|
OSI bean dip posted:verifone was breached i always love responses to breaches that are "we must increase arbitrary password complexity requirements"
|
# ? Mar 8, 2017 05:11 |
|
|
# ? Jun 8, 2024 08:10 |
|
if you invite 3 of your friends and then they invite 3 and then so on and so on we will solve the cyber
|
# ? Mar 8, 2017 05:17 |
|
Volmarias posted:So, having not actually read the source material, and not wanting to read the possibly hyperbolic wikileaks writeup, is there anything in the recent CIA leak which is particularly unexpected? It seems like "no" since normally I'd be reading all about it here with smilies etc if there was. i mean in just skimming earlier, there's a thinly-spread description of a remote iOS 0-day/jailbreak vector that may still work.
|
# ? Mar 8, 2017 05:19 |
|
Are SSL Lab screenshots still cool? I got linked to a customer portal today that immediately threw a cert error and, well: (The cert expired 2 1/2 years ago)
|
# ? Mar 8, 2017 05:23 |
|
i mean if you can broadly paint "the CIA hacked people and hoarded exploits" as a given, then sure? i mean it's no ShadowBrokers where there's usable exploits in the dump, but there's write-ups on hacking office phones (but don't tell any other countries for some reason?), evidence of holding onto an OS X/iOS mach kernel ASLR defeat for a few years, hacking a very specific model of samsung tv to be used as a listening device...
|
# ? Mar 8, 2017 05:26 |
|
anatoliy pltkrvkay posted:i always love responses to breaches that are "we must increase arbitrary password complexity requirements"
|
# ? Mar 8, 2017 05:31 |
|
when i was a computer janitoring childe i quickly found out that arbitrary password complexity requirements coupled with frequent required password changes only led to passwords written on post-it notes stickied on monitors
|
# ? Mar 8, 2017 05:36 |
|
maslow's hierarchy of cyber i think the top of that pyramid is av
|
# ? Mar 8, 2017 05:45 |
|
ultramiraculous posted:hacking a very specific model of samsung tv to be used as a listening device... i haven't seen that part of the dump yet, but samsung tvs share an in house linux distro, unless the specific exploit has been patched, pretty much every smart tv using that stack will be vulnerable, and that can span several model years and series
|
# ? Mar 8, 2017 07:08 |
|
Suspicious posted:when i was a computer janitoring childe i quickly found out that arbitrary password complexity requirements coupled with frequent required password changes only led to passwords.doc in the root directory of everyone's network drives
|
# ? Mar 8, 2017 07:14 |
|
⊂(ºд◉)つ < ( "Dear God Why ‽ )
|
# ? Mar 8, 2017 09:21 |
|
jammyozzy posted:Are SSL Lab screenshots still cool? I got linked to a customer portal today that immediately threw a cert error and, well: only if you name and shame. the lack of TLS 1.2 support is pretty funny, must be an ancient and or incredibly poorly configured server
|
# ? Mar 8, 2017 09:30 |
|
I have this rhel5 box kicking around that has openssl 098e or something and apache 2.2. it only supports TLS 1.0 now (because I turned off SSLv2 and 3 for obvious reasons) and I turned off all of the Diffie Hellman cipher suites because the apache version uses hardcoded 1024 bit parameters. So it only supports RSA key exchange. It gets a B on ssllabs, but at least it's secure? Sort of?
|
# ? Mar 8, 2017 09:57 |
fins posted:https://wikileaks.org/ciav7p1/cms/page_17760284.html pre:( ゚д゚)、 vomits saliva
|
|
# ? Mar 8, 2017 10:36 |
|
I'm the pirated windows keys Nice one CIA Edit: seriously, Google any of those keys. yoloer420 fucked around with this message at 12:23 on Mar 8, 2017 |
# ? Mar 8, 2017 12:14 |
|
|
# ? Mar 8, 2017 12:58 |
|
i'm triggered
|
# ? Mar 8, 2017 13:21 |
|
infernal machines posted:i haven't seen that part of the dump yet, but samsung tvs share an in house linux distro, unless the specific exploit has been patched, pretty much every smart tv using that stack will be vulnerable, and that can span several model years and series Samsung dumped a bunch of cash on the Enlightenment team for some reason, so you can be assured they're making whatever bad decisions they can when it comes to Linux.
|
# ? Mar 8, 2017 15:06 |
|
Bognar posted:there's a section in there where people are arguing that linux is safe because any attempts to backdoor it would be immediately spotted because ~open source~ my favorite counterargument to this was that there was a bug a while back where someone was doing like "if(uid = root)" instead of "if(uid == root)" that was only caught by luck
|
# ? Mar 8, 2017 15:07 |
|
Westie posted:i'm triggered Same. This awful, awful site...
|
# ? Mar 8, 2017 15:11 |
|
firefox v52.0 has a new captive-portal detection feature which works by sending a HTTP GET to http://detectportal.firefox.com/success.txt. however it seems to do it extremely aggressively (from looking at my session logs sometimes once every minute). i'm sure there's a secfuck in here somewhere. also it's dumb that it's requesting a literal file instead of just looking for a HTTP 200 (maybe? i'm probably dumb, could depend on how the captive portal works).
