|
camoseven posted:Anyone else going to BSides DC next weekend? It'll be my first time at any kind of tech conference, and I'm not sure what to expect. There is usually a bro class there by the best tech teacher for that technology. Sit in on it , ask good questions, answer questions well and you might be rewarded with a jar of drunken cherries that he makes. They are good and funny that everyone that knows bro in the industry knows about that cherries no matter which country you are in. Last time I went (and I live here) it was not really exciting for me.
|
#
?
Sep 29, 2017 04:51
|
|
|
|
| # ? May 10, 2024 12:22 |
|
|
camoseven posted:Anyone else going to BSides DC next weekend? It'll be my first time at any kind of tech conference, and I'm not sure what to expect. An abundance of body odour, going by my half-decade of security/tech conferences. Now whenever I get sent to attend something I've resorted to picking interesting talks from the lineup to attend, and treating the rest of a conference as a free work-paid vacation. I've also avoided the big cons so maybe that's why I constantly feel let down by them.
|
|
#
?
Sep 29, 2017 14:31
|
|
|
Martytoof posted:An abundance of body odour, going by my half-decade of security/tech conferences. You should try DerbyCon , it's the best.
|
|
#
?
Sep 29, 2017 17:39
|
|
|
fyallm posted:You should try DerbyCon , it's the best. Apparently there are a lot of unironic fedoras there
|
|
#
?
Sep 29, 2017 17:44
|
|
|
So the future probably belongs to small companies that can actually keep their poo poo together and adjust operations on a weekly basis, right? Cause I can't see any behemoth in any country being able to keep all their infrastructure safe as things are right now
|
|
#
?
Sep 29, 2017 17:59
|
|
|
CLAM DOWN posted:Apparently there are a lot of unironic fedoras there Yeah, I mean there is this event: http://hackyourderby.com But *shrugs* still a good time
|
|
#
?
Sep 29, 2017 19:08
|
|
|
orange sky posted:So the future probably belongs to small companies that can actually keep their poo poo together and adjust operations on a weekly basis, right? Cause I can't see any behemoth in any country being able to keep all their infrastructure safe as things are right now Small companies can't keep their poo poo safe either, they're just not as big of targets & not newsworthy when they get owned. The future belongs to the giant megacorps and the hackers that rob and extort them. It's the cyberpunk future except 90% less cool and 100% less sexy.
|
|
#
?
Sep 29, 2017 19:18
|
|
|
Yeah smaller outfits just don't have the mind of resources for the constant audits/fixes you need either.
|
|
#
?
Sep 29, 2017 19:45
|
|
|
password_requirements.txt
|
|
#
?
Sep 29, 2017 23:38
|
|
|
CLAM DOWN posted:Apparently there are a lot of unironic fedoras there But home state of bourbon with several distilleries within driving distance (have a group that goes to derby a day early and go on tours to the distilleries)
|
|
#
?
Sep 29, 2017 23:57
|
|
|
The Fool posted:password_requirements.txt What actual authentication system would legitimately have this character class restriction?
|
|
#
?
Sep 30, 2017 00:37
|
|
|
Potato Salad posted:What actual authentication system would legitimately have this character class restriction? Bank websites (lol)
|
|
#
?
Sep 30, 2017 00:43
|
|
|
CLAM DOWN posted:Bank websites (lol) This is less funny because it's true.
|
|
#
?
Sep 30, 2017 00:54
|
|
|
ChubbyThePhat posted:This is less funny because it's true. My bank (which is big and national and poo poo) truncates passwords to 15 characters of only letters and numbers, and doesn't use 2FA at all, just three security questions (which just means I gen three more passwords and keep them in the notes section in keepass). All you need to reset the password is the answer to one of those questions and your SSN (which is all over the darkweb like ten times by now), or just bullshit your way past the overworked telephone operator. No email even required, just change the password right on the spot there on the website. But hey, they added fingerprint logging in for their phone app a couple months back, that's progress! Right!?
|
|
#
?
Sep 30, 2017 01:18
|
|
|
CLAM DOWN posted:Bank websites (lol) u fokken wot
|
|
#
?
Sep 30, 2017 01:22
|
|
|
CLAM DOWN posted:Bank websites (lol) This is from my bank: 
|
|
#
?
Sep 30, 2017 01:41
|
|
|
Wake me up when September ends
|
|
#
?
Sep 30, 2017 02:33
|
|
|
Kreeblah posted:This is from my bank: Dollars to donuts you turn off that front end javascript there is no back end sanitization. Or get a intercepting proxy (like burp or zap), put an acceptable password in, turn on intercept and hit submit. Change the two password fields in the request to use one of the naughty characters (I would suggest an & since that would break the least JavaScript or SQL) and see if your type in your new naughty password. Then call and ask directly for their information security team and hope they are competent and will not sue you. Don't do any SQL injection (holy poo poo that will get you sure) but if you can prove no sanitization is being done on the back end (or throwing back an error) that can cause some audit problems. They still may be okay by using stored procedures or methods that automatically hash all passwords without touching an SQL statement but you never want to affect any other account besides your own. At least I would look into it because it's your money. Edit:I just saw the no "script" tag. I wonder if "ScRiPt" is allowed.
|
|
#
?
Sep 30, 2017 02:35
|
|
|
Plot Twist: We were seeing the beginning of "Eternal September 2: Eternal Breach Boogaloo" all along.
|
|
#
?
