|
Raluek posted:if you have to synch it yourself, what makes 1pass any more convenient than keep rear end? better mobile support? You can just save your keep rear end to google drive or dropbox folder and open it directly with https://play.google.com/store/apps/details?id=keepass2android.keepass2android which opens from google drive or dropbox keeping all in sync, I am not sure what there would be like that for IOS though.
|
#
?
Apr 7, 2017 16:00
|
|
|
|
| # ? May 19, 2024 01:39 |
|
|
icloud keychain  ?i'm pretty disappointed that windows doesn't have this, especially since there's a way to log in with the same credential on any win10 box but if they did have it, my confidence that they'd hosed it up somehow would keep me from using it anyway so meh
|
|
#
?
Apr 7, 2017 16:02
|
|
|
windows has a credential store that's used by edge and IE that syncs across your devices. it uses the windows crypto store or w/e so the encryption is per windows account. so if ur logged in anything can read the creds in the store, afaik
|
|
#
?
Apr 7, 2017 16:04
|
|
|
can any win32 read the entire contents of that credential store like all other parts of the system because if so it doesn't sound very safe.
|
|
#
?
Apr 7, 2017 16:13
|
|
|
yes, but only when logged in. it would mean failfox or chome could reuse stored creds from edge/ie, but it would also mean notavirus.ru.exe could steal all ur creds.
|
|
#
?
Apr 7, 2017 16:34
|
|
|
Shaggar posted:yes, but only when logged in and since win10 strongly recommends users to log in with that credential quote:my confidence that they'd hosed it up somehow would keep me from using it anyway
|
|
#
?
Apr 7, 2017 16:36
|
|
|
you wouldn't be able to get the credential to unlock the store without already knowing the credential.
|
|
#
?
Apr 7, 2017 16:38
|
|
|
wait i'm confused about what we're logged in to i wake up my win10 machine and type my microsoft hotmail for windows password, now i'm logged in to a session that knows i'm me, that's the login i'm talking about (and maybe celexi too?). can anything running under that session get at my whole windows password store? or is there some second step, like if i open edge and log in to SA by typing my username and password, then a broken firefox plugin would be able to send my SA credentials to a shitposting botnet but my twitter password is still "safe"?
|
|
#
?
Apr 7, 2017 16:42
|
|
|
there is a protected store associated with your account that is effectively unlocked whenever you login to windows. Lots of stuff gets stored there including your web credentials from IE, edge, and chome (if using the chome built in store). The account type (local vs Microsoft) doesn't matter and it works the same in both cases. Once logged in any application can pull stuff from the protected store. You can store things with an additional encryption key, but in the case of IE and Edge credentials I dont think it does this. When it comes to login time, if you're using Edge or IE it works the same as any other form entry thing where it understands the login form and populates it w/ data from your store. This is done as a native component of both browsers, Edge extensions do not have access to the store so they cant just get access just by being installed. With IE its a little different cause IE extensions are activex. I would guess activex plugins would have access to your protected store so if you installed one it might get your creds. Likewise a failfox plugin that uses a native api would have access to the protected store, but if its a newer web extensions or w/e its the same as edge where its just html/js/css running inside the browser. tl;dr: any win32 executable (including browser extensions that run as external processes) can probably get to your store if you run it but then again it could also log your keystrokes to steal creds from any other system.
|
|
#
?
Apr 7, 2017 17:13
|
|
|
the protected store (DPAPI) already has support for a second factor to decrypt the store so they could theoretically add something like that so when any application tries to access the store you get a popup to approve access and provide the second factor. My guess is they haven't done this cause people would forget the second factor and lose their passwords but it would be a cool feature for people who want it.
|
|
#
?
Apr 7, 2017 17:16
|
|
|
2 factor windows sign in is coming soon so maybe they could add that to DPAPI so you get a push notification on your phone when something wants to pull something out of DPAPI like a web credential.
|
|
#
?
Apr 7, 2017 17:23
|
|
|
lmao https://twitter.com/MarkKriegsman/status/850315971625668608
|
|
#
?
Apr 7, 2017 17:57
|
|
|
my favourite part of that paper was the "maybe it'll be detected by network-based detection before it hits the user's mailbox?? dunno never actually tried it but here's our analysis of what could happen!" there's also a xen writeup on project zero's blog: https://googleprojectzero.blogspot.co.uk/2017/04/pandavirtualization-exploiting-xen.html
|
|
#
?
Apr 7, 2017 18:01
|
|
|
lomarf
|
|
#
?
Apr 7, 2017 18:05
|
|
|
|
|
#
?
Apr 7, 2017 18:11
|
|
|
Shaggar posted:
that is interesting and now i want to learn more about how it works, but not enough to actually do it
|
|
#
?
Apr 7, 2017 18:12
|
|
|
|
|
#
?
