secure Boot integrity validation.

geoffvass,

@Rairii Great work. Do you think ShutdownWithoutLogon=0 would mitigate this - remove the ability to do a graceful reboot into the Recovery Environment from the lock screen?

Rairii,

@geoffvass no, as you can modify the BCD to force booting into WinRE (or just power off during boot twice).

chiefgyk3d,

Look what came in the mail? My @purism Librem 5, but I am still waiting on my SIM card for the Librem cell service for some testing between that and @Efani. This will be an interesting review of the battle of the privacy phone ecosystems I have made:
Android/Graphene OS on Pixel 7a and PureOS on Purism Librem 5

chiefgyk3d,

Doing my initial tinkering of the @purism Librem 5 phone and WOW. I am impressed, it’s truly full. I just installed @element using apt out of the box. Their official instructions! Taking the phone apart as well and thoroughly impressed.


deadbeefthemonster,

@chiefgyk3d @purism @element that's really cool; we've really come a long way since the Sharp Zaurus

rusty,

For two days now I've been fascinated by what is going on in the computer security world around the XZ backdoor. I'm going to try to explain it to you; it's going to be technical, but it's important.

For the Internet, it's the equivalent of a large asteroid passing 5000 km from Earth. No impact, no direct damage, but it could have wiped us all out and nobody saw it coming.

I'll try to keep it as accessible as possible while giving links to the primary sources, which are often very technical and in English. It's going to be a bit long, but it's fascinating.

1/13

rusty,

We don't know who did it. The strategy was put in place gradually over two years; you have to be very organized and very solid to think that big and that far ahead. Many believe that only a state could have carried out a project of this scale.

Analyses are ongoing, and we'll know more in the coming days. Debates have already started about who is responsible, and notably about the critical role of the open-source community (and its underfunding).

The revelations began on Friday morning, 29 March 2024, with a post on a forum followed by a toot on Mastodon.

3/13

rusty,

Everything is in place when, in February 2024, Jia Tan adds the backdoor code to XZ. He then sends messages to the maintainers of the various Linux distributions asking them to update to the new version.

Everything goes as planned, until Andres Freund discovers it all by chance.

That's what just happened. A plan carried out over two and a half years, targeting one of the most important pieces of security infrastructure on the Internet. A plan that almost succeeded.

9/13

ryanfb,

I don't know who needs to hear this but , which is running a forked version of Mastodon, does not from the source code appear to have appropriate mitigations in place for CVE-2023-36460, which theoretically allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution https://nvd.nist.gov/vuln/detail/CVE-2023-36460 (probably other CVEs as well, but some rely on federation which Truth Social doesn't use?)

ryanfb,

As an update, Truth Social's posted Mastodon source code has not been updated since my initial post in this thread, and has seemingly not been updated since at least June of 2022 (compare: http://web.archive.org/web/20220614001551/https://opensource.truthsocial.com/mastodon-current.zip). So if they're still using and updating Mastodon internally, they're no longer complying with its AGPL license at that link.

ryanfb,

I've filed a formal complaint with the SEC regarding Truth Social's potentially misleading statements to investors in public filings.

Scraft161,

Hardware security key options?

I've been thinking about getting a hardware security key and have heard of YubiKey before, but I want to see what my options are and whether they are worth it in your opinion.
My current setup is a local KeePassXC database (which I sync between my PC and phone and which also acts as my TOTP authenticator app); I know that KeePass supports hardware keys for unlocking the database.

I am personally still of the belief that passwords are the safest when done right, but 2FA/MFA can greatly increase security on top of that (again, if done right).
The key would work together with already existing passwords, not replace them.

As I use Linux as my primary OS I do expect it to support it, and anything that doesn't I will have to pass on.

PS: what are the things I need to know about these hardware keys that's not being talked about too much, I am very much delving into new territory and want to make sure I'm properly educated before I delve in.

@linux @technology @technology @privacy

maxeddy,

@Scraft161 Hello there! I've reviewed security keys for years.

First thing you might consider is whether you want a boatload of features or just U2F/WebAuthn support. The Yubico Security Key and similar devices are very affordable but do only the basics. The YubiKey 5 Series has many more features, but is significantly more expensive.

The second thing to think about is whether you require open-source hardware/firmware or not. Nitrokey and SoloKey both tout their open-source roots, while Yubico keeps things mostly closed.

I've tested dozens of these things and they all work equally well. Yubico's build quality and sheer number of features in the 5 series makes it my go-to, but it's hard to go wrong here sticking with known brands.

