Adrian

@techspence What are you thoughts on PAWs? In my experience, literally all orgs draw the line there and use bastion hosts instead. Admins refuse to do office tasks in a VM or separate workstation.

I’ve always thought (wrongly) that tiered administration for Active Directory was widely known and accepted. It seems like it’s one of those things that many feel is “for big companies” and is more effort than it’s worth. But I disagree.. Maybe should do a podcast on this topic what do you think?

Thanks to all joining my talk @defcon. Find all the details about the research in our blog: blog.syss.com/posts/hacking-…

It's been quiet for a while around bloodhound Python, however I'm happy to share that I am now maintaining the project at my personal GitHub. The latest version fixes many bugs/issues, also thanks to the many PRs that were submitted (thanks all!). github.com/dirkjanm/blood…

Linux: Password-based remote auth is a big no-no, especially for root! Use public keys and sudo instead. Windows: Or we can just enable it by default. Let's call it SMB. Oh and the hash is also the password, because why not.

Just released #hashcathelper 1.0.0. This version is ready to visualize password re-use in multi-domain environments thanks to a feature suggestion by @n00py1. Now available on PyPI! github.com/SySS-Research/…

@_dirkjan @bookingcom Same for me. Was contacted via WhatsApp, but they had all details. Very convincing. This has been going on for years and booking claims it's an issue with the hotels. Yet I never had this issue with hotels[.]com. Made a one-time exception for booking - instantly almost scammed.

Hey @bookingcom , I'm getting scammed via your official message system on a real booking. Sounds like you're having some security troubles.

The craziest BloodHound art I've made yet (password sharing clusters)

@friggelei @cirosec Die wollen nur Leute, die kaputte TLS certs diagnostizieren können

@cirosec echt jetzt, die Subdomain nicht im SAN?

Wir suchen Dich als #Pentester (m/w/d) bei cirosec - Werde Teil unseres #CyberSecurity Expertenteams. 100% remote oder vor Ort in #Heilbronn

@two06 A bit dramatic, no?

Choose no life. Choose no career. Choose no family. Choose a fucking big mess with laptops, mobile devices, fully encrypted flash drives and tens of VMs. Choose no sleep, high caffeine and mental insurance. Choose no friends. Choose combats and matching trekking shoes. Choose chairs for your office in a range of fucking fabrics. Choose Burp, Kali, hipster scripting languages, toolkits, debuggers, and wondering why the fuck you‘re writing a report on a Sunday morning. Choose sitting in that swivel chair, looking at mind-numbing, spirit-crushing applications and infrastructures, stuffing fucking junk food into your mouth. Choose rotting away at the end of it all, pishing your last on some miserable cons, nothing more than an has-been technical resource to the non-sentient, fucked up AI DARPA spawned to replace the computer-literate.  Choose your future. Choose to pentest.

@Jean_Maes_1994 syss.de/fileadmin/user… @matthiasdeeg @iiiikarus

Has anyone ever pentested wireless keyboards? Seems to me like free keylogging lol

@florianaigner Isaac Asimov hat es am besten getroffen. The relativity of Wrong: en.wikipedia.org/wiki/The_Relat…

@florianaigner When people thought the world was flat, they were wrong. When people thought the earth was spherical, they were wrong. But if you think that thinking the earth is spherical is just as wrong as thinking the earth is flat, then your view is wronger than both of them put together

Ich schrieb gestern, die Erde sei eine Kugel. Und natürlich kam dann wieder: "Stimmt doch nicht! Wie kannst du nur! Die Erde ist ein Geoid, ein Rotationsellipsoid, kartoffelförmig!" Ein paar Zeilen dazu, weil ich das wirklich für ein problematisches Missverständnis halte: (🧵)

@ShitSecure Or just rerun bloodhound for each new set of creds

Do manual verifications for each credentials found. Back to the roots and steps needed before BH was released :P

Pentest/Red-Team tip: Never trust in BH-Information if you didn't enumerate them with an administrative user. Session infos are not complete, Local Group information may be missing. Low priv users cannot enumerate that anymore for updated systems. 🧐

Security researchers have disclosed vulnerabilities in AudioCodes desk phones and Zoom Zero Touch Provisioning (ZTP) to gain full remote access to devices #cybersecurity #audiocodes #zoom thehackernews.com/2023/08/zoom-z…

@Furan917 @BrownCoatFan @merill @lfredoreyes How do you implement 2FA with Microsoft's implementation of Kerberos?

@BrownCoatFan @merill @lfredoreyes Only if you don't use MFA. If you can implement MFA then that timed guideline is no longer relevant to PCI.

It's 2023 and your IT team is still forcing the entire company to change their passwords every few months 🤦 PS. I work at Microsoft, and we stopped doing this nearly four years ago. Send the link below to your IT team 👇

OK, I have no idea how long this series of tweets will be, but I've heard from several people associated or previously associated with NCC. While I've verified the association, bear in mind that a lot of this is from single sources. To start with, here's some backstory on the original round of layoffs in February: A North America-wide all-hands meeting was scheduled with only a few days notice, which was unusual. On that day, the British press were reporting that NCC was forecasting lower growth than expected and were going to lay off ~8% of its global workforce. The all-hands meeting confirmed layoffs would be coming. Managers would be notified that same day, and the layoffs would start at 12PM EST on the next day (a Friday). The layoffs were described by one source as a "bloody massacre". Employees were locked out of their computers before their manager had a chance to contact them and tell them the bad news. Several of these employees were onsite at customers in the middle of engagements. Several employees were locked out by mistake and only found out hours later that they were still employed. The actual number of employees laid off ended up being significantly higher than the 7-8% they were told in the all-hands meeting. One source estimated that between 10-15% of all North American employees were let go. Mismanagement was blamed by one source for the layoffs, as the North American side of the business was heavily dependent on work from big west coast tech firms and startups, which was a shift from a lot of east coast financial customers. When these big tech firms started their own layoffs, they reduced the number of services being bought from NCC, resulting in the February layoffs.

@peter4logo @florianaigner Weil es nicht mehr als das gibt.

@peter4logo @florianaigner Clauser ist auch nicht der erste Nobelpreisträger mit zweifelhaften Positionen. Ein weiterer Fall der Nobel-Krankheit. en.wikipedia.org/wiki/Nobel_dis…

@peter4logo @florianaigner Sämtliche Publikationen von Clausen beziehen sich auf Quantenphysik. Dadurch kann man weder auf das sachliche Argument eingehen, noch hat er irgendeine besondere Autorität auf dem Gebiet. Soll er sein Modell doch Peer Reviewen lassen. scholar.google.com/citations?hl=e…