1
2

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

2
50
submitted 4 days ago* (last edited 4 days ago) by evenwicht to c/cybersecurity@infosec.pub

cross-posted from: https://lemmy.sdf.org/post/24645301

They emailed me a PDF. It opened fine with evince and looked like a simple doc at first. Then I clicked on a field in the form. Strangely, instead of simply populating the field with my text, a PDF note window popped up so my text entry went into a PDF note, which many viewers present as a sticky note icon.

If I were to fax this PDF, the PDF comments would just get lost. So to fill out the form I fed it to LaTeX and used the overpic pkg to write text wherever I choose. LaTeX rejected the file.. could not handle this PDF. Then I used the file command to see what I am dealing with:

$ file signature_page.pdf
signature_page.pdf: Java serialization data, version 5

WTF is that? I know PDF supports JavaScript (shitty indeed). Is that what this is? “Java” is not JavaScript, so I’m baffled. Why is java in a PDF? (edit: explainer on java serialization, and some analysis)

My workaround was to use evince to print the PDF to PDF (using a PDF-building printer driver or whatever evince uses), then feed that into LaTeX. That worked.

My question is, how common is this? Is it going to become a mechanism to embed a tracking pixel like corporate assholes do with HTML email?

I probably need to change my habits. I know PDF docs can serve as carriers of copious malware anyway. Some people go to the extreme of creating a one-time use virtual machine with PDF viewer which then prints a PDF to a PDF before destroying the VM which is assumed to be compromised.

My temptation is to take a less tedious approach. E.g. something like:

$ firejail --net=none evince untrusted.pdf

I should be able to improve on that by doing something non-interactive. My first guess:

$ firejail --net=none gs -sDEVICE=pdfwrite -q -dFIXEDMEDIA -dSCALE=1 -o is_this_output_safe.pdf -- /usr/share/ghostscript/*/lib/viewpbm.ps untrusted_input.pdf

output:

Error: /invalidfileaccess in --file--
Operand stack:
   (untrusted_input.pdf)   (r)
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   1990   1   3   %oparray_pop   1989   1   3   %oparray_pop   1977   1   3   %oparray_pop   1833   1   3   %oparray_pop   --nostringval--   %errorexec_pop   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   %array_continue   --nostringval--
Dictionary stack:
   --dict:769/1123(ro)(G)--   --dict:0/20(G)--   --dict:87/200(L)--   --dict:0/20(L)--
Current allocation mode is local
Last OS error: Permission denied
Current file position is 10479
GPL Ghostscript 10.00.0: Unrecoverable error, exit code 1

What’s my problem? Better ideas? I would love it if attempts to reach the cloud could be trapped and recorded to a log file in the course of neutering the PDF.

(note: I also wonder what happens when Firefox opens this PDF considering Mozilla is happy to blindly execute whatever code it receives no matter the context.)

3
5

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

4
7
Off-Topic Friday (infosec.pub)

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

5
5

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

6
3
Off-Topic Friday (infosec.pub)

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

7
8

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

8
11
Off-Topic Friday (infosec.pub)

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

9
7

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

10
4
Off-Topic Friday (infosec.pub)

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

11
1

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

12
16
submitted 1 month ago* (last edited 1 month ago) by evenwicht to c/cybersecurity@infosec.pub

This is what my fetchmail log looks like today (UIDs and domains obfuscated):

