Introduction to Cyber Security

1. Credits: MP7 | https://pastebin.com/FQLDrVRJ
2.  
3. __________
4. < ErrorSquad >
5. ------------
6. \
7. \
8. .::!!!!!!!:.
9. .!!!!!:. .:!!!!!!!!!!!!
10. ~~~~!!!!!!. .:!!!!!!!!!UWWW$$$
11. :$$NWX!!: .:!!!!!!XUWW$$$$$$$$$P
12. $$$$$##WX!: .<!!!!UW$$$$" $$$$$$$$#
13. $$$$$ $$$UX :!!UW$$$$$$$$$ 4$$$$$*
14. ^$$$B $$$$\ $$$$$$$$$$$$ d$$R"
15. "*$bd$$$$ '*$$$$$$$$$$$o+#"
16. """" """""""
17. __ __ _____ ______
18. | \/ | __ \____ |
19. | \ / | |__) | / /
20. | |\/| | ___/ / /
21. | | | | | / /
22. |_| |_|_| /_/
23.  
24. Cybersecurity essentials:
25.  
26. * use audited cryptography. do not roll your own. do not trust others that do (e.g., telegram).
27.  
28. * harden your OS.
29. https://wiki.archlinux.org/index.php/Security
30. https://wiki.centos.org/HowTos/OS_Protection
31. https://wiki.debian.org/Hardening
32. https://wiki.gentoo.org/wiki/Hardened_Gentoo
33. https://docs.fedoraproject.org/en-US/Fedora/17/html/Security_Guide/chap-Security_Guide-Basic_Hardening.html
34. https://help.ubuntu.com/community/Security
35.  
36. * encrypt your hard drive (full disk encryption, or FDE for short).
37. standard LVM encryption is the best option and should be available when installing your linux distro.
38.  
39. for a disk that is not part of your operating system, a portable drive for example, dmcrypt/LUKS is the best option but veracrypt is
40. available on all platforms. keep in mind your installer may or may not encrypt your GRUB and there are several ways of dealing with
41. that issue which are discussed in the Paranoid #! security guide linked in the introductory resources below. keep in mind disk
42. encryption means nothing to an experienced attacker with physical access if you have not completely shut down your computer and
43. wiped the RAM.
44.  
45. * encrypt your emails.
46. PGP is pretty much all we have, but it is all we need.
47. https://www.enigmail.net/
48.  
49. your metadata may still be collected. if you care about metadata, use a disposable email account or a trusted provider. suggestions
50. include protonmail, tuta.io or cock.li.
51.  
52. * encrypt your instant messages.
53. for better or worse XMPP+OTR is still our best bet.
54. https://otr.cypherpunks.ca/
55.  
56. i would not depend on anything else. even if the crypto in other apps is theoretically sound, the implementation fails or the
57. distribution method is inherently flawed. cryptocat is an unpopular, but good option. telegram, tox, and wickr are fucked. do not
58. even bother. you might as well use skype.
59.  
60. * use a local password manager (no cloud bullshit).
61. any. it is better than what you are doing now.
62.  
63. * strong passwords. make sure they are long and unique.
64. https://www.xkcd.com/936/
65.  
66. * do not reuse passwords. seriously.
67. if you do, consider your password public knowledge.
68.  
69. bypassing a login wall? sure. fuck it. who cares if someone else uses it.
70. anything you care about? no. absolutely not.
71.  
72. * better yet, use randomly generated passwords. the best password is one you cannot remember.
73. https://www.grc.com/passwords.htm
74.  
75. * your new search engine is duckduckgo or searx.
76. https://duckduckgo.com/
77. https://searx.me/
78.  
79. * your new browser is firefox.
80. be sure to go into options, then security, and uncheck block malicious content.
81. https://www.mozilla.org/en-US/firefox/new/
82.  
83. * modify some settings
84. enter about:config into your url bar and apply the following modifications. do not bitch about there being too many options. that is the
85. fucking point. you cannot even configure many of these settings in other browsers without modifying its source or building addons.
86. https://hastebin.com/ivuhasopob
87.  
88. the changes listed above are unambiguous and unopinionated. you can go a much further than this at the expense of comfort and
89. convenience. consider modifying some of the settings listed on https://github.com/pyllyukko/user.js/blob/master/user.js depending on
90. the sacrifices you are willing to make for privacy and security.
91.  
92. * now install your addons.
93. required: ublock origin, https everywhere, noscript, blender
94. https://addons.mozilla.org/en-US/firefox/
95.  
96. * apply your filters.
97. required: easylist, easyprivacy.
98. https://easylist.to/
99.  
100. * and test your results.Cybersecurity resources:
101. Learning: https://hastebin.com/aludiyigim
102. CTF/Wargames: https://hastebin.com/ofofalafid
103. News: https://hastebin.com/onimofeyut
104. Other useful stuff: https://hastebin.com/xixijinuge
105. Essentials Pastebin: https://hastebin.com/fifetelewo
106. Books: http://www.allitebooks.com/
107. Network visualisation: https://dowse.eu/
108. Unofficial grsec: https://github.com/minipli/linux-unofficial_grsec/tree/linux-4.9.x-unofficial_grsec
109. Security tips in order of difficulty: https://hastebin.com/ucanorusew
110. Qualys Security Advisory - The Stack Clash: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
111. http://boards.4chan.org/g/thread/61062751#p61064761's advice: https://hastebin.com/sizimakofi
112. Firefox extensions: https://hastebin.com/xawurihifo
113. TEMPEST attacks against AES: https://www.fox-it.com/nl/wp-content/uploads/sites/12/Tempest_attacks_against_AES.pdf
114. Shared thoughts after 6+ years in Pentesting (http://boards.4chan.org/g/thread/61194248#p61211017): https://0x00sec.org/t/shared-thoughts-after-6-years-in-pentesting/2492
115. Cybrary: https://www.cybrary.it/
116. Awesome Infosec: https://github.com/onlurking/awesome-infosec
117. InfoSec and exploitation tool diagram: https://netsec.ws/infosec.svg
118. So you want to be a Hacker: https://netsec.ws/?p=468
119. The OWASP Mobile Security Testing Guide: https://b-mueller.gitbooks.io/the-owasp-mobile-security-testing-guide/content/
120.  
