cybersecurity


This subreddit is for technical professionals to discuss cybersecurity news, research, threats, etc.

676
 
 
The original post: /r/cybersecurity by /u/momob2492 on 2024-10-04 20:47:10.

Or the worst thing you've noticed hardly anyone else wants to deal with on the job?

677
 
 
The original post: /r/cybersecurity by /u/professor_bond on 2024-10-04 20:20:12.

Apple’s latest operating system update, macOS 15 Sequoia, has disrupted several major cybersecurity tools used by enterprises and macOS users. The update, released on Monday, has reportedly broken functionalities of security tools developed by CrowdStrike, SentinelOne, Microsoft, and ESET, causing frustration among both developers and end-users.

678
 
 
The original post: /r/cybersecurity by /u/nick313 on 2024-10-04 20:06:17.
679
 
 
The original post: /r/cybersecurity by /u/ISeeDeadPackets on 2024-10-04 19:53:48.

While everyone has their detractors, I think most can agree that Crowdstrike has been a respectable choice over the years. I'm currently evaluating solutions (looking at SOC/MDR/SIEM) and I'm really kind of leaning their direction in spite of the recent issue. My principal concerns are centered around any legal consequences that might still be coming and their ability to weather them.

Am I nuts?

680
AI Glasses (zerobytes.monster)
 
 
681
 
 
The original post: /r/cybersecurity by /u/Hot_Kaleidoscope3864 on 2024-10-04 19:44:12.

Hi! Is there anyone who has solved Twinkle Lab? (Hack the box) I'm struggling to get the flag for user and root! And I don't even see one single walkthrough on the internet! So has anyone done this lab before?

682
 
 
The original post: /r/cybersecurity by /u/urosperko on 2024-10-04 19:17:08.
683
 
 
The original post: /r/cybersecurity by /u/ioncehackedmyschool on 2024-10-04 19:15:58.
684
 
 
The original post: /r/cybersecurity by /u/professor_bond on 2024-10-04 18:49:37.

The cybersecurity landscape has again been shaken by discovering a new set of malicious packages hosted on the Python Package Index (PyPI) repository. These deceptive packages masquerade as legitimate cryptocurrency wallet recovery and management tools, but they are designed to siphon sensitive data, ultimately putting user assets at risk.

Read our full article: https://cyberinsights.dev/pypi-fake-crypto-wallet-recovery-tools-steal-data/

685
 
 
The original post: /r/cybersecurity by /u/No_Exp1anations on 2024-10-04 17:01:06.

So, I'm trying to make a very, very basic document to help my analysts document where our new servers differ from a VERY secure (Read as, completely broken) baseline. Concept being that I'd like to hand this document over to vendors and have them let me know which things they will need to change in order to make their product work. My org was completely without any structure on this so it is a completely from scratch situation.

I'm trying to get to as close to 'zero trust/functionality' as possible and have them work backwards from there and only enable things that they need in order for stuff to function. Is this an okay approach or am I being unrealistic? If so, suggestions? Otherwise, am I missing anything?

Disable Unnecessary Services

(Windows)

1) Remote Registry
2) Windows Error Reporting
3) Fax Service
4) Print Spooler
5) Bluetooth Support
6) Server
7) NetBIOS over TCP/IP
8) Internet Information Services (IIS)
9) Windows Media Player Network Sharing

(Linux)

10) Avahi-daemon
11) CUPS (Common Unix Print System)
12) Bluetooth Services (Bluetooth, hciuart)
13) RPCbind
14) Samba (SMB)
15) NFS
16) Sendmail/Postfix
17) X Window System (X11)
18) DHCP Client
19) TFTP (Trivial File Transfer Protocol)
20) SNMP (Simple Network Management Protocol)
21) Zeroconf/Multicast DNS (mDNS)
22) NIS (Network Information Service)

____

Disable Unnecessary Ports

(Windows)

File Sharing and Printer

1) Port 137-139 (NetBIOS over TCP/IP)
2) Port 445 (SMB)

Remote Desktop and Management (See Remote Access Hardening)

3) Port 3389 (RDP)
4) Port 22 (SSH)

Database

5) Port 1433 (MSSQL)
6) Port 3306 (MySQL)
7) Port 5432 (PostgreSQL)

Email and Messaging

8) Port 25 (SMTP)
9) Port 110 (POP3)
10) Port 143 (IMAP)

Web and Application

11) Port 80 (HTTP)
12) Port 443 (HTTPS)
13) Port 8080 (alt HTTP)

File Transfer

14) Port 21 (FTP)
15) Port 69 (TFTP)

Old or Insecure

16) Port 23 (Telnet)
17) Port 161-162 (SNMP)

Multimedia and Streaming

18) Port 554 (RTSP)
19) Port 1755 (MMS)

Misc

20) Port 6660-6669 (IRC)

____

Secure System Accounts

1) Rename or disable default accounts not in use.
2) Dedicated service accounts with least privilege.
3) Disable all other logins.

____

Secure Boot

1) BIOS/UEFI passwords.
2) Secure Boot.

____

Remote Access Hardening

(Windows)

1) Use Network Level Authentication (NLA).
2) Limit RDP access to internal IP ranges.

(Linux)

3) Disable root login over SSH.
4) Change the default SSH port (22) to a non-standard port.

____

Security Features

(Windows)

1) Enable DEP (Data Execution Prevention)
2) Enable ASLR (Address Space Layout Randomization)

(Linux)

3) Enable SELinux or AppArmor

____

Network Configuration

1) Disable IPv6
2) DNSSEC

____

Server Protocols

Disable

1) Multi-Protocol Unified Hello
2) PCT 1.0
3) SSL 2.0
4) SSL 3.0
5) TLS 1.0
6) TLS 1.1

Enable

7) TLS 1.2 (and above)

____

Cyphers

Disable

1) NULL
2) DES 56/56
3) RC2 40/128
4) RC2 56/128
5) RC2 128/128
6) RC4 40/128
7) RC4 56/128
8) RC4 64/128
9) RC4 128/128

Enable

10) Triple DES 168
11) AES 128/128
12) AES 256/256

____

Hashes

Enable

1) MD5
2) SHA
3) SHA 256
4) SHA 384
5) SHA 512

____

Key Exchanges

Enable

1) Diffie-Hellman
2) PKCS
3) ECDH

____

Client Protocols

Disable

1) PCT 1.0
2) SSL 2.0
3) SSL 3.0
4) TLS 1.0
5) TLS 1.1

Enable

1) TLS 1.2

____

Cypher Suites

Enable

1) TLS_AES_256_GCM_SHA384
2) TLS_AES_128_GCM_SHA256
3) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
4) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
5) TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
6) TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

Disable

1) TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
2) TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
3) TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
4) TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
5) TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
6) TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
7) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
8) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
9) TLS_RSA_WITH_AES_256_GCM_SHA384
10) TLS_RSA_WITH_AES_128_GCM_SHA256
11) TLS_RSA_WITH_AES_256_CBC_SHA256
12) TLS_RSA_WITH_AES_128_CBC_SHA256
13) TLS_RSA_WITH_AES_256_CBC_SHA
14) TLS_RSA_WITH_3DES_EDE_CBC_SHA
15) TLS_RSA_WITH_NULL_SHA256
16) TLS_RSA_WITH_NULL_SHA
17) TLS_PSK_WITH_AES_256_GCM_SHA384
18) TLS_PSK_WITH_AES_128_GCM_SHA256
19) TLS_PSK_WITH_AES_256_CBC_SHA384
20) TLS_PSK_WITH_AES_128_CBC_SHA256
21) TLS_PSK_WITH_NULL_SHA384
22) TLS_PSK_WITH_NULL_SHA256

____

Encryption

Enable

Windows

1) Bitlocker

Linux

2) LUKS

____

Anti-Malware

Install

1) CStrike

____

Database Hardening (Where Applicable)

Oracle

1) Disable External Procedures
   - extproc
2) Disable Unused Database Links
3) Disable Unused File Handling
   - UTL_HTTP
   - UTL_FILE

Microsoft SQL

1) Disable xp_cmdshell
2) Disable OLE Automation Procedures
3) Disable Ad Hoc Distributed Queries

____

Application Control

1) Application Whitelisting
   - Applocker (Windows Server)
   - SELinux/AppArmor (Linux)
2) Restrict Execution of Scripts
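As an added example (not code from the original post), this is the "where does this server differ from the baseline" report the post is after, in Python: the baseline sets are distilled from the Linux service, port and SSH items listed above, while the systemd unit names and the host snapshot are assumptions constructed for the demo rather than real data.

```python
"""Report where a host departs from the 'zero functionality' baseline.

Added example, not code from the original post. Baseline sets come from
the Linux service, port and SSH items in the post; the systemd unit names
and the host snapshot below are constructed assumptions.
"""
import re

# Denied-by-default items; a vendor must justify re-enabling any of them.
# Unit names are assumed (packaging differs by distro). Ports 22 and 3389
# are left out of the closed set because the post governs them under
# "Remote Access Hardening" instead of closing them outright.
SERVICES_DISABLED = {
    "avahi-daemon", "cups", "bluetooth", "hciuart", "rpcbind", "smb",
    "nfs-server", "sendmail", "postfix", "tftp", "snmpd", "ypbind",
}
PORTS_CLOSED = {21, 23, 25, 69, 80, 110, 137, 138, 139, 143, 161, 162,
                443, 445, 554, 1433, 1755, 3306, 5432, 8080}
PORT_RANGES_CLOSED = [(6660, 6669)]          # IRC
SSHD_REQUIRED = {"PermitRootLogin": "no"}    # "Disable root login over SSH"

def parse_sshd_config(text):
    """Effective sshd_config directives: sshd keeps the FIRST value it sees."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) == 2:
            conf.setdefault(parts[0], parts[1].strip())
    return conf

def port_is_closed_by_baseline(port):
    """True if the baseline says nothing should listen on this port."""
    return port in PORTS_CLOSED or any(lo <= port <= hi for lo, hi in PORT_RANGES_CLOSED)

def deviations(enabled_services, listening_ports, sshd_text):
    """(area, item, note) for every place the host departs from the baseline."""
    out = []
    for svc in sorted(set(enabled_services) & SERVICES_DISABLED):
        out.append(("service", svc, "enabled; baseline says disabled"))
    for port in sorted(p for p in listening_ports if port_is_closed_by_baseline(p)):
        out.append(("port", str(port), "listening; baseline says closed"))
    conf = parse_sshd_config(sshd_text)
    for key, want in SSHD_REQUIRED.items():
        got = conf.get(key, "<default>")
        if got.lower() != want:
            out.append(("sshd", key, f"is {got}; baseline wants {want}"))
    if conf.get("Port", "22") == "22":
        out.append(("sshd", "Port", "still 22; baseline wants a non-standard port"))
    return out

# Constructed snapshot of a freshly built host after a vendor "fixed" it.
SAMPLE_SERVICES = {"sshd", "chronyd", "cups", "postfix"}
SAMPLE_PORTS = {22, 443, 631, 5432, 6667}
SAMPLE_SSHD = "Port 22\n# PermitRootLogin yes\nPermitRootLogin prohibit-password\n"

if __name__ == "__main__":
    for area, item, note in deviations(SAMPLE_SERVICES, SAMPLE_PORTS, SAMPLE_SSHD):
        print(f"[{area}] {item}: {note}")
```

In practice the three inputs would be filled from `systemctl list-unit-files --state=enabled`, `ss -ltn` and /etc/ssh/sshd_config, and the resulting list is the document handed to the vendor to justify line by line.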
686
 
 
The original post: /r/cybersecurity by /u/Mpacanad1 on 2024-10-04 16:37:09.

Hi,

I'm looking for a vulnerability scanner for the following:

  • Windows Server (Azure hosted)
  • Fortinet firewall and AP
  • Cisco switches
  • Netgear
  • VMware
  • Printers and scanners (agentless)

I was considering Nessus but would like to get some additional suggestions.

687
 
 
The original post: /r/cybersecurity by /u/CISO_Series_Producer on 2024-10-04 14:48:50.

Below are some of the stories we’ve been reporting this week on Cyber Security Headlines.

If you’d like to watch and participate in a discussion about them, the CISO Series does a live 20-minute show every Friday at 12:30pm PT/3:30pm ET. Each week we welcome a different cyber practitioner to offer some color to the week's stories. Our guest this week is Jonathan Waldrop, CISO, The Weather Company.

To get involved you can watch live and participate in the discussion on YouTube Live https://youtube.com/live/A2vRb64UPxU?feature=share or you can subscribe to the Cyber Security Headlines podcast and get it into your feed.

Here are the stories we plan to cover:

T-Mobile data breaches cost company $31.5 million

In a settlement with the Federal Communications Commission (FCC), T-Mobile has agreed to pay a total of $31.5 million following a series of data breaches over the last few years. The settlement includes $15.75 million in civil fines, and the other half of the money is to be spent on bolstering the company's cybersecurity measures, including adopting zero trust architectures and multi-factor authentication. The breaches, which started in 2021, involving millions of current, former, and prospective customers, exposed personal details like Social Security numbers, driver’s license numbers, and other personal information.

(The Record)

Deepfake scam hits U.S. senate

U.S. Senator Ben Cardin says he was the victim of an elaborate deepfake operation that impersonated a former Ukrainian Foreign Minister. The operation, which nearly duped the high-ranking government official, involved a fake Zoom call with what appeared to be a live audio-video connection, which seemed normal based on previous conversations the senator’s office had had with this Ukrainian official. It wasn’t until the imposter started asking specific questions such as demanding an answer on the senator’s stance on long-range missiles into Russian territory that Cardin’s staff ended the call. At which point staff confirmed the call was indeed fake. There is currently an open investigation into the situation.

(Dark Reading)

Public records systems riddled with security flaws

Security researcher Jason Parker disclosed dozens of critical vulnerabilities found across 19 commercial platforms for US public records used by courts, government agencies, and law enforcement. Some we’ve already covered on this show, like the Georgia voter registration database with a voter cancellation vulnerability. Other systems allow attackers to elevate user status to administrators, reset passwords, or access admin dashboards. Many required no advanced access, which could be done by anyone registering an account. Parker began researching these systems last year, eventually working with the Electronic Frontier Foundation to contact vendors. All disclosed issues have been fixed, and no signs of active exploitation exist.

(Ars Technica, Medium)

Rackspace breach sparks vendor blame game

Following up on the story we brought to you yesterday on Cyber Security Headlines, after the enterprise cloud host, Rackspace, was hacked on September 24, a vendor blame game has kicked off. Initially the Rackspace incident was attributed to a zero-day flaw in ScienceLogic’s SL1 monitoring app. However, ScienceLogic is now shifting the blame to an undocumented vulnerability in a different bundled third-party utility. While ScienceLogic declined to identify the responsible third party, the company indicated that, upon identifying the flaw, they “rapidly developed a patch to remediate the incident and have made it available to all customers globally.” Attackers were able to pivot from the monitoring software to other internal Rackspace servers to compromise sensitive data of users who have now received breach notices.

(SecurityWeek)

California privacy legislation now includes neural data

The law passed last Saturday and part of it focuses on human neural data which is now in danger of being sold and traded by data brokers. The backstory here is about neurobiologist Rafael Yuste who discovered he could take over the minds of mice by turning on certain neurons in their brains with a laser. This led to an awareness that human neural data could be manipulated and sold in similar ways. As Yuste stated, “If you can decode your mental activity, then you can decode everything that you are — your thoughts, your memories, your imagination, your personality, your emotions, your consciousness, even your unconsciousness.” This new law allows people to “request, erase, correct, and limit what neural data companies collect from them.”

(The Record)

Sellafield nuclear site fined £330,000 for cybersecurity failings

Updating a story we covered in June, the company managing the Sellafield site, the largest nuclear site in the UK, with the world’s largest store of plutonium, pled guilty to three criminal charges over cybersecurity failings and “alleged information technology security offenses” during a four-year period between 2019 and early 2023. “Sector-wide difficulties recruiting suitably qualified staff” led to the failure to carry out annual security checks, despite assuring Britain’s Office of Nuclear Regulation it had done so. Sellafield and the British government continue to deny claims by The Guardian newspaper that the site may have been compromised by hacking groups linked to both China and Russia.

(The Record)

Recall redesign: reinforced and removable

Responding to customer reaction to the release of its new AI-powered feature, Microsoft has now announced improvements to Recall including stronger default protection and the ability for it to be removed, and that it will be an opt-in feature by default. Microsoft’s vice president for Enterprise and OS Security, David Weston, revealed on Friday that the revised release will also automatically filter sensitive content, and will allow users to exclude specific apps, websites, or private browsing sessions.

(BleepingComputer)

NordVPN begins post-quantum support rollout

The popular VPN provider joined the smattering of companies getting ready for the advent of quantum computing. NordVPN rolled out upgraded protocols that comply with the new NIST standards for post-quantum encryption. This isn’t a full rollout; the post-quantum encryption is only available on its Linux client. The company said it will use data from its Linux rollout “as a stepping stone” to a broader transition but only committed that it will “strive” to bring it to all of its applications. Nord said this feature came in response to an uptick of “harvest now, decrypt later” attacks, even if practical quantum computing isn’t on the horizon yet.

(ZDNet)

688
wtfis (zerobytes.monster)
 
 
The original post: /r/cybersecurity by /u/Proof-Focus-4912 on 2024-10-04 14:11:13.

New SOC analyst here.

I saw this tool mentioned in a post about malicious IP identification tools. Can someone explain how I can use this in a Windows environment? I have very minimal coding experience, and little Linux experience. I couldn't figure out where I even started with this. Thanks!

 https://github.com/pirxthepilot/wtfis

689
 
 
The original post: /r/cybersecurity by /u/old_tomboy on 2024-10-04 13:06:48.

I've had two years' experience in a company developing software and doing cybersecurity research for about a year. My focus is always on the security area and that's where I've been focussing my studies.

My native language is Portuguese, I've been studying English since I was eleven years old, even if it's not perfect English yet, it's enough to communicate. However, I love learning new languages, and I'm keen to learn Korean because I like the culture.

However, I don't know if I have the courage to give up the time for something other than my career. Since I see a lot of people talking about how good South Korea is at cybersecurity, I wonder if learning the language could put me ahead. What do you think?

690
 
 
The original post: /r/cybersecurity by /u/countpissedoff on 2024-10-04 06:58:44.

Hi folks,

Everywhere I have ever worked I have always mandated that contract employees have a different badge flash colour and an email address that identifies them as a contractor and not an employee - I have been doing this for so long that I cannot remember the actual reason and justification for it - anyone care to weigh in on why and what standard (if any) requires it?

691
CJIS Audits (zerobytes.monster)
 
 
The original post: /r/cybersecurity by /u/goodbar_x on 2024-10-04 12:49:45.

Hello, I heard CJIS Audits happen about every 3 years for all agencies, but I wasn't sure if that meant Criminal Justice agencies or if that included non-criminal justice private contractors doing work for the criminal justice agencies. Basically wondering if the private contractors get audited independently or if they naturally get audited when the criminal justice agency they do work for gets audited.

The main driver is if we do work for multiple CJ agencies I'm wondering if we'll be getting audited whenever any of them get audited.

692
 
 
The original post: /r/cybersecurity by /u/cyberLog4624 on 2024-10-04 12:46:54.

If everything goes well I will do an interview for a soc position (apprenticeship).

Being my first interview, I'm a bit nervous. What do interviewers usually ask? What do they ask for the technical part of the interview? I'd like to review some topics to be as prepared as I can possibly be. Thank you in advance.

693
 
 
The original post: /r/cybersecurity by /u/Molaprise on 2024-10-04 12:41:40.

Thanks to everyone who participated in our poll on Password Managers! Take a look at our blog compilation of the top recommendations based on your votes and comments - https://molaprise.com/blog/the-most-recommended-password-managers-according-to-reddit/

694
 
 
The original post: /r/cybersecurity by /u/CYRISMA_Buddy on 2024-10-04 12:21:28.
695
 
 
The original post: /r/cybersecurity by /u/pwntheplanet on 2024-10-04 11:06:13.
696
 
 
The original post: /r/cybersecurity by /u/evilevidenz on 2024-10-04 10:04:05.

I was just thinking about the following scenario:

  1. Make a chat bot website that uses some form of Large Language Model (LLM) as a backend
  2. Hopefully attract a lot of users
  3. At some point in time do the following:
    • If the user asks about a problem on his/her computer: Send a predefined answer that installs some kind of malware/virus on the user's computer
    • If the user asks about anything else: Send the standard LLM answer
  4. Do what you want?

While costly, one can combine this with any form of subscription and leave the website running for a few months. The major problem is that I can target single users and the risk of being exposed is low, since the injected prompt is not publicly visible. So it's quite different to just posting instructions to install malware on e.g. Stackoverflow. And I don't see any way of preventing this form of attack.

  • Most users won't be able to tell what a terminal command does and blindly trust the output of the chat bot
  • Currently there is no way to check if an output was generated by a model
  • One could theoretically train a smaller model that verifies if an output matches a prompt, although most people wouldn't/can't run this extra model locally

And of course one can extend this idea by spamming the internet with fake websites that "solve tech problems" by installing malware with a terminal command and hope that these instructions make it into the training set. I'm excited to hear your ideas about this and how to mitigate these risks for the 0815 user?

697
 
 
The original post: /r/cybersecurity by /u/anynamewillbegood on 2024-10-04 08:57:29.
698
 
 
The original post: /r/cybersecurity by /u/barakadua131 on 2024-10-04 07:26:05.
699
 
 
The original post: /r/cybersecurity by /u/TiredSOCAnalyst on 2024-10-04 06:35:34.

Without delving into too much detail, over the past 4 years I’ve watched my SOC (US-based) lay off analysts, reducing the number to just one analyst per day/night for 15 clients with an unmanageable workload.

Given that this is not a unique experience, I was wondering if anyone else has just walked away from their SOC job with nothing else lined up. Alternatively, feel free to share your SOC trauma experiences!

700
 
 
The original post: /r/cybersecurity by /u/QuirkyMost950 on 2024-10-04 06:34:49.

In recent months in our company, we had been researching MDR providers and we finally landed on AW as a preferred vendor, specifically due to their ability to support our tech stack (a lot of the vendors we considered do not seem to work with our EDR solution - Trendmicro), but the problem is that they don't seem to be able to support a PoC to validate their tooling and that makes me a bit nervous. So I am wondering if any of AW's current or former customers could shed some light on your experience with them. Thanks in advance.

For context, we are an SMB SaaS company of about 650 employees primarily servicing the financial sector (DORA is a big focus for us). While the IT footprint is relatively small, we do have about 4000+ compute resources spread across multiple cloud providers (AWS, GCP, AZURE and OCI).
