Websites
Cyber is a site from Vice Media Group that focuses on current issues and news related to cybersecurity. Features guest technology reporters who bring in interesting, relevant stories that will both hold your interest and help keep you informed about what’s happening in the field.
End of Life is a searchable database of the applications, operating systems, programming languages and protocols with a registered product life cycle. It’s a great way to quickly check when a product intends to end or limit support.
Free Tools
etl2pcapng allows you to view ndiscap packet captures with Wireshark, thus overcoming the Windows use of etl files intended for ETW-centric tools like Microsoft Message Analyzer. It “converts a netsh trace start/stop trace into something wireshark can read.”
KeePass is an open-source password manager that allows you to generate and securely store strong random passwords for each site or application. KeePass databases are encrypted with AES-256, ChaCha20 and Twofish, which provide the best security available in the industry.
Jellyfin allows you to collect, manage and stream media from your own server. View from a web browser, Roku app, Android, iOS (including AirPlay), Android TV, Fire TV device, Chromecast or existing Kodi installation. Best of all, there’s no tracking, phone-home or central servers collecting your data. Killer bit of software, and GPU transcoding is free.
CapRover is a fast, intuitive app/database deployment tool and web server manager for NodeJS, Python, PHP, ASP.NET, Ruby, MySQL, MongoDB, Postgres, WordPress and more. Harnesses the power of Docker, nginx, LetsEncrypt and NetData with a focus on ease of use. I’ve been using it for years now, for both commercial and personal projects, and it’s a blessing for early prototypes, demos and personal projects. The ‘One Click Apps’ feature lets you deploy a great many Docker services without dealing with the proxy, certificate and service management yourself.
Coherent PDF is a command-line tool for manipulating PDF files. Allows you to merge/split, encrypt/decrypt, scale/crop/rotate, bookmark, annotate, impose, compress without loss and convert to/from JSON.
WireGuard is a secure, speedy VPN with state-of-the-art cryptography. Its simplicity is a welcome alternative to IPsec, and its performance beats OpenVPN. This cross-platform, general purpose VPN is suited for use on both embedded interfaces and super computers in a wide variety of circumstances.
IRTT uses UDP packets to measure round-trip time, one-way delay and other metrics. Sends packets for a fixed period and then produces both user and machine parseable output. I like it for monitoring connection performance: “I use [this] to simulate a voice call (where jitter matters the most) to a server where I can control the network. I use a custom tool to parse the output and insert it into influxdb for graphing/alerting.”
Sshwifty provides an SSH and Telnet access interface that allows you to connect computers and servers via a standard web browser.
Filelight is a usage visualization app for local, remote and removable disks. Features configurable color schemes, mouse-driven file navigation, file/directory copy or removal from the context menu and integration into Konqueror and Krusader. Adds, “Maybe not as feature-rich as WizTree, but available on Linux as well as Windows.”
pre-commit-opa: Pre-commit git hooks for Open Policy Agent (OPA) and Rego development.
cloud-forensics-utils: Python library to carry out DFIR analysis on the Cloud.
ChopChop: ChopChop is a CLI that helps developers scan endpoints and identify exposure of sensitive services/files/folders.
GitGoat: GitGoat enables DevOps and Engineering teams to test security products intending to integrate with GitHub. GitGoat is a learning and training project that demonstrates common configuration errors that can potentially allow adversaries to introduce code to production.
Podcast
The Art of Network Engineering is focused on the tools, tech, and people at the leading edge of the field. You’ll hear the latest news on products, technology, certifications and more. BananasGorilla_ adds, “I like the hosts and they’re full of good info and experiences.”
The Brothers WISP is an international geekfest on all things networking/ISP/WISP. Listen in as a group of experts dig into topics related to the tech involved in providing reliable networking and wireless internet service.
Network Break is a weekly show that discusses current news of particular interest to Networking Pros. This fast-paced podcast analyzes what’s going on in the world of IT, including current developments among vendors and the new products and tech deals that will keep you informed about what’s happening in the field. These guys have made me sound so smart in so many meetings.
Training Resource
Davidbombal is an educational site full of tech-focused tutorials and courses that can provide value for IT professionals from newbie to advanced. Offers lots of great free tutorials and resources to help bring your skills to the next level.
Tip
A clarification on the confusingly worded relationship between an ‘ethernet cable’ and ‘ethernet’:
“A protocol is independent of the medium that transports it. What we call Ethernet cables are really shielded or unshielded twisted pair CAT 5/5e/6/etc cables, terminated with RJ45 plugs in TIA 568 A/B wiring. That’s complicated to say, so we just refer to the cable by its purpose, which is typically to carry Ethernet frames.
Other cables can carry Ethernet. This is seen in a lot of HDMI cables for smart TVs.
Ethernet cables don’t have to carry Ethernet. In my line of work (corporate audio/visual) they can be used to carry control signals such as RS-232, or broken down into their twisted pairs to carry audio signal from microphones.”
Java Decompilers
Useful if you don’t have Java source code, only the .jar. You can also do Android .apk -> dex2jar -> Java decompiler to examine Android apps.
As Built Report is a PowerShell framework to automatically document your configurations. Explains it can “…create documentation reports for VMware, VxRail, Rubrik, Nutanix, NSX, Cisco UCS, Pure Storage and many more under development… We run this weekly now via automation as it gives us a clean point in time snapshot of the environment. Useful going back in time to compare the environment when you have admins who like to randomly change things without following ITIL process for change management.”
Twinkle Tray provides a quick way to manage the brightness levels of multiple monitors through your system tray. Offers one-click access to sliders that control brightness levels for all compatible monitors.
Kerberoasting
skelsec/kerberoast: Kerberoast attack, pure Python.
ShutdownRepo/targetedKerberoast: targetedKerberoast is a Python script that can, like many others (e.g. GetUserSPNs.py), print “kerberoast” hashes for user accounts that have a SPN set.
Retrospected/kerbmon: KerbMon pulls the current state of the Service Principal Name (SPN) records and sAMAccounts that have the property ‘Do not require Kerberos preauthentication’ set (UF_DONT_REQUIRE_PREAUTH). It stores these results in a SQLite3 database.
Vulnerability Detection
almandin/fuxploider: Fuxploider is an open source penetration testing tool that automates the process of detecting and exploiting file upload forms flaws.
ucsb-seclab/dr_checker: DR. CHECKER: A Soundy Vulnerability Detection Tool for Linux Kernel Drivers. This repo contains all the sources, including setup scripts. Now with an Amazing UI to view the warnings along with corresponding source files.
splunk/attack_range: A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk.
Python Pentesting
Chudry/Xerror: Xerror is an automated penetration tool, which will help security professionals and non-professionals to automate their pentesting tasks.
Ha3MrX/Hacking: Ha3Mrx Pentesting and Security Hacking
Telefonica/HomePWN: HomePwn – Swiss Army Knife for Pentesting of IoT Devices
Google’s business-friendly phone list has a big problem
Google has a whole program designed to help you know which Android devices are guaranteed to be as up-to-date and secure as possible. But when you actually start digging into its recommendations, you find some pretty alarming patterns.
Lots of the phones on Google’s Android Enterprise Recommended list — a list of devices that come with the promise of “timely security patches and clear information about major updates,” among other things — simply aren’t keeping up with the program’s most basic vows. And yet, they’re still being featured prominently as part of the official Google collection. Even worse, this pattern’s been going on for years now. My hope is that drawing attention to this issue will not only make everyone aware of the realities surrounding these mostly meaningless recommendations but also lead to some manner of change. Knowledge truly is power in a situation like this — and, if we’re lucky, it might also be the first step toward accountability.
Google I/O is now just days away
Google kicks off its annual I/O extravaganza this coming Wednesday, and we’re expecting to see plenty o’ juicy new revelations about our favorite platforms, apps, and devices.
It’s all but certain Le Googlé will give us a clearer picture of Android 13’s still-hidden headline features at its upcoming event — but beyond that, rumors suggest we could get our first glimpse at the potentially pivotal Pixel 6a midrange phone along with the long-fabled Pixel Watch. Plus, big-ticket items aside, I/O almost always includes a bunch of small but significant updates to services like Photos and Assistant. And honestly, those less emphasized announcements often end up being the ones with the most meaningful, lasting impact on our day-to-day lives.
You can find the full I/O schedule as well as live streams of all the action on the official Google I/O website.
Android’s navigation system could be getting a(nother) makeover
An unassuming item on the I/O agenda suggests Android’s system-wide back navigation command is about to get a hefty injection of extra intelligence.
The specifics on what exactly this means are still slim, but the session describes how “the future of Android” will introduce “predictive back navigation” into the software. Given the fact that Android’s current swipe-in-from-the-side back gesture often overlaps with other swipe-oriented actions, it certainly seems like some manner of A.I.-related smarts could be coming into the equation and helping your phone figure out what you’re trying to do based on the current context. That could bring a big and very Googley enhancement to the core act of getting around Android — something we’d all appreciate, even if we don’t explicitly realize why.
This in-depth analysis has a thoughtful overview of what we know so far and how it could all come together.
Add a custom button into your Android browser
Google’s in the midst of rolling out a really cool new feature to its Chrome Android browser: an optional new button that sits in the browser’s address bar area and gives you one-tap access to the app’s share command, new tab command, or voice search system.
What’s especially cool is that you can pick which of those options seems most useful to you — or you can let Chrome automatically decide which option you’re most likely to need at any given moment and contextually change the button for you.
Google is slowly rolling this new feature out as we speak, which means you might not have access to it on your phone for a matter of days or maybe even weeks. But with about 10 seconds of simple tweaking, you can enable it on any Android device this minute.
Here’s the secret:
- Open up Chrome on your phone.
- Type chrome:flags into the address bar.
- Type adaptive into the search box on the screen that comes up.
- See the line labeled “Adaptive button in top toolbar customization”? Tap the box beneath it and change it from “Default” to “Enabled.”
- Tap the blue Relaunch button at the bottom of the screen.
And that’s it! Once the browser reloads, just tap the three-dot menu in its upper-right corner and select “Settings” followed by “Toolbar shortcut.” You’ll be able to turn your fancy new feature on right then and there and select exactly how you want it to work.
Grant yourself a time-saving tab superpower in Chrome on your computer
Another interesting new time-saver is on its way to Chrome right now — this time, on the desktop side.
Google’s cookin’ up a cool new shortcut system for the Chrome computer browser that’ll let you rearrange tabs within a window without ever having to lift your precious fingies off your keyboard. And if you (a) tend to keep as many tabs open as I do and (b) are as obsessed with keyboard shortcuts as I am, you’re definitely gonna love this.
The way it works is simple: You just hold down Ctrl and Shift on your keyboard and then hit Page Up to shift a tab over to the left within its current window or Page Down to move it over to the right.
There’s no telling when this feature will make its way out of development and into your grubby little paws, but you can give yourself identical powers this second by installing the creatively named Keyboard Shortcuts to Reorder Tabs extension in your Chrome desktop browser.
Once you install it, that’s it: You’ll have those exact same tab-shifting keyboard shortcuts at your disposal and ready to use whenever the urge strikes. You will have to reload any tabs that were already open prior to the extension’s arrival before they’ll work with it, but from that moment forward, the power will be yours.
Web Security
silentsignal/SemGWT
Extracting GWT RPC method information from generated JavaScript using Semgrep, by Silent Signal.
Cloud Security
CloudGoat goes Serverless: A walkthrough of Vulnerable Lambda Functions
A walkthrough by Rhino Security Labs of the new vulnerable_lambda scenario in the CloudGoat pentest training tool.
How to control access to AWS resources based on AWS account, OU, or organization
New IAM condition keys to make it simpler to control access across org boundaries: aws:ResourceOrgID, aws:ResourceOrgPaths, and aws:ResourceAccount.
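An added example of how those three keys fit together in an identity-based policy (this is not from the AWS post; the account ID and the org/root/OU IDs are placeholders): the first statement denies any S3 action on a bucket that is neither owned by the caller’s own organization nor by one explicitly allowed partner account, and the second denies S3 writes to buckets owned by accounts outside a specific “production” OU path.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3OutsideOurOrgExceptPartner",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceOrgID": "${aws:PrincipalOrgID}",
          "aws:ResourceAccount": "111111111111"
        }
      }
    },
    {
      "Sid": "DenyS3WritesOutsideProdOU",
      "Effect": "Deny",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringNotLike": {
          "aws:ResourceOrgPaths": "o-EXAMPLEORG/r-EXAMPLEROOT/ou-EXAMPLE-PROD/*"
        }
      }
    }
  ]
}
```

Both statements are Deny-only guardrails, so the principal still needs a separate Allow for the S3 actions it legitimately uses; because the `...Not...` operators evaluate to true when the key is absent, a bucket owned by an account that is in no organization at all is also denied, which is the intended fail-closed behaviour.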
Implementing Cloud Governance as a Code using Cloud Custodian
InfraCloud’s Alok Maurya describes how to use Cloud Custodian to auto-detect and remediate noncompliant resources. For example, deleting old EBS snapshots, stopping EC2 instances that aren’t running approved AMIs, changing any rule allowing ALL on port 22 to just the VPN IP, and a few Kubernetes-related examples.
Container Security
doitintl/kube-no-trouble
Easily check your Kubernetes clusters for use of deprecated APIs, by DoiT International.
Compromising Read-Only Containers with Fileless Malware
Sysdig’s Nicholas Lang describes how to attack a container with a read-only root filesystem, and gives an example of attacking an in-memory data store (Redis) with fileless malware that executes in-memory.
Basically the trick is to use shm / tmpfs which lets you create a mounted file system that uses virtual memory instead of a persistent storage device. You can download your malware or shellcode to tmpfs and then execute it from there.
Politics / Privacy
DODC/turncoat
A tool for enumerating Telegram Bot secret messages.
Mental Health Apps | Privacy & security guide
Mozilla did a study and found mental health apps have worse privacy protections than most other types of apps. Prayer apps also had poor privacy standards, the team found. Overview of the findings by The Verge.
Google now lets you request the removal of personal contact information from search results
You can now request the removal of personal contact information, such as a phone number, email address or physical address. Prior to this expansion, the policy mainly covered information that would let other people steal your identity or money, such as banking and credit card details.
Facebook Doesn’t Know What It Does With Your Data, Or Where It Goes: Leaked Document
“We do not have an adequate level of control and explainability over how our systems use data,” Facebook engineers say in leaked document.
Inside Industry 100 – the on-loan CTO
NCC Group’s Ollie Whitehouse shares his experiences on i100, a program that brings industry staff into NCSC teams on a part-time basis to enhance collaboration between UK government and industry on cyber security. I think public/private partnerships for the purpose of keeping everyone safer is great. If you want a weekly APT/malware-focused detailed summary, check out his Blue Purple newsletter.
Red Team
pwn1sher/frostbyte
By Sudheer Varma: A POC project that combines different defense evasion techniques to build better red team payloads. “The idea is to embed an encrypted shellcode stub into a known signed executable and still manage to keep it signed like how the Zloader malware did.”
A blueprint for evading industry leading endpoint protection in 2022
Vincent Van Mieghem shares 12 techniques that can allow you to execute malicious shellcode without getting flagged by industry leading EDR tools, like CrowdStrike and Microsoft Defender for Endpoint.
Misc
ByteChek is moving to a 4-day work week!
ByteChek’s AJ Yawn describes how by focusing on deep work and removing distractions, he’s found ByteChek can both be a better place to work for employees and more productive.
Research suggests that in an eight-hour day, the average worker is only productive for two hours and 53 minutes due to distractions from instant messaging, eating, socializing and other things.
I believe that focus is a superpower and enables you to drive more outcomes in less time.
I’ll take a focused 32 hours over a scattered 40 hours every time.
The codes of comic books
Technically a “comic” is a set of pictures in sequence that tells a story. This virtual “exhibit” by Google Arts & Culture walks through the history of comics, going back to 1842. Learn about the origin of why comic book pages are divided into boxes and more.
Redactle
A daily browser game where the user tries to determine the subject of a random obfuscated Wikipedia article, chosen from Wikipedia’s 10,000 Vital Articles.
The Complete Guide to Warding Off Junk Mail
How to stop receiving the junk mail you probably don’t care about: credit card, loan, mortgage and insurance junk mail, catalogs, coupons and marketing offers, etc.
Impossible Physics: Meet NASA’s Design for a Warp Drive Ship
“A number of scientists are currently researching the feasibility of warp drive (and EMdrive and a number of other modes of faster than light travel); however, most think that such forms of space travel simply aren’t viable, thanks to the fundamental physics of our universe.” The article includes a model of a ship that moves faster than light by deforming spacetime around it.
AppSec
atsign-foundation/sshnoports
By The @ Company: A way to SSH to a remote Linux host/device without that device having any open ports (not even 22) on external interfaces. All network connectivity is outbound and you don’t need to know the target’s IP address.
Finding 0days in Enterprise Software
Slides from Assetnote’s Shubham Shah’s NahamCon talk. Nice walkthrough of taking apart proprietary software, auditing complex code bases, mapping attack surface, chaining vulnerabilities, finding variants, and more.
Conferences
fwd:cloudsec CFP
fwd:cloudsec is probably the best cloud security conference, well worth submitting and/or attending. Round One closes April 22nd, Round 2 closes May 22nd.
Diana Initiative: CFP
The Diana Initiative is a great con that emphasizes having a diverse speaker line-up. First round closes April 25th, second round closes May 30th. They’re also hosting a CTF.
DEF CON Skytalks CFP
Closes May 31, rolling acceptances starting the first week of May.
Cryptography
Themes from Real World Crypto 2022
Trail of Bits’s William Woodruff summarizes several talks and their key takeaways. Major themes:
- Trusted hardware isn’t so trustworthy
- Security tooling is still too difficult to use
- Side channels everywhere
- LANGSEC in cryptographic contexts
Real World Cryptography Conference 2022
NCC Group’s Marie-Sarah Lacharite et al share summaries of 9 RWC talks. One that seems particularly interesting to me is “An Evaluation of the Risks of Client-Side Scanning.” As more systems begin using end-to-end encryption, the law enforcement community is concerned about their lack of visibility. How can we balance privacy/not backdooring everything with catching criminals?
Tutorial
Microsoft best practices for managing IoT security concerns offers advice for how to build a truly secure IoT solution for your organization. Explains how to design your solution to achieve optimal security that can help you avoid falling prey to potential threats. Read more at Microsoft’s Zero Trust paper.
Get all public folders and permissions using PowerShell is a blog post that walks you through how to generate a complete set of reports on your public folders. Resulting reports cover all public folders, mail-enabled public folders, public folder sizes, public folder statistics, public folder items and public folder permissions.