Apr 7, 2017 18:14
|
|
|
flakeloaf posted:that is interesting and now i want to learn more about how it works, but not enough to actually do it theres not a lot to it from an api sense. Its designed to make it easy for developers to store and sync stuff securely rather than having them roll their own.
|
|
#
?
Apr 7, 2017 18:19
|
|
|
https://twitter.com/alfiedotwtf/status/850333129902444544
|
|
#
?
Apr 7, 2017 18:20
|
|
|
why have i never thought of this
|
|
#
?
Apr 7, 2017 18:22
|
|
|
i'm guessing it'd be infeasible to do this to a file containing hashed passwords
|
|
#
?
Apr 7, 2017 18:27
|
|
|
Mods namechange to X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* pls
|
|
#
?
Apr 7, 2017 18:33
|
|
|
lol I was going to suggest putting it in the thread title but I didn't want to post the actual string lest radium's vengeful spirit come to harvest our souls
|
|
#
?
Apr 7, 2017 18:37
|
|
|
flakeloaf posted:i'm guessing it'd be infeasible to do this to a file containing hashed passwords That's why you put it in the username
|
|
#
?
Apr 7, 2017 18:38
|
|
|
suspected breach of gamestop.com september 2016 to february 2017, including credit card details: https://krebsonsecurity.com/2017/04/gamestop-com-investigating-possible-breach/quote:“GameStop recently received notification from a third party that it believed payment card data from cards used on the GameStop.com website was being offered for sale on a website,” a company spokesman wrote in response to questions from this author.
|
|
#
?
Apr 7, 2017 19:03
|
|
|
quote:Those same sources said the compromised data is thought to include customer ... card verification value (CVV2)
|
|
#
?
Apr 7, 2017 19:18
|
|
|
Bonfire Lit posted:why the hell were they storing that quote:Online merchants are not supposed to store CVV2 codes, but hackers can steal the codes by placing malicious software on a company’s e-commerce site, so that the data is copied and recorded by the intruders before the data is encrypted and transmitted to be processed.
|
|
#
?
Apr 7, 2017 19:24
|
|
|
flakeloaf posted:i'm guessing it'd be infeasible to do this to a file containing hashed passwords hey, a novel way of finding out if services hash their passwords bonus points if it end up on Virustotal
|
|
#
?
Apr 7, 2017 19:41
|
|
|
big DPAPI
|
|
#
?
Apr 7, 2017 19:45
|
|
|
flakeloaf posted:i'm guessing it'd be infeasible to do this to a file containing hashed passwords how long owuld brute-forcing md5 until it came up with something that would flag? might be a good way of zapping anyone still using unsalted md5...
|
|
#
?
Apr 7, 2017 19:48
|
|
|
spankmeister posted:Mods namechange to X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* pls Just wait and see this crash these forums when something gets archived or something.
|
|
#
?
Apr 7, 2017 20:04
|
|
|
lol dont call on the wrath of zdr
|
|
#
?
Apr 7, 2017 20:34
|
|
|
Carbon dioxide posted:Just wait and see this crash these forums when something gets archived or something. i was going to suggest setting a bunch of custom titles to EICAR but being that the forums enforce https i doubt it would create as much hilarity
|
|
#
?
Apr 7, 2017 20:42
|
|
|
Powaqoatse posted:lol dont call on the wrath of zdr Yeah as if they're running AV on SA's servers.
|
|
#
?
Apr 7, 2017 20:46
|
|
|
joke's on you it wouldn't work because not even antivirus wants to read my posts
|
|
#
?
Apr 7, 2017 20:47
|
|
|
Ur Getting Fatter posted:joke's on you it wouldn't work because not even antivirus wants to read my posts most users just quarantine them anyway so it's not like the AV is doing anything extra here
|
|
#
?
Apr 7, 2017 21:33
|
|
|
Volmarias posted:most users just quarantine them anyway so it's not like the AV is doing anything extra here 
|
|
#
?
Apr 7, 2017 21:58
|
|
|
Volmarias posted:most users just quarantine them anyway so it's not like the AV is doing anything extra here 
|
|
#
?
Apr 7, 2017 22:00
|
|
|
Not sure if I missed this in thread, found it amusing as hell: https://arstechnica.com/security/2017/04/rash-of-in-the-wild-attacks-permanently-destroys-poorly-secured-iot-devices/
|
|
#
?
Apr 7, 2017 22:05
|
|
|
|
| # ? May 19, 2024 01:39 |
|
|
flosofl posted:Not sure if I missed this in thread, found it amusing as hell: quote:Once the bots find a vulnerable target, they run a series of highly debilitating commands that wipe all the files stored on the device, corrupt the device's storage, and sever its Internet connection. Given the cost and time required to repair the damage, the device is effectively destroyed, or bricked, from the perspective of the typical consumer. obviously the solution is for all iot devices to come with instructions for getting into uboot
|
|
#
?
Apr 7, 2017 22:28
|
|
