bwiese : cybersecurity   976

CISA Emergency Directive 19-01: Doing Things the Easy Way in Splunk
Action One: This action requires that within 10 business days agencies audit all public DNS records (on authoritative and secondary DNS servers) for .gov or other agency-managed domains to ensure that they resolve to the intended location. If any do not these should be reported to CISA

Action Two: This action requires that within 10 business days, the passwords for all accounts on systems that can make changes to each agency’s DNS records be updated.

Action Three: This action requires that within 10 business days, multi-factor authentication (MFA) for all accounts on systems that can make changes to each agency’s DNS records be implemented. [Note: CISA provides additional guidance for cases where MFA cannot be achieved within the allotted time range].

Action Four: This action requires that within 10 business days, agencies begin monitoring Certificate Transparency logs, provided by CISA via the Cyber Hygiene service, and assess whether any newly issued certificates were unauthorized.
cybersecurity  dhs  cisa  dns  mfa  tls 
yesterday by bwiese
I Do Not Like Your Ransom Scam. I Do Not Like It, SamSam I Am.
An Analytic Story recently released in the Splunk Enterprise Security Content Update (ESCU) app includes searches designed to help detect infection vectors and behavioral signs of this dangerous ransomware, such as writes to system32, writes with common ransomware extensions, batch files under system32, and remote desktop protocol (RDP) brute-force attacks. To leverage this story, as well as the more expanded story entitled "Ransomware," download and install the latest version of ESCU from Splunkbase.
splunk  ransomware  analytics  cybersecurity  rdp 
yesterday by bwiese
Hackers could read non-corporate, Hotmail for six months | Ars Technica
Late on Friday, some users of Mail received an email from Microsoft stating that an unauthorized third party had gained limited access to their accounts, and was able to read, among other things, the subject lines of emails (but not their bodies or attachments, nor their account passwords), between January 1st and March 28th of this year. Microsoft confirmed this to TechCrunch on Saturday.

The support account would also have only had access to free accounts, and not to paid Office 365 email.

Reason for the hack in the first place: with access to the iPhone user's email account, it's possible to dissociate the phone from the iCloud account, and subsequently to reset the handset.
cybersecurity  outlook  email  iphone 
3 days ago by bwiese
SecuritySynapse: Wireless Pentesting on the Cheap (Kali + TL-WN722N) - WPA-PSK
In our previous article we used TP-Link’s TL-WN722N and a Kali Virtual Machine (VM) to perform wireless discovery and attack against a Wired Equivalent Privacy (WEP) network to showcase the abilities of this inexpensive and flexible setup. In this article we will continue to test our setup by attacking our home router running WPA (Pre-Shared Key) PSK--walking you through the attack from start to finish.
cybersecurity  kali  wireless  pentest  howto 
8 days ago by bwiese
Forensic Investigator | Splunkbase
The TekDefense Forensic Investigator app is designed to be a Splunk toolkit for the first responder. Most tools do not need Internet access with the exception of a couple which use API calls. This Splunk app provides free tools for the forensic investigator which include, but are not limited to the following:
- VirusTotal Lookups
- Metascan Lookups
- Automater
- Base64 conversion
- XOR conversion
- HEX conversion
splunk  app  forensics  cybersecurity 
8 days ago by bwiese
Home — OSSEC
OSSEC watches it all, actively monitoring all aspects of system activity with file integrity monitoring, log monitoring, rootcheck, and process monitoring. With OSSEC you won't be in the dark about what is happening to your valuable computer system assets.
sysadmin  opensource  cybersecurity  hids  ids  monitoring 
15 days ago by bwiese
Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers - Motherboard
half a million Windows machines received the malicious backdoor through the ASUS update server, although the attackers appear to have been targeting only about 600 of those systems

new supply-chain detection technology to its scanning tool to catch anomalous code fragments hidden in legitimate code or catch code that is hijacking normal operations on a machine

The infamous Flame spy tool, developed by some of the same attackers behind Stuxnet, was the first known attack to trick users in this way by hijacking the Microsoft Windows updating tool on machines to infect computers
asus  cybersecurity  backdoor  kaspersky  ioc  apt  supplychain  scrm 
20 days ago by bwiese
Operation ShadowHammer | Securelist
certain evidence we have collected allows us to link this attack to the ShadowPad incident from 2017. The actor behind the ShadowPad incident has been publicly identified by Microsoft in court documents as BARIUM. BARIUM is an APT actor known to be using the Winnti backdoor. Recently, our colleagues from ESET wrote about another supply chain attack in which BARIUM was also involved, that we believe is connected to this case as well. - check MAC addresses targeted

Kaspersky Lab verdicts for the malware used in this and related attacks:

Domains and IPs:

Some of the URLs used to distribute the compromised packages:

Hashes (

cybersecurity  asus  backdoor  scrm  kaspersky  ioc  supplychain 
20 days ago by bwiese
Asus was warned of hacking risks months ago, thanks to leaky passwords | TechCrunch
“Companies have no clue what their programmers do with their code on GitHub,” said the researcher.

