Cybersecurity

Security researchers developed a new attack, which they named AutoSpill, to steal account credentials on Android during the autofill operation.

Windows laptop manufacturers will likely need to fix this one.

Hello /m/cybersecurity folks! Wanted to get a pulse check on those who use this particular community. I mod both here at Fedia as well as at infosec.pub for /cybersecurity. I run a few weekly threads (e.g. Mentorship Monday) at infosec.pub and have tried to run those same weekly threads here but they get barely any traction, whether that be because they are redundant with infosec.pub or because people here are just not that active yet. For those who main Kbin/Fedia, is there anything you’d like to see that I can help with (weekly threads, community engagement style posts, etc…)? For those who sub here and at infosec.pub, is there anything Kbin adds that you feel is worth pointing out?

Unless some folks come out in favor of keeping the weekly threads here at Fedia, I will stop them and focus on having those threads over at infosec.pub.

Cheers and happy threadiversing!

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

Weekly thread to discuss industry certifications, trainings and other courses/learning. Ask questions, share your experiences and help others!

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

A new login technique is becoming available in 2023: the passkey. The passkey promises to solve phishing and prevent password reuse. But lots of smart and security-oriented folks are confused about what exactly a passkey is. There’s a good reason for that. A passkey is in some sense one of two (or three) different things, depending on how it’s stored.

Threat actors are doubling down on brand impersonation by using lookalike domain names.

Passphrases are a great way to protect your online accounts and digital identity. But what is a passphrase?

Daniel Huigens, the head of Proton’s cryptography team, explains how the latest crypto refresh makes PGP more secure.

Fortinet patches a critical-severity vulnerability in FortiOS and FortiProxy that could lead to remote code execution.

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

Hey everyone! My name is Mike and I write about #infosec, #tech and other things at https://shellsharks.com. I'm currently running an event this week I refer to as >Shark Week (https://shellsharks.com/sharkweek), which is essentially just me posting some sort of "content" each day for the entire week, coinciding with actual shark week (https://www.discovery.com/shark-week) on Discovery.

Appreciate a follow, boost and/or feedback on the site/posts. Thanks so much! 🦈🦈🦈

Kicking off >Shark Week, I wanted to share everywhere I am these days. I'll admit I am most active on Mastodon but like to maintain some form of presence other places. So connect with me wherever or everywhere!

• Infosec.Exchange: https://infosec.exchange/@shellsharks
• Mastodon.Social: https://mastodon.social/@sass
• Infosec.Pub: https://infosec.pub/u/shellsharks
• Fedia.io: https://fedia.io/u/shellsharks
• Infosec.Town: https://infosec.town/@shellsharks
• Infosec.Place: https://infosec.place/shellsharks
• Threads: https://www.threads.net/@mk3s
• Bluesky: https://bsky.app/profile/shellsharks.com
• Matrix: @shellsharks:matrix.org
• Nostr: npub122gmsek4hrjyw08xj62d2qq04xvfqshvqlxs37w6nn67ea3kxrtsf2022j
• Spoutible: https://spoutible.com/shellsharks
• Post.news: https://post.news/@/shellsharks
• Discord: https://discord.gg/3rkHgtcYbb (as shellsharks)
• Spill: Not on here yet but if anyone has an invite let me know!

Thanks again!

(article linked from m/Android)

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

Anyone familiar/have experience with conducting a Crown Jewels Analysis (CJA)? MITRE’s SEG (“Systems Engineering Guide”) has a process for doing this (page 167) but there are certainly other methodologies. Am working on something like this so any anecdotes would be cool to hear about!

Hey Fedia-folk of /m/cybersecurity! Wanted to get a quick pulse-check and collect some thoughts from the community here regarding their usage both current and future. I'll

1. Would anyone like to see weekly threads created for things like #mentorshipmonday? If so, let me know what kind of weekly threads you all would find useful/interesting.
2. There are a few infosec/cyber-related communities that have popped up both here on Fedia and elsewhere (e.g. kbin.social, infosec.pub, etc...). Some are more niche, while others similarly general as this community. What is everyone's thoughts in terms of where they plan to spend their time? I want to be mindful of the fracturing and try to build something here that people find useful.
3. Do you think the "threadiverse" (kbin, Lemmy, etc...) is a viable alternative to Reddit for you? (Assuming you were on reddit originally).
4. If you have any other thoughts or suggestions for the community please share them here as well! Thanks!

