Infosec Press

Reader

Read the latest posts from Infosec Press.

from acrypthash

Incident Response: Scam Attack Against Retail Stores

Yesterday our stores experienced a scam attack via phone call claiming to be from the IT department and wanting to test refunds on high value items in order to get free money. Later in the campaign, they change story to claim they were from a VoIP provider. Unfortunately, one or two stores fell victim, but many others remained vigilant.

As a response, our security team deployed the following: – Created a war room for the few members involved. – Sent out communications to all employees involved (we have internal tools for this) – Used OSINT to investigate the phone number being used (the threat actor was dumb enough to use the same number for all attempts). – Blocked the number through our provider (though changing number is obviously very easy. This was done because it was the only number being used at the time.) – Did EDR scans on all store PCs from people that called in. Side Note – This is where communication with non tech savvy people can be difficult. During the social engineering process, the person at the register is instructed to reach a point in the process where you have to enter a credit card number. Reports from one end user claimed the that cc number was entered in automatically by the threat actor on the phone. They claimed no other assistance was given to access the PC, no mouse movement was performed, just the number entry. This does not make any sense to me. I did the following to investigate, but found zero IoCs: – full EDR scan on the endpoint – PCAP review for any malicious connections – RMM software installations – ELK log review – folder review – confirmed scheduled tasks Nothing substantial was found to show that a threat actor had accessed the PC and entered in the cc number. Personally, I think the end user reporting this claimed it happened this way to protect themselves. Regardless, nothing was found.

Through good communication and best security practices we were able to get this incident under control relatively fast. A big take away from this is going to be ACL build out for the feature that allows for the access of refunds through manual entry. Too many people seem to have access to this feature by default.

There is an obvious pattern that must be brought up so we as analysts and blue teamers can remain vigilant. Threat actors are starting to realize how easy social engineering truly is and the power that comes with it. We must keep our end users aware of these threats and train them to question the true intentions of people when something doesn't feel right. Typically when your gut questions something, you're usually right. For our team, we are going to be working closely with our help desk team over the next few weeks to improve their verification process and social skills to learn when something malicious is happening. Happy Hacking!

 
Read more...

from Amy’s tech stuff

start by drawing a n by n grid of points

  ╭─────── n ───────╮
╭ o  o  o  o  o  o  o
│ o  o  o  o  o  o  o
│ o  o  o  o  o  o  o
n o  o  o  o  o  o  o
│ o  o  o  o  o  o  o
│ o  o  o  o  o  o  o
╰ o  o  o  o  o  o  o

take the dots on the main diagonal and move them over to the side

  ╭─────── n ───────╮             1
╭    o  o  o  o  o  o             • ╮
│ o     o  o  o  o  o             • │
│ o  o     o  o  o  o             • │
n o  o  o     o  o  o     ==>     • n
│ o  o  o  o     o  o             • │
│ o  o  o  o  o     o             • │
╰ o  o  o  o  o  o                • ╯

we can see the points in the diagonal can be arranged into a line of 1 by n points, thus the main square without the diagonal is n²-n

we can also see that the remaining dots are divided up into two mirror images of each other, mirrored along the main diagonal. Since it can be evenly divided into two, it the remainder must be even

  ╭─────── n ───────╮
╭    •  •  •  •  •  •
│ o     •  •  •  •  •
│ o  o     •  •  •  •
n o  o  o     •  •  •
│ o  o  o  o     •  •
│ o  o  o  o  o     •
╰ o  o  o  o  o  o

We can also slide all the point of one halve towards the other, creating a rectangle

  ╭───── n-1 ────╮
╭ •  •  •  •  •  •
│ o  •  •  •  •  •
│ o  o  •  •  •  •
n o  o  o  •  •  •
│ o  o  o  o  •  •
│ o  o  o  o  o  •
╰ o  o  o  o  o  o

This gives us the factored form of the expression n (n-1)
From this expression we can see that it must always produce an even result as it takes the product of two consecutive numbers, one of them must be even, and the product of two numbers is even if either number is even

#math

 
Read more...

from Amy’s tech stuff

I recently came across Veilid, a new network focused on secure communication, similar to TOR, but mixed in with distributed storage and a promise of true decentralization without any blockchains or coins.

Both the website and DefCon talk are a bit lacking in explanation at this moment, with a promise of more documentation coming soon. Looking at the repository however gives slightly more insights.

This guide seems to be the most complete introduction at this point.

Also looking through the slides might also give some more crumbs of detail.

TL:DR; Distributed storage

The network provides two kinds of storage:

Block storage allows to store medium sized chunks of data (up to 1MB) onto the network. These are accessed by their hash and are immutable. Nodes can choose to actively become a provider of a block, and nodes will cash retrieved blocks based on demand
(Note: at this point the block store is not implemented yet but is firmly on the roadmap)

Distributed hash table (Key/Value store) is for smaller chunks of (mostly text) data that can be modified by it's owner. These, as the name implies, are accessed via a key. Nodes can register to be informed of changes.

TL:DR; Networking

Everyone participating in the Network is a node, and all nodes are treated equally. Nodes can choose how much or little traffic they are willing to relay, and how much data to store.

At the start a node reaches out to a bootstrap server with a known address, which tells the nodes what other nodes in the network it can contact. From there the new node asks them for information on more peer in the network. This bootstrap server will usually be the main veilid bootstrap server, but can be your own, especially if you want to create a smaller, isolated network for some reason.
Once the node has info on it's peers it will not need to bootstrap again, unless all known peers stop existing the next time it attempts to join.

Since nodes can change, user identity is given by a public/private keypair which identifies a user and allows them to modify their data.

