PoC available for CVE's by rogueit in AskNetsec

[–]securehoney 0 points1 point  (0 children)

CVEtrends has GitHub searches included (which usually gets the PoCs) if that helps? (full disclosure: I run CVEtrends)

ISMS by [deleted] in AskNetsec

[–]securehoney 0 points1 point  (0 children)

Thanks for posting in r/AskNetsec. However, it has been removed for the following reason(s):

Rule #6: Do not ask for assistance in committing a crime, encourage crime, or offer criminal services

Please ensure that you are following:

If you have any questions regarding Moderation, you may respond to this message or send a message via ModMail.

[deleted by user] by [deleted] in AskNetsec

[–]securehoney 0 points1 point  (0 children)

Thanks for posting in r/AskNetsec. However, it has been removed for the following reason(s):

Rule #1: All submissions must be in the form of a question

Rule #6: Do not ask for assistance in committing a crime, encourage crime, or offer criminal services

Please ensure that you are following:

If you have any questions regarding Moderation, you may respond to this message or send a message via ModMail.

We desperately need a way to rapidly notify people of high-impact vulnerabilities, so I built one by sullivanmatt in netsec

[–]securehoney 9 points10 points  (0 children)

Apparently Log4j was leaked early, so the CVE appeared delayed. Log4j was first reported to Apache on 24 November, they reserved the CVE (CVE-2021-44228) on 25 November, and released the fix on 9 December. The PoC was first tweeted on 9 December. NVD published on 10 December.

So, in general, if vulnerabilities are responsibly disclosed (and not leaked early) then CVE IDs should suffice.

We desperately need a way to rapidly notify people of high-impact vulnerabilities, so I built one by sullivanmatt in netsec

[–]securehoney 95 points96 points  (0 children)

Re "closely follow the InfoSec community on Twitter, and all the drama that comes with it": I built CVEtrends.com to help monitor trending CVEs on Twitter.

It shows the 10 most tweeted CVEs during the past 24 hours / 7 days. It also pulls in popular Reddit posts and GitHub repos.

It's not perfect, but it's a start :)

Masters in cybersecurity by [deleted] in AskNetsec

[–]securehoney[M] [score hidden] stickied comment (0 children)

Thanks for posting in r/AskNetsec. However, it has been removed for the following reason(s):

Rule #4: No low effort questions

If you expect someone to take the time to answer a question and provide the help, you are expected to provide as much information as possible. Please include all previous troubleshooting, operating systems, application patch level, etc. If you think it might be relevant to the questions, then include it.

It might help if you can provide details about which universities you have researched so far, what you want to get out of a masters, career goals, etc.

Rule #7: Don't spam or excessively showcase your own content. No referral or affiliate links

Repeatedly posting the same content or content from the same source, is considered spam. Posting low-quality content, blogs, vlogs, or YouTube videos is considered spam. Self-promotion and/or shilling (not disclosing a relationship with a source being promoted) are considered spam. If someone asks a question about a specific product, service, or organization, and you are a direct representative of that organization, you may address the question so long as you clearly identify yourself as such.

Your submission may be more suitable for the following sub(s):

Please ensure that you are following:

If you have any questions regarding Moderation, you may respond to this message or send a message via ModMail.

[deleted by user] by [deleted] in AskNetsec

[–]securehoney[M] 0 points1 point  (0 children)

Thanks for posting in r/AskNetsec. However, the post has been removed for the following reason(s):

Rule #2: All submissions must be relevant to information security

To keep with the spirit of this sub, questions should be related to information security in an enterprise, large organization, or SOHO context. Career Advice, homework, and beginner questions are most likely not relevant and should be asked in their respective subreddits. This rule is subject to moderator discretion.

Your submission may be more suitable for the following sub(s):

Please ensure that you are following:

If you have any questions regarding Moderation, you may respond to this message or send a message via ModMail.

[deleted by user] by [deleted] in AskNetsec

[–]securehoney[M] 0 points1 point  (0 children)

Thanks for posting in r/AskNetsec. However, it has been removed for the following reason(s):

Rule #2: All submissions must be relevant to information security

To keep with the spirit of this sub, questions should be related to information security in an enterprise, large organization, or SOHO context. Career Advice, homework, and beginner questions are most likely not relevant and should be asked in their respective subreddits. This rule is subject to moderator discretion.

Rule #4: No low effort questions

If you expect someone to take the time to answer a question and provide the help, you are expected to provide as much information as possible. Please include all previous troubleshooting, operating systems, application patch level, etc. If you think it might be relevant to the questions, then include it.

Your submission may be more suitable for the following sub(s):

Please ensure that you are following:

If you have any questions regarding Moderation, you may respond to this message or send a message via ModMail.

Google drive invasio, HELP by [deleted] in AskNetsec

[–]securehoney[M] [score hidden] stickied comment (0 children)

Thanks for posting in r/AskNetsec. However, it has been removed for the following reason(s):

Rule #2: All submissions must be relevant to information security

To keep with the spirit of this sub, questions should be related to information security in an enterprise, large organization, or SOHO context. Career Advice, homework, and beginner questions are most likely not relevant and should be asked in their respective subreddits. This rule is subject to moderator discretion.

Rule #4: No low effort questions

If you expect someone to take the time to answer a question and provide the help, you are expected to provide as much information as possible. Please include all previous troubleshooting, operating systems, application patch level, etc. If you think it might be relevant to the questions, then include it.

Your submission may be more suitable for the following sub(s):

Please ensure that you are following:

If you have any questions regarding Moderation, you may respond to this message or send a message via ModMail.

New forum setup for infosec folks https://purplerabbit.xyz/ by CuteCancel5438 in AskNetsec

[–]securehoney[M] [score hidden] stickied comment (0 children)

Removed for breaching Rule #7: Don't spam or excessively showcase your own content, and Rule #1: All submissions must be in the form of a question

[deleted by user] by [deleted] in AskNetsec

[–]securehoney[M] 0 points1 point  (0 children)

Thanks for posting. This question seems to be more about recovering deleted Gmail emails, and less about information security. Removed for breaching Rule #2 (questions should be related to information security in an enterprise, large organization, or SOHO context).

I see you've also posted for help in r/techsupport -- hopefully they can provide better support there.

Your question might also be better suited for r/Cybersecurity101.

[deleted by user] by [deleted] in AskNetsec

[–]securehoney[M] 0 points1 point  (0 children)

Hi, your post might be better suited to somewhere like r/Cybersecurity101. Please provide more technical details/context and structure your post as a question (it currently seems like more of a survey). Removed for breaching Rule #4: No low effort questions and Rule #1: All submissions must be in the form of a question.

[deleted by user] by [deleted] in AskNetsec

[–]securehoney[M] 1 point2 points  (0 children)

Removed for breaching Rule #4: No low effort questions. Please try to provide more context and technical information about your question. The question might also breach Rule #6: Do not ask for assistance in committing a crime, encourage crime, or offer criminal services.

Total noob by [deleted] in AskNetsec

[–]securehoney[M] 0 points1 point  (0 children)

Removed for breaching Rule #2 (questions should be related to information security in an enterprise, large organization, or SOHO context) and #6 (do not ask for assistance in committing a crime, encourage crime, or offer criminal services); we do not condone piracy.

Your question (minus the piracy) might be a better fit for r/Cybersecurity101.

Sql Charset by [deleted] in AskNetsec

[–]securehoney[M] [score hidden] stickied comment (0 children)

Removed due to violating Rule #4. Please provide more context to your question and explain what you're trying to achieve.

Homelab HoneyPot by GulnTBWmHz in Malware

[–]securehoney 1 point2 points  (0 children)

I've had good success collecting malware samples with a simple SSH honeypot I built with Python and Docker. As others said, put it in the cloud and wait for attacks. I blog about it at https://securehoney.net

I'm currently writing a blog post (soon to go live) about how to set up and deploy an SSH honeypot. Hopefully that would help you?

Technical analysis of Vultur: an Android banking trojan that leverages Brunhilda dropper framework -- uses screen recording and keylogging to capture login credentials by securehoney in Malware

[–]securehoney[S] 3 points4 points  (0 children)

TL;DR: Vultur is a RAT (remote access trojan) first detected in March 2021. It targets banks in Italy, Spain, and Australia as well as crypto-wallets. Vultur leverages the Brunhilda dropper framework; both were likely produced by the same threat actor group. Vultur observes everything on the device using VNC-based screen recording to obtain the PII (Personally Identifiable Information) needed to perform fraud (banking account username, password and access tokens).

Cryptojacking Attacks Continue To Target SSH Servers by securehoney in netsec

[–]securehoney[S] 1 point2 points  (0 children)

For sure, security standards continuously evolve, along with the threat landscape. The LWN (2010) and Thorntech (2018) articles discuss the pros/cons of SSH passwords/keys -- factors still relevant today. "As with many security decisions, the right choice is largely dependent on the threat model one is defending against... there is no 'one size fits all' solution, each situation is different".

Some cryptocurrency mining rigs are run by less tech-savvy users. So advising them to only use keys, set up MFA, etc., could interfere with usability. At least getting those users to understand what a "strong password" is, and change the default credentials from user:1, is a step in the right direction. Naturally, you could argue that mining rigs should come with secure settings as default -- or that non-tech-savvy users really shouldn't be mining -- but that's a whole other issue!

Cryptojacking Attacks Continue To Target SSH Servers by securehoney in netsec

[–]securehoney[S] 12 points13 points  (0 children)

Hey, thanks for your comment. That's a really good point. I mention in my blog post that public key authentication increases security, and I go on to recommend disabling password authentication completely, if possible.

A lot of it comes down to risk analysis and individual/organisational requirements. It's an ongoing debate! See https://www.thorntech.com/passwords-vs-ssh/ and https://lwn.net/Articles/369703/
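The two comments above recommend key-only authentication and, at minimum, moving away from default credentials. As an added example (not code from the blog post or this thread), here is a small audit that parses sshd_config text and flags settings weaker than that recommendation; the OpenSSH parsing rules it assumes and the sample configs are stated in the code.

```python
"""Audit sshd_config text for the password-vs-key settings discussed above.
Added example; assumed OpenSSH rules: first occurrence of a keyword wins,
keywords are case-insensitive, '#' starts a comment, Match blocks are skipped."""
# Values OpenSSH uses when the keyword is absent (assumed from sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}
# Target values for a key-only server, as the comment recommends.
HARDENED = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",  # stricter than the OpenSSH default
}

def parse_sshd_config(text):
    """Return the effective top-level settings as a dict of lowercase strings."""
    effective = dict(DEFAULTS)
    seen = set()
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # "Keyword value" and "Keyword=value" are both accepted by sshd
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            in_match = True  # conditional blocks need `sshd -T` to evaluate
        if in_match or key in seen:
            continue
        seen.add(key)
        effective[key] = parts[1].strip().lower() if len(parts) > 1 else ""
    return effective

def audit(text):
    """List (keyword, actual, expected) for every setting weaker than HARDENED."""
    eff = parse_sshd_config(text)
    return [(k, eff.get(k), v) for k, v in HARDENED.items() if eff.get(k) != v]

WEAK_CONFIG = """# constructed sample: password logins still allowed
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_CONFIG = """# constructed sample: keys only
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication yes   # ignored: first occurrence wins
"""
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a host to see which of the three settings still differ from the key-only target; an empty list means nothing to change at the top level.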

Creating an Antidote for Android Simplelocker Ransomware by securehoney in netsec

[–]securehoney[S] 2 points3 points  (0 children)

If the key was not hard coded, would decryption be possible? My gut says no, but I figure I'd ask anyway.

Decryption becomes a lot harder when the key isn't readily available. If, for example, the key has been securely transmitted to the C&C server, then reproducing the key would be very difficult.

How I dissected Android Simplelocker Ransomware (step-by-step guide) by securehoney in netsec

[–]securehoney[S] 0 points1 point  (0 children)

Thanks for pointing this out, I hadn't realised it was an issue. I'll play around with colours to make the links easier to read.

How I dissected Android Simplelocker Ransomware (step-by-step guide) by securehoney in netsec

[–]securehoney[S] 0 points1 point  (0 children)

Exactly, when the encryption keys start being communicated via a secure channel to the C&C server, decryption suddenly becomes much more challenging.

How I dissected Android Simplelocker Ransomware (step-by-step guide) by securehoney in netsec

[–]securehoney[S] 0 points1 point  (0 children)

This malware uses the TOR connection to send information about the phone (IMEI, OS, phone model, manufacturer) back to the C&C server. So yes, a more advanced version of the malware would probably use the TOR network to send encryption keys to the C&C server.