Discover and read the best of Twitter Threads about #infosec

Most recents (24)

#Durham Sussmann trial take away so far. The FBI either never fully investigated the Trump Server / Alfa Bank comms and/or it botched the investigation. @emptywheel has a nice write up & notes Durham uses an FBI witness who admits he's not a DNS expert. emptywheel.net/2022/05/20/the…
This part is just stunning 2 me. Durham's FBI expert, who admits he doesn't know the technicals of how DNS works, concludes there wasn't a hack (something secondary to the odd DNS traffic) & then calls the methodology "horrible" & concludes the analysis by the FBI is done? #OSINT
So from the #Durham trial testimony the FBI admits it spent less than a day looking at the suspicious DNS data that a number of outside experts have continued 2 suggest show computers from Trump / Alfa Bank / Spectrum may have been communicating around Trump's 2016 GOP nomination
Read 13 tweets
Now that 🇫🇮 is on the brink of sending an application to join #NATO, 🇷🇺 hybrid-warfare has picked up its pace. One crucial piece of that machine is the big network of "finnish" anti-vax/nato/whatever is required at the time websites and accounts, spewing nonsense to the public.
So how do we know about the 🇷🇺 involvement?
Simple, they do not hide their presence. Examples follow: koronarealistit dot net(com) is a professionally made website spewing covid nonsense, and traces back to 🇷🇺.
Another example: so called "Doctor clinic" Lääkärikeskus Aleksi 15, stationed in Helsinki that operates presumably under the company Clinic Estetic. They claim to offer medical services without covid restrictions of any kind. Website is hosted in #Russia. 1/2
Read 9 tweets
I'm getting messages from folks seeking favors for learning exploit development. I'm posting this thread for those who wanna explore the art of binary exploitation.

NB: There's no specific path, practice makes perfect 💯

#infosec #exploitdevelopment #ReverseEngineering

🧵🧵
pwn college is organized as a set of modules covering different topics. Each module has a set of lecture slides and videos and practice problems auto-generated for each aspiring hacker to practice on.

pwn.college
Nightmare is an intro to binary exploitation / reverse engineering course based around CTF challenges.

guyinatuxedo.github.io
Read 19 tweets
John Deere machines have a remote kill switch to deny control to American farmers. #infosec @doctorow link.medium.com/1nsJQIPERpb
While you're here, @Etsy has been suspending customer accounts for trying to buy an eBook a seller has, likely because the title contains the word "hack." My account is still suspended. Thread. 👇#Etsy
Read 3 tweets
Good morning my fellow #infosec and other curious individuals! Today is day TWO of my <semi> live tweeted Internal Penetration Test with Acme. Updates to follow. Here's the thread from yesterday:
First things first, gotta get the house situated so that I can be undistracted. Let's grab some breakfast, reestablish my tunnels and start taking a look at overnight scanning data.
Oh, and if anyone is interested, this is my base playlist:
music.youtube.com/playlist?list=…
BUT I click "Start Radio" so that it gets stuff like the playlist. :)
Read 23 tweets
Here's a #bugbountytip

(1/n)

Overview:
On a bug bounty program, I was able to access the internal dashboard of an e-commerce website and see what users have ordered along with their addresses and could also manipulate order status.

The dashboard was running on a custom port.
(2/n)

Approach:

1. The scope of the program was *.target.com.
2. Collected many subdomains using different tools, and then checked for alive subdomains using httpx.
3. Visited all collected subdomains manually, none of them seemed interesting. So I moved forward with testing.
(3/n)

4. So I looked for more ways to find assets related to any domain and came across a technique known as favicon hashing. I didn't know about this, so I searched for it on Google and read a few articles on it.

Resources

medium.com/@Asm0d3us/weap…

Read 8 tweets
#OSINT #OPSEC #Thread #INFOSEC #Gizmodo
A Thread
1. Gizmodo is a part of GoMedia- depicted is an excerpt about their targeted advertising & that they share w/ ad networks
#OSINT #OPSEC #Thread #INFOSEC #Gizmodo
2. @acfou PageXRay query shows fingerprinting, tracking from X countries, 512 ad server requests, 485 tracking requests, and 185 other requests. Sample query of some of the trackers indicates possible malicious activity from pivot queries
#OSINT #OPSEC #Thread #INFOSEC #Gizmodo
3. Sample Pivot to OTX Alien Vault of a tracker pulled from @acfou PageXRay depicted
Read 6 tweets
The Linux Privilege Escalation Cheatsheet... :)

Credits ~ @g0tmi1k

👇🏻🧵

#cybersecurity #infosec #linux #hacking #redteam
Operating System
What's the distribution type? What version?

cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release

What's the kernel version? Is it 64-bit?

cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-
What can be learnt from the environmental variables?

cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set

Is there a printer?

lpstat -a
Read 21 tweets
1/ CAN #DEFI SMART CONTRACTS EVER BE SAFE?

