Posts by eric_capuano@infosec.exchange
 (DIR) Post #APhizwPxjARiY2qbJI by eric_capuano@infosec.exchange
       2022-11-17T19:22:02Z
       
       0 likes, 0 repeats
       
       @InsignificantThoughts correct, which has implications on forensics as unallocated disk space often contains juicy data about files once present on the file system that no longer are.
       
 (DIR) Post #AQ2KqasQ5tdNTe9jUm by eric_capuano@infosec.exchange
       2022-11-27T16:35:23Z
       
       0 likes, 1 repeats
       
       Outstanding post from @eff about the #security of #Mastodon https://www.eff.org/deeplinks/2022/11/mastodon-private-and-secure-lets-take-look
       
 (DIR) Post #AQBIG977O5PJSfAAFs by eric_capuano@infosec.exchange
       2022-12-02T01:42:36Z
       
       1 likes, 0 repeats
       
Trying to see if I can get the AI to collapse in on itself. #yara #yararules
       
 (DIR) Post #AQvRvkwbTbMxWQJkIa by eric_capuano@infosec.exchange
       2022-12-24T05:57:58Z
       
       0 likes, 2 repeats
       
Ok, I was tired of rumors speculating about which #LastPass fields appear to be encrypted client-side before being sent to LastPass, so I ran some tests of my own.

        For a basic "Password" item, here is what I can tell so far.

        When saving the item, the following primary fields are transmitted encrypted:
          Name
          Extra (Notes field)
          Username
          Password
          TOTP (not in this screenshot, but did test)

        However, I also observed the following fields having a cleartext (hex) version in the payload as well:
          Name
          Username
          URL
          Folder Name (not hex)

        So in other words, there is more than just the URL being transmitted to LastPass in the clear, which makes sense because LastPass' Admin console reveals login activity for all users which includes Name, Username, and URL of the login event; so naturally, these things must be transmitted and kept server-side outside of the vault. However, this once again does go against their "zero-knowledge of anything in your vault" marketing...

        Screenshots of this test below. I have omitted the encrypted data to prevent revealing enough for a "Known Plaintext Attack" to derive a key, but the relevant pieces are visible. If I am missing anything here, do let me know.

        #LastPassHack #LastPassBreach
       
 (DIR) Post #AQvRvmHCWVRJeaxi2i by eric_capuano@infosec.exchange
       2022-12-24T06:04:26Z
       
       0 likes, 0 repeats
       
inb4 someone says "why does it say that password: password is REUSED?!"

        Because I ran multiple tests using that same value :)
       
 (DIR) Post #AQvRvmLoFN7rst7OE4 by eric_capuano@infosec.exchange
       2022-12-24T06:16:34Z
       
       0 likes, 0 repeats
       
       Another point of clarification— I am not saying all of these values are stored in the vault in the clear, I am only analyzing what is transmitted to LastPass’ servers. It’s possible some of this data is just used on their backend and not persisted to the vault in this format. Someone else that’s done more analysis of an offline vault (@sawaba ?) can maybe bounce my findings off of theirs.
       
 (DIR) Post #AQvRvp24HE7KCWuAN6 by eric_capuano@infosec.exchange
       2022-12-24T06:07:02Z
       
       0 likes, 0 repeats
       
Quick clarification on what I mean by "transmitted encrypted" or "transmitted in the clear": ALL of this traffic is sent over TLS (encrypted). I am referring to the data itself inside the payload, whether or not it is encrypted client-side before being transmitted to LastPass servers.
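        The field-by-field check described in the LastPass posts above, written out as an added example (not code from the original posts): given the values typed into an item and a captured save-request body (after TLS termination, as the clarification notes), it reports which typed values appear in the payload verbatim or merely hex-encoded, versus not at all. The item, the payload keys and the opaque "!...|..." blob strings are all constructed stand-ins; nothing here is LastPass's actual wire format.

```python
import binascii
import string
from typing import Dict, List, Optional

# Characters accepted as "readable text" once a hex-looking field is decoded.
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def hex_to_text(value: str) -> Optional[str]:
    """Decode `value` as hex; return the text if it is printable, else None."""
    if len(value) < 2 or len(value) % 2:
        return None
    try:
        text = binascii.unhexlify(value).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if all(c in PRINTABLE for c in text) else None


def find_cleartext_fields(item: Dict[str, str], payload: Dict[str, str]) -> Dict[str, List[str]]:
    """For every value the user typed into the item, list the payload keys that carry
    it readable server-side: verbatim or only hex-encoded (TLS does not count)."""
    hits: Dict[str, List[str]] = {}
    for field, typed in item.items():
        hits[field] = [k for k, v in payload.items() if v == typed or hex_to_text(v) == typed]
    return hits


def leaked_fields(item: Dict[str, str], payload: Dict[str, str]) -> List[str]:
    """Names of item fields that show up in the clear anywhere in the payload."""
    return sorted(f for f, keys in find_cleartext_fields(item, payload).items() if keys)


# Constructed test item, as a user would type it into the password manager.
ITEM = {"name": "My Bank", "username": "alice", "password": "hunter2",
        "url": "https://bank.example", "notes": "PIN hint", "folder": "Finance"}

# Constructed stand-in for a captured "save item" body. The "!...|..." strings imitate
# opaque client-side-encrypted blobs; this is NOT LastPass's real wire format.
PAYLOAD = {
    "name": "!YWFhYWFhYWFhYWFhYWFhYQ==|bmFtZS1jaXBoZXJ0ZXh0",
    "name_hex": "4d792042616e6b",                          # hex("My Bank")
    "username": "!YmJiYmJiYmJiYmJiYmJiYg==|dXNlci1jaXBoZXJ0ZXh0",
    "username_hex": "616c696365",                          # hex("alice")
    "password": "!Y2NjY2NjY2NjY2NjY2NjYw==|cGFzcy1jaXBoZXJ0ZXh0",
    "extra": "!ZGRkZGRkZGRkZGRkZGRkZA==|bm90ZXMtY2lwaGVydGV4dA==",
    "url": "68747470733a2f2f62616e6b2e6578616d706c65",   # hex(url), not encrypted
    "folder": "Finance",                                   # plain, not even hex
}
```

        Run `leaked_fields(ITEM, PAYLOAD)` to get the list of fields a server-side observer could read without the vault key; anything absent from that list only ever appeared as an opaque blob.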
       
 (DIR) Post #AREqoOOp5bn8n8lYTA by eric_capuano@infosec.exchange
       2023-01-02T16:23:29Z
       
       0 likes, 0 repeats
       
"for Gaming" is the consumer version of "Military-grade" for enterprise. 🤢
       
 (DIR) Post #ARKwrR8x6oaIqOw9sO by eric_capuano@infosec.exchange
       2023-01-05T05:11:13Z
       
       1 likes, 0 repeats
       
As if the #LastPass debacle wasn’t enough, let’s top it off with a #CircleCI breach that’s triggered a warning to rotate all secrets 🤦‍♂️

        Pouring one out for all my #devops homies (hi @shortstack) https://circleci.com/blog/january-4-2023-security-alert/
       
 (DIR) Post #ASoudnVmTq4CufI4Wm by eric_capuano@infosec.exchange
       2023-02-18T23:55:09Z
       
       0 likes, 1 repeats
       
Should start hitting up my #Plex users for swag fund donations 😂 https://plex-gear.myshopify.com/
       
 (DIR) Post #ATeZUWqWesUU9Ewhn6 by eric_capuano@infosec.exchange
       2023-03-15T22:19:25Z
       
       0 likes, 1 repeats
       
       I wish that voice-enabled automated call trees had an option for "I have kids in the background, please do not recognize voice commands and only use dial pad inputs"
       
 (DIR) Post #AWxo2iCLdWKzhK1u4G by eric_capuano@infosec.exchange
       2023-06-22T21:30:36Z
       
       0 likes, 0 repeats
       
       When your mediocre bank does some mediocre ops stuff
       
 (DIR) Post #AXBcQekM7ueglZhWT2 by eric_capuano@infosec.exchange
       2023-06-29T02:15:10Z
       
       0 likes, 0 repeats
       
This is awesome -- a site that tracks end-of-life for many major software products... Great way for the IT/security team to stay on top of software life cycles. https://endoflife.date/
       
 (DIR) Post #AXxU5brblPB9ObL3dQ by eric_capuano@infosec.exchange
       2023-07-22T16:35:47Z
       
       0 likes, 0 repeats
       
@shortstack made me breakfast— egg and a dinosaur 🦕 😂

        Now I just need a juice box 🧃
       
 (DIR) Post #AYRMfdDLZGIoK9DBJI by eric_capuano@infosec.exchange
       2023-08-05T15:51:03Z
       
       0 likes, 0 repeats
       
       📢 After 8 incredible years @recon_infosec, a company I proudly co-founded, I've made the decision to step forward on a new journey. Recon remains strong, and I'm immensely proud of what we've achieved. My passion for innovating in security operations calls, and I'm eager to keep pushing boundaries. Thank you for the unwavering support and encouragement over the years. I will continue to support Recon as an advisor and board member, but a new role awaits! More to come 💙
       
 (DIR) Post #AaJUvBOK5NCUN0jgo4 by eric_capuano@infosec.exchange
       2023-10-01T03:20:58Z
       
       0 likes, 0 repeats
       
       Throwback to that one time I named an MQ-1 Predator attack drone after my kid sis 🤣
       
 (DIR) Post #AbKZG2rPCqLO5nZGOO by eric_capuano@infosec.exchange
       2023-10-31T13:31:20Z
       
       1 likes, 0 repeats
       
Who's gonna be the scariest trick or treater and dress up as a HAR file?
       
 (DIR) Post #AbOU3gSG1zdgonkIgi by eric_capuano@infosec.exchange
       2023-11-01T18:02:24Z
       
       2 likes, 1 repeats
       
What if those keygen warez authors of the late 90s/early 2000s were just MIDI musicians trying to get their mixtapes out there?

        Thanks @bromiley for sharing this gem with me https://keygenmusic.tk/#
       
 (DIR) Post #AbQpUOUhP306HqNx8y by eric_capuano@infosec.exchange
       2023-11-03T13:52:07Z
       
       1 likes, 0 repeats
       
Shame on you, @arstechnica ... You clearly worded the title of this clickbait article to make it seem as if Okta was breached again, when in fact that isn't true at all here. Titling it "Okta hit by another breach..." is misleading, when the reality is Rightway was the one "hit by a breach"... Okta was indirectly impacted by the breach, and in a way that affects nobody but their employees.

        You knew this wasn't appropriate wording for the title, but you chose to capitalize on current events for clicks.

        Okta wasn't even the only Rightway customer affected by the breach, so where's your article for every other company "hit by a breach" they had nothing to do with?

        Throwing shade, you wrote:
        "Okta learned of the compromise and data theft on October 12 and didn’t disclose it until Thursday, exactly three weeks later."

        This 3rd-party breach only affected Okta employees -- who else do they owe a disclosure to? This only affects them! IMHO, the only one that owes anyone a disclosure here is Rightway.

        I am as big a critic of Okta's breach history as anyone, but needlessly kicking them while they're down feels unethical. Do better.

        https://arstechnica.com/security/2023/11/okta-hit-by-another-breach-this-one-stealing-employee-data-from-3rd-party-vendor/ #okta #OktaHack
       
 (DIR) Post #Acg31BH5yzOFegb66y by eric_capuano@infosec.exchange
       2023-12-10T20:08:53Z
       
       1 likes, 1 repeats
       
Today I learned (thanks @shortstack) that docker containers do not resolve DNS hostnames of other containers on the default bridge network, but will on a custom bridge network... Wish I had known this a few years ago instead of using janky container links which are one-way and not bidirectional.

        Plex cluster improved++