Sandfly Security
Linux EDR nologin Shell Rename Backdoor Attack Detection and Forensics
System accounts on Linux often use a default shell of /sbin/nologin or /usr/sbin/nologin to prevent them from logging into a host even if enabled by accident. But what happens if an attacker were to replace the nologin binary with a valid shell like /bin/bash? Well, it makes a very stealthy backdoor user! In this video we'll show you this hacking tactic as it is used by APT groups to hide backdoor accounts that are secretly active on Linux systems. In addition to learning how to investigate with command line tools using cryptographic hashes, we'll show you how Sandfly's agentless Linux EDR quickly identifies this attack with efficiency and safety.
Sandfly is able to find this and many other types of Linux attacks without deploying any endpoint agents. Find out more and get a free license below:
www.sandflysecurity.com
Be sure to subscribe and follow us:
sandflysecurity
www.linkedin.com/company/sandfly
Views: 142

Videos

Linux EDR Obsolete Password Hashes and their Risks for Password Cracking
Views 176 · 4 hours ago
Over the years Linux has featured many password hashes from MD5 to modern Yescrypt. These hashes are designed to slow down brute force password cracking in the event of compromise. However, as CPU and GPU speeds have increased, so has the risk of password crackers making many of the old algorithms not just obsolete, but dangerous to continue using. In this video we show you how to identify obso...
Linux EDR Default User Password Attack Detection and Forensics
Views 106 · 4 hours ago
Linux ships with many default users disabled out of the box, but what happens if someone were to give them a password to enable login? Well, it would give them a backdoor user! In this video we explore this threat, how it looks with command line forensics, and how to use Sandfly's agentless Linux EDR to watch your system for this attack to know if it is happening. Sandfly is able to find this a...
Linux EDR Duplicate User Password Hash Attack Detection and Forensics
Views 154 · 4 hours ago
Users with duplicate password hashes on Linux indicate the host has been compromised. In this video we'll discuss what we mean by duplicate password hashes, how to identify them with command line tool forensics, and automatically detecting this Linux attack with agentless Sandfly Security EDR. Sandfly is able to find this and many other types of Linux attacks without deploying any endpoint age...
Linux EDR Reverse Shell Detection, Investigation, and Forensics
Views 611 · 14 hours ago
This video covers how to investigate a reverse shell on Linux using command line tools and agentless Sandfly EDR. We'll cover the basic reverse shell attack pattern, what it looks like from an alert perspective, what it looks like from the terminal, and how to investigate the suspicious process using simple command line tools. We'll even show you how to spy on the reverse shell activity using a...
Rob Joyce Interview - Linux Critical Infrastructure Threats
Views 491 · 1 month ago
Rob Joyce, former head of the NSA hackers known as Tailored Access Operations (TAO), joins us for a talk about Linux critical infrastructure threats. We cover these topics: - Goals of infrastructure disruption. - Common blind spots in critical infrastructure - The particular role of Linux and why it needs better monitoring. - Nation state critical infrastructure targets. - VoltTyphoon Chinese g...
Find and De-Cloak Linux Stealth Rootkits Instantly with Agentless Linux EDR
Views 257 · 1 month ago
Linux stealth rootkits share common attributes around hiding files, directories and processes. Sandfly's agentless de-cloaking feature instantly shows you what files are being hidden so compromised Linux systems can be found immediately. In this demo we show you how to reveal sedexpb, Diamorphene and Reptile stealth rootkits. The new feature works on variants as well. Our agentless Linux EDR a...
Sandfly Linux EDR With Agentless Password Auditing - Find Default Passwords Instantly
Views 90 · 3 months ago
We demonstrate how to use Sandfly's Linux EDR to agentlessly find weak and default account passwords across all Linux systems. Password auditing on Linux is simple, fast, and safe with Sandfly. Sandfly works on Intel, AMD, ARM, MIPS and IBM POWER CPUs and provides instant password auditing, including custom password lists, to all your Linux systems. Works on Linux cloud, on-prem, embedded and a...
SSH Security Zones - Full demo of how to track, secure and monitor SSH keys on Linux agentlessly.
Views 157 · 4 months ago
