Untitled attachment

Notices where this attachment appears

1. Embed this notice
   cR0w (cr0w@infosec.exchange)'s status on Friday, 12-Jan-2024 09:31:46 JST cR0w

   in reply to

   If your org uses a third-party solution for phishing training, it is likely that all of the testing emails contain a specific header. Mail filtering is generally configured to allow them to bypass rules and make it to all inboxes as intended. It is also often used to prevent rewriting the URLs in links if your org has a system that does so ( Proofpoint, Barracuda, etc. ).

   As an employee, if you don't want to bother with the regular phishing training, look at the message details and see if you can find the header used to bypass protections in your org. Some of the common ones are:
   X-Phishtest
   X-ThreatSim-Header
   X-ThreatSim-ID
   X-PhishMeTracking
   X-PhishMe

   Then in your mail client, set up a rule to take whatever action you wish. You can create an alert, move the message to a specific folder, or even execute a program or script if IT hasn't disabled that function.

   I fully support those of you of a chaotic persuasion to take the URLs from your org's phishing messages and fully enumerate the unique identifier section. Just brute force it and see if everyone gets assigned phishing training.

   It used to be that as an attacker, you could put all of those headers in and likely bypass filters due to the org setting a basic allow rule for one of them for phishing training. However, more orgs have finally either moved to third-party mail service that usually does a better job at filtering, or they are getting around properly configuring SPF, DKIM, and DMARC with strict rules that specify sending domains that are allowed with the header mentioned above. YMMV, of course.

   #phishing #infosec

2. Embed this notice
   Azeria (azeria@mastodon.social)'s status on Wednesday, 13-Sep-2023 09:26:14 JST Azeria

   Time for an Arm-twist! CVE-2023-4039

   Tom Hebb (Meta red team) and I discovered an 0day in GCC (for AArch64 targets) during my Arm exploitation training.

   It renders stack canaries against overflows of dynamically-sized variables useless.

   https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64

3. Embed this notice
   StreetFur (streetfur@pawb.fun)'s status on Thursday, 01-Jun-2023 02:31:56 JST StreetFur

   @thomasfuchs as someone who graduated in the late 00s and straight into mainframe work. It's interesting to explain, yeah it's super stable and has crazy transaction volumes it can sustain (the history of IMS is a bit bonkers). Buuuuuut it's a weird working market of older developers refusing to knowledge share and younger devs being locked out of the space by mockery and lack of teamwork and on the job training.

   It's going to get real weird when those older devs start expiring.