Snort (e.g. on pfSense) is all fine and dandy - but how are you guys really putting it to use in real-world scenarios?
Being able to block only on alerts of a certain priority (e.g. only prio 1 & 2) would help a lot here IMHO, but AFAIK that's not possible.
What are your thoughts and experience here?
Sorry if this is the wrong place to ask, but I am looking for some guidance on where I should take my career next.
I have about 8 years of experience in the medical devices field (Biomedical), where I have maintained, serviced and repaired a huge variety of medical equipment, from something as simple as an infusion pump all the way up to anaesthesia machines, dialysis machines, and diagnostic imaging equipment (plus a tiny bit of networking). I've worked mainly with my hands troubleshooting and fixing physical problems, and don't get me wrong, it's a fantastic field that can be highly challenging and rewarding, but I am looking to move my career into a position that is less physically demanding, gives me the flexibility to work remotely, increases my salary ceiling, and is also in high demand.
Right now, with just a diploma in Biomedical Electronics I've topped out at about $110k (Cad$) but that's about as good as it gets for the next 25 years unless I shoot for management or medical device sales (No Thanks).
With my biomedical and medical device experience I feel like aiming for a medical device cyber security type role at one of the big name medical companies makes the most sense but I could be wrong. (I really have no idea where to start here as you may be able to tell).
My ideas right now are:
- Begin taking CompTIA certifications and work towards CySA+ or PenTest+
- Enroll in an online cyber security degree program like something at WGU
If anyone has any advice or if this pathway even makes sense it would be greatly appreciated.
E.g. if we take a look at all the known vulnerabilities for the Signal Protocol, we see all of them relate to a specific OS or platform.
But if I want to see weaknesses in the Signal Protocol itself, I see many articles that show information like replay attacks being possible.
Internally, how are most orgs restricting rdp access or limiting internal rdp for users/machines?
The US government now seems to work under the assumption that any electronic device coming out of China is a surveillance device. Should non-state actors (i.e. civilians) practice the same caution, or is that delving into paranoia?
Setting up a new laptop with PopOS 22.04 Jammy (I know, don't judge! I promised myself the next laptop I'll try Arch). I was trying to find a way to auto-configure some tuneables in PowerTop without using --auto-tune, which enables all of them, and Google led me to a set of tools called tuned-utils.
I installed the package, which also installed the recommended package tuned (tune daemon?). After playing with it for about 5 mins, rebooting, and not getting the results I was looking for, I apt removed the package tuned-utils, and apt autoremoved afterwards since it left tuned behind.
The autoremove listed some packages I was not happy seeing - ethtool, hdparm, ncat, virt-what, to name a few off the top of my head. Seeing this has led me into a panic. The laptop is now off, and I intend to reformat it with a fresh install.
This is one place I've been able to find the tuned package listing ethtool and hdparm as a dependency: https://launchpad.net/ubuntu/jammy/+source/tuned
Is anyone willing to find out what the malicious package does? Any chance data may have been exfiltrated, or that it would try to compromise other systems on my network?
This is my first time encountering anything malicious on Linux. I'm not sure how to report it to the repositories, if someone could help point me in the right direction.
I apologize if this type of question/post is not meant for this subreddit. This was the first place I could think of posting after I realized what had happened. If there is somewhere else I should post this, please let me know. Thanks in advance!
tl;dr: I installed a PopOS/Ubuntu repository package 'tuned' which also installed ethtool, hdparm, ncat, virt-what and other tools, which leads me to believe it was malicious. Looking to see if anyone is willing to help me understand what the payload/package is meant to do.
In an enterprise network setting, is detecting RDP to the internet something that should be investigated? If so, why?
We are seeing some RDP from 192.168 IPs out to internet IPs, and also seeing 192.168 to 192.168 on the home LAN of some users.
- Is Synack better than HackerOne and Bugcrowd?
- How difficult is it to get into Synack?
- Pros and cons?
I'm very curious to know:
Are there dedicated roles where the primary job is to piece together artifacts from an incident / intrusion / etc. and try to trace it back to an actual person or organization? (Especially with an emphasis on providing operational intel for follow-on action, including, say, law enforcement action.) And...
How did those of you doing that kind of work get into that role?
Initially I feel like this might be in DFIR. And I can easily see this being as much OSINT as network security. That's where my interests lie.
I'm not terribly interested in being a SOC analyst at this point or doing a lot of report writing as a cyber threat intel analyst either.
But I would love to get into a role where you combine OSINT, cyber intel, and "people finding".
The context is that whenever there is an alert, I need to go to different Excel files to enrich the information on the target internal IP address.
Do you have any effective way to inventory IP addresses? I prefer it to be an open-source tool or something free for now; a commercial tool will be considered for the long-term plan.
Appreciate any input!