Introducing Sandfly's SSH Security Zone feature for Linux. This is the full demo of our powerful new way to track and secure SSH keys on Linux agentlessly. SSH Security Zones allow you to track and identify unknown keys in your network. This can help spot lateral movement attacks plus much more. Sandfly is able to track SSH keys agentlessly without deploying any endpoint agents. We work on system...
SSH Security Zones - Track, secure and monitor SSH keys on Linux agentlessly.
Views 214 · 4 months ago
Introducing Sandfly's SSH Security Zone feature for Linux. SSH Security Zones allow customers to set up protected areas of their network where only certain SSH keys are allowed to operate. New keys are flagged immediately and can help stop lateral movement and persistence attacks between secured hosts. In addition to this, we can detect unencrypted private keys and weak RSA keys. Finally, we all...
Stop Using Cryptographic Hashes to Find Linux Malware
Views 434 · 7 months ago
Using cryptographic hashes to find malware, especially on Linux, works very poorly. In this video we will show you how trivial it is to change a binary to evade detection using hashes. With open source malware, it is simple and common to change malware to evade detection on Linux which makes hashes almost worthless for the job. If you are going to hunt for malware on Linux, we recommend not usi...
Agentless File Integrity Monitoring on Linux to Detect Compromised Servers
Views 186 · 8 months ago
Demonstration of agentless File Integrity Monitoring drift detection to find compromised Linux servers using Sandfly Security. Sandfly can not only do traditional File Integrity Monitoring (FIM), but also full drift detection for new processes, users, SSH keys, systemd services, scheduled tasks and much more. This includes advanced fileless malware and other threats. Sandfly does this instant...
Linux Threat Hunting Tactics and Techniques vs. Signatures
Views 208 · 8 months ago
Threat hunting on Linux is most effective looking for tactics and techniques vs. traditional malware signatures. In this video, Sandfly founder Craig Rowland discusses the differences in relation to log tampering for anti-forensics on Linux. Be sure to subscribe and follow us: www.sandflysecurity.com sandflysecurity www.linkedin.com/company/sandfly sandflysec
Sandfly Agentless Linux Security Quickstart
Views 594 · 9 months ago
Watch how fast and easy it is to protect your Linux systems with Sandfly's agentless security platform. Get threat detection, SSH key tracking, password auditing, and drift detection for unknown threats instantly. Learn more at our website and get a free license today. Be sure to subscribe and follow us: www.sandflysecurity.com sandflysecurity www.linkedin.com/company/sandfly facebo...
Drift detection for incident response on Linux. IR teams can instantly find compromised hosts.
Views 2.1K · 9 months ago
Using Sandfly Security's agentless drift detection on Linux to rapidly find a compromised host for incident response. In this video we use drift detection to instantly spot a backdoor process, persistence mechanisms, and malicious user inserted onto a compromised Linux system. It works like the diff command, but against any Linux host to show you what is different in seconds. It's magic for IR ...
Find malware & ransomware on Synology NAS DSM appliances with Sandfly's agentless drift detection.
Views 695 · 9 months ago
Find Linux intrusions rapidly with agentless drift detection from Sandfly Security.
Views 273 · 9 months ago
BPFDoor Evasive Linux Backdoor and Malware Forensic Investigation Presentation
Views 2K · 1 year ago
Agentless Embedded Linux Device Security on Raspberry Pi
Views 201 · 2 years ago
Finding Compromised SSH Credentials on Linux with Agentless Sandfly Security
Views 339 · 2 years ago
Detect and Investigate Compromised SSH Keys on Linux with Agentless SSH Key Hunter
Views 397 · 2 years ago
Agentlessly find and analyze Linux malware in seconds.
Views 1.1K · 2 years ago
Sandfly Agentless Linux Security Quickstart
Views 578 · 2 years ago
Splunk and Sandfly Agentless Linux Intrusion Detection App Intro
Views 383 · 4 years ago
Agentless Linux Intrusion Detection with Elasticsearch Kibana and Sandfly Security
Views 856 · 4 years ago
How to Use Agentless Security to Hunt for Suspicious Users on Linux
Views 207 · 5 years ago
How to Hunt for Linux Malware with a Cryptographic Hash
Views 264 · 5 years ago
Using Sandfly's Agentless Linux Security Bot to Hunt for Malware Droppers Within a Time Window
Views 115 · 5 years ago
Hunting for Malicious Linux Process Names with Agentless Sandfly Security
Views 235 · 5 years ago
How to Recover a Deleted Process Binary on Linux - Linux Process Forensics
Views 310 · 5 years ago

