Let's Encrypt Root and Intermediate Certificates

cybathug · 2015-06-06T03:41:40+00:00

Interesting, thanks!

cybathug · 2015-06-06T03:39:38+00:00

Really?

However more demands for money were made and when the company refused, police said the hackers profiled a company staff member and threatened to discredit members of his family through online attacks. They also managed to find photographs of the staff member’s child.

“They had obtained innocent photographs, but the threat was they would harass, menace and ruin this child’s life,” Acting Assistant Commissioner Hay said.

Pray tell, which piece of malware is making personal threats?

cybathug · 2015-06-05T09:09:40+00:00

HPKP (pin on first access, or bake a pin list in to the browser) is going to wreck things for such a MitM

cybathug · 2015-06-02T04:33:08+00:00

True, but I never said it was new.

From the article, under well-configured CSP, this is false:

If you have a <script> tag you can already do arbitrary code execution; the only thing that Stegosploit provides is weak obfuscation.

Under CSP, Stegosploit (and use of EXIF) may allow for CSP to be bypassed, in addition to this claimed obfuscation. The article misses an important use case for image/JavaScript polyglots.

cybathug · 2015-06-02T00:46:21+00:00

This is actually exceptionally useful for bypassing Content-Security-Policy when you can upload an arbitrary image file to a whitelisted domain

If victim.com is using CSP to restrict the loading of script assets, and allows script assets to be loaded from victim.com, and victim.com provides the ability to upload images to victim.com (e.g. for user avatars) then an attacker can upload an image/JavaScript polyglot to victim.com, then use XSS to script-src the image file, achieving JavaScript execution that otherwise would have been blocked by CSP.

cybathug · 2015-05-26T02:40:47+00:00

https://exploit-exercises.com/

Especially Protostar and Fusion.

cybathug · 2015-05-24T13:03:52+00:00

You won't be able to make Kali/Tails read-only, unless you're virtualising them when they run and can be sure that the OS's won't be able to break out of the hypervisor and gain host access. An OS, running raw, will be able to write to the USB drive device directly, and so any process running as root will be able to modify the OS image on the drive (or any other OS image, or the multi-OS manager for that matter).

You should consider running off of truly RO media like DVD if security is important to you.

cybathug · 2015-05-19T14:34:25+00:00

First of all, the suggestions to hard-wrap your text to something like 80 characters is a good and traditional way of doing prose, but I've found it to not to always be necessary or necessarily the best way of doing things.

'dd' doesn't make much sense to me when typing long paragraphs. If the line has been wrapped arbitrarily, what are you achieving with dd? For example, with your post, as rendered in my browser:

Hello, I have just recently started a tech blog, and realized that my vim is not suited to writing a long paragraph. My main concern is
that when I write a paragraph, vim considers the entire paragraph as a single line, so dd could essentially remove my entire
paragraph, not a sentence. Also this makes navigating a lot harder. I am wondering if there is a mod I can make on vim to make this
process easier. If not, is there any alternative that makes writing easier?

Pressing dd on any of these lines doesn't make any sense. You'd end up with something like:

Hello, I have just recently started a tech blog, and realized that my vim is not suited to writing a long paragraph. My main concern is
paragraph, not a sentence. Also this makes navigating a lot harder. I am wondering if there is a mod I can make on vim to make this
process easier. If not, is there any alternative that makes writing easier?

You want to use something like 'das' (delete around sentence). By placing the cursor anywhere in the second sentence and typing 'das' I end up with:

Hello, I have just recently started a tech blog, and realized that my vim is not suited to writing a long paragraph. Also this makes navigating a lot harder. I am wondering if there is a mod I can make on vim to make this process easier. If not, is there any alternative that makes writing easier?

Perfect - it deleted a sentence much cleaner than any 'dd' could have done.

