Security Fuckup Megathread - v12.2 - you have slammed your dick in the car door

The Something Awful Forums > Discussion > Serious Hardware/Software Crap > YOSPOS > Security Fuckup Megathread - v12.2 - you have slammed your dick in the car door

«‹›366 »

30 TO 50 FERAL HOG: Mar 2, 2005

Subjunctive posted:

I don't get this joke and I feel like I should

original fast and furious

# ? Apr 12, 2016 15:28

Adbot: ADBOT LOVES YOU

# ? Jun 3, 2024 16:08

prefect: Sep 11, 2001; No one, Woodhouse.
No one.; Dead Man’s Band

Subjunctive posted:

I don't get this joke and I feel like I should

i think it's from this?

# ? Apr 12, 2016 15:32

Subjunctive: Sep 12, 2006; ✨sparkle and shine✨

I am glad that is in my life.

# ? Apr 12, 2016 15:34

Segmentation Fault: Jun 7, 2012

BiohazrD posted:

original fast and furious

what does not arresting illegal arms sellers have to do with funy computer

# ? Apr 12, 2016 15:36

Lain Iwakura: Aug 5, 2004; The body exists only to verify one's own existence.; Taco Defender

prefect posted:

i think it's from this?

i think that there is an extended version?

# ? Apr 12, 2016 15:37

Lain Iwakura: Aug 5, 2004; The body exists only to verify one's own existence.; Taco Defender

Happy Badlock Day!

# ? Apr 12, 2016 15:50

neutral milf hotel: Oct 9, 2001; by Fluffdaddy

OSI bean dip posted:

Happy Badlock Day!

# ? Apr 12, 2016 15:51

spankmeister: Jun 15, 2008

http://www.timeanddate.com/countdown/launch?iso=20160412T17&p0=1440&msg=%23Badlock&font=cursive&csz=1

# ? Apr 12, 2016 15:55

BangersInMyKnickers: Nov 3, 2004; I have a thing for courageous dongles

Patch. Yo. poo poo.

# ? Apr 12, 2016 16:31

burning swine: May 26, 2004

Anyone have the link to that hour-ish long youtube video about selinux that was being posted a while ago in the old thread? I've got free time at work today so I figure I should edumacate myself

# ? Apr 12, 2016 16:44

ChickenOfTomorrow: Nov 11, 2012; god damn it, you've got to be kind

spankmeister posted:

http://www.timeanddate.com/countdown/launch?iso=20160412T17&p0=1440&msg=%23Badlock&font=cursive&csz=1

[img that nazi guy grinning and doing a happy squirm in his seat]

# ? Apr 12, 2016 16:50

spankmeister: Jun 15, 2008

FopeDush posted:

Anyone have the link to that hour-ish long youtube video about selinux that was being posted a while ago in the old thread? I've got free time at work today so I figure I should edumacate myself

https://www.youtube.com/watch?v=MxjenQ31b70

# ? Apr 12, 2016 16:52

burning swine: May 26, 2004

spankmeister posted:

https://www.youtube.com/watch?v=MxjenQ31b70

Thx

Just enough time to learn all about SELinux and then go to town on badlock

what a great morning this is

# ? Apr 12, 2016 16:59

Number19: May 14, 2003; HOCKEY OWNS
FUCK YEAH

I am picking up a barrell of coffee and another of scotch so I am prepared fully

storage vendors are the wildcard today and it will be interesting to see how fast they respond if ahahahshahahahahaha yeah right it will be weeks before they have patches

# ? Apr 12, 2016 17:02

spankmeister: Jun 15, 2008

I have a nice 10yo rum from Barbados. I am ready.

