  • Locked thread
Podima
Nov 4, 2009

by Fluffdaddy
name and shame


Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...
You know full well it's a government agency who put that policy in place in the 90s.

ErIog
Jul 11, 2001

:nsacloud:

fins posted:

Any plans for some more bletchley boffinry any time soon? I want my drat gang tag!

There's an unsolved one if you can dig it up. :getin:

jerry seinfel
Jun 25, 2007


Volmarias posted:

You know full well it's a government agency who put that policy in place in the 90s.

Oh man I have two good ones.

The web store for one fed agency limits passwords to exactly 8 characters. Only letters and numbers. No more, no less.

And the job application site for a regional agency has a "Forgot your password?" function. But it sends you your existing password in plain text after you also provide them with the ZIP code tied to your account for some reason.
iirc this one also stores your full social in plain text tied to the user profile page.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

a financial firm I use lightly has a policy that no password can use more than 5 letters from the previous password, and password changes can take a few minutes to take effect (there's a loading bar)

Migishu
Oct 22, 2005

I'll eat your fucking eyeballs if you're not careful

Grimey Drawer

Subjunctive posted:

a financial firm I use lightly has a policy that no password can use more than 5 letters from the previous password, and password changes can take a few minutes to take effect (there's a loading bar)

active directory is a hellova drug

Migishu
Oct 22, 2005

I'll eat your fucking eyeballs if you're not careful

Grimey Drawer
Also, never forgetti mom's spaghetti

https://twitter.com/Migishu/status/834567858285854721/photo/1

fins
May 31, 2011

Floss Finder
From here : https://github.com/libyal/documentation/blob/master/PFF%20Forensics%20-%20analyzing%20the%20horrible%20reference%20file%20format.pdf

quote:

Microsoft Outlook allows users to set a password on their PST files. This password is stored in the 'Message Store' PFF item as a weak 32-bit Cyclic Redundancy Check (CRC32).

The weak CRC32 is not suited to store a password hash, because it is too easy to generate a collision. This means that the password can be easily cracked.

But it gets worse; PFF does nothing with the password other than store its weak CRC32. So none of the data in a PFF is actually protected by the password. Good news for forensic analysis.

Shame Boy
Mar 2, 2010


pretty sure that's been known for years, or at least we knew about it at my last job (as well as a similar thing with PDF's) because it let us generate thumbnails of stuff that was "password protected" without requiring the password (because we could just go in and flip the bit that said it was protected or remove the password entry entirely or whatever)

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum
does pci/dss have a reporting system because lol https://twitter.com/Place_des_Arts/status/834877518696091648

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

fins posted:

From here : https://github.com/libyal/documentation/blob/master/PFF%20Forensics%20-%20analyzing%20the%20horrible%20reference%20file%20format.pdf



quote:

But it gets worse; PFF does nothing with the password other than store its weak CRC32. So none of the data in a PFF is actually protected by the password. Good news for forensic analysis. 


:eyepoop:

maskenfreiheit
Dec 30, 2004

i'm the double down on whatever the cheapest consultant we could find told us

Shame Boy
Mar 2, 2010

the big thing i learned from that job was that all document/office-y formats (especially old ones) should be assumed to just be storing everything in plain text and any "password" is meaningless (and probably also stored in plain text or at best MD5'd)

we had tons of customers (including a lot of banks) and tons of them had password-protected documents and only one actually managed to use some form of real actual encryption on documents (which we made them strip off because we were a bad company lol)


e: actually now that i'm thinking of it they had us write a script that looped through every file and tried all of the passwords they gave us (a text file containing about 15 that were all some variation of companyname-year kinda things) to decrypt them

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

maskenfreiheit posted:

i'm the double down on whatever the cheapest consultant we could find told us

cheapest francophone consultant at that

maskenfreiheit
Dec 30, 2004

ate all the Oreos posted:

the big thing i learned from that job was that all document/office-y formats (especially old ones) should be assumed to just be storing everything in plain text and any "password" is meaningless (and probably also stored in plain text or at best MD5'd)

we had tons of customers (including a lot of banks) and tons of them had password-protected documents and only one actually managed to use some form of real actual encryption on documents (which we made them strip off because we were a bad company lol)

what about .odt?

i actually have an old diary i forgot the pw to (pw protected odt)

i remember when i switched from openoffice to libreoffice it stopped working, or maybe upgraded oo?

iirc when i started it (pre-2011) i think they were using blowfish based on the pw you supply?

honestly if i could figure out a way to throw guesses at it i think i could create a wordlist that would crash it...

Shame Boy
Mar 2, 2010

maskenfreiheit posted:

what about .odt?

i actually have an old diary i forgot the pw to (pw protected odt)

i remember when i switched from openoffice to libreoffice it stopped working, or maybe upgraded oo?

iirc when i started it (pre-2011) i think they were using blowfish based on the pw you supply?

honestly if i could figure out a way to throw guesses at it i think i could create a wordlist that would crash it...

i don't know because we had never ever encountered any company who used odt ever :v:

i think i uploaded one once just to see what our software would do and it couldn't figure out what the gently caress it was and just put the generic "unknown type" icon on it lol

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug

maskenfreiheit posted:

what about .odt?

i actually have an old diary i forgot the pw to (pw protected odt)

i remember when i switched from openoffice to libreoffice it stopped working, or maybe upgraded oo?

iirc when i started it (pre-2011) i think they were using blowfish based on the pw you supply?

honestly if i could figure out a way to throw guesses at it i think i could create a wordlist that would crash it...

run strings on it and see what pops out

Wiggly Wayne DDS
Sep 11, 2010



Cocoa Crispies posted:

run strings on it and see what pops out

cve-2014-8485 called

mrmcd
Feb 22, 2003

Pictured: The only good cop (a fictional one).

https://github.com/akrennmair/newsbeuter/issues/591

quote:

An attacker can craft an RSS item with shell code in the title and/or URL. When you bookmark such an item, your shell will execute that code. The vulnerability is triggered when bookmark-cmd is called; if you abort bookmarking before that, you're safe.

Newsbeuter versions 0.7 through 2.9 are affected.

lol
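
The bug class behind the quoted issue, shown as an added illustration that is not newsbeuter's code: a bookmark hook that builds a shell command string out of feed fields, next to the two fixes (quote every field with shlex.quote when a shell is unavoidable, or skip the shell and pass an argv list). The sample feed item, the command path and the function names are constructed for the example, and nothing here executes the hostile title; the tokenisation is inspected with shlex instead.

```python
"""Command-string building vs. argv passing for a bookmark hook.

Added illustration, not newsbeuter's code.  The feed item, the bookmark
command path and the function names are constructed for the example."""
import shlex
import subprocess

# Constructed feed item: a title containing a quote character and a command
# substitution, the shape of input the advisory warns about.
SAMPLE_URL = "https://feeds.example.invalid/post/1"
HOSTILE_TITLE = "Weekly roundup' ; echo pwned '$(id)"
BOOKMARK_CMD = "/usr/local/bin/save-bookmark"   # hypothetical bookmark-cmd setting


def build_cmdline_naive(bookmark_cmd, url, title, description=""):
    """Vulnerable pattern: wrap each field in single quotes and hand the whole
    string to a shell.  A quote character inside a field ends the quoting early,
    so the rest of the field is parsed as shell syntax."""
    return f"{bookmark_cmd} '{url}' '{title}' '{description}'"


def build_cmdline_quoted(bookmark_cmd, url, title, description=""):
    """Fix when a shell is unavoidable: shlex.quote() escapes each field so the
    shell sees exactly one word per field, whatever characters it contains."""
    return " ".join([bookmark_cmd, shlex.quote(url), shlex.quote(title),
                     shlex.quote(description)])


def build_argv(bookmark_cmd, url, title, description=""):
    """Preferred fix: no shell at all.  Each field is its own argv element and
    is never parsed for metacharacters."""
    return [bookmark_cmd, url, title, description]


def shell_words(cmdline):
    """How a POSIX shell would split cmdline into words (shlex applies the same
    quoting rules); lets us inspect a command line without running it."""
    return shlex.split(cmdline)


def run_bookmark(bookmark_cmd, url, title, description=""):
    """Invoke the hook with an argv list; shell=False is subprocess's default."""
    return subprocess.run(build_argv(bookmark_cmd, url, title, description),
                          check=False).returncode


if __name__ == "__main__":
    naive = build_cmdline_naive(BOOKMARK_CMD, SAMPLE_URL, HOSTILE_TITLE)
    quoted = build_cmdline_quoted(BOOKMARK_CMD, SAMPLE_URL, HOSTILE_TITLE)
    print("naive  ->", shell_words(naive))    # title splits into several words, one of them 'echo'
    print("quoted ->", shell_words(quoted))   # title survives as a single word
    print("argv   ->", build_argv(BOOKMARK_CMD, SAMPLE_URL, HOSTILE_TITLE))
```

The argv form is the one to reach for: the ";" and "$(id)" in the title are just bytes in one argument, and there is no shell in the path to give them meaning.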

maskenfreiheit
Dec 30, 2004

Cocoa Crispies posted:

run strings on it and see what pops out

done!:

code:
mimetypeapplication/vnd.oasis.opendocument.textPK
Configurations2/statusbar/PK
Configurations2/accelerator/current.xml
Configurations2/floater/PK
Configurations2/popupmenu/PK
Configurations2/progressbar/PK
Configurations2/menubar/PK
Configurations2/toolbar/PK
Configurations2/images/Bitmaps/PK
layout-cache<
hbP[
r&}/
*;d"v
}RJX_
vU9>
content.xml2S
z|7_
l@TaQP
<,,|]
o?y.
IVPj
9^Hi
qC)%
v"zH
-H2z-7
'S!9
[^;}B
1z~G
SZ{f
OB/K
,DGN 
1EHP~
$~]a1
CDjl`
r6vG
l+kwd
Gw>|8
t7R|T
O>=h
lu7?
29:&
"d$R
%7Zb
,\Z\
_9e:K
KKA5
hP^E
ji4|&E
s,Cf
^MC
nDt$
R//U3
_2'M
$8wN`
FEL_
Zl' 
jbM/;
84$[
rX~ne}
M|c 
!;%bt
^X>q
le2) 
cji4
P?Wx
Z-+d
a2[7
#wkB5
99W@
=i-5
mY#7
yjnj
dF=C
#[`)
}$5~
m>"
n+?#H
oddt
&_Vm
~*GN
-4I,
s!%D
h&fH
m4qO
=]Wv
?a>)z
G{2c8
W%3?vx
E]|o
I9`T
cuRh
:IpmO=
X uI
f2~,u
V8"}
4~(0
UmL0
;3y,
c0/%
,N)c
Fj4}
G"&sN?
QiXv
;!9#
E2{.V
|IH0
R9k;
{":B
3|^.
YE=Q>
(T^w
+n,d
4>_yZ
XZZj
.b1X
k?`yY
`z65
T] ;
{Ldh
fkE%
;~7x
Kn:'n
6IY2&2aG#`a
Wa*oXt
3^TH
vQiw
tn|#t)
_Tv^z
=X7|<
Kkq(M
vSTV
-e1,
Q4 _
?F%m
w^QGf@y
q+'F
;ZJq
tO/O
*?:B__
]Bol
tN:A!
x*v2
6:0#w
"e"'
R'[:~
77Sq
,!#v-
qNV/
]jT3j
Gr]g
48-o
B0d0
A&=Pud
}< J
|EVK
HBMr
cB[D]
b6O5GqL
Au_!
kj(Z*
]Xk9
U^cE
.+/G^
u2Wi
.)O`
3 Zd
6.9(P
,o/z
A{E*,
Sj,T
.wF
viU_`
V;ZR?o
2;R6_C
scN,BaZ=h
#7mi[
Q:F2
WY_)
jF$7
*NnR
U-\]
@mR4?
Q'q?
,0p=
jAMg
wuEboWh
6{&RR
C-hC
&Ha'f
dR%I
cwFH
>E}v2p
ujWC
IX*M
R.WO|
|@C=k
Q`&o
jFl%c\
br*5Q
?k&'l
-KV\
gX6Ru
ANYc
S)wy
mJ`w
d^6b
5A)a
i_`ku
k;ls
Ek3]2
hD[.
%"Ay;
69TU
Gur7y3
,lE~
xuL0z
G}x8|
8rej
`}I9fl
ce-Zw
2Q+]
S\SrG
e9/H
?6 ]I
|49_
"_oS~ 
>z+$D
ANrX
V>GD
y7dD
QFx4z
<bfG
O}W!oj!?
n1:&
*%cc#
Y]NQ
(;.X
%| BX
D,H%
\2}v
vwcnc
hg<9
tJ lT
hH[k
o=Z.wph
CFW\:6
tPt$
^Y5+#
u)^w
faH2F
b:ek
#)f<g[
:V!+
$^&O9
itZl 
6Ke{
n&)}
K>*7wwAR;
(o%F\
D! V
7dnY
^Q?~1%
}r`g
*c%<=\
b}07
;[^a{
qDU#
L$3W`e
kXAsjl
Q_h*z
\I&&C&
PtU!X
tC8O
84Ym U
zF19
y69We
`p#[8 
Y9.2oWc
8p-S
FjcCL}
W`>K"]
tGnAy
)'oy
="|6
#aux
YnKP
AjCFZ-i
[DsrI
"IbZ
yU_6
3u%H
`L*G
fC]f4b
RfN`*&m
VJ7j
b-_5
V]"Z
/&J*c
ei[l
(\@4
L[2'
7ht~
%,>Q
NY&X
NJjM
%5K&
`W_o
,=^T
manifest.rdf
1(@9
]7v-
4<B;
&I0;
s4p`$
+QC7w
? pPK
styles.xml
,=wF
*"B\
L)c+
e!O^
6c DZ
 HOB
h0gL
f3cAC
]@B:
'`E!l
c&ag
;)4fYqH
6sLx
%f*7
$;k
ryUg
(rt71
IWxF
urlef
xj"W
Aeys
~t4@;
$yM'
4g.X
H>Tcu
meta.xmlw
}<E!
K17|
settings.xml
Mz(z(
 _QT
U(:I
wjh4
!/:-
]l<"qd
<9#q
e?Q_
V|96g9
pT! 3
Wg.$jr
?bA)
E3cq/rQV;==[X
][&36#V
[+oW*
XpEH
%8Sek
<0**
SxG\
dNI;S(*
1S=+l
META-INF/manifest.xml
D%^H
8eey
R)C
V%/Q
ZLx`
Oq*&
Dt E
9!~a
Jm%B
AB".
cE_[
hvVm  Q
LgDS
{4*Of_
du^Hv;W
yso5&Se
93-`?S
ykr3
mimetypePK
Configurations2/statusbar/PK
Configurations2/accelerator/current.xmlPK
Configurations2/floater/PK
Configurations2/popupmenu/PK
Configurations2/progressbar/PK
Configurations2/menubar/PK
Configurations2/toolbar/PK
Configurations2/images/Bitmaps/PK
layout-cachePK
content.xmlPK
manifest.rdfPK
styles.xmlPK
meta.xmlPK
?1S=+l
settings.xmlPK
META-INF/manifest.xmlPK
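
A more useful check than strings for the question asked above, as an added example that is not from any poster or from LibreOffice: an ODF package is a zip, and when it is password-protected each encrypted member gets a manifest:encryption-data element in META-INF/manifest.xml naming the cipher, the checksum and the key-derivation parameters. The parser below reads that element; the sample package it inspects is constructed in memory, with placeholder base64 values, in the OpenOffice.org-era style (Blowfish CFB, PBKDF2, SHA1/1K). Newer writers put AES-256 and SHA-256 names in the same element structure, so the parser applies to both.

```python
"""Is a .odt actually encrypted, and how?  Read META-INF/manifest.xml.

Added illustration, not from any poster or from LibreOffice.  The sample
package is constructed in memory with placeholder base64 values."""
import io
import xml.etree.ElementTree as ET
import zipfile

MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"


def q(name):
    """Clark-notation name in the manifest namespace."""
    return f"{{{MANIFEST_NS}}}{name}"


# Constructed manifest in the OpenOffice.org-era style: Blowfish in CFB mode,
# PBKDF2 key derivation, SHA1/1K checksum.  Checksum, IV and salt are placeholders.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0">
 <manifest:file-entry manifest:full-path="/" manifest:media-type="application/vnd.oasis.opendocument.text"/>
 <manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml" manifest:size="2048">
  <manifest:encryption-data manifest:checksum-type="SHA1/1K" manifest:checksum="PLACEHOLDER_CHECKSUM=">
   <manifest:algorithm manifest:algorithm-name="Blowfish CFB" manifest:initialisation-vector="PLACEHOLDER_IV="/>
   <manifest:key-derivation manifest:key-derivation-name="PBKDF2" manifest:key-size="16" manifest:iteration-count="1024" manifest:salt="PLACEHOLDER_SALT="/>
  </manifest:encryption-data>
 </manifest:file-entry>
 <manifest:file-entry manifest:full-path="meta.xml" manifest:media-type="text/xml"/>
</manifest:manifest>
"""


def build_sample_odt() -> bytes:
    """Constructed package: mimetype must be the first member and stored uncompressed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                   compress_type=zipfile.ZIP_STORED)
        z.writestr("META-INF/manifest.xml", SAMPLE_MANIFEST,
                   compress_type=zipfile.ZIP_DEFLATED)
        # Placeholder bytes standing in for the ciphertext of content.xml.
        z.writestr("content.xml", b"\x8a\x1f\x00placeholder-ciphertext",
                   compress_type=zipfile.ZIP_STORED)
        z.writestr("meta.xml", "<office:document-meta "
                   "xmlns:office='urn:oasis:names:tc:opendocument:xmlns:office:1.0'/>",
                   compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def inspect_odf(package: bytes) -> dict:
    """Per manifest entry: None for a plaintext member, else its encryption parameters."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        mimetype = z.read("mimetype").decode("ascii")
        root = ET.fromstring(z.read("META-INF/manifest.xml"))
    entries = {}
    for entry in root.findall(q("file-entry")):
        path = entry.get(q("full-path"))
        enc = entry.find(q("encryption-data"))
        if enc is None:
            entries[path] = None
            continue
        alg = enc.find(q("algorithm"))
        kdf = enc.find(q("key-derivation"))
        entries[path] = {
            "checksum_type": enc.get(q("checksum-type")),
            "algorithm": alg.get(q("algorithm-name")) if alg is not None else None,
            "kdf": kdf.get(q("key-derivation-name")) if kdf is not None else None,
            "iterations": int(kdf.get(q("iteration-count"), 0)) if kdf is not None else None,
            "key_bytes": int(kdf.get(q("key-size"), 0)) if kdf is not None else None,
        }
    return {"mimetype": mimetype, "entries": entries}


def is_encrypted(report: dict) -> bool:
    """True when at least one member carries encryption-data."""
    return any(v is not None for v in report["entries"].values())


if __name__ == "__main__":
    report = inspect_odf(build_sample_odt())
    print(report["mimetype"], "encrypted:", is_encrypted(report))
    for path, params in report["entries"].items():
        print(f"  {path}: {params or 'plaintext'}")
```

Running this over a real file answers the "blowfish based on the pw you supply?" question from the manifest itself: the algorithm-name and key-derivation attributes say which cipher and KDF were used, and the iteration-count says how much work each password guess costs.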

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug

Wiggly Wayne DDS posted:

cve-2014-8485 called

2014 called, they want your unpatched copy of strings back

maskenfreiheit
Dec 30, 2004

is there some sort of compendium of dumb cve tricks? (not like OWASP top 10, but a step more detailed).

poo poo like this makes me lol real good.

Wiggly Wayne DDS
Sep 11, 2010



i'd put grub's 28 backspaces to root bug pretty high in such a list

Migishu
Oct 22, 2005

I'll eat your fucking eyeballs if you're not careful

Grimey Drawer

Even in the thread I was like "Yeah nah your poo poo isn't PCI/DSS compliant mate" but then got massively ignored.

Chris Knight
Jun 5, 2002

me @ ur posts


Fun Shoe
is Ticketmaster's fault

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Migishu posted:

Even in the thread I was like "Yeah nah your poo poo isn't PCI/DSS compliant mate" but then got massively ignored.

i promise you that they do not care

Shame Boy
Mar 2, 2010

also they're "compliant" in that the auditor stamped the big ol' "compliant!" stamp on their stuff after running a few automated tests and shrugging and that's really all that actually matters

mrmcd
Feb 22, 2003

Pictured: The only good cop (a fictional one).

maskenfreiheit posted:

is there some sort of compendium of dumb cve tricks? (not like OWASP top 10, but a step more detailed).

poo poo like this makes me lol real good.

I don't really have a secret, other than my team has automation that scans various feeds for new CVE related patches and then notifies a human intelligence to decide if it's a "meh patch normally" or "gently caress gently caress gently caress gently caress gently caress" situation.

If it's my week to look at the robo secfuck vomit I sometimes come across a funny one. Usually though it's just Mozilla's weekly 40 CVE-related urgent patches.

Wiggly Wayne DDS
Sep 11, 2010



the newsbeuter's came through debian's security mailing list earlier but given it required bookmarking meh

go find somewhere vaguely upstream and if they have a decent signal:noise security feed to trawl

Wiggly Wayne DDS
Sep 11, 2010



nice https://sso.godaddy.com

expired 14th August 2017 and still not renewed

e: and they fixed it between me posting and re-checking, or it's one of the servers in rotation

Migishu
Oct 22, 2005

I'll eat your fucking eyeballs if you're not careful

Grimey Drawer

anthonypants posted:

i promise you that they do not care

obviously

until someone gets a list of people's usernames and password hashes, no one will care

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Migishu posted:

obviously

until someone gets a list of people's usernames and password hashes, no one will care

even then they won't care. get someone from pci/dss involved and they might listen

Carthag Tuek
Oct 15, 2005

Tider skal komme,
tider skal henrulle,
slægt skal følge slægters gang



speaking of secfucks, someone hacked a nazi merch webstore and handed over their customer db to Swedish antifa

they've sent out letters saying "if you can explain why you bought nazi memorabilia, please write back so we can remove your name from the list that will be published in one week"

https://twitter.com/NiclasWestlake/status/898195585802620928

closet nazis are freaking the hell out :3:

duTrieux.
Oct 9, 2003

Powaqoatse posted:

speaking of secfucks, someone hacked a nazi merch webstore and handed over their customer db to Swedish antifa

they've sent out letters saying "if you can explain why you bought nazi memorabilia, please write back so we can remove your name from the list that will be published in one week"

https://twitter.com/NiclasWestlake/status/898195585802620928

closet nazis are freaking the hell out :3:

ahhahahahaaaaa ehheh hee

Carthag Tuek
Oct 15, 2005

Tider skal komme,
tider skal henrulle,
slægt skal følge slægters gang



https://twitter.com/afaskane/status/897165104483119105

antifa has data on 8600 orders over 7 years

the nazi site has been cleaned up a bit since, but archive.org shows the type of poo poo they sell/sold:
https://web.archive.org/web/20160223051112/http://midgaardshop.com:80/kategori/vrigt/klistermarken

treasured8elief
Jul 25, 2011

Salad Prong

Powaqoatse posted:

speaking of secfucks, someone hacked a nazi merch webstore and handed over their customer db to Swedish antifa

they've sent out letters saying "if you can explain why you bought nazi memorabilia, please write back so we can remove your name from the list that will be published in one week"

https://twitter.com/NiclasWestlake/status/898195585802620928

closet nazis are freaking the hell out :3:

💯

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum
https://twitter.com/Geraintmogs/status/898302675057491968

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.

jfc

this is better than the bitcoin wallet inspector

FAT32 SHAMER
Aug 16, 2012




ahahaha this guy got owned


Bunni-kat
May 25, 2010

Service Desk B-b-bunny...
How can-ca-caaaaan I
help-p-p-p you?

infernal machines posted:

jfc

this is better than the bitcoin wallet inspector

You don't put your actual password in those, you use something of the same length and characteristics.
