Playing With Web-apps, the Rough Way

Web-browsers with their addons are powerful tools to spot vulnerable web-applications.

I have good experience with both Chrome and Firefox, as both have a lot of developer tools and addons to use. Worth mentioning are Tamper Data, Tamper Chrome, Postman, Web Scraper, d3coder, Site Spider, User Agent Switcher, Cookie Editor and Wappalyzer, to mention some. Infosec has a nice review of a lot of cool addons (maybe somewhat outdated). Of course most of this can be scripted and done using command-line tools as well; however, it is more convenient to have it ready in your native browser on an everyday basis.

For interception I like Burp Suite and OWASP ZAP. The automated scan in ZAP actually works quite well for a selection of tests. Burp Suite's scanner does too, but it is not free.

For automated compliance checks, the OWASP dependency-check (GIT) can be used in Bash scripts or as plugins.

For vulnerability checks OpenVAS and NeXpose (both have free trials) are nice alternatives to the rather expensive Nessus.

If you like to practice and train your skills, do it offline or on your own web-apps(!).

Rent a Server for the Next Decade?

Yes, I wonder why it has taken so much time, but not really, for everyone to embrace the cloud.

Can you find any decent, up-to-date article online arguing that buying or building your own hardware, data center and software from the ground up is the best option for security? No (or enlighten me please!). And that is because there is no longer such a case, I argue. We have in history learned from each other, and moved forward to a global digital world, based on years of collaboration. Even hardware resources and the chemicals to make them are mined/shared/sold for everyone to get access globally. Why am I saying this, you may ask? Well, it is because we must not trust but verify what we need to do to make our data secure, and forget about whether trust can make that happen for us by outsourcing HW, SW, development and services to foreign countries' manufacturers, MSPs, cloud, or whatever. How do we do that? Well, we educate and build expertise to make that happen. And I don’t mean just reading papers. Doing, rather. Not just to make what we use secure, but to contribute with what we learn, experience, collaborate and argue to improve.

NCSC brings out a great analogy about the rental car and the owned “customized” car. Check it out here.

The social groups of AI

Looking into AI, there are vast aspects of how to build a thinking machine. Who’s working with this, and how they pursue their goal of making thinking machines, can be categorised into social groups, or tribes, according to Toby Walsh in his book Android Dreams.

The learners. Just as we humans learn, the computers must too. It can be supervised, semi-supervised and unsupervised. They can be divided into the following groups:

  • symbolists; logics, using inductive reasoning to determine the cause A of a result B
  • connectionists; neuroscience inspired, learning from continuous signals interconnected, e.g., Deep Learning
  • evolutionaries; finding the best computational model, e.g., inspired by “the survival of the fittest” theory
  • Bayesians; statistical approach, probability theory of the Bayes theorem
  • analogisers; other spaces, where observed problems can be used to solve others

The reasoners, such as the rules of thought, knowledge and uncertainty, orchestrated to fit a purpose.

The robotics, making computers create their perception of the real world, using cameras, microphones, and other data sources. In a way, combining reasoning and learning.

The linguists, making computers learn our language and how we communicate.

Common to all tribes is that they can be defined as both neats (mathematical precision) and scruffies (by chance, great chance).

FireEye (Mandiant) Flare and Commando VMs

Started playing with the freely available VMs from FireEye. They seem like nice Windows-based alternatives to Kali and Parrot OS for at least basic pentesting and forensics tools. Personally I like Kali for its sustainability in the market, frequent updates and tools arsenal. However, Parrot has grown on me with its sleek design.

Anyway, it seems FireEye got a lot from acquiring Mandiant a while ago. The Redline toolkit is quite nice, so it will be interesting to see how these two play out:

Commando VM is for penetration testing, see GitHub.

Flare VM is for malware analysis.