A day after we alerted Asus to the researcher’s email, the repos containing the credentials were pulled offline and wiped clean.
asus  cybersecurity  scrm  github  certificates  backdoor 
20 days ago by bwiese
Data-tracking Chrome flaw triggered by viewing PDFs – Naked Security
Researchers have spotted an unusual ‘trackware’ attack triggered by viewing a PDF inside the Chrome browser.

Security company EdgeSpot said it noticed suspicious PDFs, which seem to have been circulating since 2017, sending HTTP POST traffic to the tracking site

The behaviour only happened when a user viewed a PDF using desktop Google Chrome – when opened in Adobe Reader the PDF’s behaviour returned to normal.

Data sent included the user’s IP address, the Chrome and OS versions, and the full path of the PDF on their computer.
cybersecurity  chrome  pdf  vulnerability 
27 days ago by bwiese
Palo Alto Networks has transformed itself with more than $1 billion in acquisitions - MarketWatch
Palo Alto (PANW) announced last week it is acquiring Demisto for $560 million, its fifth acquisition of the past 12 months. Demisto is a so-called SOAR — or security orchestration, automation and response — company that uses machine learning to aid in automating cybersecurity functions.

Palo Alto announced it was buying cloud-threat defense company RedLock for $173 million in cash in October, a $100 million acquisition of Israel-based endpoint detection and response company Secdo in April, a $300 million acquisition of public-cloud infrastructure security company a month before that, and a $105 million deal in February 2018 for LightCyber, a company specializing in so-called “Behavioral Attack Detection solutions” that pick up on attacks that slip past more traditional security controls. In that time, management has gone through drastic changes from a year ago with former Google exec Amit Singh taking over as president in November, and former SoftBank exec Nikesh Arora taking over as chairman and CEO in June.
cybersecurity  paloalto  demisto 
7 weeks ago by bwiese
Accidental Sabotage: Beware of CredSSP – PowerShell Magazine
To get around this issue, PowerShell provides the CredSSP (Credential Security Support Provider) option. When using CredSSP, PowerShell will perform a “Network Clear-text Logon” instead of a “Network Logon”. Network Clear-text Logon works by sending the user’s clear-text password to the remote server. When using CredSSP, Server A will be sent the user’s clear-text password, and will therefore be able to authenticate to Server B. Double hop works!

general rule is: Don’t put high trust credentials on low trust computers.

you should always try to design your systems to work with single-hop rather than double-hop so that CredSSP isn’t needed.

Microsoft has made changes to Windows Server 2012R2 and Windows 8.1 to eliminate clear-text credentials from being stored in memory. This means that an attacker who runs Mimikatz will no longer see your clear-text credentials. An attacker will still see your NT password hash and your Kerberos TGT, both of which are password equivalent and can be used to authenticate as you over the network.

