Search - "security"
"You should use Windows server!"
It was a high security project which needed to run very stably. Even the Windows sysadmin looked at that guy like 'dude what the actual fuck'.

Me wanting to board Plane,
Goes through security Check...
"Sorry sir Laptops are not allowed."
"It could be a modified bomb"
"But this is a Tablet!"
"No sir, it has a Keyboard and Trackpad attached to it, it's also running Windows..."
"Excuse me, but this is clearly a Tablet"
*Detaches Keyboard from Surface Book*
"Sorry sir, but no. You can't board the plane with this, only Tablets and Smartphones"
"WTF? You don't allow Laptops because they could be bombs but A FUCKING SMARTPHONE IS ALLOWED? AND TABLETS TOO?!"
"Yes, because the Battery is not removable..."
"But my Laptop Battery is also not Removable..."
"I don't have any more Time for an Argument"
"So I can board the Plane?"
"No, the Ticket will be refunded"
WHO THE FUCK CAME UP WITH THIS BULLSHIT? LIKE RLY? WHO!!
I MEAN WHAT THE FUCK IS ALLOWED?!

An incident which made a Security Researcher cry
I was working on my laptop finishing up my code while waiting for the flight, which was late. Meanwhile two guys (I'm gonna call them Fellas) in black suits and shades came to me.
Fella : Sir, you have to come with us.
Me : *goes along with them*
Fella : Sir, please proceed *points towards the door. The room has a round table with some guys discussing something*
Fella 1 : Your passport please
Me : *Hands over the passport*
Fella 1 : Where are you traveling to sir?
Me : India
Fella 1 : Put your laptop on the desk, sir.
Me : Sure thing
Fella 2 : What were you doing there? *Taps the power button*
Me : Just finishing up my work.
Fella 1 : Or hacking our systems?
Me : Seriously?
Fella 2 : The password, please.
Me : Here you go
*5 minutes have passed and he still can't figure out how to use the machine*
Fella 2 : Which Windows is this?
Me : It's Linux
Fella 1 : So you are a hacker .
Me : Nope
Fella 1 : You are using Linux
Me : Does it matter?
Fella 1 : Where do you work?
Me : *I won't mention here but I told him*
Fella 2 : So what do you do there?
Me : I'm a Security Researcher
Fella 1 : What's your work?
Me : I find security holes in their systems.
Fella 1 : That means you are a hacker.
Me : Not at all.
Fella 2 : But they do the same and they use Linux .
Me : You can call me one .
*After 15 minutes of doo-laa-baa-dee-doo-ra-ba-doo amongst them, I dunno what they were talking about, they shut down the computer and handed it over to me*
Fella 2 - So you are somewhat like a hacker.
Me - *A bit frustrated* Yes.
And now the glorious question appeared like an angel from the river:
Can you hack Facebook?
Me - 😭😭😭

Definitely my security teacher. He actually expected us to actively learn the stuff and put effort into our education. He guided us through malware analysis and reverse engineering, simplifying it without insulting us.
We had students who thought they knew everything and he corrected them. We had arrogant students he put in place.
He treated us like adults and expected us to act like adults.
That's the only class I enjoyed studying for, because he would tell us exactly what wasn't on the exams (it was an intro course, didn't need to know the math). There were no trick questions.
I told him about the shitty teacher and he helped me through that confidence block. He helped me realize I *can* make it through the workforce as a female in security because I will work my ass off to be the best I can be. He reminded me why I love computers and why I want to go into forensics.
He's been a great mentor and role model and hiring him is one of the few things my department did right.

I'm, for obvious reasons, only going to talk about the attacks I went through and the *legal* ones I did 😅 😜
Let's first get some things clear/funny facts:
I've been doing offensive security since I was 14-15. Defensive since the age of 16-17. I'm getting close to 23 now, for the record.
First system ever hacked (metasploit exploit): Windows XP.
(To be clear, at home through a pentesting environment, all legal)
Easiest system ever hacked: Windows XP yet again.
Time it took me to crack/hack into today's OS's (remote + local exploits, don't remember which ones I used by the way):
Windows: XP - five seconds (damn, those metasploit exploits are powerful)
Windows Vista: Few minutes.
Windows 7: Few minutes.
Windows 10: Few minutes.
OSX (in general): 1 Hour (finding a good exploit took some time, got to root level easily afterwards. No, I do not remember how/what exactly, it's years and years ago)
Linux (Ubuntu): A month approx. Ended up using a Java applet through Firefox when that was still a thing. Literally had to click it manually xD
Linux: (RHEL based systems): Still not exploited, SELinux is powerful, motherfucker.
Keep in mind that I had a great pentesting setup back then 😊. I don't have nor do that anymore since I love defensive security more nowadays and simply don't have the time anymore.
Dealing with attacks and getting hacked.
Keep in mind that I manage around 20 servers (including VPSes and dedis) so I get the usual amount of SSH brute force attacks (thanks for keeping me safe, CSF!) which is about 40-50K every hour. Those IPs automatically get blocked after three failed attempts within 5 minutes. No root login allowed + RSA key login with freaking strong passwords/passphrases.
linu.xxx/much-security.nl - All kinds of attacks: application attacks, brute force, DDoS sometimes but that is also mostly mitigated at provider level, to name a few. So, except for my own tests and a few DDoSes on both those domains, nothing really threatening. (as in, nothing seems to have fucked anything up yet)
How did I discover that two of my servers were hacked through brute forcers while no brute force protection was in place yet? I installed a barebones Ubuntu server onto both. They only come with system-default applications. Tried installing Nginx the next day, port 80 was already in use. I always run 'pidof apache2' to make sure it isn't running and thought I'd run that for fun while I knew I didn't install it and it didn't come with the distro. It was actually running. Checked the auth logs and saw successful root logins - fuck me - reinstalled the servers and installed Fail2Ban. It bans any IP address which had three failed SSH logins within 5 minutes:
Enabled Fail2Ban -> checked iptables (iptables -L) literally two seconds later: 100+ banned IP addresses - holy fuck, no wonder I got hacked!
One other kind/type of attack I get regularly but if it doesn't get much worse, I'll deal with that :)
Dealing with different kinds of attacks:
Web app attacks: extensively testing everything for security vulns before releasing it into the open.
Network attacks: Nginx rate limiting/CSF rate limiting against SYN DDoS attacks for example.
System attacks: Anti brute force software (Fail2Ban or CSF), anti rootkit software, AppArmor or (which I prefer) SELinux which actually catches quite some web app attacks as well and REGULARLY UPDATING THE SERVERS/SOFTWARE.
So yah, hereby :P

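As an added example (not the ranter's setup and not Fail2Ban's own code), here is the ban rule described above, three failed SSH logins from one IP within five minutes, replayed as a sliding window over a few constructed auth.log lines, plus a check for the successful root password login that gave the compromise away. It assumes the classic syslog-style sshd line format and a log year of 2017, since syslog timestamps carry no year.

```python
"""Sliding-window detector for the SSH brute-force rule from the rant:
ban an IP after three failed logins within five minutes. Also flags what
gave the compromise away: a successful root / password login on a box
whose policy is keys only and no root."""
import re
from collections import defaultdict, deque
from datetime import datetime

MAX_FAILURES = 3          # failures that trigger a ban
WINDOW_SECONDS = 5 * 60   # within this many seconds
LOG_YEAR = 2017           # assumed: syslog timestamps carry no year

# Classic syslog-style sshd lines as found in /var/log/auth.log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted password|Accepted publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line):
    """Return (timestamp, event, user, ip) for an sshd auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the padded day ("Dec  5")
    ts = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["event"], m["user"], m["ip"]


def analyse(lines):
    """Replay auth lines in order.

    Returns (bans, alerts): bans maps IP -> time the ban rule fired;
    alerts is a list of (time, kind, ip) tuples worth a human's eye.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    bans, alerts = {}, []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # pam/session noise etc., not an auth event
        ts, event, user, ip = parsed
        if ip in bans:
            # A banned IP should be dropped by the firewall; if it still
            # reaches sshd, the ban was not enforced.
            alerts.append((ts, "after_ban", ip))
            continue
        if event == "Failed password":
            window = recent[ip]
            window.append(ts)
            # Forget failures older than the window (this is what makes
            # three slow failures spread over 14 minutes NOT a ban).
            while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= MAX_FAILURES:
                bans[ip] = ts
        else:
            # Successful login: check it against the stated policy.
            if user == "root":
                alerts.append((ts, "root_login", ip))
            if event == "Accepted password":
                alerts.append((ts, "password_auth", ip))
    return bans, alerts


# Constructed sample log (documentation-range IPs, invented hostname).
SAMPLE_LOG = """\
Dec 5 03:14:01 vps1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Dec 5 03:14:03 vps1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Dec 5 03:14:05 vps1 sshd[2105]: Failed password for root from 203.0.113.7 port 51238 ssh2
Dec 5 03:14:09 vps1 sshd[2107]: Failed password for root from 203.0.113.7 port 51240 ssh2
Dec 5 03:20:00 vps1 sshd[2150]: Failed password for root from 198.51.100.9 port 40000 ssh2
Dec 5 03:27:00 vps1 sshd[2160]: Failed password for root from 198.51.100.9 port 40001 ssh2
Dec 5 03:34:00 vps1 sshd[2170]: Failed password for root from 198.51.100.9 port 40002 ssh2
Dec 5 03:40:00 vps1 sshd[2180]: Accepted publickey for deploy from 192.0.2.10 port 52000 ssh2
Dec 5 03:41:00 vps1 sshd[2190]: Accepted password for root from 198.51.100.9 port 40003 ssh2
Dec 5 03:41:05 vps1 sshd[2191]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""


def run_sample():
    """Run the detector over the constructed log."""
    return analyse(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    bans, alerts = run_sample()
    for ip, when in bans.items():
        print(f"BAN   {ip} at {when:%b %d %H:%M:%S}")
    for when, kind, ip in alerts:
        print(f"ALERT {kind:<14} {ip} at {when:%b %d %H:%M:%S}")
```

In the sample, 203.0.113.7 is banned on its third failure and the slow attacker at 198.51.100.9 never trips the rule, yet its later root password login is exactly the line the rant found in the auth logs.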
A dude with a THICK Russian accent just called me offering server security services.
After I politely declined, he insisted on a free audit of my servers. I declined that as well.
Now I’m backing up our DBs and going through my nginx logs.
Am I being racist?

Are you serious? Are you afraid of an SQL injection or something, and instead of properly sanitizing your queries you disallow characters? Or is your software and database so outdated that you're afraid special characters will break it? Goodbye security

> installs devRant app on my iPhone
> too lazy to type my 18-char random password on mobile
> password manager app not on App Store yet
> dig up my old MacBook
> install Xcode & homebrew package manager
> install 2 other package managers using homebrew
> install App deps from the 2 package managers
> query stackoverflow for why my deps fail to install
> open App in Xcode
> set up Apple provisioning profile
> trust my certificate on my iPhone
> dig up an old router & set up a local WiFi network
> start a server on my laptop to serve my PGP keys
> download my PGP keys to my iPhone
> app crashes
> open an issue on GitHub with steps to reproduce & stacktrace
> type my 18-char random password
> rant on how I wasted an entire afternoon

So my Cyber Security lecturer was talking about scam emails and how potential hackers can spoof their identity in order to gain information or get some malware on your PC.
Since this was all really obvious, I decided to email him with a crude scam email myself for the lols.
To his credit he saw the funny side.

"I really love the new $3k FortiGate firewall switch you bought for the office after our chat about security but it doesn't change the fact that you can access any computer in the company using Password123" - me

What the actual fuck? Person (or people!) who devised this password policy, you are an idiot (or idiots - all of you). You are stupid and insane and have no idea about security or user experience.

Presenting my paper on PHP Security at an IEEE conference today... Wish me luck. I hope it gets published 😃🤞

A conversation with our network/system admin.
Me : Can I install Linux on my computer? Windows is slow and terrible.
Him : No, if you use anything but Windows in this company, you will be fired for bypassing our security protocols. It's written in your contract.
Me : *boots up my MacBook*

So our public transportation company started to sell tickets online with their brand new fancy system.
• You can buy tickets and passes for the price you want
• Passwords are in plaintext
• Communication is through HTTP
• Login state is checked before the password match so you can basically view who is online
• The email password reminder's security code can be read from the server's response
Oh and I almost forgot, admin credentials are FUCKING admin/admin
Who in the fucking name of all gods can commit such idiocy with a system that would be used by almost millions of people. I hope you will burn in programming hell. Or even worse...
I'm glad I have a car and don't have to use that security black hole.

Found a security hole....
A fast food delivery service had an ID for every order. It said
"example.com/order/9237" - I go to 9236... find another person's order, address, and phone number
So what should I do?
I thought of making a crawler and then making statistics on everyone's orders and sending them a link 😂

I wonder why "Date of your first kiss?" and "Name of your first love?" aren't standard security questions.
I think there are far fewer people around you who know the answer to these than "what's the name of your first pet?" or "The last name of your mother?".

Found a private API key on a GitHub project. Created a pull request with the key changed to "TH1S5HOULDB3SECR3T!iMBECIL5", comment was "security fix". I wonder if they accept

"We don't need iThemes Security. It will just slow WordPress down."
As opposed to the other four dozen plugins of which most are useless, inefficient or not even supported anymore?
You extra-thick pickle ticklers.

PM: We need security on signup, the password entry should contain "A capital letter, 2 numbers, a symbol, an inspiring message, a spell, a gang sign, a hieroglyph and the blood of a virgin."

I competed in two competitions, Computer Security and C++ Programming, and I got 6th in Security and 1st in C++!!

Started using longer passphrases for logins, colleague starts to tell people I'm doing bad things because "no one needs a password that long".
I get reprimanded by my boss.
How the hell does this even happen smh

Got a call from a recruiter today. (Keep in mind that using WhatsApp is about a requirement over here.)
R: so can I app you (I hate that word to the fucking point) with further details?
Me: *oh fuck this is gonna get me fucked again* uhm I don't use it so yah...
R: ohhh okay, security reasons?
Me: *slight relief* yes indeed, sir
R: oh fair enough, you can always just text and call me!
*very relieved feeling*
It's for either a cyber security or Linux job by the way.

If the below is you, please stop. I'm starting a revolution called #AnswerTheQuestion
A: Hey, just checked your code, you have a huge security issue in XYZ, you should really address that.
B: Oh god I had no idea, how do I fix it?
A: Well it depends on how you *want* to fix it, no one solution is always the right one.
B: ... Ok, well could you give me some advice?
A: Well, there are many ways to approach this kind of work, but all I can say is that this way, is definitely not the correct one.
B: ... Ok, well how would you do it?
A: That would depend on the customer requirements.
B: ... the requirement is to have a website that isn't easily hackable, what do I do?
A: Nowadays, it's pretty hard to make a website completely not hackable.
B: ALL THE SERVERS ARE SHOWING RED, PLEASE HELP ME!!!
A: ........ you really shouldn't prejudge colours. The colour red doesn't always mean danger, depends purely on the use case.

First rant, please take pity on the noob! 😐
Recently I've secured many of my user accounts spread throughout the internet. Using the same old password for everything is bad for security and for mental health! 😫
Since I was in the mood, I tried to do a 'break glass' scenario, simulating an attacker that possessed my Gmail account credentials. "How bad can it be?" I thought to myself...
... Bad. Very bad. Turns out not only do I use lots of OAuth-based services, I also wasn't able to authenticate back to Google without my pass.
So when you get home today, try simulating what would happen if someone got to your Google or Facebook account.
Makes you consider the amount of control these big companies have over your life 😶

We have a customer that runs an extremely strict security program, which disallows any type of outside connection to their servers.
In order to even correspond with them via email you must undergo background checks and be validated. Then you sign an NDA and another "secrecy level" contract.
Today they had a problem, I was the one assigned to fix it. I asked for a screenshot.
We already use an encrypted mail service, which runs via a special VPN that has enough layers of protection to slow down a photon to the speed of a snail.
The customer's sysadmin encrypted the screenshot and sent it to me.
I open the screenshot and....
He runs Windows 10, uses Google Chrome and has Facebook's WhatsApp desktop app flashing orange in the tray.

I'm a programmer and an aspiring cyber security specialist. Yesterday, after I gave a presentation about smart bulb hacking, I heard through a coworker that a cyber security company is interested in talking to me. Yay!

I recently found a company that used employee social security numbers as their login username and their MMDDYYYY as their password (which could not be changed). Also their entire network was using a router with no WiFi password set. :/

I literally cringed today when my neighbor wanted help installing an app, she didn't tell me it was her banking app... And the thing I needed to help with was logging in... So she told me her bank details...
Even though I said (multiple times) it was dangerous to do so, and that she can't just trust people with this kind of information...
WHY ARE PEOPLE SO GOD DAMN STUPID WHEN IT COMES TO SECURITY!

Seriously fuck mandatory security questions, these are my options:
What year did you meet your spouse?
What is your favorite book as a child?
I didn't have a favorite book. (and still don't)
In which city did you meet your spouse?
What is the first name of the first person you went to prom with?
Didn't go to prom.
Which state did you first visit (outside of your birth state)?
I've been to about 43 states and can't remember when I started traveling, how the fuck am I supposed to know?
In which city was your spouse born?
Again I'm single.
In which city did your oldest sibling get married?
I don't have any siblings.
C'mon, at least let me create my own question because right now I have no choice but to make up random shit and write it down in LastPass as a note.

Just looked at the anonymous analytics I collect on the security/privacy blog.
No SQL injection attacks yet (would be useless anyways as I don't use MySQL/MariaDB for the databasing).
Directory traversal attacks. Really? 🤣
Nice try, guys.

Following a conversation with a fellow devRanter this came to my mind; it happened a year or two ago I think.
Was searching for an online note taking app which also provided open source end to end encryption.
After searching for a while I found something that looked alright (do not remember the URL/site, too bad). They used pretty good open source JS crypto libraries so it seemed very good!
Then I noticed that the site itself did NOT run SSL (putting the https:// in front of the site name resulted in site not found or something similar).
Went to the Q/A section because that's really weird.
Saw the answer to that question:
"Since the notes are end to end encrypted client side anyways, we don't see the point in adding SSL. It's secure enough this way".
I emailed them right away explaining that any party in between their server(s) and the browser could do anything with the request (including the cryptographic JS code) so they should start going onto SSL very very fast.
Too bad I never received a reply.
People, if you ever work with client side crypto, ALWAYS use SSL. Also with valid certs!
The NSA for example has this thing known as the 'Quantum Insert' attack which they can deploy worldwide which basically is an attack where they detect requests being made to servers and reply quickly with their own version of that code which is very probably backdoored.
This attack cannot be performed if you use SSL! (of course only if they don't have your private keys but let's assume that for now)
Luckily Fox-IT (formerly Dutch cyber security company) wrote a Snort (Intrusion Detection System) module for detecting this attack.
Anyways, always use SSL if you do anything at all with crypto/sensitive data! Actually, always use it but at the very LEAST really do it when you process the above-mentioned!

Someone asked for an RSS feed for the security/privacy blog, I thought?
Well, hereby! There are three feeds:
https://much-security.nl/main.xml - a feed which is updated with both blog posts and external links relating to privacy/security I find interesting/useful.
https://much-security.nl/own.xml - a feed only containing the blogs posts themselves. For people who are only interested in that part.
https://much-security.nl/external.x... - a feed only containing external links. For people who'd like to stay updated on recent cyber security/privacy thingies.
Tracking: every time a feed is visited, a redis value for that feed gets incremented. No time, IP addresses, user agent or whatsoever is saved. Just one variable getting increased once.
New domain name will also be revealed soon (probs tomorrow, going to bed soon as I've just been sick) :D.
Oh and just a warning, the main/external feeds are the only ones populated, with exactly one item right now :P

One does not simply encrypt the exam tips and give it to the students in a computer security introductory module.

I'm penetration testing a network and the servers on said network.
The network administrator and IT security officer know this, because they hired me..
TL;DR a scan caused the network to crash.
Today I received a very angry email going "Stop scanning NOW!" from one of the IT departments.
Apparently I crashed their login server and thus their entire network...
It happened the first time I scanned the network from the outside and they had spent an entire day figuring out how and repairing the service they thought was the problem, but then it crashed again, when I scanned from within the network.
Now they want to send me a list of IPs that I'm not allowed to scan and want to know exactly what and when I'm scanning...
How crap can they be at their job, if they weren't able to spot a scan... The only reason they found out it was me was because the NA had whitelisted my IP, so that I could scan in peace...

(The PM is pretty technical)
Me: Could you create this subdomain?
PM: Sure, just a sec.
Me: Ohh and could you add a letsencrypt cert? (one click thingy)
PM: Why would you need that on this kinda site...
Me: Well in general for security...
(referring to my internship manager/guider as Bob)
Bob: Hey... we have a new subdomain!
Bob: Wait why is there no letsencrypt certificate installed...?!?
Me: Well, the PM didn't find that necessary...
Bob: (Oo) of course it is... are we going for security by default or what?
Me: Yup agreed.
Bob: *creates cert and sets everything up in under a minute*
It wasn't a high profile site (tiny side project) but why not add SSL when you can for free?

Fucking Crunchyroll hardcodes their access tokens in a Constants class in their APK, technically that is a security issue.
What the actual fuck Crunchyroll!? No fucking wonder you got DNS hijacked so quick, security is literally your second priority you dumbed down twats, get some real devs and some real QAs for fucking god's sake, you're tearing down your own system by inviting exploits.

What is the worst thing that can happen if you report a security vulnerability to a company?
Get banned by them!
I reported a vulnerability to a company on their Facebook page(cause they don't have an email id where I can report this) and they just banned me from their page. It's really annoying me now.
And the worst thing is that they have still not fixed the issue, I wonder why the hell they banned me then.
I am planning to exploit the vulnerability and teach them why security is so important now.

Me: Browsing the security of a website.
Tell the website developer that they are using the SHA-1 hashing algorithm for encrypting the credentials of its registered users.
Them: Yeah, so what?
Me: You shouldn't be using an algorithm which was exploited years ago in the age of 2016.
Them: Don't worry, nothing will happen.

Dear all wonderful ranters,
I apologize profusely in advance if over the next few days I cannot contain my anger at people and rant about non-dev things. I promise I will try my best to not do this, but there are very few places (none) other than here where I feel comfortable enough to express myself freely and not censor my words.
I will be working as a security guard (3rd job) for a car show full of pretentious assholes who have a tendency to think I'm their servant. I have wonderful bosses who have my back, and there are truly amazing people in attendance as well, but if someone tries to run me over again after a long ass day, I might need to vent.
I fully accept any and all down votes, and will likely delete the rant after it's out of my system, unless there's a conversation going in comments (I wouldn't do that to you).
Please bear with me while I try not to strangle everyone I come across. I'm hoping this year is the year everyone is nice, but history tells me that's naive and won't happen.
All my love,
Your (co)queen who may end up arrested for using her bionic arm to rip their balls off and feed them to their wives

The coolest project I've worked on was for a certain country's Navy. The project itself was cool and I'll talk about it below but first, even cooler than the project was the place where I worked on it.
I would go to this island off the coast where the navy had its armoury. Then to get into the armoury I'd go through this huge tunnel excavated in solid rock.
Finally, once inside I would have to go through the thickest metal doors you've ever seen to get to the crypto room, which was a tiny room with a bunch of really old men - cryptographers - scribbling math formulae all day long.
I can't give a lot of technical details on the project for security reasons but basically it was a bootable CD with a custom Linux distro on it. Upon booting up the system would connect to the Internet looking for other nodes (other systems booted with that CD). The systems would find each other and essentially create an ad-hoc "dark net".
The scenario was that some foreign force would have occupied the country and either destroyed or taken control of the Navy systems. In this case, some key people would boot these CDs in some PC somewhere not under foreign control (and off the navy grounds.) This would supposedly allow them to establish secure communications between surviving officers. There is a lot more to it but that's a good harmless outline.
As a bonus, I got to tour an active aircraft carrier :)

This is from my days of running a rather large (for its time) Minecraft server. A few of our best admins were given access to the server console. For extra security, we also had a second login stage in-game using a command (in case their accounts were compromised). We even had a fairly strict password strength policy.
But all of that was defeated by a slightly too stiff SHIFT key. See, in-game commands were typed in chat, prefixed with a slash -- SHIFT+7 on German-ish keyboards. And so, when logging in, one of our head admins didn't realize his SHIFT key didn't register and proudly broadcast to the server "[Admin] username: 7login hisPasswordHere".
This was immediately noticed by the owner of a 'rival' server who was trying to copy some cool thing that we had. He jumped onto the console that he found in an nmap scan a week prior (a scan that I detected and he denied), promoted himself to admin and proceeded to wreak havoc.
I got a call, 10-ish minutes later, that "everything was literally on fire". I immediately rolled everything back (half-hourly backups ftw) and killed the console just in case.
The best part was the Skype call with that admin that followed. I wasn't too angry, but I did want him to suffer a little, so I didn't immediately tell him that we had good backups. He thought he'd brought the downfall of our server. I'm pretty sure he cried.

As a firm supporter of information security, it really "irks" me to see people get up and walk away from their desks without locking their machines... Anyone else with me on this?!

Security for 2017: Because SSL has nothing to do with security, and is just Google's way of increasing its monopoly...

A client obsessed with *security* won’t give us access to the server that hosts the website we built.
Code release involves building templates, compressing the changed files into a zip folder, and emailing them to the client with instructions on where the changed files go.

Setting up my new second hand thinkpad with Linux Mint KDE.
I just chose hard disk encryption.
My password is so freaking long and complicated and I didn't write it down, so let's start learning this fucker out of my head 😅

***JUST BECAUSE SECURITY***
My father deleted the email with the credential for our ISP (pppoe: username and password), and I need it to connect a router.
Just called the technical service, after a couple of minutes they gave it to me.
They sent me both the username and password.
Asking me where to send it (which mail).
I DIDN'T EVEN KNOW WHAT THE CREDENTIAL I NEEDED WAS CALLED.
Obviously, I just had to say the account holder of the bill.
Now I am super scared, I can virtually access any account.

Some of you might have seen it already, those who didn't just have to.
One of the best rants I've read lately.
"Our security auditor is an idiot. How do I give him the information he wants?"

Me, lost in my work, interrupted by two dudes claiming they wanna do a security audit on my PC.
Me: Go ahead!
Them : (accesses the mail site and sees creds auto-filling) What is this? This is a clear violation of security policy.
Me : I use a password manager called KeePass. It's the most secure way to manage your credentials with key and password protection. I go ahead and lock the database and refresh to show there's no auto-fill.
Them : (a little startled) still this is against policy, blah blah... You've not got authorization from us to install it...
Me : okay will do.
After some rounds of bullshit,
Them : tries to log in using their credentials to report the *findings*. Takes a pause and asks, my password won't get stored, right?
Me : This is not a fucking key logger.
Me (internally) : Just the fact that they think you're capable of identifying security issues bums me!

My IT team installed Antivirus on my 5 year old Mac Mini due to company security policy after the recent Ransomware attacks.
Now my Mac is slow as fuck. They are not even providing me new Mac, due to budget constraints. Totally fucked.
Fuck Ransomware. Fuck security policies. Fuck my company. Fuck everyone. Fuck everything. 😤

Security tips, guys:
use iptables -A INPUT -j DROP to secure your servers.
NO ONE can access your servers now... NO ONE...

soo... 5 days ago I ranted because of the "security" of the wifi in a restaurant.. here goes anotha one.

My friend tells me #Linux has demons that work in the background! Does that mean Linux users are evil too?! #imscared

Typical TSA (Airport Security)
Security: Please put all of your handheld objects and your outer clothes in this basket.
Me: (puts my bag, in-flight luggage, and takes out laptop, bluetooth speaker, bluetooth mouse, bluetooth keyboard, tablet, android phone, dongle bag, and windows phone)
S: (stares at me as if I am a rich kid)
M: May I go through?
M: (smirks, and goes through metal detector)
M: (oh shit.)
Scanning Officer: Raise your hand!
S: (Hovers the detection stick around my body, but it doesn't ring, tells me to pass through the detector again. Still rings. Super confused. Asks me to do this 2-3 times more. Still same.)
M: Aha! I have my bluetooth earphones here! Sorry!
S: (stares at me, as if he is saying what a f****** weirdo)
My stuff comes out. I put my devices in the bag. The scanning officer stares at me.
To be continued....

This guy has a weird sense of system security if he thinks an SSH MOTD will keep unauthorised people away. Because you know, setting SSH permissions would be too sensible.

TL;DR I'm fucking sick and tired of Devs cutting corners on security! Things can't be simply hidden a bit; security needs to be integral to your entire process and solution. Please learn from my story and be one of the good guys!
As I mentioned before my company used plain text passwords in a legacy app (was not allowed to fix it) and that we finally moved away from it. A big win! However not the end of our issues.
Those idiots still use hardcoded passwords in code. A practice that almost resulted in a leak of the DB admin password when we had to publish a repo for deployment purposes. Luckily I didn't search and there is something like BFG repo cleaner.
I have tried to remedy this by providing a nice library to handle all kinds of config (easy config injection) and a default json file that is always ignored by git. Although this helped a lot they still remain idiots.
The first project in another language and boom hardcoded password. Dev said I'll just remove before going live. First of all I don't believe him. Second of all I asked from history? "No a commit will be good enough..."
Last week we had to fix a leak of copyrighted content.
How did this happen you ask? Well the secure upload field was not used because they thought that the normal one was good enough. "It's fine as long the URL to the file is not published. Besides now we can also use it to upload files that need to be published here"
This is so fucking stupid on so many levels. NEVER MIX SECURE AND INSECURE CONTENT it is confusing and hard to maintain. Hiding behind a URL that thousands of people have access to is also not going to work. We have the proof now...
Will they learn? Maybe for a short while but I remain sceptic. I hope a few DevrRanters do!7
Scammer calls claiming to be windows security expert.
Them: "Sir, your Windows computer is sending an error code. Please turn it on so I can fix it."
Me: "windows? I have a mac."
Them: "um.... " *hangs up*
"Whenever a user creates their account, they get an email with their password. We also get a copy of said email which makes it easy to troubleshoot any issues when they ring us." -- I was so tempted to hand in my resignation on the spot...
So my office is located in the oldest part of the hospital I work at. Weird shit happens here, especially at night. Currently working on configuring our security cameras, stand by for trippy shit.
> Builds CLI tool to generate app security tokens
> immediately leaks first set of tokens in public commit
I astound myself with my own stupidity sometimes.
Warning: long read....
I got a call this morning from a client who was panicking about not being able to login to his web panel.
So I went to the web panel and tried to login and was just redirected back to the login page. No errors or anything (at least visible on the page). Went looking for an error_log file and found it.
It turns out an error was showing: Disk quota exceeded.
So I went into the cPanel and checked, he used about 16GB out of 100GB and that got me confused. So I looked around and found out he was using about 510000/500000 inodes.
Went looking through FTP to see where he has so many files and try to remove some.
Well, it turns out that there were about 7 injected websites (warez, online casino, affiliate ones etc.) and a full hacking web panel on his FTP. After detailed analysis, someone who actually built the site (I just maintain some parts) made an upload form available to the public without any checks on it. Meaning anyone could upload whatever they wanted and the form would allow it.
The worst part is that the client is not allowing us to secure the form with some sort of login or remove it completely (the best option), as it is not really needed, but he uses it to upload some pdf catalogs or something.
Old programmer created an upload form that was accessible to anyone on the web without adding any security or check as to what kind of files were getting uploaded. Which led to the maximum number of inodes being used on the server and the client being unable to log in.
And ofc I had to go and fix the mess behind him again, even though he stopped working a long time ago and I started just recently and have been having nightmares of this project.
I've been pleading for nearly 3 years with our IT department to allow the web team (me and one other guy) to access the SQL Server on location via VPN so we could query MSSQL tables directly (read-only mind you) rather than depend on them to give us a 100,000+ row CSV file every 24 hours in order to display pricing and inventory per store location on our website.
Their mindset has always been that this would be a security hole and we'd be jeopardizing the company. (Give me a break! There are about a dozen other ways our network could be compromised in comparison to this, but they're so deeply forged in M$ server and active directories that they don't even have a clue what any decent script kiddie with a port sniffer and *nix could do. I digress...)
So after three years of pleading with the old IT director, (I like the guy, but keep in mind that I had to teach him CTRL+C, CTRL+V when we first started building the initial CSV. I'm not making that up.) he retired and the new guy gave me the keys.
Worked for a week with my IT department to get Openswan (ipsec) tunnel set up between my Ubuntu web server and their SQL Server (Microsoft). After a few days of pulling my hair out along with our web hosting admins and our IT Dept staff, we got them talking.
After that, I was able to install a dreamfactory instance on my web server and now we have REST endpoints for all tables related to inventory, products, pricing, and availability!
Good things come to those who are patient. Now if I could get them to give us back Dropbox without having to socks5 proxy through the web server, I'd be set. I'll rant about that next.
Rocketeer Games, you've not heard of them, but when you click Forgot password, you get the password alright, the original one IN PLAINTEXT.
Should I email them about how bad of a security practice that is?
Here's the email they sent me:
We recently took over development of an app. Upon inspection the API had no security, and passwords were stored in plain text. While the manager was slightly concerned, it wasn't a big deal....
That was until, using only a browser, I found the bosses account and personal email address.
Minutes later I was in his gmail, Facebook and credit cards account.
Improving security is now concern #1, and my boss is "suffering" 2 factor authy on everything.
Client: why do I have to use such a hard password for this website?
Me: For security reasons to protect your content and identity of your clients.
Client: Can't you just use the password that I'm used to? I use it on my banking software, and I've never been hacked so it should be good enough for you!
Me: what's the password that you want me to set up for you?
Client: you ready to take it down?
Me: go ahead.
Client: T ... U ... R ... D. You got that?
Me: ... Yes ...
I work at a place where security is really high when it comes to server access. Today I was in urgent need to get admin access to a server, this is a real pain. Luckily I found an xml in version control containing the credentials for the web application which happens to be an admin account! Lucky me, saved me at least two weeks of waiting to get admin access!
Pro security tip:
Use a very simple password because h4x0rs expect a difficult one so they can't cr4ck yours
Saw this security blunder a while ago. Went onto some site and it showed me this username/password dialog (probably an apache's htpasswd or nginx one). Went away but returned quickly because I noticed I could see all content. Then I thought 'why the fuck not try?' so I dragged the auth popup thingy to the side of the screen and et voila... I could interact with the page as if nothing was wrong while the authentication popup was hovering above the page on the right!
I sat there giggling dramatically for a while.
Taking IT classes in college. The school bought us all lynda and office365 accounts but we can't use them because the classroom's network has been severed from the Active Directory server that holds our credentials. Because "hackers." (The non-IT classrooms don't have this problem, but they also don't need lynda accounts. What gives?)
So, I got bored, and irritated, so I decided to see just how secure the classroom really was.
So I created a text file with the following rant and put it on the desktop of the "locked" admin account. Cheers. :)
1. don't make a show of "beefing up security" because that only makes people curious.
I'm referring of course to isolating the network. This wouldn't be a problem except:
2. don't restrict the good guys. only the bad guys.
I can't access resources for THIS CLASS that I use in THIS CLASS. That's a hassle.
It also gives me legitimate motivation to try to break your security.
3. don't secure it if you don't care. that is ALSO a hassle.
I know you don't care because you left secure boot off, no BIOS password, and nothing
stopping someone from using a different OS with fewer restrictions, or USB tethering,
or some sort of malware, probably, in addition to security practices that are
wildly inconsistent, which leads me to the final and largest grievance:
4. don't give admin privileges to an account without a password.
seriously. why would you do this? I don't understand.
you at least bothered to secure the accounts that don't even matter,
albeit with weak and publicly known passwords (that are the same on all machines),
but then you went and left the LEAST secure account with the MOST privileges?
I could understand if it were just a single-user machine. Auto login as admin.
Lots of people do that and have a reason for it. But... no. I just... why?
anyway, don't worry, all I did was install python so I could play with scripting
during class. if that bothers you, trust me, you have much bigger problems.
I mean you no malice. just trying to help.
For real. Don't kick me out of school for being helpful. That would be unproductive.
Plus, maybe I'd be a good candidate for your cybersec track. haven't decided yet.
-- a guy who isn't very good at this and didn't have to be
have a nice day <3
oh, and I fixed the clock. you're welcome.
I passed my Security+ cert exam! I know a lot of people say it's super easy, but it actually has a lot of really specific networking stuff, and some legacy tech specifics, etc.
A follow up from my previous rant about a dev colleague in the security company we work for consistently forgetting to lock his screen...he's done it again, so I made him a dickbutt loop this time
Clicking "forgot my password" and getting a mail with my password in clear text. Sending a mail and asking why they don't care about security. The answer I'm getting is "it's a feature, makes things easier". Yeah...
Tell me, am I weird for liking minimalist HTML websites more than those fancy CSS ridden ones? Like, for example, a website whose design I adore is linfo.org. Their website is so simple and easy to look at, without any distractions.
Also @linuxxx's website "Much Security" has a very neat simplistic design, AND it has a dark theme. Website designers, please make your websites simple.
Sooo I've been working on an ancient php 5.6 project that did not have any documentation and was a homemade "framework" created 7 years ago. The original creator is long gone and no one else knows a lot about this project.
When I first looked into it I almost immediately noticed the security flaws...
Old outdated libraries
a "development" feature to easily turn dev mode on/off
BY A GET PARAMETER!
it spits out full sql queries and php warnings -.-
Oh and did I mention that the site is a webshop.... and has a backdoor password?
AND THAT THE CUSTOMER REQUESTED THAT?
So I have seen this quite a few times now and posted the text below already, but I'd like to shed some light on this:
If you hit up your dev tools and check the network tab, you might see some repeated API calls. Those calls include a GET parameter named "token". The request looks something like this: "https://domain.tld/api/somecall/..."
You can think of this token as a temporary password, or a key that holds information about your user and other information in the backend. If one were to steal a token that belongs to another user, you would have control over his account. Now many complained that this key is visible in the URL and not "encrypted". I'll try to explain why this is, well, "wrong" or doesn't impose a bigger security risk than normal:
There is no such thing as an "unencrypted query", well, besides really transmitting encrypted data. These fields are being protected by the transport layer (HTTPS) or not (HTTP), and while it might not be common to transmit these fields in a GET query parameter, it's standard to send those tokens as cookies, which are as exposed as query parameters. Hit up some random site. The chance that you'll see a PHP session id being transmitted as a cookie is high. Cookies are as exposed as any HTTP GET or POST form data and can be viewed as easily. Look for a "details" or "http header" section in your dev tools.
Stolen tokens can be used to "log in" into the website, although it might be made harder by only allowing one IP per token or similar. However, the use of such a token is absolutely standard and nothing special devRant does. Every site that offers you a "keep me logged in" or "remember me" option uses something like this, one way or the other. Because a token could have been stolen, you sometimes need to additionally enter your current password when doing something security risky, like changing your password. In that case your password is being used as a second factor. The idea is that an attacker could have stolen your token, but still doesn't know your password. It's not enough to grab a token, you need that second (or maybe third) factor. As an example, that's how GitHub's "sudo" mode works. You have got your token, that grants you more permissions than a non-logged in user has, but to do the critical stuff you need an additional token that's only valid for that session, because asking for your password before every action would be inconvenient when setting up a repo.
I hope this helps understanding a bit more of this topic :)
Keep safe and keep asking questions if you feel that your data is in danger
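An added example of the mechanism the post above describes (my own constructed code, not devRant's or GitHub's): a server-side session store where the `?token=` value in the GET call is only a random reference to a session, a stolen token alone can read the account, and a sensitive action such as changing the password needs the password again as the second factor, with the elevated window expiring the way the post describes GitHub's sudo mode. `SessionStore`, `NeedsSudo`, the window lengths and the injectable `clock` are assumptions made for this demo.

```python
"""Bearer tokens, stolen tokens, and a sudo-mode second factor (constructed demo)."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

SUDO_WINDOW_SECONDS = 300          # how long a password re-check keeps a session elevated (assumed)
TOKEN_TTL_SECONDS = 7 * 24 * 3600  # "keep me logged in" lifetime (assumed)


class NeedsSudo(Exception):
    """Raised when a sensitive action is attempted without a recent password proof."""


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: the store never keeps the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def token_from_url(url: str):
    """Pull the token out of a call like https://domain.tld/api/somecall/?token=..."""
    return parse_qs(urlparse(url).query).get("token", [None])[0]


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable for tests of the sudo window expiry
        self._users = {}         # username -> (salt, password hash)
        self._sessions = {}      # token -> {"user", "expires", "sudo_until"}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def _check_password(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def login(self, username: str, password: str):
        """Returns a bearer token: random, unguessable, carries no user data itself."""
        if not self._check_password(username, password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": username,
            "expires": self._clock() + TOKEN_TTL_SECONDS,
            "sudo_until": 0.0,
        }
        return token

    def current_user(self, token):
        """What a token alone buys you: the identity behind it, until it expires."""
        s = self._sessions.get(token)
        if s is None or s["expires"] < self._clock():
            self._sessions.pop(token, None)
            return None
        return s["user"]

    def elevate(self, token, password: str) -> bool:
        """Sudo mode: the password is the factor a token thief does not have."""
        user = self.current_user(token)
        if user is None or not self._check_password(user, password):
            return False
        self._sessions[token]["sudo_until"] = self._clock() + SUDO_WINDOW_SECONDS
        return True

    def change_password(self, token, new_password: str) -> bool:
        """Sensitive action: refused unless the session was elevated recently."""
        user = self.current_user(token)
        if user is None:
            raise PermissionError("not logged in")
        if self._sessions[token]["sudo_until"] < self._clock():
            raise NeedsSudo("re-enter your password first")
        self.register(user, new_password)
        # Every other session of this user dies with the old password,
        # so a token stolen earlier stops working here.
        for other in [t for t, s in self._sessions.items() if s["user"] == user and t != token]:
            del self._sessions[other]
        return True
```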
Every time I got a mandatory security question, I type in "go fuck yourself with a cactus". There's only one answer for all of them.
At my previous job we had to complete an online security training exercise. It shows you how to behave securely in the workplace, to not open unknown links etc. The scary part was that the entire training thing was BUILT IN FUCKING FLASH. So I'm supposed to listen to some god damn virus shitting flash application on how to do online security?! Get your shit together before teaching others.
This is the most hilarious stackoverflow rant ever, quote:
"Strong cryptography only means the passwords must be encrypted while the user is inputting them but then they should be moved to a recoverable format for later use."
Anyone hear about the emergency patch that Microsoft just released? It's an RCE vulnerability, CVE-2017-11937, which ironically targets all of Microsoft's security products.
Basically when Windows Defender scans a specially crafted file the attacker can run code as LocalSystem. Nice one Microsoft!
This is just priceless. I submitted my thesis to an academic congress, which sent me this confirmation email. They are so 'concerned about security' that they assured me the email is legitimate by including MY PASSWORD.
WTF!!!!! I officially have someone trying to extort me; just had this in my email box this morning!
My name is [name removed], I'm an IT security expert and I found a security issue on your website.
This email is personal and in no way related to any of my employers.
I was able to access a lot of files which contain sensitive data.
I attached a screenshot of the files I found to this email.
I would be happy to give you the method I used to access these files in order to let you fix it.
Would a monetary compensation be possible?
Please forward this email to the right person if you are not responsible for the security of the website.
He can basically see the contents of my wp-config.php. How has he managed this?
"Ultron brings to you the best in security and encryption, directly taken from IE 5.5."
My security knowledge is so bad. But I don't know where should I start.😖
My coworkers know about this, so I don't get involved in related topics.🤤
Last time I asked the same question, someone gave me a link, and it was all about DIY welding metal tubes into a security door.🤦♂️
Any better suggestion?
Security rant ahead, you have been warned!
As part of a scholarship application, our government requires a scan/copy of the applicant's credit card. Since the IBAN is now on the back, you have to send both sides.
The back is also where the CVC (security code) is. Any bank will strictly tell you NOT TO EVER SHARE IT - not even with them!
To make things even more fun, you now have the option to send this over email which is, of course, NOT ENCRYPTED!!!!!
I'm basically sending all the info needed to steal all my money over an unencrypted connection to an underpaid secretary, who will print it out and leave it on their desk for anyone with decent binoculars to see.
These people are fucking insane!!!!
Someone at work asking me about whether the controller system for our door security can access the Internet. I'm explaining that the reason they can't access Google on it is that it is on an isolated network for security. They wanted to install some remote desktop software on it that some idiot had recommended.
Then I actually get asked: "If it can't see Google... Maybe can it see Firefox?"
It's a new semester and the introductory class for a General Ed is going on.
Prof: What do you want to be when you are done with engineering?
Me: I'd like to be in the security domain but I'm still not sure.
Prof: Then why are you doing Computer Science? You can just get a job as a security personnel.
Tl;dr stupid password requirements
Password must not contain any non-alphanumeric characters.
Your Password change was not accepted. Enter your current Password correctly following the rules for New Passwords. Please try again.
Passwords must be between 8 and 12 characters in length and MUST contain each of the following:
At least 1 lower case character (a-z)
At least 1 upper case character (A-Z)
At least 1 numeric digit (0-9)
But, MUST NOT contain:
more than five repeating characters in a row (e.g. 111111356 would not be valid, but 112233445 would be valid)
spaces or other special characters
NOTE: Your new password cannot be the same as any of your 10 previous passwords.
Are you fucking kidding me? Only (26+26+10)^8 through
(26+26+10)^12 different passwords to go through? It's like the oxygen wasters that built this website give zero fucks about security.
Why? This is the site that manages money and investments. Just allow passwords up to 64 characters, allow any ascii character and just fucking encode the characters to prevent any injection.
Client from a big company requested that all sensitive data should be encrypted, passwords included.
We agreed that was OK, and that we were already saving the hashes for the passwords.
The reply was "Hashes should be encrypted too"
Someone asked me, as a security engineer.
Bro : What do you think is the most secure way to authenticate? I read news that using fingerprints is no longer safe?
Me : Yes, they can clone your fingerprint if you take a photo with your fingerprint facing the camera.
Bro : So what is the other way to authenticate more securely, so other people can't see it in a picture?
Me : D*ck authentication is more secure now, other people can't see your d*ck pattern, right?
Trying to log in as a vendor on a client's timesheet web portal,
Web only accessible on safari,
Latest Java must be installed,
Java security must be set to highest, but Java applets for 2 very specific domains must be allowed,
An Avast antivirus must be installed for the reason below,
Must access the web, wait for the applet to run and check the computer's security settings; only if it's satisfactory will it then redirect to a login page,
In which I spent an hour trying to figure out why I cannot login with my username, until another friend had the same problem; what was in common between us is both our names are long, and after experimenting, we found out that inputting only 20 characters of our name enabled us to login,
After login another tiny app will be installed and activate a VPN, in which then we are able to access the actual system,
The VPN will only be active for 15-20 minutes tops, after that we will be kicked out and have to repeat the whole process,
Sometimes it works, sometimes it doesn't, even worse sometimes the only way to make it work again is to restart the computer, and redo the steps in the exact same way
Because nothing says "security" like some good ol' Base64 encoding. Bet whoever wrote that code was wearing mirror shades.
Having a conversation with a guy who aced all of his high school and college that now works as a security expert for a local company. He's also known as the most relaxed person in that company because he manages not only to remain calm, but also to calm down the angriest client. He's like a fucking magician.
Today, the security department stopped our new project and told us to work on the last project instead because of a top-secret security flaw.
Problem is, they are not allowed to tell us what the problem is. FML
A few years ago, we had a lesson on git and stuff, and we had to create our first repository and push something on it to get familiar with the thing.
Our teacher jokingly said at the end "And always remember, no password in a repository!", and I thought to myself "who can be dumb enough to actually do something like that?"
Now, guess which piece of shit had to reinstall two of his fucking servers because of security issues coming from not one but github repositories?
IT security calls to tell me my new password, because it is poor practice to send it over encrypted message.
New password = password
I'm glad we are taking security so seriously!
Guys, I am very tired of companies auto generating passwords for you and sending them to you in an email using plain text. Do they not care about the security of their systems?
I found a company called SDF.org which claims to have been established in the 90s. Their website, even the server, feels very old school. But I would think that if a company is really that old, WHY DO THEY SEND YOU PASSWORDS IN PLAIN TEXT FORM. You've got to be kidding me. Has no one ever tried to hack them before? Are they not worried at all that their dial-up service is going to go down?
Security Horror Story:
A password authenticator which is case-insensitive and all special characters are treated as the same value. As a bonus, all passwords are truncated to 4 characters.
How do I know the email is from twitter?
Easy, just check for https and if the links *contain* twitter.com. and the browser shows a padlock, it's legit!
I don't like these types of security tips.
Don't they know SSL can be obtained for free
And twitter.com.somedomain.com can trick people too.
I think Twitter should update their security *tip* in a world where SSL is free and anybody can make a twitter.com sub domain. This can cause some trouble.
tldr; Windows security sucks. You as an org-admin can't do anything about it. Encrypt your device. Disable USB Live boot in the BIOS and protect it with a STRONG password.
First off I just want to say that I DO NOT want to start the good ol' Linux VS Windows debate. I'm just ranting about Windows Security here...
Second, here's why I did all of this. I did all of this mainly because I wanted to install some programs on my laptop but also to prove that you can't lock down a Windows PC. I don't recommend doing this since this is against the contract I signed.
So when I got my Laptop from my school I wanted to install some programs on it, such as VS Code and Spotify. They were not available in the 'Software Center' so I had to find another way. Since this was when we still used Windows 7 it was quite easy to turn sticky keys into a command prompt. I did it this way (https://github.com/olback/...). I decided to write a tutorial while I was at it because I didn't find any online using this exact method. I couldn't boot from a USB because it's disabled in the BIOS which is protected by a password. Okay, Sticky keys are now CMD. So let's spam SHIFT 5 times before I log in? Yeah, thanks for the command prompt. Running 'whoami' returned 'NT SYSTEM'. Apparently NT System has domain administrator rights which allowed me to make me an Administrator on the machine. So I installed everything I wanted, everything was fine until it was time to migrate to a new domain. It failed of course. So I handed my Laptop to the IT retards (No offense to people working in IT and managing orgs) and got it back the day after, with Windows 10. Windows 10 is not really a problem, I don't mind it. The thing is, I can't use any of the usual Sticky keys to CMD methods since they're all fixed in W10. So what did I do? Moved the Laptop disk to my main PC and copied cmd.exe to sethc.exe. And there we go again. CMD running as NT System on Windows 10. Made myself admin again, installed everything I needed. Then I wanted to change my wallpaper and lockscreen, had to turn to PowerShell for this since ALL settings are managed by my school. After some messing around everything is as I want it now.
'Oh this isn't a problem bla bla bla'. Yes, this is a problem. If someone gets physical access to your PC/Laptop they can gain access to everything on it. They can change your password on it since the command prompt is running as NT SYSTEM. So please, protect your data and other private information you have on your PC. Encrypt your machine and disable USB Live boot.
Have a good weekend!
*With exceptions for spelling errors and horrible grammar.
I swear, the next time I hear a web developer say to me: "Yeah let's pretend as if the security hole in the website isn't there, because truth be told, i cannot be bothered to fix it."
Nothing like taking a company IT security training that requires Flash.
The first step to be able to run the training?
Override your browser's security setting to allow Flash to be able to run.
Anyone else see the irony here?
I wrote an article about how common practices make us vulnerable to security breaches and what steps to take to prevent them. Thought I'd share it here. Any kind of feedback is most welcomed!
Network Security at its best at my school.
So firstly our school has only one wifi AP in the whole building and you can only access the Internet from there or their PCs, which, just like the AP, have restricted internet with McAfee Web Gateway, even though they didn't even restrict shutting down computers remotely with shutdown -i.
The next stupid thing is cmd is disabled but powershell isn't, and you can execute cmd commands with batch files.
But back to internet access: the proxy with McAfee is permanently added on these PCs and you don't have admin rights to change them.
Although this can be bypassed by basically everyone because everyone knows one or two teacher accounts, it's still restricted, right?
So I thought I could try to get around it. My first few tries failed until I found out that they apparently have a MAC address whitelist for their LAN.
Then I just copied a MAC address of one of their ARM terminal PCs and set up a raspberry pi with a MAC change at startup.
Finally I got an IP with normal DHCP and internet, but port 80 was blocked in contrast to others like 443. So I set up a TCP openvpn server on port 443 elsewhere on a server to mimic ssl traffic.
Then I set up my raspberry pi to change MAC, connect to this vpn at startup and provide a wifi AP with its own ip address range and internet over vpn.
As a little extra feature I also added a script for it to act as a Spotify connect speaker.
So basically I now have a raspberry pi which I can plug into power and Ethernet and an aux cable of the always-on speakers in every room.
My own portable 10mbit/s unrestricted AP with spotify connect speaker.
Last but not least I learnt very many things about networks, vpns and so on while exploiting my school's security as a 16 year old.
"Using MD5" !? What year are we in again?
NOTICE OF DATA BREACH
Dear Yahoo User,
We are writing to inform you about a data security issue that may involve your Yahoo account information. We have taken steps to secure your account and are working closely with law enforcement.
What Information Was Involved?
The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5)
Today my fellow @EaZyCode found out a local Hosting Provider has a massive security breach.
He wrote a Plugin for Minecraft with its own file explorer and the ability to execute runtime commands over it.
We discovered that this specific hosting provider stores the ftp passwords one level above the FTP-Root. In FUCKING PLAIN TEXT! AND THE MYSQL PASSWORD TOO! And even more shit is stored there ready to be viewed by intelligent people...
It's one of the fucking biggest Hosting providers in Germany!
But, because EaZyCode has such a great mind and always finds such bugs, I give him the title "Providers Endboss" today, he has earned it.
Loving you ❤️
Edit: we used SendMail with runtime commands and sent too many empty Spammails (regret nothing)
Security fail here. I've just started a PPI claim and have been provided a link to a so called "very secure" client area.
There are no username or passwords and the screenshot is not a first time sign up screen.
All I need to login is a surname, postcode and DOB - all information easy enough to find online.
Pretty bad IMO, esp, so considering the effort required to add a proper login using a username/password combination.
I mean I'm logged in now and have no option to set an account password :|
A team at school spent 3-4 months on an eStore web app, for selling items. The title was "Securing your eStore".
When they were done with their presentation, the examiner asked: "But... You haven't said a thing about the security part."
"Oh, sure we did, as we showed you, we added validation on the email address and credit card text fields etc. If you press the Pay button here, you will get an alert()-dialog telling you which fields are invalid..."
And may I present to you, another reason to hate WordPress!
Saw a classmate returning a plain text password from a function to try to push it in a JSON file for an API we have to build for class.
I try to correct him and show him a few things that are better practices and for security, I get yelled at and called a know-it-all for trying to help... I'm so done with people -.-
We are required to use corporate SSO for any authenticated internal websites, and one of the features they require you to implement is a "logout" button.
They provide a whole slew of specifications, including size and placement/visibility, etc. They provide an SSO logout URL you must redirect to after you take care of your own application logout tasks.
Makes sense... except the logout URL they provide to serve the actual SSO logout function broke over 3 months ago, and remains non-functional to this day.
Apparently I'm the first person (and perhaps one of the only people) who reported it, and was told "just not to worry about it".
So, we have a standing feature request to provide a button... that doesn't actually work.
Corporate Security - Making your corporation _appear_ more secure every day...
many from the outside world believe incognito is the purest form of anonymity and security.....because its logo has a suspicious man with a hat and an overcoat
So I just started a part time job in a hospital research center - because the processing is long I got a temporary user name and password (that belong to the main HR secretary) so I can start work straight away (mainly data analytics)
I can access edit create or delete everything in the entire fucking database. On my first God damn day.
In the 2nd largest hospital in the fucking country.
Agh. How do systems survive with so many dumb security breaches?
I wanna make you feel what you have brought into my house!!
I was working with security cameras once in a home automation project. One of those cameras particularly stood out by offering a cgi without password request to view and change the current password and username.
Seriously wtf is wrong with you? I mean this thing automatically connects to an internet service offering everyone to connect to it with that password and username. And I know some of you might say "hey chill, the cgi is only available on the wifi" - dammit no. Security is a lifestyle, do it completely or get the fuck out. God knows what other mistakes there might be hidden in that thing screaming out to everyone to watch me taking a shit.
But that's not the end of it. My company arranged a call to the technical support of that camera so that I could explain the problem and a patch gets released. Those guys didn't give a shit about it and were even laughing at me. Fuck you!
So whoever is responsible - I will find you - and you will never see me coming.
During a design meeting, our boss tells me that Vertx's MySQL drivers don't have prepared statements, and that in the past, he's used a library or his own functions to do all the escaping.
"Are you kidding me? Are you insane?"
I insisted that surely he must be wrong; that no one would release a database library without built in support for query arguments. Escaping things by hand is just asinine and a security risk. You should always use the tools in the database drivers, as new security vulnerabilities in SQL drivers can be found and fixed so long as you keep your dependencies up to date.
He told me escaping wasn't as tricky as I made it out to be, that there were some good libraries for it, and insisted Vertx didn't have any built in support for "prepared statements." He also tried to tell us that prepared statements had performance issues.
He searched specifically for "prepared statements" and I was like, "You know they don't have to be called that. They have different names in different frameworks."
Sure enough, a short search and we discovered a function in the Vertx base database classes to allow SQL queries with parameters.
When you've been looking forward to a lecture on security only to find out you have to hack their website in order to register and you're completely lost 😫
Conversation topic: a security feature the PM doesn't like
PM: but WordPress doesn't do this.
Me: yes, but WP is hacked every couple of weeks and isn't exactly a security standard!
Debate continues for 5 minutes... And I'm forced to remove the feature 😑
Every week in my intro to information security class we are asked about what security stuff has gone down in the past week. Equifax is making it incredibly easy to not have to do much research.
We developed this website plus custom CMS for a university. I told them that we could host the entire system and take care of it for an annual fee, but they decided to host it in house because security. The IT guy didn't ask for my public key, he sent me a password. By email. Less than 8 characters long. Only recognizable abbreviated words. And a dot.
So today it finally happened.
npm modules broke my system and / or endangered the security of my system.
Installed a global CLI utility
That utility depends on package A
That depends on package B
That fucking installs a bin called sudo
Yeah... you heard it right, a bin called sudo.
This bin goes in the global module folder that is piped into your PATH variable.
Now every time you type sudo you are running somebody else's code instead of your system utility.
I am shivering and at a loss for swear words.
Opened an issue on the CLI that started this matryoshka game of horror.
Who the fuck thought that a bin called sudo would be a good fucking idea?
Oh, and yes, it's even a harmless package that tries to provide the sudo experience for Windows (I went in to check the code, of course..)
And I frigging need that CLI for work
For now I aliased sudo in my bashrc; still, I feel vulnerable and naked now.
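The rant above is a PATH-shadowing problem: whichever directory comes first on PATH wins, so a user-writable npm bin directory listed before /usr/bin silently replaces system commands. The following is an added example (not code from the rant or from any npm package) that walks PATH in shell order and reports names whose first match is a non-system directory while a system directory later on PATH also provides them. The list of "system" directories and the sample PATH layout are assumptions constructed for the example.

```python
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Directories where a system utility is expected to live (assumption; adjust for your distro).
SYSTEM_DIRS = ("/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin")


def first_match(path_dirs: List[str], contents: Dict[str, Iterable[str]], name: str) -> Optional[str]:
    """Return the first PATH directory containing `name`, exactly as the shell resolves it."""
    for d in path_dirs:
        if name in contents.get(d, ()):
            return d
    return None


def find_shadowed(path: str, contents: Dict[str, Iterable[str]],
                  names: Iterable[str]) -> List[Tuple[str, str, str]]:
    """For each name, report (name, winning dir, shadowed system dir) when a non-system dir wins."""
    path_dirs = path.split(os.pathsep)
    findings = []
    for name in names:
        winner = first_match(path_dirs, contents, name)
        if winner is None or winner in SYSTEM_DIRS:
            continue  # resolved from a system dir, or not on PATH at all
        later_system = [d for d in path_dirs[path_dirs.index(winner) + 1:]
                        if d in SYSTEM_DIRS and name in contents.get(d, ())]
        if later_system:
            findings.append((name, winner, later_system[0]))
    return findings


def scan_live_path(names: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Same check against the real PATH of the current process (lists directories on disk)."""
    path = os.environ.get("PATH", "")
    contents: Dict[str, set] = {}
    for d in path.split(os.pathsep):
        try:
            contents[d] = set(os.listdir(d))
        except OSError:
            contents[d] = set()  # missing or unreadable dir: nothing can be resolved from it
    return find_shadowed(path, contents, names)


# Constructed layout mirroring the rant: an npm global bin dir listed before /usr/bin.
EXAMPLE_PATH = "/home/dev/.npm-global/bin:/usr/local/bin:/usr/bin:/bin"
EXAMPLE_CONTENTS = {
    "/home/dev/.npm-global/bin": {"sudo", "some-cli"},
    "/usr/local/bin": {"node"},
    "/usr/bin": {"sudo", "ls", "node"},
    "/bin": {"ls"},
}

if __name__ == "__main__":
    for name, winner, shadowed in find_shadowed(EXAMPLE_PATH, EXAMPLE_CONTENTS,
                                                ["sudo", "ls", "node", "some-cli"]):
        print(f"{name}: {winner}/{name} shadows {shadowed}/{name}")
    print("live:", scan_live_path(["sudo", "su", "ssh", "git"]))
```

Running the constructed case flags only `sudo`; `node` in /usr/local/bin is left alone because that is a system directory, and `some-cli` has nothing to shadow. Besides the alias the rant settled on, placing the npm global bin directory after the system directories in PATH removes the problem for every command at once.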
When an application has tons of security holes and fixes never make it into sprint prioritization because "they're not new features"
I freelanced for a startup one time, and found out they had tens of thousands of records stored in their DB about dental patients, including name, address, social security #, some medical history, etc. All in plain text. Worst part is they hired me after a 20 min phone call, and didn't even sign an NDA!
Makes me paranoid to use the Internet knowing what some of these companies do.
Just a rant... It really sucks to work with Maven at a security-paranoid financial institution enforcing NTLM proxy auth...
Also USB ports disabled... :(
I am doing some freelance work for a client who is thankfully mindful about security. I found out that they are so strict with their access because they had a huge data breach last year.
Today I was given access to their repo for connecting to their AS400. In the Dockerfile the username and password were included and were the same for dev and prod. They also are performing no SQL injection prevention. They are just joining strings together.
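Both the Vertx discussion above (escaping by hand versus query parameters) and this AS400 repo come down to the same mistake: the query text is assembled from user input. The added example below is not code from either project; it uses Python's built-in sqlite3 driver and a constructed users table to show the joined-string query returning every row for a classic payload, the hand-escaping approach failing in a numeric context where there are no quotes to escape, and the parameterized form, which is what the rant's author was asking for, returning nothing for the same inputs. Table layout, column names and the payloads are assumptions for the example.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample table; not the rant's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn


def lookup_concat(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    # Vulnerable: the value becomes part of the SQL text, as in the "just join strings" repo.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def hand_escape(value: str) -> str:
    # The "escaping isn't that tricky" approach: doubles single quotes and nothing else.
    return value.replace("'", "''")


def lookup_by_id_escaped(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str]]:
    # Escaping quotes is useless in a numeric context: "1 OR 1=1" contains no quote to escape.
    sql = "SELECT username FROM users WHERE id = " + hand_escape(user_id)
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    # Hardened: the driver sends the value separately from the statement; it can never become SQL.
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (username,)).fetchall()


def lookup_by_id_param(conn: sqlite3.Connection, user_id) -> List[Tuple[str]]:
    # Same for the numeric case: a bound text value is compared as data, not parsed as an expression.
    return conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchall()


# Constructed payloads.
NAME_PAYLOAD = "x' OR '1'='1"
ID_PAYLOAD = "1 OR 1=1"

if __name__ == "__main__":
    db = make_db()
    print("concat   :", lookup_concat(db, NAME_PAYLOAD))        # every user
    print("escaped  :", lookup_by_id_escaped(db, ID_PAYLOAD))   # every user, escaping did nothing
    print("param    :", lookup_param(db, NAME_PAYLOAD))         # []
    print("param id :", lookup_by_id_param(db, ID_PAYLOAD))     # []
    print("param id :", lookup_by_id_param(db, 1))              # [('alice',)]
```

The point the author made in the meeting holds regardless of driver name: whether a framework calls them prepared statements, bound parameters or query arguments, the value travels separately from the statement, so the escaping rules of the current context never have to be known by the application.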
I find it hilarious, the total misconception of hacking that the general public has. I tell people I know cyber security (not as much as a lot of people around here), but it is a hobby of mine and I find it very useful/interesting.
But I can't help but laugh when someone is like, can you get all the text messages my bf receives?
Can you hack this for me, can you hack that?
C'mon, even if I knew how to do that without being caught, you think I would even admit that to you? Do hackers just walk around with an index card pasted to their forehead listing their skills? It's not even slightly reasonable to think this, lol, even for someone who doesn't know about the field.
My university has an internally developed system, where everything is managed, from e-mails and exams to personal data.
What I like most about it: they talk all day about Internet security and store our passwords in plain text, and if you press the "I've forgotten my password" button, they even send your password unencrypted, in plaintext, via e-mail. (Hello Wiresharks)
I don't know how to feel about this, it just hurts :(
PM asked me to develop an application to fetch data from the customer's DB, which would require an access security token provided by the customer. To get the token, I would have to travel to Germany (I live in Portugal) to pick it up personally (it's not possible to have someone else pick it up for me).
It turns out the security token is a completely closed environment, with its own OS, without the possibility of installing any application or communicating with the exterior. The laptop itself would boot from the token's OS.
It was concluded I would have to hack the security token, which is completely non-compliant. So the PM decided not to go forward with it.
But now, I have to go to Germany anyway to pick up the security tokens, because they forgot to order them for these other guys who would be using them to access the customer's DB manually and they don't want to delay the project anymore.
Oh, and the security tokens cost the project 500€/month each...
Stackoverflow has introduced the latest evolution in computer security - Dance Dance Authentication
A lot of larger companies seem to be happy about forcing employees to change their password every three months or so. They do it as a security measure so that it is more difficult to break into the system, however most people end up making the worst passwords.
Instead of forcing a very good password on them every year or two maybe, they all end up having passwords like: "Summer16", "Qwer1234", "London15".
I used to work for our national police, and this was the case there as well...
Hmm... recently I've seen an increase in the idea of raising security awareness at a user level... but really now, it gets me thinking, why not raise security awareness at a coding level? Just having one guy do encryption and encoding most certainly isn't enough for an app to be considered secure. In this day and age where most apps are web based, and even open source some of them, I think that first of all it should be our duty to protect the customer/consumer rather than make him protect himself. Most everyone knows how to get user input from the UI, but how many out here actually think that the normal dummy user might actually type unintentional malicious code which would break the app or give him access to something he shouldn't be allowed into? I've seen very few developers/software architects/engineers actually take the blame for insecure code. I've seen people build apps starting on an idea that is unacceptable security-wise and then, in the end, think of patching in filters, encryption, encodings, tokens, and days before release realise that their app is half broken because they didn't start the whole project in a more secure way for the user.
Just my two cents... we as devs should be more aware of coding in a way that makes apps more secure from and for the user, rather than saying that we had some epic mythical hackers pull all the user tables, that also contained unhashed, unencrypted passwords, by using magic. It certainly isn't magic, it's just our bad coding that lets outside code interact with our own code.
I've been interested in security for years, but despite knowing the theory I've always had this disconnect with actually doing it. About two years ago I finally managed to find and exploit my first cross-site scripting vulnerability in my company's product whilst doing some routine acceptance testing. It was a penny-drop moment for me which has led to some very interesting projects, and it was pretty badass.
I was 5 years old. My dad had just bought a Commodore 64. For the first few months, I just played games on it. But then I was watching a kids' show, where they had kids showing off how they could program the computer. I was instantly in awe, and asked my mom to take me to the library the next day so that I could pick out a book on computer programming. Fast forward to high school: it was 1995 and the movie "Hackers" had just hit theatres. I was in my freshman year and I met a bunch of kids who called themselves hackers. I learned a few tricks from them, went and saw the movie (terrible as it was in retrospect) and it inspired me to pursue hacking as a career. At present I work for a cyber security firm in Toronto as a DevOps Engineer, helping to build tools that will help developers write more secure code. On my 10% time at work I often take on consulting tasks and get a chance to sit in on pentests.
What server monitoring do you use, both for statistics and security?
tl;dr ends here
Ideally I would like to have one clean dashboard that shows me all the nodes I have. Proxmox already offers a great range of stats, but it is a page per container etc., so not ideal. I thought of having datadoghq, but their per-host pricing is huge, since I have more than 5 hosts to track.
Security Issues with Chrome:
My dad was just saying that his work wouldn't let him use Google Chrome because of its supposed 'security issues'. Just wondered if anyone knew of any real 'security issues' with Chrome that are legitimate? Or is it all just rumours...
Today we start working on an app that learns biometric data from the user for extra security, so if someone else uses my account... the system would know and shut the bad user out. Although we use an API for the biometric data collection, it's still epic! 😀😀😀
Only bad thing is that the deadline is next week
Buying a new USB from Tesco
So their password reqs are:
1 number or special char
Anyone else think that's ridiculous? There really can't be very many possibilities there
May interest a few people on here: https://security.infoteam.ch/en/...
(note I'm not affiliated with them nor have I tested the product, so don't ask me about that, I just found the read interesting)
When customers pretend to really care about security but then share server folders to "everyone" 🤨
Anyone here have any apps that they want to get tested for vulnerabilities and stuff?
I am training for a job in the IT security field, but it's hard to find a starting point for testing a real app/site/whatever.
So I would like to test some stuff you guys make, just for fun
Why is it that security (hacking) distros got so popular?
I see more and more posts and pictures, even on devRant, featuring them. Even I see people at my uni that are on Kali. I can't believe all of them are that into security. I even know two Linux noob friends that won't listen to advice and went to Kali as their first distro.
I'd never use Kali/Parrot/whatever vs my current Manjaro setup... I'd rather go back to Arch.
My IT-teacher has a website. Aside from it looking like from 1980 (which is ok), he has a "security js Mail decryption":
You can just run this link (open email app and read it) or use the same function and same href in the browser console and read it. It sounds so stupid.
(Yet I figured out he probably doesn't want bots to spam his mail, so maybe I am stupid)
So I was like "imma be smart with my internet security and put 2 factor on my GitHub" only to find out I'm getting authentication errors on trying to push. Disabling 2FA makes it work again.
GitHub y u do dis D:
Anybody else feel like their Internet traffic is constantly being monitored after downloading pen testing tools?
Have our identities been added to lists of potential cyber criminals :/
(For ethical purposes - involving your own site's security!!)
Security check at the airport, I hand over my Surface Pro as usual, the guy asked if I also have an iPad... Lol man, I don't need that expensive toy limited to stupid apps
Got hired to do a pentest for a small local business. The complete program - those are the fun contracts! Client filled out an info sheet, signed the terms of engagement, etc.
Scan all the IPs they gave me, do my thing and get access to the first machine. Proceed to dump user credentials, local db, etc. The rest goes kinda well, too.
"Holy shit, this is going nicely."
Write up the report, send it to the client. Today I receive an email, basically saying: "What the fuck dude, this is not our shit. But nice template though."
Had a conference call with them after and it turned out that their stupid sysadmin forgot to mark that their IPs are dynamically assigned by the ISP. It was mentioned TWICE on the form in BOLD. All he had to do was tick a fucking box. Why can't people read things at least twice when it's about security?
Now I owned a completely unrelated box and have to talk to those guys. That'll be one embarrassing call to make.
So in just a matter of minutes my job security has crashed and any week could be my last again, all because my job's head office decided to change everyone's positions in management...
So once again I'm back to square one in yet another useless fucking job search with barely anything to offer other than 5 years of retail experience and 3 years of IT support... Fan-fucking-tastic, would almost be more survivable to just go on Centrelink at this point -,-
1. Setup an Amazon.com account.
2. Setup an Amazon Web Services account under the same e-mail address
3. Setup two-factor authentication for both systems.
4. Login to Amazon Web Services in a new browser session, and you'll be required to provide BOTH security tokens at login (Amazon.com first, then AWS second.)
I think that my interview on Tuesday went well. 2 hours after the interview, I got an invitation to the second round of interviews and a simple "find security flaws in this code" test by email.
It may have something to do with the fact that the first thing I said in the interview was: here is a list of security issues on the recruitment system you are using, it apparently stores passwords in plaintext and ******(Redacted)******
I'm feeling pretty good right now
Working at a local SEO sweat-shop as the "whatever the lead dev doesn't feel like doing" guy.
Inherit their Linux "server".
- Over 500 security updates
- Everything in /var/www is chmod 777
- Everything in /var/www is owned by a random user that isn't apache
- Every single database is owned by the root SQL user
- Password for sudo user and MySQL root user same as wifi password given to everyone at the company.
- Custom spaghetti code dashboard with over 400 files in one directory, db/API logins spread throughout these files, passwords in plain text.
- Dashboard doesn't have passwords, just usernames to login
- Dashboard database has all customer information including credit cards stored in plain text
- Company wifi is shared by other businesses in the area
I suggest that I should try to fix some of these things.
Lead Developer / Tech Director: We're an SEO company, not a security company . . .
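Two of the findings in that list, world-writable files under /var/www and credentials spread through hundreds of source files, are the kind of thing you want a script to enumerate before arguing with a tech director. The following is an added example (not the rant author's code, nor anything from that company) that walks a directory tree reporting world-writable entries and entries not owned by the expected user, and greps source files for assignments that look like hard-coded credentials. The secret pattern and the constructed sample tree are assumptions for the example; the real /var/www and the apache uid would be passed in instead.

```python
import os
import re
import stat
import tempfile
from typing import List, Tuple

# Assumed pattern for "password = '...'" style assignments in PHP/config files.
SECRET_RE = re.compile(r"(?i)(pass(word|wd)?|secret|api_?key)\w*\s*=\s*['\"]")


def audit_tree(root: str, expected_uid: int) -> List[Tuple[str, str]]:
    """Report (path, problem) for world-writable entries and wrong ownership under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if st.st_mode & stat.S_IWOTH:
                findings.append((path, "world-writable (%o)" % stat.S_IMODE(st.st_mode)))
            if st.st_uid != expected_uid:
                findings.append((path, "owned by uid %d, expected %d" % (st.st_uid, expected_uid)))
    return findings


def find_hardcoded_secrets(root: str, suffixes=(".php", ".ini", ".conf", ".py")) -> List[Tuple[str, int]]:
    """Report (path, line number) of lines that assign a quoted literal to a password-like name."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                for lineno, line in enumerate(fh, start=1):
                    if SECRET_RE.search(line):
                        hits.append((path, lineno))
    return hits


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, int]]]:
    """Constructed mini /var/www: one sane file, one 777 file with an inline DB password."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    index = os.path.join(root, "index.php")
    with open(index, "w") as fh:
        fh.write("<?php\necho 'hello';\n")
    os.chmod(index, 0o644)
    config = os.path.join(root, "config.php")
    with open(config, "w") as fh:
        fh.write("<?php\n$db_pass = 'hunter2';\n$db_user = 'root';\n")
    os.chmod(config, 0o777)
    perms = [(os.path.basename(p), why) for p, why in audit_tree(root, os.getuid())]
    secrets = [(os.path.basename(p), n) for p, n in find_hardcoded_secrets(root)]
    return perms, secrets


if __name__ == "__main__":
    for report in demo():
        for item in report:
            print(item)
```

Against a real tree you would call `audit_tree("/var/www", pwd.getpwnam("apache").pw_uid)`; the ownership check is what catches the "random user that isn't apache" item, and the mode check catches the 777s without having to trust a `ls -l` skim over 400 files.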
Ugh, been debating with a client for an hour about basic backups and security practices and want to tear my hair out. How do you guys deal with stubborn clients?
Why. Why is it that so many websites out there still specify a maximum password length.
If your "secure password" solution was all that secure, then why would the database care if I use an 8 char password or a fucking 500k one? It all gets hashed into a string of a fixed length anyway!
But, it might just be that all these "secure services" store their passwords in fucking plain text. Then the database would indeed care. So much for security I guess...
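The two complaints above, the plaintext password mailed back by the university system and the arbitrary maximum length, both disappear once the stored value is a salted, fixed-length hash. This added example (mine, not from any of the systems ranted about) stores a 16-byte random salt followed by a 32-byte scrypt digest, so an 8-character and a 5000-character password occupy the same 48 bytes, and verification compares in constant time. The scrypt cost parameters are an assumption for the example and should be tuned to your hardware.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed cost parameters: 2^14 iterations, r=8, p=1 uses about 16 MiB per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN, DIGEST_LEN = 16, 32


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_LEN)


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || digest. Output size is fixed no matter how long the password is."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return salt + _derive(password, salt)


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute from the stored salt and compare without leaking timing on the first bad byte."""
    if len(stored) != SALT_LEN + DIGEST_LEN:
        return False
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(_derive(password, salt), digest)


if __name__ == "__main__":
    short = hash_password("Summer16")
    huge = hash_password("x" * 5000)
    print(len(short), len(huge))                    # 48 48
    print(verify_password("Summer16", short))       # True
    print(verify_password("Summer17", short))       # False
```

Nothing here can hand the password back to a "forgot my password" mailer, which is the point: a reset flow issues a new one-time token, it never reveals the old secret. Note that this applies to algorithms that take arbitrary input; bcrypt, for instance, only looks at the first 72 bytes, which is one legitimate reason a site might cap length (though at 72, not 16).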
Recently I started to be interested in how code actually works. I write a for-loop or an if-statement, but how do they actually work at the lowest level?
Another thing I've been interested in is security. I thought about learning how to hack my own systems in order to learn how to write more secure code and keep people out. But I'm a little afraid that as soon as I start looking at how to hack, the police will storm through the window and take my computer 😂😂
Just found out about this: https://publiccode.eu/
If you live in the EU and care about privacy, security and/or open source you might want to check it out.
To sum it up: the idea is to have all software written for and bought by public authorities, governments and such published under open source licenses, to enable every citizen to verify the integrity of that software (and give all the other advantages of FOSS).
Some devs need to be better about sharing info. Like, I don't want to play 20Qs just to learn how to configure a system I never used. You have job security, don't worry! Other people are allowed to know what ya know; you don't need to impress anyone!
Signed up for an account on an online store, which then proceeded to send me my full password in plaintext, in an unencrypted email.
Sent them an email 3 weeks ago detailing the security issue (I was extremely nice about it), but no response.
What else can I do?
So today a colleague confessed to an attempt to troll my computer by SSHing into it and playing random songs. Thankfully he did not manage but he would just happen to do it the day we have a security audit.
They tell me to only review security in the security reviews I'm doing (and if I bring to attention that they're implementing a weak encryption so even though they're not using it at the moment it might cause issues so be careful with that they say to only review security 😵) and then I see this mssql in a where:
AND ISNULL(field, 0) IS NULL
And I think wtf, should I report that? I did and it's a bug and they're thanking me now....
God dammit, it's hard to "review security" here...
A fellow uni student shared this deal with everyone in our security course. The first place I thought of re-sharing it was here.
Hopefully my fellow devRanters will find this a good deal.
So much talk about WannaCry and security, but everyone will forget in a few weeks and go back to using old unpatched OSes with vulnerabilities... Why don't people understand that security is a necessity, not a luxury!
I just said "bye" to all my WhatsApp groups, and finally got rid of that service! (meaning deleting my account as well, not just uninstalling the app).
It's so hard to make people understand what is happening and what I think about security/privacy... Guess I'll have to wait for people to finally come to Signal or Keybase if they want to reach me more efficiently :)
I'm a computer engineering student.
I'm very much interested in Systems and networking.
That's why I was thinking of pursuing cyber-security as a career option.
But I'm not quite sure if that is a good choice.
Also I don't know how to proceed in order to achieve excellence in cyber-security.
It would be a great help if you guys could help me.
Today, carrying my dinner to a table in our university's cafeteria, I passed by the table of a professor. He had a book on his table titled "Hacking Handbook". It contains chapters on httrack, ping, port scans and the like (I checked that on Amazon).
The professor drank a coffee, then got up to get some food. His table was directly next to the wall separating the food corner from the tables. He stayed away from his computer for two or three minutes. Both table and computer were totally out of his field of vision during that time. His computer was not locked and Outlook was open.
The professor teaches IT security.
Besides the project I'm currently working on, I'm really excited to complete the course I'm enrolled in right now, which will allow me to apply for the Offensive Security certification and CEH :D
Dude at work floats the idea of creating separate GitHub accounts for personal and work for security. My response:
While we're discussing options, we should also consider maintaining a list of users as a CSV^H^H^H MS Excel file, and install an authentication server that runs off the laptop of an "IT Administrator". That way it'll be super secure, because hackers cannot access any system outside of working hours, as well as on the days that said admin is off from work.
I stumbled upon this GitHub repo, thought anyone working on a web app could get some tips from it:
Hope this helps.
Am I the only one that browses Security.stackexchange just because I am interested and want to learn?
Wowza..... Security certifications get expensive! Gonna have to spend half the week writing one hell of a business case for the certs my team needs!
My country has the best security experts. They convince people that they are not thieves. Then, when people believe them and give them their data, they change the password.
This is not a rant. Not really. It's more expressing my own insecurity with a certain topic, which somehow upsets me sometimes (the insecurity, not the topic though).
I have nearly no knowledge about security/privacy stuff. I mean, yeah, I know how to choose secure passwords and don't make stupid DAU mistakes. The very basics you would expect someone to have after a CS bachelor's degree.
But other than that... Nothing. And I would like to get a bit into that stuff, but I have no clue where to start. First getting my head wrapped around low-level stuff like network layers? Or something completely else.
This topic is so intimidating to me as it seems huge, I have no idea where to start, and I feel that if you don't have "full" knowledge, you are going to make mistakes which you might not even notice.
I sometimes get really scared about having an account hijacked or similar. Also in our job it seems to become more and more of a topic we should know about.
Anybody got any advice?
I am looking for a way to improve my knowledge in security in general for professional reasons and my knowledge about privacy for private reasons.
It's just, every time I start reading something related, it seems that I am lacking some other knowledge etc...
Remember, while software security is important, not enough physical security completely ruins that.
It doesn't matter how secure your software is if the attacker has it for an unlimited amount of time.
It doesn't matter how secure your network is, if the attacker can walk up to an unlocked computer.
It doesn't matter if you use the best hashing algorithm, if the attacker has the whole database.
If you walk away from your computer for too long and don't lock it, I will mess with it. I won't do anything nasty, but I will teach you about physically securing your devices.
Let's not teach security in our online full stack web development course and let people worry about it when they get a developer job. If this keeps up I'm getting a lot of big bounties in the future 😞
Has anyone used python within cyber security?
I really want to get into cyber security. I'm curious what programming languages are used within that industry.
Well for starters the website that gave you assignments on security of web applications shouldn't have an SQL injection vulnerability on the login page.
Next would be the method of teaching: they skip what not to do and go straight to what you should do. This in turn causes people to use the exec command in PHP with a parameter taken straight from a POST request.
And stop allowing teachers to be lazy fucks that don't explain shit and only give you assignments.
And finally when telling the teacher that a method he uses would cause another vulnerability the teacher should properly fix this issue not say it is for an "advanced course".
Yes I am pissed
MFW at an Azure/IoT conference, one presenter shows his certificate validation, to connect to all devices in his house:
"let's not be paranoid about security"
Why the fuck are debit cards that don't need a PIN for transactions even a thing? What is so difficult to understand or implement in two-factor authentication? Like, do these companies have meetings where some fucktard proposes removing a crucial security feature and the others just nod approval?
Doing a talk on 'Security in PHP' and a live demo on web attacks and safeguard tips this Saturday. Any tips, fellow Ranters...?
So after waiting 3 days for an ID to get into a computer, I'm now told it's going to take 12-14 hours before I can do online security training just so I can actually start working. I'm only at this job for a month and I'm not going to even touch any real work at this rate...
Oh well, at least I'm paid by the hour, not by the amount of work
Trying to get my head round LDAP for, what will eventually be, a government project.
Security up the wazoo is difficult
Cure for Imposter Syndrome:
Go try to find a freelancer for a project, for something like "adding OAuth to an existing .NET Web API 2 and angular.js project", and many, many developers respond. You will be shocked at how little they know; they say they understand the job but are clearly incompetent.
Best job security ever. Also, just suck it up and do it yourself 😆
Can you do a security / privacy check for ProtonVPN? All I know is that it is Switzerland based and pretty much secure.
INFO/WARNING: Some HP audio drivers for certain HP laptops have "integrated keyloggers" enabled. The audio driver would log your keystrokes to look for special keys and saves them to a public folder on your PC (Windows).
I really wonder what kind of total retards decide to implement features in this way.
That moment when you convince your team's project manager to finally encrypt the config files before committing them to source control..
I've implemented my own version of IoT all over my room and home.
Hope the protocol I've designed has proper security...
Team are getting into using Machine learning for anomalous behaviour detection for authentication and traffic behaviour... It's so interesting and another useful tool in our security arsenal
Anyone there who uses a Mac and is somewhat conscious about security, I recommend reading through this page:
Any ranting about choice of OS and hardware, I'll show you why my nick is ChainsawBaby
For all of you security curious: this is a course from a Finnish uni and F-Secure (the company of Mr Hypponen himself), it's free and will probably get really interesting (at least, I hope)
You could even be able to get some credit points, although this might only apply to our Nordic friends.
Had a client who was using the staging system on my server as a CDN, remote computing, etc... because his prod server was a cheap vhost while the VM was a beast compared to it. I shut it down without telling him. I just got a call that his site is now slow af and full of errors.
I kindly told him that there was a recent security breach called Dirty COW. Then I told him that I shut the VM down because it would mean a security risk for him since there are no patches available yet, and that I would only power it on again when there was work for me to do.
If you want resources, pay for them
What's the best natural language processing software that won't f you up?
I'm a big fan of Alexa's capabilities but we all know that Alexa is to security what North Korea is to democracy.
Is there any software that can compete with the powerhouses that are Alexa, Google Home, Siri or Cortana?
Learning information security yet again after doing multiple information security things for company and manager is pushing to do it saying "due immediately" and they're after sending "a number of emails" (it's due in a month and they sent 1 email).
Annoying that these things must be done again and again just because someone in sales let something slip or left their journal behind like a dumb dumb. It's not like I'm ever off-site with my stuff or I interact with customer(s) yet
When a junior develops an API call which returns the user information, and there is the session_key and the encrypted password in it too.
Dude! Do you even know some basic security! Please don't just Select * From table join table!
I'm studying for the Security+ cert exam. I hate how I'm getting practice questions wrong because I mix up the port numbers between SFTP and FTPS! As if I wouldn't Google that in a heartbeat if I was configuring a firewall...
Been thinking about taking up server-side programming (I'm mobile).
Should I go with something like node.js, which I'm a bit familiar with and is quite popular or should I try another language/platform? Maybe Rust (given it's similar to Swift) or even Swift itself.
Any good resources (tutorials, guides, etc.) would be much appreciated, especially if they focus on security.
Me and other dev discussing how to easily get stacktraces during UAT
Other: Won't it be better if the users can send us the stacktraces themselves?
Me: No, we have to catch unhandled exceptions and just display a generic message to avoid accidentally dumping sensitive info to the client.
Other: Okay, let's just do console.log() instead
In highschool right now and I'm seriously interested in network and information security. I recently managed to work out possible internships at some top security firms based out of sweden. I am super stoked and am excited to see the pros work. Might be interesting.
Yeah, so when you create an account just about anywhere nowadays, you need to choose a strong password. Fair enough. But then, some sites/services/systems require a second password, sort of a password hint, as extra security for retrieving your first password in case you forget it. Well OK... That hint question just becomes very *in*secure when you must choose from some extremely stupid presets like "In which town were you born?" or "What was your mother's maiden name?", all of which are trivia that for most people can be easily googled, or looked up on Facebook ffs. And these "in which town did this or that happen?" questions? As there is only one town in my country, it's not a long shot that I was born in Mariehamn, met my partner in Mariehamn and had my first job in Mariehamn. Security questions for imbeciles.
I've been wondering about renting a new VPS to get all my websites sorted out again. I am tired of shared hosting and I am able to manage it as I've been in the past.
With so many great people here, I was trying to put together some of the best practices and resources on how to handle the setup and configuration of a new machine, and I hope this post may help someone while trying to gather the best know-how in the comments. Don't be scared by the lengthy post, please.
The following tips are mainly from @Condor, @Noob, @Linuxxx and some other were gathered in the webz. Thanks for @Linux for recommending me Vultr VPS. I would appreciate further feedback from the community on how to improve this and/or change anything that may seem incorrect or should be done in better way.
1. Clean install CentOS 7 or Ubuntu (I am used to both, do you recommend more? Why?)
2. Install existing updates
3. Disable root login
4. Disable password for ssh
5. RSA key login with strong passwords/passphrases
6. Set correct locale and correct timezone (if different from default)
7. Close all ports
8. Disable and delete unneeded services
9. Install CSF
10. Install knockd (is it worth it at all? Isn't it security through obscurity?)
11. Install Fail2Ban (worth to install side by side with CSF? If not, why?)
12. Install ufw firewall (or keep with CSF/Fail2Ban? Why?)
13. Install rkhunter
14. Install anti-rootkit software (side by side with rkhunter?) (SELinux or AppArmor? Why?)
15. Enable Nginx/CSF rate limiting against SYN attacks
16. For a server to be public, is an IDS / IPS recommended? If so, which and why?
17. Log Injection Attacks in Application Layer - I should keep an eye on them. Is there any tool to help scanning?
If I want to have a server that serves multiple websites, would you add/change anything to the following?
18. Install Docker and manage separate instances with a Dockerfile powered base image with the following? Or should I keep all the servers in one main installation?
19. Install Nginx
20. Install PHP-FPM
21. Install PHP7
22. Install Memcached
23. Install MariaDB
24. Install phpMyAdmin (On specific port? Any recommendations here?)
I am sorry if this is somewhat lengthy, but I hope it may get better and be a good starting guide for a new server setup (eventually become a repo). Feel free to contribute in the comments.28
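Items 3 to 5 of the checklist (no root login, no password login over SSH, key-based login only) come down to a handful of sshd_config directives. The POSIX shell audit below is an added example, not part of the post above; the sample config it writes is constructed, and on a real host you would point sshd_audit at /etc/ssh/sshd_config instead.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the directives behind checklist
# items 3-5. The sample config is constructed for this demo.

# Write a constructed sshd_config with one weak setting (root login allowed).
make_sample_config() {
  cat > "$1" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
EOF
}

# Print the value of a top-level directive. sshd takes the first value it
# sees for a directive, so the first non-comment match wins here as well.
sshd_get() {
  # $1 = config path, $2 = directive name (matched case-insensitively)
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ { next }
    tolower($1) == key { print $2; exit }
  ' "$1"
}

# Return 0 when every required directive has the expected value, 1 otherwise,
# printing one FAIL line per mismatch (an unset directive is also a mismatch,
# because the sshd default for PasswordAuthentication is "yes").
sshd_audit() {
  cfg="$1"; rc=0
  for pair in "PermitRootLogin=no" "PasswordAuthentication=no" \
              "PubkeyAuthentication=yes" "ChallengeResponseAuthentication=no"; do
    key="${pair%%=*}"; want="${pair#*=}"
    got="$(sshd_get "$cfg" "$key")"
    if [ "$got" != "$want" ]; then
      echo "FAIL $key: got '${got:-<unset>}', want '$want'"
      rc=1
    fi
  done
  return $rc
}

# Stand-alone use: ./sshd_audit.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then sshd_audit "$1"; fi
```

Run it before and after editing sshd_config, and remember to keep a second session open while you restart sshd so a typo cannot lock you out.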
When you hear that the "advanced holistic security" product the client bought is a basic firewall...1
Thinking of #password requirements: MumbaiNawazuddinSiddiqui123 is a valid password no? Has a capital, special character and numbers?7
Anyone have much success with Kali/WiFi penetration testing?
I've been tasked with trying to break WPA security within a couple of hours without a dictionary attack - is that even possible?
I have an Alfa AWUS036NHA capable of monitoring mode if that makes any difference. It's my first time trying anything like this.10
Many out there say you should use 2 factor authentication with everything, but personally I feel like that would just turn your phone into a single point of failure.
Physical security is my primary worry, because losing your phone or having it stolen would pretty much lock you out of all your accounts.
Another thing is I don't know as much about android security, and I wouldn't be comfortable managing it.
I have 2FA active for some key services, but imho a strong password is usually enough. I think it's far more important for your overall security to avoid password re-use.
What do you think? Do you have 2FA on all the time?9
This stupid study guide says CA's are pronounced "cah", and CRL's are "crill".
NO! They're not. Literally no one has ever said these asinine things!1
Is there an acceptable way to deal with API secrets in an Android app that can cure the anxiety that is slowly taking over me during the past few hours that I am researching about it? Thnx.
p.s. I am not sure how people that work in security can go on with their lives and not have suicidal tendencies10
Losing faith in Netflix and their awesome open source projects.
Had a hard time trying to install Security Monkey: poor quality quickstart, Ubuntu-only, almost no documentation, same instructions for the latest (aka dev) and stable (aka prod) version, no dependencies list... oh and the UI displays well only in Chrome...
Then you surrender and just want to check the dockerized version they provide: it doesn't work either (the build fails or the back end process just shuts down)!!
I'm done ...
Have you ever wondered why the developer part of the tech world is so rich and full of community? Devrant is one example.
Coming from a background of IT and cybersecurity I've never felt this way before. Why isn't the IT and security world as rich?1
Because of the current debate I'm starting to get more into all the cyber security and privacy stuff.
So now I am searching for a password manager.
Do you have any recommendations for me?
Or maybe some additional tools I really need to use?
(Got PGP for mail, signal as my new messenger, a vpn and tor for now)4
@dfox Was watching your live stream today and you talked about security... You should really add an HSTS preload directive to devrant.io to prevent spoofing.1
Why is everyone who claims to know a lot about web security and encryption not able to help me check if my system is secure :/
And some try to charge me afterwards -.-"
If they expect payment they should state that at the beginning and be able to actually do something...6
Want to use Http-VPN. Now I have to use Internet Explorer and Java and have to disable all security on my system. Fml
google security support... people get mad for only TEN (?) years XP support1
Since I started my routine of checking bug logs every morning, I've had 2 instances where a website vulnerability scanner was run against a production website and generated over 2,000 Coldfusion errors.
At the time, I was super nervous about the apparent hack attempt, and hyped that the attackers never actually got in. It's nice to know that despite the various errors indicating vulnerable / breakable code, they were ultimately unsuccessful. I know now that a determined attacker could probably have wrecked our production websites. Since then I've made a ton of security-related updates and I'm actually thankful for the script kiddie getting my attention with that scan.
PS. We're now building a website for a local security company who is going to work with us to pen test the site when it's finished! Gulp.4
I took a systems security class when I was in college and the exams were the most difficult ones that I had. We had to do two exams and I felt pretty stupid on both.
Passed the exams but they gave me some doubts about my skills.
Getting all the shitty half-broken stuff because you're 'just a contractor'...
...and not being allowed to use your own top-of-the-range stuff due to 'data security policies' 😧1
Attempted to install MetaTrader 5 with wine on linux, loving the irony of "... please install using Window 7 ... trading requires maximum security" bahaha4
Is anyone in the house working on Cloud Access Security Broker (CASB)? If yes, how is the domain and what's the market value of it?
I've implemented Chat function for my app. Since I'm a security noob what is the preferred way of encrypting the messages End-to-end maybe?
I'm definitely not leaving them as plain text :)5
How many of you devs came across sites with shitty security and thought to yourself that you could take this site down easily?2
I'd love to get into a career within the cyber security industry.
Anyone got advice?
I've played around with Kali/Parrot and set up a proxmox box to perform pen testing, and have a fair number of PDF ebooks and audio books on networks, security and pen testing13
So I changed my FB account password and it gave me email notification with an ip address. And then when I logged in it gave me another notification email with a different IP address this time. Should I be concerned about my network security? This is just SO ANNOYING!!!2
Hey all. So I'm a bit of an aspiring developer/engineer. I am in high school right now and am getting to the point where I should start looking at colleges. I've wanted to do something computer related and for a while now I've had my heart set on some sort of security engineer/tech/researcher, what have you. But it has been pointed out to me that computer sciences often require several high level math courses, namely Calc. Problem being I'm pretty bad at Calc and haven't been able to do too well.
I'm not too sure what I should do. I'm struggling with my high school calc classes and fear that college level courses will just go over my head. I've never had issues with math before until I got to Calc. I've got some of the basics of cryptography such as hashes and cryptographic algorithms but that's about it. Do computer science degrees really rely that heavily on Calc?7
How many people on devRant are skilled with pentesting / Offensive Security? How long did it take you to understand it? How do you keep yourself from crossing over white hat territory into grey hat territory?4
Do you have an issue with Equifax hiring a Chief Security Officer having a music degree or do you think that it has nothing to do with her competency and it shouldn't be brought up as an issue after this hack.. Go!!4
When you discover a rather big security flaw in a mate's code and your boss tells you that he might fix it for "version 2", for now we are good. Wtf, we are just hurting ourselves if this shit gets discovered by some other guy.
We are developing an android app for management and selling, for another company, and we are a little short on time for finishing the first version, but fuck, it's a big security flaw.
For persistence, either credentials or data, is there any best practice that prefers DATABASES over FILES? Files such as JSON or txt or whatever...
Do dbs offer better performance or security?💾6
My dad wants to add security cameras in our home. I kind of want to go ahead and add cool stuff(like automation or something) to our house using this opportunity.
What I am thinking of right now is salvaging an old desktop with an Nvidia GPU to add face recognition and motion detection to the mix. I am also thinking I could get an Alexa echo dot or something similar and hook everything up. Another idea is using owncloud to create my own cloud.
What do you guys think? Any ideas or suggestions? Maybe a cheaper way to do stuff?7
This shithead continuously wasted 2 lectures of CNS (Cryptography and Network Security) on debating: in link to link encryption, if encryption and decryption take place on every node, what if the attacker attacks the node while the data is decrypted.
Though I couldn't care less about the lecture but this guy brings the same issue in every lecture
Does anyone have any idea about link to link encryption?
I know already that it encrypts the whole packet with the header, and on each hop the data is decrypted, the destination ip address is fetched and it is encrypted again, but I don't know if it's possible to perform an attack on the decrypted data.3
Company automatically disables your employee login passwords after every 45 days, which is a good practice for ensuring security. However I get no notifications that my password is being disabled. The result, for the past 4 months, I've been going to IT support requesting them to let me change my password on their admin console because I forgot to change it 'once again'. Sigh.. :/2
Gf asked me to help her with getting science articles. She had some page that her university suggested students to use, but had troubles with downloading documents.
At first I was like "Hey, it says use IE, other browsers are not supported. That's bad but.. whatever". Then it popped up that she needs Java enabled - well, I guess we have to... Even updated it because it was needed.
Restarted IE, clicked download again and... Java security blocked web app... Eh, I don't trust it but whatever, just let's check what if I whitelist it.
Got some basic view, 1 dropdown list for "file name format" (like anybody cares), path selection where to save file, and some checkbox. Lame, but let's just leave it behind.
Downloaded, it turned out to be html file, not pdf, fishy that it was single file, but hoped for some text styled with css, so I opened it and got redirected to page where I clicked download.
Checked that file content - html with empty body and script tag containing js that redirects on load.
I've been working for so long with API integrations and one part of that is security. We perform ssl key exchanges for 2-way verification and a large percent of those partners provide me with their own pkcs12 file which contains their private and public keys! What's the sense of the exchange!? I think they just implement it to boast that they "know" how ssl works.
Hey there, I've never really done anything like this but I'm in the second year of college.
I really want to go into the security area, not completely sure but pretty inclined to pentesting.
The question is, what, in your opinion, do you think is a good starting point so I'm pretty much ready to start working when I finish my 5 year course? My college doesn't have any or many security classes, so I'll have to do it all by myself.
Let's play a game.
Theme: Security awareness - grey-hat style.
How to play:
Post the name of the site followed by actual bad-password restrictions of well-known companies in the comments.
If no-one beats me to it, I plan to share some of the more alarming ones (or all) on twitter and tag the relevant companies as well as various security enthusiasts.4
A security expert's advice on security is like a priest preaching about the way of life. Both of them tend to the same thing: that it would protect from `evil`
I'm lost here 😑! Got a new job and I'm supposed to analyze/fix/update the communication software/hardware internally. Data security is insanely important and everything should be inexpensive 😑. Any suggestion what I can use as software and communication tools?7
Sometimes I'll block a code submission with the words "security vulnerability", then go have a 10 minute break to see if the others can spot it on their own.
From the student's point of view: my IT security module last semester, which had nothing new for me because I was thrown into an internship with no work prepared and had to teach myself IT security for the whole semester, which has shown me that said path was the right one for me :)
One dev at the company I work at is developing an API and the responses for all the requests are basically the same.
However, for example, if you request a login and your credentials are wrong the response gives you:
But if the credentials are correct, the response gives you:
Is that correct? I mean, does that compromise security?5
How much of a security risk is it to serve static data from a json file on flask? Values are posted from a mobile device to a server to groom objects to return. My coworker is giving me a lot of shit for it as the file is accessed through a relative path, but the file names are checked and sanitised. He says the objects should be in a database.3
I'm currently learning assembly in school and... I actually kinda like it. (To my surprise). I was wondering if there were any good resources for learning about security at the assembly/system level?1
Dear Fellow Programmers,
I want to become a Cyber Security Specialist and am currently learning Java (beginner). Please, tell me if it is a good language for this type of activity and what else I should learn.2
If only the people behind git knew about Leonardo da Vinci's "Simplicity is the ultimate sophistication". Even https://en.m.wikipedia.org/wiki/... would have sufficed. Sigh. Well, job security is not bad either.2