COMMENTS

  • @shiverello6109 · 10 hours ago

    Very well explained, any Linux admin could detect this backdoor after the video. Much appreciated

  • @kevinpaulus4483 · 1 day ago

    Nice ... but you still need an exploit from which you can run root commands or escalate to root to replace the shell in the shadow passwd file (chsh) and change the non password to something legible (passwd). Do you have alerts of possible RCEs on vulnerable systems ... do you do continuous Nessus-like or nmap/NSE or ... other types of vulnerability scanning? Anyway ... quite interesting product for an enterprise with a Linux environment.

    • @SandflySecurity · 16 hours ago

      Our philosophy is to assume that anyone who gets on a Linux box is going to get root. There are many ways it can happen with bugs, mis-configurations, etc. We scan systems on a random basis for signs of attack but are not a vulnerability scanner. We specifically focus on compromise detection and agentless threat hunting. Many systems remain unpatched or open to attack and admins need an automated way to search out and identify hosts that have been compromised. Hope that helps.

  • @Yayaisbadatchess · 2 days ago

    Awesome! Is the $1$ the same for every md5 password?

    • @SandflySecurity · 2 days ago

      Yes. The chart basically is this:
      $1$ = MD5
      $2a$ = Blowfish
      $2y$ = Blowfish
      $5$ = SHA-256
      $6$ = SHA-512
      $y$ = yescrypt

  • @Yayaisbadatchess · 3 days ago

    So glad the algorithm suggested this video, awesome!

    • @SandflySecurity · 3 days ago

      Thanks for the compliment and watching. We will be posting a lot more of these short topic videos so please subscribe.

    • @Yayaisbadatchess · 3 days ago

      @SandflySecurity Already did! Also maybe if it's possible to make the red font a little brighter ☺️

    • @SandflySecurity · 3 days ago

      Thanks for the feedback. We'll fix for next time.

  • @loremipsum685 · 5 days ago

    Forgot how useful peekfd is!

  • @callmebigpapa · 15 days ago

    You only hear the noisy, the low and slow go undetected for years. If our power goes out so will theirs. They should have had a dedicated jumpbox for the aquarium guys. The security team for the company can get into any box .....if they get the ok. We should force hardware keys everywhere.

  • @ruymanbr · 1 month ago

    Thanks. So this scans but doesn't protect or clean/stop any future attack?

  • @artemis-arrow-3579 · 5 months ago

    eh, I wrote a stealth malware called gorgon, absolutely no impact on the system, no slowing down, no bugging the system, nothing, mainly due to some design elements I came up with. It's also compatible with pretty much every kernel version since 2.something. Point is, if someone is skilled enough, and puts the time and effort into a rootkit, they can design something truly invisible.

    • @SandflySecurity · 5 months ago

      Thanks for the comment. No doubt it's possible to hide on Linux for quite a while.

  • @Tulah · 6 months ago

    I feel like hashes could still be useful, but not the way presented here: not to detect malware, but to guarantee integrity of known good software. Hash all the known binaries and libraries on the system, record sizes and then monitor changes. There are some files of course that need to be blacklisted from this such as log files and some runtime files, tempfiles, so it's not perfect, but it's an additional thing to bundle with other security. Take hashes before backup, bundle them with the backup and then take hashes immediately after the backup to make sure nothing went wrong while at it. Check hashes again immediately after updates and record changes. Monitor file integrity over time actively and report changes into whatever monitoring system is being used. This is basically what people did with the open source version of Tripwire in the early 2000s. Hash everything and record hashes on a floppy disk which is then removed until the next checkup. Also I did something similar with CFEngine some 10-15 years ago, though I only monitored integrity of some files, not all files, so that kinda defeats the point, but at least I'd know if important configs or the content of directories changed for one reason or another.

  • @antediest · 7 months ago

    Who the fuck uses sha1 in 2024 😂

    • @SandflySecurity · 7 months ago

      It doesn't matter what cryptographic hash you use. The problem is identical. In fact, the longer the hash, the more of a problem it actually becomes.

  • @welcomeblack · 7 months ago

    ??? The legitimate software provider should provide the check hash. Then you changed the original code so it hashes differently. That's expected behaviour, and is what you look for to check whether or not the OG program has been compromised. What am I missing?