Additionally, even though your clear-text credential is not saved in memory, it is still sent to the remote server. An attacker can inject malicious code in the Local Security Authority Subsystem Service (LSASS.exe) and intercept your password in transit. So while you may not see your password with Mimikatz anymore, your password can still be recovered by an attacker.
credssp  powershell  password  cybersecurity  mimikatz 
7 weeks ago by bwiese
Working with Passwords, Secure Strings and Credentials in Windows PowerShell - TechNet Articles - United States (English) - TechNet Wiki
Best Practices
Where possible do not ask for passwords and try to use integrated Windows authentication.
When it is not possible or when specifying different credentials is useful, cmdlets should accept passwords only in the form of PSCredentials or (if username is not needed) as SecureString, but not plain text.
If you need to ask user for credential, use Get-Credential cmdlet. It uses a standard Windows function to receive password in consistent and secure manner without storing it in memory as clear text.
Credentials should be passed to external system also in most secure way possible, ideally as PSCredentials too.
Password should not be saved to disk, registry or other not protected storage as plain text. Use plaintext representation of SecureString when possible.
powershell  password  reference  cybersecurity 
7 weeks ago by bwiese
Securing your PowerShell Operational Logs – Stuff n Things
powershell operational logs with passwords captured in the script
- anyone can typically view the logs on the system
- workaround is to encrypt the log files for decryption later (not SIEM compatible)
- temp solution: set 'ChannelAccess' registry key for the security descriptor of the logs to limit access to only Admins
powershell  logs  cybersecurity  eventlogs  password 
7 weeks ago by bwiese
A New Wave of the Separ Info-Stealer is Infecting Organizations through “Living off the Land” Attack Methods - Deep Instinct : Deep Instinct
Use Cypherpath for malware sandbox analysis
1) Notified of new malware
2) Go to Hybrid Analysis – dig around a bit until you find a shared sample
a. Download sample
3) Add sample to Cypherpath shared folders
4) Spin up an isolated Windows instance on Cypherpath.
5) Run malware in this isolated vm on Cypherpath
6) Explore artifacts and RE
malware  cybersecurity  sandbox 
7 weeks ago by bwiese
Securing Domain Controllers Against Attack | Microsoft Docs
As previously described in the "Misconfiguration" section of Avenues to Compromise, browsing the Internet (or an infected intranet) from one of the most powerful computers in a Windows infrastructure using a highly privileged account (which are the only accounts permitted to log on locally to domain controllers by default) presents an extraordinary risk to an organization's security. Whether via a drive by download or by download of malware-infected "utilities," attackers can gain access to everything they need to completely compromise or destroy the Active Directory environment.
cybersecurity  microsoft  reference  guidance  internet 
9 weeks ago by bwiese
How To Use The 2012 Active Directory PowerShell Cmdlets From Windows 7 – GoateePFE – Archived
Until now I haven’t needed the CredSSP feature in PowerShell. Here’s the problem. We use Kerberos for authentication from our local workstation to the intermediate remoting server, but then the remoting server is not allowed to pass our credentials to the server targeted by the cmdlet. This makes two hops. The AskDS blog has a classic article that explains this Kerberos scenario in much better detail (Understanding Kerberos Double Hop). The CredSSP feature allows the intermediate remoting server to pass our credentials to the target server.
powershell  cybersecurity  credssp 
9 weeks ago by bwiese
NTLMv1 Removal – Known Problems and Workarounds | IT Connect is worth a read to understand much of the background behind NTLM. But as good as that article is, it isn’t comprehensive. Referencing (see section entitled “NTLM Referral Processing”) will help you understand how NTLM logons work across a trust. Note that this is why you won’t find many NTLMv1 logons on any domain controllers. You will find most NTLMv1 logon events on the member servers that allow NTLMv1; those member servers are the key and you should target them as the point of leverage to identify which clients are using NTLMv1. You then fix the clients, fix the servers, then fix the DCs. Then find out you missed some clients and servers.
cybersecurity  ntlm 
9 weeks ago by bwiese
Library Archive
The library is no longer being updated as of October 1, 2018. NSA Cybersecurity (formerly "information assurance") information from October 1, 2018 onward will be available at The library houses all site files, which includes: Information Assurance (IA) Guidance, software downloads, program documentation, supporting documentation, product reports, and Information Assurance Advisories (IAA) and Alerts. Please note that some items require login.
nsa  cybersecurity  reference  guidance  history 
10 weeks ago by bwiese
RDP (Remote Desktop Protocol)
Destination Host
RDP session connection start/end time and date, source host IP address, logged-in user name and account domain, and success or failure connection (Microsoft-Windows-TerminalServices-LocalSessionManager/Operational, Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log)
rdp  threathunting  cybersecurity  microsoft  dfir 
11 weeks ago by bwiese
A Response to "The Cloud is Evil..." | Ponder The Bits
- AWS, by default, logs API access to/from most (if not all) of its resources, namely to the console and EC2 Instances (systems/machines/hosts you provision and use)
- recommend alerting on VPC Flow Log creations as an attacker could also harness this capability to snoop on what’s going on within your network
aws  dfir  cybersecurity  logs 
11 weeks ago by bwiese
Windows RDP-Related Event Logs: Identification, Tracking, and Investigation | Ponder The Bits
notes and tips on tracking RDP events
Event ID: 1149 - Description: “User authentication succeeded” (NO - only successful connection)
Event ID: 21
Description: “Remote Desktop Services: Session logon succeeded:”
TL;DR: Indicates successful RDP logon and session instantiation, so long as the “Source Network Address” is NOT “LOCAL”.
Event ID: 22 - Description: “Remote Desktop Services: Shell start notification received:”
TL;DR: Indicates successful RDP logon and shell
Event ID: 24 - Description: “Remote Desktop Services: Session has been disconnected:”
Event ID: 25 - Description: “Remote Desktop Services: Session reconnection succeeded:”
Event ID: 39 - Description: “Session <X> has been disconnected by session <Y>”
Event ID: 40 - Description: “Session <X> has been disconnected, reason code <Z>”
Event ID: 23 - Description: “Remote Desktop Services: Session logoff succeeded:”

