What are your thoughts on the Certified Ethical Hacker (CEH)? If you were offered a scholarship to take the cert for $200 instead of the standard $1k would you take it? Would you say it would benefit someone's efforts towards getting interviews for a role in vulnerability analysis/pentesting? Asking for a friend, I'm trying to help her rn 🥴 #infosec #cybersecurity
My personal take – I’m not in the field of pentesting/vuln. analysis so take this with a grain of salt:
Personally, I’ve never bothered that much with certificates. I took a few (not many) at uni since it was part of the syllabus for some courses.
In general, my strategy has been to just dive in to those things I’ve found to be interesting.
Certificates can be a way to get a foot in the door, but my preference is that if employers don't trust my knowledge without certificates, then they might not be a good match for me.
Some related discussions on HN that might be interesting:
People have some strong opinions about this kind of thing – again, take it with a grain of salt. But it can still be a useful input when you make up your mind on what paths to take and what paths not to take.
@taeluralexis my personal feeling is that it is an entry level cert, and as a hiring manager I would consider it a plus for entry level positions, alongside other entry level certs like Security+. Beyond entry level, the CEH probably doesn't do much good other than to check some boxes, and there are better certs for experienced specialists.
Certs can be useful to get past highly automated initial HR filters. There are a lot of paths to infosec, including certs, formal education, open source software dev, CTFs, home lab work, and lateraling in from adjacent fields (e.g., IT support). None of these paths is inherently better than the other, and ideally there should be some combination of several of them, but some automated HR systems have hard requirements for some of them like certs. Given that the tech sector downturn has made this all much more challenging, I'd say a cert would be a generally good idea, all other things being equal.
That said, it was not my personal route. I have never had certs. I came in to the field with a comp sci degree and some sysadmin experience at the turn of the century, and I had the privilege of a personal connection with someone at my then-prospective employer.
Look what came in the mail? My @purism Librem 5, but I am still waiting on my SIM card For the Librem cell service for some testing between that and @Efani but this will be an interesting review of the battle of the privacy phone ecosystems I have made.
Android/Graphene OS on Pixel 7a and PureOS on Purism Librem 5 #infosec #cybersecurity #linux #opensource #cellphone #review #privacy
Doing my initial tinkering of the @purism Librem 5 phone and WOW. I am impressed; it's truly full #Linux. I just installed @element using apt out of the box. Their official instructions! Taking the phone apart as well and thoroughly impressed #cellphone #infosec #cybersecurity #review #privacy
For two days I have been fascinated by what is happening in the world of computer security, around the XZ backdoor. I will try to explain it to you; it's going to be technical, but it's important.
For the Internet, it's the equivalent of a large asteroid passing 5000 km from Earth. No impact, no direct damage, but we could all have been wiped out and nobody saw it coming.
I will try to keep it as accessible as possible, while giving links to the primary sources, which are often very technical and in English. It's going to be a bit long, but it's fascinating.
We don't know who did it. The strategy was gradually put in place over two years; you have to be very organised and very solid to think that big and that far ahead. Many believe that only a state could have carried out a project of this scale.
The analyses are ongoing; we'll know more in the coming days. Debates have already begun about responsibilities, and in particular about the critical role of the open-source community (and its underfunding).
The revelations began on Friday morning, 29 March 2024, with a post on a forum followed by a toot on Mastodon.
Everything is in place when, in February 2024, Jia Tan adds the backdoor code to XZ. He then sends messages to the maintainers of the various Linux distributions asking them to update to the new version.
Everything goes as planned, until Andres Freund discovers it all by chance.
That's what just happened. A plan carried out over two and a half years, targeting one of the most important security infrastructures on the Internet. A plan that nearly succeeded.
I don't know who needs to hear this but #TruthSocial, which is running a forked version of Mastodon, does not from the source code appear to have appropriate mitigations in place for CVE-2023-36460, which theoretically allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution https://nvd.nist.gov/vuln/detail/CVE-2023-36460 (probably other CVEs as well, but some rely on federation which Truth Social doesn't use?) #infosec
As an update, Truth Social's posted Mastodon source code has not been updated since my initial post in this thread, and has seemingly not been updated since at least June of 2022 (compare: http://web.archive.org/web/20220614001551/https://opensource.truthsocial.com/mastodon-current.zip). So if they're still using and updating Mastodon internally, they're no longer complying with its AGPL license at that link.
I've been thinking about getting a hardware security key and have heard of yubikey before; but I want to see what my options are and if they are worth it in your opinion.
My current setup is a local KeePassXC database (that I sync between my PC and phone and also acts as TOTP authenticator app), I know that KeePass supports hardware keys for unlocking the database.
I am personally still of the belief that passwords are the safest when done right; but 2FA/MFA can greatly increase security on top of that (again, if done right).
The key would work together with already existing passwords, not replace them.
As I use Linux as my primary OS I do expect it to support it, and anything that doesn't I will have to pass on.
PS: what are the things I need to know about these hardware keys that's not being talked about too much, I am very much delving into new territory and want to make sure I'm properly educated before I delve in.
@Scraft161 Hello there! I've reviewed security keys for years.
First thing you might consider is whether you want a boatload of features or just U2F/WebAuthn support. The Yubico Security Key and similar devices are very affordable but do only the basics. The YubiKey 5 Series has many more features, but is significantly more expensive.
