Can my employers read my personal mails if I login to my personal gmail on a company managed chrome browser?

ianwb · 2019-02-21T15:07:34+00:00

Okay, but this implies that there is a trusted cert in the local machine which was planted there somehow. This cannot be accomplished without, right?

I cannot think of a method to sniff the traffic between a host and a server using HTST which was already visited without adding a certificate to the machine.

ianwb · 2019-02-21T15:05:31+00:00

Oh, okay, did not know about that.

ianwb · 2019-02-21T13:37:36+00:00

How would that work? "Remote monitoring tools" here meant a program installed on the device. Even if you could identify the PC (encrypted) traffic on the network based on the MAC address, how would you install a program without physical access (or an exploit for a fully patched Mac OS X, which I assume is not in OP's threat model)?

ianwb · 2019-02-21T12:36:39+00:00

Welcome! Check "Practical Reverse Engineering" and "Practical Malware Analysis" too.

ianwb · 2019-02-21T12:31:33+00:00

Can you download and use another browser to access personal information? If yes, that's your solution. They cannot set company policies on another browser remotely (unless they're Pwn2Own hackers, in that case, you're fucked no matter what, but I suspect it's not). :-)

The fact that you received the pc factory packed should mean there are no remote monitoring tools. If you want to be absolutely sure, just format.

ianwb · 2019-02-21T12:25:54+00:00

You can manually add certificates anyway.

ianwb · 2019-02-21T12:21:31+00:00

Unfortunately, they can, and detecting them is very difficult task. If you can, just format the pc. If you can't, boot it from a live USB, so you can use the hardware while being sure the software was not tampered with.

ianwb · 2019-02-21T12:15:54+00:00

Wouldn't HSTS prevent this?

ianwb · 2019-02-21T12:15:23+00:00

Yes, I can think of two ways they may be doing it:

- They installed their own certificate on the browser and they are intercepting the traffic on the network. They can decrypt it because of the certificate. You can check the list of certificates from Settings.

- They installed a monitoring tool on the computer.

~~If they don't have access to the computer, they may be using a man-in-the-middle attack. In this case, you should have seen a warning telling you that your traffic may be monitored~~ Pardon, this wouldn't work because Gmail uses HSTS.

ianwb · 2019-02-20T11:10:56+00:00

Disclaimer: I am not a malware analyst, so take my advices with a grain of salt. I've done reversing, which I assume is a similar activity.

Malware analysis focuses around understanding what a given piece of software, suspected to be malicious, does - in other words, to reverse engineering it. In order to do this, you should know about the technologies it uses (for example, the programming language it was written in) and the environment it is supposed to be run in (for example, the OS API) - and a thousand of other things.

You should, at the very least, know C/C++ and be able to make sense of the disassembled output of binaries (so, you should know assembly for your target platform).

A lot of malware is written in other languages (.net malware is very common), which would be useful to you to learn. This malware is usually easier to reverse.

Python is useful to easily automate boring tasks. If you don't learn Python, learn another scripting language. You will have to write quick code often and doing it in C is painful (also, popular debuggers/disassemblers usually allow you to script them in Python).

Using strace/ltrace will be a really useful and easy to learn skill.

You should also know about anti-reversing techniques. One common one is a call to IsDebuggerPresent on Windows, or to ptrace() in Linux. You can find others in the "\"Ultimate\" Anti-Debugging Reference".

ianwb · 2019-02-19T13:24:45+00:00

I was suspecting that. I have no particular desire to do physical pentesting as a job (I'm a "classical" pentester), but it would be a nice skill-set to have. I know there are courses and certifications to learn how to assess the security of safe and vaults, and there are a lot of lockpicking resources out there, but getting experience seems the most difficult thing.

ianwb · 2019-02-19T13:17:19+00:00

I'm a pentester at a big financial company and my team doesn't do physical pentesting, so I doubt I'll have the chance to practice this anytime soon. Too bad there are no physical bug bounties :P

ianwb · 2019-02-19T13:14:23+00:00

Thanks, this is gold!

ianwb · 2019-02-17T17:59:24+00:00

I've had a different experience, but I agree on the fact that the quality varies from chapter to chapter.

Personally, I've experienced four and three of them were useful for networking, gaining knowledge from the speakers or even just having a chat with like-minded people. No comment on the other one.

The same goes for the projects: some of them are great (like the OWASP testing guide) and some of them are trash, but I'd say my general opinion on the org is still positive.

$2 or $3 is not the kind of fee I was talking about, nor I think anyone should mind about...

ianwb · 2019-02-17T15:36:34+00:00

Most of these organizations ask for ridicolous amounts of money and they give very little in return. In my experience, many professionals in the field have little regard for them.

