A fellow intern recommended the use of windows server for security and speed reasons.

Few details about the situation: windows server got hacked due to a vulnerability which had no patch released yet and this had happened multiple times that year. Also, the company was migrating everything to Linux (servers).

The senior/lead programmer literally gave him a GTFO face and pointed at the door.

Everyone was giving him the GTFO face by the way, he didn't know how fast he had to get out 🤣

A quite severe vulnerability was found in Skype (at least for windows, not sure about other systems) allowing anyone with system access (remote or local) to replace the update files skype downloads before updating itself with malicious versions because skype doesn't check the integrity of local files. This could allow an attacker to, once gaining access to the system, 'inject' any malicious DLL into skype by placing it in the right directory with the right file name and waiting for the user to update (except with auto updates of course).

From a company like Microsoft, taking in mind that skype has hundreds of millions of users worldwide, I'd expect them to take a very serious stance on this and work on a patch as soon as possible.

What they said about this: they won't be fixing it anytime soon as it would require a quite big rewrite of skype.

This kinda shit makes me so fucking angry, especially when it comes from big ass companies 😡. Take your fucking responsibility, Microsoft.

Security tester: Injects XSS into a rich text editor and flags it for a vulnerability.

"Oh that's fine, let's just disable right click on our page so no one can inspect the page and inject anything."

...

My boss ladies and gentlemen.

Corporate IT: YOU MUST COME INTO THE OFFICE. WE JUST RECEIVED AN URGENT NOTIFICATION FROM APPLE OF A SECURITY VULNERABILITY IN iOS DEVICES. YOU HAVE BEEN IDENTIFIED AS HAVING A MAC ASSET. COME INTO THE OFFICE IMMEDIATELY AND UPDATE IT.

Dev: I don’t use that mac, it sits in my office desk drawer unplugged. I’ll update it if I ever need it for anything. Which I won’t, we don’t do iOS dev anymore.

Corporate IT: NOOOOO!!! YOU MUST UPDATE IT NOW!!!

Dev: I’m not wasting time driving into the office this week. We have an important deadline we’re working on, I can’t afford to lose 2 hours to this. Plus it can’t be turned on right now, It’s been unplugged for 2 years.

Corporate IT: THAT WOULDN’T STOP A HACKER!!

Dev: …

This happened at my last internship. There was this other intern and he was a TO THE FUCKING MAX windows fanboy and whenever someone said something bad about windows he'd go full rage. Also, he'd sometimes spend half an hour at my desk explaining why windows was the best and Linux sucked.

This one time, I read about a newly discovered windows vulnerability and told the employees so they'd update quickly and they were like ' thanks for the notification mate!' And then that guy came up to me telling that 'Linux also has severe vulnerabilities sometimes'. YES I FUCKING KNOW THAT I'M JUST TRYING TO GET PEOPLE TO UPDATE FOR THEIR SECURITY YOU FUCKING ASSHAT. I got really mad. Still, fuck that guy.

!rant
The change log from notepad++ update. The last paragraph is the cream!

" The issue of a hijacked DLL concerns scilexer.dll (needed by Notepad++) on a compromised PC, which is replaced by a modified scilexer.dll built by the CIA. When Notepad++ is launched, the modified scilexer.dll is loaded instead of the original one.
It doesn't mean that CIA is interested in your coding skill or in your sex message content typed in Notepad++, but rather it prevents raising any red flags while the DLL does data collection in the background.

It's not a vulnerability/security issue in Notepad++, but for remedying this issue, from this release (v7.3.3) forward, notepad++.exe checks the certificate validation in scilexer.dll before loading it. If the certificate is missing or invalid, then it just won't be loaded, and Notepad++ will fail to launch.

Checking the certificate of DLL makes it harder to hack. Note that once users’ PCs are compromised, the hackers can do anything on the PCs. This solution only prevents from Notepad++ loading a CIA homemade DLL. It doesn't prevent your original notepad++.exe from being replaced by modified notepad++.exe while the CIA is controlling your PC.

