Scott Mortimer @ScottMortimer@infosec.exchange
Information Security geek, Old School RPG nerd, and wannabe fiction writer.
https://scott.mortimer.name
Linux distro hacked on GitHub, “all code considered compromised” – Naked Security
WiFi's tougher WPA3 security is ready
WiFi's tougher WPA3 security is coming to your router in the near future.
https://www.engadget.com/2018/06/26/wpa3-wifi-security-official-launch/
You would think that an internal system that is being used to perform SSH Brute Force attacks against other systems would be handled immediately when reported. Maybe next time I will start blogging publically about it in detail and see if that wakes somebody up.
Had to report SSH Brute from MIT system twice. I really hate organizations that don't take their internal security seriously.
Time: Mon Jun 25 22:53:55 2018 -0400 IP: 18.82.1.150 (US/United States/electrochem-d825.mit.edu) Failures: 5 (sshd) Interval: 3600 seconds Blocked: Temporary Block for 86400 seconds [LF_TRIGGER] Log entries: Jun 25 22:53:11 magian sshd[32631]: Did not receive identification string from 18.82.1.150 Jun 25 22:53:45 magian sshd[32643]: Invalid user ana from 18.82.1.150
Cheap roomba!
It's time for TLS 1.0 and 1.1 to die (die, die)
https://www.theregister.co.uk/2018/06/19/ietf_calls_for_formal_tls_1_0_1_1_deprecation/
Learn it. Love it. Live it. Configure it.
https://www.digicert.com/ssl-support/ssl-enabling-perfect-forward-secrecy.htm
Learn it. Love it. Live it.
https://www.wired.com/2016/11/what-is-perfect-forward-secrecy/
Five steps to becoming an #InfoSec professional overnight:
1) Buy an obscure domain name, a black hoody and a Guy Fawkes mask.
2) Create a website with the following stylesheet:
background: #000;
h1,h2,h3,h4,h5,h6,p {
font-family: "Courier";
color: Green;
}
3) Replace your OS with Kali; Google how to use Metasploit & Aircrack. Dude, you're a 1337 hacker now, your Vista partition ain't gonna cut it.
4) Donning said hoody and mask, turn the lights off and boot Kali.
5) HACK THE WORLD!!
Kicking the Rims – A Guide for Securely Writing and Auditing Chrome Extensions
Want a quick feel for the future of Web publishing?
1. npm install -g dat
2. Ask friend to install Beaker Browser (https://beakerbrowser.com/install/)
3. mkdir mysite && cd mysite && echo "Hello, world!" >> index.html
4. dat share
5. Ask friend to open the DAT URL you’re given in Beaker Browser. They’ll see the index page with “Hello, world!”
CopperheadOS has imploded
https://news.ycombinator.com/item?id=17289536
#hackernews #tech
Rocking my #Mastodon lewk
Index of more than 900 infected Drupal sites:
PSA: if a user habitually boosts stuff you don't want to see, you can turn off boosts just for them without unfollowing them
view their profile in the regular masto UI and you'll see a "Hide boosts from X" in the hamburger menu
this can make the whole experience a lot less annoying, but it's not well-known!
I'm in the process of setting up some regulated servers that require a bit higher #security than the average. This document on SSL and #TLS deployment was quite informative. Might be of interest to others. #devops
https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
Gitleaks is a command line tool written in Go that searches an entire repo history for common secrets and keys