Event ID: 4624 - LogonType: 10 (RemoteInteractive / a.k.a. Terminal Services / a.k.a. Remote Desktop) OR Type 7 from a Remote IP (if it’s a reconnection from a previous/existing RDP session) - Description: “An account was successfully logged on”
Event ID: 4625 - Description: “An account failed to log on” (Logon_Type=10 or 7)
Event ID: 4778 - Description: “A session was reconnected to a Window Station.”
Event ID: 4779 - Description: “A session was disconnected from a Window Station.”
Event ID: 4634 - Description: “An account was logged off.” (Logon_Type=10 or 7)
Event ID: 4647 - Description: “User initiated logoff:” (not all RDP)

Event ID: 9009 - Description: “The Desktop Window Manager has exited with code (<X>).”
dfir  rdp  eventid  reference  cybersecurity  microsoft 
11 weeks ago by bwiese
New malware found using Google Drive as its command-and-control server
backdoor Trojan, called RogueRobin, which infects victims' computers by tricking them into opening a Microsoft Excel document containing embedded VBA macros, instead of exploiting any Windows zero-day vulnerability.

Enabling the macro drops a malicious text (.txt) file in the temporary directory and then leverages the legitimate 'regsvr32.exe' application to run it, eventually installing the RogueRobin backdoor written in C# programming language on the compromised system

The new malware campaign suggests that the APT hacking groups are shifting more towards abusing legitimate services for their command-and-control infrastructure to evade detection.

It should be noted that since VBA macros is a legitimate feature, most antivirus solutions do not flag any warning or block MS Office documents with VBA code.
cybersecurity  google  threathunting  malware  c2  backdoor  macro 
12 weeks ago by bwiese
WhiteHat Security: Top 10 Application Security Vulnerabilities of 2018
Magecart breaches systems and replaces the JavaScript that handles payments with malicious code to send payment details to the hackers completely unbeknownst to the end user.
cybersecurity  api  vulnerability  2018  webapp 
12 weeks ago by bwiese
USPS Site Exposed Data on 60 Million Users — Krebs on Security
The API in question was tied to a Postal Service initiative called “Informed Visibility,” which according to the USPS is designed to let businesses, advertisers and other bulk mail senders “make better business decisions by providing them with access to near real-time tracking data” about mail campaigns and packages.

In addition to exposing near real-time data about packages and mail being sent by USPS commercial customers, the flaw let any logged-in user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.

Many of the API’s features accepted “wildcard” search parameters, meaning they could be made to return all records for a given data set without the need to search for specific terms. No special hacking tools were needed to pull this data, other than knowledge of how to view and modify data elements processed by a regular Web browser like Chrome or Firefox.
usps  api  cybersecurity  vulnerability  databreach 
12 weeks ago by bwiese
5.25 Million Unencrypted Passport Numbers Accessed in Starwood Breach
In November 2018, Marriott announced a data breach where there was unauthorized access to their Starwood Preferred Guest reservation system and that the data for up to 500 million guests had been compromised. In an update today, Marriott has stated that the amount of affected customers is lower than expected at 383 million, but that 5.25 million unencrypted passport numbers were accessed.