Couldn't find a poll option so I guess people can just weigh in on their thoughts here. I've been a "CISSP-holder" since 2015/2016-ish and have always had the renewal fees paid for by my employer. My renewal date has come and unfortunately I don't think I'll be getting any employer assistance paying the fee this time around. Is it worth keeping? Some important things to know...

• I'm not in government work right now but it's not impossible that I would be sometime in the future.
• I have TONs of other certs so maybe CISSP is redundant?
• CISSP is lame right? =P
• Costs about $125/yr so a 4 year renewal is like $500 </gross>

"UGH! Whats the command to [insert function here]?"

Shortcuts, hot-keys, and power use is leveraged through knowing application commands. Sad thing is, if you aren't in the application all the time, it's easy to remember that it can be done, but tough to recall the keystrokes to accomplish it. FEAR NOT INFOSEC COMPATRIOTS! I got you.

Here is a curated list of cheat sheets for many popular tech in our cybersecurity space. I've been compiling them for a bit, but this seems like the group that would most benefit. Cheers!

I didnt create any of these cheatsheets, so much love and appreciation to the authors themselves. We all win.

Gerry's Cheatsheets Compilation

• OWASP Compilation of Cheat Sheets OWASP Compilation of Cheat Sheets

• Privilege-Escalation: This cheasheet is aimed at the CTF Players and Beginners to help them understand the fundamentals of Privilege Escalation with examples. Privilege-Escalation

• Malware analysis tools and resources. Malware analysis tools and resources

• Analyzing Malicious Documents Cheat Sheet Analyzing Malicious Documents Cheat Sheet

• ReverseEngineering Cheat Sheet ReverseEngineering Cheat Sheet

• SQL Injection | Various DBs SQL Injection | Various DBs

• Nmap Cheat Sheet and Pro Tips Nmap Cheat Sheet and Pro Tips

• PENTESTING LocalFileInclude Cheat Sheet PENTESTING LocalFileInclude Cheat Sheet

• Penetration Testing Tools Cheat Sheet Penetration Testing Tools Cheat Sheet

• Reverse Shell Cheat Sheet Reverse Shell Cheat Sheet

• nbtscan Cheat Sheet nbtscan Cheat Sheet

• Linux Commands Cheat Sheet Linux Commands Cheat Sheet

• Kali Linux Cheat Sheet Kali Linux Cheat Sheet

• Hacking Tools Cheat Sheet (Diff tools) Hacking Tools Cheat Sheet (Diff tools)

• Google Search Operators: The Complete List (42 Advanced Operators) Google Search Operators: The Complete List (42 Advanced Operators)

• (Multiple) (Good) Cheat Sheets - Imgur Imgur Cheat Sheets

• Active-Directory-Exploitation-Cheat-Sheet: A cheat sheet that contains common enumeration and attack methods for Windows Active Directory. Active-Directory-Exploitation-Cheat-Sheet

• Shodan Query Filters Shodan Query Filters

• Getting Real with XSS - A reference on the new techniques to XSS Getting Real with XSS

• SANS Massive List of Cheat Sheets Curated from here: SANS Cheat Sheets

General IT Security

• Windows and Linux Terminals & Command Lines Windows and Linux Terminals & Command Lines

• TCP/IP and tcpdump TCP/IP and tcpdump

• IPv6 Pocket Guide IPv6 Pocket Guide

• Powershell Cheat Sheet Powershell Cheat Sheet

• Writing Tips for IT Professionals Writing Tips for IT Professionals

• Tips for Creating and Managing New IT Products Tips for Creating and Managing New IT Products

• Tips for Getting the Right IT Job Tips for Getting the Right IT Job

• Tips for Creating a Strong Cybersecurity Assessment Report Tips for Creating a Strong Cybersecurity Assessment Report

• Critical Log Review Checklist for Security Incidents Critical Log Review Checklist for Security Incidents

