I would recommend using 2fa for your accts (if you haven't already done so) to also be on the safe side after the password changes. I know it's a large cleanup but definitely worth it imho. Also consider using Troy Hunt's https://haveibeenpwned.com to track whether your info has been in data breaches.
Good luck!
I work for DigitalOcean, what kind of logs?
We don't log traffic, if that's what you're asking. We log things like Droplet Creates, Destroys, etc — activity within the control panel. We don't log anything that happens on your droplet, with one exception: metrics.
We collect your general bandwidth usage (speed in/out and how much data), CPU usage, and disk I/O usage. If you have our monitoring agent installed, we collect things like your disk space usage, memory usage, etc. We don't see any specific data — the metrics are only collected in order to (A) ensure the platform is healthy and (B) provide the information to you.
If some crazy law was passed and we were required to log that network activity, the only logs would be from that point forward, and it'd probably take us a long time to even be able to technically implement something like that on such a large scale. The storage alone would be extremely expensive.
Also, knowing our executive team, we'd fight such legislation tooth and nail, as would pretty much every other provider.
Keep in mind that you have control over the logs on your droplet itself. If you're in legal trouble and we receive a subpoena for that data, we'd be legally obligated to provide it. If it's encrypted or if it doesn't exist, ¯\_(ツ)_/¯
https://www.digitalocean.com/legal/privacy/ and https://www.digitalocean.com/legal/enforcement/ have all the legalese, but are worth reading.
Uninstalling apps on macOS can be frustrating since Apple doesn't provide a standard means of doing so. I personally use AppCleaner and have for years.
[edit] Anyone care to explain why the downvotes? Genuinely interested, since my response is relevant to OP's question.
Protonmail is becoming the trendy and secure alternative to Gmail. At the moment they have a super secure e-mail service compatible with PGP and a great VPN service called ProtonVPN; however, they are also creating a whole world of services like calendar, agenda, and so on... Soon they will completely replace Google services.
I'm using it and I'm happy with it.
I was a solo consultant from 2005-2007 and supported my family of four during that time.
I suggest working to become recognized for your expertise before you go solo.
I prepared by blogging, writing many articles and two books, presenting at conferences, and teaching classes. Additionally I was a consultant for a security company for several years, which meant I had a lot of contacts who might hire me for work as an independent. When I was considering going solo, I emailed many of them to let them know I was considering an independent path.
I decided to make the leap when a prospect said they had months of work for me to do. I left my job, but that prospect was all talk! Fortunately I found plenty of other work to compensate.
I paid my bills by scheduling and teaching independent classes. Above that I consulted, which was "bonus" at that point.
I read this book back then. It's from 2000 but the overall message is still relevant:
https://www.amazon.com/Serf-Surfer-Becoming-Network-Consultant/dp/0782126618
Be sure you take care of the "infrastructure" issues early -- taxes, business bank accounts and credit cards, insurance if you need it, etc.
Finally, it's best to decide right away if you intend to be a solo consultant, or if you are starting a business that would employ others. The latter is more complicated, obviously.
It's extremely hard work and the pressure is enormous. Two years was plenty for me but I'm glad I did it. Good luck!
I wouldn't go with tunnelbear any more. Bought by McAfee, which has a history of, er, unreliability.
Private Internet Access or NordVPN are probably your best bets right now.
Also, install HTTPS Everywhere, and be sure you manage custom lists for sites it doesn't automatically work with.
This is about CORS - it’s also known as a “first party cookie” aka cross domain analytics - read how folks do it via segment.com @ https://segment.com/blog/introducing-cross-domain-analytics-unify-customer-profiles-across-your-brands/
To do it - you just pick ONE domain for the entire company and then append all domain cookies to that and add that domain to the cors xss headers to prevent cross site scripting while allowing the cookie to be appended to a 3rd party domain. It requires a dns tweak and a JavaScript tweak but it’s pretty standard enterprise architecture.
I build analytics stacks like this - Facebook just rolled out a 1st party cookie to help get around safari 3rd party blocking - read about that @ https://marketingland.com/facebook-to-release-first-party-pixel-for-ads-web-analytics-from-browsers-like-safari-249478
Google definitely has a cross domain cookie to stitch all domains to one central 1st party domain. This helps to track users across domains, ensures you don’t have audience splintering, and helps with a variety of Lifetime Value churn attribution models.
Fun thread :)
If you want a trustworthy VPN, use your own.
Any VPN service is privacy by policy and is an issue of trust. You do not gain privacy just because you use a VPN. Study after study has shown free VPNs, including some paid VPNs, log everything you do, even when claiming not to and sell that data onto third parties or whoever wants to buy it. A VPN is only ever as good as the company's privacy policy, but since VPNs are not regulated, nobody is holding VPN services to account for any breaches of any policy. If you need privacy, use Tor, don't rely on a VPN.
You'll see tons of redditors recommending VPNs like ProtonVPN. What nobody tells you is ProtonVPN is the sub tier of NordVPN, both services are run by the exact same company, using the exact same servers, so the quality between the two is more or less the same, even though one is free and the other is paid. Whether free or paid your data is still mined. Both are based in Lithuania, in the exact same office of the exact same building, and both VPN services are owned by Protonvpn LT UAB - also known as Tesonet UAB, although in their attempt to push a privacy agenda and hide their real identity, they advertise as being separate companies in Switzerland and Panama respectively. Tesonet UAB is a data mining company.
In short, if you want a good VPN, run your own. Do not rely on a third party VPN.
I wasn't aware of any password dumps from GameStop but it could have just been a quick paste and not publicized much. Have a look at https://haveibeenpwned.com - it aggregates all the high and low profile dumps it can get and will let you know if your creds have been leaked.
If things are posted online, publicly, and without a robots.txt (at some point, they can be protected later), google is going to crawl it. No matter how obscure the site is, if it is the only site where your email shows up in plain text it's going to be one of the first results.
The best thing you can do you've already done - changing all your shared passwords - but I hope you've changed all of them to something different. Having a bad password can let attackers compromise an account, but sharing passwords means attackers can get into every account, no matter how strong the password is.
It should be possible with multiple Wifi adapters/devices, but you'll need software that supports multipath TCP (or something like Speedify) to take advantage of this trick.
Even so, you obviously can't go faster than the overall bandwidth available, whether the limitation is imposed by a slow net connection or by a limit on all clients collectively.
I currently have this one
https://www.amazon.com/GL-iNet-GL-AR750-300Mbps-pre-Installed-Included/dp/B07712LKJM
There is a newer model out there that has WireGuard support that looks pretty nice and is only $70. I have been debating on upgrading, but I don't have a WireGuard server up.
If you are using it as a main OS, then I would recommend Parrot Linux over Kali.
Parrot doesn't run as root by default and I believe it to be more secure by default. It has all the same tools that Kali has.
Troy Hunt is very transparent about how he runs https://haveibeenpwned.com/; the methodology isn't time or resource intensive. Plus, he announces additions to his dataset, including the name under which the breach is traded.
He also offers a service to check all email addresses from a particular domain, but requires proof of control of the domain. Various types of proof of control are in this article: https://www.troyhunt.com/im-pwned-youre-pwned-were-all-pwned/
It wouldn't be hard for one of these companies to ask for a TXT record to be added to DNS then just use haveibeenpwned.
I'm not saying this is how everyone is doing it, but it would be the almost cost effective way that I can see.
https://www.virtualbox.org/manual/ch06.html
Scroll down to the section 6.2. Introduction to networking modes
>Internal networking
>This can be used to create a different kind of software-based network which is visible to selected virtual machines, but not to applications running on the host or to the outside world.
So if your vms have no business reaching out to the internet, then use internal for all your testing.
Just realize that only your kali linux box will be able to access the vulnerable machine.
The most likely scenario is that you have reused passwords, which have been made available in dumps from compromised websites you've used. Check out https://haveibeenpwned.com/, use a password manager like lastpass, and enable two-factor authentication when possible.
So.. A VPN in terms of the ones you see in Youtube ads is just someone else's computer which you use to access the internet instead of your internet service provider.
The choice comes down to this: Do you trust NordVPN etc. more than your local ISP?
In a public Wifi this is clear-cut: A VPN may be useful. But for your home connection it does not make any sense for the vast, vast majority of people. And that is assuming the VPN provider is actually trustworthy and not a scam-like bullshitting enterprise (I would classify all the VPN providers using advertising with misrepresented claims as such). If you really need a good VPN, I can recommend Cryptostorm.
> nothing to actually verify the end server is the real/authentic server for the site
Yes it does. If a fake server is trying to impersonate a legit website with a forged cert, your browser will warn you.
> There are plenty of commercial products out there that can forge/intercept certificates
This can only work if the enterprise imported its own CA in their corporate browser. On your own personal non-compromised browser, this can't happen. Your browser will warn you of the forged cert.
Now with the recent introduction of Certificate Transparency, https is technically known as impossible to forge. You can't prove us otherwise with a credible source. Because there are still not even academic research papers demonstrating how this could be done in practice. Technically, as far as we publicly know, it's not even technically feasible for big spy agencies like the NSA to forge https without getting caught right away by the security community before any damage is done.
> his whole "SSL all the things" trend is nothing more than another way to sell something
But it's free now! What are you talking about? Check out Let's Encrypt
> This HTTPS nonsense is an annoying "evolution" of the web
It's not annoying, it's an indispensable necessity. Browsing the web through http is dangerous. Not only for the eavesdropping, but also because the packets can be tampered with on the fly to inject malicious code in the page you are viewing, or malware in the binary files you downloaded, then infect your computer because you thought you were browsing a trustable website.
Everything should be https already. There is no legitimate reason not to. The only reason everything is not https already is because some people are still not aware of it, or dragging their feet and taking too long to https everything, or the "anti-vaxxers" of the web like you giving shitty advice based on misguided beliefs.
Private Internet Access seems to be the most popular "good" one; it's not as cheap as some of the competition, but the speeds, variety of connection methods, and apparent lack of tracking are all great.
Have a look at KeePass. It is open source so you can download all of the binaries and source code needed to compile the program. When I was beginning development/code it always helped when I could look at other code that has been properly vetted by tons of experts (and I'm still by no means an expert).
Keepass may be a starting point for your project too. Who knows?
Have any of you run VPN on their mobile 24/7? I have a NordVPN account, but only use it when I feel I need to. I might give it a shot, including the kill switch option, just to see if I notice any performance impact.
NO, you have not been hacked. The mail is a scam.
Ways to sort this out:
Stop using lame passwords. Hint: if you can find it on Troy Hunt's excellent HaveIbeenpwned website it's a lame password. If it's part of rockyou.txt it's a lame password. If it's less than 15 characters it's a lame password.
Stop reusing passwords
Enable multi-factor-authentication wherever possible. SMS is not a valid second factor.
Use a password manager
Stop believing crap you get via mail
Sorry to react this annoyed but you're probably the umpteenth person to ask this in the last weeks.
Maybe the mod team would be willing to sticky this or put it into the side bar?
ProfessorMesser.com has a good video course for free, and you can buy a PDF cram guide for a few bucks if you need it. When I took Sec+, I just did the video course and bought some practice tests.
Udemy.com also has some good courses for pretty cheap. I know they have a few on Kali, as well as for pentesting.
For basic routing/switching, it would probably be beneficial to try packet tracer or GNS3 to get some practice with the command line if you don't have access to physical equipment.
Also, I would recommend just playing with some tools on your own computer. You can make a kali boot drive and dual boot your computer or just use a VM, so you can play with some of the tools.
Howdy. The concept of defense in depth is that to prevent any sort of attack you need layers of defense to thwart different types and degrees of attacks. Keep in mind that nothing will secure you completely. ANY security measure you take is only making it harder for someone to spy, crack, infiltrate, etc.
VPN among other uses is preventing someone from reading your traffic in flight, say, at your ISP. You are correct the VPN does nothing for traffic once it leaves the VPN. That doesn't mean a VPN is pointless, in fact the VPN did its job and protected traffic on the tunnel.
If you have sensitive Email you need to look into end-to-end encryption with Email clients. Then an E-mail provider with transport layer security and encrypted storage. Of course even with that you still have weak points... for example you could have a keylogger on your system logging what you type when you are composing the E-mail on your system. That one weak point doesn't make the rest of the security pointless if those efforts are covering your primary threats.
The point is, determine where the threats are and if you need to address those threats then do what you can. Every bit helps. Think in degrees and stages of defense, not in a binary on/off way. Think CASTLE, with moat, outer wall, inner wall, guards patrolling, etc.
BTW Proton mail (https://protonmail.com/) is an interesting secure (more secure than many) Email provider. Research it and check it out.
Ummm... Tbh that sounds like you are paranoid, however if you are not a troll or mentally ill and someone is seriously targeting you the best thing you can do is change your phone number and carrier if possible. After that you need multiple Google Voice accounts or a similar service. Never give out your real number to anyone. Also get something like a YubiKey, if possible multiple ones. Also it may be worth taking your current devices to be analyzed by the police. After that dispose of everything and maybe even sell it once it has been wiped. Buy a cheap laptop and either run something like Qubes or Tails. Pay a company to install a professional business network in your house and encrypt all outbound traffic with a VPN. Also use different VPN services among your different devices. NordVPN, ExpressVPN, and VyprVPN are pretty good. Set up multi-factor authentication for your different accounts, and use different email addresses in addition to that.
I wouldn’t use anything other than Mullvad.
Usually review sites list VPNs in the order of the largest referral fee, and most of these VPNs likely keep logs, despite what they say.
Mullvad doesn’t do referrals (which is why they’re noticeably absent from virtually every review site), they don’t do promotions, they ask for zero personal info, and they will let you even pay any way you want. You literally get an account number and that’s it. Whatever you pay, however you pay, only goes to the account. It’s not associated with your personal info at all. They’re the only VPN that I even remotely trust.
Also you probably have a virus or malware installed that’s forcing you to Yahoo. Backup your important shit and do a clean install of your OS.
IMO, there is still a need. Every http site is still vulnerable to active man-in-the-middle attacks. Someone can inject JS and all kinds of nasty stuff. ISPs, hotels, airports, and more have been known to engage in shady practices like injecting ads into unencrypted sites that you visit (example). A lot of people just don't consider this to be part of their threat model. Some aren't aware of it, others just don't care.
Here’s where I can point you. The browser requests a connection to example.com. This will be done with a socket syscall utilizing AF_INET or AF_INET6.
The application will then switch from user mode to kernel mode to allow the kernel to call that socket function call. (See the Man page on socket, $man socket) https://man7.org/linux/man-pages/man2/socket.2.html
Once that socket is created the application will context switch back to user mode.
That socket is an abstraction for programs to communicate over the internet. Inside the kernel are different modules. These modules communicate to the Ethernet hardware. https://www.kernel.org/doc/html/latest/networking/device_drivers/ethernet/index.html
So browser <-> Linux ABI (socket) <-> kernel module <-> Ethernet card
There’s still lots of layers of abstraction here, like pci bus or usb bus.
That’s just to make a connection to the site without TLS. You still need to send HTTP across that socket and receive it back from the server.
Hope that gets you on your way.
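The path described above, as an added example that is not the commenter's code: Python's socket module is a thin wrapper over the same socket(2) call, so the user-to-kernel transition, the AF_INET/AF_INET6 choice, and the plaintext HTTP request written into the socket can all be shown. It deliberately stops short of DNS resolution and connect() so it runs offline; the 192.0.2.1 and 2001:db8::1 addresses are documentation ranges standing in for a resolved example.com.

```python
import socket


def address_family(ip_literal: str) -> socket.AddressFamily:
    """Pick AF_INET or AF_INET6 for an IP literal.

    A hostname such as example.com is not an address: the browser has to
    resolve it first (getaddrinfo) before it knows which family to request.
    """
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            socket.inet_pton(family, ip_literal)
            return family
        except OSError:
            continue
    raise ValueError(f"not an IP literal, resolve it first: {ip_literal!r}")


def open_tcp_socket(ip_literal: str) -> socket.socket:
    """socket.socket() is the user-mode wrapper around the socket(2) syscall.

    The call switches into the kernel, which allocates the socket object and
    hands a file descriptor back to user mode. No packet is sent yet.
    """
    return socket.socket(address_family(ip_literal), socket.SOCK_STREAM)


def build_http_get(host: str, path: str = "/") -> bytes:
    """The plaintext HTTP/1.1 request the browser would write into the socket.

    This is the no-TLS case the comment describes; CRLF line endings and the
    Host header are required by HTTP/1.1.
    """
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return request.encode("ascii")


if __name__ == "__main__":
    # Constructed addresses (RFC 5737 / RFC 3849), not real hosts.
    for ip in ("192.0.2.1", "2001:db8::1"):
        family = address_family(ip)
        print(f"{ip} -> {family.name}")
    with open_tcp_socket("192.0.2.1") as s:
        # The descriptor number is the kernel's handle for this socket.
        print("kernel returned fd", s.fileno(), "for", s.family.name)
    print(build_http_get("example.com").decode())
```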
The explanation doesn't make a lot of sense, because if you are using a Tor browser, your (client's) public IP isn't visible either. So even if somehow the captcha app had a bug that caused it to send packets via a real interface instead of via Tor, it wouldn't know the IP of the FBI machines to send the packets to.
I think the more likely explanation is the one toward the bottom of the article; that some error caused the server to put up a 404 or 403 error page or similar, which included the site's real IP address (like this).
Check out the OWASP Mobile Security Testing Guide and the Mobile Application Hacker's Handbook.
I found this helpful for some hunting use cases.
Also a great overall SOC design document. It teaches how to create fully realized use cases and not just dump data to a SIEM expecting magic to happen :)
Shodan randomly crawls the Internet 24/7; i.e. it doesn't do sweeps and it doesn't do a full scan 1 IP at a time. It generates a random IP, a random port and then checks that combination. Has Shodan found anything open recently after you closed the ports? You can run the following command to get a breakdown of when the banners were collected in Shodan:
shodan host --history <IP>
Here's a short video on how to do it:
And keep in mind that it takes a few weeks for a result to expire in the results to ensure it wasn't just a temporarily closed port (or bad connection issues which can happen a lot for ICS). You can also submit a scan request to Shodan using the CLI if you want Shodan to immediately crawl your IP and check the ports (this will do a full scan):
shodan scan submit <IP or netblock>
Here's a video on how to do it:
We can also look at the specifics if you email with more information.
Nah, just kidding. I use [enterprise-grade](/r/ubiquiti) router/firewall, switch, and AP, configured with decently strong security (for a [simple flat LAN](/r/homenetworking), anyway, I don't segment the network yet). I have my own [DNS filter](/r/pihole), which feeds to my router for any local hostname resolution before being sent upstream to Quad9 instead of my ISP's DNS.
I also segment my /24 so that all my devices are set on assigned IP addresses with logical groupings (these devices are in this range, those in that range, etc), leaving only a small DHCP pool for new clients (new devices yet to be assigned, or guests). I also have alerts on my AP so that I am aware of new devices connected, in case someone finds a way on to my network.
I use multiple browser for different purposes and threat models, and apply [HTTPS Everywhere](/r/eff/) and NoScript on them. One of the browsers has a VPN which I enable for some things but may or may not enable in other cases.
I also have a small server with some VMs, each with different purposes. Some are kept offline, some are online, but connected to the ISP only through a VPN. Others are LAN-only.
I keep all systems that touch the Internet up-to-date with the latest patches. Local devices I often run in custom configurations, such as modified firmware.
I use strong passwords and 2FA on all critical systems. And my 2FA does not rely on anything vulnerable to SIM-jacking.
It's Lenovo, it's deliberate... they really don't care :/
http://www.makeuseof.com/tag/now-three-pre-installed-malwares-lenovo-laptops/
Don't buy Lenovo, kids, they even compromise your BIOS:
https://www.theregister.co.uk/2015/08/12/lenovo_firmware_nasty/
If you believe your computer is compromised, then it may already be too late. Antiviruses are notoriously bad and will not detect well written malware. I recommend you shut off your computer, boot Linux off a flash drive or CD (recover only important files, as some might be modified by the malware), wipe your hard drive (search up DBAN), and re-image it with a new OS. If the malware has infected your BIOS or ROM, it is basically over (just burn the computer), and get a Chromebook.
If you believe just your accounts have been compromised, then check https://haveibeenpwned.com/ . My intuition tells me that your accounts have been in some well known dump, and they were able to laterally compromise your Twitter through your email. Change all your passwords to separate passwords, and turn on multi-factor authentication for all your prized accounts (email is the most valuable, because it can reset other accounts).
No holes, just design insufficiencies given the current state of cryptanalytical tools.
Also, you can mount BitLocker drives under Linux:
http://superuser.com/questions/376533/how-to-access-a-bitlocker-encrypted-drive-in-linux
Self-signed certs in general provide no security. If your client blindly accepts a self-signed cert, an attacker can trivially MITM the traffic [1] and record/alter any packets in either direction. It's no better than HTTP.
You /can/ securely use your own certs if you control the trusted certificate store on the client. That's generally not the case though.
Look into StartSSL and Let's Encrypt for no-cost certificates.
WiFi Analyzer is useful for detecting WiFi signals if you have an Android device handy. What you mean by "covert WIFI signals" is a whole other question.
> Is it my 12 lettered password, a combo of small and capital letters and a couple of numbers?
Maybe. Did you use it on a different site? Check out https://haveibeenpwned.com
>Also, is it more secure to use RiseUp e-mail, or perhaps ProtonMail? etc. My current password is a much more robust combo, but from my experience, no one brute-forces anymore...
No. Use Gmail. It's worth investing $20 for a YubiKey. Google's documentation on setting them up is confusing. Here's a short guide. https://techsolidarity.org/resources/security_key_gmail.htm
If you navigate back to resources at the top of the page there are guides on setting up your Yubikey with twitter and Facebook as well.
>Just for the sensitive stuff, like banking and money
What banking are you doing over email? I trust iMessage/signal/whatsapp/snail mail with banking info/tax documents. I wouldn't send it over email. Email will never be secure.
There are numerous security issues dating back to your version of Drupal, including the dreaded "Drupalgeddon" vulnerability. Drupalgeddon was so bad that the Drupal security team said that unless you patched it within 5 hours, your site was probably compromised.
My advice would be to assume the website has already been compromised, and to start fresh in a new hosting location. Anything else, and you will never be sure that your site's integrity is whole.
That said, going forward, my advice is to only use stable-release modules (no betas, alphas, dev releases, etc), and to patch everything as frequently as possible. Drupal Security Team issues patches every Wednesday, so you should be able to plan for them and update as needed.
Edit: I'm not a Drupal developer, I am a security analyst who works at a location with numerous Drupal websites under our purview. It's my job to make sure our Drupal installations are secure.
You could check and see how they're sending the data.
Download the community edition of this tool, which is used, among other things, to inspect web traffic between the browser and server: https://portswigger.net/burp/communitydownload
There's a little set up you would have to do. Navigate to your bank's page normally, then go to Burp and turn intercept off so traffic can flow freely. Configure your browser's proxy settings to use Burp and install the Burp certificate in your browser (Burp provides instructions for both of these). Then, just log in to the site, and you should be able to see how the login information is sent.
Because salting.
Check this link for how a tool like you want would be created http://shiflett.org/blog/2012/jun/leakedin
Now this tool works because LinkedIn's passwords were hashed but not salted, which compounds the decryption process. I think reading the following link would help your understanding of the process - but in short, from my understanding, a password used on two different sites which should be employing separate/different salts will have two different resulting hashes, which would make what you're looking for infeasible.
http://www.codeproject.com/Articles/704865/Salted-Password-Hashing-Doing-it-Right
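The difference the two comments above describe, as an added example (not code from the thread or from the linked articles): two constructed site dumps and a tiny wordlist show that unsalted SHA-1 lets hashes be matched across sites and cracked with one precomputed table, while per-user salts break hash-to-hash matching and force the wordlist to be rehashed for every account. SHA-1 is kept only to mirror the LinkedIn case; a real system should use a slow salted KDF (PBKDF2, bcrypt, scrypt).

```python
import hashlib
import os

# Constructed sample data: two fictional sites, one shared user password.
SITE_A = {"alice": "Summer2012!", "bob": "Tr0ub4dor&3"}
SITE_B = {"alice@siteb": "Summer2012!", "carol": "hunter2"}
WORDLIST = ["password", "hunter2", "Summer2012!", "letmein"]


def hash_password(password: str, salt: bytes = b"") -> str:
    """SHA-1 over salt || password. An empty salt reproduces the unsalted LinkedIn scheme."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def build_dump(users: dict, salted: bool) -> dict:
    """Simulate a leaked credential table: user -> (salt, hash).

    Salts are random per user and stored beside the hash; they are not secret,
    their job is only to make equal passwords hash differently.
    """
    dump = {}
    for user, password in users.items():
        salt = os.urandom(16) if salted else b""
        dump[user] = (salt, hash_password(password, salt))
    return dump


def cross_site_matches(dump_a: dict, dump_b: dict) -> list:
    """Account pairs whose stored hashes are identical (the LeakedIn-style comparison)."""
    by_hash = {}
    for user, (_salt, digest) in dump_a.items():
        by_hash.setdefault(digest, []).append(user)
    return [(ua, ub) for ub, (_salt, digest) in dump_b.items()
            for ua in by_hash.get(digest, [])]


def crack_with_table(dump: dict, wordlist: list) -> tuple:
    """Unsalted case: hash the wordlist once, then look every account up in the table.

    Returns (recovered passwords, number of hash operations) = at most len(wordlist) ops.
    """
    table = {hash_password(word): word for word in wordlist}
    recovered = {user: table[digest] for user, (_salt, digest) in dump.items()
                 if digest in table}
    return recovered, len(wordlist)


def crack_per_account(dump: dict, wordlist: list) -> tuple:
    """Salted case: no table can be reused, so each account costs a full wordlist pass.

    Returns (recovered passwords, number of hash operations) = len(dump) * len(wordlist).
    """
    recovered, ops = {}, 0
    for user, (salt, digest) in dump.items():
        for word in wordlist:
            ops += 1
            if hash_password(word, salt) == digest:
                recovered[user] = word
    return recovered, ops


if __name__ == "__main__":
    plain_a, plain_b = build_dump(SITE_A, salted=False), build_dump(SITE_B, salted=False)
    salt_a, salt_b = build_dump(SITE_A, salted=True), build_dump(SITE_B, salted=True)
    print("unsalted cross-site matches:", cross_site_matches(plain_a, plain_b))
    print("salted cross-site matches:  ", cross_site_matches(salt_a, salt_b))
    print("table attack on unsalted:   ", crack_with_table(plain_b, WORDLIST))
    print("table attack on salted:     ", crack_with_table(salt_b, WORDLIST))
    print("per-account attack, salted: ", crack_per_account(salt_b, WORDLIST))
```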
For a free VPN + mail option, check out ProtonMail and ProtonVPN; I've used both with no issues for 3 months so far. Their mail servers are in Switzerland, which means that all your mail is protected by Swiss privacy laws. Their VPN has a bunch of different hosts, some with Tor, and their free tier comes with American, Dutch, and Japanese servers. Good UI, and I trust the developer team. Also, your best bet as a daily driver would be Tails like someone mentioned in this thread already or Qubes OS. Before you do anything though, make sure to read into them and get a general understanding of what's happening under the hood and how trustworthy the tools are. ProtonVPN for instance is a relatively new tool, so it's not as time-tested as Tails. Do your research! Good luck, my comrade :)
VPNs obfuscate the traffic inside of them. Instead of seeing the traffic going to Netflix and Google and Facebook, etc, they see a connection elsewhere, then a lot of garbage. It's like a wrapper around anything you do inside of it. So yeah, it's still applicable even inside a VM, as that traffic is effectively encrypted and looks like nonsense from the outside. Do be on the lookout for DNS Leaks.
Meaning I can chill memory chips way down using a can of compressed air, pull them out of the box, and then read the entire state of the computer.
It's been demonstrated as feasible: http://www.zdnet.com/blog/security/cryogenically-frozen-ram-bypasses-all-disk-encryption-methods/900
All your full-disk encryption, ssl, etc... so long as it was in memory at the time, I can get it all.
If something has firewire, then that has live direct access to memory. Bam, DMA attack: http://en.wikipedia.org/wiki/DMA_attack
Call someone: 1-800-662-HELP (4357)
It looks like you are experiencing the onset of schizophrenia does anyone in your family history have that?
https://www.webmd.com/schizophrenia/guide/schizophrenia-paranoia#1
The stock config of the windows firewall is designed to allow all outbound. It can be turned up to give the per-app granular control, just very few people realize it and assume it sucks. The interface isn't the greatest, but it is surprisingly powerful and can be scripted through the command line / powershell.
http://www.howtogeek.com/112564/how-to-create-advanced-firewall-rules-in-the-windows-firewall/
From what I see, HTTPS-Everywhere rulesets just list which sites have https so they can redirect you correctly. If there is no https version of the website, you obviously won't be able to access the website securely, but most widely used websites have HTTPS enabled, or already redirect their normal website to HTTPS.
As far as I know HTTPS Everywhere has absolutely nothing to do with encryption and everything to do with redirecting to more secure versions of websites.
I previously used Lynis to do a complete Linux audit. It works pretty well.
After the scan, the result is stored in /var/log/lynis.log. You can get the warnings with grep Warning /var/log/lynis.log or the remediation suggestions with grep Suggestion /var/log/lynis.log. It's quite easy to use.
Endpoint Protection: Cylance (most home versions of AV blow ass)
VPN: AirVPN - no exceptions.
Browser Extensions: Origin
Network Enhancements: PiHole
Backups: Synology with CloudShare
Encryption: Bitlocker
Make sure, whatever the choice, that it's a "no log" VPN. CyberGhost is, and is actually quite fast. I have no complaints. Also, when using it, I get no DNS leakage. So, that's a plus too! You can test it at .
WPA or WPA2?
Make sure WPS is off.
Also, you gained nothing hiding the SSID. http://www.howtogeek.com/howto/28653/debunking-myths-is-hiding-your-wireless-ssid-really-more-secure/?PageSpeed=noscript
On iOS:
The last note isn't part of the security of the operating system, but does make a large difference for average users.
On Android:
Android can absolutely be secure, if you're careful with your unix permissions, make sure all of your IPC is bug-free, and have a phone that receives immediate security patches from Google. But what's more secure out of the box? iOS hands down.
Why do you want a password complexity metric? Are you running a site and want your users to pick good passwords? I'll assume that's the case.
Step 1: Pick a good minimum length (definitely not less than 12. Maybe 16. Maybe even 20.).
Step 2: Check passwords against HIBP. Reject the password if it's on the list.
Step 3 (optional): Give positive feedback for better passwords. You can either do this based on length. Or you can do it based on complexity using a library like zxcvbn.
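Steps 1 and 2 above as a registration-time check, added here as an example (not the commenter's code). It uses the HIBP Pwned Passwords range API, which takes only the first five hex characters of the password's SHA-1 and returns "suffix:count" lines, so the password itself never leaves your server; the offline fetcher and its breached set are constructed for the demonstration, and live_fetch_range is the network version. Step 3 (feedback) is left out.

```python
import hashlib
from typing import Callable, Iterable, Tuple

RangeFetcher = Callable[[str], Iterable[str]]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form HIBP uses for Pwned Passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def pwned_count(password: str, fetch_range: RangeFetcher) -> int:
    """k-anonymity lookup: send the 5-char prefix, match the 35-char suffix locally.

    Returns the breach count HIBP reports, or 0 if the password is not listed.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix):
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


def validate_password(password: str, fetch_range: RangeFetcher,
                      min_length: int = 12) -> Tuple[bool, str]:
    """Step 1: minimum length. Step 2: reject anything HIBP has seen, however complex."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    count = pwned_count(password, fetch_range)
    if count:
        return False, f"seen {count} times in known breaches"
    return True, "ok"


# Constructed breached set (passwords and counts are made up) backing an offline
# simulation of the range API, so the check can be exercised without network access.
FAKE_BREACHED = {
    "Password123456": 4215,
    "Summer2012!Summer": 17,
    "correct horse battery staple": 3,
}


def fake_fetch_range(prefix: str) -> list:
    """Behaves like the API: every suffix whose SHA-1 starts with `prefix`."""
    return [f"{sha1_hex(p)[5:]}:{n}" for p, n in FAKE_BREACHED.items()
            if sha1_hex(p)[:5] == prefix]


def live_fetch_range(prefix: str) -> list:
    """Real lookup against api.pwnedpasswords.com (needs network access)."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "password-policy-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8").splitlines()


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor", "Password123456", "marble-lighthouse-92-quiet"):
        print(f"{candidate!r}: {validate_password(candidate, fake_fetch_range)}")
```

Swap fake_fetch_range for live_fetch_range to check against the real dataset; a long, complex password such as "correct horse battery staple" is rejected as soon as it appears in a breach, which is the point of step 2.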
Ability to create scripts(bash and Python) and being very comfortable on the Linux command line will matter a lot, don't underestimate it.
Hit up vulnhub and start working on being able to break those VMs before you put down money for lab access. OS just released a free training program for learning to use Kali (https://www.kali.org/news/introducing-kali-linux-certified-professional/); the cost of its certification is a lot cheaper than the OSCP. Starting off by going after the OSCP would likely be an expensive (but very educational) experience.
Once you can comfortably attack the vulnhub VMs with Kali somewhat successfully, then you should be safe to buy the OSCP lab access/attempt. I would recommend getting the 60 day lab pass, as 30 days is likely not going to be enough unless you can devote yourself to it full time every day. I first bought the 30 day pass then got another 60, for reference.
The other thing that is glossed over a lot when talking about the OSCP is writing ability and note-taking discipline. My final write-up was nearing triple digits (lab and exam combined); a well-organized and clean write-up can be the point difference to get you into the pass range.
You can set your API keys as environment variables on your server. The way you'd go about doing this varies based on your production environment. For example, if you're working off of a kubernetes cluster then you could define a secrets file, then expose your secrets in your environment: https://kubernetes.io/docs/concepts/configuration/secret/
Run a brute force/dict attack using a password database. http://nmap.org/nsedoc/scripts/telnet-brute.html You could also install nessus and run it to see if the surveillance system is vulnerable to any known exploits. Then install Metasploit, read up on the exploits and how to execute them. Obtain root escalation and change telnet password
The only purpose of the salt here is to prevent pre-computation; the time to crack any given password remains the same.
Assuming a brute-force approach, this keyspace table suggests 357942375000 possibilities for a len=6, 1/0/0/0 (single number required).
Hashcat benchmarks suggest something around 2-3GHash/s for SHA1.
If I haven't flubbed the numbers (it's late), that puts something like 120 seconds to bruteforce an entry at the low end.
Smarter dictionary/template-driven approaches could well be faster.
There is still a validation procedure in place. If you try to get a cert for goggle.com, you will be denied. If you can't show proof that you own the DNS name you want a cert for, you should be denied.
The fine print
https://letsencrypt.org/documents/ISRG-CP-September-9-2015.pdf
Lastpass or 1Password are popular options for encrypted, multiplatform password managers.
Just don't forget your master password, and use their password generator to create unique passwords for every site.
So much easier than the 'brain list of mutilated password combinations' that I relied on for years :)
If the owner decides to take action, you'll be found guilty regardless of what you claim your intentions are. The sqlmap website states that
> Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws
Search around this sub-reddit; most of the advice given includes using pentest tools against webapps (in a VM/localhost env).
Lastly, I have no idea how many other websites have you tried pentest tools on but... stop doing this.
https://www.elastic.co/webinars/introduction-elk-stack
There are talks of integrating it with Sguil; ignore Splunk/OSSIM unless you are huge/want to burn money.
Watch a few videos on people dumping all their logs/pcaps/etc into ELSA, normalizing with Logstash and building custom views with Kibana.
One more thing to throw in the pot here. Has your team considered an upgrade path for Django 1.7? I'm assuming since you are on Django 1.7, you probably have a good number of other outdated libraries.
The reason I ask is that Django 1.7 reached end of life 2 years ago, which means it isn't getting security fixes. Even Django 1.8 LTS is reaching end of life in 6ish months https://www.djangoproject.com/download/#supported-versions
It is a bit of a pain in the ass. I personally did the 1.8 and 1.10 upgrades for a ~150-200k line Django codebase, both took me somewhere between 1-2 weeks if I remember correctly. I didn't do 1.9 so I can't speak to that, but 1.11 was trivial. However, keeping up to date with their security releases will help.
Thunderbird has nothing to do with Google, so if that's his only reason he doesn't know what he's talking about. That said, it's more likely that Outlook would still be required for IT reasons unless you are a very small company. gpg4win includes an Outlook plugin, but I have never tried it.
Who knows. If you don't pay, you're the product, not the customer. Servers cost, and they are probably logging everything you're doing online and selling your data. I suggest you buy a VPN, especially a service that is not in a 14 Eyes country and that has a good privacy policy. Good examples are NordVPN or ProtonVPN, but there are many others out there.
I also use ProtonMail and NordVPN. They provide pretty secure services. I also use PrivacyBadger, and also never use public Wi-Fi. Of course, a VPN should secure you when you're on public Wi-Fi, but still, extra security will never do harm.
It isn't as straightforward as it should be, but all recent versions of Windows include PowerShell, and it is pretty easy to compute a sha1/md5/sha256/etc hash with PowerShell.
Download 'tails-i386-1.7.iso' https://tails.boum.org/download/index.en.html.
    cd "the download directory"
    $filename = 'tails-i386-1.7.iso'
    $hashprovider = New-Object -TypeName System.Security.Cryptography.SHA256CryptoServiceProvider
    # For MD5 instead: $hashprovider = New-Object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider
    # Resolve the file against PowerShell's current location: .NET's ReadAllBytes uses the process
    # working directory, which is not changed by cd and can point somewhere else entirely.
    $bytes = [System.IO.File]::ReadAllBytes((Join-Path $PWD $filename))
    # BitConverter::ToString returns "37-2B-A4-..."; strip the dashes so it compares to a plain hex
    # string (-eq ignores case, so upper/lower hex does not matter).
    $hash = [System.BitConverter]::ToString($hashprovider.ComputeHash($bytes)).Replace('-', '')
    If ($hash -eq '372ba423c46ce76393f5e8cd64136e5e9c4a806def993951fe8dbf7d93be2546') { "Valid sha256 hash" }
Of course if you are really paranoid, you won't depend on a hash, instead you will use GPG. But if you don't already have that, can you trust that you download the latest GPG?
> if the NSA ever controls a significant portion of the TOR network nodes (50.0001%?), then the network is less secure and becomes useless
And that's why everyone should consider hosting a Tor node.
Not quite. If you enable 2FA you can disable offline login, which makes the local copy not decryptable using your master password. Also, on Windows the local cache is additionally protected from offline attacks (see here: https://lastpass.com/support.php?cmd=showfaq&id=425 )
Have you tried following the instructions on the Snort website? https://www.upcloud.com/support/installing-snort-on-ubuntu/
Metasploitable uses an Ubuntu distro, so the instructions on their site should be exactly what you need.
I had no idea these things were in demand. I work in hosting and see all types of shell (including c99, etc) uploaded on a regular basis.
They just get nuked normally. No guarantees they are not backdoored of course. I literally just did a grep across my quarantine folders for c99shell and pasted it as-is. I take no responsibility if you get yourself pwn'd, etc.
http://0bin.net/paste/-BXOykoFkwAyz37q#dY9ktg5bK5v7W5fyf3hB0rSuedAG8qdwT2FzAs55wBt
That being said, stick it on a VM in a private network and you should be grand. After all, someone else was using this one to compromise sites.
Since nobody else seems to be responding...
Your concerns are valid, however, I haven't found a reason to distrust KeePass yet, and it is still the best solution (IMO) out there.
1) Yes, some packages are coming bundled, specifically those that use the "Sourceforge installer" or some such. I don't believe keepass makes use of this, and I haven't seen any signs of adware. If this is still a concern, use the portable version or use the direct download link. More info about bundled adware http://www.ghacks.net/2013/07/17/sourceforges-new-installer-bundles-program-downloads-with-adware/
2) I haven't looked into the certificate, but my guess is it's simply a self signed cert. In other words, the only problem with it is that it isn't signed by a certificate authority that is automatically trusted by your computer. Possible reasons for this? KeePass doesn't want to spend $50-ish to purchase a cert, especially considering they aren't making money off their product.
If this is true then it doesn't mean their cert is any less secure. Your connection is still encrypted. It just isn't natively trusted.
I don't generally read books as I learn more from watching/doing but I would look at https://www.cybrary.it/ - I've recently found out about it and I keep returning to watch more. It is really great for all sorts of certification.
What makes you think they haven't already gotten your MAC address from the logs?
Unless you've been running something like Mac Changer for the last 6 months or so just give it to them, unless you are going to keep your system to the changed address you provide.
Going a step further, your corporate network should not have personal systems on the same network, and each should be using a different external IP to assist in this and other issues.
If I was facing this, I would change my external IP for my corporate network to a new IP in my /28.
Absolutely. Use whatever interface monitoring tool you want (tcpdump, wireshark, etc...).
from scapy.all import rdpcap  # scapy's pcap reader
pckt_array = rdpcap("/path/to/fragment_scan.pcap")
Then you can roll through the array objects (each packet) with pckt_array[0], pckt_array[1], etc...
--You can cut down a lot of manual searching by using a good capture filter--
... You can also manipulate and then forward on packets in-script using the lfilter value passed to the sniff function.
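For readers without scapy installed, here is the same idea done with the standard library: an added example (not the poster's code) that walks a classic libpcap file record by record, decodes the Ethernet and IPv4 headers, and applies the "capture filter" in code by keeping only IPv4 fragments (more-fragments flag set or a non-zero fragment offset). The capture it parses is constructed inline; it is not from any real scan, and `build_sample_pcap` exists only to produce it.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional

ETHERTYPE_IPV4 = 0x0800
IP_FLAG_MF = 0x2000      # "more fragments" bit in the flags/fragment-offset field
IP_OFFSET_MASK = 0x1FFF


@dataclass
class IPv4Info:
    index: int
    src: str
    dst: str
    proto: int
    ident: int
    more_fragments: bool
    frag_offset: int      # in 8-byte units, as carried on the wire
    payload_len: int


def read_pcap(data: bytes) -> Iterator[bytes]:
    """Yield the captured bytes of every record in a classic (libpcap, not pcapng) file."""
    (magic,) = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # the swapped magic means a big-endian writer
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    if linktype != 1:
        raise ValueError("example only handles LINKTYPE_ETHERNET")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        yield data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len


def parse_ipv4(index: int, frame: bytes) -> Optional[IPv4Info]:
    """Decode Ethernet + IPv4 headers; return None for non-IPv4 frames."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack_from("!HHH", ip, 2)
    return IPv4Info(index=index, src=socket.inet_ntoa(ip[12:16]), dst=socket.inet_ntoa(ip[16:20]),
                    proto=ip[9], ident=ident, more_fragments=bool(flags_frag & IP_FLAG_MF),
                    frag_offset=flags_frag & IP_OFFSET_MASK, payload_len=total_len - ihl)


def find_fragments(data: bytes) -> List[IPv4Info]:
    """The 'capture filter' step done in code: keep only IPv4 packets that are fragments."""
    out = []
    for i, frame in enumerate(read_pcap(data)):
        info = parse_ipv4(i, frame)
        if info and (info.more_fragments or info.frag_offset > 0):
            out.append(info)
    return out


# --- constructed sample capture (not from any real scan) ---------------------------
def _frame(src, dst, proto, ident, mf, offset, payload):
    flags_frag = (IP_FLAG_MF if mf else 0) | (offset & IP_OFFSET_MASK)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    eth_hdr = bytes.fromhex("020000000001020000000002") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + payload


def build_sample_pcap() -> bytes:
    frames = [
        _frame("10.0.0.5", "10.0.0.9", 1, 0x0001, False, 0, b"\x08\x00" + b"\x00" * 30),  # plain ICMP
        _frame("10.0.0.5", "10.0.0.9", 6, 0x1234, True, 0, b"\x00" * 24),     # first fragment (MF set)
        _frame("10.0.0.5", "10.0.0.9", 6, 0x1234, False, 185, b"\x00" * 16),  # last fragment, offset 1480 B
        _frame("10.0.0.9", "10.0.0.5", 17, 0x0002, False, 0, b"\x00" * 12),   # plain UDP
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 1_700_000_000, i, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


if __name__ == "__main__":
    for frag in find_fragments(build_sample_pcap()):
        print(frag)
```

Grouping the results by `(src, dst, ident, proto)` gives you each original datagram's fragment train, which is what you want to eyeball when checking how a scanner split its probes.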
It will respond with a RST packet. I was pretty sure this was the case but could not find a source, but then I remembered nmap's idle scan.
"A machine that receives an unsolicited SYN/ACK packet will respond with a RST. An unsolicited RST will be ignored."
Source:
I understand your situation, but I do find it hard to believe you searched for half an hour. The answer is available on Kali's website, specifically http://docs.kali.org/installation/troubleshooting-wireless-driver-issues. I found this by searching for "kali wireless".
Section 1.0 point #5: Unless your card is USB, it will not be usable (VMWare/VirtualBox/QEMU will virtualize EVERY PCI device).
If you continue your search you will find that it is possible to use the host as a gateway to your wireless NIC in a virtual environment. Concerning your second question, simulating a wireless network is as simple as setting up multiple machines using a wireless interface.
Short answer, you can't know who's operating it. Access points can present certificates to authenticate themselves. You'd need to know that the certs are legitimate and valid in order to verify the AP as legitimate or 'authentic'. At any rate, unencrypted Wi-Fi is easily intercepted whether or not the AP is operated by a legitimate vendor or a hacker. VPN is your friend here.
As for shutting it down, you can send DEAUTH to all clients, thus effectively shutting the AP down. It will only work for as long as you are actively sending the frames.
After a lot of struggle I was able to get the Hamachi VPN ARM linux build to work on some of my older stuff.
It was not very straightforward; I copied a number of libs from another system to get it to work, but after adding dropbear to it, I was able to ssh into the phone from anywhere.
You should look into 1Password for Families. Their new 1Password X client runs in Chrome on Linux and Chrome OS.
Keepass supports 2FA. Your Master Password to your key db can consist of multiple (optional) components.
From the Keepass Docs:
> Your KeePass database file is encrypted using a master key. This master key can consist of multiple components: a master password, a key file and/or a key. For opening a database file, all components of the master key are required.
So you can carry with you a key file, and remember a master password -- you will need both to unlock the database. If you like, you can store the key file on a USB stick and carry that around on your physical person.
If someone gets hold of your key file but doesn't know your master password, they still won't have access.
If someone figures out your master password but doesn't have the key file, they still won't have access.
Also check out KeepassXC, a fork of Keepass with some nice features.
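To make the "all components are required" property concrete, here is an added example (not KeePass code, and not from the poster) that models a composite master key in Python: each present component is hashed, the hashes are concatenated in a fixed order and hashed again, and the result is stretched with PBKDF2 before it protects the database. Assumptions: the real KeePass key transform (AES-KDF or Argon2) and database format are not reproduced, and since the standard library has no AES, a SHA-256 counter-mode keystream plus an HMAC tag stands in for the authenticated cipher. `DEMO_PASSWORD` and `DEMO_KEY_FILE` are constructed values.

```python
import hashlib
import hmac
import os
from typing import Optional

KDF_ROUNDS = 200_000  # constructed setting; real KeePass uses AES-KDF or Argon2 transforms


def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """Combine whichever components are present (password first, then key file).
    Assumption: a simplified model of KeePass's composite key, not its exact byte layout."""
    parts = []
    if password is not None:
        parts.append(hashlib.sha256(password.encode("utf-8")).digest())
    if key_file is not None:
        parts.append(hashlib.sha256(key_file).digest())
    if not parts:
        raise ValueError("at least one master key component is required")
    return hashlib.sha256(b"".join(parts)).digest()


def derive_db_key(composite: bytes, salt: bytes) -> bytes:
    """Stretch the composite key so that guessing one component stays expensive."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, KDF_ROUNDS)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stand-in for AES (not in the stdlib): SHA-256 counter-mode keystream XORed in."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def lock_database(plaintext: bytes, password: Optional[str], key_file: Optional[bytes]) -> dict:
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_db_key(composite_key(password, key_file), salt)
    ciphertext = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, "sha256").digest()  # lets unlock detect a wrong key
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def unlock_database(db: dict, password: Optional[str], key_file: Optional[bytes]) -> Optional[bytes]:
    """Return the plaintext, or None when any component is missing or wrong."""
    try:
        key = derive_db_key(composite_key(password, key_file), db["salt"])
    except ValueError:
        return None
    expected = hmac.new(key, db["nonce"] + db["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, db["tag"]):
        return None
    return _keystream_xor(key, db["nonce"], db["ciphertext"])


# constructed demo values
DEMO_KEY_FILE = os.urandom(64)   # what you would carry on the USB stick
DEMO_PASSWORD = "a long passphrase only you remember"

if __name__ == "__main__":
    db = lock_database(b"site: example.com / user: alice", DEMO_PASSWORD, DEMO_KEY_FILE)
    print("both components:", unlock_database(db, DEMO_PASSWORD, DEMO_KEY_FILE))
    print("password only:  ", unlock_database(db, DEMO_PASSWORD, None))
    print("key file only:  ", unlock_database(db, None, DEMO_KEY_FILE))
```

The practical consequence is the one the post describes: a stolen key file alone leaves the attacker with a full password search, and a phished password alone leaves them needing 64 random bytes they do not have. It also shows the trade-off: lose the USB stick and the database is gone with it, so keep a backup of the key file somewhere as well protected as the database.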
You can interactively view requests, and create replacement filters on them. You can also pass all options by cli arguments.
It has a kinda funky UI, but you get used to it pretty quick.
Recently did a test where it was much more difficult to reverse engineer the app since it used compiled libraries instead of just Java. I believe they used Xamarin. It doesn't prevent reverse engineering but it makes it more difficult which is the best to hope for
Edit: phone autocorrect fail
A Virtual Private Network service is basically a way to tunnel data from one point of the network to another, using encapsulation and possibly encryption.
You may tunnel almost any protocol within levels 2 to 5 of the OSI model using any encapsulation.
Many encapsulations exist and a lot are considered "standards". Few of them integrate encryption; it's more often a separate layer on the tunnel's endpoints (generally a piece of software that creates a virtual network interface).
For instance, OpenVPN uses its own protocol to encapsulate Ethernet or IP and IPv6 traffic (working in either level 2 or 3 mode) and encrypts data using an SSL library if asked to. SSL-based VPN software is generally not interoperable because the encapsulation method is not standard.
Other encapsulations, like L2TP, MPLS, GRE and so on, are mostly used as standards in access network design. L2TP is generally used to collect traffic from DSLAMs to the ISP's routers, GRE is often used to establish a direct channel between two distant routers, and MPLS is used for, well, almost everything more complex, including L2VPNs and L3VPNs that ain't designed to provide encryption. You'd have to add another encapsulation layer (usually GRE) with added encryption (generally IPsec) to encrypt MPLS traffic.
So Zenmate IS a VPN if it does what it states: encapsulate and encipher data to route it across their network.
The question is: who would be stupid enough to use that? I mean, they provide a free service using costly network resources and aim at channelling all your web traffic through their software. Doesn't it sound a little too familiar?
I think Signal does most of what you want. I'm not sure about video chatting, I've never tried that, but as long as both of you have the app installed texts/pictures should be encrypted. For the non-tech savvy, it works just like any other messenger, including sending texts to people who don't use the app (although those won't be encrypted).
As for Linux/Windows, they have a Chrome app that's currently in open beta. You can request admittance and try it out. Since it's a Chrome app, it should run on any OS that can run Chrome (Linux/Mac/Windows).
It won't "cut it down a lot" - he will still get the same number of attempts. Your advice is still good, however.
Set up PKI and disable passwords entirely.
Don't know about Firefox, but Chrome does have a per-user install which can be installed directly to the user's AppData, therefore not needing admin rights.
http://superuser.com/questions/592015/where-is-chrome-exe-in-windows-8
Personally I think online password generation feels really weird, but in the age of lastpass and co. that might just be old-fashioned me.
After skimming the source code, it looks like the password generation happens in JavaScript, that means in your browser. So it can be assumed that the generated password is not sent elsewhere. If that is actually the case, then I believe it is okay to use.
As an alternative, Lastpass also offers a password generation site: https://lastpass.com/generatepassword.php
Generating secure passwords is a good idea, of course, but think about how you are going to store them. If your reply to this is Keepass, then just use the built-in password generator.
The VPN is useful for hiding your browsing from your ISP. I also have a Masters in Cybersecurity and I don’t know why your friend would say that except for in niche cases like people picking VPN services that sell your data.
Bear in mind that your operating system (Windows/Mac) is also capturing this telemetry data, so you’re not really hiding it from them either. I’m sure you also have a footprint online that companies like Google are incredible at tracking. Some people will literally buy ProtonVPN then log into their Facebook/gmail and be like “haha no one can see me now”…
Hi, I recently installed Mail-in-a-Box. It needs Ubuntu 14.04 x64 as the base OS; for me it is working great with multiple domains, it can handle mail accounts, and you can upload your web pages there. Check it out!!
You can do it in Qubes-OS by using a non-usb (PS/2) keyboard. Set up a sys-usb vm and you can selectively mount it using USB passthrough.
You will find yourself on the end of an uncomfortable phone call with your ISP if you try to zmap the internet. You run the very real risk of taking down one of their upstream routers from session exhaustion, but if you still want to go that route and you are ready to handle all of the abuse complaints you are going to get, MassScan can scan the entire internet in a few minutes.
Also, most of the data you are looking to gather already exists in Shodan
I do it as part of my general SOC/IDS duties. For the most part I leave it to the EmergingThreats team.
I also have a subscription to this service, which is an automated sandbox:
https://www.hybrid-analysis.com/
The big trend to be aware of is fileless malware, particularly malware that is written in a scripting language like PowerShell. Windows 10 is 'immune' to traditional packed executable malware, as it has native binary whitelisting built in. This is actually easier to reverse if you can get a sample, as you can just look at the scripting language. Deobfuscation is a simple matter of replacing an exec call with a print.
Another big trend to watch out for is "Next-Generation" endpoint security, like Cylance, CrowdStrike and FireEye HX.
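The "replace the exec call with a print" idea, done statically so that nothing from the sample ever runs: an added example (not the poster's tooling) that peels the base64 layers a PowerShell one-liner typically carries. `-EncodedCommand` is base64 of UTF-16LE script text, and an in-script `[Convert]::FromBase64String(...)` fed to `Invoke-Expression` is usually the next layer; the decoder unwraps each in turn and reports whether the chain ends in an `IEX`, which is the indicator an analyst flags. The sample command line is constructed around a harmless `Write-Output`.

```python
import base64
import re
from typing import List

# "-EncodedCommand" (short forms -e / -enc) carries base64 of UTF-16LE script text
ENCODED_CMD_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# in-script staging: [Convert]::FromBase64String('...') whose result is handed to Invoke-Expression
FROM_B64_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE)
INVOKE_RE = re.compile(r"\b(?:Invoke-Expression|IEX)\b", re.IGNORECASE)


def decode_b64_text(b64: str) -> str:
    """Decode one base64 layer, picking UTF-16LE when every second byte is NUL (ASCII in UTF-16)."""
    raw = base64.b64decode(b64)
    if len(raw) % 2 == 0 and raw[1::2].count(0) * 2 > len(raw) // 2:
        return raw.decode("utf-16le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def peel_layers(command_line: str, max_depth: int = 8) -> List[str]:
    """Statically unwrap nested base64 layers; returns the decoded script of each layer, outermost first.
    Nothing is executed: this is the 'print instead of exec' step done from outside the sample."""
    layers = []
    current = command_line
    for _ in range(max_depth):
        match = ENCODED_CMD_RE.search(current) or FROM_B64_RE.search(current)
        if not match:
            break
        current = decode_b64_text(match.group(1))
        layers.append(current)
    return layers


def uses_invoke_expression(layers: List[str]) -> bool:
    """Flag the classic download-and-run pattern once the script text is readable."""
    return any(INVOKE_RE.search(layer) for layer in layers)


# --- constructed sample (harmless payload, built here rather than taken from a real sample) ---
INNER_SCRIPT = "Write-Output 'hello from layer 2'"
STAGER = ("IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
          + base64.b64encode(INNER_SCRIPT.encode("utf-8")).decode() + "')))")
SAMPLE_CMDLINE = ("powershell.exe -NoProfile -EncodedCommand "
                  + base64.b64encode(STAGER.encode("utf-16le")).decode())

if __name__ == "__main__":
    decoded = peel_layers(SAMPLE_CMDLINE)
    for depth, script in enumerate(decoded, 1):
        print(f"layer {depth}: {script}")
    print("invokes expression:", uses_invoke_expression(decoded))
```

Real samples add string concatenation, `-replace` tricks and compression (`GzipStream`, `DeflateStream`) between layers; those go in the same loop as further cases, but the principle stays the same: decode the data as data, never hand it to the interpreter.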
A VPN helps protect the traffic leaving your computer and coming back to it. You still have no idea who else may be on the same public network that could maliciously connect to your machine and see everything as you do it. A VPN is a good start, but keep a good firewall up, keep software updated and try to only connect to trusted hotspots. Be wary of others impersonating a trusted hotspot name too. There's still a lot more to think of than that...but if you trust where you are connected, at least do what I said above. Here is a good VPN with a good deal for those in the US.
If your main concern is feeling safe, you could always use a locally stored database via keepass for your bank info and other extra-sensitive information. Putting a password-protected keepassxc database on an encrypted USB is a pretty simple setup for some very good security.
Uh, don't you mean that it was vulnerable to RCE? To directly quote its wiki:
>A remote code execution vulnerability has been spotted in use against some users running PyBitmessage v0.6.2. The cause was identified and a fix has been added and released as 0.6.3.2 here. If you run PyBitmessage via code, we highly recommend that you upgrade to 0.6.3.2. Alternatively you may downgrade to 0.6.1 which is unaffected.
Also...
>If it were really revolutionary, I would've definitely heard about it till now.
This really doesn't say a lot.
Take a look at Zeek (formerly Bro).
Also, an ELK stack (Elasticsearch, Logstash, Kibana).
Zeek can be added to ELK. ELK has a ton of plugins. If you can get them in between the firewall and your ISP, you can track all the traffic. I have a spanned port at home so all traffic for my router also goes to my Zeek/ELK stack.
Hostility towards established learning technologies that aren't currently popular is a serious problem. The big push towards containers and orchestration technologies over the past decade or so has too often come at the opportunity cost of basic sysadmin skills.
Hint: a few lines of Perl shouldn't scare you and Linux from Scratch is your friend.