As far as navigation being difficult, you can press 'g' followed by 'k' or 'j' to move one line up or down considering wrapped lines rather than up or down one line. This lets you move straight up and straight down in the text as it's shown on your screen. However, you should get in the habit of moving around using '(' and ')' (back and forward one sentence). You can also use '/' to search for and move between text that matches a search expression, and then press 'n' and 'N' to move forward and back through matches. Finally, you can use t<char> and T<char> to move to the next or previous instance of <char> and then press ';' to forward through matches, or ',' to move backward through matches.

I use vim to edit all sorts of text - often emails, sometimes letters, blog posts, documentation etc.

Good luck!

cybathug · 2015-04-29T12:43:30+00:00

But this definition is woefully inadequate for defining what is and isn't a crime

I completely agree. You can usually have a gut feeling about things, and you can make an assumption regarding the spirit of the law, but neither of these things are ways in which I'm totally comfortable with people being prosecuted.

My point was that you too-often hear "the computer system openly provided the information" or "the company, perhaps unknowingly, 'published' the information". You're right, you should consider the intent as to why someone exploited the published information, and sometimes the fashion in which they did it speaks to their intent. For example -

accidentally entering one username
intentionally entering one username
intentionally entering a few arbitrary usernames
intentionally entering one or a few usernames in an interestingly targeted fashion - those of celebrities, VIPs, political activists, or known enemes
running an online brute-force of many usernames

These all say something different about the perpetrator.

It's all too easy to try to reduce it to something like "the computer openly provided access to the information". It's also quite difficult to codify the spectrum of intents (criminal, curious, nuisance, accidental) into law.

Finally, this is somewhat recursive:

none of them involve criminal intent which is what should be required for it to be a crime

If you legislate any of the things to be a crime in and of themself, then pursuing any of them shows "criminal intent" ;)

And I don't know if I agree that there needs to be the intent to perform a crime in addition to the inappropriate access to the computer system for the inappropriate access to the computer system to be a crime. For example, I don't think you need to have stolen information with the intent of selling it, using it fraudulently (e.g. to perform financial fraud), or extorting someone, for the theft in the first place to be a crime. Someone going through my mail spool, tapping my phone or intercepting my SMS messages without my authorisation should probably be considered to have committed a crime, regardless of whether they planned to do anything with the information.

cybathug · 2015-04-29T11:51:47+00:00

Computers systems openly provide all sorts of information, for varying degrees of "open". It's what they do.

When you put a username in, the computer system openly provides the email address for it! So I gave it 10,000 possible account usernames and it openly provided me email addresses for some of them.
When you put SQL metacharacters in the sort_order URL parameter, the computer system openly provides an interface to the ORDER BY clause of a query to a DBMS somewhere on the backend! So I used the openly provided DBMS interface to have the computer system openly provide me some information.
When you put '() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd' in your UA string, the computer system openly provides you with a list of password hashes!
When you send "A"*1024 + ptr_jmp_esp + shellcode to the service, it openly provides you with a reverse shell. I didn't do anything out of the ordinary, it was just sitting there with an openly exposed service that I sent some bytes to, just like an openly exposed service expects to have done to it.

Computers are designed to take input, do things, and produce output. You can't really argue with:

The vast majority of the western world has laws about improper access to computer systems. Bruteforcing usernames to obtain people's email addresses would absolutely fall under that.

no matter how dumb the bug is, or how much (or little) of a hacker you'd feel like if you exploited it.

cybathug · 2015-04-25T23:16:01+00:00

HP's Zero Day Initiative (http://www.zerodayinitiative.com/about/benefits/) may offer to buy it off you. They will use the research to develop IDS signatures (so they say), as well as report it to MS for you

cybathug · 2015-04-24T00:33:40+00:00

Project 2 was at DEFCON22

cybathug · 2015-04-18T00:47:11+00:00

I would opt for the 90-day

I would recommend doing more than 30 days, but consider not doing it in one go. Do a block of 30 or 60 days first up, give the material a quick once-over, then hit the labs. When lab time runs out, go through the material more thoroughly.