Routing your traffic by relaying it through other nodes is optional. Every user has a list of routes they can be reached by, which change frequently. These routes can just be the user's node itself it they don't want to receive traffic anonymously or a chain of nodes that lead to the user's node. The same thing applies to sending data. You can either send your data though a route of relays of your choosing to hide where it is coming from, or just send your traffic to the receivers route directly.

Up next: Setting up a node and playing with it

#veilid

 
Read more...

from z0ds3c

Nuclei is a tool that allows you to scan web targets for various vulnerabilities and misconfigurations using predefined templates¹. Here are 10 powerful one-liners that you can use with Nuclei to find interesting and potentially exploitable issues:

  • Scan for all CVEs in a target list: cat targets.txt | nuclei -t cves/ -o results.txt

  • Scan for all exposed panels in a target list: cat targets.txt | nuclei -t exposed-panels/ -o results.txt

  • Scan for all subdomain takeovers in a target list: cat targets.txt | nuclei -t subdomain-takeover/ -o results.txt

  • Scan for all XSS vulnerabilities in a target list: cat targets.txt | nuclei -t xss/ -o results.txt

  • Scan for all SSRF vulnerabilities in a target list: cat targets.txt | nuclei -t ssrf/ -o results.txt

  • Scan for all SQL injection vulnerabilities in a target list: cat targets.txt | nuclei -t sqli/ -o results.txt

  • Scan for all open redirects in a target list: cat targets.txt | nuclei -t redirects/ -o results.txt

  • Scan for all misconfigured CORS policies in a target list: cat targets.txt | nuclei -t cors/ -o results.txt

  • Scan for all prototype pollution vulnerabilities in a target list: cat targets.txt | nuclei -t prototype-pollution/ -o results.txt

  • Scan for all RCE vulnerabilities in a target list: cat targets.txt | nuclei -t rce/ -o results.txt

 
Read more...

from z0ds3c

Top 5 Tools for CTFs

Capture the Flag (CTF) competitions are a great way to test and improve your cybersecurity skills. They involve solving a variety of challenges, such as hacking into websites, cracking passwords, and reverse engineering malware.

To be successful in CTFs, it's important to have a good understanding of a variety of cybersecurity topics, as well as the right tools. Here are our top 5 picks for the best CTF tools:

  1. Burp Suite

Burp Suite is a powerful web application security testing tool. It can be used to perform a variety of tasks, including intercepting and modifying HTTP requests and responses, scanning for vulnerabilities, and fuzzing.

  1. Ghidra

Ghidra is a free and open-source reverse engineering tool developed by the National Security Agency (NSA). It can be used to disassemble and analyze machine code, as well as to debug and create software exploits.

  1. Nmap

Nmap is a network mapping and security scanning tool. It can be used to identify all of the devices on a network, as well as the services they are running and the ports they are open on.

  1. SQLMap

SQLMap is an automated SQL injection and database takeover tool. It can be used to exploit SQL injection vulnerabilities in web applications and gain access to underlying databases.

  1. Python

Python is a general-purpose programming language that is widely used in the cybersecurity community. It is a good language for learning and scripting, and it can be used to solve a variety of CTF challenges.

In addition to these tools, it is also important to have a good understanding of the Linux command line and basic networking concepts.

Here are some additional tips for success in CTFs:

Practice regularly. The more CTF challenges you solve, the better you will become at it. Work with a team. CTFs are often more fun and successful when you work with others. Don't be afraid to ask for help. There are many people who are willing to help beginners learn about CTFs and cybersecurity. With the right tools and skills, you can be successful in your next CTF competition!

 
Read more...

