I've had episodes with encryption of the entire hard drive. Now I don't have it encrypted on my computer (but I will be changing my computer) and there is an experience that has changed my life.
On Wednesday I ordered a hard drive to resuscitate my old laptop (to present it). The choice fell on 128GB SSD, which I ordered in the shop - as a new one.
I connected the drive to my laptop and tried to upload Windows (not for me :D). Unfortunately the laptop had a problem with booting the flash drive, but finally I saw a driver charging window. It was weird for me, because there is usually an installer window.
However, the computer restarted all the time and I noticed that it's not from the Flash Drive that the system is booting, but from the disk - WTF I thought.
I plugged the disk into a USB pocket and started to check what is happening. I was surprised to see the data ... and this is someone else's.
The drive was corrupted and did not allow writing data (in SSDs it's a protection). Someone probably brought the drive in to be repaired, but the service technician probably decided that the drive was to be thrown away and the store tried to sell it a second time ... with someone's data.
I think encryption is good practice. Ofc. in the EU, if you buy something over the internet, you can return it within 14 days and receive your money back (any reason ... no reason is also a reason :D)
I was surprised to see the data ... and this is someone else's.
And the next thing you did was to search for wallet.dat, right?
PoC||GTFO ("proof of concept or get the fuck out") is another huge collection of awesome hacker/computer stuff.
I'd compare it to Paged Out! (btw, issue 3 comes soon!). Actually I'd compare Paged Out! to PoC||GTFO because it's older.
As with many good books, I haven't read it completely (yet?). But I am sure you'll find at least 1 in this huge pack of articles.
Maybe it's "ELFs are Dorky, Elves are Cool"?
As I have a little "holiday" today because of the next project - something for you. A film not mine, but very interesting - about a Polish hacker who was not an expert on hacking ... And yet he managed to do a lot of damage.
How to Obscure Any URL is old (1999) but URLs are old too so...
Also, it shows how hard it is to parse URLs (don't do it yourself), which reminds me of a video:
Wow, very interesting. I'm more interested in how someone comes up with such ideas.
The crazy test cases often get generated by computers. For example this pseudo program could have found a bug like in the video:
- generate a url
- let parser 1 decide what's the host in that url
- let parser 2 decide what's the host in that url
- if they don't agree, print url (one of both parsers is wrong!)
- go to beginning
Ofc I'm leaving out a lot of things here, but that is the rough approach I'd use to find bugs like this.
If you're interested read the fuzzing book, I've linked it and other resources about fuzzing here.
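The loop described above, written out as a small differential fuzzer. This is an added example, not code from the original post: parser 1 is Python's `urllib.parse.urlsplit`, while parser 2 (`host_naive`) and the token list are constructed for illustration.

```python
import random
import re
from urllib.parse import urlsplit

# Constructed token alphabet: hosts plus the delimiters URL parsers tend to disagree on.
TOKENS = ["a.example", "b.example", "user", "80", "@", ":", "/", "?", "#", "\\"]

def host_stdlib(url):
    """Parser 1: Python's standard library."""
    try:
        return urlsplit(url).hostname
    except ValueError:  # urlsplit rejects some malformed authorities
        return None

def host_naive(url):
    """Parser 2 (hypothetical): hand-rolled, drops userinfo at the FIRST '@'."""
    rest = url.split("://", 1)[1]
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]
    if "@" in authority:
        authority = authority.split("@", 1)[1]
    return authority.split(":", 1)[0].lower() or None

def compare(url):
    """Return the host each parser sees for the same URL."""
    return host_stdlib(url), host_naive(url)

def fuzz(seed, rounds):
    """Generate URLs from TOKENS and collect those where the parsers disagree."""
    rng = random.Random(seed)
    disagreements = []
    for _ in range(rounds):
        length = rng.randint(1, 6)
        url = "http://" + "".join(rng.choice(TOKENS) for _ in range(length))
        a, b = compare(url)
        if a != b:  # at least one of the two parsers is wrong
            disagreements.append(url)
    return disagreements

if __name__ == "__main__":
    for url in fuzz(seed=1, rounds=2000)[:5]:
        print(url, compare(url))
```

Every URL it reports is a candidate bug in whichever code trusts one parser's host while another component acts on the other's.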
https://reperiendi.wordpress.com/2020/04/03/how-i-recovered-over-300k-of-bitcoin/
Back in January of 2016, he had bought around $10K or $15K of Bitcoin and put the keys in an encrypted zip file. Now they were worth upwards of $300K and he couldn’t remember the password.
Found on hackernews.
DEF CON talk: https://www.youtube.com/watch?v=iFS25HfTe20
A collection of links and videos that I saved. What's fuzzing?
Check out fuzzingbook.org.
I recently found some WAF bypasses that I thought could have been automatically generated.
Obviously I went down that road and started to write my own fuzzers.
This post is actually just to share some of the links I saved during the past months.
I want to share some things that helped my computer find some neat bugs!
The Fuzzing Book is probably the first thing I'd recommend to everyone that asks me something about fuzzing.
It's huge, so huge you probably won't read it completely before a fuzzer you made finds a bug.
And the authors know it's huge, they'll guide you through the book as you need it.
I think I've read about 50% already, (re)visiting different chapters at different times, resulting in different fuzzers.
There's still a lot to read, a lot to code. But I'm happy, the book taught me to automate a huge part of my work.
Here's a post about AFL's mutations that helped me a lot, I stole some "magic values" there.
This is an awesome talk, not recommended for beginners. Skim through the book first!
This video will make you hungry for more fuzzing, it isn't just about binaries! Actually I originally started to search for sql and command injections.
Here's a stream, I haven't watched it completely but Gynvael is a more than credible source for stuff like this!
The fuzzing book is a great resource! Here's a one-liner that I found useful for globbing wordlists together to test out some of the concepts there:
```python
import pathlib, numpy as np; from functools import reduce
fuzz = np.array(list(reduce(np.append, map(lambda f: np.genfromtxt(f, delimiter='\n', dtype=str), list(w.absolute() for w in pathlib.Path('wordlists').glob('**/*fuzz*'))))))
```
I'd also like to add that fuzzing isn't just about security. It is mostly used there, but letting computers find the bugs is useful for everyone.
"You have probably heard of the SameSite attribute addition to HTTP cookies since Chrome 51 (and a specification thereafter). It was advertised as a CSRF killer."
Read more @ blog.reconless.com
Vulnerability Type | Affected by SameSite |
---|---|
Clickjacking | 😦Partly Dead |
XSSI | ☠️Totally Dead |
JSONP Leaks | 😦Partly Dead |
Data Exfiltration | ☠️Totally Dead |
XSLeaks | 😵Mostly Dead |
CORS Misconfigurations | 😃Mostly Fine |
Cross-Site WebSocket Hijacking | ☠️Totally Dead |
XSS | 😃Mostly Fine |
I felt like I had to share something again, so, here's a talk from "the Swedish ninja".
If you don't know him yet, I have just sent you on a big journey!
You can continue your journey on his blog about hacking.
Interesting video, but I've been halfway through understanding it :D
Everyone who wishes to better preserve their privacy can ask an anonymous question by sending it to us - and we will publish it from our account "anonask", thus hiding your identity. We can send back the reply if we see it (email, Matrix, Reddit, others).
Details: on tor page: http://4vxkzqehjxw4m6323yrlzpewhzdl5ym3lnf4jnefcx7m624zap4325id.onion/
My PGP key: 53B98CB54F3E5AE89F67DBF2B06161EB39DA6329
Interesting concept! I also like that you use PGP. It's one of the features I want to add to ZapRead - that you can use PGP to encrypt private messages and sign posts!
Awesome idea, will look at the page later! I'd like a more detailed post in the Privacy group ;)
Buy a Nano S, save that seed somewhere safe. If you are going to keep a virtual copy, put it in Word with a password, then into a RAR protected by a different password, and put those files on an encrypted USB with yet another password.
If you are going to upload files to your Google drive or OneDrive, make sure you use different passwords than your email and put 2fa in your email.
Email protected by strong password plus 2fa.
To make sure no employee of Google or Microsoft can steal your files, put a strong password on a Word file, then put that file in an encrypted folder encrypted by RAR. And if you can, put those files into another encryption tool, so that attackers need to bypass at least 3 strong different passwords.
Once you do that, don't open those files until it is needed, and remember all of your passwords, because if one is lost the whole thing is lost.
Example of strong password
[email protected]&&&///
Don't use your name, or your family's, or your girlfriend's name. Don't use something obvious. That way, even if you upload your files to a cloud, your seed will be protected. Make sure it is protected by at least 3 different passwords like that or stronger.
Don't write down your passwords. You must remember them only in your head.
The best way would be to write down the 12 or 24 word seed only in your brain. But that's hard. I have been doing that, and it is not easy.
The most secure way would be to know your 12 or 24 words only in your head as a memory, but you must remember it: after creating the wallet, memorize it, and after a while check if you can still remember it, like 6 months later. If you can still remember your seed after one year, then you can move funds to it. But you must keep on remembering it every month, because memory in the head is very hard.