Is it possible to write bug-free software?

No spoilers, to get the answer you need to read this thread on Twitter *NOW*, before Muskalypse starts.

#infosec #ethereum

👇👇👇
2/ #DeFi keeps scoring higher and higher in the value of "hacks", counting losses in dozens of millions of dollars. This will make the users legitimately worried.
3/ But not just users as "heists" make great headlines that the press likes to tout, often missing the positive benefits, or "innovation" in blockchain and #defi industries.
Read 70 tweets
FREE LABS TO TEST YOUR PENTEST/CTF SKILLS :-)

Retweet this to let others know :)

#cybersecurity #infosec #pentesting
Academy Hackaflag BR - hackaflag.com.br
Attack-Defense - attackdefense.com
Alert to win - alf.nu/alert1
CTF Komodo Security - ctf.komodosec.com
CMD Challenge - cmdchallenge.com
Exploitation Education - exploit.education
Google CTF - lnkd.in/e46drbz8
HackTheBox - hackthebox.com
Hackthis - hackthis.co.uk
Hacksplaining - lnkd.in/eAB5CSTA
Hacker101 - ctf.hacker101.com
Hacker Security - lnkd.in/ex7R-C-e
Hacking-Lab - hacking-lab.com
Read 7 tweets
Here's a list of some high quality Bug Bounty Methodologies / checklists.

All for FREE.

🧵👇

#bugbounty #bugbountytips #infosec #cybersecurity
Recon :

For recon, I personally prefer this tutorial by @Jhaddix presented by @RedTeamVillage_

Such quality information out there. Do create your own notes post watching this.
Web App Checklist : alike-lantern-72d.notion.site/Web-Applicatio…

Kudos to @e11i0t_4lders0n for curating this gem for us.
Read 10 tweets
One man's EDR is another man's surveillance apparatus
🙃
🙃
Read 14 tweets
List of Hacking and Forensic Investigation Tools for IT Security Expert:

( Be a Hacker )

// Thread

#infosec #thesecureedge #cybersecurity #hacking #forensics #tech #thread #linux #bugbounty #DigitalTransformation
Read 14 tweets
I recently wrote a thread on my top used Bug Bounty Tools. You can find it here :



After publishing the above thread, I got lots of requests to write on my most used / favourite Burp Suite extensions.

So here's a thread on my most used Burp extensions.
1. Autorize

Autorize is straight up one of my most used and liked extensions. I personally use Autorize to automate testing for IDORs and it's very simple to use.



In the above video I've combined with our favourite @theXSSrat on using Autorize.
2. Param Miner

Anybody who's been into Bug Bounty for quite some time knows how important it is to identify parameters. Param Miner helps you do this with ease.

I personally use Param Miner to check for web cache poisoning vulnerabilities.
Read 7 tweets
▶️ Secure API Lifecycle

[A Thread 🧵] 👇

#cybersecurity #infosec #appsec #Pentesting
1/- Design

Strong API security starts at the design stage to ensure that full consideration of Authentication and authorization and Data privacy requirements, minimize attack surfaces and threat modeling activity ensures all attack surfaces are understood before implementation.
2/- Build

The construction of API back-ends is a critical factor in ensuring API security. For each of the respective frameworks (i.e., Spring Boot, ASP.NET Core, etc.), developers should consult the specific security recommendations.
Read 7 tweets
Here's a list of tools that I use on a daily basis for Bug Bounty Hunting :
1. Proxy

I use Burpsuite for this purpose.
One could also use ZAP Proxy
2. Subdomain Enumeration

I'm a big fan of amass.