from JR DePriest

My eyes are open. My eyes are open so I must be awake. What is that sound? What is that clicking sound? A black stick is falling toward my eyes. I see it. But I'm not blinking. My eyes aren't closing. My eyes can't close. The stick moves past. It's alive. Without moving my head. I can't move my head. I see my wife beside me in bed. Reading. “Please help me,” I say. She ignores me. I see the black sticks again. Legs. They are legs. Weaving. Spider legs. I lift my hand to brush them away. My hand doesn't lift. My arm doesn't move. My arms are made of stone, concrete. They will not move. I feel something on my sternum. Heavy. Round. Like a living bowling ball. Directing the spiders on my face. I can hear them. I know their language. But they are whispering. I ask them, “Why are you doing this?” “What are you doing?” The spider on my sternum shifts. The spiders on my face say “Hush.” Spiders don’t have the concept of a “tone of voice”. But. These two spiders spinning the web to cocoon my head. They seem very patronizing. I haven't earned the right to know what they are doing. My eyes close. I am lost in time. It's almost silly when I find out. The spiders are aware of the popularity of Spider-Man. They think that sounds like a good idea. A spider-human hybrid would be wonders for their reputation. I was chosen as one of the test beds for the brightest spider minds. I would not be their final achievement. No. But I would be experimented on. Techniques would be perfected. I was adrift in time. My eyes open and I am free. I stand and see a well-lit living room. I see an indoor swimming pool, in ground. Not large, but exceptionally clean and inviting. I walk forward and feel my body. The limbs are lanky. Extra tissue has been removed or replaced. My skin seems paper thin on my hands. I step into the water of the pool. It's warm. I expected it to be cool, but it's warm. I lower my head into the water and breathe. I can breathe underwater. I feel the water on my head. My hair is short. I see my golden silk house clothes billow in the water. I exit the pool on the other side, using the concrete steps. A little girl, perhaps 10 years old runs up and smiles at me. “I hate it when you go in the water,” she says. “Sometimes you stay down there for 15 minutes!” She's so young that 15 minutes must seem like eternity. “You'll understand when you're older,” I say. I don’t recognize my own voice. I half-remember a lifetime of experience. Decades. It's breakfast time. One of my daughters is cooking breakfast. I can smell the sizzling meat. I feel a warm surge down my legs. I look down and see hundreds of small brown and gray spiders spread out from my pants. I can hear them. Each of them. I know them. Every one of them. Not by name. They don't have names. But we are connected. They know me and I know them. I know what they know and see what they see. But I don’t see it. I just know it. They are going on patrol. They will keep out the vermin. They will be the barrier at the edge of our domain. They will die to protect us. My body sways and my legs carry me to the table. There are other family members already sitting, all female. Women and girls. I am a grandmother, perhaps a great-grandmother. In this house, I am the Mother of All Spiders. I remember for the spiders. They have short lives. To them my mind is vast. My lifespan nigh immortality. I am their computer. I am their incubator. !!!!!!!!!!!!!!!!! The children! My face turns toward the front room. Before I can form a coherent thought. My hands reach down in front of me and grip the floor. My legs bend and crack. My legs reach up behind me and grab the ceiling. My arms bend and crack . My arms reach up above me and grab the ceiling. My throat aches. My mouth opens wide. I rush along the ceiling. Faster than I imagined possible. I burst through the doorway. I see a man. I know him. He has his hand inside his jacket. He's reaching for something. I snarl and a glob of webbing is projected out of my throat at high velocity. It hits the man in the chest. He's knocked backwards and onto the floor. “No need for that,” he says. He pulls out an envelope. He waves it in the air. My legs reach down to the floor. My legs crack and bend. My arms let go of the ceiling. My arms crack and bend. The spinnerets in my throat retract. The two halves of my jaw reconnect themselves. “You didn't knock,” I say. He stands up. He shakes his head. “When the day comes, you will never see me coming.” He hates us. We know. He knows we know. He doesn't care. He waggles the envelope. “Just take it.” I take the envelope. It is addressed to our family. “Mayor thought it'd be funny to have me deliver your invitation.” I open the envelope and start reading. My spiders will keep their eyes on our guest. And my mind is connected to their minds. My mind is connected to their eyes. I read the invitation: cordially invited… demonstration of advances in science and medicine… honored guests… I remember now. We, the spiders and I, decided to collaborate with other scientists. The best spider minds are very young and naïve compared to the best human minds. It made sense. “I hear they're planning to show off something with centipedes,” he says. My children shift uneasily. The man straightens his jacket and makes a sinister finger gun gesture. “Be seeing you,” he says, before leaving of his own accord.

#WhenIDream #Dreams #Dreaming #Dreamlands #Writer #Writing #Writers #WritingCommunity #ShortFiction #Fiction #Paranormal #Spiders #NightTerrors #SleepParaylsis

CC BY-NC-SA 4.0 This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License

 
Read more...

from beverageNotes

I've been enjoying some Eagle Rare 10 year. At 90 proof, it's not enough to warrant some ice and I've been enjoying it neat. It smells sweet with hints of cinnamon, leather, and a wee bit of cardamom. The first sip of the night is a bit hot, but it drops off and there's a lingering warmth in subsequent sips.

The flavors have been harder to pin down. It's been different on different night. Sometimes caramel. Sometimes leather. Some food may go well with this.

Adding in snacking on sharp cheddar and Triscuits doesn't affect the tasting much.

I've got more, so I'll have to revisit this. Maybe with some chocolate or something sweet.

 
Read more...

from acrypthash

Status Report

It feels good to be where I am. Over the past few months, I have been running a cybersecurity internship program. Last week that finally came to an end. It was a great learning experience for both the interns and myself. We got to see a lot of cool things and I think everyone grew. Now that there aren't interns to take up my time, I have been able to dive back into my projects and research and I feel so happy again. I am really starting to wrap up some outstanding projects.

Defcon: I attend Defcon 31 this year and learned a lot! It was a great experience and I am very happy to have gone. I created a presentation for work after cleaning up all my notes and had a really learned a lot. Now, I have a list of action items that came from the conference and my talk! Things like detection engineering and actually utilizing some of the tools that I was exposed to. I think my favorite talk was the Electron app TCC vuln that was disclosed.

Some other bits and bobs:

  • Tomorrow will be one year at my company and I AM SO HAPPY. Being a security analyst is something I've come to enjoy very much.
  • I managed to break my OpenVAS install after upgrading PostgreSQL. I ended up needing to update /etc/postgresql/14/main/postgresql.conf back to my originally configured port and restart the daemon. I also had to reassign the versioning that PostgreSQL was running in, because that failed to change properly after the upgrade as well.
  • I've gotten more into detection engineering as of late. We utilize Elastalert to send detection alerts to a Slack channel that has been built. This is a nice tool that can provide me information Sentinel One can't easily notify us of.
  • While it's nothing new, I've also been doing research into the Zerologon vuln for DCs. I am going to be downloading copies of some of our DCs and testing to confirm if we our patch is actually working as it should.
  • Our web app pen test is going to be wrapping up soon, where I will get a good look at where we stand from a security perspective on our app.
  • I've gained more forensics experience with analyzing PDFs and malicious word docs that have come in via email. It hasn't been anything too flashy just yet, but still a great experience.

For the rest of year, I have some goals set that I plan on achieving: – GCP training – GREP Cert – Better detections and more coding – BSides Philadelphia – One more good write up in 2023 about something valuable I learned. – My idea is a write up on how to efficiently exploit something like PDQ after post compromise.

