Infosec Digest – June 2017


@author Randy Gingeleski

@since 07/07/2017

@see infosec digest


To start, a friendly reminder to enable 2FA. Weigh the pros (more convenient…?) and cons (may still show up on locked homescreen depending on privacy settings, someone could social engineer Verizon into switching phone number or possibly forwarding) of doing it over SMS.

I revisited an older post – Exploring CORS Misconfigurations for Bitcoins and Bounties – and think it’s still very relevant.

Anti-AI AI – “The wearable prototype device is designed to identify synthetic speech and alert the user that the voice they’re listening doesn’t belong to a flesh-and-blood individual. Developed as a proof of concept in just five days, the prototype makes use of a neural network powered by Google’s Tensorflow machine learning software.”

“Naturally, you should hide that activity as much as possible, i.e. don’t do it from your work computer. Use a private device with TAILS, TOR and VPN. Do not google for TAILS before downloading it. Spoof your MAC address. Don’t pay for the VPN with your credit card. Either use a free trial, or pay with Bitcoin that you bought anonymously (e.g. use LocalBitcoin and pay with cash in a place with no CCTV coverage). Send the coins through a mixer for additional security. Make sure to use TOR while using any of these services. You could also use a public WiFi instead of doing it from home, but there might be a chance that you get caught by some camera. Use DuckDuckGo as your search engine instead of Google. Don’t save any data you don’t have to. If you do have to save data, store it in an additionally encrypted container on your encrypted device that you only keep open for as long as you need it.” – 9e7b96475 on /r/netsec

I posted this article by my co-worker Jay before, but it was re-posted on my company’s blog this month.

Warp – “secure and simple terminal sharing.” Let the games begin!

MacSpy – MacOS malware as a service. Not an insect.

Here’s a mind map of practice software to haxx. Don’t be overwhelmed – pick a category, pick a site, and go.

/r/netsec talks about whether North Korea is a real cyber threat.

How I Stole Your Siacoins

Hey if you commit to Github with “remove password”, I’m someone malicious is going to find it. Change your password.

Unexpected Journey Into The AlienVault OSSIM/USM During Engagement … a quote from it I’m having tattooed on my back – “Being a penetration tester makes us feel like a group of traveler.”

Here’s a bunch of weird shit you can do with Windows API calls.

Hitler Reacts to Not-Petya

Reminder: OneCoin is a Ponzi scheme.