Migishu posted:

Security Fuckup Megathread - v13.0.1 - looks like them secfuck boys are at it again

ymgve posted:

what, you don't have files valuable enough to pay $200k for a small chance to get them back?

(I assume it's supposed to be milliBTC but lol)

apseudonym posted:

That was me, and I'm gonna stand by that with skill its not impossible to catch using things like timing and sizes and such signals, I worked with people who built tools for this kind of stuff (and sold them to lovely human being ) and I hosed a lot of lovely tor stealth projects that tried to mask as other things.

Thankfully Egypt blows and hasn't blown the money on people who can

Winkle-Daddy posted:

Hey sec fuckup thread! I know I've seen some awesome posts about what cipher suites should be enabled...does anyone have a config or can link to an ideal nginx SSL config? Specifically for ssl_protocols and ssl_ciphers?

ate all the Oreos posted:

check out sslscan which does most of the things ssl labs does but you can run it locally.


yeah i think that's where i originally got mine from, then i massaged it until i was happy. here's mine if anyone cares:

code:

ssl_prefer_server_ciphers on;
ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers               "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

other useful settings you should read up about and probably use are:

- ssl_dhparam
- ssl_session_*
- ssl_stapling

also if you're a cool ssl bro and are 100% sure you'll only use SSL forever you wanna do:

code:

add_header                Strict-Transport-Security "max-age=15768000; includeSubdomains;";

SpaceClown posted:

Hey sec boys how would SWIM go about haxx0ring all the un1337 n00bzz?

negromancer posted:

YES! it's stored in ~/.ssh/authorized_keys I thought?

see, that's why I only run scripts at night, and write them in the daytime. The strength of weed I get from my friend ranges from "nice realizing high" to "I might be in a coma so I'm gonna watch Oceans Eleven on repeat".

Westie posted:

just got owned via plesk, i'd like to sha-



maybe not

Migishu posted:

wasn't there some thing about the filezilla guy being an absolute rear end in a top hat for not patching known, ancient, bugs or some poo poo about him being stupidly arrogant?

OSI bean dip posted:

this is getting interesting

Subjunctive posted:

you don't have to keep usable CC info for that

Aquarium of Lies posted:

lol a company I'm interviewing at had an unsecured mongo instance get ransomewared very recently

pr0zac posted:

In other news, back a while I referenced fears that Russia had access to Telegram, but didn't have much more than speculation to back it up, one thing hidden in the trumppissgate docs is confirmation that yes, Russia has access to Telegram

pr0zac posted:

Sorry, I'm on phone waiting for my wife's car to be fixed thus lack of details.

http://www.theverge.com/2017/1/11/14237136/trump-leak-telegram-security-cracked-russia-encryption

Rooney McNibnug posted:

Yeah, this is a really good talk and Theo owns. Theowns.

OSI bean dip posted:

i threw an egg at his house once

Ur Getting Fatter posted:

??

Kazinsal posted:

they charge you fifteen bucks to wrap your bag with a pound of cling wrap

hackbunny posted:

just my luck, I get out of kitty jail just in time for the thread to be disappeared <>

italy is currently being rocked by a bizarre scandal of the cyber persuasion. the occhionero siblings, entrepreneurs in the finance sector, freemasons and by all accounts smart people (he's a nuclear engineer, she's a chemistry phd), are found to be conducting a multi-year spearfishing campaign against politicians, entrepreneurs and... other freemasons. their spyware appears to have been entirely developed in-house, and it's been active since at least 2011. kaspersky describes it as "amateurish" but I've gotten my hands on a recent sample and it appears to have been developed by someone who, if not a cybercriminal, has at least an idea of how malware analysis is done and how to slow it down. well, at least the anti-analysis protection and obfuscation was, and I know it's not a commercial framework because the few unobfuscated strings are unique to the malware

on the other hand, the occhionero siblings made huge, gigantic opsec blunders, and I argue that they had outside help with the malware development, because they clearly aren't serious criminals. consider the strongest piece of evidence against them: the malware exfiltrates data by sending e-mails and uses a commercial component to do so, which requires a license code to unlock. not only the malware contains said license code, but italian police asked the fbi for help, the fbi obtained the name of the licensee, and it was the occhionero brother: the guy had virtually embedded his real name in his phishing malware

on the other other hand, when the police came to arrest them, the brother rebooted the bitlocker-encrypted computer and now refuses to provide the password, while the sister locked her smartcard by entering the wrong pin several times. it's not going to help them much because the amount of evidence against them is impressive: they didn't just embed personally identifying information in the malware, they also hosted the c&c server on their company's website, and they talked about their dirty business on regular cleartext phone calls, that the police duly wiretapped

all considered, the campaign wasn't terribly successful. of about 18000 targets, only about 10% are estimated to have been compromised

the motive is still a mystery. insider trading seems to be the current consensus

the malware samples I've seen raise some extremely obvious red flags when run in the simplest of the automated analysis tools, and they're clearly part of a shared lineage dating back years, so it's a little amazing to me that it took so long for it to be noticed

flosofl posted:

Cool post, and keep us updated. This seems bizarrely inept.

I'm just wondering what the significance of being a freemason and targeting freemasons was. Is freemasonry different in Italy compared to the US? In my area they seem to be guys who hang out once a week and help sponsor kids/families to the Shriner's hospital. Honestly, they seem like Elks with less pancake breakfasts.

hackbunny posted:

crazysim posted:

i should add there's a de4dot integrated/engine replacement of ilspy called dnspy

Boiled Water posted:

i look forward to living in a country where power outages are rare because infrastructure is maintained


but i'm already there

Wiggly Wayne DDS posted:

you mean it's time to switch to a 2017 browser when OpenOpera releases

shadowban all opera users, especially the ones changing user-agent

Loving Africa Chaps posted:

Epic troll of Assange Barry O, good job

BangersInMyKnickers posted:

hey windows comes with the best and easiest to configure crypto stack baked in to the os but lets gently caress that all up with some linux garbage