    • @SandflySecurity · 7 months ago

      It was demonstrating how easy it is also for a malware binary to be changed and why using hashes to look for malware is a bad approach. The use of a system command is just convenience for others that want to try it as an experiment. You are correct that hashes work great for spotting things that change where you don't want them to change (like a distro binary). They work very poorly for malware that changes all the time.

    • @welcomeblack · 7 months ago

      @SandflySecurity Ah OK, that makes sense. If you're skimming your server for a known exploit .badbash.rc and are scanning based on hash value, yeah, the hash might change every time it's run.

    • @cedricbrisson7240 · 7 months ago

      @SandflySecurity Exactly. A lot of AVs do hash based static analysis and it's absolutely worthless 90% of the time. I've had at least 10x more false positives from hash based detection than true positives.

    • @hi117117 · 7 months ago

      @cedricbrisson7240 I mean, kind of? Most use YARA rules that look for specific bytes in critical sections that a malware can't easily change. Maybe it's just my exposure, but I don't see many people using hashes to identify malware. What I do see are systems using hashes to identify goodware (for lack of a better term).

  • @comosaycomosah · 7 months ago

    Pretty fire channel!

  • @danielpacak6577 · 8 months ago

    That's a great demo and very powerful tool for host IR. I was wondering how / whether this product is suitable for cloud native deployments. For example, running it on a Kubernetes node will be much harder because capturing a profile or well known good behavior of such ephemeral containerised workloads running on a given node is probably much harder.

    • @SandflySecurity · 8 months ago

      We can profile systems running containers. You can also use recon modules that include only containerized processes, or do not include containerized processes, to set up what kind of drift you want to find. For instance, profile containerized only to track containers running on a host. Or track non-containerized only to track the host OS regardless of what containers it is running. Thanks for your comment.

    • @danielpacak6577 · 8 months ago

      Thank you for the clarification. It would be very helpful to see a video that demonstrates how to hunt for threats on a Kubernetes node.

  • @andrealang3393 · 9 months ago

    Promo`SM 👀

  • @nickknows4249 · 9 months ago

    Best video I’ve seen on BPFDoor. Please take my money for a Linux forensics course!

    • @SandflySecurity · 9 months ago

      Thanks for the comment. No plans for a course yet, but our product can teach you a lot about Linux forensics by just what it does. We have a free license for home lab users that may be of interest.

  • @stephenkolostyak4087 · 9 months ago

    This is cool, it's like something I did years ago. Nice.

  • @zackey_tnt · 9 months ago

    How do you deal with hosts that have been in prod for some time and have deviated from a master image, such that prod changes are now "drifted"?

    • @SandflySecurity · 9 months ago

      Best way would be to profile the known-good image of where the system started (e.g. base image of the distro used). Then scan the prod system and review each change alert to make sure you know what it is (does this process belong here, is this user OK?, etc.). Then add/append it to the drift profile. After that, all new changes will be alerts going forward. You can then also use that profile to check your other systems to see how they drifted from your updated profile.

  • @michalmanos4320 · 9 months ago

    How can we ensure the security of the SSH secrets on a cloud based panel hosted offsite/in-cloud? Is there an option to self-host, is this open source code for auditing?

    • @SandflySecurity · 9 months ago

      Customers self-host our product where they want. It is not run by our company and no customer data is sent to us in any form. You can self-host on-prem, in the cloud, or wherever you want. SSH secrets can be managed by our product with elliptic curve cryptography protecting the keys, or we can integrate with a key vault of your choice. Please read more about SSH key security in our install docs: docs.sandflysecurity.com/docs/standard-vs-maximum-security-install docs.sandflysecurity.com/docs/credentials-security We do not store or process any customer data here: sandflysecurity.com/why-sandfly/data-privacy/

  • @NobleSteed00 · 9 months ago

    How can this be done without an agent?

    • @diamondq · 9 months ago

      I'm 99% sure their server connects to all the machines via SSH and then issues 'recon' commands over the SSH connection. You see during his setup that he's assigning SSH credentials to each of the new boxes so that their server can connect. Generally, any management software that calls itself agentless means it's using SSH (or equivalent).