Just like knowing the lock is useless for people who are willing to go into my house, I still shut the door and lock it every morning when I leave home. We are in a f**king corrupted world, unfortunately. "

Forgive me father, for I have sinned.  Alot actually, but I'm here for technical sins.  Okay, a particular series of technical sins.  Sit your ass back down padre, you signed up for this shit.  Where was I?  Right, it has been 11429 days since my last confession.  May this serve as equal parts rant, confession, and record for the poor SOB who comes after me.

Ended up in a job where everything was done manually or controlled by rickety Access "apps".  Many manhours were wasted on sitting and waiting for the main system to spit out a query download so it could be parsed by hand or loaded into one of the aforementioned apps that had a nasty habit of locking up the aged hardware that we were allowed.  Updates to the system were done through and awful utility that tended to cut out silently, fail loudly and randomly, or post data horrifically wrong.

Fuck that noise.  Floated the idea of automating downloads and uploads to bossman.  This is where I learned that the main system had no SQL socket by default, but the vendor managing the system could provide one for an obscene amount of money.  There was no buy in from above, not worth the price.

Automated it anyway.  Main system had a free form entry field, ostensibly for handwriting SELECT queries.  Using Python, AutoHotkey, and glorified copy-pasting, it worked after a fashion.  Showed the time saved by not having to do downloads manually.  Got us the buy in we needed, bigwigs get negotiating with the vendor, told to start developing something based on some docs from the vendor.  Keep the hacky solution running as team loves not having to waste time on downloads.

Found SQLi vulnerability in the above free form query system, brought it up to bossman to bring up the chain.  Vulnerability still there months later.  Test using it for automated updates.  Works and is magnitudes more stable than update utility.  Bring it up again and show the time we can save exploiting it.  Decision made to use it while it exists, saves more time.  Team happier, able to actual develop solutions uninterrupted now.  Using Python, AutoHotkey, glorified copy-pasting, and SQLi in the course of day to day business critical work.  Ugliest hacky thing I've ever caused to exist.

Flash forward 6 years.  Automation system now in heavy use acrossed two companies.  Handles all automatic downloads for several departments, 1 million+ discrete updates daily with alot of room for expansion, stuff runs 24/7 on schedule, most former Access apps now gone and written sanely and managed by the automation system.  Its on real hardware with real databases and security behind it.

It is still using AutoHotkey, copy-paste, and SQLi to interface with the main system.  There never was and never will be a SQL socket.  Keep this hellbeast I've spawned chugging along.

I've pointed out how many ways this can all go pearshaped.  I've pointed out that one day the vendor will get their shit together they'll come in post system update and nothing will work anymore.  I've pointed out the danger in continuing to use the system with such a glaring SQLi vulnerability.

Noone cares.  Won't be my problem soon enough.

In no particular order:
Fuck management for not fighting for a good system interface
Fuck the vendor for A) not having a SQL socket and B) leaving the SQLi vulnerability there this long
Fuck me for bringing this thing into existence

I think we're going two sides:

For one, more and more technology is being developed/engineered which is even more and more and more intrusive as for personal privacy, I'm genuinely worried how this'll go as privacy isn't just a about not exposing certain things like passwords/bank account details and so on, it's also about being an individual who has their own thoughts, opinions and so on. If we keep taking that away more and more often, society will change and go towards the Orwell scenario (we're on our way there right now). We can change this as software/design/server engineers but that's up to us and I sadly don't see that happening quickly, also due to the 'nothing to hide' bullshit.

Second one is that were going more and more towards open source.
This is a good thing as this:
- gives freedom to devs around the world to improve software and/or modify it to suit their needs.
- gives people the opportunity to look through the source code of softwares in order to verify it as for backdoors and find security vulnerabilities which otherwise can remain hidden for the general public while spying agencies have way more resources to go vulnerability hunting.

For the people who think this isn't a good idea (even more open source), without it we'd be completely fucked as for moving forward/security/privacy. (I can give examples if wanted).

I think the hardest thing about being a programmer in college with a security emphasis is when I approach a business for a penetration test or for a vulnerability analysis (your pick) is that they almost always say, "you are pretty young don't you think?"

