Posts posted by mrreboot
All the deals for InfoSec related software/tools this Black Friday / Cyber Monday
❤️ Hope you all have a well-deserved, happy Thanksgiving, and kudos to all those who contributed to this list.
FAQ
When do these sales end?
Most end 29/30th November.
When will most of the deals/discounts be here?
Most likely 27th midday for USA, 28th November for the rest of the world, check back often!
Can I add deals to the page?
Yes, please follow formatting guidelines, provide a source and code. Has to be (loosely) infosec related.
🙈 means 1) Limited user run 2) Great deal or 3) Highly recommended
*Disclaimer: I have included my own, and other discount codes sent in directly.
Hacker Essentials
Stickermule
https://www.stickermule.com/deals
$19 down from $65, free shipping
Tools
GRAYHATWARFARE (Cloud Storage Buckets Search Engine) 🙈
https://buckets.grayhatwarfare.com/packages
Up to 50% off
IDA Pro
https://www.hex-rays.com/cgi-bin/quote.cgi/products
25% OFF for all IDA Home purchases
Maltego OSINT tool
https://buy.maltego.com
50% off Maltego Pro annual subscription
Burp Bounty Pro Extension
https://order.shareit.com/cart/view
20% off with code: CYBERBOUNTY
Pulsedive Threat Intelligence 🙈
https://pulsedive.com/about/pro
$5 PRO accounts with code: TRYFOR5
SecurityTrails 🙈
https://securitytrails.com/
100 recurring free API credits by retweeting
Tenable
https://www.tenable.com/buy
50% off Nessus PRO with code: takehalf
WPScan
https://wpscan.com/
25% off Starter and Pro accounts with code: BLACKFRIDAY2020
VMware
https://store-us.vmware.com/
30% off new licenses, 19% off upgrades. No code required
Faraday
https://faradaysec.com/landing-black-friday/
30% off and free training on new licenses.
MalwareBytes
https://try.malwarebytes.com/black-friday/
50% off Malwarebytes Premium, 40% OFF Malwarebytes Premium + Privacy
ESET
https://www.eset.com/us/cyber-weekend-2020/
40% off all security software
010 Editor
https://www.sweetscape.com/010editor/
30% off
Little Snitch (macOS Firewall)
https://www.obdev.at/products/littlesnitch/order.html
30% OFF
Murus and Vallum (macOS Firewall (pf))
https://murusfirewall.com/
50% OFF
Detectify 🙈
https://detectify.com/lp/black-friday-professional-plan-offer
20% off annual subscription + mention "Kate sent me" to get a Go Hack Yourself hoodie as well with purchase.
Sn1per Professional 🙈
https://xerosecurity.com/wordpress/black-friday-sale/
$49 savings on Sn1per Professional v8.0 + Command Execution Add-on
Kon-Boot (Windows and MacOS local password bypass)
https://kon-boot.com/?NOVEMBER=1
25% off Kon-Boot Windows, MacOS, and 2in1 personal and commercial licenses.
Intuitibits (WiFi Explorer Standard, Transfer (TFTP), Wifi Signal)
https://www.intuitibits.com
Various discounts
Books:
Bug Bounty Playbook 2 (verified)
https://payhip.com/b/nRia
Discount on full price
NoStarch Press
https://nostarch.com/
33.7% off + free shipping with code BLACKFRIDAY20
*domestic orders only, $50 min
O'Reilly Books
https://www.oreilly.com/
50% discount with code: CM20CS
Apress
https://www.apress.com/us/shop/cybermonday-sale
All eBooks $6.99 each with code: CYBER20AP
Pearson
https://www.pearsonitcertification.com/promotions/booksgiving-buy-2-plus-books-or-ebooks-save-55-142246
Buy 2, save 55% + free US shipping with code: BOOKSGIVING
Humble Bundle
https://www.humblebundle.com/
45% off Premium
Agile Stationary (cybersecurity card games)
https://agilestationery.co.uk/
40% off, applied automatically when buying 3 or more products
Courses & Training:
OffSec AWAE 🙈
https://www.offensive-security.com/awae-oswe/
Various discounts depending on lab length
Udemy (Hacking Training - online)
https://www.udemy.com
All courses $10.99
INE (eLearnSecurity, so eJPT, eCPPT)
https://ine.com/
40% off with code: BF40
PluralSight
https://www.pluralsight.com/offer/2020/bf-cm-40-off
40% discount
Lets Defend
http://letsdefend.io/
50% off with code: BLCKFRDY
PentesterLab (Hacking Training/Platform - online) 🙈
https://pentesterlab.com/pro/
One-year: US$146.52 instead of US$199.99; Student (3-month): US$27.99 instead of US$34.99
DroneSec (Drone Security Training - online, unlocks 1st December) 🙈
https://training.dronesec.com
65% discount on bundle with code: DONOTSHAREBLACKFRI
20% discount on live training with code: BF20
Social Engineering Training 🙈
(Robin Dreeke, retired FBI Special Agent and Chief of the Counterintelligence Behavioral Analysis Program)
https://www.peopleformula.com/online-training
25% discount with code: infosec25
CloudGuru (was Linux Academy)
https://acloudguru.com/pricing
Various deals
Zero2Automated Malware Analysis Course
https://courses.zero2auto.com/beginner-bundle
20% off with code: BLACKFRIDAYSALES
Practical DevSecOps
https://www.practical-devsecops.com/black-friday/
15% off
OSINTion Training
https://blackfriday.theosintion.com/
33% off courses with code: 2020BF1337OSINT
OSINT Combine 🙈
https://academy.osintcombine.com/
40% off all courses with code: BLACKFRIDAY
Whizlabs
https://www.whizlabs.com/
50% off all products with code: BLACKFRIDAY50
ISACA
https://www.isaca.org/go/flash
15% off CISA/CISM/CRISC training & certs
Kaplan
https://www.kaptest.com/study/gre/black-friday-and-cyber-monday-gre-deals/
Claim deals are incoming shortly...
