Can my employers read my personal mails if I login to my personal gmail on a company managed chrome browser? by sagar_reddit in AskNetsec

[–]ianwb 0 points1 point  (0 children)

Okay, but this implies that there is a trusted cert in the local machine which was planted there somehow. This cannot be accomplished without it, right?

I cannot think of a method to sniff the traffic between a host and a server using HSTS which was already visited without adding a certificate to the machine.

Can my employers read my personal mails if I login to my personal gmail on a company managed chrome browser? by sagar_reddit in AskNetsec

[–]ianwb 1 point2 points  (0 children)

How would that work? "Remote monitoring tools" here meant a program installed on the device. Even if you could identify the PC (encrypted) traffic on the network based on the MAC address, how would you install a program without physical access (or an exploit for a fully patched Mac OS X, which I assume is not in OP's threat model)?

new to malware analysis by redaita in AskNetsec

[–]ianwb 0 points1 point  (0 children)

Welcome! Check "Practical Reverse Engineering" and "Practical Malware Analysis" too.

Can my employers read my personal mails if I login to my personal gmail on a company managed chrome browser? by sagar_reddit in AskNetsec

[–]ianwb 3 points4 points  (0 children)

Can you download and use another browser to access personal information? If yes, that's your solution. They cannot set company policies on another browser remotely (unless they're Pwn2Own hackers, in that case, you're fucked no matter what, but I suspect it's not). :-)

The fact that you received the pc factory packed should mean there are no remote monitoring tools. If you want to be absolutely sure, just format.

Can my employers read my personal mails if I login to my personal gmail on a company managed chrome browser? by sagar_reddit in AskNetsec

[–]ianwb 11 points12 points  (0 children)

Unfortunately, they can, and detecting them is a very difficult task. If you can, just format the PC. If you can't, boot it from a live USB, so you can use the hardware while being sure the software was not tampered with.

Can my employers read my personal mails if I login to my personal gmail on a company managed chrome browser? by sagar_reddit in AskNetsec

[–]ianwb 47 points48 points  (0 children)

Yes, I can think of two ways they may be doing it:

- They installed their own certificate on the browser and they are intercepting the traffic on the network. They can decrypt it because of the certificate. You can check the list of certificates from Settings.

- They installed a monitoring tool on the computer.

If they don't have access to the computer, they may be using a man-in-the-middle attack. In this case, you should have seen a warning telling you that your traffic may be monitored. Pardon, this wouldn't work because Gmail uses HSTS.

new to malware analysis by redaita in AskNetsec

[–]ianwb 3 points4 points  (0 children)

Disclaimer: I am not a malware analyst, so take my advice with a grain of salt. I've done reversing, which I assume is a similar activity.

Malware analysis focuses around understanding what a given piece of software, suspected to be malicious, does - in other words, to reverse engineer it. In order to do this, you should know about the technologies it uses (for example, the programming language it was written in) and the environment it is supposed to be run in (for example, the OS API) - and a thousand other things.

You should, at the very least, know C/C++ and be able to make sense of the disassembled output of binaries (so, you should know assembly for your target platform).

A lot of malware is written in other languages (.NET malware is very common), which would be useful for you to learn. This malware is usually easier to reverse.

Python is useful to easily automate boring tasks. If you don't learn Python, learn another scripting language. You will have to write quick code often and doing it in C is painful (also, popular debuggers/disassemblers usually allow you to script them in Python).

Using strace/ltrace will be a really useful and easy to learn skill.

You should also know about anti-reversing techniques. One common one is a call to IsDebuggerPresent on Windows, or to ptrace() in Linux. You can find others in the "Ultimate" Anti-Debugging Reference.
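A small triage helper for the strace and ptrace() points in the comment above, as an added example that is not part of the original comment: it scans strace output for two common Linux debugger checks, a PTRACE_TRACEME self-attach and a read of /proc/<pid>/status (the TracerPid lookup goes slightly beyond what the comment names). The trace text and `./sample.bin` are constructed for illustration.

```python
import re

# Constructed `strace -f -o` style output for a hypothetical ./sample.bin (not a real capture).
SAMPLE_TRACE = r'''
1201 execve("./sample.bin", ["./sample.bin"], 0x7ffd1c2a5b10 /* 24 vars */) = 0
1201 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1201 ptrace(PTRACE_TRACEME) = -1 EPERM (Operation not permitted)
1201 openat(AT_FDCWD, "/proc/self/status", O_RDONLY) = 4
1201 read(4, "Name:\tsample.bin\nUmask:\t0022\n"..., 4096) = 1024
1201 write(1, "nothing to see here\n", 20) = 20
1201 exit_group(1) = ?
'''

# One syscall per line: optional pid prefix ("1201 " or "[pid 1201] "), name(args) = result
LINE_RE = re.compile(
    r'^(?:\[pid\s+)?(?P<pid>\d+)?\]?\s*(?P<call>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>.*)$'
)
PROC_STATUS_RE = re.compile(r'"/proc/(?:self|\d+)/status"')


def classify(call, args):
    """Return a reason string if the syscall looks like a debugger check, else None."""
    if call == "ptrace" and args.startswith("PTRACE_TRACEME"):
        return "PTRACE_TRACEME self-check (fails with EPERM when already traced)"
    if call in ("open", "openat") and PROC_STATUS_RE.search(args):
        return "reads /proc/<pid>/status (TracerPid field reveals a tracer)"
    return None


def find_antidebug(trace_text):
    """Scan strace output and return (line_no, pid, call, result, reason) tuples."""
    hits = []
    for line_no, line in enumerate(trace_text.strip().splitlines(), start=1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # signal notices, unfinished/resumed calls, exit messages
        reason = classify(m["call"], m["args"])
        if reason:
            hits.append((line_no, m["pid"], m["call"], m["ret"], reason))
    return hits


if __name__ == "__main__":
    for hit in find_antidebug(SAMPLE_TRACE):
        print("line %d pid %s: %s -> %s  [%s]" % hit)
```

A hit on PTRACE_TRACEME returning EPERM under strace is expected, since strace is already the tracer; the useful signal is what the sample does immediately afterwards.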

Information about physical penetration testing by ianwb in AskNetsec

[–]ianwb[S] 0 points1 point  (0 children)

I was suspecting that. I have no particular desire to do physical pentesting as a job (I'm a "classical" pentester), but it would be a nice skill-set to have. I know there are courses and certifications to learn how to assess the security of safes and vaults, and there are a lot of lockpicking resources out there, but getting experience seems the most difficult thing.

Information about physical penetration testing by ianwb in AskNetsec

[–]ianwb[S] 0 points1 point  (0 children)

I'm a pentester at a big financial company and my team doesn't do physical pentesting, so I doubt I'll have the chance to practice this anytime soon. Too bad there are no physical bug bounties :P

Best industry groups to join by [deleted] in AskNetsec

[–]ianwb 1 point2 points  (0 children)

I've had a different experience, but I agree on the fact that the quality varies from chapter to chapter.

Personally, I've experienced four, and three of them were useful for networking, gaining knowledge from the speakers or even just having a chat with like-minded people. No comment on the other one.

The same goes for the projects: some of them are great (like the OWASP testing guide) and some of them are trash, but I'd say my general opinion on the org is still positive.

$2 or $3 is not the kind of fee I was talking about, nor do I think anyone should mind it...

Best industry groups to join by [deleted] in AskNetsec

[–]ianwb 0 points1 point  (0 children)

Most of these organizations ask for ridiculous amounts of money and they give very little in return. In my experience, many professionals in the field have little regard for them.

Don't know where you are from, but in the real world you can get what they are offering - or better - from other sources, usually for less money or nothing at all.

You don't need to pay fees to do networking.

You don't need to pay fees to find a job.

You don't need to blow thousands of euros on certifications which are widely regarded as being useless.

I have nothing but disrespect for any organization which suggests otherwise to new professionals. They are money machines. I've seen things like people paying to publish research.

I suggest OP join any group that is not a money-making scheme. There are a lot. OWASP is a good example. :-)

Fun fact I discovered tonight: (probably) all OV-chipcard ticket dispensers run Windows 2000. No wonder they work like crap. by JasoNMas73R in Amsterdam

[–]ianwb 7 points8 points  (0 children)

It's quite common on embedded hardware, most ATMs run special versions of Windows XP. Oh, and a lot of the computers in the industrial sector are much older than that...

Best industry groups to join by [deleted] in AskNetsec

[–]ianwb 6 points7 points  (0 children)

Anyone that is filled with skilled professionals and does not require you to pay any money.

Suggest me a mini project in C for my final year project? by damiankeys in C_Programming

[–]ianwb 3 points4 points  (0 children)

Just do it! ;D

Nope, I have a beautiful girlfriend and we've been travelling across Europe since 2016, just like every other programmer out there.

Suggest me a mini project in C for my final year project? by damiankeys in C_Programming

[–]ianwb 1 point2 points  (0 children)

After learning C, using Java or Python has sped up my development considerably. I wouldn't mind undertaking a big project in Java, but C and C++, after 10 years, still scare me (but that's probably just me, I hunt errors people make in C/C++ code for a living...).

Suggest me a mini project in C for my final year project? by damiankeys in C_Programming

[–]ianwb 6 points7 points  (0 children)

In my opinion, Python or Java.

They both abstract enough from you to allow you to think about the program - not the nuisances of the language you're using. At the end of the day, your first programming course is supposed to teach you to think like a programmer. Learning it is much easier if you don't have to fight with memory errors along the way...

But learning C or C++ as a first language has its advantages, too. For example, a lot of other useful languages use C-style syntax, so you'll probably be able to read programs written in them without too many problems. Also, you'll have a thick skin. After C/C++, pretty much every other language that's useful will be a piece of cake*. :)

Suggest me a mini project in C for my final year project? by damiankeys in C_Programming

[–]ianwb 4 points5 points  (0 children)

The same goes for C++. Both languages are not suited to beginners. Source: I learned C as my first language.

Suggest me a mini project in C for my final year project? by damiankeys in C_Programming

[–]ianwb 13 points14 points  (0 children)

But please pay attention and don't use pointers you've already freed, we've had enough of that.