121. Cryptocurrency:
122. Verge:
123. Website: https://vergecurrency.com/
124. Interview: https://youtu.be/EFXkJjgPlII
125. Monero:
126. Website: https://getmonero.org/
127.  
128. Anonymity networks:
129. I2P: https://geti2p.net/en/
130.  
131. Tox:
132. Tuntox - Tox protocol TCP tunnel: https://github.com/gjedeer/tuntox
133. ToxBot: https://github.com/JFreegman/ToxBot
134. ToxVPN: https://github.com/cleverca22/toxvpn
135.  
136. Cybersecurity videos:
137. DEFCON 14: The Making of atlas: Kiddie to Hacker in 5 Sleepless Nights: https://youtu.be/gYOy7CGpPIU
138. DEFCON 16: Nmap: Scanning the Internet: https://youtu.be/Hk-21p2m8YY
139.  
140. Cybersecurity news:
141.  
142. https://www.schneier.com/
143. https://grsecurity.net/blog.php
144. https://isc.sans.edu/
145. https://blog.torproject.org/category/tags/security-fixes
146. http://resources.infosecinstitute.com/
147. http://www.windowsecurity.com/articles-tutorials/
148. https://www.sans.org/reading-room/
149. https://threatpost.com/
150. https://packetstormsecurity.com/
151.  
152. Introduction to cybersecurity:
153.  
154. https://ssd.eff.org/
155. your first steps.
156. https://trailofbits.github.io/ctf/index.html
157. introduction to CTFs. even if you never do one, this is a good read.
158. https://wiki.installgentoo.com/index.php/Anonymizing_yourself
159. quick and dirty guide to anonymizing yourself.
160. https://hastebin.com/vupatamesu
161. this is the old, fabled, Paranoid #! security guide. not all of it is up to date, but it is very thorough.
162. https://samsymons.com/blog/reverse-engineering-with-radare2-part-1/
163.  
164. Learning resources:
165.  
166. https://github.com/vhf/free-programming-books/blob/master/free-programming-books.md
167. absolutely massive collection of free resources for learning programming from beginner to expert level.
168. https://www.offensive-security.com/metasploit-unleashed/
169. http://www.allitebooks.com/
170. http://opensecuritytraining.info/Training.html
171. http://www.und.edu/org/crypto/crypto/lanaki.crypt.class/
172.  
173. CTF and wargames:
174.  
175. https://www.pentesterlab.com/
176. https://www.mavensecurity.com/resources/web-security-dojo/
177. https://exploit-exercises.com/
178. http://www.itsecgames.com/
179. http://forensicscontest.com/puzzles
180. https://pwnable.tw/
181. https://io.netgarage.org/
182. https://ctftime.org/
183. https://www.vulnhub.com/
184. https://w3challs.com/challenges/hacking
185. https://xss-game.appspot.com/
186. http://smashthestack.org/
187. http://www.hackertest.net/
188. https://www.hackthissite.org/
189. https://overthewire.org/wargames/
190. https://0x0539.net/
191. http://3564020356.org/
192. http://pwnable.kr/
193.  
194. Vulnerability management:
195.  
196. https://www.cvedetails.com/
197. https://www.exploit-db.com/
198. https://www.rapid7.com/db/
199. http://mvfjfugdwgc5uwho.onion/
200. https://cve.mitre.org/cve/cve.html
201. this site lets you download their CVE list in formats easier to work with.
202.  
203. Cryptography:
204.  
205. https://pqcrypto.org/
206. http://www.tandfonline.com/toc/ucry20/current
207.  
208. Penetration testing:
209.  
210. http://ytxmrc3pcbv5464e.onion/files/
211. collection of various ebooks mostly focused on pentesting.
212.  
213. Reverse engineering:
214.  
215. https://beginners.re/
216. https://github.com/rpisec/mbe
217. http://blog.ijun.org/2009/12/understanding-elf-using-readelf-and.html
218. http://ref.x86asm.net/index.html
219. easily-searchable opcode and instruction reference.
220. https://panopticlick.eff.org/
221.  
222. * do not use chrome. chrome is a closed source browser by a for profit corporation. firefox is an open source browser by a non-profit
223. organization. use your head.
224.  
225. * do not use chromium either. it may be open source, but it still phones home.
226.  
227. * block malicious sites in your hosts file.
228. https://github.com/StevenBlack/hosts
229.  
230. * use an anonymous VPN. a paid one. without traffic logs.
231. do torrent over VPN.
232.  
233. * use TOR.
234. do not torrent over TOR.
235. https://www.torproject.org/
236.  
237. * understand the difference between anonymity, privacy, and security.
238.  
239. * read the resources paste to get started.
240. Check out R.I.U. MP7 (@FederalError): https://twitter.com/FederalError