Networkdefense.io
https://www.networkdefense.io/library/
20% off all courses. No code required.
International Cybersecurity Institute
https://www.icsi.co.uk/pages/black-friday-offer
50% off courses with code: BF50
Cybrary (Hacking Training/Platform - online)
https://www.cybrary.it/
70% discount
Cybr (Training/Platform/Community - online) 🙈
https://cybr.com/
Up to 74% off
Hacker House (Hands on Hacking) 🙈
https://hacker.house/training/
35% discount with code: HACKFRIDAY
Dawid Czagan's Web Hacking Secrets 🙈
https://silesiasecuritylab.com/
90% discount with promo code: BlackFriday2020
Services:
ProtonMail
https://protonmail.com/blog/black-friday-2020/
33-50% discounts
NordVPN
https://nordvpn.com/offer/great-deal/
68% discount + 3 months free
F-Secure TOTAL and FREEDOME VPN
https://www.f-secure.com/en/home/products/total
50% off with code: BLACKWEEK
1Password
https://1password.com/promo/black-friday/the-verge/
50% off family account
Lowendbox
https://lowendbox.com/blog/lowendbox-has-mind-blowing-offers-coming-this-black-friday-cyber-monday-season/
Variety of deals
Priveasy (Open Source Privacy and Security Services)
https://Priveasy.org
Get an additional 90 days free at checkout with code: 6ffbb6ff46
Surfshark VPN
https://surfshark.com/deals
83% off + 3 months free
LastPass
https://www.lastpass.com/offer/cyber-week-2020
40% off LastPass Premium for new users
Hardware:
DJI 🙈
https://store.dji.com/event/black-friday-sale-2020
Up to 46% off; Osmo Action $199 down from $369
SouthOrd Picks
https://www.southord.com/
25% discount with code: CHEER25
SOS Solutions (Hardware Kits)
https://www.sossolutions.nl/black-friday-2020
Various discounts
ifixit
https://www.ifixit.com/News/47143/our-black-friday-sale-is-here-and-bigger-than-ever
Multiple discounts + free shipping over $50 with code: FIXSHIP
Hak5
https://shop.hak5.org/
Various discounts
Sparkfun
https://www.sparkfun.com/news/3513
Various discounts
Newsletters:
Cybersecurity Market Insights Newsletter
https://gumroad.com/securityinsights
15% off monthly and annual Pro subscriptions with code: security15off
InfoSec Black Friday Deals (2019)
These were key deals last year, so keep an eye out and update if released.
Hacker Essentials
Stickermule
https://www.stickermule.com/deals
$19 down from $65, free shipping
Software:
Acrylic WiFi Hacking Suite
https://www.acrylicwifi.com/
30% discount with code: BLACKFRIDAY
VMware (Virtual Machine Application)
Workstation Pro & Fusion Pro, Workstation & Player
https://store-au.vmware.com/?PID=3211374&PubCID=1397064&cjevent=3533e3c6115911ea839000790a1c0e0f
45-60% off with code: BF2019
RoyalTS (Toolbox for remote computing)
Royal TS (Win) and Royal TSX (macOS) Individual User Licenses
https://royalapps.com/ts/win/buy
50% discount with code: BLACKFRIDAY19
WiFi Explorer Pro
https://www.adriangranados.com/
https://buy.paddle.com/checkout/43767240-chreaa50fc5abeb-c5a30d6d5b
$50 discount
Hardware:
SouthOrd Picks
https://www.southord.com/
25% discount with code: HOLLY19
Pelican Cases
https://www.pelican.com/us/en/shop/black-friday/
30% off with code: HOLIDAY
Yubico/YubiKey
https://www.yubico.com/store/black-friday-2019
$20 OFF two YubiKeys or $100 OFF orders of $400 or more
Hak5
https://shop.hak5.org/
50% discount and free shipping
DJI (for hacking drones)
https://store.dji.com/guides/dji-black-friday-deals-2019-guide/
40% discount
ifixit
https://www.ifixit.com/Black-Friday
Multiple discounts + free shipping with code: BLUEANDBLACK19
SparkFun
https://www.sparkfun.com/news/3134
15-25% discount
SeeedStudio
https://www.seeedstudio.com/thanksgiving_50_off_sale.html
50% discount with code: THANKS50
Airspy SDR Tools
https://airspy.com/
https://www.rtl-sdr.com/airspy-30-off-black-friday-sale-coupon-now-active/
30% discount with code: AWARDWINNING2019
LAB401 SDR/RFID Equipment
https://lab401.com/blogs/news/black-friday-cyber-monday-sales
15%+ discount with code: BFCM2019
Southord Lockpicking
https://www.southord.com/
15% off with coupon: HOLLY19
Maltronics WiFi Keyloggers
https://maltronics.com/collections/wifi-keyloggers
20% discount
Courses & Training:
Applied Network Defense Online Training
https://networkdefense.io/
20% discount on all courses
NoStarch Press
https://nostarch.com/
42% discount with code: ULTIMATE42
Udemy (Hacking Training - online)
https://www.udemy.com
All courses $10.99
eLearnSecurity
https://www.elearnsecurity.com/
25% discount with code: BLK-019
PluralSight
https://www.pluralsight.com/offer/2019/bf-cm-40-off
40% discount
PentesterAcademy (Hacking Training/Platform - online)
http://www.pentesteracademy.com/thanksgiving
$39 down from $99, or $489 p/y down from $1188 p/y
PentesterLab (Hacking Training/Platform - online)
https://pentesterlab.com/pro/one_year
https://twitter.com/PentesterLab/status/1199792188609024000?s=20
26.74% discount
DroneSec (Drone Hacking Training - offline)
https://dronesec.com/collections/training
40% discount with code: BLACKFRIDAY19 in the email subject
Cybrary (Hacking Training/Platform - online)
https://www.cybrary.it/
66% discount
Packt Publishing
https://packtpub.com/
e-Books and videos $10 each or 3 for $25
O'Reilly Books
https://www.oreilly.com/online-learning/cybermonday-2019.html
50% discount with code: CM19CS
GNS3 Academy
https://gns3.teachable.com/
$7 for all courses with code: BLACKFRIDAY19
Pearson
http://www.pearsonitcertification.com/promotions/black-friday-2019-buy-2-save-55-142103
Buy 2 or more courses for a 55% discount with code: BF2019
SANS
https://www.sans.org/online-security-training/specials?msc=hpslider1
Apple hardware or $350 off any course
Hackers Academy
https://www.hackersacademy.com/bundles?bundle_id=special-offer
88% discount
Linux Academy
https://linuxacademy.com/pricing/individual/
$150 off
Practical DevSecOps
https://www.practical-devsecops.com/black-friday/
$400 OFF on the course bundle or $120-$180 OFF on each course.