My work is requiring us to install a trusted root certificate to be able to access work Citrix through our personal computers. They now require use of PIV card to access Citrix.
The root certificate is Federal Common Policy CA G2 (FCPCAG2) certificate and here are the instructions:
However, I am concerned about the security and privacy implications of this for my personal laptop:
- I understand that anything in Citrix is completely visible to them - so this is NOT a question about privacy using anything in Citrix.
- If I install this root certificate on my personal computer, what else can they access or see OUTSIDE of Citrix? For example, if I am home on my home wifi and logged into Citrix, then I open up Firefox (NOT in Citrix, but on my personal computer) and go to a banking website, can they decrypt it, OR will the bank be using a different root certificate?
- Once I install the root certificate, can they install or download other programs through Citrix without my approval on my personal computer while it's connected to my home wifi, since they can self-sign using the root certificate?
I would not be taking my personal laptop to work and connecting it to work wifi.
- Any other privacy or security implications (outside of using Citrix)?
When sites load JS from CDNs like jsdelivr.net or Cloudflare, is there any assumption they are safe? Is there any way to check?
For example, a page uses the below JS to swipe through photos.
Currently, I am working on completing both of these degrees. I finished an associate's in cybersecurity at community college for free on an athletic scholarship, and earned another full ride for up to 12 credits a semester at university. However, in order to complete this degree, I have to take between 15-17 credits a semester, which is not only incredibly time consuming, but expensive as well. However, if there is a major benefit to completing both degrees, I will do it. I am in Michigan if that helps.
I'm trying to wipe an SSD, but it doesn't seem to have any manufacturer-supported secure erase tool. I plan on doing a Windows slow format, then encrypting the drive with BitLocker, and then wiping the drive again. Would this be effective at preventing data retrieval?
I recently started to work on a Python project to improve my network security and protocol analysis skills.
I am trying to write a tool that reads RDP banners on port 3389 programmatically using Scapy. In the repo linked below there are 2 attempts at doing this: the first via a subprocess call using nmap with Lua scripts (easy solution), the second one instead uses Scapy to mimic an RDP client. Using Wireshark I figured out that I can see some interesting info in TLS packets. So far I got this far but not enough to complete the project! Any help would be really appreciated: https://github.com/CyberRoute/rdpscan . Ideally I would like to grab stuff like:
Remote Desktop Protocol NTLM Info:
OS: Windows 10 (version 1607)/Windows Server 2016 (version 1607)
OS Build: 10.0.14393
Target Name: RDP
NetBIOS Domain Name: RDP
NetBIOS Computer Name: RDP
DNS Domain Name: rdp
FQDN: rdp
Is anyone familiar with where to find, or can you point me to, a wordlist of the most common usernames for forums like vBulletin or phpBB?
For example, for Event ID 11 (File create), there is no LogonGuid or session being referenced. https://ossemproject.com/dd/dictionaries/linux/sysmon/event-11.html
I suspect it's because users create processes, but (in Sysmon's view) processes create files. Is that correct?
I prefer video to get started with something.
Currently, I am learning OWASP top 10. These are the concepts that I am learning:
F5 devcentral (gr8 vids)
But I don't think they were teaching me how to exploit properly using DVWA. I want something that does that.
A few days down the road, I think I have secured all the major leaks, changed all PWs, etc. However, I want to gain a better knowledge of how this all works.
I realized while clearing the websites that there are differing levels of security. For instance, some websites require 2FA. Some need 2FA even after you shared your CC details. I learnt that I didn't use the same combination for a lot of sites.
I do not do a lot of online shopping so I figure I am safe after my precautions.
The original breach was on Discord, with a certain name and PW combination. So I guess I am only as vulnerable as what was on Discord? Or do hackers then go across the Internet searching for that same user and pass combination? (That would be a lot of sites...)
I'd like to know more about exactly what kind of breach this was and its aftermath, as well as what I can do to prevent it from happening again (besides what I've already done).
<university name> is carrying out updates to improve Wi-Fi service for students across the University. Changes will be rolled out over the coming months, commencing <time, date>.
From <time, date>, you may be presented with a new pop-up certificate when connecting to <university name> Wi-Fi networks.
When you see this certificate pop-up, select ‘Connect’ to accept and connect.
You must accept this new certificate in order to access the Wi-Fi. This action will only be required once for each device you use to connect to the <university name> Wi-Fi network.
I saw this yesterday in my uni e-mail. I'm wondering, by accepting this new certificate, will the university be able to monitor all my online activity? How can I mitigate the risk; is a VPN or VM enough? Unfortunately, there's no information on the nature of the "certificate", so I don't know whether it will be an SSL, root or CA cert.
Edit: Thanks for all your replies. I guess it's just an annual update of the certificate, nothing "additional"; I was overthinking.