    • @SandflySecurity · 9 months ago

      We connect over SSH and have a purpose-built binary with Linux forensic engines to gather data. We do not hook into the kernel or leave anything permanently running, as is typical of agent-based deployments.

    • @NobleSteed00 · 9 months ago

      @SandflySecurity Ok, thanks.

    • @rosonowski · 9 months ago

      @SandflySecurity Without access to ring 0, are you relying entirely on userland indicators as demonstrated in this video? The centralized collector and viewer is nice, but what does this offer, mechanically, over something like tripwire?

    • @SandflySecurity · 9 months ago

      We use a variety of indicators and artifacts from a host but do not hook into ring 0 as it is not necessary to find virtually any malware on Linux (and introduces stability and performance impacts). We have no recent experience with tripwire, but in general we do not do just traditional file integrity monitoring, but can also profile running processes (even done by fileless malware). Also users, cron entries, systemd services, SSH keys, at jobs, and so on. Any forensic artifact we collect can be tracked for drift agentlessly. Finally, we can work on any Linux host we can log into which includes not just servers, but embedded systems, appliances, and so on up to a decade+ old. We also cover Intel, AMD, ARM, MIPS and Power CPUs seamlessly on virtually any Linux distribution.

  • @Ichinin · 11 months ago

    This was exceptionally good, especially the sniffer detection tips.

  • @adriennecrosby4105 · 11 months ago

    Your screen is very difficult to read.

    • @SandflySecurity · 9 months ago

      Thanks. We'll make it larger for future videos.

  • @a.r.5779 · 1 year ago

    Thank you very much, very very instructive.

  • @johnf216 · 1 year ago

    Great video, thanks for taking the time to record and share it.

  • @loremipsum685 · 1 year ago

    www.fbi.gov/wanted/cyber/apt-41-group

  • @cyberlabz · 1 year ago

    Great video!! This is gold!! Thank you.

  • @johnlampe595 · 2 years ago

    If the user has a VirusTotal API key, could they feed it to Sandfly to automate the hash lookups?

    • @SandflySecurity · 2 years ago

      We will have that feature soon as it is on our near-term roadmap.

  • @shiwangk9963 · 2 years ago

    Sounds cool. UI: I have been using Ansible to do the same stuff on the CLI. Would love to see more features!

  • @goddiemang5792 · 2 years ago

    Useful information here!!!

  • @loremipsum685 · 3 years ago

    Very cool. Thanks for sharing.

  • @YoungDioX · 3 years ago

    Great video! I do wish you paused a little for some of the commands towards the end so I could get a good look at them.

  • @svampebob007 · 4 years ago

    That's a very interesting tool you got there, the main issue I have with it is www.sandflysecurity.com/pricing/ You should really put a price where your mouth is. A basic price with * can really help consumers choose the product. I love the idea though: Now that I've looked at the website and videos, and got time to think about it, this is more of a passive protection, you are basically digging through logs and looking at anomalies, meaning that once you detect an intrusion you'll flag it (with a very impressive amount of detail saving loads of hours of looking at logs). Yet at the end of the day the system is already compromised, whether this happened 1 minute or 30 days ago is kinda irrelevant, that system should be taken offline and preferably wiped. It's still a very ingenious solution, I like the fact that you basically just use ssh to get a foothold into any ssh capable system and passively look at what's going on, that's clever! I think this could be done with an anti malware/anti virus using ssh/sshfs and capping the scan speed by either limiting the affinity of the AV/AM process or limiting the bandwidth and also focusing on "vulnerable" locations. It would still work as a "passive" protection, but more automated. I still like the idea, and I'm very impressed with the data being very accessible, the real issue is no visible price points... I could be saving $50k per cluster or be looking at a $50k bill for what amounts to a $20 job because your billing structure isn't obvious.
    Maybe I'm totally misunderstanding the technology, so correct me if I'm wrong, but when I hear you say "agentless" and "ssh", "key", "we see root here that's normal (video id: lQizoBHmF6Q time 7:54)" it implies that you allow Sandfly to login via ssh as root but only with an ssh key, so that you can then use that software to scan the system using logs and commands like "lsof -i -P -n | grep LISTEN". So basically Sandfly gets a shell into any system and collects the data, but doesn't actually do anything with it. (implementing AV with ssh root access would help here) Still I'm impressed with the data it's showing, most data/graph servers tend to just show kinda useless things like "cpu temp" "network speed"... cpu and network are the kind of stuff that we take care of before the host is online, it should already be capable of not overheating or maxing out the network. Now who launched not.a.virus.jpg as neo.matrix.bat... that's the kind of stuff I'm looking for! Looking at logs where it spams me 1000 lines of "dhcp default renewed ip to 127.0.0.1" per 1 "btw neo tried to login" is very useful, because sometimes you can't just grep "who dun did it".

