Full stop: You are never too old to learn about security. Whether you are looking for a late-in-life occupational change or just a new hobby, you can always learn this as a new skill.
YouTube generates revenue from user ad views, and it’s logical for the platform to implement restrictions to prevent people from downloading videos or even watching them on an unofficial client like YouTube Vanced. In this article, I will explain the technical details of these security mechanisms and how it’s possible to bypass them.
...
Since mid-2021, YouTube has included the query parameter n in the majority of file URLs. This parameter needs to be transformed using a JavaScript algorithm located in the base.js file, which is distributed with the web page. YouTube uses this parameter as a challenge to verify that the download originates from an “official” client. If the challenge is not solved and n is not transformed correctly, YouTube silently throttles the video download. The JavaScript algorithm is obfuscated and changes frequently, so it is not practical to reverse engineer it. The solution is simply to download the JavaScript file, extract the algorithm code, and execute it, passing the n parameter to it.
...
Many projects currently use these techniques to circumvent the limitations put in place by YouTube in order to prevent video downloads. The most popular one is yt-dlp (a fork of youtube-dl) programmed in Python, but it includes its own custom JavaScript interpreter to transform the n parameter.
One of my favourite podcasts for the past few years!
Here are a few episodes I particularly recommend:
Today we look at a very clever hacking technique, since it relies mainly on: your voicemail. Martin Vigo, a cybersecurity expert, has developed a piece of software that makes it possible to exploit voicemail systems around the world. By getting into them, he can reset the credentials of many services that use two-factor authentication, such as WhatsApp, PayPal, Facebook or LinkedIn; in short, every service that can send you a code by phone.
I particularly recommend this episode, with an excellent REX / post-mortem by Stéphane Lenco on crisis management at Thalès, which was targeted by the LockBit ransomware.
Another set of articles covers the code in more depth:
Source: @ebsauvage
You can use this program but I wrote a simple Python script which enumerates the exported functions from the provided DLL (dll-def.py).
A simple way to prevent DLL hijacking from happening would be for applications to always use absolute paths instead of relative ones. Although some applications (notably portable ones) will not always be able to do so, applications located in \system32\ and relying on DLLs in the same folder have no excuse for doing otherwise. The better option, which only very few Windows executables seem to do, is to verify all DLLs before loading them (e.g. by checking their signatures) - this would largely eliminate the problem.
In this article, we will see how to crack an encrypted, password-protected archive using:
- The Biham and Kocher known-plaintext attack on Zip (PKZIP) archives based on the ZipCrypto Store encryption method (can be extended to ZipCrypto Deflate).
- A classic wordlist attack on other encrypted archives such as Zip (WinZip) archives based on the AES (128, 192, 256) encryption method, 7-Zip or RAR.
To carry out this attack, at least 12 bytes of known plaintext are needed, and at least 8 of them must be contiguous. The larger the contiguous known text, the faster the attack.
Tools used: bkcrack, haiti, John the Ripper
FROM: https://sebsauvage.net/links/?rN1X9Q
git-remote-gcrypt is a git remote helper to push and pull from repositories encrypted with GnuPG, using a custom format
Supported backends are local, rsync:// and sftp://, where the repository is stored as a set of files, or instead anywhere gcrypt will store the same representation in a git repository
The aim is to provide confidential, authenticated git storage and collaboration using typical untrusted file hosts or services.
Tested: it works fine and is very easy to set up:
git remote add gitcrypt gcrypt::git@...
git config user.signingkey ...
git config gcrypt.participants ...
git push gitcrypt master
To encrypt only SOME files in a git repo, better look at git-crypt
TL;DR version of lessons from the post:
- Writing open source software can be very rewarding in ways you can’t predict
- Be in it for the long haul
- Ship it and ship regularly
- Have broad, open-ended goals
- If you care enough, you’ll find the time
- No one cares about your unit test coverage
- There’s no shame in marketing
- Clear it with your employer
- Foster community
- Keep it enjoyable
Source: https://www.reddit.com/r/Python/comments/smta85/lessons_learned_from_my_10_year_open_source/
adversaries can attack the encoding of source code files to inject vulnerabilities
The trick is to use Unicode control characters to reorder tokens in source code at the encoding level.
cf. https://fr.wikipedia.org/wiki/Fichier_de_test_Eicar
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
FROM: https://sebsauvage.net/links/?0rGdAQ
To have fun creating your own in Python, with fpdf2:
#!/usr/bin/env python3
# REQUIRE: pip install fpdf2 pdf417 qrcode
import fpdf, pdf417, qrcode
# Raw string: the test string contains a backslash, which a normal literal would treat as an escape sequence
EICAR = r'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
pdf = fpdf.FPDF()
pdf.add_page()
pdf.set_font("Helvetica", size=30)
pdf.text(90, 20, "EICAR")
pdf.text(10, 60, "PDF-417:")
pdf.image(pdf417.render_image(pdf417.encode(EICAR)), x=10, y=60)  # EICAR as a PDF-417 barcode
pdf.text(10, 140, "QRCode:")
pdf.image(qrcode.make(EICAR).get_image(), x=35, y=145)            # EICAR as a QR code
pdf.output("eicar.pdf")
it is easy, using multiple websites, to guess valid bank card numbers, and also to guess the expiry dates and the CVV (card security code).
Apparently, the VISA system is vulnerable to this kind of attack, but MasterCard is not.
The principle is to enter the card number on multiple websites and to try to place an order
Source: https://sebsauvage.net/links/
What happens if malicious code is uploaded to npm under these names? Is it possible that some of PayPal’s internal projects will start defaulting to the new public packages instead of the private ones?
tl;dr: User countermeasures:
- Noreply-Email-Address: Every GitHub user should either use a dedicated commit email address or GitHub’s noreply-email-address service, also enabling the option to block accidental command line pushes.
- 2-Factor-Authentication: Every GitHub user should have 2-Factor-Authentication enabled
- Raise Awareness: it’s the duty of developers aware of this issue to inform their colleagues about it
sed -i "s/$real_email/$github_email/" /opt/*/.git/config
Hydroelectric plant, diesel generator, ventilation system, subway, silo, blast furnace, biogas or drinking-water production system… Everything is there. While the VNC instances of the old days could not do much damage beyond compromising the machine in question, here we are talking about systems that can lead to deaths…
Issue #2 is out!
Paged Out! is a new experimental (one article == one page) free magazine about programming (especially programming tricks!), hacking, security hacking, retro computers, modern computers, electronics, demoscene, and other similar topics.
Includes a crazy prime Python quine! (page 35) O.O
This article shows how to construct a non-recursive zip bomb that achieves a high compression ratio by overlapping files inside the zip container. "Non-recursive" means that it does not rely on a decompressor's recursively unpacking zip files nested within zip files: it expands fully after a single round of decompression. The output size increases quadratically in the input size, reaching a compression ratio of over 28 million (10 MB → 281 TB) at the limits of the zip format. Even greater expansion is possible using 64-bit extensions. The construction uses only the most common compression algorithm, DEFLATE, and is compatible with most zip parsers.
$ python3 -m zipfile -e overlap.zip .
Traceback (most recent call last):
...
__main__.BadZipFile: File name in directory 'B' and header b'A' differ.
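The error above is Python's zipfile module noticing, at extraction time, that a central-directory entry points at a local header carrying a different name. A defender would rather catch the overlap (and an absurd expansion ratio) before extracting anything. The following Python inspector is an added example, not code from the article or from any zip-bomb project; it reads only the central directory, never decompressing data, and builds its own constructed samples (a hand-made zip whose two entries share one local header, and a normally built zip of one mebibyte of zeros). The 100x ratio and 1 GiB total thresholds are assumptions to tune per deployment.

```python
import io
import struct
import zipfile
import zlib
from typing import Dict, List, Tuple

LOCAL_HEADER_LEN = 30  # fixed part of a local file header; name and extra field follow it


def inspect_zip(blob: bytes, max_ratio: float = 100.0, max_total: int = 1 << 30) -> List[Tuple[str, str]]:
    """Inspect a zip from its central directory only. Returns (kind, detail) findings:
    overlap - two entries claim overlapping byte ranges (the shared/quoted header trick)
    ratio   - declared uncompressed/compressed ratio above max_ratio
    total   - declared uncompressed total above max_total
    """
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = sorted(zf.infolist(), key=lambda zi: zi.header_offset)
        for prev, cur in zip(infos, infos[1:]):
            # Lower bound on where prev's bytes end: header + name + compressed data.
            # The local extra-field length is not known from the central directory,
            # so this bound never over-estimates and cannot produce false overlaps.
            prev_end = (prev.header_offset + LOCAL_HEADER_LEN
                        + len(prev.filename.encode("utf-8")) + prev.compress_size)
            if cur.header_offset < prev_end:
                findings.append(("overlap", f"{cur.filename!r} at offset {cur.header_offset} "
                                            f"lies inside {prev.filename!r}"))
        total_u = sum(zi.file_size for zi in infos)
        total_c = sum(zi.compress_size for zi in infos)
        if total_c and total_u / total_c > max_ratio:
            findings.append(("ratio", f"{total_u}/{total_c} = {total_u / total_c:.0f}x"))
        if total_u > max_total:
            findings.append(("total", f"{total_u} bytes declared"))
    return findings


def build_overlapping_zip() -> bytes:
    """Constructed sample: one stored local header 'A' referenced by two central-directory
    entries, 'A' and 'B'. zipfile rejects 'B' at extraction; inspect_zip flags it earlier."""
    data, name = b"hello", b"A"
    crc = zlib.crc32(data)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 0, 0, 0, 0,
                        crc, len(data), len(data), len(name), 0) + name + data
    cd = b""
    for cname in (b"A", b"B"):
        cd += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 0, 0, 0, 0,
                          crc, len(data), len(data), len(cname), 0, 0, 0, 0, 0, 0) + cname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 2, 2, len(cd), len(local), 0)
    return local + cd + eocd


def build_zip(files: Dict[str, bytes], compression: int = zipfile.ZIP_DEFLATED) -> bytes:
    """Constructed sample helper: a well-formed zip written by the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for fname, content in files.items():
            zf.writestr(fname, content)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_zip(build_overlapping_zip()))
    print(inspect_zip(build_zip({"zeros.bin": b"\x00" * (1 << 20)})))
    print(inspect_zip(build_zip({"readme.txt": b"plain text, nothing odd"})))
```

The ratio check on its own is what most archive scanners do; the overlap check is the one that specifically catches the construction described in the article, because overlapping entries declare far more uncompressed bytes than the container could hold if every entry had its own data.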
How does a tiny repo cause git to run out of memory? The secret is that git de-duplicates “blobs” (which are used to store files) to make repositories smaller and allow using the same blob when a file remains unchanged between commits. Git also allows de-duplication of “tree” objects (which define the directory structure in a repository).
git-bomb tries to make a billion files, however it only has 10 references to the file blob and only has 10 tree objects in all.
We are left with A1, A4, A5 and A9 as somewhat relevant, and a dozen other attack vectors a common app faces with no single mention.
A very plausible scenario of credentials sniffer injected through npm dependency chain.
I loved the "I’d see it in your source on GitHub!" section: so scary and true.
Journalists watch out—you may be unintentionally revealing sources.
Unlike previous text fingerprinting techniques, zero-width characters are not removed when formatting is removed from text
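The Trojan Source entry above (reordering tokens with Unicode control characters at the encoding level) and this zero-width fingerprinting entry call for the same defensive check: scan text for invisible format characters before trusting what is displayed. The following Python scanner is an added example, not code from either linked article; the two inputs it scans are constructed here, one mimicking a bidi-reordered source line and one carrying a zero-width fingerprint that survives case changes and other formatting operations.

```python
import unicodedata
from typing import List, NamedTuple, Optional

# Bidirectional controls abused to make displayed source differ from compiled source
BIDI_CONTROLS = frozenset({
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,  # LRE, RLE, PDF, LRO, RLO
    0x2066, 0x2067, 0x2068, 0x2069,          # LRI, RLI, FSI, PDI
    0x200E, 0x200F, 0x061C,                  # LRM, RLM, ALM
})
# Zero-width characters usable as an invisible per-recipient fingerprint in plain text
ZERO_WIDTH = frozenset({0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF, 0x180E})


class Hit(NamedTuple):
    line: int
    col: int
    codepoint: int
    kind: str
    name: str


def classify(ch: str) -> Optional[str]:
    """Return the class of an invisible character, or None for a visible one."""
    cp = ord(ch)
    if cp in BIDI_CONTROLS:
        return "bidi-control"
    if cp in ZERO_WIDTH:
        return "zero-width"
    if unicodedata.category(ch) == "Cf":  # any other Unicode "format" character
        return "other-format"
    return None


def find_invisible(text: str) -> List[Hit]:
    """Locate every invisible format character, 1-based line and column."""
    hits: List[Hit] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            kind = classify(ch)
            if kind is not None:
                hits.append(Hit(lineno, col, ord(ch), kind, unicodedata.name(ch, "UNKNOWN")))
    return hits


def strip_invisible(text: str) -> str:
    """Remove all invisible format characters (e.g. before publishing a leaked document)."""
    return "".join(ch for ch in text if classify(ch) is None)


# Constructed samples (not from the page): a Trojan Source style line whose comment is
# rendered inside the string literal, and a sentence fingerprinted with zero-width characters.
TROJAN_SOURCE_SAMPLE = ('if access_level != "user\u202e \u2066// only admins\u2069 \u2066":\n'
                        '    grant_admin()\n')
FINGERPRINTED_SAMPLE = "Leaked memo:\u200b this text\u200c is fingerprinted\u200d."

if __name__ == "__main__":
    for h in find_invisible(TROJAN_SOURCE_SAMPLE) + find_invisible(FINGERPRINTED_SAMPLE):
        print(f"line {h.line} col {h.col}: U+{h.codepoint:04X} {h.name} ({h.kind})")
```

Run it as a pre-commit hook over source files to reject bidi controls outside string literals and comments, and over documents before they leave a newsroom to remove fingerprints; the `other-format` catch-all keeps the scan useful for format characters not listed explicitly.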
since Google has already deployed QUIC in the Chrome browser and on its sites, it already accounts for more than 7% of Internet traffic.
Also mention this creepy & fascinating attack: http://codebutler.com/firesheep
Canary tokens are a free, quick, painless way to help defenders discover they've been breached (by having attackers announce themselves.)
Embeddable in:
few realize how absolutely devastating and omnipresent this vulnerability can be
To give you an example of the vulnerability of tools like Outlook mail: in 2016, the Annudef’ (the Ministry of Defence directory) was downloaded twice, and we still do not know by whom.
😲😱😩
Or how I obtained direct publish access to 14% of npm packages (including popular ones)
"Here you have a trivially simple method of injecting legit-looking messages into text conversations with anyone, providing you know how your target stores the spoofee sender in their contacts. In the UK, that’s largely the difference between starting with 07, and +447.
The utterly exquisite reality is that, if your target then replies, that reply goes to the real sender, who is overwhelmingly likely to reply something like “what the hell are you on about?”, this being the first they’ve heard of this shady business. Does that look like backtracking or denial? I ain’t no Member of Parliament, but it sure sounds like it to me."
afl = american fuzzy lop
cf. http://lcamtuf.coredump.cx/afl/
"Luckily, afl-fuzz can leverage lightweight assembly-level instrumentation to its advantage - and within a millisecond or so, it notices that although setting the first byte to 0xff does not change the externally observable output, it triggers a slightly different internal code path in the tested app."
You can easily create the equivalent of an authentication token with your smartphone. There are apps that follow a standardised protocol for this: OTP (One Time Password). The advantage of OTP is that no connection is needed between your OTP client (your smartphone) and the server. Both can generate and check the validity of OTPs while disconnected. This system can therefore work even if you have no GSM network within reach.
This protocol creates a code that can only be used once. We are just going to add an input field to the login form. You will see, it really is not complicated.
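To make the offline property and the one-time property concrete, here is an added Python example (not code from the article) implementing the standardised OTP the text refers to: HOTP (RFC 4226) and its time-based form TOTP (RFC 6238), with a server-side verifier that tolerates one step of clock drift and refuses to accept the same time step twice. The secret below is the RFC 6238 test secret, used only so the results can be checked against the RFC's published vectors; the provisioning URI format is the otpauth:// scheme that phone apps read from an enrolment QR code.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP, the client side: HOTP with counter = floor(unix_time / step).
    Only the shared secret and a clock are needed, hence no network required."""
    if at is None:
        at = time.time()
    return hotp(key, int(at // step), digits, digestmod)


class TotpVerifier:
    """Server side: checks codes offline from the shared secret, tolerates a small clock
    drift, and accepts each time step at most once so an observed code cannot be replayed."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_counter = -1  # highest counter already consumed; persist this per user

    def verify(self, code: str, at: Optional[float] = None) -> bool:
        if not (isinstance(code, str) and code.isascii() and len(code) == self.digits):
            return False
        if at is None:
            at = time.time()
        counter = int(at // self.step)
        for c in range(counter - self.window, counter + self.window + 1):
            if c < 0 or c <= self.last_counter:
                continue  # never accept a step that was already used (or older than one used)
            if hmac.compare_digest(hotp(self.key, c, self.digits), code):
                self.last_counter = c
                return True
        return False


def provisioning_uri(key: bytes, account: str, issuer: str, digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI as encoded in the enrolment QR code scanned by the phone app."""
    secret = base64.b32encode(key).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret}&issuer={quote(issuer)}&digits={digits}&period={step}")


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 6238 test secret, never use a fixed key in production
    print(provisioning_uri(key, "alice@example.com", "ExampleApp"))
    print("current code:", totp(key))
```

The login form only needs the extra field; on the server, store the secret per user (encrypted at rest), persist `last_counter` so the replay check survives restarts, and rate-limit attempts, since a six-digit code is brute-forceable if the endpoint allows unlimited guesses.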
...password reset feature readily disclosing whether an email address already existed on the site...
Frankly, it's an exception when a site doesn't leak data through one of these enumeration risks in the password reset, registration and login features.
TL;DR: do not use autocomplete
Use rel="noopener noreferrer"
So which security considerations are relevant at an early stage?
reverse - Reverse engineering for x86 binaries. Generation of pseudo-C.
A step-by-step account of an overnight digital heist
binglide - Visual reverse engineering tool showing some of the current techniques.