 
Read more...

from JR DePriest

The cemetery asphalt is cool in the afternoon shade, identical tombstones, some hundreds of years old stretch as far as I can see. The wrought-iron gate to the inner sanctum, separated by a tall brick wall opens as I approach. I slip in and it closes silently as I navigate through the entrance maze. A right, a left, two rights, and left, and another left. I step into the courtyard and see a few of the workers pruning apple trees or working the garden. Some wave, some ignore me, some don't even notice my passage. I look up at the sanctum, a structure of stone expanded with wood, steel, and siding, ancient and modern gripping each other but never quite merging. I see a young-looking man in the massive arched doorway, thinning brown hair, slightly overweight. “Misty!” Dan calls out. “Misty Meaner!” he says with a wink and a smirk. I roll my eyes and shake my head. His grey-blue eyes invite you to fall into them, fly away, forever. His smile tethers itself to your heart and reels you in. “How old are you, again?” I ask, breaking eye contact. “That's—you know it—it's different.” he stammers. “Point taken, though.” I can feel his magnetism settling, simmering instead of boiling over. As we head inside, I can hear loud dialogue, likely from the theater. “It is,” he says, responding to my thoughts. “I've made some real progress on the 'magitech',” he gushes. “The 3D effect is next level now, with actual depth. “Only works for black and white films right now, but I'll get there.” He takes my hand. “You'll have to come by after your shift,” he offers. I shrug and bight my tongue behind a thin smile. “Be polite,” I think. He steps in front of me, using a tender gesture to raise my head. “Hey, wait.” he says squinting, hiding his charms, probing gently past my surface thoughts. “Are you okay?” I chuckle, “Actually, I feel like shit, but I've got responsibilities so here I am.” I do feel like shit. Brain fog, tight emotions, unexpected bouts of rage and crying. He sniffs the air lightly, “I didn't want to say anything last week.” “About what?” I ask. “Well—I'm not trying to be rude, but I think your hormones are off.” I nod slowly, “That would make sense.” “I haven't had bloodwork in over a year and my endo was talking about switching to injections.” He pats my shoulder, “Please take care of yourself. If it's money, you know she will cover it.” I shrug, “It's time. I have no time.” “Oh,” I start, “will the elders be upset by it?” Dan takes a deep breath and slowly releases it, “I doubt it; it's still closer to what they prefer than any cissy could manage.” “Anyway, I'll let you get to it.” He heads back to his movie theater and his experiments. I assume that's where most of the younger members are.

I remember the ad that brought me here almost two years ago: “Seeking Part-time Caregiver for multiple elderly residents. Must be well-read and have a strong voice. Services will be limited to reading and light teaching. Medical training not required.” And the part that really got my attention, “Transgender women on full HRT only.” I had to see what it was all about. I replied to the ad and met Melinda at an outdoor cafe downtown for coffee. I had water. Melinda was a fount of radiant 'house mom' energy, carefully put together comfortable but elegant outfit, expertly styled red hair, subtle 'no makeup' look makeup. Her eyes were a strange mixture of green and gold. I'd never seen gold in someone's eyes before. And her easy smile lulled me into complacency. I was spilling my deepest secrets and weird hobbies before I even noticed what I was saying. She told me about the job, about my charges, about the fact that they are mostly non-verbal and mobility impaired, but they like to be read to. I was moved to compassion. When she said the job was at an estate in the middle of a national cemetery in the oldest part of town, I was intrigued. I was taken to meet 'The Elders' and was led through a cavernous house, almost a castle, down stone steps lined with torches, to a large room filled with ancient armors, mounted weapons, and two walls of books stretching a full story high. At one end was the largest fireplace I'd ever seen. You could drive a car through it. And it was fully ablaze. I couldn't imagine how much fuel it took to burn that strongly. I was told 'The Elders' were cold blooded and liked the heat. When we got closer to the fire, I saw them, 10 pale faces with bright eyes sharing a deeply set opulent sofa, watching me, following me, each body bundled in heavy blankets or furs. “That's a good sign,” Melinda assured me. They had ignored other applicants, I was told. We stood between 'The Elders' and the fireplace. “Great and Honored Elders,” she said, bowing. “I present Misty Allen Shaffer for your approval.” I heard a sound like sighing or coughing, but so faint I couldn't tell from where. “Thank you,” she said, bowing again. She smiled at me, so wide her teeth shimmered in the firelight, “They will allow it.” Apparently, it meant I got the gig. She asked me to bring some modern science fiction from the library to read. She defined “modern” as anything after 1900. In spite of the walls of books we'd passed, they were awfully tired of what they had on hand. I'd come in and sit by the fire and read out loud for them for three hours once a every weekend, doing different voices for the different characters. They'd study me with their inscrutable eyes the entire time, never speaking, but occasionally making small noises. When I moved around, they followed me with their gazes, sometimes imperceptibly moving their heads, but often just with their eyes. I could tell what authors they liked and which they didn't although I'm not sure how. I could feel it. The particularly liked Asimov, Bradbury, and Frank Herbert but weren't fans of Philip K. Dick. When I read even newer authors like Liu Cixin or N. K. Jemisin, the vibe in the room was particularly electric. I'd caught an uneasy amusement from them when I read Peter Watts' 'Blindsight'.

