🚧 Brute-Forcing One-Time Passwords 🚧

My last two threads discussed the probability of brute-forcing OTPs, how to do it effectively and how to defend against attacks.

Here is an overview of the topics covered:

1. Bernoulli Processes 🧮
https://infosec.exchange/@kpwn/110520985360492457

2. Increasing and Decreasing Probabilities 🤞
https://infosec.exchange/@kpwn/110561329301840527

Here's everything compiled into a blog post 📰
https://kpwn.de/2023/06/brute-forcing-one-time-passwords/

Do you find my content valuable?

🔔 Follow me for more web security content.

🔁 Also, boost this toot to spread the word!

#Infosec #CyberSecurity #BugBounty #Pentesting #Hacking #Passwords #OTP #Authentication

Ransomware, but they install an unlicensed copy of Oracle somewhere in your organization and threaten to tell Oracle about it if you don’t pay up.

AI is a lot like fossil fuel industry. Seizing and burning something (in this case, the internet, and more broadly, written-down human knowledge) that was built up over a long time much faster than it could ever be replenished.

It is confirmed that Reddit is forcing subreddits to open again. This is according to /r/antiwork moderators.

#reddit #blackout #redditmigration

"Reddit represents one of the largest data sets of just human beings talking about interesting things," Huffman said. "We are not in the business of giving that away for free."

You and me, we're just data sets. Years of interaction with fellow human beings, building community, sharing insight and creativity…it’s all just data. Data to be mined and monetized.

Huffman's not mad Reddit was scraped for a chatbot. He's mad he wasn't paid for the privilege. It's his data, you see. His. Not yours.

Search engines are useless. Windows is packaging Internet features few asked for. The major public sites are sealed tight to avoid third party tools.

Web 1.0 is back, baby!

No random open source application, I do not want to join your Discord channel for support.

There's this really cool technology called hypertext markup language, and if you use it for your documentation another piece of amazing technology called a search engine can help me find the answer I'm looking for

And the real magic is you only have to answer it once and the answer helps anyone. You don't have to answer the same question every day. This frees you up for more fun development

autoexec.bat (credit: Adam Koford)

US DOJ unseals a 2019 indictment charging two Russians with stealing ~647K BTC in a Mt. Gox hack; one of them is also charged with conspiring to operate BTC-e (Nikhilesh De/CoinDesk)

https://www.coindesk.com/policy/2023/06/09/mt-goxs-hackers-are-2-russian-nationals-us-doj-alleges-in-indictment/
http://www.techmeme.com/230609/p14#a230609p14

Well, I inadvertently discovered a zero-day RCE in acme.sh and got a Chinese CA to shut down overnight: https://github.com/acmesh-official/acme.sh/issues/4659

hey could the criminals who somehow converted an application logic bug in a spam filter to “you have to throw the hardware in a shredder to be sure” please publish their own blog post about this https://www.rapid7.com/blog/post/2023/06/08/etr-cve-2023-2868-total-compromise-of-physical-barracuda-esg-appliances/

From a live tweet of the proceedings around the lawyer caught using ChatGPT:

"I thought ChatGPT was a search engine".

It is NOT a search engine. Nor, by the way are the version of it included in Bing or Google's Bard.

Language model-driven chatbots are not suitable for information access.

>>

A little cheeky of PrinterLogic to warn against PrintNightmare vulnerabilities after this savage thrashing on full-disclosure: https://seclists.org/fulldisclosure/2023/May/16

Shodan is only showing ~15 on the internet at least: https://www.shodan.io/search?query=title%3Aprinterlogic

The @runZeroInc query is similar: https://console.runzero.com/inventory/services?search=_asset.protocol%3Ahttp%20protocol%3Ahttp%20%28html.title%3A%3D%22Printer%20Logic%22%20OR%20favicon.ico.image.md5%3A%3Dab2fc8886bfbf3e986f8015539d29736%29

hat tip to @campuscodi for flagging at https://riskybiznews.substack.com/p/risky-biz-news-iranian-hacktivists (and @riskydotbiz for the mention)

At-Bay’s Cyber Research Team has confirmed that AvosLocker is using several vulnerabilities in Veritas's Backup Exec, a popular data backup and recovery software, as a means to launch ransomware attacks.

It marks the second RaaS syndicate to use the vulns to launch ransomware attacks, as ALPHV/BlackCat also has been observed using the flaw as an initial access point

https://www.at-bay.com/articles/avoslocker-adds-veritas-vulnerabilities-to-access-arsenal/

We want your Chrome full chain exploits https://security.googleblog.com/2023/06/announcing-chrome-browser-full-chain.html?m=1

So I caught the recruiting tram again and made more photos for all you dorks 😄

(This is a tram that runs in Budapest that has clear paneling so you can see the inner workings. They use it to recruit engineers and mechanics for public transport.)

#Budapest #trams #tramstodon #PublicTransport

When children are first taught to read/write in your country (or state), what writing style do they use considering both text they write and text they read?

Boosts for reach are appreciated!

Remember the #Gitlab 16.0 vulnerability and the message to patch it asap ?
Well: https://securityonline.info/poc-exploit-released-for-gitlab-cve-2023-2825-vulnerability/
The PoC is here: https://github.com/Occamsec/CVE-2023-2825

Got a new shirt

New: NSO Group is under new ownership after lenders forced a change of control with plans to keep its controversial spyware business going. Lenders have been working with Omri Lavie, a co-founder of NSO, after foreclosing on the parent company. https://www.wsj.com/articles/israeli-cyber-company-nso-group-has-new-ownership-after-u-s-blacklist-a2cda00a