One article that I would definitely recommend anybody who's using amass is this gem by @hakluke

hakluke.medium.com/haklukes-guide…
Read 11 tweets
Visualizing #cybersecurity concepts can be a great way to learn more about specific tools, methodologies, and techniques! Here is a thread that shows 6 useful infographics on threat intelligence and related topics!🧵👇#infosec #threatintel

1⃣ - Practical Threat Intel
2⃣ - Tactics, Techniques and Procedures is an important concept to understand when you are working on threat intelligence to understand the capabilities of threat actors! 🤓 #Infosec #ttp
3⃣ - Mitre ATT&CK Matrix has become one of the references to classify and categorize attackers' TTPs! ☠️ #cybersecurity
Read 8 tweets
FREE LABS TO TEST YOUR PENTEST/CTF SKILLS

Share with your network and friends.

#cybersecurity #bugbounty #hacking #infosec #bugbountytips #ctf #pentesting

🧵 1/n
· Academy Hackaflag BR - hackaflag.com.br
· Attack-Defense - attackdefense.com
· Alert to win - alf.nu/alert1
· CTF Komodo Security - ctf.komodosec.com
· CMD Challenge - cmdchallenge.com
· Exploitation Education - exploit.education
· Google CTF - capturetheflag.withgoogle.com
· HackTheBox - hackthebox.com
· Hackthis - hackthis.co.uk
· Hacksplaining - hacksplaining.com/lessons
· Hacker101 - ctf.hacker101.com
Read 8 tweets
🧵A Thread:
2+ years in bugbounty here are my stats:

->Total reports: 403

⟢Resolved: 59
⟢N/A: 81
⟢Duplicate: 82
⟢Informative: 165
⟢Triaged: 13
⟢New: 3

Approach: Manual testing, 0% recon!

Here is what i learnt 👇

#BugBounty #Infosec
1/n Initially, when starting, everyone makes mistakes; we grow up learning from others. So don't give up, keep learning and stay persistent
2/n Stay humble with triagers, but there are times when ur report is valid but might be mistaken due to unseen reasons. It happened to me many times, but I have to be persistent in the report and explain why I think it is valid or not a dup
Read 24 tweets
Infra/App monitoring Tools-thread 👇🏻

What is monitoring?

The purpose of IT monitoring is to determine how well your IT infrastructure and the underlying components perform in real time. The resolution gets quicker & smarter

#Linux #Monitoing #Security #infosec #ITJobs #Tools
Type of monitoring:

1. Availability monitoring: this is designed to provide users with information about uptime and the performance of whatever is being monitored.

2. Application performance management (APM): Using APM solutions, businesses can monitor whether their IT environment meets performance standards, identify bugs and potential issues, and provide flawless user experiences via close monitoring of IT resources.

3. Security monitoring: Security monitoring is designed to observe a network for breaches or
Read 7 tweets
The earliest recorded traces of symmetric encryption date to around 1500 BC, in Mesopotamia. 🥐

Today, we use symmetric encryption in our digital lives, often without knowing it. But how exactly does it work? 🧵
#dev #code #infosec
Symmetric encryption, even the most basic, is based on two tools: an encryption/decryption algorithm, and a key. 🔑

Let's take the example of a conversation between two people 👇
1️⃣ The participants in a conversation agree on a common encryption algorithm (often inherent to the system used to communicate).
Read 10 tweets
Some more information on the #Nginx #0day by @_Blue_hornet as shared via DM and published here with permission:
Update on the #Nginx 1.18 #0day:
Around 20 minutes ago @_Blue_hornet started a Github Repo around the exploit:
github.com/AgainstTheWest…

Some more hints on the Exploit:
- Related to #Spring4Shell
- Created by #BrazenEagle
- Related to ldap-auth daemon used together with #Nginx
Read 10 tweets
This week on my podcast, I read my @Medium column, "The Best Defense Against Rubber-Hose Cryptanalysis," about what the cypherpunks got wrong, what they got right, and what that says about claims that cryptocurrency will defend us from tyranny:

onezero.medium.com/rubber-hoses-f… 1/
If you'd like an unrolled version of this thread to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

pluralistic.net/2022/04/04/att… 2/
30 years ago, the cypherpunks - forerunners of the cryptocurrency movement - waged an epic battle to ensure that we could all access working cryptography. 3/
Read 54 tweets
Application Security is one of the top skills that every tech firm is aggressively looking for 🚀

If you are a person who wants to make a great career in AppSec, this thread is for you 👇

🧵

#applicationsecurity #infosec #cloudsec #azure #aws
Five ways you could teach yourself Application Security

1 / 5
Five ways you could teach yourself Application Security

2 / 5
Read 8 tweets