Today, I was bringing a classic, HG Wells' 'The Time Machine'. Down 40 stone steps around a column, lit and warmed by torches at every fifth step. Into the visitation hall. Even in the dim light of the fire, I can see them watching me. I feel loved and involuntarily smile. “Good afternoon, everyone!” I call out. “As promised, HG Wells' 'The Time Machine' with a nameless protagonist and a look at what the future may hold, written in 1895. “I know that's few years older than you'd prefer, but trust me, it is worth it. “It gets pretty 'out there' toward the end. “You'll love it.” They study me as I read from the elaborate, carved seat by the fire. “Chapter 1,” I began, using an English accent befitting the author. “The Inventor.” I'd made it to the section where The Time Traveler loses The Time Machine to the Morlocks (who I voiced as deep throated aristocrats – inspired by Jeremy Irons performance in the movie) when the first rumble shook dust from the walls. As I look around for a source, I spot a red strobing light above the door. “Shit!” Evacuation? What was happening up there? “Uh, everybody?” I call out. They watch me intently, “We've got to go.” I'd been trained for this, drills even, although I was told it would probably never be required. I jog over to the hidden emergency exit door, trying to remember the pattern. Like a backwards treble clef, then three parallel lines, then eleven o'clock, three o'clock, seven o'clock. POP A handle appears and I struggle to slide the door which has probably been closed for longer than I've been alive. I create an opening about three feet before turning back around. The Elders still sit. They are watching me but not standing, not moving. They are supposed to follow me. “Come on!” I yell, waving at them with both arms above my head. Nothing. I reach into my bag and pull out my multitool. I stare at it in my hand, breathing hard. I slide it open and expose the knife, seeing flames dancing in reflection. “Hey, y'all!” I call out. Nothing. I'm going to have to do this. I bite my lower lip, hard, and cut a shallow, inch long gash in my left arm. The Elders lean forward but do not rise. Damn. I cut a second, longer and deeper gash close to the first. It burns and try not to scream through gritted teeth. “Mother fucker” I mutter. Blood runs down my arm to my elbow where it falls and splatters on the floor. The Elders stand and shuffle toward me, rasping from slightly open mouths. I squeeze into the hidden hallway and hold my arm where they can see it. Where they can smell it. The burning sensation runs all the way from my arm to my chest, making it hard to breathe. I did not expect it to hurt that much. How deep did I cut? I hear shouting from further down the corridor. Their language. A language I don't recognize. Flashlight beams play upon the walls and naked feet slap against the stonework. I still do not understand them but I catch words that seem familiar. 'anthropos' 'aima' Men, women in fatigues churn up from the catacombs, swarming around me, taking the arms of The Elders and leading them deeper into the passages. A man I've never seen leads me back to the reading room. I'm dizzy. “Foolish” I hear him say as he pulls a first aid kit out of his backpack. He's examining my cut which I can see spurts blood every couple of seconds. Whoops. The ground is shaking or it could just be me. “Skata” says the man looking at my arm. “Ti krima“ He shakes his head and sprays something that cleans the blood away. Then he places an absorbent pad and begins to wrap gauze. Something cracks, my ears ring, I'm on the floor. I can't move. I can't see. I hear the man scream, “Gamo to!!” Then “Gia to aima!” I can't feel my legs or arms. I'm not sure if I'm breathing. It's so heavy. I'm cold. Tired. Exhausted. I should sleep. Sleep. Yes. It's quiet. Warm. Like floating in river. Darkness.

. .. ... .... ..... —

Lightning strikes my heart. My head explodes. My arms and legs vibrate like plucked guitar strings. I hear myself screaming but the voice isn't mine. Something burrows into my throat, wiggling its way up to my mouth. My teeth clench, tear, I taste blood and bile. Sound pours itself into my ears, squeaks, groans, gasps. Pumping sounds. The flow of liquid. Sizzling steam, fire. Breaths, whispers. I smell sand, sweat, decay, perfume, incense. Something sweet. I can't name it. But I desire it more than anything I've ever wanted in my life. I can see colors that I do not recognize, outlines of life and probability. I sit up, grab my head. “Misty, you were chosen.” Chosen. I hear it. She's talking. It's Melinda. I love her. I would do anything for her. “For your selfless actions to save The Eldest Among Us, for your kindness and devotion, for your courage and calm under pressure.” My heart swells with each word of praise. “Where once there was death, now there is new life.” I feel her take my hand, our souls intermingle, our life force blends. I am hers. She helps me up. To my feet. I do not waver. I stand like a statue. I look down at my body. Naked. Small breasts, slightly protruding gut hanging over an equally small penis. Cold, but I do not shiver. I frown. This is not what I'm supposed to look like. For a moment I am ashamed. “Welcome our sister,” she says. “Misty Allen Shaffer,” a chorus of voices replies. “Receive your second gift and your secret name.” The crowd parts. “Become what you were meant to be.” A woman wearing only a solemn expression walks toward me. “Receive your second gift,” the crowd repeats. The smell from earlier. I catch it again, thicker, a current guiding me. My mouth twitches, my tongue curls itself into knots. The woman is directly in front of me now. She kneels and tilts her head to the right, exposing her neck. My heart pounds. I feel something slide and shift inside my mouth. Something stabbing my gums and lips. Without thinking, I bend down and bite the woman on the jugular. My exposed fangs effortlessly pierce the skin. The warmth of blood pouring into me is like nothing I've ever experienced. I see memories of her life, a child of poverty, sold, bought, raised almost as livestock but wanting for nothing. I feel her relief, honor, fear at being brought here tonight for me. Fire floods my body, every nerve ending tinkling like a bell, every cell ravenous and renewed. The blood wakes me, the world fills with song, like angels, like a chorus of stars in the heavens. Light pours from me. I feel strong, fast, free. Alive. I was dead. Now I am alive. “Enough,” Melinda whispers to me. I immediately stand. Someone takes the girl aside to bandage her wounds. I know their language now. I see it. I see a word. My word. “Υδατογενής“ Because I adapted myself, changed, flowed into true being. “I am Υδατογενής.”

#WhenIDream #Dreams #Dreaming #Dreamlands #Writer #Writing #Writers #AmWriting #WritingCommunity #ShortFiction #Fiction #Paranormal #Vampires #Transgender

CC BY-NC-SA 4.0 This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License

 
Read more...

from beverageNotes

This evening is very pleasant and a fine end to a pleasant day. A bit on the warm side, but nowhere near has hot as it has been the past couple of weeks.