Manning Publications
http://enews.manning.com/q/4qVD2DZvQIJ_yR-6w3SkoEx9ucisTjoscZlyhs8T0J5vCawQV4WfDDi9R
50% off any purchase over $50 with code: CYBERWEEK
Leetcode
https://www.leetcode.com/
$30 off annual subscription with code: THANKS2019
ISACA
https://isaca.org/info/cisa-certification-ready/index.html/
15% off CISA/CISM/CRISC training & cert with code: CYBERWEEK19CISA
Networkdefense.io
https://www.networkdefense.io/library/
20% off
Apress
https://www.apress.com/us/shop/cybermonday-sale?token=cyberweek19
$7 deals
PTrace Advanced Software Exploitation
https://www.psec-courses.com/courses/advanced-software-exploitation
20% off with code: BLACKFRIDAY2019
Linux Foundation training and certifications
https://training.linuxfoundation.org/cyber-monday-2020-sneak-peek/
40%-60% discounts starting on Monday on certification, training, and cert+training bundles
Services:
ProtonMail
https://protonmail.com/blog/black-friday-2019/
33-50% discount
NordVPN
https://nordvpn.com/offer/brand/
83% discount
The Hacker News
https://deals.thehackernews.com/
15% off with coupon: BFSAVE15
F-Secure FREEDOME VPN
https://campaigns.f-secure.com/blackweek/en_global/?ecid=10916
50% off with code: BLACKWEEK
1Password
https://1password.com/promo/black-friday/the-verge/?cjevent=8fec730612de11ea80ac00f80a1c0e14/
50% off via The Verge
Whizlabs
https://www.whizlabs.com/
50% off
Lowendbox
https://lowendbox.com/blog/happy-thanksgiving-from-lowendbox-black-friday-cyber-monday-offers-are-coming/
Variety of deals
Continuing Education
Kaplan
https://www.kaptest.com/study/gre/black-friday-and-cyber-monday-gre-deals/
Kaplan: $300 off GRE and similar
UNCONFIRMED / TBA (2018)
These were key deals last year, so keep an eye out and update if released.
Tindie (Hardware, Electronics, IoT)
https://www.tindie.com/browse/sale/
Multiple discounts
Pastebin
https://pastebin.com/pro?coupon=blackfriday
??% discount
Attify (IoT Exploitation Training/Hardware)
https://www.attify-store.com/
??% off with coupon code
itrainsec Financial Malware Analysis course (live online course, December 7-10)
https://www.itrainsec.com/financial-re
20% discount until Tuesday Dec 1 with code: BLCKFRDYFMA
How to edit formatting
At the end of a normal sentence, place a backslash for a newline (). Alternatively, with a link, you can double-space ( ).
Credits
If you'd like to DM me a deal rather than submitting a PR: @securitymeta_
Thanks to 0ldMate for referring me to @Infosec_Taylor, who has a fantastic twitter thread as well; I added some of those deals here! Also thanks to webyeti; I grabbed some deals from https://www.webyeti.ninja/blog/hackerblkfri - more non-infosec deals in there too. Shoutout for some discounts grabbed from Dutchosintguy and @gabsmashh. Thanks to those who have sent pull requests, and to @reV_sh_ on twitter, among others.
Thanks to those who credited and helped spread the word!
https://github.com/instadoodledavid/Infosec-Deals-2020
https://github.com/Securityinfos/Black-Friday-Deals
https://github.com/Dutchosintguy/Blackfriday-Deals-2020
1 hour ago, Nytro said:
A real story, from my own family. Relatives. I guarantee it's true.
Recently someone died, a relative. They were older and had some health problems, but had only occasional contact with a single person.
After they died, someone came (I don't know exactly from where, but I can find out) and offered the relatives 500 EUR to sign that the person had died of Covid-19. Only the relatives didn't want to. The tests were done and, as expected, the test came back negative. The thing is, I saw an interview on the news, taken on the street, in which someone mentioned something similar. I didn't believe it, but this story I know for certain.
Now I wonder, why? I think there are funds for this sort of thing and that there are also people who want to pocket money from them. Does anyone have an idea what the cause could be? "To pad the numbers" is not an argument. Someone must be benefiting from such actions, and in the end everything translates into money.
One possibility would be that the "offer" comes from someone at the morgue itself, in order to collect more money from the insurer.
Honestly, I don't know how things work in Romania, but here certain insurance companies have something like a fixed, economy price for "standard" funerals, whereas if it's a Covid case I imagine things change and the costs go up, e.g. protective materials used, cremation, etc.
Microsoft is offering hackers up to $100,000 if they can break the security of the company’s custom Linux OS. The software giant built a compact and custom version of Linux last year for its Azure Sphere OS, which is designed to run on specialized chips for its Internet of Things (IoT) platform. The OS is purpose-built for this platform, ensuring basic services and apps run isolated in a sandbox for security purposes.
