Introduction to analysing full disk encryption solutions

I’ve written a couple of times on the subject of boot loaders and full disk encryption, but I haven’t really explored it in more detail. With this blog post I hope to dive a bit deeper into how to actually start performing these types of analysis and why they are useful to perform. I’ll start … Continue reading Introduction to analysing full disk encryption solutions

Link: https://diablohorn.com/2019/05/21/introduction-to-analysing-full-disk-encryption-solutions/

Singapore, Cisco, and Israeli Spyware – Paul’s Security Weekly #604

In the Security News, Singapore passes an anti-fake news law, WhatsApp Vulnerability Exploited to Infect Phones with Israeli Spyware, major security issues found in Cisco routers, and Microsoft Releases Security Updates to Address Remote Code Execution Vulnerability! Paul’s Stories Microsoft plugs wormable RDP flaw, new speculative execution side channel vulnerabilities – Help Net Security Passwords […]
The post Singapore, Cisco, and Israeli Spyware – Paul’s Security Weekly #604 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/m4uxm71wI0k/

[python]Capturing username and password from http login

Clear text site Nowadays it is quite rare to find http login page, because http is insecure, information sent towards the http site is all clear text, if there is a man in the middle sniffing packets to reveal the username and password is possible. Sniffing class I have written a class in python to … Continue reading [python]Capturing username and password from http login

Link: http://cyruslab.net/2019/05/16/pythoncapturing-username-and-password-from-http-login/

Firewalls, Paul Asadoorian – Enterprise Security Weekly #137

Paul will be giving a technical segment on firewalls. Paul talks about enterprise open-source firewalls. Hardware: https://www.amazon.com/gp/product/B074XPR3VJ Software: PfSense (https://www.pfsense.org/) Full Show Notes: Visit https://securityweekly.com/esw for all the latest episodes! Announcements: Register for our upcoming webcasts with Kaseya, SaltStack, and DomainTools by going to securityweekly.com/webcasts. If […]
The post Firewalls, Paul Asadoorian – Enterprise Security Weekly #137 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/tPF2ZYFK3QI/

Machinae v1.4.8 – Security Intelligence Collector

Machinae is a tool for collecting intelligence from public sites/feeds about various security-related pieces of data: IP addresses, domain names, URLs, email addresses, file hashes, and SSL fingerprints. It was inspired by Automater, another excellent tool for collecting information. The Machinae project was born from wishing to improve Automater in 4 areas:

- Codebase – Bring Automater to python3 compatibility while making the code more pythonic
- Configuration – Use a more human readable configuration format (YAML)
- Inputs – Support JSON parsing out-of-the-box without the need to write regular expressions, but still support regex scraping when needed
- Outputs – Support additional output types, including JSON, while making extraneous output optional

Installation

Machinae can be installed using pip3:

    pip3 install machinae

Or, if you're feeling adventurous, can be installed directly from github:

    pip3 install git+https://github.com/HurricaneLabs/machinae.git

You will need to have whatever dependencies are required on your system for compiling Python modules (on Debian based systems, python3-dev), as well as the libyaml development package (on Debian based systems, libyaml-dev). You'll also want to grab the latest configuration file and place it in /etc/machinae.yml.

Configuration File

Machinae supports a simple configuration merging system to allow you to make adjustments to the configuration without modifying the machinae.yml we provide you, making configuration updates a snap. This is done by finding a system-wide default configuration (default /etc/machinae.yml), merging into that a system-wide local configuration (/etc/machinae.local.yml) and finally a per-user local configuration (~/.machinae.yml). The system-wide configuration can also be located in the current working directory, can be set using the MACHINAE_CONFIG environment variable, or of course by using the -c or --config command line options.

Configuration merging can be disabled by passing the --nomerge option, which will cause Machinae to only load the default system-wide configuration (or the one passed on the command line).

As an example of this, say you'd like to enable the Fortinet Category site, which is disabled by default. You could modify /etc/machinae.yml, but these changes would be overwritten by an update. Instead, you can put the following in either /etc/machinae.local.yml or ~/.machinae.yml:

    fortinet_classify:
      default: true

Or, conversely, to disable a site, such as Virus Total pDNS:

    vt_ip:
      default: false
    vt_domain:
      default: false

Usage

Machinae usage is very similar to Automater:

    usage: machinae [-h] [-c CONFIG] [--nomerge] [-d DELAY] [-f FILE] [-i INFILE] [-v] [-o {D,J,N,S}] [-O {ipv4,ipv6,fqdn,email,sslfp,hash,url}] [-q] [-s SITES] [-a AUTH] [-H HTTP_PROXY] [--dump-config | --detect-otype] ...

See above for details on the -c/--config and --nomerge options.

Machinae supports a -d/--delay option, like Automater. However, Machinae uses 0 by default.

Machinae output is controlled by two arguments:

- -o controls the output format, and can be followed by a single character to indicate the desired type of output:
  - N is the default output ("Normal")
  - D is the default output, but dot characters are replaced
  - J is JSON output
- -f/--file specifies the file where output should be written. The default is "-" for stdout.

Machinae will attempt to auto-detect the type of target passed in (Machinae refers to targets as "observables" and the type as "otype"). This detection can be overridden with the -O/--otype option. The choices are listed in the usage.

By default, Machinae operates in verbose mode. In this mode, it will output status information about the services it is querying on the console as they are queried. This output will always be written to stdout, regardless of the output setting. To disable verbose mode, use -q.

By default, Machinae will run through all services in the configuration that apply to each target's otype and are not marked as "default: false". To modify this behavior, you can:

- Pass a comma separated list of sites to run (use the top level key from the configuration).
- Pass the special keyword all to run through all services including those marked as "default: false".

Note that in both cases, otype validation is still applied.

Machinae supports passing an HTTP proxy on the command line using the -H/--http-proxy argument. If no proxy is specified, machinae will search the standard HTTP_PROXY and HTTPS_PROXY environment variables, as well as the less standard http_proxy and https_proxy environment variables.

Lastly, a list of targets should be passed. All arguments other than the options listed above will be interpreted as targets.

Out-of-the-Box Data Sources

Machinae comes with out-of-the-box support for the following data sources:

- IPVoid
- URLVoid
- URL Unshortener (http://www.toolsvoid.com/unshorten-url)
- Malc0de
- SANS
- FreeGeoIP (freegeoip.io)
- Fortinet Category
- VirusTotal pDNS (via web scrape – commented out)
- VirusTotal pDNS (via JSON API)
- VirusTotal URL Report (via JSON API)
- VirusTotal File Report (via JSON API)
- Reputation Authority
- ThreatExpert
- VxVault
- ProjectHoneypot
- McAfee Threat Intelligence
- StopForumSpam
- Cymru MHR
- ICSI Certificate Notary
- TotalHash (disabled by default)
- DomainTools Parsed Whois (Requires API key)
- DomainTools Reverse Whois (Requires API key)
- DomainTools Reputation
- IP WHOIS (Using RIR REST interfaces)
- Hacked IP
- Metadefender Cloud (Requires API key)
- GreyNoise (Requires API key)
- IBM XForce (Requires API key)

With additional data sources on the way.

HTTP Basic Authentication and Configuration

Machinae supports HTTP Basic Auth for sites that require it through the --auth/-a flag. You will need to create a YAML file with your credentials, which will include a key to the site that requires the credentials and a list of two items, username and password or API key. For example, for the included PassiveTotal site this might look like:

    passivetotal: ['myemail@example.com', 'my_api_key']

Inside the site configuration under request you will see a key such as:

    json:
      request:
        url: '...'
        auth: passivetotal

The auth: passivetotal points to the key inside the authentication config passed via the command line.

Disabled by default

The following sites are disabled by default:

- Fortinet Category (fortinet_classify)
- Telize Geo IP (telize)
- TotalHash (totalhash_ip)
- DomainTools Parsed Whois (domaintools_parsed_whois)
- DomainTools Reverse Whois (domaintools_reverse_whois)
- DomainTools Reputation (domaintools_reputation)
- PassiveTotal Passive DNS (passivetotal_pdns)
- PassiveTotal Whois (passivetotal_whois)
- PassiveTotal SSL Certificate History (passivetotal_sslcert)
- PassiveTotal Host Attribute Components (passivetotal_components)
- PassiveTotal Host Attribute Trackers (passivetotal_trackers)
- MaxMind GeoIP2 Passive Insight (maxmind)
- FraudGuard (fraudguard)
- Shodan (shodan)
- Hacked IP
- Metadefender Cloud (Requires API key)
- GreyNoise (Requires API key)
- IBM XForce (Requires API key)

Output Formats

Machinae comes with a limited set of output formats: normal, normal with dot escaping, and JSON. We plan to add additional output formats in the future.

Adding additional sites

*** COMING SOON ***

Known Issues

- Some ISPs on IPvoid contain double-encoded HTML entities, which are not double-decoded

Upcoming Features

- Add IDS rule search functionality (VRT/ET)
- Add "More info" link for sites
- Add "dedup" option to parser settings
- Add option for per-otype request settings
- Add custom per-site output for error codes

Version History

Version 1.4.1 (2018-08-31)
- New features
  - Automatically defangs output
  - MISP support (example added to machinae.yml)

Version 1.4.0 (2016-04-20)
- New features
  - "-a"/"--auth" option for passing an auth config file. Thanks johannestaas for the submission
  - "-H"/"--http-proxy" option, and environment support, for HTTP proxies
- New sites
  - PassiveTotal (various forms, thanks johannestaas)
  - MaxMind
  - FraudGuard
  - Shodan
- Updated sites
  - FreeGeoIP (replaced freegeoip.net with freegeoip.io)

Version 1.3.4 (2016-04-01)
- Bug fixes
  - Convert exceptions to str when outputting to JSON. Should actually close #14

Version 1.3.3 (2016-03-28)
- Bug fixes
  - Correctly handle error results when outputting to JSON. Closes #14. Thanks Den1al for the bug report

Version 1.3.2 (2016-03-10)
- New features
  - "Short" output mode – simply output yes/no/error for each site
  - "-i"/"--infile" option for passing a file with list of targets

Version 1.3.1 (2016-03-08)
- New features
  - Prepend "http://" to URL targets when not starting with http:// or https://

Version 1.3.0 (2016-03-07)
- New sites
  - Cymon.io – Threat intel aggregator/tracker by eSentire
- New features
  - Support simple paginated responses
  - Support url encoding 'target' in request URL
  - Support url decoding values in results

Version 1.2.0 (2016-02-16)
- New features
  - Support for sites returning multiple JSON documents
  - Ability to specify time format for relative time parameters
  - Ability to parse Unix timestamps in results and display in ISO-8601 format
  - Ability to specify status codes to ignore per-API
- New sites
  - DNSDB – FarSight Security Passive DNS Database (premium)

Version 1.1.2 (2015-11-26)
- New sites
  - Telize (premium) – GeoIP site (premium)
  - Freegeoip – GeoIP site (free)
  - CIF – CIFv2 API support, from csirtgadgets.org
- New features
  - Ability to specify labels for single-line multimatch JSON outputs
  - Ability to specify relative time parameters using relatime library

Version 1.0.1 (2015-10-13)
- Fixed a false-positive bug with Spamhaus (Github#10)

Version 1.0.0 (2015-07-02)
- Initial release

Download Machinae
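The layered configuration merge and the site-selection rule above are the parts of Machinae most worth understanding before trusting its output, since a stray ~/.machinae.yml silently changes which sources get queried. The following is an added example, not Machinae's own code: a small reconstruction of that behaviour in Python, using the site keys from the README (fortinet_classify, vt_ip, vt_domain) with constructed sample layers. It assumes the merge is a recursive dict merge where later layers win, and that each site's entry carries an `otypes` list and an optional `default` flag; neither shape is confirmed by the README.

```python
"""Added example (not Machinae's own code): a reconstruction of the
layered config merge (/etc/machinae.yml -> /etc/machinae.local.yml ->
~/.machinae.yml, or just the default with --nomerge) and of the rule for
which sites run for a target type.  The per-site shape ('otypes' list,
'default' flag) is an assumption; the sample layers are constructed."""

from copy import deepcopy


def deep_merge(base, overlay):
    """Return a new dict: overlay's keys override base's, recursing into nested dicts."""
    merged = deepcopy(base)
    for key, value in overlay.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = deepcopy(value)
    return merged


def load_config(default_cfg, local_cfg=None, user_cfg=None, nomerge=False):
    """Mimic the README's layering.  With nomerge only the default
    (or the file given with -c/--config) is used and local/user files are ignored."""
    if nomerge:
        return deepcopy(default_cfg)
    cfg = deepcopy(default_cfg)
    for layer in (local_cfg, user_cfg):
        if layer:
            cfg = deep_merge(cfg, layer)
    return cfg


def select_sites(cfg, otype, requested=None):
    """Pick the sites to query for a target of type `otype`.

    requested is None  -> run everything not marked "default: false"
                 'all' -> run everything, including "default: false" sites
                 'a,b' -> run the named top-level keys (-s SITES)
    otype validation applies in every case, as the README states."""
    if requested is None:
        names = [n for n, s in cfg.items() if s.get("default", True)]
    elif requested == "all":
        names = list(cfg)
    else:
        names = [n.strip() for n in requested.split(",") if n.strip() in cfg]
    return sorted(n for n in names if otype in cfg[n].get("otypes", []))


# Constructed sample layers.  Keys come from the README; the shapes are assumed.
DEFAULT_CFG = {
    "ipvoid": {"otypes": ["ipv4"]},
    "vt_ip": {"otypes": ["ipv4"]},
    "vt_domain": {"otypes": ["fqdn"]},
    "fortinet_classify": {"otypes": ["fqdn", "url"], "default": False},
}
LOCAL_CFG = {"fortinet_classify": {"default": True}}      # the README's "enable" snippet
USER_CFG = {"vt_ip": {"default": False}, "vt_domain": {"default": False}}  # the "disable" snippet


if __name__ == "__main__":
    merged = load_config(DEFAULT_CFG, LOCAL_CFG, USER_CFG)
    print(select_sites(merged, "fqdn"))          # ['fortinet_classify']
    print(select_sites(merged, "fqdn", "all"))   # ['fortinet_classify', 'vt_domain']
    unmerged = load_config(DEFAULT_CFG, LOCAL_CFG, USER_CFG, nomerge=True)
    print(select_sites(unmerged, "ipv4"))        # ['ipvoid', 'vt_ip']
```

Running it shows why the README's warning about updates matters: the default file is never modified (the merge copies it), so an upgrade that replaces /etc/machinae.yml leaves the local and user overrides intact, while --nomerge reverts to exactly what ships in the default file.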

Link: http://feedproxy.google.com/~r/PentestTools/~3/M0K8gqllktU/machinae-v148-security-intelligence.html

Cynet Free IR Tool Offering Empowers Responders to Know and Act Against Active Attacks

The saying that there are two types of organizations, those that have gotten breached and those who have but just don’t know it yet, has never been more relevant, making sound incident response a required capability in any organization’s security stack.

To assist in this critical mission, Cynet is launching a free IR tool offering, applicable to both IR service providers in need of a powerful, free incident response platform, and to organizations that either suspect security incidents and want to get immediate visibility into what happened, or that know they have a breach and need to respond immediately. The Cynet Free IR tool offering for IR providers can be accessed here. The Cynet Free IR tool offering for organizations can be accessed here.

Incident response is about getting two things done as fast as possible: accurately knowing breach scope and impact; and ensuring that all malicious presence and activity are completely eliminated. Cynet introduces unmatched speed and efficiency into both aspects with its new free IR offering.

“We see that many organizations and service providers struggle to get the threat visibility they need,” said Eyal Gruner, co-founder of Cynet. “IR is an extremely time sensitive process and having the required threat visibility up and running in minutes is a must.”

The need to deploy an additional product is in many cases a hurdle – in an IR context, fast and seamless deployment is not a nice-to-have. It will often make the difference between successful containment and critical damage. Another delaying factor is the need to manually hunt and investigate for threats by correlating activities and configurations.

Cynet 360 is ideal for incident response purposes for several reasons. Its SaaS-based, lightspeed distribution enables coverage of thousands of endpoints in minutes. Its automated threat discovery radically reduces the manual investigation time, and its complete set of remediation actions enables responders to recover from any type of threat. With Cynet you can, among other things:

- Get instant visibility to all entities in the internal environment: users, hosts, files, running processes and network traffic.
- Easily locate live attacks and determine their scope and impact.
- Remove malicious files, disable compromised users and block risky network connections with the click of a button.
- Automate threat discovery and removal processes.
- Leverage Cynet central management to distribute other open source tools across the environment.
- Hunt for threats in real-time using IOC feeds.

“It’s true that incident response is many times outsourced, but we’ve put a lot of thought into Cynet 360 so it can be used by an internal team as well,” said Gruner. “There’s a lot of gray area here. What if you only suspect a breach but are not sure? Cynet IR can easily tell you what’s going on. Once you know, you can decide if you handle it internally or not.”

Like it or not, breaches are part of our reality. To acknowledge that means to ensure that you have what it takes to confront them. Anyone that’s involved in incident response, whether as a service provider or end user, should seriously consider upgrading its current capabilities with Cynet free IR. IR consultants and service providers can access Cynet’s free IR tool offering here. Internal IT and security teams can access Cynet’s free IR tool offering here.

Link: http://feedproxy.google.com/~r/PentestTools/~3/4Q01gW4bYSs/cynet-free-ir-tool-offering-empowers.html

April 7, 2019 – Hack Naked News #217

This week, a software flaw exposed most Dell computers to remote hacking, Israel neutralizes a cyber attack by blowing up a building with hackers, an expert finds hundreds of vulnerable Jenkins plugins, a bug in Mirai code allows crashing C2 servers, and how researchers discovered a highly stealthy Microsoft Exchange backdoor! In the expert […]
The post April 7, 2019 – Hack Naked News #217 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/VOLvN7Sucew/