Sitting on the patio, I'm having a post-dinner dram of Red Line Elements Amburana Small Batch (https://www.redlinebourbon.com/elements-1). I picked it up for $60 from a local joint. They have several brick and mortar locations, offering a wide variety of whiskies and wine, along with smaller selections of beers, cheeses, and chocolates.

This is my second bottle and I'm a fan. The 103 proof warrants an ice cube or two and requires an “easing in” to get the bouquet—spicy caramel apple pie. That's my summation of the experience. I love it!

There's cinnamon and cloves. Hints of orange.

This offering is non-chill filtered and having learned more about the implications, I can pick out how it is not as 'thin' as Irish or Scottish whiskies.

Some neighborhood deer are in my backyard now, checking me out. The doe is chomping on some honeysuckle, which I would love to have eaten to the roots. One of the two fawns keeps laying down and neither seem very interested in eating. Maybe they're not quite old enough to have been weaned.

With this being my 3rd post, I'm probably not in any danger of creating a run on Red Line Elements Amburana Small Batch, but if you find it—it's limited to a couple of handfuls of states in distribution—and give it a go, please let me know what you think.

 
Read more...

from risibledog

William Pelley posing with dork-ass nazis of the Silver Legion (aka “Silver Shirts”) in Redmond, WA circa 1936.

Lately I keep thinking that it's a little surprising nobody has seized on the opportunity to make a recent flick about William Dudley Pelley. Maybe it's a little too on-the-nose? Might be a challenge to avoid having it scan as didactic / corny, and of course there's always the difficulty of avoiding the induction of dumbass anti-hero sympathy toward him in (maybe especially US) audiences, but the dude really has it all: – an anti-communist politic which is inseparable from antisemitism, – narcissistic, moderately-successful author & hollywood screenwriter who goes far-right, – heaps of proto-new-age woo bullshit, – a large-scale street fascist paramilitary organization (which finds particular traction in the Pacific Northwest), – high profile seditious conspiracy trial & conviction, – etc. (etc. etc. etc.)

Anyway, interesting prologue & historical context for a lot of things happening at the moment – and a pretty salient object lesson in the type of ostentatious (nonetheless very dangerous) clown that tends to spearhead any given fascist movement with demagoguery.

Knute Berger did a good little PBS bit on him not so long ago, worth checking out.

Bill Hader is good at wrecking the anti-hero tropes, so...

 
Read more...

from Armamix

I don't really think I need or want to start blogging again, but by all means. Here's a cheap tip to start things off: Test your backups regularly.

 
Read more...

from Hyperscale Security

Any week in the security press proves that, generally, most companies and institutions have struggled to implement adequate or even basic security protections, despite best intentions and effort. While the move to the cloud has its own risks, whether for IaaS, PaaS and SaaS, it also provides the opportunity to outsource many security responsibilities to a cloud provider. The cloud platforms have many security and resiliency features baked in, and it can be reasonably argued that cloud providers can bring more resources and talent to bear and through economies of scale can do a better job than their customers can.

Aside from agility and flexibility of cloud solutions, for each organization individually, a move to the cloud can be a real security and resiliency net-benefit, compared to running critical systems themselves.

Decentralized Inadequacy vs Centralized Competence

To take just one example. Organizations notoriously struggle with keeping systems up-to-date, with new vulnerabilities being disclosed all the time. Rather than having to manage that yourself, using an always-at-the-latest-version SaaS solution is a real security benefit. For each organization separately, but also in aggregate.

We have to recognize, though, that there are not that many cloud providers that we all rely on. The companies listed in the Cloud Wars Top 10 – and full disclosure, I work for one – increasingly run the critical workloads that we all rely on as customers, employees and citizens. That means if anything goes significantly wrong the impact may be widespread.

We are moving from a situation where the likelihood of an individual failure in confidentiality, integrity or availability (CIA) is higher but the impact is contained, to one where the likelihood is lower, but the impact could be catastrophic.

The Colonial Pipeline Ransomware Attack led to the shutdown of all pipeline operations by the company and caused widespread fuel shortages across the US East Coast. What is often forgotten is that the ransomware affected the billing infrastructure, not the operational systems. With such administrative systems increasingly moving to the cloud, a major incident at a cloud provider affecting thousands of companies all at the same time would have devastating cascading effects throughout the global economy and the functioning of society.

Cloud as Critical Infrastructure

I think it is reasonable therefore to see cloud providers as critical infrastructure. The IT Sector in general already is designated as such, but these designations don't yet specifically focus on the unique and growing role of cloud providers within that sector as the providers of services to everybody else.

Cloud security has so far mostly focused on the consumer-side of the Shared Responsibility model in-the-cloud. Cloud providers have also started to recognize they have a responsibility to help their custoemrs run more securely. More recently, security issues of-the-cloud such as recorded in the Cloud Vulnerability Database have got more attention, showing that the cloud providers aren't perfect. A recent incident prompted a US Senator to criticize one of them for “negligent cybersecurity practices”.

It is time that cloud providers are held to a greater level of scrutiny on their own internal operations. If failure can have significant impact on the economy, the functioning of society, and even lives, we should expect similar oversight and consequences as in Utilities, Finance or Healthcare.

 
Read more...

from serialcomplainer

Everyone who works or has worked in a medium/big/large/huge/... company I am sure encountered a lot of occasions where the security measures set in place by the company were extremely annoying, a mix of intentional slow-downs, red-taping, bureaucracy and rituals.

This is no news, as a lot of regulations impose compliance against a number of frameworks, which often prescribe a bunch of security measures to be implemented. Security means controls, and controls can be implemented well and can be...just implemented. The problem with compliance is that you often find yourself walking a fine line between useful security measures to mitigate risk and protecting people (and the organization) and complete bullshit security theater which is essentially meant to just tick a box during an audit. The more the latter is annoying to the end-user (the unlucky working class who just wants to get its job done to earn a salary to have money to spend in their free time to forget about work), the more “security” is providing.