Sep 30, 2017 02:40
|
|
|
Should we maybe start a list of companies that haven't announced a breach in September? Would this be easier?
|
|
#
?
Sep 30, 2017 02:48
|
|
|
https://www.shodan.io/host/199.38.216.243
|
|
#
?
Sep 30, 2017 02:49
|
|
|
 SMB. Version. 1.
|
|
#
?
Sep 30, 2017 02:51
|
|
|
Absurd Alhazred posted:
TO THE INTERNET
|
|
#
?
Sep 30, 2017 02:56
|
|
|
CLAM DOWN posted:TO THE INTERNET These people audit other people's infosec, right? I almost wrote infosex, let's just rename this thread "The Infosex Thread: Everybody has Cybersyphillis"
|
|
#
?
Sep 30, 2017 03:09
|
|
|
Absurd Alhazred posted:
|
|
#
?
Sep 30, 2017 03:13
|
|
|
Gotta be a honeypot, right?
|
|
#
?
Sep 30, 2017 08:02
|
|
|
Mr Chips posted:Gotta be a honeypot, right? Deloitte has proven to be so incompetent I would bet it's not
|
|
#
?
Sep 30, 2017 08:11
|
|
|
To log into my bank I need to use my customer number and a 6 digits PIN. So, okay, they log you out after 5 attempts, but to reset the PIN they send you a snail mail. If anybody determined knows where I live it'd be trivial to steal it. I get it, they need to keep it simple for old folks but they should also offer better means (FIDO, 2FA, ...) as options.
|
|
#
?
Sep 30, 2017 08:52
|
|
|
None of the banks here even offer anything but 2FA for their websites. You can log onto the app with a code + print tho.
|
|
#
?
Sep 30, 2017 12:53
|
|
|
Furism posted:To log into my bank I need to use my customer number and a 6 digits PIN. So, okay, they log you out after 5 attempts, but to reset the PIN they send you a snail mail. If anybody determined knows where I live it'd be trivial to steal it. Mailing you the new PIN sounds perfectly reasonable, since the alternative is "what's your mother's maiden name" or "what color was your first car". You're right that it's vulnerable to Steve Down The Street taking the letter, but that's orders of magnitude less likely than the typical attack scenario of Uri From The Ukraine.
|
|
#
?
Sep 30, 2017 14:55
|
|
|
It seems to me the security of mailing stuff also depends on the the of type of letterbox prevalent in your country. Nearly all mail in the UK is delivered through slots in front doors, making it harder to intercept mail compared to the roadside boxes that television and movies tell me dominate rural and suburban america. Fraudsters have been experimenting with sticking fake letterboxes to the outside of houses. http://www.manchestereveningnews.co.uk/news/greater-manchester-news/fraudsters-glueing-fake-letter-boxes-11435864
|
|
#
?
Sep 30, 2017 15:58
|
|
|
Every year around tax season here we have community mailboxes start to go missing. The post office's solution to this was to make it slightly more difficult to break in to the boxes, which as far as I can tell has solved nothing.
|
|
#
?
Sep 30, 2017 18:10
|
|
|
Evis posted:Every year around tax season here we have community mailboxes start to go missing. The post office's solution to this was to make it slightly more difficult to break in to the boxes, which as far as I can tell has solved nothing. You mean these things just up and disappear? 
|
|
#
?
Sep 30, 2017 18:23
|
|
|
That's the nicer version of it because at least you know stuff's gone. Sometimes they get keys for them and just take mail they find interesting. Takes a lot longer to find out when that happens. :/
|
|
#
?
Oct 1, 2017 03:09
|
|
|
Evis posted:That's the nicer version of it because at least you know stuff's gone. Sometimes they get keys for them and just take mail they find interesting. Takes a lot longer to find out when that happens. :/ Analog APT.
|
|
#
?
Oct 1, 2017 15:25
|
|
|
Sign up for informed delivery: https://informeddelivery.usps.com/box/pages/intro/start.action They send you pictures of the envelopes that are supposed to be delivered that day. I've had a few that never show up. Nothing important yet, and it's probably the fuckwit delivery person putting the envelopes in the wrong box. There's a nice link in there to report stuff that you didn't get that is supposed to go to the postal inspectors.
|
|
#
?
Oct 1, 2017 16:19
|
|
|
Furism posted:Analog APT. Advanced Postal Threat Guy Axlerod posted:Sign up for informed delivery: https://informeddelivery.usps.com/box/pages/intro/start.action Sweet, full color scans of the local circulars that get shoved into my mailbox. Let me know when I can pay money to have the garbage not delivered TO my home.
|
|
#
?
Oct 1, 2017 18:55
|
|
|
Volmarias posted:Sweet, full color scans of the local circulars that get shoved into my mailbox. Let me know when I can pay money to have the garbage not delivered TO my home.
|
|
#
?
Oct 1, 2017 18:58
|
|
|
Yeah, just the FINAL NOTICE letters from "Car Warranty" companies. The W2, replacement bank cards, and DMV stuff is good though.
|
|
#
?
Oct 1, 2017 19:50
|
|
|
|
| # ? May 10, 2024 12:22 |
|
|
Bah, the USPS thing wants me to come into the post office to verify my identity because it can't do it from the questions is asks me.
|
|
#
?
Oct 1, 2017 20:41
|
|