Ummmm not sure what that has to do with it. If it would make you feel better I have claimed bug bounties from an antivirus company, a bank, several local businesses in my area and I do this for work at my 9-5.

And this week I got this, "I think I would like someone older so we can define the goals better."

Oh so rules of engagement, yeah of course I understand that and that's something we would discuss and draw up a contract for...

"Well we really need someone more skilled."

---- End of story ----

I don't understand, you haven't asked about certifications or schooling and you glanced at my resume for exactly 5 seconds what the hell do you want? Me to double my age over night?

Anyone hear about the emergency patch that Microsoft just released? Its a RCE vulnerability CVE-2017-11937 which ironically targets all of Microsoft's security products.

Basically when Windows defender scans a specially crafted file the attacker can run code as the LocalSystem. Nice one Microsoft!

Reported an important security vulnerability inside our organization, right before getting off work. A security team member contacts me over chat asking for some details on my investigation. At the end, he tells me: "thanks, I will copy and paste this conversation on the ticket so that everyone can see".

What I imagined: he would copy and paste the conversation as is, so that every line written by me is prefixed with my name.

What he does: he writes a summary of our conversation, barely mentioning my name, making it look like that part of the investigation was done by him.

Now I have so much anger inside of me that my internal organs are boiling.

watching the online course for CEH... dude used the Death Star as a tangible example of how exploits work.
IDK if I should love it for the nerdiness, or be slightly sad that someone needs that type of example of what a vulnerability vs an exploit is, when they're going for the Certified Ethical Hacker certification...
Might be better in an introduction to Network Security class?

Also, while discussing the security, usability, and functionality triangle, he reference the Staples "Easy Button" - does one thing, not very secure, and not very functional (in that it has more than one function)...

Putty remote executuon vulnerability(no patch yet)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to unspecified input validation error when processing data, received from SSH server. A remote attacker can trick the victim to connect to a specially crafted SSH server and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Ya'll know what... If humans weren't such annoying vulnerability-searching little shits then we wouldn't have had to implement any protection against them and think of all the performance that would be saved on that. Take branch prediction vulnerability mitigation in the Linux kernel for example, that's got to make a performance hit of least 10% on basically everything.

Alas, I do get why security is important and why we keep such vulnerability mitigation running despite the performance hit. I get why safe code is necessary but still... if these people weren't such annoying little bastards.

Yeah, I was just kind of set off by the above. So much would be faster and easier if only the programmers wouldn't have to plan for people exploiting their software. Software would be written much faster and humans would progress to stuff that actually matters like innovation.

So one of my clients had a different company do a penetrationtest on one of my older projects.

So before hand I checked the old project and upgraded a few things on the server. And I thought to myself lets leave something open and see if they will find it.

So I left jquery 1.11.3 in it with a known xss vulnerability in it. Even chrome gives a warning about this issue if you open the audit tab.

Well first round they found that the site was not using a csrf token. And yeah when I build it 8 years ago to my knowledge that was not really a thing yet.

And who is going to make a fake version of this questionair with 200 questions about their farm and then send it to our server again. That's not going to help any hacker because everything that is entered gets checked on the farm again by an inspector. But well csrf is indeed considered the norm so I took an hour out of my day to build one. Because all the ones I found where to complicated for my taste. And added a little extra love by banning any ip that fails the csrf check.

Submitted the new version and asked if I could get a report on what they checked on. Now today few weeks later after hearing nothing yet. I send my client an email asking for the status.

I get a reaction. Everything is perfect now, good job!

In Dutch they said "goed gedaan" but that's like what I say to my puppy when he pisses outside and not in the house. But that might just be me. Not knowing what to do with remarks like that. I'm doing what I'm getting paid for. Saying, good job, your so great, keep up the good work. Are not things I need to hear. It's my job to do it right. I think it feels a bit like somebody clapping for you because you can walk. I'm getting off topic xD

But the xss vulnerability is still there unnoticed, and I still have no report on what they checked. So I have like zero trust in this penetration test.

And after the first round I already mentioned to the security guy in my clients company and my daily contact that they missed things. But they do not seem to care.

Another thing to check of their to do list and reducing their workload. Who cares if it's done well it's no longer their responsibility.