Microsoft now wants hackers to test the security of the Azure Sphere OS, paying up to $100,000 if the Pluton security subsystem or Secure World sandbox is breached. The bug bounty program is part of a three-month research challenge that runs from June 1st until August 31st. “We will award up to $100,000 bounty for specific scenarios in the Azure Sphere Security Research Challenge during the program period,” explains Sylvie Liu, a security program manager at Microsoft’s Security Response Center.
MICROSOFT WANTS A GROUP OF SECURITY RESEARCHERS TO JOIN THE CHALLENGE
The challenge is focused on the Azure Sphere OS itself, and not the underlying cloud portion that’s already eligible for Azure bounty program awards. Microsoft is specifically looking for a group of security researchers to try and break its Linux OS security. Physical attacks are out of scope, but researchers can apply to be part of the challenge here.
Azure Sphere was announced at last year’s Build developer conference, and it’s still relatively new. Businesses like Starbucks are rolling out Azure Sphere to secure its store equipment, which feeds back data points on the type of beans, coffee temperature, and water quality for every shot of espresso.
Microsoft CEO Satya Nadella sees IoT devices as a key area for the company, describing its cloud business as the biggest hardware business at Microsoft earlier this year. Nadella is chasing the billions of IoT devices that analysts predict will be in use over the next decade. Azure Sphere is a key part of the mission to help secure and manage these devices, and part of Microsoft’s increased push to win a world beyond Windows that’s increasingly moving to cloud computing.
I found the idea interesting.
Software developers can accidentally leak sensitive information, particularly secret keys for third party services, across code hosting platforms such as GitHub, GitLab and BitBucket.
https://shhgit.darkport.co.uk/
28 Jan 20
Wawa Breach May Have Compromised More Than 30 Million Payment Cards
In late December 2019, fuel and convenience store chain Wawa Inc. said a nine-month-long breach of its payment card processing systems may have led to the theft of card data from customers who visited any of its 850 locations nationwide. Now, fraud experts say the first batch of card data stolen from Wawa customers is being sold at one of the underground’s most popular crime shops, which claims to have 30 million records to peddle from a new nationwide breach.
On the evening of Monday, Jan. 27, a popular fraud bazaar known as Joker’s Stash began selling card data from “a new huge nationwide breach” that purportedly includes more than 30 million card accounts issued by thousands of financial institutions across 40+ U.S. states.
The fraud bazaar Joker’s Stash on Monday began selling some 30 million stolen payment card accounts that experts say have been tied back to a breach at Wawa in 2019.
Two sources that work closely with financial institutions nationwide tell KrebsOnSecurity the new batch of cards that went on sale Monday evening — dubbed “BIGBADABOOM-III” by Joker’s Stash — map squarely back to cardholder purchases at Wawa.
On Dec. 19, 2019, Wawa sent a notice to customers saying the company had discovered card-stealing malware installed on in-store payment processing systems and fuel dispensers at potentially all Wawa locations.
Pennsylvania-based Wawa says it discovered the intrusion on Dec. 10 and contained the breach by Dec. 12, but that the malware was thought to have been installed more than nine months earlier, around March 4. The exposed information includes debit and credit card numbers, expiration dates, and cardholder names. Wawa said the breach did not expose personal identification numbers (PINs) or CVV records (the three-digit security code printed on the back of a payment card).
A spokesperson for Wawa confirmed that the company today became aware of reports of criminal attempts to sell some customer payment card information potentially involved in the data security incident announced by Wawa on December 19, 2019.
“We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information,” Wawa said in a statement released to KrebsOnSecurity. “We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data.”
“We continue to encourage our customers to remain vigilant in reviewing charges on their payment card statements and to promptly report any unauthorized use to the bank or financial institution that issued their payment card by calling the number on the back of the card,” the statement continues. “Under federal law and card company rules, customers who notify their payment card issuer in a timely manner of fraudulent charges will not be responsible for those charges. In the unlikely event any individual customer who has promptly notified their card issuer of fraudulent charges related to this incident is not reimbursed, Wawa will work with them to reimburse them for those charges.”
Gemini Advisory, a New York-based fraud intelligence company, said the biggest concentrations of stolen cards for sale in the BIGBADABOOM-III batch map back to Wawa customer card use in Florida and Pennsylvania, the two most populous states where Wawa operates. Wawa also has locations in Delaware, Maryland, Virginia and the District of Columbia.
According to Gemini, Joker’s Stash has so far released only a small portion of the claimed 30 million. However, this is not an uncommon practice: Releasing too many stolen cards for sale at once tends to have the effect of depressing the overall price of stolen cards across the underground market.
“Based on Gemini’s analysis, the initial set of bases linked to “BIGBADABOOM-III” consisted of nearly 100,000 records,” Gemini observed. “While the majority of those records were from US banks and were linked to US-based cardholders, some records also linked to cardholders from Latin America, Europe, and several Asian countries. Non-US-based cardholders likely fell victim to this breach when traveling to the United States and utilizing Wawa gas stations during the period of exposure.”
Gemini’s director of research Stas Alforov stressed that some of the 30 million cards advertised for sale as part of this BIGBADABOOM batch may in fact be sourced from breaches at other retailers, something Joker’s Stash has been known to do in previous large batches.
Gemini monitors multiple carding sites like Joker’s Stash. The company found the median price of U.S.-issued records in the new Joker’s Stash batch is currently $17, with some of the international records priced as high as $210 per card.
“Apart from banks with a nationwide presence, only financial institutions along the East Coast had significant exposure,” Gemini concluded.
Representatives from MasterCard did not respond to requests for comment. Visa declined to comment for this story, but pointed to a series of alerts it issued in November and December 2019 about cybercrime groups increasingly targeting fuel dispenser merchants.
A number of recent high-profile nationwide card breaches at main street merchants have been linked to large numbers of cards for sale at Joker’s Stash, including breaches at supermarket chain Hy-Vee, restaurant chains Sonic, Buca di Beppo, Krystal, Moe’s, McAlister’s Deli, and Schlotzsky’s, retailers like Bebe Stores, and hospitality brands such as Hilton Hotels.