fetchmail: starting fetchmail 6.4.37 daemon
fetchmail: Server certificate verification error: self-signed certificate in certificate chain
fetchmail: Missing trust anchor certificate: /C=US/O=Let's Encrypt/CN=R3
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. See README.SSL for details.
fetchmail: OpenSSL reported: error:0A000086:SSL routines::certificate verify failed
fetchmail: server4.com: SSL connection failed.
fetchmail: socket error while fetching from user4@server4.com@server4.com
fetchmail: Query status=2 (SOCKET)
fetchmail: Server certificate verification error: self-signed certificate in certificate chain
fetchmail: Missing trust anchor certificate: /C=US/O=Let's Encrypt/CN=R3
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. See README.SSL for details.
fetchmail: OpenSSL reported: error:0A000086:SSL routines::certificate verify failed
fetchmail: server3.com: SSL connection failed.
fetchmail: socket error while fetching from user3@server3.com@server3.com
fetchmail: Server certificate verification error: self-signed certificate in certificate chain
fetchmail: Missing trust anchor certificate: /C=US/O=Let's Encrypt/CN=R3
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. See README.SSL for details.
fetchmail: OpenSSL reported: error:0A000086:SSL routines::certificate verify failed
fetchmail: server2.com: SSL connection failed.
fetchmail: socket error while fetching from user2@server2.com@server2.com
fetchmail: Query status=2 (SOCKET)
fetchmail: Server certificate verification error: self-signed certificate in certificate chain
fetchmail: Missing trust anchor certificate: /C=US/O=Let's Encrypt/CN=R3
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. See README.SSL for details.
fetchmail: OpenSSL reported: error:0A000086:SSL routines::certificate verify failed
fetchmail: server1.com: SSL connection failed.
fetchmail: socket error while fetching from user1@server1.com@server1.com
fetchmail: Query status=2 (SOCKET)

In principle I should be able to report the exit node somewhere. But I don’t even know how I can determine which exit node is the culprit. Running nyx just shows some of the circuits (guard, middle, exit) but I seem to have no way of associating those circuits with fetchmail’s traffic.

Anyone know how to track which exit node is used for various sessions? I could of course pin an exit node to a domain, then I would know it, but that loses the benefit of random selection.

13
3

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

14
3
Off-Topic Friday (infosec.pub)

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

15
10

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

16
4

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

17
7
Off-Topic Friday (infosec.pub)

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

18
5

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

19
12

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

20
20
submitted 1 month ago* (last edited 1 month ago) by wop@infosec.pub to c/cybersecurity@infosec.pub

Big or small, we make decisions every day. Rules, policies, processes, templates, etc.

How do you document the process and results of your decision making and track changes?

To give you some background, a lot of departments discuss certain topics every two weeks, but nothing is written down - it takes a lot of time and worse, some decisions change every two weeks.

I've been trying to fight this battle with OneNote atm and was inspired by some software change management frameworks (wild mix of things):

Each decision/problem gets a new page.

  • What is the question/problem?
  • Why is this decision necessary?
  • What are the pros and cons?
  • Which departments need to be involved? What is the scope? (department, site, country, continent, international, etc.)
  • What are the alternatives and consequences of not implementing?
  • plus changelog
  • plus metadata, such as parties involved, who proposed it, dates, etc.

Still a work in progress, but it is a mix of RFC, ADR, and some other frameworks.

How do you handle that?

21
8

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

22
8
Off-Topic Friday (infosec.pub)

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

23
12
submitted 1 month ago* (last edited 1 month ago) by soloActivist@links.hackliberty.org to c/cybersecurity@infosec.pub

Apparently some company I do business with shared my data with another corp without me knowing,

WTF?

then that corp who I did not know had my data was breached.

WTF?

Then the breached corp who could not competently secure the data in the first place offers victims gratis credit monitoring services (read: offers to let yet another dodgy corp also have people’s sensitive info thus creating yet another breach point). Then the service they hired as a “benefit” to victims outsources to another corp and breach point: Cloudflare.

WTF?

So to be clear, the biggest privacy abuser on the web is being used to MitM a sensitive channel between a breach victim and a credit monitoring service who uses a configuration that blocks tor (thus neglecting data minimization and forcing data breach victims to reveal even more sensitive info to two more corporate actors, one of whom has proven to be untrustworthy with private info).

I am now waiting for someone to say “smile for the camera, you’ve been punk’d!”.

(update)
Then the lawyers representing data breach victims want you to give them your e-mail address so they can put Microsoft Outlook in the loop. WTF? The shit show of incompetence has no limit.

(update 2)
It’s interesting to note that the FTC as well as a data breach lawyer both recommend that data breach victims take advantage of the free credit monitoring. I’m a bit surprised. As much as I want to cause the breached company to incur a cost for that subscription, it seems like a foolish move to put my sensitive info in the hands of yet another dodgy 3rd party.

24
6
Off-Topic Friday (infosec.pub)

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

25
14

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

view more: next ›

cybersecurity

3231 readers
10 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Enjoy!

founded 1 year ago
MODERATORS