WorstCase,

While KeePass has the ability to use a YubiKey (or similar) as 2FA (the master password is still required), this does not work on the mobile (Android) apps I tried. If you can make it work, please let me know!

Other than that: I got my Yubikey working ok on Linux Mint. But somehow the first login often does not work as expected (you have to touch the key). That is why I don’t use it anymore as 2FA for computer login.

jkirk,

Cyber insurer startup Coalition says ransomware attackers are asking for much higher ransoms (average US$1.62M), but it has been able to negotiate the amounts down to 44% of the original demands. Also, ransomware claims are through the roof right now. Another interesting statistic: “When reasonable and necessary,” 36% of Coalition’s policyholders opted to pay a ransom in the first half of this year. https://info.coalitioninc.com/rs/566-KWJ-784/images/Coalition_2023-Claims-Mid-Year-Update.pdf

chetwisniewski,

@brett @jkirk I just wonder if they got an exemption, very high profile and seemingly no punishment. Reading between the lines.

jkirk,

@chetwisniewski @brett Yes you make a good point.

jerry,

What emerging threats are you keeping an eye on? What are you doing about them?

QuatermassTools,

@jerry him, that dude over there. No, over there. The one with the trilby, flippers and the copy of the avian carrier protocol. Dodgy as fuq if you ask me.

Might have to write a stern letter to The Times!

_keith_smith_,

@jerry Not sure if qualifies as ‘emerging’ but Adobe contract signing spear-phishing attempts have gotten a little too good for comfort lately.

Education.

michael,

Just throwing this out there: for my freelancing I often need to share passwords or other secrets with clients. (Or they with me.)

I usually suggest Signal for that, but obviously most people don't have that.

Is there a good (and not too pricey - I only do very few freelance projects, so only need it once every few months) password sharing option for this?

I tried 1Password shared vaults, but even that is just too complex for many of my clients.

Open to self hosted ideas, as I have a server I could install this on.

Ideally a very simple thing where both my clients can securely input passwords to share with me without having to create an account (secret link and OTP, or something like that) and I can share links with clients.

Any thoughts?

falkheiland,

@michael 1Password seems to have a built-in? tool "Password Secure Sharing Tool (Psst!)" for that use case.

falkheiland,

@michael well, there are tools like https://pwpush.com/ which you can (and should) host yourself. Here the customer could create a secret and phone you the password to access it.

sos,

So, Microsoft is silently installing Copilot onto Windows Server 2022 systems and this is a disaster.

How can you push a tool that siphons data to a third party onto a security-critical system?

What privileges does it have upon install? Who thought this is a good idea? And most importantly, who needs this?

Amelia,

@sos Microsoft has been siphoning data for ages and only now y'all worry about it?

Amelia,

@sos You sure? Last time I ran Windows Server to test something I also checked what it tries to send out, and there was lots of data collection.

mttaggart,

As more walls are raised around gardens and users are even more aggressively preyed upon by greedy corpo overlords, I feel it becomes a community responsibility to arm normal users, not just the tech-savvy, with knowledge and alternatives to break the cycle of exploitation we know drives this business model.

admitsWrongIfProven,

@mttaggart @bhawthorne Agree. It's meant to be a relatively private discussion, and I once again neglected to make it unlisted earlier... some day I will learn.

soleblaze,

@mttaggart simplicity and usability are key in anything. Historically we’re not good at it. I don’t find fediverse services confusing, but it is non-trivial to find people and places to follow. Feels like that’s one of the more difficult problems they face, and I’m not sure how it’s going to be solved beyond a curated portal.

maxleibman, (edited)

If you access corporate email on a personal device that can be unlocked with FaceID, you must change your face at least once every sixty days.

You may not reuse any of your most recent 12 faces.

maxleibman,

Please contact the technical support desk if you have forgotten your face and need help resetting it.

maxleibman,

Please note that we have updated our security policy to accommodate Apple’s Vision Pro and OpticID:

If you use OpticID to unlock a device with access to corporate data, you must change your retina at least once every sixty days.

You may not re-use any of your most recent 12 eyeballs.

taeluralexis,

Do y'all study or work on security-related stuff on the weekends? For the most part I do... reading about diff vulnerabilities or doing TryHackMe or writing a script, but sometimes I just chill and do nothing lol. Today I'm on HackTheBox prepping for the interview.

eselet,

@taeluralexis I usually read things, but make sure to disconnect now and then - makes for a better functioning brain and a happier life!

edbro,

@taeluralexis I do read sometimes, and write a blog from time to time. But mainly I focus my weekends on reloading my energy and being as efficient as possible during the week.