Most card breaches at restaurants and other brick-and-mortar stores occur when cybercriminals manage to remotely install malicious software on the retailer’s card-processing systems. This type of point-of-sale malware is capable of copying data stored on a credit or debit card’s magnetic stripe when those cards are swiped at compromised payment terminals, and that data can then be used to create counterfeit copies of the cards.
The United States is the last of the G20 nations to make the shift to more secure chip-based cards, which are far more expensive and difficult for criminals to counterfeit. Unfortunately, many merchants have not yet shifted to using chip-based card readers and still swipe their customers’ cards.
According to stats released in November by Visa, more than 3.7 million merchant locations are now accepting chip cards. Visa says for merchants who have completed the chip upgrade, counterfeit fraud dollars dropped 81 percent in June 2019 compared to September 2015. This may help explain why card thieves increasingly are shifting their attention to compromising e-commerce merchants, a trend seen in virtually every country that has already made the switch to chip-based cards.
Many filling stations are upgrading their pumps to include more cyber and physical security — such as end-to-end encryption of card data, custom locks and security cameras. In addition, newer pumps can accommodate more secure chip-based payment cards that are already in use and in some cases mandated by other G20 nations.
But these upgrades are disruptive and expensive, and many fuel station owners are putting them off until it is absolutely necessary. Prior to late 2016, fuel station owners in the United States had until October 1, 2017 to install chip-capable readers at their pumps. Station owners that didn’t have chip-ready readers in place by then would have been on the hook to absorb 100 percent of the costs of fraud associated with transactions in which the customer presented a chip-based card yet was not asked or able to dip the chip.
Yet in December 2016, Visa — by far the largest credit card network in the United States — delayed the requirements, saying fuel station owners would be given until October 1, 2020 to meet the liability shift deadline.
Either way, Wawa could be facing steep fines for failing to protect customer card data traversing its internal payment card networks. In addition, at least one class action lawsuit has already been filed against the company.
Finally, it’s important to note that even if all 30 million of the cards that Joker’s Stash is selling as part of this batch do in fact map back to Wawa locations, it’s highly unlikely that more than a small percentage of these cards will actually be purchased and used by fraudsters. In the 2013 megabreach at Target Corp., for example, fraudsters stole roughly 40 million cards but only ended up selling between one to three million of those cards.
Top 25 RCE Bug Bounty Reports
The reports were disclosed through the HackerOne platform and were selected according to their upvotes, bounty, severity level, complexity, and uniqueness.
#1
Title: Potential pre-auth RCE on Twitter VPN
Company: Twitter
Bounty: $20,160
#2
Title: RCE on Steam Client via buffer overflow in Server Info
Company: Valve
Bounty: $18,000
#3
Title: Struct type confusion RCE
Company: Shopify
Bounty: $18,000
#4
Title: Malformed .BSP Access Violation in CS:GO can lead to Remote Code Execution
Company: Valve
Bounty: $12,500
#5
Title: Git flag injection — local file overwrite to remote code execution
Company: GitLab
Bounty: $12,000
#6
Title: Remote Code Execution on www.semrush.com/my_reports on Logo upload
Company: SEMrush
Bounty: $10,000
#7
Title: Panorama UI XSS leads to Remote Code Execution via Kick/Disconnect Message
Company: Valve
Bounty: $9,000
#8
Title: RCE using bash command injection on /system/images (toimitilat.lahitapiola.fi)
Company: LocalTapiola
Bounty: $6,800
#9
Title: Remote Code Execution at http://tw.corp.ubnt.com
Company: Ubiquiti Inc.
Bounty: $5,000
#10
Title: Adobe Flash Player Regular Expression UAF Remote Code Execution Vulnerability
Company: Flash (IBB)
Bounty: $5,000
#11
Title: RCE by command line argument injection to `gm convert` in `/edit/process?a=crop`
Company: Imgur
Bounty: $5,000
#12
Title: RCE and Complete Server Takeover of http://www.█████.starbucks.com.sg/
Company: Starbucks
Bounty: $4,000
#13
Title: [ RCE ] Through stopping the redirect in /admin/* the attacker able to bypass Authentication And Upload Malicious File
Company: Mail.ru
Bounty: $4,000
#14
Title: Blind SQLi leading to RCE, from Unauthenticated access to a test API Webservice
Company: Starbucks
Bounty: $4,000
#15
Title: Attention! Remote Code Execution at http://wpt.ec2.shopify.com/
Company: Shopify
Bounty: $3,000
#16
Title: Unchecked weapon id in WeaponList message parser on client leads to RCE
Company: Valve
Bounty: $3,000
#17
Title: Drupal 7 pre auth sql injection and remote code execution
Company: The Internet Bug Bounty Program
Bounty: $3,000
#18
Title: RCE via ssh:// URIs in multiple VCS
Company: The Internet Bug Bounty Program
Bounty: $3,000
#19
Title: Remote Code Execution on Git.imgur-dev.com
Company: Imgur
Bounty: $2,500
#20
Title: GMP Deserialization Type Confusion Vulnerability [MyBB <= 1.8.3 RCE Vulnerability]
Company: PHP (IBB)
Bounty: $1,500
#21
Title: Old WebKit HTML agent in Template Preview function has multiple known vulnerabilities leading to RCE
Company: Lob
Bounty: $1,500
#22
Title: Remote code execution using render :inline
Company: Ruby on Rails
Bounty: $1,500
#23
Title: RCE which may occur due to `ActiveSupport::MessageVerifier` or `ActiveSupport::MessageEncryptor` (especially Active storage)
Company: Ruby on Rails
Bounty: $1,500
#24
Title: Remote code execution on rubygems.org
Company: RubyGems
Bounty: $1,500
#25
Title: WordPress SOME bug in plupload.flash.swf leading to RCE
Company: Automattic
Bounty: $1,337
Bonus: 10 Zero Dollars RCE Reports
#1 Bonus
Title: Read files on application server, leads to RCE
Company: GitLab
Bounty: $0
#2 Bonus
Title: XXE in DoD website that may lead to RCE
Company: U.S. D.o.D.
