Train yourself in OSINT with OpenFacto
OpenFacto is a French non-profit (association loi 1901) whose goal is to federate and promote the French-speaking OSINT scene.
Training courses recommended in episode 509 of the NoLimitSecu podcast, devoted to the dangers of OSINT
Available online to play
Needs to be downloaded and deployed on your own host
The story starts last week, when I began receiving phishing for Crédit Mutuel, but with URLs that all pointed to Wikimedia's servers.
[...]
So we end up with an insidious technique, resolving to the phishing site only when the request is made by the caches/DNS resolvers of French ISPs. All the easier given that the list of those servers' IPs is necessarily public.
I am Marc Frédéric Gomez, cybersecurity expert and technology enthusiast.
My mission: thwart cyber threats and keep you safe!
Every day, I bring you the latest cybersecurity news.
today, I would not recommend GraphQL to most people, and what I think are better alternatives.
Attack surface
Authorisation
Rate limiting
Query parsing
Performance
Data fetching and the N+1 problem
Authorisation and the N+1 problem
Coupling
Complexity
And more...
Pwning Python 3 VM via an intended feature (Disclaimer: Not a vulnerability)
Sections:
- Indexing into Known Memory
- Creating a call gadget
- Changing the page permissions using ctypes
- Crafting our Shellcode
Latest information on PyPI and related security / vulnerabilities...
Telegram's founder and CEO, Pavel Durov, is being held in France, to general surprise. He was arrested near Paris shortly after arriving on his private jet. The arrest of the head of one of the world's most widely used applications, notably in Ukraine and Russia, has since drawn many comments, including on the subject of freedom of expression.
Telegram has been accused of laxity, because of the illegal activities that have been detected on the service.
The arrest of Pavel Durov on the grounds that Telegram does not moderate its platform enough has left several analysts and commentators circumspect. Some wonder whether other stakes are also at play, given the service's particular role in disinformation, influence and propaganda.
Polyfill.io was owned by the Financial Times web team, then moved under community management, and the last maintainer sold the project to a weird Chinese CDN company, and they moved it away from Fastly (the CDN / Edge compute platform running the OSS code for the service) and started to mess with the returned files.
From polyfill.io original creator: twitter.com/triblondon/status/1761852117579427975
Issue on their repo: polyfillpolyfill/polyfill-service/issues/2834
The domain polyfill.io is now a CNAME to polyfill.io.bsclink.cn. There has been no communication about this, or about how the service is now run (it previously depended on Fastly's edge compute platform, which is not available on this Chinese cloud).
Over a period of over two years, an attacker using the name “Jia Tan” worked as a diligent, effective contributor to the xz compression library, eventually being granted commit access and maintainership. Using that access, they installed a very subtle, carefully hidden backdoor into liblzma, a part of xz that also happens to be a dependency of OpenSSH sshd on Debian, Ubuntu, and Fedora, and other systemd-based Linux systems that patched sshd to link libsystemd.
That backdoor watches for the attacker sending hidden commands at the start of an SSH session, giving the attacker the ability to run an arbitrary command on the target system without logging in: unauthenticated, targeted remote code execution. The attack was publicly disclosed on March 29, 2024 and appears to be the first serious known supply chain attack on widely used open source software. It marks a watershed moment in open source supply chain security, for better or worse.
This post is a detailed timeline that I have constructed of the social engineering aspect of the attack, which appears to date back to late 2021.
In the lecture, Ken explains in three steps how to modify a C compiler binary to insert a backdoor when compiling the “login” program, leaving no trace in the source code. In this post, we will run the backdoored Go compiler using Ken’s actual code. But first, a brief summary of the important parts of the lecture.
Full stop: You are never too old to learn about security. Whether you are looking for a late-in-life occupational change or just a new hobby, you can always learn this as a new skill.
Where to Start?
Conferences
Hands On
A breakdown of what constitutes the software supply chain and how to secure each stage
Software supply-chain (SSC) attacks have become so critical that the government has taken action. The Biden Administration, in its second year in office, released an executive order on SSC risks. This has created a tailwind that has led to a proliferation of companies aiming to protect the supply chain and to help companies comply with this legislation.
Bundling software components and dependencies into a deployable format and distributing it for installation on target systems. We discuss Software Bill of Materials (SBOM), code provenance and signatures, and artifact repositories.
Youtube generates revenue from user ad views, and it’s logical for the platform to implement restrictions to prevent people from downloading videos or even watching them on an unofficial client like YouTube Vanced. In this article, I will explain the technical details of these security mechanisms and how it’s possible to bypass them.
...
Since mid-2021, YouTube has included the query parameter `n` in the majority of file URLs. This parameter needs to be transformed using a JavaScript algorithm located in filebase.js, which is distributed with the web page. YouTube uses this parameter as a challenge to verify that the download originates from an "official" client. If the challenge is not resolved and `n` is not transformed correctly, YouTube will silently apply throttling to the video download. The JavaScript algorithm is obfuscated and changes frequently, so it's not practical to attempt reverse engineering to understand it. The solution is simply to download the JavaScript file, extract the algorithm code, and execute it by passing the `n` parameter to it.
...
Many projects currently use these techniques to circumvent the limitations YouTube has put in place to prevent video downloads. The most popular one is yt-dlp (a fork of youtube-dl), written in Python, but it includes its own custom JavaScript interpreter to transform the `n` parameter.
One of my favourite podcasts for several years now!
Here are a few episodes I particularly recommend:
- Episode 421 - RETEX (lessons learned) on the security incident at the CHU de Brest
- Episode 409 - Lessons learned from managing a cyber crisis, by the CISO of Thales (already shared on this shaarli)
- Episode 397 on the Pwned blog/newsletter
- Episode 395 on the "cyber" aspects of the war in Ukraine
- Episode 331 on "software sandboxing" with Jean-Baptiste Kempf of VLC
Today we look at a very clever hacking technique, since it relies mainly on: your voicemail. Martin Vigo, a cybersecurity expert, has developed software that can exploit voicemail systems around the world. By gaining access to them, he can reset the credentials of many services that use two-factor authentication, such as WhatsApp, PayPal, Facebook or LinkedIn; in short, any service that can send you a code by phone.
I particularly recommend this episode, with an excellent REX / post-mortem by Stéphane Lenco on handling a crisis at Thales, which was targeted by the LockBit ransomware