The second thing to think about is whether you require open-source hardware/firmware or not. Nitrokey and SoloKey both tout their open-source roots, while Yubico keeps things mostly closed.
I've tested dozens of these things and they all work equally well. Yubico's build quality and sheer number of features in the 5 series makes it my go-to, but it's hard to go wrong here sticking with known brands.
While KeePass has the ability to use a YubiKey (or similar) as 2FA (master password is still required), this does not work on the mobile (Android) apps I tried. If you can make it work, please let me know!
Other than that: I got my Yubikey working ok on Linux Mint. But somehow the first login often does not work as expected (you have to touch the key). That is why I don’t use it anymore as 2FA for computer login.
Cyber insurer startup Coalition says ransomware attackers are asking for much higher ransoms (average US$1.62M), but it has been able to negotiate the amounts down to 44% of the original demands. Also, ransomware claims are through the roof right now. Another interesting statistic: "When reasonable and necessary," 36% of Coalition's policyholders opted to pay a ransom in the first half of this year. #infosec https://info.coalitioninc.com/rs/566-KWJ-784/images/Coalition_2023-Claims-Mid-Year-Update.pdf
Just throwing this out there: For my freelancing I often need to share passwords or other secrets with clients. (Or they with me.)
I usually suggest Signal for that, but obviously most people don't have that.
Is there a good (and not too pricey - I only do very few freelance projects, so only need it once every few months) password sharing option for this?
I tried 1Password shared vaults, but even that is just too complex for many of my clients.
Open to self hosted ideas, as I have a server I could install this on.
Ideally a very simple thing where both my clients can securely input passwords to share with me without having to create an account (secret link and OTP, or something like that) and I can share links with clients.
@michael Well, there are tools like https://pwpush.com/ which you can (and should) host yourself. Here the customer could create a secret and phone you the password to access it.
As more walls are raised around gardens and users are even more aggressively preyed upon by greedy corpo overlords, I feel it becomes an #InfoSec community responsibility to arm normal users, not just the tech-savvy, with knowledge and alternatives to break the cycle of exploitation we know drives this business model.
@mttaggart @bhawthorne Agree. It's meant to be a relatively private discussion, and I once again neglected to make it unlisted earlier... some day I will learn.
@mttaggart simplicity and usability is key in anything. Historically we’re not good at it. I don’t find fediverse services confusing, but it is non trivial to find people and places to follow. Feels like that’s one of the more difficult problems they face and I’m not sure how it’s going to be solved beyond a curated portal.
Do y'all study or work on security-related stuff on the weekends? For the most part I do, reading about diff vulnerabilities or doing TryHackMe or writing a script, but sometimes I just chill and do nothing lol. Today I'm on HackTheBox prepping for the interview
@taeluralexis I do read sometimes, and write a blog from time to time. But mainly I focus my weekends on reloading my energy and being as efficient as possible during the week.
@maxleibman I have not done our halfyearly phishing training for 2 or 3 years because it comes from an external address and asks me to click on a link. So I report it (and the 3 or 4 reminders) as phishing and go on with my life.
My manager caught flak for this from his manager. My manager is fine with what I'm doing.
@maxleibman Our IT security sent out an invite for courses on corporate security that were developed and hosted by Kevin Mitnick. I'm like "yeah, right, this is a crafty tiger team ploy to see if we're dumb enough to click on anything with the name of one of the most notorious hackers in history". I flagged it as phishing and commented "most amusing". No. Turns out it was a real course they wanted us to take.
It now has a fun/dumb HTML5 countdown spinner, and redirects you to a random snake oil bullshit site. For now, a joke Etsy listing and some Google queries for Norse and Crown Sterling.
What other complete horseshit snake oil security vendors/products are out there that I can add?
Genuinely curious as most of my followers are #infosec and somewhat logically minded (just somewhat) - how many of you have #solar panels, batteries, an #EV, or even gas/diesel generators at home? Or more than one? Curious.
@simplenomad Neither of these, but I live in Iceland, which is isolated enough and at the same time rugged and resilient enough, as far as power generation is concerned. Basically all power is locally generated, and it's geothermal or hydro.
We talk about wanting professional journalists to ditch Twitter and come to Mastodon.
When they do we need to make them welcome!
Today Chris Bing @Bing_Chris, a distinguished Reuters reporter covering hacking and foreign affairs, has joined Mastodon saying "Hi - Twitter is a garbage fire. I am going to try to use this platform more. Love, -Bing."
@mastodonmigration - Gavin Maguire from Reuters also just joined Mastodon - @gavinjmaguire - can he get a boost too please! Reuters Global Energy Transition Columnist #energy #climate change
I just discovered that apparently Time Machine backups are not encrypted by default. This seems crazy insecure. Would like to be told that “Yes they are!” or “No, that’s not crazy insecure because…”
[Back story: Just replaced a disk in our Synology that was going bad, wondering if I should hit it with a hammer a few times before tossing it in electronics recycling. My Arq backups are safe but apparently my wife’s Time Machines aren’t.]
@frank @jwz Similar story. Two things that are universally true about Time Machine. (a) it's slow (b) it gives you no useful information about what it's doing. It failed for me one time (forget the details) and offered no useful information as to why and I just said "screw this, what's Plan B".