Marcin Szary

202 posts

Marcin Szary

@mszary

people and technology enthusiast

Krakow, Poland Katılım Haziran 2009

145 Takip Edilen101 Takipçiler

Marcin Szary@mszary·3 Oca

This is so good on so many levels youtube.com/watch?v=Xrlrbf… #security #ReverseEngineering

YouTube

English

Marcin Szary@mszary·3 Kas

@SwiftOnSecurity While FIDO2 would do the job by preventing the attack during the authentication phase, we still need a standardized method to bind the already established sessions to the device that originated them

English

340

SwiftOnSecurity@SwiftOnSecurity·3 Kas

The purpose of SMS/Push/# matching MFA was to put you past most victims and thus most toolsets. There was a point you were basically immune with legacy protocols turned off in Exchange. Now that stronger methods are normalized, attackers are targeting their weaknesses. Not done.

John Hammond@_JohnHammond

Session hijacking a Microsoft 365 account! Stealing their credentials and bypassing MFA prompt with Evilginx: a reverse-proxy phishing framework! We stage a phishing domain and email pretense, and gain full access to the victim account! youtu.be/sZ22YulJwao

English

436

128.1K

Marcin Szary@mszary·26 Eki

@KacperSzurek Było nawet takie pojęcie jak „reklamacja” tasm (dziwna kalka językowa od reclaim), gdzie przepisywało się fragmenty taśm na inne, kiedy dane w połowie taśmy expirowaly :) moje czasy LTO3 :)

Polski

1.4K

Kacper Szurek@KacperSzurek·26 Eki

To specjalna taśma. Używa się jej do tworzenia kopii zapasowej. W swoim komputerze pewno używasz dysku SSD ale duże korporacje, które mają terabajty danych do przechowania, korzystają właśnie z takich, wydawałoby się archaicznych metod. Dlaczego? Jedna taśma LTO 9 może pomieścić aż 18 TB danych. A kosztuje nieco ponad 500 złotych. Zwykłe dyski HDD o tej samej pojemności są kilka razy droższe. Skoro więc to takie świetne rozwiązanie to dlaczego raczej o nim nie słyszałeś/aś? Bo o ile sama taśma jest tania, to napęd już niekoniecznie. Nagrywarka to koszt rzędu 20 000 PLN. A Ty jak dbasz o swój backup?

Polski

179

33.7K

Marcin Szary@mszary·24 Eki

@ljachowicz @Zaufana3Strona @mrgretzky Chyba już fixniete, dzięki za czujność :) 👍

Polski

Lukasz Jachowicz@ljachowicz·23 Eki

@Zaufana3Strona @mrgretzky @mszary Invitka w tekście prowadzi do zakończonego wydarzenia. Czuwaj! ;-)

Polski

124

ZaufanaTrzeciaStrona @zaufanatrzeciastrona@infosec@Zaufana3Strona·23 Eki

Nie wszystkie metody 2FA są sobie równe – zobacz, jak można je atakować zaufanatrzeciastrona.pl/post/nie-wszys… Porozmawiam o tym z twórcą Evilginxa, @mrgretzky i @mszary, CTO Secfense. Zapraszam! /Adam

ZaufanaTrzeciaStrona @zaufanatrzeciastrona@infosec tweet media

Polski

5.3K

Marcin Szary@mszary·24 Eki

@adastroworld Seems like it, indeed. 1password’s staff member did the same thing apparently: blog.1password.com/files/okta-inc…

English

Matthew Prince 🌥@eastdakota·21 Eki

Okta compromised… again. Here’s how @Cloudflare, even though we were (again) targeted, was able to mitigate the attack. And some best security practice suggestions for @okta and their customers. blog.cloudflare.com/how-cloudflare…

English

253

1.1K

686.5K

Marcin Szary@mszary·26 Eyl

Mastery as its finest

Kuba Gretzky@mrgretzky

🎬Phishing LinkedIn and bypassing MFA demo created for the upcoming Evilginx Pro post 🔥 💡Evilginx uses a background browser to capture the secret token from legitimate website and inject it back into the reverse proxy phishing session. P.S. Enjoy that Cyberpunk tune I made 🎵

English

333

Marcin Szary@mszary·21 Ağu

@mrgretzky @x33fcon Well done, Mr Evilginx, well done 👏

English

188

Kuba Gretzky@mrgretzky·21 Ağu

Finally my talk from @x33fcon is online! 🔥 I try my best to explain what websites could do to protect the users against reverse proxy phishing attacks like Evilginx.🪝🐟 There is also a bonus live demo at the end with some Evilginx Pro secret sauce! 💡 youtube.com/watch?v=C-Fh4s…