2018 disclaimer: if you can't walk not trying to offend you and I would applaud for you if you could suddenly walk again.

Social Captain (a service to increase a user's Instagram followers) has exposed thousands of Instagram account passwords. The company says it helps thousands of users to grow their Instagram follower counts by connecting their accounts to its platform. Users are asked to enter their Instagram username and password into the platform to get started.

According to TechCrunch : Social Captain was storing the passwords of linked Instagram accounts in unencrypted plaintext. Any user who viewed the web page source code on their Social Captain profile page could see their Instagram username and password in plain text, as they had connected their account to the platform. A website bug allowed anyone access to any Social Captain user's profile without having to log in ; simply plugging in a user's unique account ID into the company's web address would grant access to their Social Captain account and their Instagram login credentials. Because the user account IDs were for the most part sequential, it was possible to access any user's account and view their Instagram password and other account information easily. The security researcher who reported the vulnerability provided a spreadsheet of about 10,000 scraped user accounts to TechCrunch.

Apache Tomcat vulnerability "GHOSTCAT" allows read conduct files and implant web shells. All versions in the last 13 years vulnerable.

According to Security Researcher of Chaitin Tech : Due to a flaw in the Tomcat AJP protocol (the channel for Tomcat to connect to the outside, pass them to the corresponding web application for processing and return the response result of the request), an attacker can read or include any files in the webapp directories of Tomcat.

For example, An attacker can read the web-app configuration files or source code. In addition, if the target web application has a file upload function, the attacker may execute malicious code on the target host by exploiting file inclusion through "GHOSTCAT" vulnerability.

Apache Tomcat has officially released versions 9.0.31, 8.5.51, and 7.0.100 to fix this vulnerability.

The one thing more annoying than my girlfriend is the chain of mail I get from Github saying,

"One of your dependencies has a security vulnerability."

I've been interested in security for years but despite knowing the theory I've always had this disconnect with actually doing it, about two years ago I finally managed to find and exploit my first cross-site scripting vulnerability in my companies Product whilst doing some routine acceptance testing. It was a penny drop moment for me which has led to some very interesting projects and It was pretty badass.

I reached out to a developer who's site was being contracted out to Amazon devs, because when their site launched it had a couple of security issues. This was his response:

"An additional thought/opinion... Just because a college freshman from Arizona wasn't too hungover to make the effort to notify us and take the liberty of classifying this as a security issue for us doesn't mean we need to take their word for it."

My new colegue at work was tasked with getting familiar with some Java code that had security vulnerability. He complained about slow build time for the first hour and then I stopped paying attention. At the end of day I checked on him and was like wtf how are you still trying to build this.
Turns out he ran Gradle task bootRun and watched logs of working app for 8 hours because he thought that's build xD

Don't need Netflix when you have a production deployment right before a long weekend. It has failed since last two weeks due to vulnerabilities present in one of libraries(P.S. FUCK JAVASCRIPT and Post release vulnerability scans!). You have rewritten the whole functionality from scratch twice! Security gates finally open for you, welcoming with arms wide open. So you click Deploy! DAFUQ!! FUCK MY LIFE! Deployment failed! It's only a 3 hour window to deploy! You frantically re-review your code, is it me?? Not again!! It isn't! Well, why is the deployment failing, you work against the clock. Going through configs, code, documentation! WTF is it?? Should I give up and raise a support ticket? Nope! You login to the server, sifting through logs and configs, there's a couple of other tickets with today's deadline. What are you going to do? And you get a hint! You take the hunch, change the config 5 minutes before deadline!
Get merge request approved, wait for the build, hit DEPLOY!! Nail biting 3 minutes! Your eyes fixed on the logs! Building..... Pushing instances..... Starting App..... SUCCESS!!! Finish the remaining tickets! Your long weekend still exists!

Dependency hell is the largest problem in Linux.

On Windows, I just download an executeable (.exe) file, and it just works like a charm! But Linux sometimes needs me to install dependencies.

