Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...
Right, and that's why I'm asking about it. I don't have an interest in doing the syncing myself, I want them to do it and have everything magically work without effort or thought, even though I'm a team of one.

Given that this is pretty close to LastPass, I thought I'd ask if anyone has reviewed this yet.


ming-the-mazdaless
Nov 30, 2005

Whore funded horsepower
Are VulnScan vendors the new AV shitbirds?

I am having the worst time trying to do business with Tenable.

Proteus Jones
Feb 28, 2013



Volmarias posted:

Right, and that's why I'm asking about it. I don't have an interest in doing the syncing myself, I want them to do it and have everything magically work without effort or thought, even though I'm a team of one.

Given that this is pretty close to LastPass, I thought I'd ask if anyone has reviewed this yet.

"Reviewed" formally? I haven't, and I'm not sure if anyone has torn it apart. However, I have done some wireshark pcaps on my home network and haven't seen any nefarious or suspect traffic that I could attribute to 1Password. I can also tell you there's no weird "phone home" situations unless you have turned on the service that lets you know when a site has been compromised. They monitor sites that have had breaches and keep a central DB of it. You can set 1Password to check that DB hosted by Agilebits and it will compare the DB against the date of your last PW change and alert you if necessary to change it.

It will sync using your iCloud account (for an all Apple solution), Dropbox (for mixed OS), or manual WiFi sync. Regardless of the sync, the keystone is encrypted via AES256 and never travels in plaintext. You can make the auto-lock as aggressive as you like (from "require master passphrase on every access" to "lock keystone after X minutes of inactivity"). I'm not a fan of auto-submission (entering data and clicking a button), but you can use the helper app to fill in User/Pass, Credit Card, or Identity forms. It's a nice way to bypass storing data in the clipboard.

I haven't used the "Family/Teams" version, so I can't talk to using their own cloud service for syncing.

My suggestion is, whatever password/identity management service you end up using, be familiar with the options it has and manage the settings accordingly.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

flosofl posted:

I haven't used the "Family/Teams" version, so I can't talk to using their own cloud service for syncing.

Unfortunately, this is basically what I want to know about. They're offering a service that's remarkably similar to LastPass, including a web based management of your password store. I just want to know if anyone has anything to say about it, since the thread (read: OSIBeanDip) is pretty set against Lastpass's implementation.

wyoak
Feb 14, 2005

a glass case of emotion

Fallen Rib

Volmarias posted:

Right, and that's why I'm asking about it. I don't have an interest in doing the syncing myself, I want them to do it and have everything magically work without effort or thought, even though I'm a team of one.

Given that this is pretty close to LastPass, I thought I'd ask if anyone has reviewed this yet.
I didn't realize they had the family/team sync service, but yeah I use the Dropbox option between my Windows computers and iPhone and it's about as set-n-forget as possible.

devtesla
Jan 2, 2012


Grimey Drawer
I've had so many problems with sync services that I'm afraid to use anything other than dropbox sync for my passwords. If something fucks up on Dropbox's end I have backup copies on my PC.

Proteus Jones
Feb 28, 2013



The Devil Tesla posted:

I've had so many problems with sync services that I'm afraid to use anything other than dropbox sync for my passwords. If something fucks up on Dropbox's end I have backup copies on my PC.

Well, for 1Password all vaults are stored locally and synced to an encrypted keychain. Theoretically, the iCloud/Dropbox information is the canonical version, with collisions being resolved with timestamp comparisons between local and cloud.

If I had to make a wild-rear end guess, I'd say their Family/Teams version works similarly, but using Agilebits' cloud solution for storage.

Maneki Neko
Oct 27, 2000

flosofl posted:

Well, for 1Password all vaults are stored locally and synced to an encrypted keychain. Theoretically, the iCloud/Dropbox information is the canonical version, with collisions being resolved with timestamp comparisons between local and cloud.

If I had to make a wild-rear end guess, I'd say their Family/Teams version works similarly, but using Agilebits' cloud solution for storage.

There's this document that goes into a lot more detail:

https://1password.com/teams/white-paper/1Password%20for%20Teams%20White%20Paper.pdf

Bazanga
Oct 10, 2006
chinchilla farmer
Anyone ever tried packet capturing Nessus or vuln scan traffic from their local machine? I'm having a hell of a time getting wireshark to decrypt the TLS/SSL traffic on the fly. You used to be able to use proxychains to start the Nessus service and route poo poo through a proxy but now Nessus does some sort of backend wizardry that makes the scanner ignore the proxychains rules.

Spectracide
May 27, 2004
IT'S ARGH, BABY!

Bazanga posted:

Anyone ever tried packet capturing Nessus or vuln scan traffic from their local machine? I'm having a hell of a time getting wireshark to decrypt the TLS/SSL traffic on the fly. You used to be able to use proxychains to start the Nessus service and route poo poo through a proxy but now Nessus does some sort of backend wizardry that makes the scanner ignore the proxychains rules.

What's the end goal -- scan through a proxy, inspect Nessus traffic, something else? Credentialed Linux scans are done over SSH and AFAIK, you can't decrypt SSH with Wireshark. The rest of the traffic (excepting the Nessus web server on 8834, some SSL/TLS plugins, and if you're doing web application tests to a HTTPS target) isn't encrypted.
Scanning through a proxy is going to be a headache.

Bazanga
Oct 10, 2006
chinchilla farmer
Yeah, end goal is to inspect the actual requests that Nessus is generating to web servers over TLS/SSL. I figured out a way to do it using hyperfox and pointing Nessus at my local machine with hyperfox running and routing requests to the actual target. Definitely lots of hoops to jump through. Basically we had a Nessus finding based on version information but we had no idea how Nessus was getting the version information from the host. The nasl file just said it was pulling the version number from the host's KB, but the KB file did not have the version information.

Nessus 3 used to allow you to generate a pcap of the scan traffic straight from the web UI but they removed it :(
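The "point the scanner at a local proxy that relays to the real target" trick described above, as an added example that is not part of the original post and is not hyperfox: a minimal logging reverse proxy in Python's standard library. It records every request line, header set and body the scanner sends, then forwards the request upstream and relays the response. The target server, the port numbers (ephemeral) and the single probe request are all constructed here so the example runs offline; in practice you would point Nessus at the proxy's port and set the upstream to the host under test. For an HTTPS target you would wrap `proxy.socket` with an `ssl.SSLContext` loaded with a self-signed cert before serving, and use `http.client.HTTPSConnection` upstream; that part is omitted to keep the example self-contained.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the scanned host: answers with a banner-style
# Server header so the relayed response has something worth looking at.
class FakeTarget(BaseHTTPRequestHandler):
    def version_string(self):            # replaces the default Python/x.y banner
        return "ExampleHTTPd/1.2.3"

    def do_GET(self):
        body = b"<html>hello</html>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):        # keep the demo quiet
        pass

# Every request that passes through the proxy is appended here.
captured = []

def make_proxy_handler(upstream_host, upstream_port):
    class LoggingProxy(BaseHTTPRequestHandler):
        def _relay(self):
            length = int(self.headers.get("Content-Length", 0))
            body = self.rfile.read(length) if length else None
            captured.append({
                "method": self.command,
                "path": self.path,
                "headers": dict(self.headers),
                "body": body,
            })
            # Forward upstream, rewriting Host so the target sees its own name.
            headers = {k: v for k, v in self.headers.items() if k.lower() != "host"}
            headers["Host"] = f"{upstream_host}:{upstream_port}"
            conn = http.client.HTTPConnection(upstream_host, upstream_port, timeout=5)
            conn.request(self.command, self.path, body=body, headers=headers)
            resp = conn.getresponse()
            data = resp.read()
            conn.close()
            # send_response_only() avoids adding the proxy's own Server/Date headers,
            # so the scanner sees exactly what the target returned.
            self.send_response_only(resp.status, resp.reason)
            for k, v in resp.getheaders():
                if k.lower() not in ("content-length", "transfer-encoding", "connection"):
                    self.send_header(k, v)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        do_GET = do_POST = do_HEAD = do_OPTIONS = _relay

        def log_message(self, *args):
            pass
    return LoggingProxy

def start(server):
    threading.Thread(target=server.serve_forever, daemon=True).start()

def run_demo():
    """Bring up target and proxy on loopback, send one probe, return what came back."""
    target = HTTPServer(("127.0.0.1", 0), FakeTarget)
    start(target)
    proxy = HTTPServer(("127.0.0.1", 0), make_proxy_handler("127.0.0.1", target.server_port))
    start(proxy)
    # Stands in for the scanner: one probe through the proxy (constructed input).
    conn = http.client.HTTPConnection("127.0.0.1", proxy.server_port, timeout=5)
    conn.request("GET", "/cgi-bin/status", headers={"User-Agent": "Mozilla/4.0 (scanner)"})
    resp = conn.getresponse()
    result = {"status": resp.status, "server": resp.getheader("Server"), "body": resp.read()}
    conn.close()
    proxy.shutdown()
    target.shutdown()
    return result

if __name__ == "__main__":
    print(run_demo())
    for req in captured:
        print(req["method"], req["path"], req["headers"].get("User-Agent"))
```

The `captured` list is where you would look for the request that produced a version-based finding: the exact path and headers the plugin sent, and (by extending `_relay` to record `data`) the response it parsed.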

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
Just another reminder of why LastPass is garbage:

https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/

Proteus Jones
Feb 28, 2013




There's this from Tavis last night:
https://twitter.com/taviso/status/758143119409885185

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Separate vulnerability likely but yeah. LastPass is literal garbage.

Proteus Jones
Feb 28, 2013



OSI bean dip posted:

Separate vulnerability likely but yeah. LastPass is literal garbage.
Right, I wasn't trying to say it was the same thing, I was just piling on LastPass. Never been a fan of the subscription model and centralized storage for passwords. That's why I'm so disappointed in the latest 1Password offering. I use the standalone versions (where you supply the storage for the keystore), but I'd drop them like a bad habit if they migrated completely to a subscription model using their cloud storage.

As far as Tavis, based on his past work, he's most likely found some pretty egregious exploits against the executable.

B-Nasty
May 25, 2005

Just blew away my LastPass account and told them the reason was "concerned about security." I never trusted it before, preferring to use KeePass, but I had non-critical passwords stored in there for junk sites. My issue is that I can't really trust their browser extension given how poorly it parses URLs. That's like a Jr. Programmer/Stack Overflow copy-paste level of incompetence.

I would just rather not have that code sniffing all my password forms regardless of what is stored in the vault.
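The kind of URL-parsing mistake an autofill extension cannot afford, as an added example that is not from the post above and is not any vendor's actual code. `naive_site_from_url` is an illustrative sloppy extractor: it strips the scheme, drops everything before the last `@` (intending to remove `user:pass@` credentials) and takes the text up to the next `/`. Because `@` is also legal in a path, a page on an attacker's host can be classified as the victim site. `parsed_host` uses `urllib.parse.urlsplit`, which ends the authority at the first `/`, `?` or `#` as RFC 3986 requires. The URLs are constructed for the example.

```python
import re
from typing import Callable, Optional
from urllib.parse import urlsplit

def naive_site_from_url(url: str) -> str:
    """Illustrative bad extractor (not any real product's code)."""
    rest = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)
    rest = rest.rsplit("@", 1)[-1]          # BUG: '@' can appear in the path
    return rest.split("/", 1)[0].split(":", 1)[0].lower()

def parsed_host(url: str) -> Optional[str]:
    """Correct: let a real URL parser delimit the authority component."""
    return urlsplit(url).hostname

def should_autofill(stored_host: str, page_url: str,
                    extractor: Callable[[str], Optional[str]]) -> bool:
    """Fill only when the page host equals the host the credential was saved for.
    Exact match; substring or endswith checks reopen the same class of bug."""
    return extractor(page_url) == stored_host

# Constructed inputs for the example.
ATTACKER_PAGE = "http://attacker.example/@twitter.com/login"
LEGIT_PAGE = "https://user:pw@twitter.com/home"

def compare(url: str) -> dict:
    """Side-by-side result of both extractors for one URL."""
    return {
        "naive": naive_site_from_url(url),
        "parsed": parsed_host(url),
        "naive_fills_twitter": should_autofill("twitter.com", url, naive_site_from_url),
        "parsed_fills_twitter": should_autofill("twitter.com", url, parsed_host),
    }

if __name__ == "__main__":
    for u in (ATTACKER_PAGE, LEGIT_PAGE):
        print(u, compare(u))
```

The attacker page makes the naive extractor answer `twitter.com`, so a filler keyed on that answer would hand the stored credential to `attacker.example`; the parsed hostname is `attacker.example` and nothing is filled. Both agree on the legitimate URL with real credentials in the authority.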

CLAM DOWN
Feb 13, 2007




I've always been wary of LastPass and recommended against it, and I feel vindicated right now.

wyoak
Feb 14, 2005

a glass case of emotion

Fallen Rib

flosofl posted:

Right, I wasn't trying to say it was the same thing, I was just piling on LastPass. Never been a fan of the subscription model and centralized storage for passwords. That's why I'm so disappointed in the latest 1Password offering. I use the standalone versions (where you supply the storage for the keystore), but I'd drop them like a bad habit if they migrated completely to a subscription model using their cloud storage.

As far as Tavis, based on his past work, he's most likely found some pretty egregious exploits against the executable.
I very much doubt that they'll switch completely (they seem like they're pretty in tune with what their users want), but either way the problems generally aren't with centralized storage. 99% of the vulnerabilities are at the endpoint.

Alereon
Feb 6, 2004

Dehumanize yourself and face to Trumpshed
College Slice
Super disappointing, though Karlsson does say on his blog post that the attack doesn't work if multi-factor authentication is enabled on the Lastpass account. 1Password's new Family service seems like it might finally be a viable competitor when the final app is released, hopefully they are better at writing software than the Lastpass guys.

Loving Africa Chaps
Dec 3, 2007


We had not left it yet, but when I would wake in the night, I would lie, listening, homesick for it already.

Anyone used Codebook? It's come up as an alternative to 1Password, which I was about to spring for in order to have something less DIY than KeePass.

ideate
Aug 20, 2002

Alereon posted:

Super disappointing, though Karlsson does say on his blog post that the attack doesn't work if multi-factor authentication is enabled on the Lastpass account. 1Password's new Family service seems like it might finally be a viable competitor when the final app is released, hopefully they are better at writing software than the Lastpass guys.

I believe he means it won't work if you have multifactor enabled on your *twitter* account.

Lastpass is still vulnerable.

FlapYoJacks
Feb 12, 2009
Lastpass, as bad or worse than AV?

long-ass nips Diane
Dec 13, 2010

Breathe.

ideate posted:

I believe he means it won't work if you have multifactor enabled on your *twitter* account.

Lastpass is still vulnerable.

He literally links to instructions on how to turn on Lastpass's multifactor auth

wyoak
Feb 14, 2005

a glass case of emotion

Fallen Rib

Swagger Dagger posted:

He literally links to instructions on how to turn on Lastpass's multifactor auth

Given the way the exploit works, it wouldn't make sense that MFA on Lastpass would help unless it asks you to re-verify every time it autofills a password field.

ideate
Aug 20, 2002

wyoak posted:

Given the way the exploit works, it wouldn't make sense that MFA on Lastpass would help unless it asks you to re-verify every time it autofills a password field.

That's my thinking too. I use Lastpass and am really considering moving. 1password, I guess?

Proteus Jones
Feb 28, 2013



ideate posted:

That's my thinking too. I use Lastpass and am really considering moving. 1password, I guess?

I would say that or KeePass. I think the current recommendation is to stay away from KeePass 2 and use version 1. Not 100% on that, so you may want to do a little looking around.

CLAM DOWN
Feb 13, 2007




flosofl posted:

I think the current recommendation is to stay away from KeePass 2 and use version 1.

Really? How come?

Thanks Ants
May 21, 2004

#essereFerrari


The Infosec Thread: Everything's probably hosed, good luck

Proteus Jones
Feb 28, 2013



CLAM DOWN posted:

Really? How come?

It's bad, but not as terrible as I thought. Turn off auto update features.

https://bogner.sh/2016/03/mitm-attack-against-keepass-2s-update-check/

doctorfrog
Mar 14, 2007

Great.

flosofl posted:

It's bad, but not as terrible as I thought. Turn off auto update features.

https://bogner.sh/2016/03/mitm-attack-against-keepass-2s-update-check/

Keepass doesn't have an auto update, it's an update check. It's a vulnerability, but it doesn't seem that bad:

quote:

Until the version check has been switched to HTTPS update notifications should be taken with a grain of salt. To be on the safe side, new releases should be downloaded only directly from Keepass’s secured Sourceforge page: https://sourceforge.net/projects/keepass/

edit: and also the issue is resolved (http://keepass.info/help/kb/sec_issues.html#updsig):

quote:

Resolution. In order to prevent a man in the middle from making KeePass display incorrect version information (even though this does not imply a successful attack, see above), the version information file is now digitally signed (using RSA-4096 and SHA-512). KeePass 2.34 and higher only accept such a digitally signed version information file. Furthermore, the version information file is now downloaded over HTTPS.

The above is indicated and linked from the article that you linked to. C'mon, man.

doctorfrog fucked around with this message at 00:26 on Jul 28, 2016

PBS
Sep 21, 2015
Seems as simple as not having autofill on. I have lastpass set so I manually fill username/password fields.

The near-zero effort it takes to use their service on multiple devices is what has kept me with them, maybe something better will come along some day.

I've seen Dashlane around recently, not sure they really offer anything that no one else does. Their "security" page isn't very reassuring, https://www.dashlane.com/security

Thanks Ants
May 21, 2004

#essereFerrari


I think the point is that LastPass manage to keep making these sorts of mistakes that people go "lol what the gently caress is that about" when they are disclosed, so who knows how secure the actual service is.

I'm kind of surprised Google haven't gotten onboard with a password manager (I know Chrome syncs passwords but it's more comparable to iCloud Keychain than LastPass/1Password etc), it's the sort of project that would fit their whole culture. Although only for a year or two before they got bored with it.

Proteus Jones
Feb 28, 2013



doctorfrog posted:

Keepass doesn't have an auto update, it's an update check. It's a vulnerability, but it doesn't seem that bad:


edit: and also the issue is resolved (http://keepass.info/help/kb/sec_issues.html#updsig):


The above is indicated and linked from the article that you linked to. C'mon, man.

Hey, I don't have a dog in this race (other than gently caress LastPass). I just said I seemed to recall it, someone asked what it was, and I linked to the article I remembered. I didn't re-read it, and don't really care. If they fixed it awesome.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

PBS posted:

Seems as simple as not having autofill on. I have lastpass set so I manually fill username/password fields.

So what will you do for the next vulnerability?

PBS
Sep 21, 2015

OSI bean dip posted:

So what will you do for the next vulnerability?

I sent them an email asking them to stop having vulnerabilities, I'm pretty sure all potential issues will now be resolved.

I sent similar emails to Oracle, Microsoft, Adobe, Cisco, and Apache as well. I like to try to be proactive.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

PBS posted:

I sent them an email asking them to stop having vulnerabilities, I'm pretty sure all potential issues will now be resolved.

I sent similar emails to Oracle, Microsoft, Adobe, Cisco, and Apache as well. I like to try to be proactive.

I don't think that you understand the problem with LastPass.

PBS
Sep 21, 2015

OSI bean dip posted:

I don't think that you understand the problem with LastPass.

Other than being a big juicy target maybe I don't.

Seems like few devs actually give a poo poo about security, and internally everything is somehow a shitshow with walls thrown up around it.

From my viewpoint no known major compromises for as long as they've been around given the target on their back is decent. Are you aware of an exact alternative that you'd consider to be more secure? If yes, can you explain your reasoning?

I value your opinion if you care to expound.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

PBS posted:

Other than being a big juicy target maybe I don't.

Seems like few devs actually give a poo poo about security, and internally everything is somehow a shitshow with walls thrown up around it.

From my viewpoint no known major compromises for as long as they've been around given the target on their back is decent. Are you aware of an exact alternative that you'd consider to be more secure? If yes, can you explain your reasoning?

I value your opinion if you care to expound.

Here's the thing: LastPass cannot be audited without having to sign an NDA. You have no idea about the server-side aspect of how it runs and there have been far too many problems. Nobody in here will be able to tell us how the server-side works and any suggestion that they're confident that they have made things secure is kidding themselves and are really giving charlatan-level advice.

1Password and KeePass are more than fine especially when you combine it with a cloud synchronization service like Dropbox, OneDrive, et cetera. Yes. Those services have problems in themselves, but if LastPass is breached in the right way (it's more than the cryptography we have to worry about here), all the passwords are going to be exposed. If someone gets their hand on a bunch of 1Password or KeePass databases, they're going to have to crack each individual file to get anything.

KeePass and 1Password can rely on the length of time between now and long-past the heat death of the universe to protect your passwords if you don't set a lovely master password. LastPass just needs one simple breach and thousands upon thousands of users are going to be hosed.

This is not the first LastPass problem nor will it be the last.

Lain Iwakura fucked around with this message at 02:49 on Jul 28, 2016
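The "crack each individual file" point above, as an added example that is not part of the post and not the actual 1Password or KeePass file format: a toy vault header whose key is derived from the master password with PBKDF2-HMAC-SHA256 over a per-file random salt, the way offline vault formats work in general. Two vaults with the same master password still have different salts, so an attacker gets no shared precomputation and pays the full KDF cost per guess per file; the iteration count (an assumption here) sets how much each guess costs. The wordlist and passwords are constructed for the example.

```python
import hashlib
import os
import time

ITERATIONS = 200_000  # assumption for the example; real formats choose their own

def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit key, bound to this file's salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)

def make_vault(master_password: str, iterations: int = ITERATIONS) -> dict:
    """Toy vault header: salt, work factor and a verifier hash of the key.
    The key itself is never stored, only enough to recognise a correct unlock."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "verifier": hashlib.sha256(key).digest()}

def unlock(vault: dict, master_password: str) -> bool:
    key = derive_vault_key(master_password, vault["salt"], vault["iterations"])
    return hashlib.sha256(key).digest() == vault["verifier"]

def crack_vault(vault: dict, wordlist):
    """Offline attack: every guess costs one full KDF run against this file's salt.
    Returns (password or None, number of KDF runs spent)."""
    tried = 0
    for guess in wordlist:
        tried += 1
        if unlock(vault, guess):
            return guess, tried
    return None, tried

def seconds_per_guess(vault: dict) -> float:
    """Measure one KDF run so the cost of a wordlist can be estimated."""
    t0 = time.perf_counter()
    derive_vault_key("timing-probe", vault["salt"], vault["iterations"])
    return time.perf_counter() - t0

def estimate_seconds(vault: dict, guesses: int) -> float:
    return seconds_per_guess(vault) * guesses

# Constructed inputs.
WORDLIST = ["password", "letmein", "hunter2", "correct horse"]

def demo() -> dict:
    weak_a = make_vault("hunter2")
    weak_b = make_vault("hunter2")                 # same password, different salt
    strong = make_vault("0k4PqL-vault-9zX!m3Tw")   # not in any wordlist
    return {
        "salts_differ": weak_a["salt"] != weak_b["salt"],
        "verifiers_differ": weak_a["verifier"] != weak_b["verifier"],
        "crack_a": crack_vault(weak_a, WORDLIST),
        "crack_b": crack_vault(weak_b, WORDLIST),
        "crack_strong": crack_vault(strong, WORDLIST),
        "per_guess_s": seconds_per_guess(strong),
    }

if __name__ == "__main__":
    r = demo()
    print(r)
    print("1e9 guesses on one core would take ~%.1f days" % (r["per_guess_s"] * 1e9 / 86400))
```

Two things to read off the output: the same weak password costs the attacker the full wordlist run twice, once per file, and a long random master password is simply not found. That is the property a server-side breach of a centralised store does not give you if the service's own design or implementation is what failed.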

PBS
Sep 21, 2015

OSI bean dip posted:

Here's the thing: LastPass cannot be audited. You have no idea about the server-side aspect of how it runs and there have been far too many problems. Nobody in here will be able to tell us how the server-side works and any suggestion that they're confident that they have made things secure is kidding themselves and are really giving charlatan-level advice.

1Password and KeePass are more than fine especially when you combine it with a cloud synchronization service like Dropbox, OneDrive, et cetera. Yes. Those services have problems in themselves, but if LastPass is breached in the right way (it's more than the cryptography we have to worry about here), all the passwords are going to be exposed. If someone gets their hand on a bunch of 1Password or KeePass databases, they're going to have to crack each individual file to get anything.

KeePass and 1Password can rely on the length of time between now and long-past the heat death of the universe to protect your passwords if you don't set a lovely master password. LastPass just needs one simple breach and thousands upon thousands of users are going to be hosed.

This is not the first LastPass problem nor will it be the last.

I appreciate the reply.

In summary, you're saying that any company that provides a service exactly like lastpass's would be considered similarly a bad decision to utilize?

Realistically, what separates lastpass from any other company that I have to place a fair amount of trust in to keep my money/information/etc secure? (If anything beyond the obvious that it stores my passwords for all other services)


Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

PBS posted:

I appreciate the reply.

In summary, you're saying that any company that provides a service exactly like lastpass's would be considered similarly a bad decision to utilize?

Realistically, what separates lastpass from any other company that I have to place a fair amount of trust in to keep my money/information/etc secure? (If anything beyond the obvious that it stores my passwords for all other services)

Yes. Anyone who follows the same model like LastPass is likely to have the same problem.

As with all cloud-based services, you have to rely on someone else to ensure that your data does not get exposed either through incompetence or by an oversight in the design--so far LastPass has yet to achieve defending itself from either. Again, you still run the risk by sharing your password databases on a cloud service, but you gain more control over mitigating the effects because you can rely on the format of the 1Password or KeePass files to ensure that the passwords stay safe--I'd still change all the passwords if my KeePass file or whatever was exposed, but it buys you a near infinite amount of time provided that the password set for the database is good enough.

LastPass cannot provide you that level of security at all.
