/sec/ - Information Security General

The following are resources that may be helpful to you. Don't trust anyone and do your own research.

Bloated resources pastebin:
>pastebin.com/UY7RxEqp

>Which software do i use?
prism-break.org/en/
privacytools.io/

>Why are you so paranoid if you've got nothing to hide?
philzimmermann.com/EN/essays/WhyIWrotePGP.html

Training and Wargames
WeChall - Largest Wargame community | wechall.net/about_wechall
Overthewire - Very good wargames, play Bandit if you're a beginner | overthewire.org/wargames/
Exploit-Exercises - Good wargames that are available offline | exploit-exercises.com/
TrailOfBits CTF Guide - Rundown of everything CTF | trailofbits.github.io/ctf/
OpenSecurityTraining - Very good material for Cybersec | opensecuritytraining.info/Training.html

Current CTFs
ctftime.org/

Bug-Bounties
BugCrowd - Easiest to use, beginner-friendly | bugcrowd.com/
Google - Google's reward program for its apps | google.com/about/appsecurity/reward-program/

Reverse Engineering
beginners.re - Beginner-friendly without holding your hand
theZoo - Malware Repository | github.com/ytisf/theZoo

Cryptography
Gary Kessler - A quick and meaty rundown on cryptography | garykessler.net/library/crypto.html

IRC:
>#Sup Forumssec @ Rizon
>This general is a tool, not something to substitute as your identity.

Thread archive:
Previous thread:
If you have a link that isn't in here, post it.


Courses
Cybrary - Plethora of free cybersecurity courses | cybrary.it/
FSU Offensive Computer Security - All-in-one Red Team curriculum | cs.fsu.edu/~redwood/OffensiveComputerSecurity/

Free Shit for Students
GitHub - Boatload of credits for servers | education.github.com/pack

Link Lists
Awesome InfoSec - Large list of everything infosec | github.com/onlurking/awesome-infosec
Sectools - Ranked list of (popular) infosec tools | sectools.org/

All About Cybersecurity Careers
Link list hastebin of Reddit posts | hastebin.com/eticuzizoy.rb

I forgot secgen
github.com/cliffe/SecGen

Upcoming CTFs this weekend for fellow autists
WhiteHat Challenge 04
wargame.whitehat.vn/
HackCon
hackcon.in/
HackIT2017
ctf.com.ua/

Tried to add as much stuff from the last thread as I could. Good luck usual OP.

>information security
>pastebin.com

What makes the utopia.net virus so hard to remove? Besides the fact that no antivirus can detect it.

>removing malware
youtu.be/lb1XDMbQOiM

A better OP than yesterday.

Dead thread without Europeans.

As was predicted.
This is the price to pay for demerging.

has anyone watched the hackinabox conference?

Thanks to the last thread I started doing wargames for the first time on overthewire last night. Learned heaps and now I'm addicted. Thanks based /sec/.

Stop being paranoid

It's only paranoia if they are not out to get you.
If you get stuck try to not look up an answer. They really are the best way to learn.

>If you get stuck try to not look up an answer. They really are the best way to learn.
Don't listen to this idiot. There are fucking THOUSANDS of them in existence, and if you didn't know of a technique before looking at the answer, then guess what? You've still learnt something!

t. butthurt skiddie

What. I'm not butthurt at all. I've looked up the answer for dozens of challenges, and learnt something new every time. Sorry that you're upset that writeups are actually beneficial to the community.

Not sure if this has a place in the resources for threads like this but it is really good for people starting out,
> securityinabox.org

Could always use more resources. Anyone else compiling a list of relevant information for the field? I've started compiling a spreadsheet that's got resources, tools, companies, important individuals, good twitter accounts to watch, and feeds where disclosed vulnerabilities are reported as I like to research and try to replicate those. Anyone else record similar stuff?

Guy from I do.
Anyone in IRC, or should we use these threads as a place to communicate? I am also on jabber; if you aren't, I suggest it. Pidgin + OTR for windows/linux.

is me
I've been thinking we should have a telegram chat but haven't suggested anything yet. Would be a good way to share other resources between our more active posters. I've never bothered to check out jabber but I'll look at it. We should use this thread for most communications though, we need the bumps and I'm sure lurkers appreciate it.

PS I do want to share compiled information though just not super publicly. There's only so much that can be compiled alone, especially when trying to test out every tool I come across.

>IRC guide

>telegram

t-telegram is bae m-man

> IRC hardening guide,
pastebin.com/EibQ8P0x
This is /sec/ not
> using closed source crypto blindly.
Get on IRC or hang out in the thread, Telegram is botnet as fuck.

I mean, you're right, but we're all already botnetted to hell, unless you're top tier privacy autist you have a closed source NIC driver on every device you own anyway for example.

This is a fallacy
> en.wikipedia.org/wiki/False_equivalence
Just because you used something that is closed source in order to get a network interface up, (assuming that you do) isn't equal to communicating on servers that are closed source.

Alright, got me there. Approaching this from a different angle then: how is telegram botnet just cause it's closed source? A Washington DC based company that sells 0-days to world (United States) governments just upped their payment for a flaw in telegram and other end to end encryption messaging services to a half million. thehackernews.com/2017/08/hacking-secure-messenger-encryption.html?m=1 That's good enough evidence to me that (((they))) don't have a backdoor into telegram yet.

Are you clueless?

We need something that provides plausible deniability and a degree of anonymity, not privacy. This is an open thread on a Thai papier-mâché board. Open collaboration provides more information to the masses and is often better unless you are doing black hat work. We could use a slack channel even and it wouldn't make a practical difference for most of the primary threats people here face. Not saying we should, but telegram, tox etc are just memes. Something that accepts proxied traffic and supports TLS is really all you need because of the difficulty of establishing PFS in a group chat where you can constantly be desynchronized.

I mean, at its heart /sec/ is all about security threat modeling if you really think about it. If protecting against nation states is your cause for concern then well, GOOD FUCKING LUCK. This goes back to using the same technology that is open source and industry accepted as being secure; Telegram isn't this technology.

This aside, I have a SICK 0-day for you regarding telegram

> Register with phone number
> No other form of auth (single form, read:something you have)
> Someone else gets your phone number by social engineering your phone provider
> beep boop, Hi I am (username) and I have 100% access to /chatlogs/
If you can't see the flaw in this alongside the shitty crypto, I got nothing for ya.

C++ or Java?

...

Good post. I went through google voice to get a phone number I just use for telegram to better cover myself, but uh, I went through google voice so I already lose. Telegram definitely has some limits I didn't fully consider before.

> If protecting against nation states is your cause for concern then well, GOOD FUCKING LUCK.
Difficult, not impossible. I've got most of my vectors covered, hardware's turning out to not be as hard as I thought.

Right, the point of my post also was: don't think that nation state actors need to break the crypto when they have every company that transmits/receives on cellular networks by the balls. They will take the path of least resistance and just get a SIM issued rather than break some closed source Russian crypto.

I am not saying that it is impossible but what I am saying is if you are going to do it, at least do the footwork yourself. Don't use some meme chat app and expect the crypto to "just werk"
also,
> Are you sure that the supply chain for the hardware is secure ;)

For any one individual it's impossible. The reason we advocate for more privacy tools is to raise the costs of doing it so it can't be done on a massive scale. You can break one person's encrypted device with enough time and money, but you can't break everyone's because the cost becomes prohibitively expensive.
Even if it was, most consumer hardware is vulnerable to side channel attacks. AES is trivial to break on a lot of consumer hardware.

>I am not saying that it is impossible but what I am saying is if you are going to do it, at least do the footwork yourself. Don't use some meme chat app and expect the crypto to "just werk"
Just making small talk, user :o)
> Are you sure that the supply chain for the hardware is secure ;)
Yeah, I source all of my hardware directly from Shenzhen (and Mongolia for more important pieces). Personally inspect all pieces myself to make sure they're not tampered and then reflash and assemble all of it.
>For any one individual its impossible. The reason we advocate for more privacy tools is to raise the costs of doing it so it can't be done on a massive scale. You can break on persons encrypted device with enough time and money, but you can't break everyone's because the cost becomes prohibitively expensive.
Encryption is not an end-all in any sense of the word. It stops local law enforcement and skiddies from seeing your "Anarchy" torrent folder and doujinshis. The proper OPSEC is to not have any information that needs encryption. Most communications are wasted or do not warrant communication, thus a long-term app like Tox/WhatsApp/flavor of the month is not good and starts edging closer to a 100% certainty of being compromised the longer it's around. "Breaking" encryption is trivial for nation-states and usually, as you said, it's done through side channels and no resources are wasted.

Third stop-motion arrow here meant for you.

Picture of your board or STFU

> encrypt all the things
true.
> side channel
also true.
Big if true, I am not a hardware guy.

Since this is /sec/, I am looking into getting a new mobile. It needs to be "smart", I am not looking to defend all of the possible vectors but I am looking for something with a good amount of control. Currently I am looking at the LG V20 because of the removable components and microsd compatibility. If has any info on what chips/manufacturers to avoid. I have a friend who told me to stay away from anything Qualcomm but I am not sure if that is possible. Custom ROM w/o GAPPS, implied.

Anyone else sad about no more hardened gentoo kernel? What other alternatives are out there?

No phone is safe. Practice good OPSEC and don't do anything serious on a phone. Run traffic through encrypted VPN and stay safe.
OpenBSD.

Here are some misc bookmarks that I have here
> twofactorauth.org/
List of all sites that support 2fa
> securityinabox.org
Digital security tools and tactics
> isc.sans.edu/links.html
SANS links list, includes malware information, /sec/ dashboards, /sec/ news, /sec/ blogs and /sec/ advisories

what's with the /sys/admin "split"? why did it die so fast?
why does /sec/ attract so much drama? is it because of the usual elitism in infosec?

Golang

the client is foss.

>i.imgur.com/9V6gBaD.png
Skiddies can't learn to shut their faggot mouths and lurk like reasonable newkids. And sysadmins thinking they're elite hax0rs opining on topics they do not know about.

How to use Chacha20-poly1305 with luks/dm-crypt/cryptsetup? If it is not possible with these, what would you suggest for an encrypted file system on GNU/Linux?

>infosec
infosec is a dumb meme

I think these threads should be had every 2 days. Not enough people for a whole general.

I do understand that the telegram client is FOSS, the server isn't and thus the service isn't FOSS.
/sys/? The amount of people who do actual technical shit on Sup Forums is low, mostly threads about phones/video cards/this vs that. Plenty of other places exist for sysadmin types to talk shit and I'm not 100% sure Sup Forums is that conducive for success on these types of threads even though personally, I enjoy them.

>the server isn't
So what? The messages are end-to-end encrypted.

Please see my posts

github.com/Hack-with-Github/Awesome-Hacking
github.com/carpedm20/awesome-hacking
github.com/enaqx/awesome-pentest
github.com/wtsxDev/Penetration-Testing
phrack.org/

Some links you might enjoy
But how can you choose from the amount of resources available? Reversing is interesting, like cracking, cryptography, web hacking, software hacking, hardware hacking... How do you stop being overwhelmed by all the choice and actually do something?

Also, root-me.org is an excellent website for training in security.

I was under the impression that both telegram and signal allowed you to see the public key of the other person. I might have been wrong.

>closed source Russian crypto
The crypto is open and at the client side.

So what are good places for sysadmin stuff ?

AES w/ ssiv works just as well. What's up w/ all these crypto hipsters?

AES a bad.

> I was under the impression that both telegram and signal allowed you to see the public key of the other person. I might have been wrong.
Nah, their calling "secure system" gives you emojis to read to make sure the call is "secure". I prefer Signal.
>The crypto is open and at the client side.
That's fine but what kind of metadata is getting leaked to the server? I guess we don't know because the server is closed source. We have a pretty good idea though, just search "metadata leak telegram" see what pops
Unfortunately resources for this kind of stuff are limited to more social networks / old style forums that generally are shit. I will contribute in /sys/ threads but I wouldn't say they are justified unless the market demands them. Anecdotal, but I have never seen these threads in my time browsing Sup Forums. Also I think that most sysadmins see their knowledge as something that isn't to be shared because they think helping educate others is a risk to their job security, but this could be anecdotal. Also most sysadmins shitpost somewhere else because if they are any good their systems can kind of just run themselves with minimal interaction and maximum automation. That being said, here are some:
> stack exchange
> spiceworks
> leddit (I FUCKING KNOW IT SUCKS OK)
> serverfault

>I prefer Signal.
Which also happens to be a cancerous bullshit.

>but what kind of metadata is getting leaked to the server?
You know that from the client.

>I guess we don't know because the server is closed source.
You would not know anything extra if the server was foss. After all they could easily use a modified server without telling you.

it sends a sms code to the phone number though

Can someone post the spamhaus blacklist (comma delimited).
Thanks.

You're right. You can be stuck because something is difficult or you can be stuck because you really don't know what technique to apply or what place to look at. In the latter, looking up a solution is a great way to learn, provided you try it yourself afterwards

> Which also happens to be a cancerous bullshit.
Damn, that was a good review; in comparison I wish I would have put that much effort into my replies in the thread starting here. How much does Telegram pay you to come in threads like this? If people don't want to use Telegram what problem do you have with that? You still haven't responded to any of my other concerns other than the fact that you are protecting the closed source nature of the server. Cool dude, use whatever the fuck you want.

> get issued SIM by fraudulent means
> receive text message
> authenticate as SIM owner
Same way people keep getting their Coinbase accounts owned.

>If people don't want to use Telegram what problem do you have with that?
Wut? Did I say anywhere that I have a problem with that? All I did was to just dispute your bullshit.
Not everyone you disagree with is a shill, in fact I am not even using telegram.

>You still haven't responded to any of my other concerns
I only responded to things that I considered interesting enough to talk about. If you have something specific to ask me then feel free to do so.

Don't you think that authenticating with a SMS phone number and nothing else is inherently flawed? I am not even a FOSS guy but I guess I don't see the reason for it in encrypted systems, even if they are server side. Especially if you are operating as a non-profit.

should /sec/ make their own irc server?

I don't know, should we?

Not sure where to look, besides posting on Sup Forums. I am looking to buy 0days/exploits for popular social networking services like Instagram, Twitter, Snapchat, Facebook, YouTube, Kik. I am also looking for exploits of popular email providers.

What Kind?
- Accessing sensitive account information, like email, phone number
- Accessing the account itself
- Being able to reset the password for any account or change any of its information so it can be reset

I am very experienced in this scene and have hacked celebrities and accounts for other people. Unfortunately all of mine are patched.

If you do not want to share the exploit, but have it, please contact me anyways. I need someone with these 0days or exploits.

Contact me via Email

0day@activist dot com

could be interesting with everyone trying break in for fun

Does Router Keygen work for anyone ever? Every time I use it everything is unsupported.

Is this a joke? If you were the type of person to need 0days you'd know where to look.

LMFAO you're not the only one. I hope you got 500k.
>zerodium.com/program.html

>There are four lights.

no, use freenode

>How do you stop being overwhelmed by all the choice and actually do something?
By not using online resources. If you really want to learn, then put away all the links you have, and go buy a textbook. Because it'll have cost you so damn much, you will work through it.

Also, the library is a good resource if you can't afford to buy textbooks. If it's a university library, they will usually have recent and popular infosec books.

No, that's the same as hoarding resources online. If you outlay real, precious money, you will utilise the resource.

Yeah, I suppose if you really need to force yourself to start reading you'll do it by spending money on books. But, I've found that having to make the trip out to the library sort of acts as a similar type of motivation (i.e. I'm going to read this otherwise I spent time and effort to go to the library for nothing). There's also a time limit because you need to return the books after a few weeks, which helps.

Time box things. Deadlines are a great motivator.

If I may, I recommend that you be very careful with compiling information. In my experience, you'll end up compiling too much information and studying/making use of very little of it. Pick a few quality resources and focus on them.

Sysadmins have nothing to do with /sec/

We should compile a list of /sec/ recommended talks and presentations. What do you guys think?

If I did this the book would just collect dust and I would hate myself for wasting money I couldn't afford to waste.

Got any more tips? Or a a guide that has tips on how to be more productive and less lazy?

Do this.

Thirded, sounds like a great idea

Don't know if this has been posted, but
>vulnhub.com/

is a great way to practice and learn pen-testing in a lab setting. It's full of user submitted vulnerable VMs.

There's also a section for some of the VMs that contain walkthroughs/write-ups on how to approach and gain root access.

Hope this helps someone.

>Don't you think that authenticating with a SMS phone number and nothing else is inherently flawed?
I do, did I claim otherwise?

>sec bump
If these were merged I'd only have to do fucking one

Larp larp larp

Focus on something narrow. It's easy to get distracted by feeling the need to hop between 10 things you have no idea how they work, but that just leaves you with 10 things you sort of understand but not in enough depth to do anything beyond surface level in any subject. Not to say go hyper autistic on any one niche subject, but when you are learning you have to buckle down on one thing at a time.

All you need to do to stop being lazy is when you consider doing something, do it.

> Someone else gets your phone number by social engineering your phone provider

more chance of dying to a shark attack in the bath m80

Unless you have a shit ton of money, nobody cares about you, if you think that your data is at all valuable you have serious issues with your self image, need to tone that ego down a bit and realize that you're meaningless to everyone else, especially a l33t haxor that wants to get in the wallet of some rich college history professor who doesn't know shit about technology.

Rescuing in from page 7

Well then, I'll take responsibility for organizing them but I don't have many to contribute. Please post your favourite talks, I'll watch them and maybe add to the list. Once there is a decent number of them, I'll post them so OP can add to the pasta.

I'm only bumping this so I can laugh at the thread later

How would one prevent a layer 2 mitm on a wireless network?

I know two options are host isolation, and requiring certificates to be used such as in PEAP-MSCHAPv2 authentication systems.

are there any other methods to prevent this attack on wireless?

>layer 2 mitm on a wireless network
You're gonna need to provide examples of your working out here johnny

layer 2 mitm = gratuitous ARPing.

ARP poisoning, ARP mitm, whatever.

It's sending an ARP to a target informing it that the gateway IP address is now at your MAC address, and you begin forwarding traffic from the target to the gateway.

I'm just asking if, in general, there is a way to prevent this attack from happening on wireless networks that is not isolating wireless clients into their own VLAN.

It doesn't seem to me like there is any way to prevent this on a WLAN without client isolation.
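Where prevention is not available (no client isolation, no 802.1X as discussed above), the fallback is detecting the poisoning attempt when it happens. The example below is added to this thread and is not from any post or tool mentioned in it: it models the ARP-cache-poisoning attack described above and runs a simple arpwatch-style detector over a constructed stream of ARP packets. The detector learns IP-to-MAC bindings from traffic, treats a reply nobody requested as low severity on its own (hosts legitimately send gratuitous ARP on boot), and escalates when an already-known IP, especially the gateway, is suddenly claimed by a different MAC. The gateway address, MACs and packet sequence are all constructed sample data.

```python
"""Detect ARP-cache-poisoning attempts in an observed stream of ARP packets.

Added example for the ARP-MITM discussion above; all input is constructed,
not captured traffic. A sensor that sees the WLAN's ARP traffic keeps an
IP -> MAC table and alerts when a known IP (the gateway above all) suddenly
claims a new MAC, or when a reply arrives that no host asked for.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ArpPacket:
    ts: float          # seconds since start of capture
    op: str            # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


Alert = Tuple[str, float, str]  # (severity, timestamp, message)

GATEWAY_IP = "192.168.1.1"  # constructed sample gateway address


def detect_arp_spoofing(packets: Iterable[ArpPacket],
                        gateway_ip: str,
                        trusted: Optional[Dict[str, str]] = None
                        ) -> Tuple[List[Alert], Dict[str, str]]:
    """Return (alerts, learned bindings) for one pass over the packets.

    `trusted` may seed the table with static bindings (e.g. the gateway's real
    MAC) so the very first spoofed reply is already a conflict.
    """
    bindings: Dict[str, str] = dict(trusted or {})
    outstanding: Set[str] = set()   # IPs some host has asked about
    alerts: List[Alert] = []

    def observe(p: ArpPacket, unsolicited: bool) -> None:
        known = bindings.get(p.sender_ip)
        if known is None:
            # First time we see this IP: learn it, but note if nobody asked.
            bindings[p.sender_ip] = p.sender_mac
            if unsolicited:
                alerts.append(("low", p.ts,
                               f"unsolicited ARP reply from {p.sender_ip} "
                               f"({p.sender_mac}); binding learned"))
        elif known != p.sender_mac:
            # A known IP now claims a different MAC: the classic poisoning
            # signature. Keep the original binding so repeats keep alerting.
            severity = "high" if p.sender_ip == gateway_ip else "medium"
            alerts.append((severity, p.ts,
                           f"{p.sender_ip} changed MAC {known} -> {p.sender_mac}"
                           + (" (unsolicited reply)" if unsolicited else "")
                           + (" [gateway]" if p.sender_ip == gateway_ip else "")))

    for p in packets:
        if p.sender_ip == "0.0.0.0":   # ARP probe (RFC 5227) carries no binding
            continue
        if p.op == "request":
            outstanding.add(p.target_ip)
            observe(p, unsolicited=False)  # requests also advertise the sender
        elif p.op == "reply":
            solicited = p.sender_ip in outstanding
            outstanding.discard(p.sender_ip)
            observe(p, unsolicited=not solicited)
        else:
            raise ValueError(f"unknown ARP op {p.op!r}")
    return alerts, bindings


# Constructed sample capture: a victim (…:20) and another client (…:30)
# resolve the gateway normally, then a host at …:66 injects a reply telling
# the victim that the gateway now lives at its MAC. A printer (…:40) then
# announces itself on boot, which is unsolicited but harmless.
SAMPLE_PACKETS = [
    ArpPacket(0.00, "request", "192.168.1.20", "aa:bb:cc:dd:ee:20", GATEWAY_IP, "00:00:00:00:00:00"),
    ArpPacket(0.01, "reply",   GATEWAY_IP, "00:11:22:33:44:01", "192.168.1.20", "aa:bb:cc:dd:ee:20"),
    ArpPacket(5.00, "request", "192.168.1.30", "aa:bb:cc:dd:ee:30", GATEWAY_IP, "00:00:00:00:00:00"),
    ArpPacket(5.01, "reply",   GATEWAY_IP, "00:11:22:33:44:01", "192.168.1.30", "aa:bb:cc:dd:ee:30"),
    ArpPacket(9.00, "reply",   GATEWAY_IP, "aa:bb:cc:dd:ee:66", "192.168.1.20", "aa:bb:cc:dd:ee:20"),
    ArpPacket(12.0, "reply",   "192.168.1.40", "aa:bb:cc:dd:ee:40", "192.168.1.40", "ff:ff:ff:ff:ff:ff"),
]


if __name__ == "__main__":
    found, table = detect_arp_spoofing(SAMPLE_PACKETS, GATEWAY_IP)
    for severity, ts, msg in found:
        print(f"[{severity:6}] t={ts:5.2f} {msg}")
    print("final table:", table)
```

On the sample capture the detector raises one high-severity alert for the gateway's MAC change at t=9.00 and one low-severity note for the printer's gratuitous announcement, and the gateway's original binding survives because a conflicting claim is never allowed to overwrite a learned entry. In a real deployment the packet list would be fed from a sniffer on the WLAN and the gateway binding seeded via `trusted`; the logic is the same one arpwatch-style tools apply, and it detects rather than prevents, which is why the thread's point about client isolation and certificate-based authentication still stands.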