At one point, I nearly broke my operating system while trying to solve dependencies. I noticed that some existing applications refused to start due to some GLIBC error gore. I thought to myself "that thing ain't gonna boot the next time", so I had to restore the /usr/lib/x86_64-linux-gnu/ folder from a backup.

And then there is a new level of lunacy called "conflicting dependencies". I never had such an error on Windows. But when I wanted to try out both vsftpd and proFTPd on Linux, I get this error, whereas on Windows, I simply download an .exe file and it WORKS! Even on Android OS, I simply install an APK file of Amaze File Manager or Primitive FTPd or both and it WORKS! Both in under a minute. But on Linux, I get this crap. Sure, Linux has many benefits, but if one can't simply install a program without encountering cryptic errors that take half a day to troubleshoot and could cause new whack-a-mole-style errors, Linux's poor market share is no surprise.

Someone asked "Why not create portable applications" on Unix/Linux StackExchange. Portable applications can not just be copied on flash drives and to other computers, but allow easily installing multiple versions on a system. A web developer might do so to test compatibility with older browsers. Here is an answer to that question:

> The major argument [for shared libraries] is security, that if there is a vulnerability in a commonly-used library, then only that library has to be updated […] you don't have to have 4 different versions of a library installed

I just want my software to work! Period. I don't mind having multiple versions of libraries, I simply want it to WORK! To hell with "good reasons" for why it doesn't, and then being surprised why Linux has a poor market share. Want to boost Linux market share? SOLVE THIS DAMN ISSUE!.

Understand that the average computer user wants stuff to work out of the box, like it does in Windows.

This was initially a reply to a rant about politics ruining the industry. Most of it is subjective, but this is how I see the situation.

It's not gonna ruin the industry. It's gonna corrupt it completely and fatally, and it will continue developing as a toxic sticky goo of selfishness and a mandatory lack of security until it chokes itself.

Because if something can get corrupted, it will get corrupted. The only way for us as a species to make IT into a worthy industry is to screw it up countless times over the course of a hundred years until it's as stable and reliable as it can possibly be and there are as many paradigms and individually reasonable standards as there can possibly be.

Look around, see the ridiculus amount of stupid javascript frameworks, most of which is just shitcode upon vulnerabilities upon untested dependencies. Does this look to you like an uncorrupted industry?

The entire tech is rotting from the hundreds of thousands of lines of proprietary firmware and drivers through the overgrown startup scene to fucking Node.js, and how technologies created just a few decades ago are unacceptable from a security standpoint. Check your drivers and firmware if you can, I bet you can't even see the build dates of most firmware you run. You can't even know if it was built after any vulnerability regarding that specific microcontroller or whatever.

Would something like this work in chemical engineering? Hell no! This is how fucking garage meth labs work, not factories or research labs. You don't fucking sell people things without mandatory independent testing. That's how a proper industry works. Not today's IT.

Of course it's gonna go down in flames. Greed had corrupted the industry, and there's nothing to be done about it now but working as much as we can, because the faster we move the sooner we'll get stuck and the sooner we can start over on a more reasonable foundation.

Or rely on layers of abstraction and expect our code to be compilable on anything the future holds for us.

The first time i've scripted something and found a vulnerability on a production web application was one of the best moment i've ever had, never been so excited!

(mmh, maybe i need to switch to security :D)

I once had a manager who demanded I physically print all of the Kanban cards and tape them to the office whiteboard. I was told to move the cards across the board after they were moved in TFS. I still had to keep up with my other duties in the QA department too!

Despite that, I still stayed on board with the company (the pay was good, and the work was simple.) As a QA teeter, I uncovered a rather nasty security vulnerability that would have put all of our customers data at reach to anybody. I advised my manager, and was told - just ignore it and ship the code please. I refused.

I was threatened with being fired, verbally assaulted, and challenged at the most trivial ways in everything I did after that.

Jokes on him now. I work from home in my dream job, doing what I love, with a manager who actually gives a rats ass about my concerns.

Moral of the story here - you don't have to agree with your subordinates , but you do need to validate their concerns.

Well for starters the website that gave you assignments on security of web applications shouldn't have an SQL injection vulnerability on the login page.

