woland @woland@infosec.exchange

Let's see. When I was younger I liked telephones. A lot. I still do. That included exploring the PSTN and causing general mischief. I have a Western Electric 1D2 payphone in my bedroom. Among other hobbies... I'm an amateur radio operator, Linux user, open source supporter and electronics meddler. I admire any human who has the patience to work in infosec.

I can't really stomach the wallowing echo chamber of Twitter, so maybe this will be better.

#introductions #infosec #linux #opensource

I just did this again this week with SAN and Fibre Channel and iSCSI. Send help.

My problem with studying for certifications is that I will get to a certain subject and inevitably want to know everything about it at opposed to the basics covered in the book. This sends me down rabbit holes and makes studying take a lot longer. Like, oh a brief summary of IPv6? Let me now go online and research everything about it, and NDP, and ICMPv6, and DHCPv6, and what is this Stateless Address Auto-configuration I keep hearing so much about and where does ff01::2 go? Sigh.

I've been using Linux for 15+ years, and I'm still learning commands! dmidecode is awesome. If you ever want to get detailed CPU/BIOS/hardware information, this is one of the commands to use. #linux #foss

https://www.linuxtechi.com/dmidecode-command-examples-linux/

Some sophisticated malware going around targeting Russian-speaking diplomats and government targets; it uses Tor-based communications and GSM fingerprinting. Ongoing since 2013. https://www.bleepingcomputer.com/news/security/new-malware-spies-on-diplomats-high-profile-government-targets/

Disturbing story about how a man tracked down, stalked, and assaulted a woman near her home by examining a selfie she took and noticing the reflection of a bus stop in her pupils. He then used Google maps to find where she lived. Be safe everyone. #osint https://www.asiaone.com/asia/obsessed-fan-finds-japanese-idols-home-zooming-her-eyes

Ever hear of Ken Thompson, computer scientist who worked at Bell Labs and one of the creators of Unix? Well, someone just cracked one of his old BSD passwords. A+

https://leahneukirchen.org/blog/archive/2019/10/ken-thompson-s-unix-password.html

So a Florida woman was recently arrested after police found dozens of pipe bombs she had made, and I'm glad nobody was hurt. But I found it humorous that the bombs were secured with what look to be two Master Lock 141Ds. #lockpicking

This book is invaluable. Tribe Of Hackers features opinions and advice from a diverse group of people in #infosec and I'm better for having read it. Main takeaway: get involved and never stop learning; there are people who just want a security career and then there are hackers.

Priorities: I was working and then BOOM! Got an email from an infosec school with a "hack challenge" in it. Not interested in thier classes but I must solve it. It's a standard logic puzzle. I work it out on a piece of paper and submit it and get a free sticker. Worth it.

Just woke up. Had a dream that I was at an event doing a CTF and I won. I picked a prize from this table after winning but it turned out all the prizes were meant for children. "Nobody told me the prizes were for kids!" I said. Then the organizer said "Ma'am, the contest was for children."

"New SIM Card Flaw Lets Hackers Hijack Any Phone Just By Sending SMS"

Looks like SimJacker has been used for quite a while. Full report comes out in October.

"What's worrisome? A specific private company that works with governments is actively exploiting the SimJacker vulnerability from at least the last two years to conduct targeted surveillance on mobile phone users across several countries."

https://thehackernews.com/2019/09/simjacker-mobile-hacking.html

So I was watching #ITChapterTwo and there are multiple scenes with a phone number from one of the characters in the movie - 207-159-4557. That's a real Maine area code/NPA too. Called it but it doesn't go anywhere. Just disconnected. 😓

It's been a great day so far! Started sparring again (I'm an amateur boxer when not reading technical manuals) and then when I got out of the ring I checked my phone and saw I got off the waiting list for my local BSides. I'll be going to my first ever infosec/hacking conference in a few weeks! I'm excited to meet people locally.

Last night I was playing bar trivia (presented on the bar's TVs via PowerPoint) with some friends and realized the trivia company's website had some hidden directories and in them were images that they used on their slides when revealing answers for that day, which gave me the answers to all the questions. I looked at the first 3 and when I realized what they were I stopped. Didn't want to ruin the fun. Your welcome, trivia company.

I would love it if journalists could pose as law enforcement like these people did and see how many times the teclos would give over the GPS data, but of course that would be very illegal. It's scary stuff.

So generally, all you have to do to get someone's current GPS data from a telco is 1: find the telco's law enforcement outreach number, which is not difficult 2: create a fake Web site that looks like you belong to a legitimate law enforcement entity 3: call and tell the telco representative that the matter is urgent and could lead to the immediate death of someone if the info is not handed over. -- It has worked over and over again, and these are only the cases they caught.