Scott Mortimer @ScottMortimer@infosec.exchange

05 February 2020

Metasploit Unleashed - Free Online Ethical Hacking Course

https://www.offensive-security.com/metasploit-unleashed/

"Computer security is not too good in 2020. It’s really kind of a mess and crypto is one of the things that works. Taking away this tool would be a disaster for the entire connected world."

Experts Worry Crypto War Two May Go the Other Way

https://duo.com/decipher/experts-worry-crypto-war-two-may-go-the-other-way

I am a huge proponent of using TLS everywhere it's possible to use it, so I very much appreciate
Troy demonstrating why even statically generated websites should use HTTPS.

https://www.troyhunt.com/heres-why-your-static-website-needs-https/

Deployed 82nd Airborne unit told to use these encrypted messaging apps on government cell phones

“Unfortunately, those apps are more secure than texting in the clear, which is more or less the alternative. Granted, if a hostile party has access to the handset, that encryption isn’t particularly helpful.”

https://www.militarytimes.com/flashpoints/2020/01/23/deployed-82nd-airborne-unit-told-to-use-these-encrypted-messaging-apps-on-government-cellphones/

Time to look for alternatives.

LastPass Mistakenly Removes Extension from Chrome Store, Causes Outage

An accidental outage was caused by LastPass yesterday by mistakenly removing the LastPass extension from the Chrome Web Store, leading to users seeing 404 errors when trying to download and install it on their devices.

https://www.bleepingcomputer.com/news/security/lastpass-mistakenly-removes-extension-from-chrome-store-causes-outage/

Guard your Tomatoes, folks

Internet routers running Tomato are under attack by notorious crime gang

The Muhstik botnet has targeted other IoT devices. Now it's attacking Tomato routers.

https://arstechnica.com/information-technology/2020/01/internet-routers-running-tomato-are-under-attack-by-notorious-crime-gang/

Glad I switched to BitWarden last year.

LastPass is in the midst of a major outage | ZDNet

LastPass issue appears to impact users with accounts dating back to 2014 and earlier.

https://www.zdnet.com/article/lastpass-is-in-the-midst-of-a-major-outage/

I have been playing with TShark on my Chromebook. Works well and is quite powerful.

Use Wireshark at the Linux command line with TShark

https://opensource.com/article/20/1/wireshark-linux-tshark

Build a 10 USD Raspberry Pi Tunnel Gateway

In this tutorial I'll show you how to build an Internet Gateway for your home network using a Raspberry Pi and a HTTPS tunnel for just 10 USD.

https://blog.alexellis.io/raspberry-pi-zero-tunnel-gateway/

Anyone using Krypton and have an opinion on it?

Krypton U2F Authenticator

Unphishable, zero-touch two-factor logins

https://krypt.co/

"Instead of a password, a private-public keypair (known as a credential) is created for a website. The private key is stored securely on the user’s device; a public key and randomly generated credential ID is sent to the server for storage. The server can then use that public key to prove the user’s identity."

An introduction to Web Authentication (WebAuthn), the new API that can replace passwords with strong authentication.

https://webauthn.guide/

Further info on SameSite cookie problem.

WTF is Chrome’s SameSite cookie update?

Google is again tweaking how its leading browser handles cookies, all part of moves by browsers to beef up privacy controls.

https://digiday.com/media/what-is-chrome-samesite/

Nice overview of cookies, CSRF, and how we can try to fix this mess.

Promiscuous Cookies and Their Impending Death via the SameSite Policy

https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/

Active Directory Security Fundamentals

A lot of (targeted) ransomware attacks have been leveraging through Active Directory and it has made the headlines. Most organizations are struggling to secure their AD, because it is complex. It r…

https://identityaccess.management/2019/12/30/active-directory-security-fundamentals/

Anyone who would willingly install an extension with a name like that deserves their fate.

A Google Chrome extension named Shitcoin Wallet is stealing passwords and wallet private keys, security researcher says.

https://www.zdnet.com/article/chrome-extension-caught-stealing-crypto-wallet-private-keys/

Free & Open Source Modern URL Shortener

https://kutt.it/

Top 10 Best Hacking Films of All Time

Haxploitation goes to the movies

https://portswigger.net/daily-swig/top-10-best-hacking-films-of-all-time

While I will admit that I was put out by the shuttering of Google Reader, I don't find the accusation they killed RSS to be even remotely true. I switched easily to Feedly and then Inoreader and never looked back. RSS, especially in the area of podcasts, has only grown since then. Just some more click-baity nonsense that capitalizes on contemporary anti-Google sentiment.

Dan McKinley :: Google Reader Killed RSS

https://mcfunley.com/google-reader-killed-rss

Anyone Can Check for Magecart with Just the Browser

What can a normal everyday user do to check and see if their favorite shopping site is compromised? In this blog post, I will go over a few steps that don’t require any security training to perform.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/anyone-can-check-for-magecart-with-just-the-browser/