Bounty: $0
#3 Bonus
Title: Remote Code Execution (RCE) in a DoD website
Company: U.S. D.o.D.
Bounty: $0
#4 Bonus
Title: Remote Unrestricted file Creation/Deletion and Possible RCE.
Company: Twitter
Bounty: $0
#5 Bonus
Title: RCE on via CVE-2017–10271
Company: U.S. D.o.D.
Bounty: $0
#6 Bonus
Title: Ability to access all user authentication tokens, leads to RCE
Company: GitLab
Bounty: $0
#7 Bonus
Title: Remote Code Execution via Extract App Plugin
Company: Nextcloud
Bounty: $0
#8 Bonus
Title: Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://███
Company: U.S. D.o.D.
Bounty: $0
#9 Bonus
Title: Remote Code Execution in Rocket.Chat Desktop
Company: Rocket.chat
Bounty: $0
#10 Bonus
Title: [npm-git-publish] RCE via insecure command formatting
Company: Node.js third-party modules
Bounty: $0
In my spare time, hackthebox.eu; I binge "IppSec" content worse than Netflix.
When hunting for security issues, the pursuit for uncharted assets and obscure endpoints often ends up taking the focus away from obvious, but still critical, functionality.
If you approach a target like you are the first person to ever perform a security assessment on it, and check everything thoroughly, I believe you are bound to find something new — especially if the code you are testing has been in continuous development for a while.
This is the story of a high-severity bug affecting what is probably one of PayPal’s most visited pages: the login form.
Initial discovery
While exploring PayPal’s main authentication flow, I noticed a javascript file containing what appeared to be a CSRF token and a session ID:
This immediately drew my attention, because providing any kind of session data inside a valid javascript file usually allows it to be retrieved by attackers.
In what is known as a cross-site script inclusion (XSSI) attack, a malicious web page can use an HTML <script> tag to import a script cross-origin, enabling it to gain access to any data contained within the file.
Sure enough, a quick test confirmed the XSSI vulnerability and, although a javascript obfuscator was used to randomize variable names on each request, the interesting tokens were still placed in fairly predictable locations, making it possible to retrieve them with just a bit of extra work.
However, a secret is only as good as the damage you can do with it. I immediately set out to find out what exactly _csrf and _sessionID were and if they could actually be used in a real attack.
Digging further
After countless attempts to replace regular CSRF tokens inside authenticated requests on PayPal’s platform with the value of _csrf, I came to the conclusion that a classic cross-site request forgery attack was not possible using this specific token. Similarly, a victim’s _sessionID was unfortunately not enough to impersonate them on PayPal’s site.
Next, I went back to the vulnerable script and followed the tokens to find what they were actually used for. This led to a deep dive into one of PayPal’s main protection mechanisms used to prevent brute force attacks, the security challenge. While this functionality is used in many places, I will be focusing on the main login form.
The idea is pretty simple: After a few failed login attempts, you are required to solve a reCAPTCHA challenge before you can try again. The implementation, however, may raise some eyebrows.
Upon detecting a possible brute-force attempt, the response to the next authentication attempt is a page containing nothing but a Google captcha. If the captcha is solved by the user, an HTTP POST request to /auth/validatecaptcha is initiated.
The familiar _csrf and _sessionID are present in the request body, as well as two other values, which we will get to a bit later.
The response to the captcha validation request is meant to re-introduce the user into the authentication flow. To this end, it contains a self-submitting form with all the data provided in the user’s latest login request, including their email and plain text password.
I realized that, with the correct timing and some user interaction, knowing all the tokens used in this request was enough to get the victim’s PayPal credentials. In a real-life attack scenario, the only user interaction needed would have been a single visit to an attacker-controlled web page.
So I went back and tried to figure out what the missing parameters were. This was easier than expected:
- The value of jse was not validated at all.
- recaptcha was the token provided by Google upon solving a reCAPTCHA challenge. It was not tied to a specific session, so any valid token, for example from an automated solving service, would be accepted.
Exploitation
Putting all this together, I created a proof of concept that demonstrated the whole process, except for integrating a captcha solving service.
First, the proof of concept would exploit the initial XSSI vulnerability to get a set of tokens which were valid in the victim’s session. It would then launch a few authentication requests with random credentials from the victim’s browser, simulating a brute force attempt, which would trigger the security challenge flow.
Once the victim logged in to PayPal using the same browser, the cached random credentials would be replaced by the user’s own email and password. The last step was obtaining a fresh reCAPTCHA token, after which the plain text credentials would be retrieved from the /auth/validatecaptcha endpoint and displayed on the page.
I later found that the same vulnerable process was also used on some unauthenticated checkout pages, allowing plain text credit card data to be leaked using the same technique.
Disclosure
The proof of concept, along with all relevant information, was submitted to PayPal’s bug bounty program on the 18th of November 2019, and was validated by HackerOne 18 days later.
Following a quick acknowledgement by the PayPal team and a few additional questions, I was awarded a $15,300 bounty on the 10th of December. The reward amount corresponds with the bug’s 8.0 (High) CVSS score, which is the same score that I had initially suggested when submitting the report.
A patch was applied around 24 hours later, meaning that the bug was fixed only five days after PayPal became aware of it — quite an impressive turnaround time.
Fix and prevention advice
The /auth/validatecaptcha endpoint now requires an additional CSRF token, which cannot be leaked using cross-site script inclusion.
While this properly fixes the vulnerability, I believe that the whole thing could have been prevented when designing the system by following one of the oldest and most important pieces of infosec advice: Never store passwords in plain text.