Another problem is that to comply with many different regulations, a lot of policies are needed. A LOT. Each policy has tons of sections, subsections, sub-subsections, and so on. These are often accepted/reviewed once a year, during that beautiful process in which hundreds or thousands of employees essentially sign off company policies that they barely read and when they actually read, they barely understand (because of how the policies are written, not because of them), in the same way that we all accept EULA when signing up to Facebook or whatever cool new social network young people use.

Either way, I digress. What is the problem with many policies? Well, there are a few:

  • Maintenance is hard. Reviewing policies is one of the most boring jobs ever, and when you have tons of them, keeping them all up-to-date to the point that they are relevant, is a challenge.
  • Even harder is to maintain a framework of policies. This means that policies need to all go in the same direction, they need to live in harmony with each other, they should not contradict each other.

Enters Workstation Security

One of the largest battlefield in which compliance, security theater, security, marketing from security companies, pleasure to make people miserable and other components meet each other is the security of the workstations for the employees.

To be honest, the last year has seen a rise in attacks involving the compromise of engineers workstations, besides the usual phishing attacks (which are “on the rise” every year for the last 10 years according to prestigious security publications), so all of this is not completely unfounded.

Anyway, usually every company has an “Acceptable Use Policy” (AUP) which states what you can and cannot do with your company device(s). This includes things like watching porn, gambling, playing games but also things like installing new software. Clearly the situation gets complicated when we are talking about workstations for engineers and tech workers in general: they generally need a lot of tools to get their job done or to do it in a more efficient way. However, this often conflicts with the common requirements of getting approval for every software installed.

Besides AUP, there is also another term that companies (mostly the ones that sell products to “prevent” it) love: DLP, Data Loss Prevention. This essentially means preventing you (the employee) from exfiltrating proprietary data of the company outside the company. Concretely this translates in things like blocking USB drives on workstations, blocking certain sites (like personal email, storage sites, etc.).

DLP is security theater. Here, I said it. In most companies DLP translates into a bunch of annoying rules that make the life of people working more annoying, without solving any problem at all, against even the slightly motivated and capable malicious user.

Let's not just make a rant though, let's make concrete examples. One of the most important DLP area is the network. To avoid that you (the bad employee) would go to Google drive and upload a beautiful zip with all the company data, organizations usually install a proxy in the corporate network. Alternatively, for those working remotely (but not only, of course), the company might enforce a VPN solution with DLP integrated. What this means is that every single network packet that employees send to the network, first need to pass through this proxy, where it gets decrypted, analyzed, filtered and then sent to the destination.

This technique also inspects HTTPs (TLS) traffic, since companies install by default in every workstation a CA certificate issued by the VPN provider, that is trusted for everything. In other words, if you go to https://mysite.org from your company workstation and inspect the certificate in the browser, you will see that the certificate is actually issued by your VPN provider.

So far, this makes sense, right? It is reasonable that on a company workstation you have no expectation of privacy (and this is another reason why you should NEVER, EVER use your work devices for anything else than work), and that traffic is inspected. Unfortunately, usually the “controls” don't stop here. For a man with a big hammer, everything looks like a nail. Once you pay big money for this kind of product, you want to start using all the beautiful features it offers, and the first – I guarantee you – is the category block. We are not talking about porn, gambling, etc., we are talking about calendar, emails, etc.

Once this solution is in place, it's common to see things like “only [whatever email provider your company use, say gmail] is allowed”. Then, if you try to go to mail.proton.me, you get a big error message that tells you that the page is blocked as it's an email application. Same if you go to outlook.com (if for some reason you chose to keep your emails there), and so on. The same applies to calendars, storage applications etc.

What is the problem here? The problem is that this is bullshit. Not in the sense that it doesn't have a rationale, but in the sense that it is pretty much like trying to empty the sea with a bucket. The only achievement of this is that Sarah in accounting will have more trouble organizing her life because she can't access her work calendar from her personal devices (of course!) nor her personal calendar from her work device. Or that John from marketing will need to jump 25 hoops to access a site needed to share data with a customer (who doesn't happen to use the same system as his company), usually by requesting some manual, temporary whitelist, with lots of approvals and time wasted. That's pretty much the only achievement, because there is just no way, NO WAY that whatever pricey solution you are buying, you are actually blocking all email, storage, calendar, etc. applications on earth (or better, on the Internet). It simply will not happen. Anybody can run a huge number of opensource or even custom software to do essentially whatever. You can host a pastebin service under your personal domain, you can access your personal Gitea instance, and a solution that works based on the domain alone to be in a list, especially a blocklist, is going to be extremely ineffective. You could achieve this only via an allow-list, but good luck figuring out a list of all the websites that everyone in the company requires to access.

In fact, usually there is always someone within a company that knows “something that works”, which they use to do their job better, and which technically violates a huge number of policies, but that “since it's not blocked” automatically feels like allowed (which makes sense, to some extent).

So here there are only 2 scenarios that matter:

  • Your super expensive network DLP-blockchain-AI-web3 technology can block network traffic which contains suspicious sensitive data.
  • Your super expensive network DLP-blockchain-AI-web3 technology cannot block network traffic which contains suspicious sensitive data.

If your solution falls in the first scenario: good job! You have a technical control that works and scales. At this point, there is no need anymore to block any site for anybody in the company, because if Sarah from accounting decided one day not to use her calendar to remember about her karate lesson, but to exfiltrate company data, this holy-grail of DLP would catch it and block it. It's unclear how this solution will work with things like code (that reasonably you will sometimes paste online for searches) or credit card data (when you are doing a legitimate purchase with your card, not exfiltrating credit cards), but I will leave this to the – I am sure – extremely expensive solutions.