|
# ? Mar 8, 2017 15:35 |
|
I'm sure there are plenty of captive portals that return a 200 with a body containing a <meta refresh> tag
|
# ? Mar 8, 2017 15:36 |
|
also the file is 7 bytes, so might as well check that stuff makes it through unmolested
|
# ? Mar 8, 2017 15:39 |
|
apple does the same thing, fyi http://captive.apple.com/hotspot-detect.html i dont know how often it checks, each time connectivity changes at a guess?
|
# ? Mar 8, 2017 15:43 |
|
This has to be by someone's nephew during a summer internship.
|
# ? Mar 8, 2017 15:46 |
izi security
|
|
# ? Mar 8, 2017 15:49 |
|
anatoliy pltkrvkay posted:i always love responses to breaches that are "we must increase arbitrary password complexity requirements" That's about making sure your users with the Worst Passwords have to change.
|
# ? Mar 8, 2017 16:17 |
|
cinci zoo sniper posted:üzi security
|
# ? Mar 8, 2017 16:33 |
|
cheese-cube posted:firefox v52.0 has a new captive-portal detection feature which works by sending a HTTP GET to http://detectportal.firefox.com/success.txt. however it seems to do it extremely aggressively (from looking at my session logs sometimes once every minute). i'm sure there's a secfuck in here somewhere. also it's dumb that it's requesting a literal file instead of just looking for a HTTP 200 (maybe? i'm probably dumb, could depend on how the captive portal works). Thanks Ants posted:apple does the same thing, fyi http://captive.apple.com/hotspot-detect.html hopefully firefox isn't just plain http as cheese-cube says
|
# ? Mar 8, 2017 16:36 |
|
well https returns bad domain with cloudflare cn, so unless they're doing some http header magic, it's probably bad
|
# ? Mar 8, 2017 16:39 |
|
the maine ez pass site is surprisingly good. theres a little gauge that shows your current discount rate and instead of a generated image, its svg. its by far the best government site ive ever used, though i don't want to think about how they're storing my creds cause that's probably bad.
|
# ? Mar 8, 2017 16:40 |
|
ioactive just pushed on a report on confide - that crappy messenger that white house officials decided to randomly use: http://www.ioactive.com/pdfs/IOActive-Security-Advisory-Confide-Messaging-Ap.pdf
|
# ? Mar 8, 2017 16:42 |
|
Wiggly Wayne DDS posted:ya abusing captive portals is in the cia's docs where they outline that the https cert for captive.apple.com is a big pain in the rear end and they'd never be able to source it Truga posted:well https returns bad domain with cloudflare cn, so unless they're doing some http header magic, it's probably bad yeah they definitely appear to be doing it in the clear, i can see the requests for straight plain HTTP on tcp/80. and as Truga said the endpoint is listening on tcp/443 but has a bad cert so unlikely they're using HTTPS e: my dumb idiotfucker tweet about the thing: https://twitter.com/GarbageDotNet/status/839476937441476608 Pile Of Garbage fucked around with this message at 16:58 on Mar 8, 2017 |
# ? Mar 8, 2017 16:54 |
|
Wiggly Wayne DDS posted:ya abusing captive portals is in the cia's docs where they outline that the https cert for captive.apple.com is a big pain in the rear end and they'd never be able to source it Captive portals are garbage so you have to test http if you plan to send anything plaintext, since they may let HTTPS through unmolested but then gently caress up HTTP. Pretty much everyone does this but usually only when you move networks or if something looks particularly off. Captive portals are a fuckup.
|
# ? Mar 8, 2017 16:58 |
|
apseudonym posted:Captive portals are garbage so you have to test http if you plan to send anything plaintext, since they may let HTTPS through unmolested but then gently caress up HTTP. Pretty much everyone does this but usually only when you move networks or if something looks particularly off. i've actually been dealing with some cisco anyconnect VPN fuckery recently and yeah captive portals are turbo retarded. things become immensely more complicated if you're directing users to use a VPN that implements split-tunnel or even split-DNS.
|
# ? Mar 8, 2017 17:00 |
|
cheese-cube posted:only if you name and shame. the lack of TLS 1.2 support is pretty funny, must be an ancient and or incredibly poorly configured server or any recent oracle middleware stack which is still stuck on openssl .9.8.x
|
# ? Mar 8, 2017 17:57 |
|
fins posted:https://wikileaks.org/ciav7p1/cms/page_17760284.html More goodies. http://jacksbrain.com/2017/03/personal-favorites-vault7-cia-leak/
|
# ? Mar 8, 2017 19:21 |
|
Carbon dioxide posted:More goodies. http://jacksbrain.com/2017/03/personal-favorites-vault7-cia-leak/ Security fuckup megathread - WhereIKeepMyNukes.pdf
|
# ? Mar 8, 2017 20:08 |
|
PNGA file for your pleasure
|
# ? Mar 8, 2017 20:14 |
|
|
# ? Jun 8, 2024 08:10 |
|
https://twitter.com/pdbogen/status/839554926313254912
|
# ? Mar 8, 2017 20:17 |