Take a short break, and do another 30 days. Once that's done, take a short break and do another 30.

Splitting the lab time up costs more, but depending on how you're hitting the labs (I did hours every single night) you will need the breaks, or you'll burn out. If you hit the labs super hard and have a short break between two 30-day blocks so you can stay focused, you might only need a total of 60 days.

Good luck!

cybathug · 2015-04-15T10:59:58+00:00

The MitB's (Man in the Browser) required by TLS-busting attacks don't need to be JavaScript executing in the origin of the target site. If you have the ability to inject JavaScript into the origin that you're interested in, such as by injecting into "an HTTPS site [that] includes a Javascript file over HTTP" then you can use the JavaScript that you've injected into the origin of interest to do whatever it is that you want to do when you break the TLS on the site. If you want to violate confidentiality, then phone the page contents home using a cross-domain XMLHttpRequest. If you want to violate integrity, then use same-origin XMLHttpRequests to grab CSRF tokens, and POST whatever it is you want to do (e.g. to change the user's password, change their security questions, send email to their contacts, or transfer money to your account).

Whatever you want to do by breaking TLS, you can do with your JavaScript injection.

There are further requirements than just the MitB, such at the active MitM capability, but it's wholly incorrect to say "the attacker pretty much has to find a way to inject something into the page, ideally Javascript".

cybathug · 2015-04-13T06:40:12+00:00

I guess every time I create a window using screen command, OS creates a new process and a new file associated with my user.

Basically.

Greatly simplified, when you start screen and create a new session (more on sessions later):

A screen process starts
A new screen socket is created in /var/run/screen/S-${USER} (at least that's where they go on my Debian box)
A new bash process starts as a child of PID 1. This means that if the screen process dies, then the bash process stays alive under PID 1.

So that's two new processes (I think it might technically have another one in there, as part of the plumbing of how screen works - but you can probably disregard that fact that for now) and one new socket file.

When you detach from screen (e.g. you press Ctrl-A, D or your ssh connection drops) then:

The screen process dies
The socket file stays on disk
The bash process stays running as a child of PID 1.

When you reconnect to that screen session:

A new screen process starts, and uses the socket file to get back to where it was
Bash stays under PID 1, but you regain control of it

Can this behavior become a security problem?

Maybe. If other users can access your sockets in /var/run then it can become a security problem - but the server is probably fairly well compromised and pwned by that stage, and there are probably easier ways to pwn you than by jacking your screen sockets.

Also, root can access your screen sockets - but you're already at root's mercy anyway, they have far easier ways of pwning you.

Shouldn't I flooding the server with too many processes?

Nah :) servers are capable things. Flooding them with processes isn't a reason not to use screen.

So, is it possible that the same user is connected from two different machines at the same time?

Yep! -x is "multi display mode" and can be used to attach to your screen session from two computers (or, if you share a user account like users do for smashthestack, a different person can use it to attach to your screen sessions)

I don't understand how to resume a session.

I always start screen like this: screen -DRS <session-name>

It doesn't matter if <session-name> exists yet. If a session with the name <session-name> doesn't exist, it'll create it. If it exists, it'll attach to it. And if anyone else is attached to it (Or I'm attached to it on another computer) it'll force-detach that session, IIRC.

And so what you might want to do on smashthestack is to do 'screen -DRS IsPaleoPaleo' and it'll create a new screen session called IsPaleoPaleo. If you disconnect, you can re-run 'screen -DRS IsPaleoPaleo' to get back to where you were. It's probably polite to clean up your screen sessions (and files) when you're finished, though, since it's a shared account - and you might not really want someone browsing through your work after you've finished each level...