By the way, I am looking to do security assessments and bug bounty program management work. I have experience in security testing, vulnerability triage, as well as a background in software development. Does this sound of interest to you? You can get in touch via alex@ethicalhack.ro.
Source
https://medium.com/@alex.birsan/the-bug-that-exposed-your-paypal-password-539fc2896da9
- 1
- 1
- 8
-
14 hours ago, aismen said:
NordVPN is good because it isn't headquartered in America/Canada or other Nine Eyes countries and whatever other organizations with espionage treaties exist.
https://www.cnet.com/news/nordvpn-user-accounts-were-compromised-and-passwords-exposed-report-says/
I think these still work
Quote:
[The original post quoted about 30 leaked email:password pairs here; they are not reproduced.]
-
36 minutes ago, aismen said:
Plus it's in a country with a crap jurisdiction. It's fine for something quick, like getting onto a site where you're banned or something.
I haven't looked into where they're based; for what I use it for it doesn't really matter.
-
-
WindScribe is definitely one of the most popular VPN services among users worldwide (check the in-depth review -> Google Trends). The company is famous for its fully functional FREE version with 10 GB of data, dedicated servers for streaming, unlimited bandwidth and a unique technology called R.O.B.E.R.T. (“Remote Omnidirectional Badware Eliminating Robotic Tool”) which helps to block ads, trackers and malware. With strong AES-256 encryption, the company doesn’t have a huge pool of servers but spreads them over 55 countries and 100 cities.
Another innovative thing about WindScribe is the ability to build your own subscription plan, so the price can start from $1/month. Any additional location will cost you $1/month and adds 10 GB on top of your allowed monthly bandwidth. You can also select “unlimited bandwidth + R.O.B.E.R.T.” for an additional $1/month.
The company also runs promotions, special offers and deals from time to time so you can save some extra. A good time to find an exclusive WindScribe coupon or promo code is Black Friday, New Year, Halloween, etc. So don’t miss a chance to save big on a top rated VPN service.
"HOWTO"
WindScribe - build a custom plan with the "Build a Plan" option and save up to 90% off the original price
-
Two Romanian hackers, namely Bogdan Nicolescu and Rady Miclaus, will be spending 20 and 18 years respectively in prison for infecting 400,000 computers with cryptominers and stealing sensitive financial and credential data. The duo is said to have stolen millions of dollars from countless unsuspecting users.
Both the accused are members of the infamous Romanian hacking group called Bayrob. Nicolescu was the group leader whereas Miclaus served as the co-conspirator. The third accused, Tiberiu Danet, is also a member of the same group. In November 2018, Danet pleaded guilty to eight of the charges and will be sentenced on January 8, 2020.
According to the official press release, the duo was found guilty of 21 counts of money laundering, wire fraud, identity theft, and malware development for mining bitcoin and monero cryptocurrencies through utilizing host computers’ resources apart from other crimes.
“These sentences handed down today reflect the dynamic landscape in which international criminals utilize sophisticated cyber methods to take advantage of and defraud, unsuspecting victims anywhere in the world,” said FBI Special Agent in Charge Eric Smith. “Despite the complexity and global character of these investigations, this investigation and prosecution demonstrate the commitment by the FBI and our partners to aggressively pursue these individuals and bring justice to the victims.”
The Bayrob Group was founded in 2007 and operated actively until the apprehension and extradition of its key members, including the group leader Nicolescu, in 2016. This group operated from the outskirts of Bucharest and carried out different hacking and malware campaigns including spam emails loaded with dangerous Trojans sent as harmless messages from renowned firms and enterprises.
The emails mostly contained attachments hiding the Bayrob botnet, and were sent from the IRS, Norton, and Western Union. As soon as the user clicked on the attachment, the computer got infected with the malware, and all the installed malware protection tools got disabled while access to websites of law enforcement agencies was also blocked. The attackers copied the email contacts of the victim through the malware and sent the infected emails to them as well.
Through the botnet, the Romanian hacker group managed to steal $4 million. Moreover, the group also developed crypto miners to mine for Bitcoin and Monero and scan and transfer the victims’ crypto wallet ownership along with the funds. They also stole personal data from the infected computers including credit card information, login credentials, and usernames/passwords on different websites.
Furthermore, the malware enabled the system to register AOL accounts, which were used to send more malicious emails. The duo got 100,000 email accounts registered through this method and subsequently sent out tens of millions of infected emails.
They also replaced legitimate websites like eBay with fake replicas and when the victim accessed these websites, they were tricked into entering their credentials to the fake webpage instead of the authentic ones.
It did not end here; the group also used eBay for their nefarious objectives. The duo placed over 1,000 fake listings of motorbikes and automobiles on eBay and uploaded malware-infected images on these listings. Users who clicked on the images were redirected to fake eBay ordering pages where the victims were encouraged to pay for the items. A person was hired to play the role of fictional eBay Escrow Agent whose only job was to collect the money from the victim and transfer it to the hacker duo.
Source
https://www.hackread.com/20-years-prison-romanian-hackers-infected-computers/
- 1
- 1
-
The official Cayman Islands tourism website brags about the territory's stunning beaches, exotic wildlife and contemporary art museums. Yet, it's probably better known for the allegations of money laundering made against it by other governments, including that of the United States, which is what makes the claim that hackers published 2TB of the Cayman National bank's confidential data interesting.
A pseudonymous Twitter account called Distributed Denial of Secrets, a play on the distributed denial-of-service attacks that can bring down even the largest websites, said on Saturday that it was releasing "copies of the servers of Cayman National Bank and Trust." The account has also claimed to have released more information over the last few days and to have upgraded its servers to cope with traffic spikes.
Cayman National operates numerous branches in the Cayman Islands proper, Isle of Man and Dubai. Distributed Denial of Secrets claimed that it's "allegedly been used for money laundering by Russian oligarchs and others" as well, which is why it published the bank's confidential data. The goal appears to be giving people access to private information that could prove or disprove those allegations of wrongdoing.
