Cybersecurity

Hack?!

I played CTF challenges for around a year to realize I am not as talented in finding flaws. It requires a lot of knowledge in multiple fields and a completely different mindset to approach problems, but it's fun.

Sites

• OWASP — Open Web Application Security Project
• Have I Been Pwned? — Check breached accounts/emails/passwords
• OverTheWire Wargames
  • Bandit (beginners), Natas (web), etc.
  • Bandit Overview | MayADevBe — tutorial
  • Natas Writeup | CertCube Labs — tutorial
• List of file signatures | Wikipedia

Links

Guides/tutorials/opinions

• Is Cybersecurity an Unsolvable Problem?
  • A chat with philosopher Scott Shapiro about his book: Fancy Bear Goes Phishing
  • One interesting idea is perfect cybersecurity might not be possible because of the duality of symbols. The same set of symbols (bits) is used to represent both instructions and data, which makes general computing devices possible, yet it also makes hacking possible
• Short session expiration does not help security (HN)
  • It could not prevent problems caused by XSS, leaked logs, shared computers, etc.
  • Requiring frequent re-authentication has risks as well
  • Facebook, Google, Amazon and GitHub have sessions that last forever as well
• When MFA isn't actually MFA | Retool (HN)
  • Google's update to backup MFA secrets to cloud means MFA becomes a single-factor-authentication
  • Getting access to the Google account once is enough to control all OTPs stored in Google Authenticator
• Stop deploying web application firewalls
  • WAFs are slow, ineffective, unsafe and noisy
  • Instead, isolate application, immutable system, static analysis in CI, and capability-based security
• Security at Startup
  • Different levels of security configuration for different phases of startup

Write-ups

• Capturing the flag with GPT-4 (HN)
  • Three challenges: Sharmir's secret sharing scheme, writing Perl script to decode Perl storable files and a series of shell hurdles (Linux command line tricks)
• Cold boot ram theft
  • Rip data out of RAM chips by freeing the chip
  • Decryption keys, bootloader code, data, stack and heap are all in the physical memory
  • Physical memory encryption, like Xbox and PS5 game consoles, can counter it, but most CPUs on the planet don't do that
• How early PayPal was nearly devastated by a security upgrade | Max Levchin
  • Max Levchin, one of the co-founders of PayPal, implemented a Shamir Secret Sharing protocol to replace a passphrase
  • During the migration, something went wrong that almost locked the whole DB
  • Turns out there is an incompatibility between Linux and Solaris. "Shoulda RTFM".
• Any sufficiently advanced uninstaller is indistinguishable from malware (HN)
  • An uninstaller that self-deleting with code injection is indistinguishable from malware
  • There is a js file example of how to delete itself and other files, leave no race, without code injection
• A strange sign of times
  • The story of Troy Hunt, the guy behind Have I Been Pwned
  • The story of the site, the threats and stress, and the problem of relying on 1 guy to guard the web
• How it works: The novel HTTP/2 'Rapid Reset' DDoS Attack
  • Google mitigated the largest DDoS attack to date, peaking above 398 million rps
  • Enabled by HTTP/2 stream multiplexing, where a request/connection can open multiple streams, increasing throughput
  • What attacker did is opening streams + rapidly resetting streams, a connection can then have infinite amount of requests, as cancelling previous requests means it never exceeds the max concurrent connection but always keep the connection open
• Audio fingerprinting
  • Each browser generate a unique audio fingerprint with the web audio API
  • The value is stable across session and remains the same in incognito mode
  • Bypass safari 17 audio fingerprinting protection
    • Sampling to denoise the noise added by safari
• xz-utils
  • backdoor in upstream xz/liblzma leading to ssh server compromise
  • FAQ on the xz-utils backdoor (CVE-2024-3094)
• VSCode extensions are insecure
  • How we hacked multi-billion dollar companies in 30 minutes using a fake VSCode extension
• A Vigilante Hacker Took Down North Korea's Internet | Wired
  • I'm the hacker that brought down North Korea's Internet for over a week. AMA | Reddit r/IAma
  • Finding out two gateway routers of North Korea's internet, exhaust its bandwidth
• Hacking Misconfigured S3 Buckets
  • Finding buckets, testing permissions, missing file type restrictions may lead to XSS
• Using YouTube to steal your files (HN)
  • Using embedded YouTube links, multiple redirects and clickjacking
• YouTube: Exposing the Threat in Our Phone System | Veritasium
  • Tracking location, intercepting calls and messages through vulnerabilities in SS7, a protocol use in 2G and 3G
• Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platform (HN)
  • Send unique attachment or emojis that will be auto-downloaded in push notifications
  • Traverse cloudflare CDN servers to see where it's cached to geolocate the target approximately
• A Brief History of Code Signing at Mozilla
  • How Mozilla Firefox release files are signed over 20 years
  • From a remote machine with the signature in a USB to Autograph (Mozilla's digital signature service)
• Leaking the email of any YouTube user (HN)
  • Cool write-up of a bug where you can get the email of any YouTube user
  • YouTube leak a Google account identifier, an old Google service API takes ID as input and return the email of the ID