EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!
:vapes:
Switchblade Switcharoo

Truga posted:

They gave the sample requests, I ran them, and the things their tool said happened didn't. It's a fairly simple PHP CMS, and nothing in the GET parameters ever gets anywhere near a database. I could maybe give them the benefit of the doubt if the 404 URL in question was a URL that tried to inject SQL (since the URL is the thing that ends up in a query to get the page for that location), but that part also gets sanitized before it's anywhere near the DB. :shrug:

I've seen really weak error handling where the server returns errors that aren't even close to describing the situation. This says 404, but it only returned it after doing stuff with the sent-in data, which means it's not a 404 but a 500, because the page existed enough to receive information. You have already seen this with your CMS, by mentioning pages that aren't seen unless you are admin. Those pages could be wired up to only return if you send admin cookies (just assuming, since I've seen WordPress do this), but that page will actually still be hit and pretend it's down, because the server sees your non-admin cookies and says, "Whoa whoa whoa, you are not an admin. This page is actually closed," and the server is told to show a 404. Data got in, was read, but the logic hopes you go on by, because you might be a dirty, stupid spider, and if it returns anything but 404 it will be looked at more closely.

One great bug that recently came out was the Struts bug where, if you included a Java class in a param, the JVM running the webapp would look at it and run it as real code. Apache thought they were super good because they fixed parameter sanitization in the GET and POST params, but... The latest one revealed that when Struts looks at request parameters it actually looks at every part of the request. The one that just came out showed you could insert an entire multi-part form with the class loads into the loving Content-Type header and Struts will still read and run that poo poo.

Webapps are stupid.

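Added example (editor's, not from either poster): the two points above are that a 404 tells you nothing about whether the request body and headers were already processed, and that a framework may parse a Content-Type header as richly as any form field. The block below is a detection pass you can run over request logs: it flags Content-Type values that carry expression-language delimiters or that claim multipart but fail a strict boundary grammar, and it records the status code without filtering on it, so a 404 with a bad header is still reported. The log format, the sample lines and the inert `%{...}` value are constructed for the example; the grammar is deliberately stricter than RFC 2046.

```python
import re
from typing import Dict, List

# Stricter than RFC 2046 (which also allows spaces inside a quoted boundary):
# a type/subtype and a boundary of 1-70 "bchars", nothing else. Browser
# uploads never need more than this, so anything richer is suspect.
_MULTIPART_RE = re.compile(
    r"^multipart/form-data;\s*boundary=\"?([0-9A-Za-z'()+_,\-./:=?]{1,70})\"?\s*$"
)

# Expression-language delimiters that have no business in any header value.
_EXPRESSION_MARKERS = ("%{", "${", "#{")

# Constructed log format for this example: ip method path status ct="<Content-Type>"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) ct="(?P<ct>.*)"$'
)


def is_safe_multipart_content_type(value: str) -> bool:
    """True only for a plain multipart/form-data header with a well-formed boundary."""
    return _MULTIPART_RE.match(value) is not None


def classify_content_type(value: str) -> str:
    """'expression' if the header carries expression-language syntax, 'malformed'
    if it claims multipart but fails the strict grammar, otherwise 'ok'."""
    if any(marker in value for marker in _EXPRESSION_MARKERS):
        return "expression"
    if "multipart/form-data" in value.lower():
        return "ok" if is_safe_multipart_content_type(value) else "malformed"
    return "ok"


def scan_log_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Flag every request whose Content-Type is suspect. The status code is
    recorded but deliberately NOT used as a filter: a 404 or 500 means the
    header was already handed to the framework, not that it was ignored."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        match = _LOG_RE.match(line)
        if match is None:
            continue  # unexpected format; a real pipeline would count these too
        verdict = classify_content_type(match["ct"])
        if verdict != "ok":
            findings.append({
                "ip": match["ip"],
                "path": match["path"],
                "status": int(match["status"]),
                "verdict": verdict,
                "content_type": match["ct"],
            })
    return findings


# Constructed sample lines; the third carries an inert expression, not a payload.
SAMPLE_LOG = [
    '10.0.0.5 POST /upload.action 200 ct="multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"',
    '10.0.0.5 GET /index.action 200 ct="-"',
    '198.51.100.7 POST /upload.action 404 ct="%{(#probe=\'multipart/form-data\')}"',
    '198.51.100.7 POST /upload.action 500 ct="multipart/form-data; boundary=a;b"',
]

if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG):
        print(f'{finding["ip"]} {finding["path"]} -> HTTP {finding["status"]}: '
              f'{finding["verdict"]} Content-Type {finding["content_type"]!r}')
```

The same `is_safe_multipart_content_type` check is what you would put in front of a multipart parser on the server side: reject the header before any library gets to interpret it, rather than trusting the library to sanitize only the places it documents.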

Truga
May 4, 2014
Lipstick Apathy
Yeah the admin only things are only for clearing disk cache or similar maintenance work, they're not special pages, nor do they do anything relating to the db, thankfully.

I know web apps can be really lovely, and that's why I really like our current framework. It has its problems and has been mighty lovely some years ago, but security wise it's been very sturdy lately. Only 5 security issues this year, with quick hotfixes, and they all required admin backend access in the first place to work.

ohgodwhat
Aug 6, 2005

So I just had a quick question about how owned I am.

I got an email, "welcome to your new Instagram account" which did come from Instagram. I didn't have an account, nor did I receive any earlier emails from them that I could see. There were certainly no validation emails.

I was able to reset the password and got access to the account. It was a typical spam bot.

This all happened a couple hours after haveibeenpwned emailed me about the disqus breach so I'm a bit on edge.

Is the instagram account creation process just garbage? It seems too easy - every unregistered email address would get a spam account if there was no validation.

Did my email get hacked? I have two factor authentication, a good password and no suspicious devices or logins per Gmail.

Instagram ties into Facebook - was my Facebook hacked? Again, nothing suspicious.

If I was an obvious dumbass I'd just deal with the fallout of my own poor security, but I have no idea what's up, and hence no idea how to improve my security.

EssOEss
Oct 23, 2006
128-bit approved

ohgodwhat posted:

no idea how to improve my security.

Use a password manager, use unique randomly generated passwords for everything except the password database itself, use multifactor authentication via a physical token or Google Authenticator or equivalent. Having done all that, you might begin to feel safe from password theft (you can still get social engineered but not much protects against that).

Of course, the above has no relation to the Instagram event - I do not know what happened there but if you suspect your passwords are compromised, change them.

Potato Salad
Oct 23, 2014

nobody cares


Cycle all of your goddamn passwords on a calendar.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

ohgodwhat posted:

So I just had a quick question about how owned I am.

I got an email, "welcome to your new Instagram account" which did come from Instagram. I didn't have an account, nor did I receive any earlier emails from them that I could see. There were certainly no validation emails.

I was able to reset the password and got access to the account. It was a typical spam bot.

This all happened a couple hours after haveibeenpwned emailed me about the disqus breach so I'm a bit on edge.

Is the instagram account creation process just garbage? It seems too easy - every unregistered email address would get a spam account if there was no validation.

Did my email get hacked? I have two factor authentication, a good password and no suspicious devices or logins per Gmail.

Instagram ties into Facebook - was my Facebook hacked? Again, nothing suspicious.

If I was an obvious dumbass I'd just deal with the fallout of my own poor security, but I have no idea what's up, and hence no idea how to improve my security.
I got one of these a few months ago but it was from some kid who tied my email address to their instagram account.

CLAM DOWN
Feb 13, 2007

nesaM killed Masen
I've been receiving emails for someone else who's been using my email address for like a decade. I'm not compromised, he's just a dumbass. It's amazing how much I know about this 37-year-old single male from Mexico who uses e-receipts for cabs and got a PS4 for Christmas last year.

ohgodwhat
Aug 6, 2005

EssOEss posted:

Use a password manager, use unique randomly generated passwords for everything except the password database itself, use multifactor authentication via a physical token or Google Authenticator or equivalent. Having done all that, you might begin to feel safe from password theft (you can still get social engineered but not much protects against that).

Of course, the above has no relation to the Instagram event - I do not know what happened there but if you suspect your passwords are compromised, change them.

The thing is, I do all of that. 1password with random, site specific passwords, 2FA with TOTP if it's available. That's what has me worried...

anthonypants posted:

I got one of these a few months ago but it was from some kid who tied my email address to their instagram account.

Is Instagram really that bad? You can just sign up with any random email address, and there's no verification that you actually control it? I mean, that would explain how this happened but it seems far-fetched that a relatively sophisticated company, especially a subsidiary of Facebook which seems to take security quite seriously, would have such an obviously flawed system.

ohgodwhat fucked around with this message at 21:26 on Oct 7, 2017

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...
And then marketing and product make angry screeches about how many steps it takes to sign up and why are you making this so difficult??? So you just give in and resign yourself to a "verified" flow happening after account creation.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

ohgodwhat posted:

Is Instagram really that bad? You can just sign up with any random email address, and there's no verification that you actually control it? I mean, that would explain how this happened but it seems far-fetched that a relatively sophisticated company, especially a subsidiary of Facebook which seems to take security quite seriously, would have such an obviously flawed system.
In my example, they'd already had an Instagram account, and it was tied to their telephone number. For whatever reason they decided to add an email address to their account, but they used mine, and now they don't have access to that Instagram account anymore.

CLAM DOWN
Feb 13, 2007

nesaM killed Masen
Instagram does have SMS 2FA you can opt in to.

Thanks Ants
May 21, 2004

#essereFerrari



:gonk:

CLAM DOWN
Feb 13, 2007

nesaM killed Masen

Lol I know

BlankSystemDaemon
Mar 13, 2009



CLAM DOWN posted:

Instagram does have SMS 2FA you can opt in to.
I've been wondering about how long it'll take the industry to catch on to NIST's new recommendations not to do SMS for 2-factor authentication, but I'm not holding my breath.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

D. Ebdrup posted:

I've been wondering about how long it'll take the industry to catch on to NIST's new recommendations not to do SMS for 2-factor authentication, but I'm not holding my breath.
Once a carrier in the US drops support for SMS.

CLAM DOWN
Feb 13, 2007

nesaM killed Masen

D. Ebdrup posted:

I've been wondering about how long it'll take the industry to catch on to NIST's new recommendations not to do SMS for 2-factor authentication, but I'm not holding my breath.

Honestly? It'll be a long rear end time

RFC2324
Jun 7, 2012

http 418

anthonypants posted:

Once a carrier in the US drops support for SMS.

which is unlikely to happen, since they are a core part of how cell service works (they piggyback on the signals for tower location or keepalive, IIRC)

The Fool
Oct 16, 2003


SMS two-factor is better than no two-factor.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

The Fool posted:

SMS two-factor is better than no two-factor.
Yes, but only just barely.

fyallm
Feb 27, 2007



College Slice

anthonypants posted:

Yes, but only just barely.

Why just barely?

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Because subverting your cell number is apparently only marginally more effort than not doing it, or something.

unknown
Nov 16, 2002
Ain't got no stinking title yet!


2FA SMS is never going away, because it allows them to link your account to a cell phone number, which then makes your data easier to link to external databases.

The Fool
Oct 16, 2003


SMS 2FA is trivial to bypass if you have the right equipment and knowledge set.

That being said, it's not something you have to worry about unless you work for an organization that is at a high risk of that type of attack.

It's perfectly adequate to protect your lovely cat pictures on Instagram.

CLAM DOWN
Feb 13, 2007

nesaM killed Masen
My personal infosec expert opinion hot take which I don't think is an uncommon opinion, is that SMS 2FA is fine for home/consumer use and definitely better than nothing, but nowhere near enterprise-grade. Especially if you need to follow something like 800-53 or the CIS controls or something like that.

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell

It seems like for SMS 2-factor to be compromised you have to be personally targeted, no?

Proteus Jones
Feb 28, 2013



Thermopyle posted:

It seems like for SMS 2-factor to be compromised you have to be personally targeted, no?

Yeah, but if someone does, you're hosed. Until *very* recently, cell phone companies fell over themselves to assign numbers to new phones for any yahoo that called in saying they "lost" their phone. While most of them have gotten better at authenticating the person who calls in, your only line of defense against having your number re-assigned is disaffected, out-sourced customer service.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...
It's still pretty awful. Even if you have "identity theft target DO NOT CHANGE ACCOUNT OVER PHONE" on the account and tell them to require you to say a password, they'll still assign your number to another SIM if someone sweet-talks them enough. This happened to a co-worker a year ago or so, and the most he got out of them was "oh, oops." It's perfectly understandable on their end, because there are no actual ramifications for them if you can't realistically change networks because only one has adequate coverage of your area.

That said, it's better than nothing, especially for users that don't use password managers, but only barely.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Volmarias posted:

It's still pretty awful. Even if you have "identity theft target DO NOT CHANGE ACCOUNT OVER PHONE" on the account and tell them to require you to say a password, they'll still assign your number to another SIM if someone sweet-talks them enough. This happened to a co-worker a year ago or so, and the most he got out of them was "oh, oops." It's perfectly understandable on their end, because there are no actual ramifications for them if you can't realistically change networks because only one has adequate coverage of your area.

That said, it's better than nothing, especially for users that don't use password managers, but only barely.

There are SMS-to-email services you can get, which neatly fixes that issue. No actual human being to sweet-talk, no ability to get the SIM changed over to a lovely burner phone.

Thanks Ants
May 21, 2004

#essereFerrari


Unless the SMS gets sent to the email address that is protected by SMS 2FA

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell

My 2-factor SMS accounts go to my Google Voice number. No carrier fuckery there. Of course, who knows what vulnerabilities exist in that system...

Space Gopher
Jul 31, 2006

BLITHERING IDIOT AND HARDCORE DURIAN APOLOGIST. LET ME TELL YOU WHY THIS SHIT DON'T STINK EVEN THOUGH WE ALL KNOW IT DOES BECAUSE I'M SUPER CULTURED.

Methylethylaldehyde posted:

There are SMS-to-email services you can get, which neatly fixes that issue. No actual human being to sweet-talk, no ability to get the SIM changed over to a lovely burner phone.

No. There are known vulnerabilities in SMS and call routing systems that can hijack the SMS before it ever gets to your email gateway. It's been used in the wild to hit bank accounts.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Space Gopher posted:

No. There are known vulnerabilities in SMS and call routing systems that can hijack the SMS before it ever gets to your email gateway. It's been used in the wild to hit bank accounts.

Yep, I knew that was also a thing, but my solution just addressed the 'oh nhoes, I lost my phone, plz gieb new 1 plz'. SMS 2 factor is dogshit and only stops the lowest effort thieves.

Furism
Feb 21, 2006

Live long and headbang
Like people said, I feel SMS 2FA is good enough for 99% of home users. But I also feel like using a software token is still miles better and not much harder to set up (probably easier, even), so why not make that the default.

E: Although, I'm about to move all my 2FA authenticators from Android to iOS and I have no idea how that works, like can you get two private keys (one for each device) etc., so yeah it's probably more convoluted when you switch phones.

jawbroken
Aug 13, 2007

messmate king

ohgodwhat posted:

Is Instagram really that bad? You can just sign up with any random email address, and there's no verification that you actually control it?

If you think that's bad, someone accidentally signed up for Venmo in 2014 with one of my email addresses and I get sent all of their transaction receipts, amounts, descriptions, last 4 digits of their bank account numbers, etc.

orange sky
May 7, 2007

What free password manager do you guys recommend? And if I need to pay for a good service, what's the best choice?

EssOEss
Oct 23, 2006
128-bit approved
I recommend KeePass with Google Drive cloud sync of the password database. FolderSync works great on Android for this (the Drive app sync was pretty broken last time I tried it). No browser integration, just auto-type and clipboard on PC and the KeePass keyboard on Android.

Turn off "Safe file writes" or whatever it is in KeePass options or sometimes Drive will think you deleted the password database instead of saving it (because it does a SaveAs->DeleteOld->RenameNew sequence).

Also disable the "press enter after typing password" default option to stop you publicly tweeting your password in case you accidentally activate auto-type somewhere you should not.

orange sky
May 7, 2007

EssOEss posted:

I recommend KeePass with Google Drive cloud sync of the password database. FolderSync works great on Android for this (the Drive app sync was pretty broken last time I tried it). No browser integration, just auto-type and clipboard on PC and the KeePass keyboard on Android.

Turn off "Safe file writes" or whatever it is in KeePass options or sometimes Drive will think you deleted the password database instead of saving it (because it does a SaveAs->DeleteOld->RenameNew sequence).

Also disable the "press enter after typing password" default option to stop you publicly tweeting your password in case you accidentally activate auto-type somewhere you should not.

Thank you, I'll look into it.

bobfather
Sep 20, 2001

I will analyze your nervous system for beer money

EssOEss posted:

I recommend KeePass with Google Drive cloud sync of the password database. FolderSync works great on Android for this (the Drive app sync was pretty broken last time I tried it). No browser integration, just auto-type and clipboard on PC and the KeePass keyboard on Android.

Turn off "Safe file writes" or whatever it is in KeePass options or sometimes Drive will think you deleted the password database instead of saving it (because it does a SaveAs->DeleteOld->RenameNew sequence).

Also disable the "press enter after typing password" default option to stop you publicly tweeting your password in case you accidentally activate auto-type somewhere you should not.

LMAO Google Drive broken on Android, everything working as usual!

fordan
Mar 9, 2009

Clue: Zero

orange sky posted:

What free password manager do you guys recommend? And if I need to pay for a good service, what's the best choice?

I'm a fan of 1Password, though I got it before it became a subscription service and still use Dropbox as the syncing mechanism. But you didn't really say what platforms you're looking for and features that matter to you.


orange sky
May 7, 2007

fordan posted:

I'm a fan of 1Password, though I got it before it became a subscription service and still use Dropbox as the syncing mechanism. But you didn't really say what platforms you're looking for and features that matter to you.

1Password actually looks pretty cool, I wanted central management so that I can get to my passwords from anywhere (so preferably a cloud service) and good security practices on the company that makes the stuff, that's really it. Integrations are of course a plus but I don't mind going to a website to copy and paste a password.