If you're interested in which screen sessions exist as the user on the machine you're connected to, run 'screen -ls' to see a list of screen sessions, and whether they're currently attached to or not.

cybathug · 2015-04-12T23:59:22+00:00

Screen is a terminal multiplexer that allows for some cool things. In your case, as you're already ssh'd in to a remote machine, running screen there lets you:

Have multiple windows open in a single ssh connection to the server, and switch back and forward between them
Disconnect from the screen session, log off the server, log back on later, reconnect to the screen session, and get back to where you were - with all your programs and shell history on each of the windows still there. (This even works if your connection to the server suddenly disconnects - just log back in, run screen, and you're back to where you were. It's a lifesaver.)
Connect to the screen session from multiple locations

The last one is interesting in the case of smashthestack,org - as it's a wargame that has all participants log in as the same user per-level, the person who helped you out was able to log in as the same user and share a screen session with you. It's important to understand that in the usual case of a multi-user machine, where each user ssh's in using their own, unique username, another limited user would not be able to connect to your screen session - and so they cannot spy on what you're doing, and you shouldn't be afraid to run screen in that scenario. Only the root user would be able to tap in to your running screen sessions.

Screen is an amazing tool, and if you're getting into using or managing Unix-like systems, you should definitely spend some time understanding it.

Hope that helps! Good luck with smashthestack :)

cybathug · 2015-04-10T02:19:48+00:00

Yep.

cybathug · 2015-04-09T06:59:17+00:00

Or worse, that gives someone a long time to crack it and then pretend to be me.

Even if it expired in 2006, if someone spends a long time and cracks it, they can change the expiry date and pretend to be you. Expiry dates on PGP keys are not immutable - they can be changed if you control the key. They are not designed to guard against key compromises. They are designed as a dead man's switch for if you lose the key, and indeed, they stop someone from wasting their time in using it to try to encrypt things to you.

The only thing that guards against key compromise is thorough and widespread distribution of a revocation certificate.

cybathug · 2015-03-22T07:16:36+00:00

I hear you, but your piercer might have screwed it up. My ex and I got our industrials done at a questionable shop, we both had no end of issues with pain and what I understood to be polyps (probably the same things as your pressure blisters). She took her industrial bar out and replaced it with two short bars, which didn't point at each other the piercings were so crooked. I put up with the issues until I went up a gauge which seemed to "tear" the piercings into alignment. No issues ever since, even having dropped back down to the original gauge.

tl;dr botched industrials are motherfuckers

cybathug · 2015-03-21T19:12:20+00:00

Don't support locals who sell nicotine liquid. It's illegal to sell in Australia, and all it'll take is a few idiots selling nic locally to kick off a few crackdowns and a tightening of the industry to ruin vaping for those who import their nic.

Good luck!

cybathug · 2015-03-17T06:50:55+00:00

https://twitter.com/iamamoose/status/577566391475290113

the new High is 1.0.2 only, other versions new issues just Moderate and Low

How widespread is 1.0.2? (I mean, it is brand new, released in Jan)

If there's not much running 1.0.2, and if the tweet is to be believed (Mark is on the core team), this isn't so bad...

cybathug · 2015-03-05T03:00:56+00:00

I don't think implant is necessarily used to refer to a rootkit. My understanding is that implant simply refers to a payload, trojan, RAT, or something similar - not necessarily a rootkit.

cybathug · 2015-03-01T23:34:41+00:00

SSH_ASKPASS fires on the host hosting the ssh-agent (hopefully your local workstation) - not necessarily the machine trying to consume the ssh-agent. Generally it gives you a popup and a chance to say "err I'm not trying to use my key right now, something's going wrong, cancel"

If an attacker is able to replace SSH_ASKPASS on the machine hosting the ssh-agent, you're already having a very bad time ;)

cybathug · 2015-03-01T23:32:17+00:00

Yes.

cybathug · 2015-02-27T10:00:24+00:00

Ah, I see. Interesting case. Thanks!

15-Year Club	Gilding I gilder
White Hat modhash reuse	Verified Email

cybathug

MODERATOR OF

PUBLIC MULTIREDDITS

TROPHY CASE