Jump to content

2nty7vn

Members
  • Posts

    20
  • Joined

  • Last visited

Everything posted by 2nty7vn

  1. https://dojo.ministryoftesting.com/lessons/30-days-of-security-testing
  2. The hacker says this demonstrates that when organizations make hacking tools, those techniques will eventually find their way to the public. In January, Motherboard reported that a hacker had stolen 900GB of data from mobile phone forensics company Cellebrite. The data suggested that Cellebrite had sold its phone cracking technology to oppressive regimes such as Turkey, the United Arab Emirates, and Russia. Now the hacker responsible has publicly released a cache of files allegedly stolen from Cellebrite relating to Android and BlackBerry devices, and older iPhones, some of which may have been copied from publicly available phone cracking tools. "The debate around backdoors is not going to go away, rather, its is almost certainly going to get more intense as we lurch toward a more authoritarian society," the hacker told Motherboard in an online chat. "It's important to demonstrate that when you create these tools, they will make it out. History should make that clear," they continued. Cellebrite is an Israeli firm which specializes in extracting data from mobile phones for law enforcement agencies. The company's flagship product, the Universal Forensic Extraction Device (UFED), typically comes as a small, laptop-sized device, and can pull SMS messages, emails, and more from thousands of different mobile phone models. The investigator needs to have physical access to the phone to analyze it. A Motherboard investigation found that US state police and highway patrol agencies have collectively spent millions of dollars on Cellebrite technology. The hacker claimed to have taken the newly released data from a remote Cellebrite server, and said they had extracted them from UFED images. They told Motherboard that the files were encrypted, likely in an attempt to protect Cellebrite's intellectual property, but that they managed to bypass the protections. The hacker's ASCII art, which reads "backdoorz." "The ripped, decrypted and fully functioning Python script set to utilize the exploits is also included within," the hacker wrote in a README file accompanying the data dump. The hacker posted links to the data on Pastebin. It's not clear when any of this code was used in the UFED. Many of the directory names start with "ufed" followed by a different type of phone, such as BlackBerry or Samsung. In their README, the hacker notes much of the iOS-related code is very similar to that used in the jailbreaking scene—a community of iPhone hackers that typically breaks into iOS devices and release its code publicly for free. Jonathan Zdziarski, a forensic scientist, agreed that some of the iOS files were nearly identical to tools created and used by the jailbreaking community, including patched versions of Apple's firmware designed to break security mechanisms on older iPhones. A number of the configuration files also reference "limera1n," the name of a piece of jailbreaking software created by infamous iPhone hacker Geohot. He said he wouldn't call the released files "exploits" however. Zdziarski also said that other parts of the code were similar to a jailbreaking project called QuickPwn, but that the code had seemingly been adapted for forensic purposes. For example, some of the code in the dump was designed to brute force PIN numbers, which may be unusual for a normal jailbreaking piece of software. "If, and it's a big if, they used this in UFED or other products, it would indicate they ripped off software verbatim from the jailbreak community and used forensically unsound and experimental software in their supposedly scientific and forensically validated products," Zdziarski continued. A spokesperson for Cellebrite told Motherboard in an email: "The files referenced here are part of the distribution package of our application and are available to our customers. They do not include any source code." He added that the company monitors new research from academia and the information security community, including "newly published forensic methods, research tools and publicly documented issues, including "jailbreaks," which enable platform research." Cellebrite develops methods for gaining access to phones that do not change or alter data on the device, the spokesperson continued. He wrote that Cellebrite's technology is used to combat child trafficking and exploitation, sexual assault, murder, and drug and gang crime. In its statement released in response to the initial data breach, Cellebrite only mentioned that "basic contact information" of its customers had been stolen. But as Motherboard reported at the time, the cache of data included much more. In early 2016, the Department of Justice and Apple entered a fierce legal battle, in which the department tried to legally compel Apple to build a custom operating system that would allow investigators to bypass security protections on an iPhone. A concern at the time was that, if such an operating system was created, it could leak and become public. Although these dumped tools may not be the most sensitive—Cellebrite keeps its techniques for cracking more recent iPhones inhouse—they do demonstrate that those worries were justified. Researchers will likely now dig through the content for any interesting attacks or findings. "@FBI Be careful in what you wish for," the hacker's message reads, before signing off with a piece of ASCII art, which says "Backdoorz." https://motherboard.vice.com/en_us/article/hacker-dumps-ios-cracking-tools-allegedly-stolen-from-cellebrite
  3. https://pressone.ro/cine-sunt-cei-noua-judecatori-ai-ordonantei-13/
  4. Apropos de asta, Adrian Lamo prezinta niste sfaturi generale despre hacking mindset in postarea de aici: https://www.quora.com/How-did-Adrian-Lamo-learn-to-hack . E destul de activ pe Quora, raspunde la mai multe intrebari care are fi adresate in special de incepatori.
  5. Am mai completat cu 3 resurse pentru programming challenges: www.codewars.com www.codechef.com www.hackerrank.com
  6. Programare: www.codewars.com www.codechef.com www.hackerrank.com
  7. 2nty7vn

    TorMail !?

