At Black Hills Information Security we were brand new to infosec once too! With that in mind, we want to help everyone become more educated in this exciting, fast-changing field. We offer webcasts free to anyone who's interested, a blog on our website, and, through our pen testing, we aim to educate our customers so they can keep improving their environments. We think it's summed up pretty brilliantly in this quote from Richard Feynman: “Study hard what interests you the most in the most undisciplined, irreverent and original manner possible.”
✉ MailFail Extension (Firefox) and other resources: m.ail.fail/
🔗 Jack's list of DKIM selectors: github.com/ACK-J/MailFail/blob/main/DKIM_Selectors.txt
🔗 Download the extension: addons.mozilla.org/en-US/firefox/addon/mailfail/
🔗 GitHub repository: github.com/ACK-J/MailFail/
🔗 Reconstruct private keys from the two prime numbers: gist.github.com/ACK-J/487d0de5737458d953ca818a0645b09b
🔗 Send DKIM-signed emails with a private key (script): gist.github.com/ACK-J/76585af46375641ec841cb6b77d345c3
🔗 Bonus that wasn't in the presentation: Python script that takes a list of domains and checks them for DMARC misconfigurations: gist.github.com/ACK-J/8a189bafbb54e00fb1b3f3e22dcd81c9
🛝 Webcast slides: www.blackhillsinfosec.com/wp-content/uploads/2024/06/SLIDES_BHIS_MAILFAIL.pdf
🔗 Register for webcasts, summits, and workshops: blackhillsinfosec.zoom.us/ze/hub/stadium
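As an added example (not Jack's gist and not MailFail's own code), here is the key arithmetic behind the "reconstruct private keys from the two prime numbers" resource above: given the two prime factors of a DKIM RSA modulus, rebuild the full private key, including the CRT parameters a PKCS#1 key carries, and confirm that a signature made with it verifies against the public (n, e) a receiving MTA would fetch from DNS. The primes, exponent, modulus check and the signed header text are constructed for the demo, and the message encoding is a plain SHA-256 reduced into Z_n rather than DKIM's RSASSA-PKCS1-v1_5, since the point is the key recovery, not the wire format.

```python
import hashlib
from math import gcd

# Constructed toy primes (assumption for the demo). A real recovery would start
# from the factors of a short DKIM modulus published in a selector's TXT record;
# these are far too small for anything but illustrating the arithmetic.
P = 1000000007
Q = 998244353
E = 65537  # the usual public exponent


def reconstruct_private_key(p, q, e=E, n=None):
    """Rebuild an RSA private key from its prime factors.

    If the modulus n from the DKIM record is supplied, it is checked against
    p*q so a wrong factorisation fails loudly instead of yielding a key whose
    signatures never verify.
    """
    if p == q:
        raise ValueError("p and q must be distinct primes")
    if n is not None and p * q != n:
        raise ValueError("p*q does not match the published modulus")
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # Carmichael lambda(n)
    if gcd(e, lam) != 1:
        raise ValueError("public exponent is not invertible mod lambda(n)")
    d = pow(e, -1, lam)                             # private exponent
    return {
        "n": n, "e": e, "d": d, "p": p, "q": q,
        "dp": d % (p - 1),                          # CRT exponent for p
        "dq": d % (q - 1),                          # CRT exponent for q
        "qinv": pow(q, -1, p),                      # q^-1 mod p (Garner)
    }


def message_rep(msg, n):
    """Toy encoding: SHA-256 reduced into Z_n (DKIM itself uses PKCS#1 v1.5)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg, key):
    """Textbook RSA signature using the private exponent d."""
    return pow(message_rep(msg, key["n"]), key["d"], key["n"])


def sign_crt(msg, key):
    """The same signature via CRT, the way an OpenSSL-style key is used."""
    m = message_rep(msg, key["n"])
    s1 = pow(m, key["dp"], key["p"])
    s2 = pow(m, key["dq"], key["q"])
    h = (key["qinv"] * (s1 - s2)) % key["p"]
    return s2 + h * key["q"]


def verify(msg, sig, n, e):
    """What the receiving MTA does with the public key from the DNS record."""
    return pow(sig, e, n) == message_rep(msg, n)


if __name__ == "__main__":
    # Constructed header text standing in for the canonicalised DKIM input.
    headers = b"From: ceo@example.com\r\nSubject: wire transfer\r\n"
    key = reconstruct_private_key(P, Q, n=P * Q)
    sig = sign(headers, key)
    assert sig == sign_crt(headers, key)
    print("forged signature verifies:", verify(headers, sig, key["n"], key["e"]))
```

The modulus check matters in practice: a factoring tool that returns the wrong pair (or a selector whose key was rotated between lookup and factoring) produces a key that signs fine but never verifies, and the mismatch is much easier to catch here than by watching mail land in spam.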
Jack did great -- having someone technical give the webinar is fantastic. We got a good (review for me) technical explanation of SPF/DKIM/DMARC and why they really aren't that great. I'll stay tuned for more on the strength of this presentation --- the inclusion of misuse cases was one of the strongest points.
There are still only 13 root servers. The reason for the limit has to do with the UDP packet size. Some roots do allow for an anycast instance, but that instance still uses the same IP as the primary root server that is being anycast. Speaking as a person who once ran L-Root for 3+ years.
So, an interesting discussion all around concerning the biometrics topic. I found that it was missing some context, however: no one mentioned that there are already other national protective laws under HIPAA, and there really needs to be some correlation of how that applies as well, and where the cross-over might exist. The CO state law takes inclusive steps to couple biometrics under state privacy laws (in the absence of an overall, cohesive national set), but I'm curious where the thought was that gaps existed in HIPAA that needed this type of additional regulation. Regardless of knowing about this law, this concept has led to some interesting group discussions lately. Are hosted data centers now, or going to be, responsible for providing HIPAA-related audit data, in addition to SOC 1/2, as part of the reporting to their clients? Biometrics are a huge part of their security controls, and they have lots of client data.
That is not at all how it’s being used. Yes, it is Drone as First Response. But just as they would when physically on scene, they can assess, and engage if the presented situation called for engagement, and/or simply surveil an ongoing situation and provide live updates for those headed to and arriving on scene.
The DNS and BIND book should be required reading for anyone working in IT. The number of people that have only a surface-level understanding of DNS is astounding.
I used my Flipper to find all the secret codes for my TV. It's been helpful because my TV needs an occasional hard reboot, which I can do using an undocumented IR command. It was also awesome when I was pranking my nieces and nephews.
Ethics? Companies have none. It’s all about money. Disclose after 90 days, just like Google does, period. Then sue the vendor, aka MS, for dragging their feet.
To me the biggest problem trying to use direct IP communications are the shared IP addresses. My setup is fairly typical so it's a good example. I have multiple web sites on my primary server and multiple servers behind my IP addresses. Without DNS information in the header the traffic can't be routed properly. In addition I use Cloudflare just like nearly 20% of the web. Direct incoming traffic would just hit my firewall and get "Unable to connect". Cloudflare also uses shared IP addresses unless you want to give them a kidney each and every month. If you try an IP you get from querying my DNS records you get "Error 1003" "Direct IP access not allowed". All that is before we even talk about residential configurations that are often CGNAT. I think DNS is here to stay for a while.
The secret is to screenshot the solution before playing. I wish someone had explained this before the RSAC talk, because I had no idea how to share the deck on Zoom with other people. Dang it, people. It's always the simple things.
Is Recall any worse than an RCE though? It has an “ultimate use after free vuln” vibe, but from a security perspective, is it really worse? Computers are vulnerable, we might as well get to use the AI.
I think Just a Clever Simulation is exactly right at 28:45ish about Windows Recall. People won't really care until they are personally confronted with something they don't like. It could be a hacker blackmailing them, a family member or friend using your computer and seeing something you didn't want them to see, or SUPER pushy advertising calling out your exact behavior along the lines of "You looked at that potato twice today. Are you sure you don't want to buy it?"
I took the Cyber Deception course a few years ago and can highly recommend it! I paid what I could at the time, and then got a few additional courses from Antisyphon that were excellent!