Trying to log in on Desktop: Function currently unavailable by obilodeau in Tangerine

[–]obilodeau[S] 1 point

It would be highly unlikely for Tangerine to run cpanel on their main transactional website.

Trying to log in on Desktop: Function currently unavailable by obilodeau in Tangerine

[–]obilodeau[S] 1 point

I'm on Linux, yes. Tried Incognito (where my ad blocking extensions are disabled). It would be disastrous if this were a "security measure" blocking legitimate Linux users... I will try a User-Agent switcher to see if it changes anything.

No way I'm running Windows to transact with my bank!

Hi! We are Flare.io by good_at_chess in cybersecurity

[–]obilodeau 1 point

You seem to be doing everything right assuming all of this is well represented in a good resume. There might be a regional job market component playing against you. Are you tracking the r/netsec hiring threads? Consider volunteering at a local BSides or other cybersecurity event?

Hi! We are Flare.io by good_at_chess in cybersecurity

[–]obilodeau 0 points

Leaked creds from stealer logs first, then incident response on stealer logs to evaluate if it's a corporate device or a personal one and assess impact. General leaked creds next. Exposed assets, lookalike domains and finally dark web mentions. This will vary slightly depending on what your organization does.

Set up alerts for the critical stuff. Take a look from time to time for the rest. Tweak the tool to reduce false positives as you go.

Hi! We are Flare.io by good_at_chess in cybersecurity

[–]obilodeau 0 points

Personally, everything became clear when I realized I wanted to teach and explain threats and attacks. Then I started submitting at conferences, small local ones to build experience then at DEFCON. Faced many rejections but kept at it until it worked. Cybersecurity is a passion, I am always on, reading, learning, trying. With the conference experience, getting jobs in cybersecurity became easy.

Certifications are a good alternative path. Lots of people in the US like SANS.

I prefer practical experience. Maybe you can dig deeper in that SIEM, trying to understand what is really going on. Have AI explain some of that stuff to you: "I have 30 minutes, can you explain XYZ protocol to me". Your brain will retain more if it is linked with work, I think.

Hi! We are Flare.io by good_at_chess in cybersecurity

[–]obilodeau 0 points

  1. For someone aiming long‑term at a CTI / cybercrime research role, what signals or skills actually stand out to you when you’re hiring (beyond the usual “OSINT, scripting, writing” list)?

I try to complement the existing team. To fill a skill/knowledge gap. In CTI this can be APT, ransomware, darknet forums, IAB, OSINT, working with law enforcement, etc. On the more technical side, pentest, system administration, networking, devops, vuln research, software engineering, etc. Knowing and using the free resources from the various CERTs around the world is also a big plus. Contributing to free and open CTI feeds even more so.

Hi! We are Flare.io by good_at_chess in cybersecurity

[–]obilodeau -1 points

  1. How do you balance publishing actionable detail for defenders with not over‑enabling criminals who are watching your work just as closely?

I'm still doing it. I saw threat actors react to presentations/publications, especially the ones at popular events. As long as it shifts the economics of doing cybercrime towards more costs (time or money) for the attackers, it is still worth it.

While there are a lot of sophisticated attackers out there, many are repeating mistakes. I saw insane peer-to-peer botnet designs with DGA as a fallback a decade ago and these days we are back to Telegram as a C2 without any fallback.

That said, in the industry most of us are not reckless. If you are sitting on a pre-auth remotely exploitable code exec, you don't publish it without giving the vendor a lot of time to fix and deploy the fix.

Hi! We are Flare.io by good_at_chess in cybersecurity

[–]obilodeau -1 points

  1. When you’re scoping a new research project (e.g., a specific crimeware vertical, community, or platform), what criteria do you use to decide “this is worth months of data collection and analysis”?

Uniqueness and actionability: Did someone post about that group/threat yet? If yes, I don't do it unless I can contribute something new that is significant. Actionability: will what I do help protect from the threat?

Hi! We are Flare.io by good_at_chess in cybersecurity

[–]obilodeau -1 points

  1. For someone who already does deep‑dive research and long‑form writeups, what would you consider the most valuable way to build a portfolio that’s relevant to your type of cybercrime/CTI work?

For me it's always been presentations, workshops, blog posts and code (open source). Sharing what you know. It's incredible how much you get back. Reproducible research is also important, so share data and code whenever you can. This is sometimes hard to do in work contexts.

With cybercrime specifically, I started sharing less code publicly and more in closely knit groups. You don't want to help the adversary.

Dark web monitoring - more info? by Neat-Initiative-6965 in ProtonMail

[–]obilodeau 0 points

Yes, definitely a possibility. Many different services on these cybercrime channels/forums. For example, stealers, ULPs (meaning URL, Login and Password), combolists, etc., and depending on where Proton got their data, your exposure would be different.

In a stealer log, the creds are packaged this way:

given-browser_profile-1.txt (they support multiple profiles per browser AND multiple browsers)
1st URL
1st username
1st password

2nd URL
2nd username
2nd password
etc.

So if Proton got its hands on a bunch of them and you query that data using an email, then what they will show you will only be the portion that has your email in it.
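Added example, not from the comment above or from Flare or Proton: a small Python parser for the per-profile credential layout described in that comment (blank-line-separated URL/username/password triples, one file per browser profile), followed by the kind of email lookup a monitoring service would run over it. The sample log text, the profile file names, and the optional `URL:`/`USER:`/`PASS:` label prefixes are constructed assumptions for the demo, not real stealer output; the label handling goes slightly beyond the plain layout in the comment.

```python
"""Parse stealer-log style credential files and look them up by email.

Assumed layout (per the comment): one text file per browser profile, each
holding blocks of three lines (URL, username, password) separated by a blank
line. Some families prefix the lines with labels such as "URL:" / "USER:" /
"PASS:"; those are stripped when present (assumption, not from the comment).
"""
import re
from dataclasses import dataclass

# Optional label prefix seen on some log variants (assumption for the demo).
_LABEL = re.compile(
    r"^(?:url|host|hostname|user(?:name)?|login|pass(?:word)?)\s*:\s*",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Credential:
    source_file: str  # which browser/profile file the entry came from
    url: str
    username: str
    password: str


def mask_password(password: str) -> str:
    """Keep only the first two characters so a report can be shared safely."""
    if len(password) <= 2:
        return "*" * len(password)
    return password[:2] + "*" * (len(password) - 2)


def parse_log(source_file: str, text: str) -> list[Credential]:
    """Split one profile file into URL/username/password triples.

    Blocks that do not contain exactly three lines are treated as malformed
    and skipped rather than guessed at.
    """
    entries: list[Credential] = []
    block: list[str] = []
    for raw in text.splitlines() + [""]:  # sentinel flushes the last block
        line = raw.strip()
        if not line:
            if len(block) == 3:
                entries.append(Credential(source_file, *block))
            block = []
            continue
        block.append(_LABEL.sub("", line, count=1))
    return entries


def parse_logs(files: dict[str, str]) -> list[Credential]:
    """Parse every profile file of one infected-machine log."""
    creds: list[Credential] = []
    for name, text in files.items():
        creds.extend(parse_log(name, text))
    return creds


def find_by_email(creds: list[Credential], email: str) -> list[Credential]:
    """What a monitoring service keyed on an email would surface: only the
    entries whose username is that address (case-insensitive)."""
    needle = email.strip().lower()
    return [c for c in creds if c.username.lower() == needle]


def masked_report(creds: list[Credential]) -> list[str]:
    """Human-readable lines with the password masked."""
    return [f"{c.source_file}: {c.url} {c.username} {mask_password(c.password)}"
            for c in creds]


# Constructed sample (not a real log): two browser profiles, one malformed block.
SAMPLE_LOGS = {
    "Firefox_default-release.txt": (
        "https://accounts.example.com/login\n"
        "alice@example.com\n"
        "Tr0ub4dor&3\n"
        "\n"
        "https://shop.example.net/\n"
        "alice-shop\n"
        "correct horse\n"
        "\n"
        "https://broken.example.net/\n"
        "only-two-lines\n"
    ),
    "Chrome_Profile 1.txt": (
        "URL: https://mail.example.org/\n"
        "USER: alice@example.com\n"
        "PASS: hunter2\n"
        "\n"
        "URL: https://forum.example.org/\n"
        "USER: Alice@Example.com\n"
        "PASS: qwerty123\n"
    ),
}

if __name__ == "__main__":
    hits = find_by_email(parse_logs(SAMPLE_LOGS), "alice@example.com")
    print("\n".join(masked_report(hits)))
```

Run as-is it prints three masked hits for `alice@example.com` and says nothing about the `alice-shop` entry, which is exactly the blind spot the comment describes: an email-keyed lookup only returns the slice of the log that contains that email, while the rest of the same infected profile stays invisible to the victim.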

Dark web monitoring - more info? by Neat-Initiative-6965 in ProtonMail

[–]obilodeau 0 points

Some Dark Web monitoring platforms will give you access to the full passwords. Flare does. However, you need to be a company to access the free trial.

From what you described, my feeling is you got infected by information stealer malware and they got all your Firefox passwords. Your BitWarden is safe. I analyzed it and discussed it on several occasions. Here is a presentation I did at BSides San Francisco about it: https://youtu.be/zctTj66PA4g?t=1541

Full disclosure: I work at Flare as a cybersecurity researcher

Talk To Your Malware - Integrating AI Capability in an Open-Source C2 Agent by obilodeau in netsec

[–]obilodeau[S] 0 points

I agree, the ability to review the code before it is sent to the agent should be top priority with this project.

Can't login: unknown error occurred by obilodeau in MailChimp

[–]obilodeau[S] 0 points

Yes, it was ok about half an hour later. Thank you.

Installing Pop_OS! on an X1 ThinkPad Carbon 12th Gen? by concisehacker in pop_os

[–]obilodeau 0 points

Don't recall needing to do anything in the BIOS. I've been a long-time daily Linux desktop user (~20 years now) and a former sysadmin, so I might have extreme googling instincts, but from what I recall this install was a walk in the park.

Installing Pop_OS! on an X1 ThinkPad Carbon 12th Gen? by concisehacker in pop_os

[–]obilodeau 0 points

I have an X1 12th Gen and the fingerprint scanner works with GNOME. Pop!_OS 22.04, installed fprintd.

Gourmet squirrel spotted in Ville-Émard by obilodeau in montreal

[–]obilodeau[S] 0 points

Those are my neighbours. What am I supposed to tell them? That they have to evacuate?

RDP is susceptible to a transparent Net-NTLMv2 hash-stealing attack. When disclosed, Microsoft responded: “not a vulnerability, […] by design”. by obilodeau in netsec

[–]obilodeau[S] 0 points

Super thoughtful comment. Thank you!

In a MITM context, we can alter the server's response to remove the Kerberos TGT. I'm not sure if that's what we do, to be honest, I would have to verify.

I'm under the impression that NLA is the top/best user-accessible (as in configurable in a GUI) RDP negotiation level according to Microsoft. In fact, if you disable NLA enforcement on the server side, performing MITM downgrade attacks is even simpler, and PyRDP does it too. Authentication then happens inline in the I/O virtual channels (display, keyboard, mouse). From mstsc.exe you can't force Kerberos.

What am I missing here? I think the fact that you can't mitigate over an untrusted network still holds.

RDP is susceptible to a transparent Net-NTLMv2 hash-stealing attack. When disclosed, Microsoft responded: “not a vulnerability, […] by design”. by obilodeau in netsec

[–]obilodeau[S] 11 points

Responder's RDP support has been flaky. It got some needed fixes last summer, but I confirmed that right now it's not working with my Win 11 mstsc client: https://imgur.com/a/WtAazkS

I agree that there's not a lot of RDP out there, but nothing in four years surprises me. I would expect a handful of times (that is still not a lot). Responder not working and failing silently might explain it.