    "Tor Mail is a former Tor hidden service that went offline in August 2013 after an FBI raid on Freedom Hosting. The service allowed users to send and receive email anonymously, to email addresses inside and outside the Tor network." (https://en.wikipedia.org/wiki/Tor_Mail). Pe acelasi subiect: https://protonmail.com/blog/protonmail-tor-censorship/
  8. Ca o sugestie, incearca sa scrii cat mai putin si la subiect. Avand in vedere ca suntem bombardati zilnic cu informatie, orice nu e la subiect e pierdere de timp, timp in care putem sa invatam altceva mai util. Python nu e un program, ci un limbaj de programare. Ti-as mai sugera si sa cauti singur pe net tutoriale despre python si despre orice doresti sa afli sau nu intelegi. Primul pas e sa inveti sa folosesti Google in folosul tau. Succes.
  9. Last week, Facebook announced support for U2F Security Keys, to help keep accounts secure with our second-factor authentication feature called login approvals. This is part of a larger story of industry investment and innovation around improving, and perhaps even replacing, the password. The truth is, technologies for login authentication like FIDO are only half of the story needed to keep accounts secure. The other half is account recovery—specifically, how do you regain access to your account if you lose your password, phone, or security key? So-called “security questions” are widely acknowledged as both inconvenient and risky. They tend to be re-used across different accounts, making them even more dangerous than shared passwords. Recovery emails and SMS messages are common alternatives, and while they can get the job done, both are showing their age: neither offers the end-to-end security guarantees we expect from modern protocols, and these methods are becoming less reliable as the next billion people are getting online for the first time. We need something better—a way to recover access, using identities and services you trust, regardless of whether they are associated with an email address or a phone number. This process needs to be easy, secure, and respectful of your privacy. Some tools like Facebook Login and Trusted Contacts are part of the solution, but not every site uses the same features. Consider GitHub, a collaborative software development platform that hosts some of the most popular software in the world, including Facebook's own open source projects like React and osquery. GitHub maintains direct control of how it authenticates its users, how it assesses password strength and other risk signals, and how it deploys a diverse set of two-factor authentication methods. So what do you do if you lose access to the phone number or security keys you use at GitHub? An email address alone can't provide the same level of two-factor authentication to recover access, so starting Tuesday, you'll be able to use your Facebook account to provide additional authentication as part of the recovery process at GitHub. You'll need to set up this method in advance by saving a recovery token with your Facebook account. A recovery token is encrypted so Facebook can't read your personal information. If you ever need to recover your GitHub account, you can re-authenticate to Facebook and we will send the token back to GitHub with a time-stamped counter-signature. Facebook doesn't share your personal data with GitHub, either; they only need Facebook's assertion that the person recovering is the same who saved the token, which can be done without revealing who you are. This can happen in just a few clicks in your browser, all over HTTPS. We're releasing this feature in a limited fashion with GitHub so we can get feedback from the security community, including participants in our bug bounty programs. Not only will our implementation be immediately in-scope for our bounty programs, but Facebook and GitHub will jointly reward security issues reported against the specification itself, according to our impact criteria. We would like to see more services adopt this account recovery design over the long run, so we are publishing the protocol behind this feature today on our open source site at GitHub: https://github.com/facebookincubator/DelegatedRecovery/ Both Facebook and GitHub plan to publish open source reference implementations of the protocol in various programming languages to make it easy to build secure and privacy-preserving connections among your accounts and ensure you never lose access. Soon, we hope to open the ability for any service to improve its account recovery experience using Facebook. We also want to offer the ability for people to use other accounts, such as a GitHub account, to help you recover your access to Facebook. Usable security must cover all the ways we access our accounts, including when we need to recover them. We hope this solution will improve both the security and the experience when people forget a password or lose their phone and need to get back into their accounts. Brad Hill is a Security Engineer at Facebook. https://www.facebook.com/notes/protect-the-graph/improving-account-security-with-delegated-recovery/1833022090271267
  10. HTML+CSS, JavaScript, PHP, SQL nu ii folosesc la ceea ce are el nevoie, deci nu are sens sa incepa cu asa ceva. Odata ce stii C/C++, desi e nevoie de munca, poti mult mai usor sa migrezi spre alte limbaje de scripting ca cele de mai sus. Dar e mult mai greu in sensul invers.
  11. Exact la asta ma gandeam acum. Chirurgi care stau cu orele in operatie, responsabili de viata unui om. Asta pe langa faptul ca poti pierde dreptul de a profesa, sau poti chiar sa ajungi la inchisoare.
  12. Da-mi voie sa te contrazic aici. Intr-adevar e un mediu stresant, dar in mod sigur nu e cel mai stresant. E o insulta adusa altor meserii mult mai grele. Cand vii la munca nu iti pui viata in joc si nici nu o pui pe a altora. Eu nu am cunoscut pana acum toti programatorii de peste 40 de ani, dar cei pe care ii cunosc mi se par in conditie psihica foarte buna. Cine lucreaza de placere in acest domeniu nu o sa fie la fel de stresat ca cineva care face asta ca e la moda si aduce bani. Nu putem sa generalizam lucrurile.
  13. Companiile mari se dezvolta intr-un ritm mai alert, si oferta de forta de munca nu e la fel de dezvoltata incat sa tina pasul cu cererile unui numar mare de companii, in special ca se cauta oameni mai bine pregatiti.
  14. De acord si eu cu C/C++ ca prima alegere. As recomanda si Python in paralel. Un limbaj puternic si usor de invatat. Resurse pentru C++: rabdare si perseverenta http://www.learncpp.com/ C++ Primer Fifth Edition ( A nu se confunda cu C++ Primer Plus!) https://github.com/fffaraz/awesome-cpp Resurse Python: https://docs.python.org/3/ https://github.com/vinta/awesome-python
  15. Ai nevoie de baze solide in matematica. De aici porneste totul.
  16. Pentru inceput ti-as recomanda sa treci prin exercitiile de aici http://www.w3resource.com/python-exercises/. Sunt lucruri de baza pe care e foarte important sa le intelegi si sa le fixezi pentru a putea crea lucruri mai complexe pe viitor. Si cel mai bine se poate face asta prin exercitiu. Gasesti aici si tutoriale pentru Python, dar si pentru alte limbaje.
×
×
  • Create New...