YouTube

English

218

22.7K

Marcin Szary@mszary·3 Tem

@mrgretzky Sneaky :) love it

English

383

Kuba Gretzky@mrgretzky·3 Tem

🫣 SNEAK PEEK👀 Evil QR in action, demonstrating how attackers could use sign-in QR codes to execute phishing attacks. 🪝🐟 Blog post with open-sourced toolkit coming soon! 🔥 (sometime this week)

GIF

English

122

501

67.6K

Marcin Szary retweetledi

Kuba Gretzky@mrgretzky·26 Nis

BREAKING: Announcing Evilginx Mastery course price & release date! 🗓️Date: May 10th 2023 💳Price: 399 EUR (359 EUR with -10% release discount) 📝Sign up here: academy.breakdev.org/evilginx-maste… ⭐️Evilginx 3.0 & online documentation will also be released on the same day!

English

268

71.2K

Marcin Szary@mszary·14 Oca

@rafrasenberg IDDQD

Svenska

Raf Rasenberg@rafrasenberg·12 Oca

Name a more famous combo than Ctrl C + Ctrl V

English

1.9K

389

4.6K

950.9K

Marcin Szary@mszary·4 Kas

@ruchowdh Twitter does identity management by changing passwords, really?

English

ruchowdh.bsky.social@ruchowdh·4 Kas

Has it already started? Happy layoff eve!

English

916

3.8K

73.5K

Marcin Szary@mszary·23 Ara

@FEITIAN_Tech where could I find your CA certificates to be used for #U2F keys attestation?

English

Marcin Szary@mszary·5 Eki

Phrack is back :) phrack.org/issues/70/1.ht… #cybersecurty #Hacking

English

Marcin Szary@mszary·29 Eyl

@Probly_Kidding @thomasjsn @iamdevloper Search no more ;) twitter.com/leinweber/stat…

will leinweber@leinweber

I made a VGP (very good program) that makes it so it looks like I’m typing on slack whenever anyone else is typing, and stops when they stop. Everyone loves it so far and doesn’t find it annoying at all! github.com/will/slacktypi…

English

Area Man@Probly_Kidding·23 Eyl

@thomasjsn @iamdevloper I've been thinking about writing a script that just hits spacebar and backspace continuously so it's constantly saying "XXX is typing"

English

I Am Devloper@iamdevloper·23 Eyl

I'm trying to be more passive-aggressive on Slack Does anyone have any tips? I'm collating them...

English

138

918

Marcin Szary retweetledi

Bill Marczak@billmarczak·18 Tem

THREAD with a couple of interesting bits from @AmnestyTech's new report on what they learned from looking for NSO Group's spyware on phones amnesty.org/en/latest/rese…

English

843

1.5K

Marcin Szary@mszary·24 Haz

@niebezpiecznik Jakby nie bylo, Bank of America wspoltworzyl FIDO prawie od poczatku :)

Polski

Niebezpiecznik@niebezpiecznik·24 Haz

Trochę wstyd, że Bank of America jest przed naszymi bankami jeśli chodzi o wsparcie dla kluczy U2F do logowania...

Polski

122

Marcin Szary@mszary·17 May

#FIDO is amazing, it just wasn't designed to replace CAPTCHA ;) That Cloudflare's experiment seems to be doomed (blog.cloudflare.com/introducing-cr…) #u2f #fido2 #yubico

Adam Langley@agl__

(Just grounding out the cap sensor on a security key is enough to trigger a "touch". No drinking birds required.)

English

Marcin Szary retweetledi

Mark Ermolov@_markel___·20 Mar

Wow, we (+@h0t_max and @_Dmit) have found two undocumented x86 instructions in Intel CPUs which completely control microarchitectural state (yes, they can modify microcode)

English

104

1.8K

Marcin Szary@mszary·5 Şub

Ooops ;)

OverSoft@OverSoftNL

Infosec fail thread: So, in the last couple of weeks I've been looking into a product we were thinking of offering to our customers. This time, we were looking into the FootfallCam 3D plus. A counter system to measure how many people are in a building. 1/n

Keşfet

@SwiftOnSecurity @KacperSzurek @ljachowicz @Zaufana3Strona @mrgretzky @adastroworld @Cloudflare @okta