Next would be the method of teaching, they would skip what not to do and go straight to what you should do. This in turn causes people to use the exec command in php that actually takes a POST parameter.

And stop allowing teachers to be lazy fucks that don't explain shit and only give you assignments.

And finally when telling the teacher that a method he uses would cause another vulnerability the teacher should properly fix this issue not say it is for an "advanced course".

Yes I am pissed

If only NPM' security team (so pretty much NSP's) would inform the package owners as soon as they discover vulnerabilities and give them the standard 30-90 days to fix them and release a new version before going public, instead of straight out publishing the security audits which generates noise on the terminal (obviously when using npm) and on Github

I've always considered myself a stalwart proponent of strong, effective security. But I'll be damned if my company's security policy isn't choking it's developers out.

It's like whenever a developer requirement and potential security vulnerability meet, the company doubles down on the security side, ignores their dev's needs entirely, and then takes a privilege away just to punish us for having the audacity to try and do our God damn jobs.

Since I started my routine of checking bug logs every morning, I've had 2 instances where a website vulnerability scanner was run against a production website and generated over 2,000 Coldfusion errors.

At the time, I was super nervous about the apparent hack attempt, and hyped that the attackers never actually got in. It's nice to know that despite the various errors indicating vulnerable / breakable code, they were ultimately unsuccessful. I know now that a determined attacker could probably have wrecked our production websites. Since then I've made a ton of security-related updates and I'm actually thankful for the script kiddie getting my attention with that scan.

PS. We're now building a website for a local security company who is going to work with us to pen test the site when it's finished! Gulp.

Target #1 - Aim to further develop my university security project (A python based vulnerability scanner), and move this over to GitHub.

Target #2 - Aim for reaching ten contributions on open source projects and start building up my developer profile pre-graduation in September!

Hey ... Is it possible to figure out the clients path (f.e. C:\Users\...) to a file he uploaded to a website on the server side?

My boss thinks it could be done and wants me to programm it. But I think we'd need a zero day vulnerability in a specific (and probably very old) browser to do something like that... That would be a huge security issue...
Wouldn't it?

What do you think?

PHP is so insecure and vulnerable that it makes me feel unsafe. It has so many features and settings that can lead to security risks, such as register_globals, magic_quotes, and allow_url_fopen. It also has so many functions that can execute arbitrary code or commands, such as eval, exec, and system.

It is like PHP was designed by a bunch of hackers who wanted to exploit every possible loophole.

Just discovered someone I told about a hack for the computers in school (nothing difficult just booting from a USB) had a link to C2K the company that provides the system and told them about it and now they've patched it up, so in a way, it's my first security vulnerability report, in another way, I can no longer play games and program in free

Two security researchers have published details about a vulnerability in the Windows Printing Service which impacts all Windows versions.

According to a Report of ZDNet : The vulnerability codenamed 'PrintDemon' which is located in Windows Print Spooler (Windows component responsible for managing print operations). The service sends data to be printed to a USB port for physically connected printers. In a report published, security researchers Alex Ionescu & Yarden Shafir said they found a bug in this old component that can be abused to hijack the Printer Spooler internal mechanism. The bug can not be used to break into a Windows client remotely over the internet, so it's not something that could be exploited to hack Windows systems over the internet.

Anyone use docker in production handling monies and hundreds accounts? In Django in my case but doesnt matter the framework. More concerned with security and stability moving from paas to docker based paas. Worried I'll move everything to docker and end up moving back to vms bc of some issues or some vulnerability.

Devs and security researchers out there!!
I had a doubt regarding subdomain takeover vulnerability.

How to find where a site is hosted on heroku or AWS or heroku or more?

I was trying to write a script for it.

Any expertise will be welcomed.

Sometimes I'll block a code submission with the words security vulnerability", then go have a 10 minute break to see if the others can spot it on their own.

this afternoon, we got email from our pentester. He said that he got some security vulnerability in our project. He found .git/ folder in project directory in production server. He considered it as security vulnerability because user can see all git branch on remote repo. He recommend us to remove that folder but the problem is, we using CI/CD so we need that .git/ folder. My question is it bad practice to use git on production server?