# ? Apr 12, 2016 17:04

Wiggly Wayne DDS: Sep 11, 2010

Let's Encrypt is leaving beta https://letsencrypt.org/2016/04/12/leaving-beta-new-sponsors.html

amongst their new sponsors is Gemalto:

quote:

�We�re very proud to be a Gold Sponsor for Let�s Encrypt which leverages our industry-leading hardware security modules to protect their certificate authority system,� says Todd Moore, Vice President of Encryption Product Management at Gemalto. �Encryption by default is critical to privacy and security, and by working with Let�s Encrypt Gemalto is helping to deliver trust for the digital services that billions of people use every day.�

someone make :gchq:

# ? Apr 12, 2016 17:05

devmd01: Mar 7, 2006; Elektronik
Supersonik

Are the Microsoft security bulletins released yet for wsus? I'm ready to start patching domain controllers in the middle of the day to test resiliency of ad, DNS, and dhcp. :snoop:

# ? Apr 12, 2016 17:16

Number19: May 14, 2003; HOCKEY OWNS
FUCK YEAH

devmd01 posted:

Are the Microsoft security bulletins released yet for wsus? I'm ready to start patching domain controllers in the middle of the day to test resiliency of ad, DNS, and dhcp.

in about 40 minutes

# ? Apr 12, 2016 17:18

Captain Foo: May 11, 2004; we vibin'
we slidin'
we breathin'
we dyin'

tik tok on the clock dj blow my servers up

# ? Apr 12, 2016 17:30

Lain Iwakura: Aug 5, 2004; The body exists only to verify one's own existence.; Taco Defender

http://www.postphp.com/namecheap-livechat-social-engineering-leads-to-loss-of-2-vps/

quote:

Namecheap live chat social engineering leads to loss of 2 VPS

On April 9, 2016 I had an email address compromised, with the attacker brute-forcing a weak password. The hacker then attempted to do password resets on several services which had an account with this email, including AWS, and a couple of Bitcoin exchanges; all of which had 2factor authentication enabled so attacker had no luck.

I�m pretty careful to use 2FA for any service that I consider important, so that in just this scenario there is really nothing much the attacker can do.

Then they came to Namecheap where I have a couple of VPS servers, this account also had 2factor SMS authentication required for login. However the hacker opened up a live chat with Namecheap and requested a password reset for the SolusVM VPS panel, at which point, in a massive breach of their security protocols, they sent a plain text email to the comprised address containing both the VPS panel username (previously unknown to the attacker) and a new password. Normally Namecheap is supposed to ask for your �support PIN� before doing anything related to account� and the support PIN can only be obtained by logging in using 2FA.

Despite having 2factor on the Namecheap account, the VPS panel itself requires no 2factor and allows full serial console to the servers.

At this point I was at the computer and saw a �Thanks for our chat here�s your login/password� email and VPS panel login notifications, and knew right away this was bad.

Immediately I SSHed to the servers and shut them down so the attacker could not gain access to anything via serial console. Every time he tried to boot them up I immediately shut them down again. I got into the VPS panel and changed the password however this does not kill open sessions so there was no way to lock the hacker out.

At the same time I was on live chat with Namecheap informing them of the situation, and finally after 45 minutes they locked the VPS servers so that they could no longer be accessed via the VPS panel.

When Namecheap had changed all passwords and email they opened up access to the VPSs and the extent of the damage was revealed. Looking at the panel logs it appears the hacker got bored of playing the �You boot up, I boot down� game with me and decided they were probably not going to get anything, so 30 minutes after I�d reported the situation to Namecheap (and panel was still not locked), the hacker decided to give up, but on the way out decided to click the conveniently located �Re-install� button next to each VPS. This instantly wipes everything and installs a new OS. Again this action requires no 2FA authentication or any other form of confirmation.

When I realized this damage I was very bummed, but figured at least Namecheap must keep some backups in case of massive hardware failure that they can restore and maybe I�ll lose a weeks worth of data.

Wrong; they have absolutely zero backups, so I guess if a couple of disks on your RAID fail (assuming they even use RAID), or they happen to let someone reformat your server you are totally screwed.