• Security Architecture Cheat Sheet for Internet Applications Security Architecture Cheat Sheet for Internet Applications

• Tips for Troubleshooting Human Communications Tips for Troubleshooting Human Communications

• Security Incident Survey Cheat Sheet for Server Administrators Security Incident Survey Cheat Sheet for Server Administrators

• Network DDoS Incident Response Cheat Sheet Network DDoS Incident Response Cheat Sheet

• Information Security Assessment RFP Cheat Sheet Information Security Assessment RFP Cheat Sheet

Digital Forensics and Incident Response

• SIFT Workstation Cheat Sheet SIFT Workstation Cheat Sheet

• Plaso Filtering Cheat Sheet Plaso Filtering Cheat Sheet

• Tips for Reverse-Engineering Malicious Code Tips for Reverse-Engineering Malicious Code

• REMnux Usage Tips for Malware Analysis on Linux REMnux Usage Tips for Malware Analysis on Linux

• Analyzing Malicious Documents Analyzing Malicious Documents

• Malware Analysis and Reverse-Engineering Cheat Sheet Malware Analysis and Reverse-Engineering Cheat Sheet

• SQlite Pocket Reference Guide SQlite Pocket Reference Guide

• Eric Zimmerman's tools Cheat Sheet Eric Zimmerman's tools Cheat Sheet

• Rekall Memory Forensics Cheat Sheet Rekall Memory Forensics Cheat Sheet

• Linux Shell Survival Guide Linux Shell Survival Guide

• Windows to Unix Cheat Sheet Windows to Unix Cheat Sheet

• Memory Forensics Cheat Sheet Memory Forensics Cheat Sheet

• Hex and Regex Forensics Cheat Sheet Hex and Regex Forensics Cheat Sheet

• FOR518 Mac & iOS HFS+ Filesystem Reference Sheet FOR518 Mac & iOS HFS+ Filesystem Reference Sheet

The majority of DFIR Cheat Sheets can be found here.

Penetration Testing

• Windows Intrusion Discovery Cheat Sheet v3.0 Windows Intrusion Discovery Cheat Sheet v3.0

• Intrusion Discovery Cheat Sheet v2.0 (Linux) Intrusion Discovery Cheat Sheet v2.0 (Linux)

• Intrusion Discovery Cheat Sheet v2.0 (Windows 2000) Intrusion Discovery Cheat Sheet v2.0 (Windows 2000)

• Windows Command Line Windows Command Line

• Netcat Cheat Sheet Netcat Cheat Sheet

• Misc Tools Cheat Sheet Misc Tools Cheat Sheet

• Python 3 Essentials Python 3 Essentials

• Windows Command Line Cheat Sheet Windows Command Line Cheat Sheet

• SMB Access from Linux Cheat Sheet SMB Access from Linux Cheat Sheet

• Pivot Cheat Sheet Pivot Cheat Sheet

• Google Hacking and Defense Cheat Sheet Google Hacking and Defense Cheat Sheet

• Scapy Cheat Sheet Scapy Cheat Sheet

• Nmap Cheat Sheet Nmap Cheat Sheet

Cloud Security

• Multicloud Cheat Sheet Multicloud Cheat Sheet

All Around Defender Primers

• Linux CLI 101 Linux CLI 101

• Linux CLI Linux CLI

• PowerShell Primer PowerShell Primer

• PowerShell Get-WinEvent PowerShell Get-WinEvent

Some more context around adversaries registering actual “.zip” files as domains.

Hey infosec/cyber/tech folks of the fediverse! With reddit being a mess coupled with my interest in becoming more fedi-active/aware, I wanted to share out my site/blog where I post mostly about cyber and tech but also venture into other non cyber/tech stuff. Check it out and find me on Mastodon if you want to connect or chat! Some interesting stuff I'll highlight from my site is listed below...

• A guide for getting into information security
• A thorough list of named vulnerabilities
• A long list of mini-reviews about trainings I have taken
• A huge repo of infosec blogs I have collected over time (message me if you want to be added)
• A "bootcamp" on Vulnerability Management
• A comprehensive guide on the various threat modeling methodologies that I have encountered.

Thanks!