Distributed Denial of Secrets said it didn't hack Cayman National itself. Instead, the data appears to have been stolen by someone called "Phineas Fisher," and its revelation was announced by HackBack alongside an explanation of Fisher's actions. A copy of the original statement can be found in the tweets discussing this leak and a report from Unicorn Riot; a translated version was also shared to Pastebin.
Cayman National doesn't appear to have acknowledged the alleged leak on its website or social media profiles. It does say on its website that it's requiring clients to share additional information "in connection with the regulations of the global financial industry," however, and that many of its services would be unavailable on November 17 because of "a major upgrade and maintenance programme."
The company also offered a helpful tip on its Facebook profile earlier today: "Refrain from accessing Online Banking through open and public access points, such as Internet cafes, public libraries, etc." That's a remarkably odd thing to share on Facebook while people on platforms like Twitter and Hacker News discuss a purported leak of terabytes' worth of private information.
Phineas Phisher - Hack Back - Bank
More info
https://unicornriot.ninja/2019/massive-hack-strikes-offshore-cayman-national-bank-and-trust/
Full archive and backups
- 1
-
-
Age: 2012
Balance: 45.00 €
Last payment: 2017
Price: 100 €
Country of approval: Spain
No activity for roughly 2 years.
It was generated with legal content in Spanish and English.
Payment preferred in crypto: ETH, BTC, XLM
-
Amazon has thousands of workers around the world who listen to and review private Alexa conversations with the goal of helping improve the speech assistant’s technology, according to Bloomberg.
The report said the Amazon team transcribes the recordings and shares the conversations with other parts of the company in order to make Alexa’s “understanding of human speech” better.
The team is spread across different regions, including Boston, India, and Romania, Bloomberg said, and some of the workers review up to 1,000 audio clips per shift.
Amazon has never publicly disclosed the role of this group or the fact that human interference is part of Alexa’s voice technology.
An Amazon spokesperson noted that employees don’t have direct access to information that can identify the people speaking or the account that the snippet came from. However, Bloomberg reported that recordings are associated with account numbers, device serial numbers and the owner’s first name.
The spokesperson said:
Quote:
“We take the security and privacy of our customers’ personal information seriously. We only annotate an extremely small sample of Alexa voice recordings in order to improve the customer experience. For example, this information helps us train our speech recognition and natural language understanding systems, so Alexa can better understand your requests, and ensure the service works well for everyone. We have strict technical and operational safeguards, and have a zero tolerance policy for the abuse of our system. Employees do not have direct access to information that can identify the person or account as part of this workflow. All information is treated with high confidentiality and we use multi-factor authentication to restrict access, service encryption, and audits of our control environment to protect it.”
-
I saw that you don't want py, but it seemed super simple and easy to use to me, in case you change your mind.
In Python I used selenium + pyvirtualdisplay (you can also emulate the resolution you want)
- 3
-
Have you tried http://www.nirsoft.net/utils/fastresolver.html ?
PowerShell script:
https://gallery.technet.microsoft.com/scriptcenter/Resolve-IP-Addresses-from-df4cbbe5#content
-
It worked perfectly, thanks.
-
The world’s most popular Free Web Hosting company 000Webhost has suffered a major data breach, exposing more than 13.5 Million of its customers' personal records.
The stolen data includes usernames, passwords in plain text, email addresses, IP addresses and last names of around 13.5 Million of 000Webhost's customers.
According to a recent report published by Forbes, the Free Hosting service provider 000Webhost was hacked in March 2015 by an anonymous hacker.
In a post on its official Facebook page, the hosting company has acknowledged the data breach and posted the following statement:
"We have witnessed a database breach on our main server. A hacker used an exploit in old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information."
The stolen data was obtained by Troy Hunt, an Australian security researcher, who received the data from an anonymous source and also confirmed the authenticity of the data.
"By now there's no remaining doubt that the breach is legitimate and that impacted users will have to know," Hunt wrote in a blog post published Wednesday. "I'd prefer that 000webhost be the ones to notify [its customer] though."
000Webhost Ignored Data Breach Warnings Continuously
The 000Webhost web hosting company was repeatedly warned early on by Troy Hunt and the Forbes journalist, but the company ultimately decided to ignore them.
What's even Worse?
The Web Hosting company did not even follow fundamental and standard security practices to ensure the security of its customers.
Data breaches are common these days. Just a few days back, we reported about a serious data breach at TalkTalk – the biggest phone and broadband provider in the UK that put the personal data of its 4 Million customers at risk.
But, What could a Security Breach lead to?
Severe damage to company's reputation
Loss of consumer trust
Thousands of dollars in penalties and fines
Incalculable cost of lost personal data
Temporary or Permanent Closure
Note: At the time of writing, 000webhost.com website is temporarily down.
What Should You Do Now?
For security reasons, the team at the free hosting service has changed all customers' passwords to random values and implemented encryption, without giving any direct notice to its affected customers.
That means, if you are one of those 13.5 Million 000webhost clients, then you need to follow the password reset process to generate a new password in order to access your account.
However, 000Webhost said: "We removed all illegally uploaded pages as soon as we became aware of the [data] breach. Next, we changed all the passwords and increased their encryption to avoid such mishaps in the future."
Storing customers' passwords in plain text, ignoring early warnings, and then implementing encryption to prevent further damage.
-
-
It was already posted by Nytro; check what you post, you fking wanker.
Typical loser vocabulary; do you think insulting me solves anything?
If you don't like it, report me.
🔰Pluralsight 1 Year Premium (Free)🔰
in Web Security
Posted · Edited by kandykidd
Ⓜ️ Pluralsight 1 Year Premium worth $199 for free!
Benefits: 500 Hours of Premium Watch time, Quality Educative Videos + Certification.
https://www.pluralsightone.org/product/education/code-org-redemption-3m
📍Video : https://www.youtube.com/watch?v=0p4a80YRh5w
Happy New Year 😍