Namecheap responded with �oops we�re very sorry� and �you can have free hosting for 1 year for 1 of the servers��and that they are �investigating further��but despite 4 days worth of requests they have failed to give me a copy of the chat transcript with the hacker (so that I can see what was actually said and what other information of mine the hacker may have).

And the 1 year worth of hosting is pretty much a joke as I�d be crazy to host anything else with Namecheap given this terrible security; looking back now I can see the security has always been woefully inadequate even without the social engineering.

Think about the glaring security flaws:

The VPS panel allows full serial console with only a login/password (no 2FA required or possible)

They send out your VPS panel login/password in plain text emails when you sign up, and when you reset the password. So if you ever failed to delete one of those emails completely and someone gets into your email�your totally screwed�

VPS can be irrevocably wiped within seconds without any prompts or confirmations just by the click of one button; whether the server is turn on/off it doesn�t matter.

They keep no backups, even to cover hardware or security failure.

And of course the icing on the cake is that they ignore 2FA and are willing to send out your username/password to anyone that asks.

My personal take away is that I should have had better local backups or synced to another service, but I have gotten complacent after so many years without any issues. I had only kept backups on the server itself and had discounted the possibility of the server just completely going �poof� with no backups kept by the host. I thought they must have something internally to cover a major screw up like this.

Although the email password was fairly weak I think you have to assume that your email could be compromised at any time, so I find it only fair that you should be able to rely on 2FA provided by services.

Bottom line is that without the social engineering the hacker would have not been able to get into these servers, and I can�t believe Namecheap fell for this hacker trick 101, really poor security.

i wonder how weak his other passwords were

# ? Apr 12, 2016 17:41

Shame Boy: Mar 2, 2010

I had to reset my 2-FA with Gandi and they actually required that I send them a scan of a government-issued photo ID because they're Actually Good At Things :3:

# ? Apr 12, 2016 17:43

spankmeister: Jun 15, 2008

Parallel Paraplegic posted:

I had to reset my 2-FA with Gandi and they actually required that I send them a scan of a government-issued photo ID because they're Actually Good At Things

yeah or you just show them one of these that you had made:

https://shop.digitalcourage.de/lichtbildausweis-mit-selbst-gewaehlten-daten.html

# ? Apr 12, 2016 17:51

Subjunctive: Sep 12, 2006; ✨sparkle and shine✨

OSI bean dip posted:

Namecheap live chat social engineering leads to loss of 2 VPS

I thought, nay hoped, that they meant vice-presidents.

# ? Apr 12, 2016 17:55

30 TO 50 FERAL HOG: Mar 2, 2005

Subjunctive posted:

I thought, nay hoped, that they meant vice-presidents.

same

# ? Apr 12, 2016 17:55

Wiggly Wayne DDS: Sep 11, 2010

Subjunctive posted:

I thought, nay hoped, that they meant vice-presidents.

same

# ? Apr 12, 2016 17:55

BangersInMyKnickers: Nov 3, 2004; I have a thing for courageous dongles

Number19 posted:

I am picking up a barrell of coffee and another of scotch so I am prepared fully

storage vendors are the wildcard today and it will be interesting to see how fast they respond if ahahahshahahahahaha yeah right it will be weeks before they have patches

NetApp committed to posting some poo poo on support thread where people are screaming, no idea but I'm guessing it will be a few days before a patch is out

# ? Apr 12, 2016 17:56

Shame Boy: Mar 2, 2010

spankmeister posted:

yeah or you just show them one of these that you had made:

https://shop.digitalcourage.de/lichtbildausweis-mit-selbst-gewaehlten-daten.html

I mean I guess if they knew my address and full name and stuff, I'm not saying it's perfect but it's way better than just "oh I got locked out" "sure here's your account information and new password have a nice day :downs:

# ? Apr 12, 2016 17:56

spankmeister: Jun 15, 2008

I too, buy hosting at a place with cheap in the name and expect high standards.

