
SandPaper @SandPaper@infosec.exchange

SandPaper boosted

oh, maybe you all would know this.

any tips for scraping a #wordpress-based site for the urls of all posts by a particular author? I tried a few combinations of lynx -dump, wget, & grep but don't know enough about any of them.

i.e. https://site.tld/author/authorsname, https://site.tld/author/authorsname/page/2, page/3, etc., where the posts are like https://site.tld/1970/01/01/title-of-post
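One way to do this with a small Python script instead of lynx/wget/grep, added here as an example (not the original poster's code): walk the author archive /author/authorsname/, /author/authorsname/page/2/, ... until a page is missing or yields nothing new, and keep only same-host links whose path looks like a dated permalink (/YYYY/MM/DD/slug/), which is the layout described in the post. The archive layout and the sample pages below are assumed/constructed so the script runs offline; swap `sample_fetch` for `http_fetch` to run it against a live site. (If the site exposes the WordPress REST API, `/wp-json/wp/v2/posts?author=<id>` gives the same list as JSON with far less parsing.)

```python
"""Collect the URLs of all posts in a WordPress author archive by following
/author/<name>/page/<n>/ pagination. Added example, not the original poster's
code; date-based permalinks (/YYYY/MM/DD/slug/) are assumed from the question."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
from urllib.request import urlopen

# Path shape of a dated WordPress permalink, e.g. /1970/01/01/title-of-post/
POST_RE = re.compile(r"^/\d{4}/\d{2}/\d{2}/[^/]+/?$")


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag on a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_post_urls(html, base):
    """Return same-host post permalinks found in html, deduplicated, in page order."""
    parser = LinkCollector()
    parser.feed(html)
    site = urlparse(base)
    found = []
    for href in parser.hrefs:
        u = urlparse(urljoin(base, href))          # resolve relative links
        if u.netloc == site.netloc and POST_RE.match(u.path):
            clean = f"{u.scheme}://{u.netloc}{u.path}"  # drop ?query and #fragment
            if clean not in found:
                found.append(clean)
    return found


def archive_page_url(site, author, page):
    """URL of page N of an author archive (page 1 has no /page/1/ suffix)."""
    base = f"{site.rstrip('/')}/author/{author}/"
    return base if page == 1 else f"{base}page/{page}/"


def crawl_author(site, author, fetch, max_pages=100):
    """Walk the archive pages with fetch(url) -> html or None and gather post URLs."""
    urls = []
    for page in range(1, max_pages + 1):
        html = fetch(archive_page_url(site, author, page))
        if html is None:
            break  # WordPress answers 404 past the last archive page
        new = [u for u in extract_post_urls(html, site) if u not in urls]
        if not new:
            break  # no new posts on this page; stop rather than loop forever
        urls.extend(new)
    return urls


def http_fetch(url):
    """Live fetcher: page body as text, or None on any HTTP/network error."""
    try:
        with urlopen(url, timeout=20) as resp:
            return resp.read().decode("utf-8", "replace")
    except Exception:
        return None


# Constructed two-page archive so the example runs offline (hypothetical site).
SAMPLE_SITE = "https://site.tld"
SAMPLE_PAGES = {
    "https://site.tld/author/authorsname/": """
      <a href="https://site.tld/">Home</a>
      <a href="/1970/01/01/title-of-post/">Title of post</a>
      <a href="https://site.tld/1970/01/02/second-post/">Second post</a>
      <a href="https://site.tld/1970/01/01/title-of-post/#comments">3 comments</a>
      <a href="https://site.tld/author/authorsname/page/2/">Older posts</a>
      <a href="https://other.tld/1970/01/03/not-ours/">elsewhere</a>""",
    "https://site.tld/author/authorsname/page/2/": """
      <a href="/1969/12/31/third-post/">Third post</a>
      <a href="/category/news/">News</a>""",
}


def sample_fetch(url):
    """Offline fetcher over the constructed pages; a missing page acts like a 404."""
    return SAMPLE_PAGES.get(url)


if __name__ == "__main__":
    for u in crawl_author(SAMPLE_SITE, "authorsname", sample_fetch):
        print(u)
```

The same-host check and the permalink regex are what keep navigation, category and comment links out of the result; on a site with non-dated permalinks, replace `POST_RE` with whatever shape its post URLs take.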

SandPaper boosted

@cwcopa - For the basics of Linux and Bash shell scripting, I love:
- The Linux Foundation’s “Introduction to Linux”

edx.org/course/introduction-li

For the basics of Computer Science and application programming, I love:
- Harvard’s CS50

edx.org/course/cs50s-introduct

All free.

Red team tip: send your spear phishing messages with read receipt requests to verify your emails are going through to victims, as most people seem to ignore the receipt requests as a minor nuisance.

Blue team tip: disable these ducking stalker requests across the board.
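The header behind the tip above is the Message Disposition Notification request (`Disposition-Notification-To`, RFC 8098), with the older non-standard `Return-Receipt-To` still honoured by some clients. The example below is added here and is not the poster's code: it builds a message carrying both headers, as the red-team side would, and shows one way to implement the blue-team side at an inbound gateway by recording and stripping them before the mail client ever sees them. Addresses and subject line are constructed.

```python
"""Read-receipt requests in mail headers: build one, then detect and strip it.
Added example, not the original poster's code. Addresses are constructed."""
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Standard MDN request header (RFC 8098) and the legacy header some clients honour.
RECEIPT_HEADERS = ("Disposition-Notification-To", "Return-Receipt-To")


def build_message_with_receipt(sender, recipient):
    """Red-team side: a lure that asks the recipient's client to report when it is read."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Updated benefits enrollment form"   # constructed subject
    msg["Disposition-Notification-To"] = sender  # requests an MDN on display
    msg["Return-Receipt-To"] = sender            # legacy equivalent
    msg.set_content("Please review the attached form by Friday.")
    return msg


def receipt_requests(msg):
    """Detection: which receipt-request headers are present and where they point."""
    return {h: str(msg[h]) for h in RECEIPT_HEADERS if msg[h] is not None}


def strip_receipt_requests(msg):
    """Blue-team side: remove every receipt-request header; return what was removed."""
    removed = receipt_requests(msg)
    for header in removed:
        del msg[header]  # deletes all occurrences of that header
    return removed


def gateway_filter(raw):
    """Process one raw inbound message as a gateway would: parse, log, strip, re-serialize."""
    msg = message_from_string(raw, policy=default)
    removed = strip_receipt_requests(msg)
    if removed:
        # In production this line would go to the mail log / SIEM, not stdout.
        print(f"receipt request stripped from {msg['From']}: {removed}")
    return msg.as_string()


if __name__ == "__main__":
    lure = build_message_with_receipt("hr@corp-benefits.example", "alice@example.org")
    cleaned = gateway_filter(lure.as_string())
    print("Disposition-Notification-To" in cleaned)  # False after filtering
```

Stripping at the gateway is a belt-and-braces measure; the actual client-side control is the mail client's policy of never answering MDN requests, which is what "disable across the board" refers to.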

SandPaper boosted

Wow, FileZilla’s bundled installer includes a malware downloader and the dev defends it horribly.

If using FileZilla, uninstall and find something else. Even if this issue is fixed, the morally ambiguous and defensive response is very concerning.

forum.filezilla-project.org/vi

SandPaper boosted

Just published a post on how you can set up an open source security scanner (ZED Attack Proxy) for your file transfer server sftpplus.com/articles/2018/sft which uses HTTP(S) authentication.

You can adapt to fit your own server.

SandPaper boosted

Time to Act - Children Separated at US Border.

Anyone have suggested methods of running tracert from Android (non-rooted)? I see there are various apps.

Soliciting suggestions:

I'm going to be running a meeting to go over enterprise risk assessment w/ exec management. I've worked w/ them successfully for years in other realms, so I know the players & styles, but for some reason I can't seem to get much out of these meetings. What would others make sure they impart on c level & try to get out of the meeting?

SandPaper boosted

Just heard "weaponized HR" as a term related to less defined roles, particularly for IT in this instance, so employees can be assigned to projects as needed. Please tell me this is not a new buzz word.

People REALLY don't like it when you change "delete or destroy" to "sanitize" in a contract. 🤔

Everybody: Woohoo! May 25th! It's over! I'm finally done with all the GDPR work!

Narrator: It was, in fact, NOT over. It was just getting started.

I don't get to play a lot of video games anymore. Fact is, I'd rather be making them anyway but no time for that while I study up on all things infosec.

But I don't know how to pass on this. And it's free!

humblebundle.com/store/hacknet

Hacknet is an immersive, terminal-based hacking simulator. Dive down a rabbit hole as you follow the instructions of a recently deceased hacker, whose death may not have been the accident the media reports.
...Based on actual UNIX commands

Not sure if I should add a disclaimer to my voicemail stating that callers consent to having their PII contact info stored in vm system as a joke or not.

I've been telling myself "I can't wait until 5/25 to come" as if all GDPR work will be done. I don't know why I lie to myself.

SandPaper boosted

Other than the Belgian DPA apparently indicating a 5 year recommendation (privacylawblog.fieldfisher.com, I can't read the original report), does anybody know how long Art. 30 documentation needs to be kept around?

Curious. Just live chatted with an online retailer regarding a price match. They have you submit the URL to the competitors' website. I can't help but wonder if they have appropriate controls in place if that link were malicious in nature & clicked by the associate. I'm assuming they outsource the work to a third party who might not have the same sec budget. I'm sure I'm not the first person to think about this. I'm sure my brain is just being dumb.

I'm going to have to write "first rule of IR club is: don't talk about IR club" into my revised incident response procedures.

I came across this and think it's an interesting thought game:

twitter.com/chrissanders88/sta

Assume you've been hired as the 1st CISO of a 1000 employee org that has no dedicated sec team.

You can hire 5 people your first year. What roles do you fill?

Choose wisely, because you don't know if/when you'll ever get to hire anyone else.

Reader choice on org type.