    • @SandflySecurity · 4 years ago

      Thanks for your response. Pricing is one of these things where it can vary so much depending on a customer's size and number of endpoints that we just need to talk to them to see how many hosts they actually have to see what discounts apply. The product is affordable even for very small deployments and also for very large ones. We don't actually look at any logs or use any built-in system tools at all. We have custom built forensic engines designed specifically to investigate Linux. We are addressing after-the-fact intrusions because that is the major exposure for Linux. Even if you have a security product that claims to intercept and block all attacks (not possible), then there is always the chance the intruder still gained entry. For instance a product that blocked five attacks and gave you five alerts. That's fine. But suppose there was a sixth attack it simply didn't see or block and that worked? At that point you better be looking on the host for compromise signs or you are in trouble. If we detect attacks we can in fact respond to them. The latest version of the product can actively respond to process attacks by either suspending or killing the malicious process as soon as it is found. Other response options are possible. On top of this you can also build your own custom checks very easily and deploy them agentlessly. So if you are dealing with a specific threat to your organization and want to keep it confidential you can deploy custom modules yourself to help with incident response and clean-up. Contact us if you'd like a demo for your organization. We are happy to give a live demo on live attacks and supply a trial license. Thanks.

  • @hermanwooster8944 · 4 years ago

    This was awesome. As a new Linux user, I'll be sure to save this video for reference.

  • @JaggedTusk · 4 years ago

    Hey Craig, outstanding videos. I've learned so much regarding Linux forensics! Please keep the videos coming!

  • @austinjohnson4890 · 4 years ago

    I'm a computer nerd thinking about switching careers to cyber security... Growing hemp has lots of down time so I'm going to study up. This channel is going to be my new college, thanks for uploading this stuff; not many will watch this but a few people like me will really appreciate it.

  • @Gregorydaerr1971 · 5 years ago

    Can you show us the books you've read or are reading on that bookcase behind you?

    • @SandflySecurity · 5 years ago

      Too many to list and changes constantly!

    • @Gregorydaerr1971 · 5 years ago

      🤔....how bout just post a pic and I'll do the rest. I'm overwhelmed at the layered onion this topic has become. It seems almost purposely convoluted and obfuscated. Typical / average ....novice..... users have no hope of securing themselves in today's cyberspace. As a programmer, I'm hoping to deep dive and become competent in this space before looking into where some attention should be directed in order to enable the average user some useful and reliable tools for better protection. Virus software that simply white or black lists or compares hashes against a lookup table is woefully unable to offer any real protection. We need software that can recognize what a script/executable/binary is actually doing and how it's interacting with the OS and to limit and restrict BEHAVIOR rather than to attempt to use lazy shortcuts that are easily defeated. We need to create security software that can find unknown vulnerabilities based on more granular analysis of the system it protects. I also think that the whole trust model the cert authorities are providing has proven useless and another framework is needed soon. I think that anything involving "trust" metrics has proven in recent years to be a corrupt and broken system. The most affected by these sloppy policies are the average user. ....and they are likely oblivious. Although ignorance can reduce the shock of some situations (your identity has been stolen, 110k pervs are watching your daughter shower thru her phone and you just realized that on the internet, men are men......women are men and teenage girls are FBI Guys) for these average folk, that may be enough. However, I prefer knowing- REGARDLESS if there is nothing I can do. ... at least I can take common sense precautions to protect my data, money and privacy. G Daerr

  • @Gregorydaerr1971 · 5 years ago

    Can you suggest a good Antivirus product?

  • @Gregorydaerr1971 · 5 years ago

    Curious. Where can I read your paper?

    • @SandflySecurity · 5 years ago

      Search for it at firstmonday.org. It should still be there.

  • @Gregorydaerr1971 · 5 years ago

    What language did you write the stealth scan prog in.......Python?