If your solution falls into the second scenario, then you have no technical control. There is absolutely nothing you can do to prevent a user from doing cat | tar | nc IP port and sending whatever data she wants to whatever IP she controls. You also can't do anything if she can access a file upload service hosted at https://news.kitchen.cat, which likely won't be in any list. Or you can't do absolutely anything about one of the other millions of ways to exfiltrate data in a way to bypass a simple list of domains. If you are in this situation, what benefits does it give to block a negligible part of the internet? The only benefit is to prevent people from doing mistakes likes sending accidentally an email from their personal account instead than from their work one. Is this kind of scenario worth the nuisance to all the users for everything that is blocked? Maybe it is, maybe it is not, but this is essentially what the decision should be based on. If someone starts mentioning the risk of DLP in accessing your personal email, you know that's bullshit. Some malicious insider will find another way, while the well-meaning users will just obey the rules and get annoyed in the process.

A small parenthesis is due at this point. Every security control has some gaps. It's very rare, if not impossible, to have something 100% effective. The problem is that in this context we are not talking about a bypass for a control, but rather about a few ways that the control cannot be bypassed. The efficacy is so low, that it's like claiming to have restricted access to a field by putting a door in the middle of it: you didn't help a little, you wasted the wood.

In whichever scenario your solution falls, you need to realize that as a company your main control is administrative: a policy that states that you can't share the data, and if you do so, you will have legal troubles and will get fired. Of course this will not prevent anything, but it's basically all you got. Even the most sophisticated solution won't anyway prevent anybody from taking pictures of their screen and OCR the data at scale, so it's a lost battle anyway, you might as well not annoy the users in the process.

The Virtualization Issue

When talking about DLP, and workstation security in general, another topic is virtualization. Usually the organization requires to run a bunch of tools on each workstations, agents that monitor files, processes and the network (as the one discussed before). Obviously, if you decide to run a VM on your workstation, all the tools and agents will not be present, and therefore there is a security and a DLP risk.

The security risk is that your VM can be compromised and potentially infect your workstation as well (hypervisor vulnerabilities are rare but they exist). The DLP risk is that...you guessed it, inside the VM there are not those kind of agents which we talked about before. So you could be accessing whatever site you want, for example (this mostly apply for people working remotely, and not sitting in their corporate network, where the filtering can happen outside your machine).

For these reasons, the AUP sometiems forbids the use of VMs. This is where the beauty of the bureaucracy comes into play: many new companies (especially the hip and techie ones) are now using Apple devices (Macs) as their workstations, using tools like Jamf & similar, to replace the very common Windows or (among techies) Linux workstations.

Unfortunately, modern development is also extremely tied to containers, and an engineer who can't use Docker locally nowadays is going to initiate a mutiny. Because of this reason, Docker usage is generally allowed and necessary. The beautiful side of this is that on Mac Docker Desktop uses a Linux VM, even configured in a way which is way less isolated than a regular VM would be by default (unless explicitly made so). I would like to conduct a survey of how many Mac shops ban VMs but allow Docker, because that's hilarious. If you want to run a VM with host-only network to run some tool that you are not allowed to install in full isolation, you can't do it. But if you want to run any Docker image you want, with similar (let's not say worse) isolation, you can do it.

The policy says so.

 
Read more...

from risibledog

Recently I've been finding the combination of obsidian & the omnivore plugin to be quite a useful way of maintaining a database of info from articles (etc)!

Once you've got the plugin installed in your vault (you can also find it in Obsidian's “Community plugins” browser), you can edit the Article Template as you see fit.

I'm sure there are smoother ways of setting this up, but my template currently looks like this:

#Omnivore 
# {{{title}}}

[Read on Omnivore]({{{omnivoreUrl}}})
url:: [link]({{{originalUrl}}})

{{#highlights.length}}
<!--
## Highlights

{{#highlights}}
- hl:: >{{{text}}} {{#note}}^[*{{{note}}}*]{{/note}}
 {{#labels}} #{{name}} {{/labels}} 

{{/highlights}}
-->
{{/highlights.length}}

---
{{{content}}}

I have found that it works great with the dataview plugin. I make a new markdown file to serve as an index using this code block:

```dataview
table without id
	list(file.name, url) as "article", list(date_published, author, hl) as "info & excerpts"
from #Omnivore 
where date_published 
sort date_published desc, date_saved desc
```

This creates a table with a list of the articles sorted in reverse chronological order (ie. the most recent one is at the top), and includes any excerpts which you have highlighted in Omnivore.

It ends up looking like this:

I also edited the Article Template above so that any annotations I add to a highlight can be displayed as a footnote beneath the excerpt, like this:

Some of the articles you save will inevitably not have properly formatted date_published info — those are currently excluded from the above code block. I put another code block beneath that one which looks like this:

```dataview
table without id
	list(file.name, url) as "article", list(date_published, author, hl) as "info & excerpts"
from #Omnivore 
where date_published = null
sort date_published desc, date_saved desc
```

Omnivore also has an “edit info” option for each article saved, so if you'd like to move an article without date_published info into its proper spot in the table which is sorted by date, you can open it in a browser and edit the article's date info. (This date-editing option currently appears to only be available in a web browser, not on the mobile app.)

You can also make more specialized lists of this sort by using Omnivore's “tags” feature editing the line so it reads from #Omnivore and #[NewTag] – I have also found that Omnivore supports the use of nested tags, which can help narrow or broaden the specificity of various index tables :)

P.S. – if you want quick & easy access to the markdown articles via these index files, just remove the snippet of text which says without id from the code block. That will create an extra column which is a direct link to the markdown file, like this:

 
Read more...