- access to data such as passport numbers, Starwood Preferred Guest (SPG) account details, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
databreach  cybersecurity  passport  marriott 
january 2019 by bwiese
Troy Hunt: Here's Why Your Static Website Needs HTTPS
adversaries / govs / business / ISP / etc - will inject content into website connections, including ads, malware, cryptomining, etc
https  tls  ssl  cybersecurity  http  spoofing  mitm 
january 2019 by bwiese
NSA - Cybersecurity - Resources
Resources for Cybersecurity Professionals
nsa  cybersecurity  reference  pdf 
january 2019 by bwiese
China's Five Steps for Recruiting Spies in the US | WIRED
The majority of Chinese espionage cases over the years have involved ethnic Chinese, including Chinese students who came to the US for college or advanced degrees, got hired at tech companies, and then absconded back to China with stolen trade secrets. Historically, very few Chinese spying cases have featured the targeting or recruitment of Westerners. But this year has seen a rash of cases of Americans allegedly recruited to spy on China’s behalf, encouraged to turn over sensitive military, intelligence, or economic information—at least one of which started with a simple LinkedIn message.
1) Spotter 2) Assess - MICE: money, ideology, coercion, and ego
3) Developing 4) Recruiting 5) Handling
china  cybersecurity  spy 
january 2019 by bwiese
WPA3 Wi-Fi is here, and it's harder to hack - CNET
JUNE 25, 2018 - Most recently, researchers found a flaw they called KRACK, which could let attackers on the same Wi-Fi network access your internet traffic without a password. Device manufacturers released patches for the problem, and the Wi-Fi alliance required all new routers to be tested for the vulnerability. It was a repeat of a lesson from a decade earlier, when researchers found a different problem in the encryption that keeps internet traffic secure on a Wi-Fi connection.
wifi  wpa3  cybersecurity 
january 2019 by bwiese
Hacker Discloses New Unpatched Windows Zero-Day Exploit On Twitter

The newly disclosed unpatched Windows zero-day vulnerability is an arbitrary file read issue that could allow a low-privileged user or a malicious program to read the content of any file on a targeted Windows computer that otherwise would only be possible via administrator-level privileges.

The zero-day vulnerability resides in "MsiAdvertiseProduct" function of Windows that’s responsible for generating "an advertise script or advertises a product to the computer and enables the installer to write to a script the registry and shortcut information used to assign or publish a product."

According to the researcher, due to improper validation, the affected function can be abused to force installer service into making a copy of any file as SYSTEM privileges and read its content, resulting in arbitrary file read vulnerability.
exploit  microsoft  github  cybersecurity 
december 2018 by bwiese
Windows Server restart / shutdown history - Server Fault
event ids to monitor (quoted but edited and reformatted from article):

Event ID 6005 (alternate): “The event log service was started.” This is synonymous to system startup.
Event ID 6006 (alternate): “The event log service was stopped.” This is synonymous to system shutdown.
Event ID 6008 (alternate): "The previous system shutdown was unexpected." Records that the system started after it was not shut down properly.
Event ID 6009 (alternate): Indicates the Windows product name, version, build number, service pack number, and operating system type detected at boot time.
Event ID 6013: Displays the uptime of the computer. There is no TechNet page for this id.
Add to that a couple more from the Server Fault answers listed in my OP:

Event ID 1074 (alternate): "The process X has initiated the restart / shutdown of computer on behalf of user Y for the following reason: Z." Indicates that an application or a user initiated a restart or shutdown.
Event ID 1076 (alternate): "The reason supplied by user X for the last unexpected shutdown of this computer is: Y." Records when the first user with shutdown privileges logs on to the computer after an unexpected restart or shutdown and supplies a reason for the occurrence.
windows  eventid  cybersecurity 
december 2018 by bwiese
Hacker Hurricane - blogspot
Thursday, July 12, 2018
Come learn how to hunt on Windows quickly - SANS Threat Hunting & IR Summit
threathunting  cybersecurity  blog  eventid  windows 
december 2018 by bwiese
Splunk App for Windows Event Logs
The Interesting Processes section from the Processes dashboard is partially based on a presentation by Michael Gough from "The Top 10 Windows Event ID's Used To Catch Hackers In The Act". See for the presentation slides and information on how to enable the auditing of processes, including command-line based ones. The list of "interesting processes" is based on a study by JPCERT CC (Japan Computer Emergency Response Team Coordination Center) on detecting lateral movement through tracking of event logs. The list is stored in C:\Program Files\Splunk\etc\apps\eventid\lookups\interesting_processes.csv and it can be adjusted with a text editor if needed.

The XML dashboard is designed to report Windows events rendered from the XML by using the renderXML stanza. The renderXML option reduces the volume of data to about 25% of the regular events; however, some details such as the full description of the event are no longer recorded. See Feature Overview: XML Event Logs for more details.
splunk  threathunting  audit  eventlogs  windows  cybersecurity 
december 2018 by bwiese
Cisco IOS Software Checker
select IOS versions, upload "show version command output" or upload txt file
get list of Cisco security advisories, etc
cisco  ios  cybersecurity  tools  reference 
december 2018 by bwiese
Concealing Network Traffic via Google Translate | Running the Gauntlet
This translate proxying method is often used by the malware if their domain or IP is blocked. The malware uses either Google Translate, Bing Translator, or Yahoo! Babel Fish for this purpose

After the malware downloads the webpage, they can parse the embedded iframe to access the data in the page. This even allows the malware to access embedded HTML comments on the page if that is what they are after.
cybersecurity  proxy  malware  google 
december 2018 by bwiese
CDs, faxes make comeback as military file-sharing service taken offline - News - Stripes
turning to CDs, DVDs, postal mail and even fax machines.

