|
Varkk posted:I had a silly idea for crypto locker where I could create a folder on a share called 'aaa' and put some large files in it called a.doc etc and have Nagios monitor it for any changes and generate a critical alert if the file ever gets modified. Some user will delete the file thinking it's an error.
|
# ? Apr 29, 2016 21:28 |
|
|
The users will just put underscores as the first character in their folder names. When they have too many with underscores, they'll use 2. Ad infinitum.
|
# ? Apr 29, 2016 21:29 |
|
Varkk posted:I had a silly idea for crypto locker where I could create a folder on a share called 'aaa' and put some large files in it called a.doc etc and have Nagios monitor it for any changes and generate a critical alert if the file ever gets modified. Check out the File Server Resource Manager role. You can alert (or block) when files of a certain pattern are saved down. We keep a crypto canary filter with file names containing *decrypt_instructions* etc.
|
# ? Apr 29, 2016 22:10 |
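The two ideas in the posts above (a canary directory that should never change, and an alert on ransom-note file names) can be combined into a single Nagios-style check. The script below is an added illustration, not Varkk's or Roargasm's tooling and not FSRM; it assumes the canary files live in one directory and never change legitimately, that a baseline of SHA-256 digests is recorded once with build_baseline(), and that the ransom-note name patterns (constructed here) are the ones you choose to watch for. Exit codes follow the Nagios plugin convention (0 OK, 2 CRITICAL).

```python
"""Nagios-style check for ransomware canaries on a file share (illustrative)."""
import fnmatch
import hashlib
import json
import os
import sys

# Constructed patterns; extend with the note names your incidents actually produce.
RANSOM_NOTE_PATTERNS = ["*decrypt_instructions*", "*how_to_decrypt*", "*readme*.hta"]

NAGIOS_OK, NAGIOS_CRITICAL = 0, 2


def sha256_file(path):
    """Stream a file through SHA-256 so large canaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(canary_dir):
    """Record name -> digest for every canary file (run once, store the result off the share)."""
    return {name: sha256_file(os.path.join(canary_dir, name))
            for name in sorted(os.listdir(canary_dir))}


def check_canaries(canary_dir, baseline):
    """Return a list of problems; an empty list means the canaries are intact."""
    problems = []
    present = set(os.listdir(canary_dir)) if os.path.isdir(canary_dir) else set()
    for name, digest in baseline.items():
        if name not in present:
            problems.append(f"canary missing: {name}")
        elif sha256_file(os.path.join(canary_dir, name)) != digest:
            problems.append(f"canary modified: {name}")
    # A new file in the canary dir is also suspicious (renamed/encrypted copy, ransom note).
    for name in sorted(present - set(baseline)):
        problems.append(f"unexpected file in canary dir: {name}")
    return problems


def find_ransom_notes(share_root, patterns=RANSOM_NOTE_PATTERNS):
    """Walk the share and return paths whose (lower-cased) names match a ransom-note pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(share_root):
        for name in files:
            if any(fnmatch.fnmatch(name.lower(), p) for p in patterns):
                hits.append(os.path.join(dirpath, name))
    return hits


def nagios_status(canary_dir, baseline, share_root):
    """Combine both checks into a Nagios (exit_code, message) pair."""
    problems = check_canaries(canary_dir, baseline)
    problems += [f"ransom note: {p}" for p in find_ransom_notes(share_root)]
    if problems:
        return NAGIOS_CRITICAL, "CRITICAL - " + "; ".join(problems)
    return NAGIOS_OK, "OK - canaries intact, no ransom notes"


if __name__ == "__main__":
    # usage: check_canary.py <canary_dir> <baseline.json> <share_root>
    # Create baseline.json once with: json.dump(build_baseline(canary_dir), fh)
    canary_dir, baseline_path, share_root = sys.argv[1:4]
    with open(baseline_path) as fh:
        code, msg = nagios_status(canary_dir, json.load(fh), share_root)
    print(msg)
    sys.exit(code)
```

Hashing rather than watching mtime matters: an encryptor that preserves timestamps, or a user who "fixes" the file back to its original size, still changes the digest. Keep the baseline off the share, otherwise the same malware that encrypts the canaries encrypts the baseline too.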
|
One of my clients got Crypto twice in as many days. It was caused by the same person. This person is the owner.
|
# ? Apr 29, 2016 22:13 |
|
MJP posted:It finally happened! Took around seven months at this job, but it finally happened. SHITTERS CLOGGED, CALL IT.
|
# ? Apr 29, 2016 23:23 |
|
Roargasm posted:Check out file server resource manager role. You can alert (or block) when files of a certain pattern are saved down. We keep a crypto canary filter with file names containing *decrypt_instructions* etc Doesn't that file get dropped last?
|
# ? Apr 30, 2016 01:19 |
Late on this, but Jerry Cotton posted:The problem isn't the users. The problem is that the desktop is a terrible concept when applied to user interfaces. Curious, what would be better? The industry started saying "the desktop can't possibly be the best metaphor we can come up with, let's go for the next thing" almost immediately, and the early-mid 80s were full of blue-sky concepts like pen computing and "stacks" and temporal interfaces, where files are stored by when you last saw/touched them, rather than by where they are spatially. Seemed like an obvious next step, but it turned out nobody can mentally index that way; nobody can think about "I want that file I last touched last Thursday" as easily as they can say "I want that file that was down in the lower left corner". The desktop metaphor may be a bad one, but it's less bad than all the others I'm aware of, as far as human brains are concerned.
|
|
# ? Apr 30, 2016 01:59 |
Content: "Please don't destroy our database; also btw we're storing ur password in cleartext, lol"
|
|
# ? Apr 30, 2016 02:01 |
|
Reminds me of this: You know, all of a sudden I don't think I'll sign up after all.
|
# ? Apr 30, 2016 02:38 |
|
odiv posted:Reminds me of this: I suppose they ought to recommend that you get a password management database and use a randomly generated string containing extended ASCII, but most people will be dramatically improving their passwords by using four words instead of stuff like 123456.
|
# ? Apr 30, 2016 02:57 |
|
As long as they check to make sure people aren't just blindly entering in 'correct horse battery staple' as their password.
|
# ? Apr 30, 2016 03:00 |
|
Varkk posted:I had a silly idea for crypto locker where I could create a folder on a share called 'aaa' and put some large files in it called a.doc etc and have Nagios monitor it for any changes and generate a critical alert if the file ever gets modified. This won't work anyway because system file enumeration starts at the oldest file, not the file that's alphabetically first. Also one of the (many) reasons the trick with an '000' Outlook contact wouldn't work.
|
# ? Apr 30, 2016 10:07 |
|
Merijn posted:This won't work anyway because system file enumeration starts at the oldest file, not the file that's alphabetically first. Also one of the (many) reasons the trick with an '000' Outlook contact wouldn't work. Yeah. I mean I suppose you could mess with the file meta-data and file-system time stamps, but at that point your level of effort is better spent putting in real security measures.
|
# ? Apr 30, 2016 15:04 |
|
vOv posted:As long as they check to make sure people aren't just blindly entering in 'correct horse battery staple' as their password. But it also gets much easier to crack if the attackers know it's a four word pattern. I'm sure someone has come up with a good brute force dictionary that is common 3, 4, and 5 letter words arranged with a space between each. Probably starting with correct horse battery staple.
|
# ? Apr 30, 2016 16:55 |
|
The Nards Pan posted:But it also gets much easier to crack if the attackers know it's a four word pattern. I'm sure someone has come up with a good brute force dictionary that is common 3, 4, and 5 letter words arranged with a space between each. Probably starting with correct horse battery staple. Let's assume, VERY conservatively, that there are only a thousand such words to choose from. At four words per passphrase, that means there are 1,000,000,000,000 (a nice even one trillion) possible combinations. The average length of each combination would be, say, twenty characters. So your handy brute-force dictionary is about 20 terabytes in size. If you could make ten thousand attempts per second, it would take you only three years or so to brute-force through the entire keyspace. So it'd be possible with enough effort... IF you already somehow know the list of only 1000 possible words, the exact format (i.e. exactly four words separated by spaces), etc. There's nothing wrong with xkcd-style passwords in theory. In practice, of course, people suck at coming up with randomness. But the four words thing isn't bad advice at all to give to the general public, especially when you consider that the usual alternative they'd come up with is "Jen1989".
|
# ? Apr 30, 2016 17:47 |
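The arithmetic in the post above, generalized so the list size, phrase length and guess rate can be varied. This is an added example and not anything from the thread; the 7,776-word figure is the size of the standard Diceware list, and the 10^10 guesses/second rate is an assumed offline GPU rate against a fast, unsalted hash, included only to show how much the "10,000 per second" figure depends on the attack being online.

```python
"""Keyspace, entropy and brute-force time for word-list passphrases (illustrative)."""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(words_in_list, words_per_phrase):
    """Number of distinct phrases when words are chosen uniformly with replacement."""
    return words_in_list ** words_per_phrase


def entropy_bits(words_in_list, words_per_phrase):
    """Entropy of a uniformly random phrase, in bits (log2 of the keyspace)."""
    return words_per_phrase * math.log2(words_in_list)


def dictionary_size_bytes(words_in_list, words_per_phrase, avg_phrase_len=20):
    """Size of a precomputed list of every phrase (the '20 TB' figure in the post)."""
    return keyspace(words_in_list, words_per_phrase) * avg_phrase_len


def years_to_exhaust(words_in_list, words_per_phrase, guesses_per_second):
    """Worst case: time to try every phrase. Expected time is half of this."""
    return keyspace(words_in_list, words_per_phrase) / guesses_per_second / SECONDS_PER_YEAR


def compare_scenarios():
    """Rows for the post's scenario and two variations (Diceware list, offline GPU rate)."""
    scenarios = [
        ("1000 words x4, 1e4/s online", 1000, 4, 1e4),
        ("7776 words x4, 1e4/s online", 7776, 4, 1e4),
        ("7776 words x4, 1e10/s offline", 7776, 4, 1e10),  # assumed GPU rate
        ("7776 words x6, 1e10/s offline", 7776, 6, 1e10),
    ]
    return [
        {
            "scenario": label,
            "bits": round(entropy_bits(n, k), 1),
            "years_worst_case": years_to_exhaust(n, k, rate),
        }
        for label, n, k, rate in scenarios
    ]


if __name__ == "__main__":
    for row in compare_scenarios():
        print(f"{row['scenario']:34} {row['bits']:6.1f} bits  {row['years_worst_case']:.3g} years")
```

The takeaway matches the post: four words from a 1,000-word list is about 40 bits, which survives an online attack at 10,000 guesses/second but not an offline attack against a fast hash. Adding words is cheaper than adding symbols: each extra Diceware word is ~12.9 bits.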
|
Powered Descent posted:Let's assume, VERY conservatively, that there are only a thousand such words to choose from. At four words per passphrase, that means there are 1,000,000,000,000 (a nice even one trillion) possible combinations. The average length of each combination would be, say, twenty characters. So your handy brute-force dictionary is about 20 terabytes in size. If you could make ten thousand attempts per second, it would take you only three years or so to brute-force through the entire keyspace. So it'd be possible with enough effort... IF you already somehow know the list of only 1000 possible words, the exact format (i.e. exactly four words separated by spaces), etc. There's nothing wrong with xkcd-style passwords in theory. I usually prefer to tell users: a favorite line from a song, including spaces; as long as it's 5+ words long, go for it! Yes this limits the pool, but someone would have to know the user was doing it. "Witches gathered at black masses" is pretty strong compared to baseball1. Most brute force won't touch something that long. It's also a bit more secure if you have to tell it over the phone and don't say "My password is ______" but instead they ask "what is your password?" and you say "She took the midnight train going anywhere". Not that this should have to happen, but users are dumb and share passwords to get on each other's computers when they are out instead of, you know, logging into their own account or involving IT.
|
# ? Apr 30, 2016 18:56 |
|
Great idea until they start putting in mondegreens
|
# ? Apr 30, 2016 20:56 |
|
The poo poo thing about word strings is that 90% of new logins still require a number and a capital and a special character etc, so you're still going to have to remember "million$ oF peache5" or whatever.
|
# ? Apr 30, 2016 21:11 |
|
Spaces normally qualify as special characters. If not, use hyphens. Microsoft requires 3 out of the following 4: upper, lower, numbers, special characters. (Chinese characters are a fifth category, I guess.) 'Scuse me while I kiss this guy-9 is a really strong password.
|
# ? Apr 30, 2016 21:23 |
|
Apple ID does not like long passwords with spaces, but will still say it changed the password successfully.
|
# ? Apr 30, 2016 21:51 |
|
The California State University system (so about 2 dozen universities) mandated about 6 months ago that passwords have to be minimum 8 characters, at least 1 number, one uppercase, one special character, and cannot contain words in the dictionary. Any three letters or more in a row that is in the dictionary gets rejected. Take that, dictionary attacks.
|
# ? Apr 30, 2016 21:57 |
|
Dr. Arbitrary posted:Spaces normally qualify as special characters. If not use hyphens. Just install keepass and stop messing around with song lyrics.
|
# ? Apr 30, 2016 21:59 |
|
Varkk posted:Just install keepass and stop messing around with song lyrics. Who's going to train people to use keepass? Also most of my users that use lastpass or roboform just continue to use Petname1! or whatever as their password and use the password manager for autofill rather than to improve security.
|
# ? Apr 30, 2016 22:20 |
|
I use 1Password and no complaints other than it uses Dropbox to store the encrypted key files for cross-platform functionality.
|
# ? Apr 30, 2016 22:26 |
|
Varkk posted:Just install keepass and stop messing around with song lyrics. This isn't for personal use, it's for telling users / family what to use. They don't want to use a "complicated program" I love keepass and noscript but drat if I can get anyone else to use them. Also sometimes you just need something you can type in and not have to open up keepass for whatever reason.
|
# ? Apr 30, 2016 22:30 |
Putting all your passwords in one database always struck me as a horrible idea, no matter how secure the company claims it is. Because every company ever to be breached would, prior to them, assure you of how safe your data was if asked, too.

I wish I could hammer it into the heads of people making password policies that how long and complex a password is tolerable scales by how often you make me type it in on a goddamned phone keyboard. If your poo poo actually remembers my credentials for an extended period I'm good with a really long password, but if you disable autocomplete and make me put it in multiple times a day you're getting exactly the minimum required amount of typing. I WANT to have a nice strong password, don't actively encourage me towards shorter easier ones.

As well as this, Dillbag posted:The poo poo thing about word strings is that 90% of new logins still require a number and a capital and a special character etc, so you're still going to have to remember "million$ oF peache5" or whatever. I've seen a rare few password forms that scale the other requirements back if you make it long enough, which makes so much sense that other places not having it is a gaping flaw.
|
|
# ? May 1, 2016 00:00 |
|
Javid posted:Putting all your passwords in one database always struck me as a horrible idea, no matter how secure the company claims it is. Because every company ever to be breached would, prior to them, assure you of how safe your data was if asked, too. Keepass is purely client-side. The only way to breach it is via malware on the user's PC - which isn't really possible to defend against; once you've got a rootkit installed you're working in an untrustable environment, at which point you're boned. I wouldn't put my passwords into something like LastPass that has a centralized repository where a bunch of users' passwords are kept, though. That's really asking for trouble, like you describe. As always, it's important to be clear about what attack vectors you are considering when you say that something is "insecure". The most common situation is when some dumbass web programmer doesn't store passwords securely and his database gets hacked, which releases a bunch of passwords that are reused in other places. A password manager with randomly-generated passwords fixes that vector. Then there's the situation where a LastPass-style centralized repository gets hacked. Storing it locally mitigates this; using Dropbox is theoretically weaker because a server-side hack can still yield a bunch of KPDB files in bulk, but it's a worthwhile tradeoff to increase usability for many people. At least it's not an obvious target full of juicy credentials like LastPass. Finally, there's malware on the user PC and there's really not a whole lot you can do there - it could keylog, or peek at memory, etc. The only real mitigation there is not to get malware in the first place.
|
# ? May 1, 2016 01:33 |
|
I use bittorrent sync to keep my key and DB up to date. No central location. You can even choose to only have it sync when you want to. If someone is snooping on your traffic, they could catch your encrypted key and DB, but if you have someone looking for and decrypting RSA-whatever it is now as a personal user you should probably stop sending blueprints of government buildings to Iraq. In a company setting, you might have to keep the dbs on a server, though. A USB stick would be better except they would constantly get lost.
|
# ? May 1, 2016 01:51 |
|
Paul MaudDib posted:Keepass is purely client-side. The only way to breach it is via malware on the user's PC - which isn't really possible to defend against, once you've got a rootkit installed you're working in an untrustable environment, at which point you're boned. Even a centralized repo in a cloud account (which is essentially what LastPass is) isn't at that much risk PROVIDED the end user uses that one really good master password they have to lock the repo (and uses that password only for that). That pass phrase hash is what unlocks the encryption key for the repo, which in LastPass's case is AES256. It's important to note that LastPass as a company has zero ability to recover that key. If you forget the password, you are poo poo out of luck since they don't offer escrow for a "recovery" key. As long as LastPass has implemented AES according to its standard, no one is brute forcing that anytime soon. And I have no reason to believe they have deviated from bog-standard AES as their encryption algorithm. 1Password is slightly different. For Windows you can store it locally and sync via an encrypted temporary local network service that's built and torn down every sync. Or you can place it on Dropbox without 3rd party software involved. You can use other cloud services, but you'll need the cloud helper apps on the desktop, and you'll be out of luck on the mobile versions. On the Mac side, it's the same, but you can also use iCloud integration by having the 1Password Keychain living in your Apple Keychain. An encrypted container in an encrypted container (sort of like Dropbox). And AgileBits, like whoever owns LastPass (LogMeIn, I think?), also has no way of opening your password file. The point is, as long as the end-user does their part in pass phrase selection and uses that pass phrase for ONLY the password container, no one is getting into those files.
I hear apocryphal stories of "oh, AES is totally cracked", but until I see actual results I'm not going to spend too much time worrying about it. And both LastPass and 1Password use user-unique salts for hashing, so rainbow tables don't concern me much either. Proteus Jones fucked around with this message at 06:18 on May 1, 2016 |
# ? May 1, 2016 06:14 |
|
Among other things, LastPass delivers an unsecured/unencrypted JS payload in their vault XML, and while they can't necessarily decrypt a password they (or anyone who compromises their servers, or a middleman) could add a JS payload that performs a request that exposes the password once you load that site, and they could also add a fake account for a site that would leak a password for a site that's not currently in a DB. And of course the key is stored locally in your browser cookies/local store, if there's ever a XSS vulnerability or something on the LastPass site then your encryption key could be leaked. Basically having a web-based service that exposes you to a JavaScript attack surface is Bad News Bears IMO. Use a local tool. https://www.blackhat.com/docs/eu-15/materials/eu-15-Vigo-Even-The-Lastpass-Will-Be-Stolen-deal-with-it.pdf
|
# ? May 1, 2016 06:37 |
|
Paul MaudDib posted:Among other things, LastPass delivers an unsecured/unencrypted JS payload in their vault XML, and while they can't necessarily decrypt a password they (or anyone who compromises their servers, or a middleman) could add a JS payload that performs a request that exposes the password once you load that site, and they could also add a fake account for a site that would leak a password for a site that's not currently in a DB. Hahahaha, what? Yeah don't use that. Now you got me curious about 1Password. So now I get to dig into that. Thanks for the link. Blackhat and DefCon papers are always welcome to me.
|
# ? May 1, 2016 07:18 |
|
flosofl posted:Hahahaha, what? Yeah don't use that. Most of that requires running code on, or physical access to the machine. Which isn't really the end of the world, once you get on the machine it's basically over, you're getting what you want one way or another. You could keylog and steal the password to a KeePass database too. It's not quite as secure as a KeePass database that would be secure at rest (on the local machine), but the interesting attacks there are the ones that could be done remotely. Paul MaudDib fucked around with this message at 07:52 on May 1, 2016 |
# ? May 1, 2016 07:40 |
|
vOv posted:As long as they check to make sure people aren't just blindly entering in 'correct horse battery staple' as their password. if (md5sum(tolower(removespaces($password))) == md5sum("correcthorsebatterystaple")) ...

Dillbag posted:The poo poo thing about word strings is that 90% of new logins still require a number and a capital and a special character etc, so you're still going to have to remember "million$ oF peache5" or whatever. I may or may not work around that by sticking a string similar to "A1!" on the back of each password.

Takkaryx posted:The California State University system (So about 2 dozen universities) mandated about 6 months ago that passwords have to be minimum 8 characters, at least 1 number, one uppercase, one special character, and cannot contain words in the dictionary. Any three letters or more in a row that is in the dictionary gets rejected. Take that dictionary attacks I... it... but... what. That actually sharply reduces the password space! (Mind you, what I would do would be, given above examples, tcerrocesrohyrettabelpatsA1! ... wait. That has err and roc(k) and ret(ire) and bel(l) and pats and whatever else. No.
|
# ? May 1, 2016 13:03 |
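The three rules being argued over in the last several posts (a normalized blocklist for "correct horse battery staple", Microsoft's 3-of-4 character classes with space counting as special, and the "no three-letter dictionary run" rule) are easy to put side by side in code. The following is an added example, not any site's or institution's real policy: the known-phrase list and the tiny stand-in dictionary are constructed for illustration, and the length threshold at which evaluate() stops demanding character classes is an assumption standing in for the "scale the other requirements back if it's long enough" behaviour Javid mentions.

```python
"""Side-by-side password-policy checks discussed in the thread (illustrative)."""
import re

# Constructed: public passphrases people type in verbatim.
KNOWN_PHRASES = {"correct horse battery staple", "staple batteries to horse nuts"}

# Constructed stand-in for a full dictionary; a real list has tens of thousands of entries.
SMALL_DICTIONARY = {"cat", "err", "rock", "bell", "pats", "horse", "staple", "correct", "battery"}


def normalize(pw: str) -> str:
    """Lower-case and drop spaces/hyphens/underscores so 'Correct-Horse...' still matches."""
    return re.sub(r"[\s_\-]+", "", pw.lower())


def is_known_phrase(pw: str) -> bool:
    return normalize(pw) in {normalize(p) for p in KNOWN_PHRASES}


def category_count(pw: str) -> int:
    """Microsoft-style classes: upper, lower, digit, anything else (space included)."""
    classes = [str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum()]
    return sum(any(test(c) for c in pw) for test in classes)


def meets_ms_complexity(pw: str, min_len: int = 8) -> bool:
    return len(pw) >= min_len and category_count(pw) >= 3


def contains_dictionary_run(pw: str, dictionary=SMALL_DICTIONARY, min_len: int = 3):
    """The 'any 3+ letters in a row that form a word' rule. Returns the first hit or None."""
    s = pw.lower()
    for i in range(len(s)):
        for j in range(i + min_len, len(s) + 1):
            if s[i:j] in dictionary:
                return s[i:j]
    return None


def evaluate(pw: str, min_len: int = 8, long_threshold: int = 20):
    """Length-scaled policy: blocklist always applies; classes only demanded of short passwords."""
    if is_known_phrase(pw):
        return False, "known public passphrase"
    if len(pw) < min_len:
        return False, "too short"
    if len(pw) >= long_threshold:  # assumed threshold for relaxing class requirements
        return True, "long passphrase accepted"
    if category_count(pw) < 3:
        return False, "needs 3 of 4 character classes"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["Correct Horse Battery Staple", "'Scuse me while I kiss this guy-9",
                      "baseball1", "Witches gathered at black masses", "tcerrocesrohyrettabelpatsA1!"]:
        print(f"{candidate!r}: evaluate={evaluate(candidate)}, "
              f"dictionary_run={contains_dictionary_run(candidate)!r}")
```

Running it shows the thread's complaints concretely: the dictionary-run rule rejects the reversed-passphrase trick on "err" alone and, with a real dictionary, rejects nearly every pronounceable string, while the class rule happily accepts "Password1234"-style strings that the blocklist and length rules do nothing about.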
|
sfwarlock posted:I may or may not work around that by sticking a string similar to "A1!" on the back of each password. I can confirm this works great, converting even your favorite weakest password into industrial strength uncrackable passcodes. Or so a lot of websites think.
|
# ? May 1, 2016 16:00 |
|
Merijn posted:I can confirm this works great, converting even your favorite weakest password into industrial strength uncrackable passcodes. Or so a lot of websites think. While your statement is true, remember what we came from: 8-character maximum passwords with no other requirements. Besides, in my terrible opinion, the bigger problem is sites that make the password a maximum of 12 characters. I could use a completely secure password, such as 'staple batteries to horse nuts', but no - I have to use 'Password1234'.
|
# ? May 1, 2016 23:40 |
|
StaBaToHoNut
|
# ? May 2, 2016 00:02 |
|
Finally, the day where being a weaboo and knowing all the OOOs medal combos comes in handy!
|
# ? May 2, 2016 00:20 |
|
Wuts a weaboo?
|
# ? May 2, 2016 00:52 |
|
I just realized that for the first time in a while we are actually discussing the ritual of Pa'as-Wurd.
|
# ? May 2, 2016 00:52 |
|
|
An information security bulletin came in about the upcoming public holidays: quote:The personal computer and the multi-function machine without necessity should turn off the power. The word "unnaturalness" makes me think there might be some darkness crafted by the elder gods lurking in the headers of spam messages.
|
# ? May 2, 2016 07:10 |