I’ve recently been tasked with establishing an organizational threat model using an existing threat model framework (Microsoft, Octave, Trike, Pasta, etc…).
I’m in the process of evaluating the use cases for each to best determine which one fits my organization the best, but was curious which ones other people use and why.
for a CTF I'm doing
I am currently setting up a security lab, and one of the hands-on exercises requires retrieving an NTLM hash from the memory (lsass) of a Windows host in the lab.
For this, I would like to inject this hash as it would be with a legitimate RDP connection or with a RUNAS command. However, I need to shut down the machine before deploying it across multiple instances, so I cannot inject it into a snapshot and restore the snapshot. The machine must be turned off.
Does anyone have one or more simple solutions, without custom binaries, to preserve this hash in memory or make it reappear after a reboot?
Hi fellows, I have a question.
If I set a custom "TEST" header to a value of "TEST", wouldn't this prevent CSRF completely?
So, the attacker would have to add a custom header "TEST" to the request, and that would cause a preflight request. Since the preflight request will fail, the actual request will not be sent to example.com.
What I don't understand is why we need to generate a unique CSRF token for the user's session and send it in the body when we can do it in a much simpler way. Doesn't this method completely prevent CSRF scenarios?
Before I made the jump from HD to security, my company had used a few products. One being Tenable.io, and now we use Rapid7 InsightVM.
Both are good, and what sold us on the R7 tool is the ability to create remediation projects and set up alerts for various things.
We came across an issue recently, however: R7 only has a core set of software they scan for vulnerabilities. If there are CVEs that we would like added, we can submit a ticket, but there is no guarantee that those CVEs or that software tracking will be added.
We do utilize the Intune suite with Defender ATP as well. And Defender has a decent vulnerability management system in place, but again, we found that for this particular software, though the CVEs were listed, they were flagged as not supported. So we requested support for them.
What is a good vulnerability scanner, or a good plugin for R7 or Defender, that can be customized by adding software to be scanned and monitored? The software in question in this instance is Qlik Sense. It's used by some top Fortune 500/100 companies. One would think that beyond companies like Microsoft, Google, Amazon, etc., software like this would be actively monitored.
With R7's process, it can take up to 6 months to get added to the pool of supported products. It could also take longer or not make the list at all. It wasn't until the recent Cactus ransomware exploit that we found that Qlik Sense had a slew of high and critical vulnerabilities.
We are working on a SAM solution due to the amount of cloud-based products and 3rd-party software that is used. But from a security standpoint, I feel we also need to be able to scan machines, servers, etc. for vulnerabilities to work with end users and vendors/partners to make sure the software is secure.
Nipper seems to be getting worse, with lots of false positives for even simple things like a 10-rule Cisco file.
Given the recent price hike (which I don't think is remotely justified), would anyone have any suggestions for an alternative tool to scan firewall / switch config files for best practice, rule complexity etc?
Thinking of getting a Flipper Zero, mainly for RFID stuff. If you've used it:
How's the performance?
Pros and cons, particularly for RFID?
Most useful use cases you've tried?
Just looking for some honest, straight-up feedback.
To whoever might answer my questions, thank you so much.
URL scan results:
Clicked on a link by accident through email when browsing on my phone, now worried.
Windows Defender says no malware, but I heard it is not reliable enough; browser download history has nothing suspicious there as well.
I need an app to monitor whatsapp / messenger / text messages on employee issued phones. Is there some software that can legitimately do this?
This is for use in Mexico, where we have seen employees make side deals that are unauthorized.
I am using a MacBook Air M2 and I was following the bettercap tutorial and trying a deauth attack,
but no matter how many times I try, it doesn't work. All devices connected to my house wifi still stay online without being logged out. How do I even know if it is working?
My wifi card details:
Card Type: Wi-Fi (0x14E4, 0x4387)
Supported PHY Modes: 802.11 a/b/g/n/ac/ax
Supported Channels: 1 (2GHz), 2 (2GHz), 3 (2GHz), 4 (2GHz), 5 (2GHz), 6 (2GHz), 7 (2GHz), 8 (2GHz), 9 (2GHz), 10 (2GHz), 11 (2GHz), 12 (2GHz), 13 (2GHz), 36 (5GHz), 40 (5GHz), 44 (5GHz), 48 (5GHz), 52 (5GHz), 56 (5GHz), 60 (5GHz), 64 (5GHz), 100 (5GHz), 104 (5GHz), 108 (5GHz), 112 (5GHz), 116 (5GHz), 120 (5GHz), 124 (5GHz), 128 (5GHz), 132 (5GHz), 136 (5GHz), 140 (5GHz), 144 (5GHz), 149 (5GHz), 153 (5GHz), 157 (5GHz), 161 (5GHz), 165 (5GHz)
Wake On Wireless: Supported
Auto Unlock: Supported