# ? Apr 12, 2016 17:56

30 TO 50 FERAL HOG: Mar 2, 2005

# ? Apr 12, 2016 17:57

BangersInMyKnickers: Nov 3, 2004; I have a thing for courageous dongles

# ? Apr 12, 2016 18:00

Captain Foo: May 11, 2004; we vibin'
we slidin'
we breathin'
we dyin'

oh god why do we have a meeting schedule rn

# ? Apr 12, 2016 18:01

spankmeister: Jun 15, 2008

https://www.samba.org/samba/history/security.html still not updated wtf < :mad:

# ? Apr 12, 2016 18:02

Wiggly Wayne DDS: Sep 11, 2010

http://badlock.org/

The security vulnerabilities can be mostly categorised as man-in-the-middle or denial of service attacks.

Man-in-the-middle (MITM) attacks:
There are several MITM attacks that can be performed against a variety of protocols used by Samba. These would permit execution of arbitrary Samba network calls using the context of the intercepted user.

Impact examples of intercepting administrator network traffic:
Samba AD server - view or modify secrets within an AD database, including user password hashes, or shutdown critical services.
standard Samba server - modify user permissions on files or directories.

Denial-of-Service (DoS) attacks:
Samba services are vulnerable to a denial of service from an attacker with remote network connectivity to the Samba service.

booooooooooooooooooring

# ? Apr 12, 2016 18:02

creatine: Jan 27, 2012

Captain Foo posted:

oh god why do we have a meeting schedule rn

# ? Apr 12, 2016 18:02

FlapYoJacks: Feb 12, 2009

Cause baby, now we've got bad block.

# ? Apr 12, 2016 18:03

spankmeister: Jun 15, 2008

Wiggly Wayne DDS posted:

http://badlock.org/

The security vulnerabilities can be mostly categorised as man-in-the-middle or denial of service attacks.

Man-in-the-middle (MITM) attacks:
There are several MITM attacks that can be performed against a variety of protocols used by Samba. These would permit execution of arbitrary Samba network calls using the context of the intercepted user.

Impact examples of intercepting administrator network traffic:
Samba AD server - view or modify secrets within an AD database, including user password hashes, or shutdown critical services.
standard Samba server - modify user permissions on files or directories.

Denial-of-Service (DoS) attacks:
Samba services are vulnerable to a denial of service from an attacker with remote network connectivity to the Samba service.

booooooooooooooooooring

# ? Apr 12, 2016 18:04

BangersInMyKnickers: Nov 3, 2004; I have a thing for courageous dongles

Wiggly Wayne DDS posted:

http://badlock.org/

The security vulnerabilities can be mostly categorised as man-in-the-middle or denial of service attacks.

Man-in-the-middle (MITM) attacks:
There are several MITM attacks that can be performed against a variety of protocols used by Samba. These would permit execution of arbitrary Samba network calls using the context of the intercepted user.

Impact examples of intercepting administrator network traffic:
Samba AD server - view or modify secrets within an AD database, including user password hashes, or shutdown critical services.
standard Samba server - modify user permissions on files or directories.

Denial-of-Service (DoS) attacks:
Samba services are vulnerable to a denial of service from an attacker with remote network connectivity to the Samba service.

booooooooooooooooooring

so you could spoof a DC and use that to get a root payload on a client system enrolled in the domain probably

# ? Apr 12, 2016 18:04

30 TO 50 FERAL HOG: Mar 2, 2005

lol samba.org getting hammered

# ? Apr 12, 2016 18:04

burning swine: May 26, 2004

alright, patch time

okay patch is coming out

# ? Apr 12, 2016 18:05

Adbot: ADBOT LOVES YOU

# ? Jun 3, 2024 16:08

Winkle-Daddy: Mar 10, 2007

All the deets appear up on http://badlock.org/

efb: etc

# ? Apr 12, 2016 18:08

The Something Awful Forums > Discussion > Serious Hardware/Software Crap > YOSPOS > Security Fuckup Megathread - v12.2 - you have slammed your dick in the car door

«‹›366 »