Both the Navy and Marine Corps issued official guidance late last month saying optical discs are the only way to securely send large files that contain private information like Social Security numbers or medical data, after the military disabled the Army’s Aviation and Missile Research, Development and Engineering Center Safe Access File Exchange, or AMRDEC SAFE.
filesharing  dod  cybersecurity  army 
december 2018 by bwiese
DOD disables file sharing service due to 'security risks' | ZDNet
"The AMRDEC SAFE site was taken offline Nov. 1 as a preventative measure after government-internal agencies identified potential security risks," an AMRDEC spokesperson told ZDNet in an email.

In a statement on the AMRDEC SAFE portal, the agency said it was "uncertain if the site will be reinstated."

"AMRDEC does not manage any other secure file transfer sites, nor are we aware of any other government-run sites. In the interim, IT and mission-related questions should be directed to your specific organization to determine alternative methods for secure file exchange," said AMRDEC officials.
army  service  filesharing  cybersecurity  korea  dod 
december 2018 by bwiese
Warning: Encrypted WPA2 Wi-Fi Networks Are Still Vulnerable to Snooping
It’s quite easy for someone to monitor this encrypted traffic. All they need is:

The passphrase: Everyone with permission to connect to the Wi-Fi network will have this.
The association traffic for a new client: If someone is capturing the packets sent between the router and a device when it connects, they have everything they need to decrypt the traffic (assuming they also have the passphrase, of course). It’s also trivial to get this traffic via “deauth” attacks that forcibly disconnect a device from a Wi-Fi network and force it to reconnect, causing the association process to happen again.
Really, we can’t stress how simple this is. Wireshark has a built-in option to automatically decrypt WPA2-PSK traffic as long as you have the pre-shared key and have captured the traffic for the association process.
wpa2  cybersecurity  crypto 
december 2018 by bwiese
Decrypt WPA2-PSK using Wireshark | mrn-cciew
Now you have to go to “Edit -> Preferences -> Protocol -> IEEE 802.11” & need to tick the “Enable Decryption” checkbox. Then click on the Edit “Decryption Keys” section & add your PSK by clicking “New”. You have to select Key-type as “wpa-pwd” when you enter the PSK in plaintext.

If you enter the 256-bit encrypted key then you have to select Key-type as “wpa-psk”. If you want to get the 256-bit key (PSK) from your passphrase, you can use this page. It uses the following formula to do this conversion
wireshark  cybersecurity  wpa2  crypto 
december 2018 by bwiese
man in the middle - Why crack WEP or WPA/WPA2 PSK when it can be sniffed through monitor mode capture? - Information Security Stack Exchange
Your point 2 is a bit inaccurate. The PTK is never sent over the air in WPA; it is computed from the PMK, an AP nonce, a client nonce, the AP MAC address, and the client MAC address (this is "key exchange", but the PTK never gets transmitted). Without the PMK, an attacker who sniffs the data can't discover the PTK without doing a brute-force attack (essentially, the client sends a MAC with their nonce, using a key which is part of the PTK; the attacker tries various passphrases, computes PMK and PTK using those passphrases, and then verifies the MAC). So the attacker can sniff the handshake, but it doesn't really help them with things that aren't brute-force.
wpa2  cybersecurity 
december 2018 by bwiese
SSL/TLS inspection (MITM proxy) : networking
Chrome does not perform pin validation when the certificate chain chains up to a private trust anchor. A key result of this policy is that private trust anchors can be used to proxy (or MITM) connections, even to pinned sites. “Data loss prevention” appliances, firewalls, content filters, and malware can use this feature to defeat the protections of key pinning.

We deem this acceptable because the proxy or MITM can only be effective if the client machine has already been configured to trust the proxy’s issuing certificate — that is, the client is already under the control of the person who controls the proxy (e.g. the enterprise’s IT administrator). If the client does not trust the private trust anchor, the proxy’s attempt to mediate the connection will fail as it should.
chrome  cybersecurity  tls  mitm  ssl  network  monitoring 
december 2018 by bwiese