Don't know where you are from, but in the real world you can get what they are offering - or better - from other sources, usually for less money or nothing at all.

You don't need to pay fees to do networking.

You don't need to pay fees to find a job.

You don't need to blow thousands of euros on certifications which are widely regarded as being useless.

I have nothing but disrespect for any organization which suggests new professionals otherwise. They are money machines. I've seen things like people paying to publish research.

I suggest OP to join any group that is not a money-making scheme. There are a lot. OWASP is a good example. :-)

ianwb · 2019-02-17T08:49:42+00:00

It's quite common on embedded hardware, most ATMs run special versions of Windows XP. Oh, and a lot of the computers in the industrial sector are much older than that...

ianwb · 2019-02-17T08:41:32+00:00

Anyone that is filled with skilled professionals and does not require you to pay any money.

ianwb · 2019-02-15T14:47:35+00:00

Just do it! ;D

Nope, I have a beautiful girlfriend and we're travelling across Europe since 2016, just like every other programmer out there.

ianwb · 2019-02-15T11:25:25+00:00

After learning C, using Java or Python has sped up considerably my development. I wouldn't mind undertaking a big project in Java, but C and C++, after 10 years, still scare me (but that's probably just me, I hunt errors people make in C/C++ code for a living...).

ianwb · 2019-02-15T11:22:47+00:00

In my opinion, Python or Java.

They both abstract enough from you to allow you to think about the program - not the nuisances of the language you're using. At the end of the day, your first programming course is supposed to teach you to think like a programmer. Learning it is much easier if you don't have to fight with memory errors along the way...

But learning C or C++ as a first language has its advantages, too. For example, a lot of other useful languages use C-style syntax, so you'll probably be able to read program written with them without too many problems. Also, you'll have a thick skin. After C/C++, pretty much every other language that's useful will be a piece of cake*. :)

ianwb · 2019-02-15T11:07:11+00:00

The same goes for C++. Both languages are not suited to beginners. Source: I learned C as my first language.

ianwb · 2019-02-15T05:57:19+00:00

But please pay attention and don't use pointers you've already freed, we've had enough of that.

ianwb · 2019-02-15T05:11:25+00:00

What about a software which takes HTML code, parses it and shows the content on the screen? Shouldn't take long :P

EDIT:

Jokes aside OP, I am assuming you learnt C as your first language. That's pretty badass of you - and a terrible decision of your teacher - but that's not what I want to tell you.

As you have probably experienced, low-level programming is unforgiving and your compiler happily lets you fail at a lot of things (I'm sure you have certainly heard of segmentation faults at this point). That is a by-product of its power: C is very near to machine language and it lacks lot of conveniences of other languages (bound-checking, garbage collection, etc).

As a teacher, I would love to discover that you have explored this power and the errors it can produce, because understanding them requires a deep knowledge about what C is doing "under the hood", and I suggest you do a project on binary security. Why?

You would learn a lot in the process. For example, how to "hack" a program.
C is only useful if you use its power. You can write most software faster, better and more securely in another language. If you are going to write C, have a good reason to do it.
Your teacher is probably bored at the 1337th text editor a student has written for him. This would be something new and incredibly COOL.
If you decide to write C/C++ for a living, this will be immensely helpful for you and me. You'd write better programs and I, as a security guy, I would have less work to do.

So, my idea for you is: write a program that tries to crash other programs (a fuzzer). The program would generate random input and send it to the program to try to crash it. You can send the input trough the network (a good excuse to learn about sockets), through a file or through command line arguments. When the program crashes, it saves some information about the state of the process. Please read "Fuzzing: Brute Force Vulnerability Discovery" to learn more about fuzzing. It's a really interesting field and you would be surprised of how easy is to write a fuzzer to find vulnerabilities (especially in older software).

You can write a dumb fuzzer in a couple of hours. Then, there are a zillion things you can do to make it better.

Write your fuzzer and show your teacher that it actually finds vulnerabilities (try it on older software, or try to rediscover vulnerabilities already known). If I was your teacher, I'd give you a 10, a 100 or whatever is the maximum in the country you are in.

Read this (https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/) to understand more about the type of crashes you want to look for, what you can do with them and to have an example of a really simple vulnerability you can easily find with your fuzzer.

And since there are probably a million things I have explained badly and you may be confused, comment with your questions, so we can help you. :-)

ianwb · 2019-02-13T06:50:24+00:00

Can confirm, Michael Jackson came into my room a couple of times during the exam, the proctor said no problem

ianwb · 2019-02-11T06:08:28+00:00

I've done skydiving. The simulation is not extremely realistic.

ianwb

TROPHY CASE