|
ExcessBLarg! posted:Prime numbers exist above 10,000, so the claim that 9533 is the largest prime is pretty laughable. As for why, I'm not a Mathematician so I won't explain it in a rigorous way, but intuitively there's nothing particularly special about "10,000" to think that there aren't prime numbers larger than that.
|
# ? Nov 24, 2015 19:16 |
|
|
related to the recent dell stuff, i was just linked this: http://rol.im/dell/ arbitrary service tag disclosure via dell's "tribbles" software.
|
# ? Nov 24, 2015 20:14 |
|
also, seems that a new POS malware that is extremely sophisticated is making the rounds: https://thestack.com/security/2015/11/24/modpos-retail-malware-is-not-the-work-of-script-kiddies/

quote:‘ModPOS is highly modular and can be configured to target specific systems with components such as uploader/downloader, keylogger, POS RAM scraper and custom plugins for credential theft and other specialized functions like network reconnaissance. We believe other capabilities could also be leveraged. The modules are packed kernel drivers that use multiple methods of obfuscation and encryption to evade even the most sophisticated security controls.’
|
# ? Nov 24, 2015 20:26 |
|
deep impact on vhs posted:also, seems that a new POS malware that is extremely sophisticated is making the rounds: https://thestack.com/security/2015/11/24/modpos-retail-malware-is-not-the-work-of-script-kiddies/

Not particularly special in terms of its capabilities, but it has been floating about for a while it appears. Here are some links to look at:

https://www.virustotal.com/en/ip-address/130.0.237.22/information/
https://www.symantec.com/security_response/writeup.jsp?docid=2014-121211-5404-99&tabid=2

I can't share the report directly as it's tied to my work account, but I can share excerpts:

quote:iSIGHT Partners has been tracking a sophisticated malware framework with individual modules that are difficult to detect and are typically packed kernel drivers, suggesting the malware author’s sophistication level is high.

It should be noted that it has probably been picked up in the wild by an AV vendor well before this report came out (as per my previous links) but iSIGHT is the first team to figure out what is going on here.

quote:This driver contains the actual POS scraper code that collects credit card track data from memory. We believe the malware authors target specific POS software processes; however, in one sample we observed the malware injecting code into credit.exe and hooking the “__vbaStrCopy” function. Stolen credit card data is AES-256 encrypted and stored in the Windows Installer directory using random characters for the filename and a “.bin” filename extension, such as C:\WINDOWS\Installer\{GUID}_<random_characters>.bin.

Lain Iwakura fucked around with this message at 00:23 on Nov 25, 2015 |
# ? Nov 25, 2015 00:20 |
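On the scraper excerpt above, the mechanics are worth seeing in code. The following is an added example written for this thread (not iSIGHT's write-up and not the ModPOS code): it scans a byte buffer for Track 1 / Track 2 strings, Luhn-checks the PAN the way a scraper does to discard noise, and adds a filename heuristic for the `{GUID}_<random>.bin` drop files the excerpt names. The memory buffer and file names are constructed test data; the card numbers are the standard Luhn-valid test PANs, not real cards. Run it over a process dump from a POS host to answer the question that matters after an infection: was track data actually sitting in memory.

```python
"""Track-data scan of a memory buffer, in the spirit of the ModPOS RAM scraper
excerpt above. Added example for this thread, not iSIGHT's or the malware's code.
Defensive use: run it over a process dump, or over the drop files once decrypted,
to confirm whether card data was actually exposed.
All sample data below is constructed; the PANs are the well-known Luhn-valid
test numbers, not real cards."""
import re

# Track 2 as it sits in POS memory: ;PAN=YYMM SSS discretionary?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")
# Track 1: %B PAN ^ NAME ^ YYMM SSS discretionary ?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum; scrapers use it to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track_data(buf: bytes) -> list:
    """Return every track-1 / track-2 looking string in buf with its Luhn verdict."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": 1, "offset": m.start(), "pan": pan,
                     "name": m.group(2).decode(errors="replace"),
                     "expiry": m.group(4).decode() + "/" + m.group(3).decode(),  # MM/YY
                     "service_code": m.group(5).decode(), "luhn_ok": luhn_ok(pan)})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": 2, "offset": m.start(), "pan": pan,
                     "expiry": m.group(3).decode() + "/" + m.group(2).decode(),  # MM/YY
                     "service_code": m.group(4).decode(), "luhn_ok": luhn_ok(pan)})
    return hits


def exposed_pans(buf: bytes) -> list:
    """Distinct Luhn-valid PANs found in buf: the scraper's actual take."""
    return sorted({h["pan"] for h in find_track_data(buf) if h["luhn_ok"]})


# Hunting heuristic for the drop files the excerpt names:
# C:\WINDOWS\Installer\{GUID}_<random>.bin. Legitimate Installer content is
# {GUID} directories and .msi/.msp files, so a GUID-prefixed .bin is worth a look.
INSTALLER_BIN_RE = re.compile(
    r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}_[A-Za-z0-9]+\.bin$")


def suspicious_installer_files(names) -> list:
    return [n for n in names if INSTALLER_BIN_RE.match(n)]


# Constructed "process memory": heap noise around two track strings and one
# digit run that looks like track 2 but fails the checksum.
SAMPLE_MEMORY = (
    b"\x00\x00\x10heap noise\x00\xff\xfe"
    b"%B4111111111111111^DOE/JOHN^25121010000000000?"
    b"\x00\x00more noise 0123456789\x00"
    b";5500000000000004=2512101123456789?"
    b"\x00;4111111111111112=2512101000?\x00"
)
SAMPLE_FILENAMES = [  # constructed names, not from a real host
    "{0A1B2C3D-1111-2222-3333-444455556666}_qzx9w.bin",   # matches the drop-file pattern
    "{0A1B2C3D-1111-2222-3333-444455556666}",             # ordinary Installer cache directory
    "1a2b3c4d.msi",
]

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        print(hit)
    print("exposed:", exposed_pans(SAMPLE_MEMORY))
    print("drop files:", suspicious_installer_files(SAMPLE_FILENAMES))
```

The Luhn step is the important one: a raw regex over a heap produces plenty of digit runs, and the checksum is what turns "something that looks like a card" into a finding you can act on.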
|
OSI bean dip posted:Not particularly special in terms of its capabilities, but it has been floating about for a while it appears. Here's some links to look at: This is precisely why our credit data does not hit our internal systems at retail locations, it (somewhat) traverses the same network, segmented via VLAN to the router and goes straight out to the credit processor. We USED to handle credit reconciliation, but decided to get out of the extreme PCI hell (and legal liability) and pay a 3rd party to assume the risk. basically you swipe a card on the verifone, it's segmented on say VLAN 3 which nothing else lives on, and that heads from switch to router and off to credit processor, our hands are (mostly) wiped clean of all those shenanigans.
|
# ? Nov 25, 2015 00:46 |
I was wondering something about the practical side of security for disk encryption. If I don't have FDE equipped drives is it more secure to use software based encryption on the whole drive and have encrypted containers on it or to have multiple logical volumes encrypted with different passwords. My use is very mundane. Mostly I want to have my music on the same drive as everything else, but have everything on the drive encrypted. I want to get back to using encryption as a common part of my habits. So should I have the mundane items on a separate logical volume or is bundling it all together equally secure? Probably going to go with Veracrypt unless there's something glaring that I haven't turned up?
|
|
# ? Nov 25, 2015 03:35 |
|
i honestly don't know, that's kind of a weird setup since i'm used to people either encrypting everything or nothing. is this going to be for linux or something else?
|
# ? Nov 25, 2015 16:01 |
|
ok, i misread your post, sorry. i think you're overthinking this; you're better off using dm-crypt if you're on linux. as for windows/mac, i really don't know since i haven't really used encryption on either (don't own any macs and my gaming pc doesn't need to be encrypted)
|
# ? Nov 25, 2015 17:30 |
|
I don't see much reason to bother splitting data up between multiple encrypted volumes if each of them is going to use the same encryption and have a password of equal complexity. I guess having multiple volumes would force an attacker to try and break each one individually but breaking just one should be essentially impossible anyway. And if some flaw in VeraCrypt/TrueCrypt allows an attacker to break one volume easily they would be able to break multiple volumes the same way anyway.

For me the question would be whether or not to have a separate or even an unencrypted volume for the OS. If I have an unencrypted volume for the OS then I can boot the machine and use it for basic things like web surfing and email without needing to mount the encrypted data volume. This allows other people to use the PC without needing to know a password and it keeps your encrypted data safe and unmounted when you are not using it. The downside of course is that you, and other people, can use the PC without needing a password and poke around on the OS drive all they like and look for stuff that you might have accidentally saved there and forgotten to move to the encrypted volume.

If you encrypt the entire drive, OS and all, then you would need to enter the password for the encryption every time the machine boots up. This is nice for keeping people from using your PC but it could get annoying if you ever have to reboot frequently for any reason. It also means that your data is mounted and accessible at all times when the machine is running. This is convenient but also reduces the security of your data as VeraCrypt/TrueCrypt are intended to secure data at rest when the volume is not mounted.

I think the best of both worlds would probably be to have the OS on one volume and your data on another volume with both volumes encrypted with very different passwords. That way you can give out the OS volume password to people who you want to allow to use the PC and it keeps random people from poking around on the OS drive without the password. And your data is still safely unmounted when you are not using it but simply checking your email or whatever.
|
# ? Nov 25, 2015 17:39 |
|
How common is DNS-based command and control / data exfiltration at this point? Does it only show up in APT-level attacks or has it started to filter down to more off-the-shelf type malware?
|
# ? Nov 25, 2015 18:37 |
|
wyoak posted:How common is DNS-based command and control / data exfiltration at this point? Does it only show up in APT-level attacks or has it started to filter down to more off-the-shelf type malware? Here's a question for you: what is an APT and why do you use that term?
|
# ? Nov 25, 2015 19:14 |
|
OSI bean dip posted:Here's a question for you: what is an APT and why do you use that term? Actually just ignore that part completely, how common is communication over DNS these days? wyoak fucked around with this message at 20:38 on Nov 25, 2015 |
# ? Nov 25, 2015 20:36 |
|
Not very, assuming you're referring to "tunnelling" via udp/53 for the purpose of exfil/C&C. It's extremely easy to spot and there are far better methods available.
|
# ? Nov 25, 2015 22:03 |
|
M_Gargantua posted:I was wondering something about the practical side of security for disk encryption. If I don't have FDE equipped drives is it more secure to use software based encryption on the whole drive and have encrypted containers on it or to have multiple logical volumes encrypted with different passwords.

Encrypt the whole thing, enter your password at boot. Do BitLocker with the whole drive, or whole of C: or whatever, or VeraCrypt, or do the Linux version where you install it with one (1) encrypted LVM. Your swap partition should be encrypted, your "OS" stuff should be encrypted, all under the same thing, because what if it writes data there, like some log file or tmp file?

The whole purpose of this is if somebody steals your laptop from your car, or breaks into your house and steals your computer. Nobody's gonna cold-boot your stuff, you aren't going to get held up at gunpoint and be thankful your "important" stuff is on a different VM that was locked at the moment. (If that were a realistic concern, you should be using a completely separate computer.)
|
# ? Nov 25, 2015 23:28 |
|
Mr Chips posted:Can you explain the mathematics for the first bit for everyone else who's interested in understanding why?

This is Euclid's theorem. (In this case, Wikipedia probably has a simpler explanation, next to scanning a textbook.) Also, small primes can be easily guessed, which is supposed to be the hard part about RSA.

M_Gargantua posted:I was wondering something about the practical side of security for disk encryption. If I don't have FDE equipped drives is it more secure to use software based encryption on the whole drive and have encrypted containers on it or to have multiple logical volumes encrypted with different passwords.

I don't think there's any reason not to just encrypt everything. I'm not sure what the Windows equivalent is, but I've used the single group LVM/LUKS approach sarehu mentioned without any issues, and without doubting it. You only need one key, too. I also wouldn't trust the OS to not write something telling with multiple volumes mounted. Also it's easy to make sure that my swap partition/file is encrypted.

This is what I'm talking about: LVM on LUKS. You just leave the boot partition unencrypted. I think there's a way to finagle GRUB into using an encrypted kernel image and initramfs too, but I never tried.

dougdrums fucked around with this message at 16:15 on Nov 28, 2015 |
# ? Nov 28, 2015 16:11 |
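For the Euclid's theorem point raised earlier in the thread and the "small primes are easy to guess" remark just above, here is an added worked example (mine, not from any post): Euclid's construction finds a prime outside any finite list of primes, the first prime above 10,000 is computed directly, and a toy modulus built from two small primes (9533 and 10007, chosen here for illustration, not a real key) is recovered by trial division, which is the practical reason RSA primes have to be far beyond anything a loop can reach.

```python
"""Euclid's theorem worked out in code, plus the practical side of 'small primes
are easy to guess' for RSA. Added example for this thread; it is not from any
post or textbook, and the moduli below are constructed toy values."""
from math import isqrt


def is_prime(n: int) -> bool:
    """Deterministic trial division; fine for the small numbers used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for d in range(3, isqrt(n) + 1, 2):
        if n % d == 0:
            return False
    return True


def smallest_prime_factor(n: int) -> int:
    if n % 2 == 0:
        return 2
    for d in range(3, isqrt(n) + 1, 2):
        if n % d == 0:
            return d
    return n  # n is itself prime


def euclid_new_prime(primes) -> int:
    """Euclid's construction: N = p1 * p2 * ... * pk + 1.
    Every listed prime divides N - 1, so each leaves remainder 1 when dividing N.
    Hence N's smallest prime factor is a prime not in the list: no finite list of
    primes is complete, so there is no largest prime."""
    n = 1
    for p in primes:
        n *= p
    n += 1
    q = smallest_prime_factor(n)
    assert all(n % p == 1 for p in primes) and q not in primes
    return q


def next_prime(n: int) -> int:
    """Smallest prime strictly greater than n (e.g. the first prime above 10,000)."""
    n += 1
    while not is_prime(n):
        n += 1
    return n


def factor_by_trial_division(n: int, limit: int = 1_000_000):
    """Why small primes are fatal for RSA: if either factor of n = p * q is below
    `limit`, it is recovered in at most `limit` divisions. Returns (p, q), or
    None when neither factor is that small (the loop gives up at `limit`)."""
    for d in range(2, min(limit, isqrt(n)) + 1):
        if n % d == 0:
            return d, n // d
    return None


if __name__ == "__main__":
    print(euclid_new_prime([2, 3, 5, 7, 11, 13]))   # 59, since 30031 = 59 * 509
    print(next_prime(10_000))                       # 10007
    print(factor_by_trial_division(9533 * 10007))   # toy modulus, falls instantly
    # constructed modulus from two 31-bit primes: trial division to 10^6 finds nothing
    print(factor_by_trial_division(2147483647 * 2147483647))
```

The last call is the point: even a modulus built from two 31-bit primes is out of reach of this loop, and real RSA primes are hundreds of digits long, so "guess the prime" only works when someone chose small ones.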
|
http://malwarefor.me/2015-12-01-angler-ek-sending-cryptowall/ angler ek + cryptowall info with pcaps and samples
|
# ? Dec 2, 2015 16:48 |
|
Inspector_666 posted:It seems like when people get to brute force passwords these days it's because they were able to get the hashes via a compromised account and download the table, rather than somebody hammering a webserver or something.

It's still annoyingly common unfortunately. Apple iCloud celebrity nudes thing was because they didn't have rate limiting on the webserver for instance.
|
# ? Dec 6, 2015 21:46 |
|
facebook refuses to pay out bug bounty based on arbitrary, unwritten rules: http://exfiltrated.com/research-Instagram-RCE.php
|
# ? Dec 17, 2015 23:14 |
|
deep impact on vhs posted:facebook refuses to pay out bug bounty based on arbitrary, unwritten rules: http://exfiltrated.com/research-Instagram-RCE.php
|
# ? Dec 17, 2015 23:36 |
|
deep impact on vhs posted:facebook refuses to pay out bug bounty based on arbitrary, unwritten rules: http://exfiltrated.com/research-Instagram-RCE.php Uh. Did you read the article? He did get paid.
|
# ? Dec 17, 2015 23:37 |
|
https://www.facebook.com/notes/alex-stamos/bug-bounty-ethics/10153799951452929 Response from Facebook CSO.
|
# ? Dec 17, 2015 23:45 |
|
Wiggly Wayne DDS posted:have you been near a bug bounty in your life? the man went well beyond scope and is lucky he isn't in jail

considering he didn't touch any user data, only confirmed he was able to pivot to a bucket containing user data, i'd say he was fairly safely within scope

now, if he had downloaded, altered, accessed or otherwise gotten at user data instead of just the bucket it was hosted on, then i'd agree with you, but it's pretty clear that he didn't

also, the timeline didn't load for me initially so i was unaware that he got paid, but i'd still say that what he found is deserving of a fair bit more than what he got
|
# ? Dec 18, 2015 00:21 |
|
deep impact on vhs posted:considering he didn't touch any user data, only confirmed he was able to pivot to a bucket containing user data, i'd say he was fairly safely within scope

he kept a copy of undisclosed sensitive material for over a month after notifying them of the initial bug, then worked off of that to try and pull more payments

you'd be pushing the limits on a pentest by doing this, nevermind a bug bounty
|
# ? Dec 18, 2015 00:26 |
|
http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554 also it turns out juniper hosed up and their netscreen vpn can potentially be MITM'd, at least that's what i'm gleaning from what i've seen so far
|
# ? Dec 18, 2015 00:27 |
|
deep impact on vhs posted:http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554
|
# ? Dec 18, 2015 00:32 |
|
OSI bean dip posted:Here's a question for you: what is an APT and why do you use that term? You can substitute the word "targeted attack" for APT when you see the term if you want to: (A) get the gist of what the person is saying (B) not make a giant production over the stupid "WHAT IS AN APT REALLY?" argument
|
# ? Dec 18, 2015 00:49 |
|
Rakthar posted:You can substitute the word "targeted attack" for APT when you see the term if you want to: Yeah. No. You're not answering the question correctly. How did you come to this conclusion that those two answers are acceptable?
|
# ? Dec 18, 2015 00:53 |
|
OSI bean dip posted:Yeah. No. You're not answering the question correctly. How did you come to this conclusion that those two answers are acceptable? I seem to be able to understand that guy's question, and you seem to be struggling. Is there a reason for this?
|
# ? Dec 18, 2015 00:56 |
|
Rakthar posted:I seem to be able to understand that guy's question, and you seem to be struggling. Is there a reason for this?
|
# ? Dec 18, 2015 00:57 |
|
Rakthar posted:I seem to be able to understand that guy's question, and you seem to be struggling. Is there a reason for this? No. You do not understand the guy's question nor did you answer mine. Again, answer my question: how did you come to the conclusion that APT stands for what you have described to me? Do you know the origins of "APT" for that matter?
|
# ? Dec 18, 2015 00:58 |
|
Wiggly Wayne DDS posted:You're not willing to try and understand a concept, so are taking shortcuts to avoid the tough questions? So by being able to parse a fairly simple question, I am taking shortcuts to avoid asking tough questions? Uhh, what? Like, if a guy comes into the infosec thread and asks a simple question about dns malware, such as whether using DNS callbacks for C2 communications is prevalent among commodity malware these days or whether it's generally the hallmark of targeted attacks, seems straightforward. Or can you guys not parse that simple of a question? [edit]Really, my credentials on APT for a freaking acronym holy hell.
|
# ? Dec 18, 2015 01:01 |
|
OSI bean dip posted:No. You do not understand the guy's question nor did you answer mine. Again, answer my question: how did you come to the conclusion that APT stands for what you have described to me? Do you know the origins of "APT" for that matter? Hello, using my expert knowledge, I have reconstructed this guy's impossible to parse query as: "Is malware using DNS callbacks for C2 communication generally limited to malware that would be used in targeted attacks, or would also be found in commodity malware such as crimeware, ransomware, etc"
|
# ? Dec 18, 2015 01:03 |
|
Rakthar posted:So by being able to parse a fairly simple question, I am taking shortcuts to avoid asking tough questions? Uhh, what?

Rakthar posted:You can substitute the word "targeted attack" for APT when you see the term if you want to:

Rakthar posted:Like, if a guy comes into the infosec thread and asks a simple question about dns malware, such as whether using DNS callbacks for C2 communications is prevalent among commodity malware these days or whether it's generally the hallmark of targeted attacks, seems straightforward. Or can you guys not parse that simple of a question?
|
# ? Dec 18, 2015 01:12 |
|
Wiggly Wayne DDS posted:This is called a shortcut:

Are you familiar with the term 'paraphrase'?

quote:You opted into answering the question, don't be surprised if you get replies back. No one asked you for credentials, and you are entirely missing the point of the original question.

I don't know what the gently caress you're saying to me in this exchange, and I have a feeling you don't either. A guy asked a pretty simple question and got told to gently caress off by someone who was too dumb to understand what he was asking. I pointed out that the question was simple and straightforward, then paraphrased the question when pressed. That's about it.

Hopefully we are now on the same page and can return to the exciting topic of infosec and malware discussion. Would either of you august gentlemen care to weigh in on whether you think DNS based C2 communications are typically used in more targeted attacks as opposed to say malware that uses HTTPS based callbacks? What about malware that uses google blogs and fake webpages for C2? Or are we still ignoring that guy's question as if it can't possibly be answered?
|
# ? Dec 18, 2015 01:45 |
|
Rakthar posted:Would either of you august gentlemen care to weigh in on whether you think DNS based C2 communications are typically used in more targeted attacks as opposed to say malware that uses HTTPS based callbacks? What about malware that uses google blogs and fake webpages for C2? Or are we still ignoring that guy's question as if it can't possibly be answered?

Okay. First of all, stop talking as if you're getting hurt by my asking questions about your inability to understand that "APT" doesn't mean "targeted attack". If you had any clue about what you were talking about, you'd understand that "APT" was a term created by Mandiant to describe a group that was a "state actor", not a "targeted attack" or some other nonsense that you picked up from some marketing brochure at a lovely vendor event. I am not trying to malign your ego here by making you state your credentials; if you had any reading comprehension skills, you'd have noticed I did not once ask that. All I asked is if you understood what "APT" means and just like a lot of people out there, you do not.

Only one vendor is allowed to use "APT" and that is Mandiant/FireEye, as they use it to describe what they suspect as state actor groups. The term is misused just as much as "0-day". So unless you are describing a state actor, an "APT" is not a loving targeted attack.

Now to answer your question: what the gently caress are you trying to get at? Targeted attacks will use any means to get out with whatever level of obfuscation. Any malware author engaging in a targeted attack will have scoped out your network enough to determine whether or not they need to communicate over DNS, HTTP, or for the hell of it, UUCP. If I am going to target your organization, I sure as gently caress am going to use whatever means to get out. This seems like an un-researched question really because if you had any clue about "targeted attacks", you'd not be asking how they'd engage in them.
|
# ? Dec 18, 2015 01:53 |
|
Rakthar posted:Are you familiar with the term 'paraphrase'

wyoak posted:It's a bad acronym, but I mean high level attacks that are aimed specifically at a certain target.

cheese-cube posted:Not very, assuming you're referring to "tunnelling" via udp/53 for the purpose of exfil/C&C. It's extremely easy to spot and there are far better methods available.
|
# ? Dec 18, 2015 01:56 |
|
OSI bean dip posted:Okay. First of all, stop talking as if you're getting hurt by my asking questions about your inability to understand that "APT" doesn't mean "targeted attack". If you had any clue about what you were talking about, you'd understand that "APT" was a term created by Mandiant to describe a group that was a "state actor", not a "targeted attack" or some other nonsense that you picked up from some marketing brochure at a lovely vendor event. I am not trying to malign your ego here by making you state your credentials; if you had any reading comprehension skills, you'd have noticed I did not once ask that. All I asked is if you understood what "APT" means and just like a lot of people out there, you do not.

When people use the term APT colloquially, they mean "An attack where a guy or organization is targeting me." Does that mean a guy in a Chinese military center doing dumps of your dc / exchange server or does it mean a Russian crimeware guy trying to put POS malware on some system, it doesn't matter. It means that a guy is spending effort and assigning an operator to accomplish a task.

And yes, in general, I do feel there is a correlation between the evasion techniques being used and whether an attack is targeted or not. "Good enough" is the motto for obfuscation and, in general, obfuscation techniques are not used where they will add unnecessary complexity or where they threaten to burn a technique through common usage that is not worth coming up with countermeasures for. You should not expect to see any DNS based C2 communication with things like cryptolocker. If you are seeing DNS based C2 communication, you probably aren't dealing with cryptolocker.

This answer:

quote:cheese-cube posted:

So I think this answer is worth clarifying. Using UDP 53 for large data transfers is basically unheard of, yes. However, using DNS queries to both send and receive commands to compromised hosts is quite common and effective, simply because there's so many DNS queries to hide in and most DNS servers do not (did not) log queries due to performance and disk issues.

Here's a writeup on DNS based C2: https://zeltser.com/c2-dns-tunneling/
|
# ? Dec 18, 2015 02:11 |
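Both sides of the exchange above agree on the detection angle: DNS-based C2 hides in query volume, but it is easy to spot once someone actually looks at the queries. The following is an added example for this thread (not from any poster and not from the linked write-up) that does that looking over a resolver query log: it groups queries by registered domain and flags domains that receive many distinct subdomains which look like encoded data (high entropy, long labels) or whose traffic is TXT-heavy. The log format, the `tunnel.test` / `corp.example` names and the thresholds are constructed and should be tuned against your own logs; the last-two-labels domain split is a simplification noted in the code.

```python
"""DNS tunnelling / DNS C2 detection over a query log: the tell is one
registered domain receiving a stream of unique, long, high-entropy
subdomains (encoded data), often as TXT queries. Added example for this
thread, not from any poster; the log lines are constructed and the
thresholds are starting points to tune against your own resolver logs."""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character; hex-encoded data sits near 4, real hostnames nearer 2-3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """(registered_domain, subdomain_labels). Naive last-two-labels rule;
    production code should use the Public Suffix List (co.uk and friends)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def analyze_dns_log(lines, min_unique=20, min_entropy=3.0, max_label=30, txt_ratio=0.5):
    """Per registered domain: query count, distinct subdomains, mean entropy of the
    leftmost label, longest label and TXT share. Flag when there are many distinct
    subdomains AND they look encoded (entropy, length) or the traffic is TXT-heavy."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "ents": [], "max_label": 0, "txt": 0})
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue                      # constructed format: ts client qname qtype
        _ts, _client, qname, qtype = parts[:4]
        dom, sub_labels = split_qname(qname)
        s = stats[dom]
        s["queries"] += 1
        if sub_labels:
            s["subs"].add(".".join(sub_labels))
            s["ents"].append(shannon_entropy(sub_labels[0]))
            s["max_label"] = max(s["max_label"], max(len(lab) for lab in sub_labels))
        if qtype.upper() == "TXT":
            s["txt"] += 1
    report = {}
    for dom, s in stats.items():
        mean_ent = sum(s["ents"]) / len(s["ents"]) if s["ents"] else 0.0
        share_txt = s["txt"] / s["queries"]
        unique = len(s["subs"])
        looks_encoded = mean_ent >= min_entropy or s["max_label"] >= max_label
        report[dom] = {
            "queries": s["queries"], "unique_subdomains": unique,
            "mean_entropy": round(mean_ent, 3), "max_label": s["max_label"],
            "txt_ratio": round(share_txt, 3),
            "suspicious": unique >= min_unique and (looks_encoded or share_txt >= txt_ratio),
        }
    return report


def suspicious_domains(lines, **thresholds):
    return sorted(d for d, r in analyze_dns_log(lines, **thresholds).items() if r["suspicious"])


def _tunnel_queries(n=30):
    """Constructed exfil: each 'file chunk' becomes a 40-hex-char leftmost label."""
    lines = []
    for i in range(n):
        label = hashlib.sha256(b"chunk%d" % i).hexdigest()[:40]
        lines.append(f"2015-12-18T01:5{i % 10}:00 10.0.0.23 {label}.x.tunnel.test TXT")
    return lines


# Constructed resolver log: ordinary corporate lookups plus the tunnel above.
SAMPLE_LOG = [
    "2015-12-18T01:50:00 10.0.0.5 www.corp.example A",
    "2015-12-18T01:50:01 10.0.0.5 mail.corp.example A",
    "2015-12-18T01:50:02 10.0.0.7 intranet.corp.example A",
    "2015-12-18T01:50:03 10.0.0.7 www.corp.example A",
    "2015-12-18T01:50:04 10.0.0.9 corp.example MX",
] + _tunnel_queries()

if __name__ == "__main__":
    for dom, r in analyze_dns_log(SAMPLE_LOG).items():
        print(dom, r)
    print("flagged:", suspicious_domains(SAMPLE_LOG))
```

The unique-subdomain count is what separates a tunnel from a busy CDN: CDNs have many queries to few names, a tunnel has few repeats because every query carries new data. Expect to whitelist legitimate high-cardinality senders (anti-spam and AV lookup services do exactly this pattern over TXT) before this is quiet enough to alert on.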
|
Rakthar posted:So doesn't that seem like a really useless definition of APT? "The proper, empirical definition of APT is that this one company made up a specific term for state actors but you can only use it in their original, intended way." It was coined in a specific way, but it gets used generally. Wiggly Wayne DDS fucked around with this message at 03:21 on Dec 18, 2015 |
# ? Dec 18, 2015 03:09 |
|
Rakthar posted:So doesn't that seem like a really useless definition of APT? "The proper, empirical definition of APT is that this one company made up a specific term for state actors but you can only use it in their original, intended way." It was coined in a specific way, but it gets used generally.

No. I am giving you the definition based on the organization that actually created the term "APT" (which if you are unsure because so far I believe you are, stands for "Advanced Persistent Threat"). You're giving the definition of APT based on how you've been marketed to. I am not sure why you're trying to refute this unless you're in marketing for an anti-virus firm or some company that claims to be "next-generation" [insert poo poo box here].

When people (like you and many others) throw the term "APT" around, they mean that "they have no clue what they're talking about but have bought into the hot new buzz word to try and push their poo poo products". When someone says that they offer "APT protection", they're just offering protection from threats. No specific product is going to protect you from a targeted attack because as the statement reads: it's a targeted attack, meaning that you've been scoped out, researched, and they've crafted their attack specifically at you and nobody else. This is the sort of thing that a vendor will have a hard time defending against because of the fact that whatever protections you have in place could become meaningless because the aggressor has taken that poo poo into account.

Throwing around "APT" generally means you have no clue and probably shouldn't be talking as some sort of expert in here. Unless you work for FireEye/Mandiant, you have no loving business using that term.

quote:And yes, in general, I do feel there is a correlation between the evasion techniques being used and whether an attack is targeted or not. "Good enough" is the motto for obfuscation and, in general, obfuscation techniques are not used where they will add unnecessary complexity or where they threaten to burn a technique through common usage that is not worth coming up with countermeasures for.

You have no clue how a targeted attack works.

quote:You should not expect to see any DNS based C2 communication with things like cryptolocker. If you are seeing DNS based C2 communication, you probably aren't dealing with cryptolocker.

Why are we talking about this in relation to CryptoLocker? By the way, why are you bringing up malware from 2013 in relation to a targeted attack? Or are you going on unrelated tangents in some feeble attempt to demonstrate knowledge in something?

quote:So I think this answer is worth clarifying. Using UDP 53 for large data transfers is basically unheard of, yes. However, using DNS queries to both send and receive commands to compromised hosts is quite common and effective, simply because there's so many DNS queries to hide in and most DNS servers do not (did not) log queries due to performance and disk issues.

OK. Great. Why are you going on about this in relation to targeted attacks?
|
# ? Dec 18, 2015 03:16 |
|
|
OSI bean dip posted:Unless you work for FireEye/Mandiant, you have no loving business using that term.
|
# ? Dec 18, 2015 03:32 |