cheese-cube posted: just gonna put my garbage tweet(s) here. tl;dr my bank is garbage

forwarded this to a guy I know

Mar 9, 2018 08:16

lol ibs

Mar 9, 2018 08:17

Insufficient Bank Security

Mar 9, 2018 08:52

spankmeister posted: Insufficient Bank Security

Mar 9, 2018 09:07

lol at the idea of 3rd party ads on a banking site. a service the customer is already paying for directly. how often do ads for competitors get through?

Mar 9, 2018 12:16

i pay nothing to use my bank and pretty much always have (only fee i've ever had to pay was the FID tax that was a couple of cents a year but they got rid of the FID tax aeons ago). sure i've only got a single savings account but it suits my needs and i get a chip+pin mastercard debitcard that has that NFC stuff in it and ive never encountered any fees p much ever.

Mar 9, 2018 13:42

cheese-cube posted: i pay nothing to use my bank and pretty much always have (only fee i've ever had to pay was the FID tax that was a couple of cents a year but they got rid of the FID tax aeons ago). sure i've only got a single savings account but it suits my needs and i get a chip+pin mastercard debitcard that has that NFC stuff in it and ive never encountered any fees p much ever.

yeah, i don't pay directly, they make money by holding my money and breeding it

Mar 9, 2018 14:05

Cerv posted: lol at the idea of 3rd party ads on a banking site. a service the customer is already paying for directly

but they could make even more with ads

Mar 9, 2018 14:45

Phone posted: but think of the value ad to the customer

Mar 9, 2018 15:14

https://twitter.com/troyhunt/status/972257226806108160
https://twitter.com/zackwhittaker/status/972235502760886272

I mean I wouldn't use a product called Keeper anyway because it causes Binding of Isaac PTSD.

Mar 10, 2018 11:59

here's why https download links are important and necessary https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/

Mar 11, 2018 04:24

So I'm working on cleaning up our authentication/session management flow, and I'm reading through this: https://www.owasp.org/index.php/Session_Management_Cheat_Sheet

I noticed that it doesn't mention signing the session cookie, which seems like an easy way to prevent brute forcing a session id. Is it not mentioned because signing the cookie is a lot of extra work compared to just generating a longer session id?

DONT THREAD ON ME fucked around with this message at 16:11 on Mar 11, 2018

Mar 11, 2018 16:09

what are you actually preventing by signing a session cookie if your session cookie is already sufficiently random

Mar 11, 2018 16:15

p much, although there's a lot of places that generate a session id based on hashing username, password, ip, etc. sha256(user||sha256(password)) isn't uncommon. figuring out the implementation of popular services is a good exercise.

Mar 11, 2018 16:18

geonetix posted: what are you actually preventing by signing a session cookie if your session cookie is already sufficiently random

yeah, that pretty much answers it. the only benefit i can think of is that it would be very easy to tell if an attacker is attempting to tamper with sessions, so you could block the ip/run other mitigations.

Mar 11, 2018 16:22

an IP that presents a bunch of different invalid tokens in a short time frame is probably equally suspicious regardless of how you construct your token

Mar 11, 2018 16:32

Subjunctive posted: an IP that presents a bunch of different invalid tokens in a short time frame is probably equally suspicious regardless of how you construct your token

yeah but that's significantly harder to implement properly. (although I'm not arguing that it isn't a good idea).

Mar 11, 2018 16:56

MALE SHOEGAZE posted: yeah but that's significantly harder to implement properly. (although I'm not arguing that it isn't a good idea).

why is it harder than if it’s signed? both cases are just “invalid token”.

Mar 11, 2018 18:00

Subjunctive posted: why is it harder than if it’s signed? both cases are just “invalid token”.

i was thinking about tracking the ip, but you're right, someone sending an unknown token is about as clear a sign of tampering as a token that doesn't match the signature.

Mar 11, 2018 18:41

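The two schemes debated in the posts above, as an added example that is not code from the original thread: a 256-bit random session id looked up in a store, an HMAC-signed variant verified with a constant-time compare, and Subjunctive's detection rule (one IP presenting many different invalid tokens in a short window) run over constructed events. Both schemes reduce to the same "invalid token" signal at the detection layer. The signing key, the function names and the sample IPs are assumptions.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed signing key for the example; a real deployment loads it from a secret store.
SERVER_KEY = b"example-signing-key-not-for-production"


def new_session_id() -> str:
    """256 bits of CSPRNG output (URL-safe base64, no '.' characters)."""
    return secrets.token_urlsafe(32)


def sign_session_id(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Append an HMAC-SHA256 tag: a tampered id fails before any store lookup."""
    tag = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def verify_signed_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the session id if the tag verifies, else None (constant-time compare)."""
    session_id, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
    return session_id if hmac.compare_digest(expected.encode(), tag.encode()) else None


def lookup_random_cookie(cookie: str, store: set) -> bool:
    """Unsigned random id: validity is simply 'is it in the server-side store'."""
    return cookie in store


def suspicious_ips(events, window_seconds=60, threshold=5):
    """events: iterable of (timestamp, ip, token, valid).
    Flag IPs that presented more than `threshold` distinct invalid tokens
    within any `window_seconds` window; valid presentations are ignored."""
    by_ip = defaultdict(list)
    for ts, ip, token, valid in events:
        if not valid:
            by_ip[ip].append((ts, token))
    flagged = set()
    for ip, items in by_ip.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            distinct = {tok for ts, tok in items[i:] if ts - start <= window_seconds}
            if len(distinct) > threshold:
                flagged.add(ip)
                break
    return flagged


def demo():
    """Constructed traffic: one legitimate client and one client guessing tokens."""
    store = {new_session_id() for _ in range(3)}
    good = next(iter(store))
    signed = sign_session_id(good)
    events = [(0, "203.0.113.5", signed, verify_signed_cookie(signed) in store)]
    for i in range(8):
        # Forged cookies signed under the wrong key: each one is a distinct invalid token.
        bad = sign_session_id(new_session_id(), key=b"wrong-key")
        events.append((i * 2, "198.51.100.9", bad, verify_signed_cookie(bad) in store))
    return suspicious_ips(events)


if __name__ == "__main__":
    print(demo())
```

The rate rule keys on distinct tokens rather than raw request count, so a legitimate client retrying one stale cookie does not trip it, while a guesser does whichever cookie format the server uses.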
Reminds me of one time when I was looking through the logs and saw a whole bunch of "invalid token" log lines. The tokens we used were just random strings or whatever. Looking at the log lines, turns out that someone had repeatedly tried to use a cookie with the token "/etc/passwd". To this day, I wonder in what system they think that would have any effect whatsoever.

Mar 11, 2018 19:02

Sheraton wall centre sucks, the fire alarm has gone off three days in a row. I hope the cause is some dipshit "pentester" pulling the alarm because he thinks he's at defcon

Mar 11, 2018 20:23

Carbon dioxide posted: Reminds me of one time when I was looking through the logs and saw a whole bunch of "invalid token" log lines.

there's a lot of automated tools that will just try shoving /etc/passwd and similar paths into everything, it was probably just that. it does lead to some very weird log entries though

Mar 11, 2018 20:37

titaniumone posted: Sheraton wall centre sucks, the fire alarm has gone off three days in a row. I hope the cause is some dipshit "pentester" pulling the alarm because he thinks he's at defcon

Failing sensors will cause that too.

Mar 11, 2018 20:41

kali just announced a new version of their distro without support for raw unix sockets https://www.kali.org/news/kali-linux-in-the-windows-app-store/

Mar 11, 2018 20:45

Carbon dioxide posted: Reminds me of one time when I was looking through the logs and saw a whole bunch of "invalid token" log lines.

there are file based session handlers that would store session 123 in /tmp/sessions/123 so i guess if you also did path.join and then dumped out an error message with the "invalid data"? seems like a long shot

Mar 12, 2018 00:02

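The file-based session handler pitfall described in the post above, as an added example that is not from the original thread: os.path.join discards the base directory when the second argument is an absolute path, so a cookie value of /etc/passwd turns straight into that file path, and a "../" token walks out of the session directory. The hardened lookup restricts the token to the id alphabet and confirms the resolved path stays under the session directory before touching the filesystem. The directory layout, the id pattern and the session file contents are constructed for the example.

```python
import os
import re
import tempfile

# Assumed session id alphabet: URL-safe base64 characters, 16-128 long. No '/' or '.'.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9_-]{16,128}$")


def naive_session_path(base_dir: str, session_id: str) -> str:
    """The pitfall: join() drops base_dir for an absolute token and does
    nothing about '..' segments."""
    return os.path.join(base_dir, session_id)


def safe_session_path(base_dir: str, session_id: str):
    """Path for a session file only if the id is well-formed and the resolved
    path stays under base_dir; otherwise None."""
    if not SESSION_ID_RE.fullmatch(session_id):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, session_id))
    # Belt and braces: the regex already excludes '/' and '.', but check containment
    # after symlink resolution anyway.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def load_session(base_dir: str, session_id: str):
    """Session contents, or None when the id is rejected or has no file.
    The caller logs the rejection without echoing the raw token into a path."""
    path = safe_session_path(base_dir, session_id)
    if path is None or not os.path.isfile(path):
        return None
    with open(path) as f:
        return f.read()


def demo():
    """Constructed session store with one valid session and three hostile tokens.
    Returns {token: (naive_path, loaded_contents)}."""
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "abcdefghijklmnop"), "w") as f:
            f.write("user=alice")
        tokens = ["abcdefghijklmnop", "/etc/passwd", "../../../../../admin.php", "123"]
        return {tok: (naive_session_path(base, tok), load_session(base, tok)) for tok in tokens}


if __name__ == "__main__":
    for tok, (naive, loaded) in demo().items():
        print(f"{tok!r}: naive join -> {naive!r}, hardened load -> {loaded!r}")
```

Note that the naive path for the traversal token is not normalised by join() either, so only a later open() reveals where it actually points; rejecting the token on shape, as the hardened version does, keeps the "invalid token" log line free of filesystem paths.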
Carbon dioxide posted: Reminds me of one time when I was looking through the logs and saw a whole bunch of "invalid token" log lines.

ate all the Oreos posted: there's a lot of automated tools that will just try shoving /etc/passwd and similar paths into everything, it was probably just that. it does lead to some very weird log entries though

I was trying to debug a licence issue and the log for our FlexNet instance has all sorts of junk like that, and ../../../../../admin.php, and random junk besides. Presumably some dumb check-a-box pentest blasting poo poo to all hosts on the network

Mar 12, 2018 04:50

finished my slides for bsides vancouver. if y'all are going to be there, just PM me or something. there will be a stream i believe -- talk is at 10:30 AM PDT on track 2. the presentation won't be spectacular as it's really me on my soap box for 35-45 minutes

Mar 12, 2018 05:54

~Coxy posted: I was trying to debug a licence issue and the log for our FlexNet instance has all sorts of junk like that, and ../../../../../admin.php, and random junk besides.

all the automated scanners do this just to catch the odd path traversal, xss or sqli. the sad thing is they usually still work on newly produced code, so it’s a good thing to scan for those

Mar 12, 2018 07:13

anthonypants posted: kali just announced a new version of their distro without support for raw unix sockets https://www.kali.org/news/kali-linux-in-the-windows-app-store/

huh, unix sockets came out decemberish. hopefully they enable them distrowide soon after they're in stable windows, and don't let it stay with them off by default.

Mar 12, 2018 07:26

anthonypants posted: here's why https download links are important and necessary https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/

quote: Your correspondence of March 7, 2018 again reiterates that PacketLogic does not permit the end user to inject a payload “larger than 1 packet”. Citizen Lab’s conclusion is that 1 packet is all that is required to enable the product to be used in the manner it describes.

Great defence. It's only 1 packet, what could possibly go wrong?!

fakeedit:

quote: In all injected packets, the IPID is always 13330 (0x3412, which is 0x1234 endian-swapped) for all injected packets.

I'm the 0x1234

Mar 12, 2018 14:20

this sure isn't ominous https://lists.samba.org/archive/samba-announce/2018/000434.html

Mar 12, 2018 18:27

anthonypants posted: raw unix sockets

are you trying to summon steve gibson

Mar 12, 2018 18:35

i just called my bank and was greeted by an automated message asking me to complete a survey for a caribbean cruise. turns out I dialed 1 800 xxx xxxx instead of 1 888 xxx xxxx. if they had asked me for all my personal info instead i would have gotten owned.

Mar 12, 2018 18:40

my company is going to be spending a lot of time in the second half of the year on security with an eye towards working toward certification of some kind. I'm basically the security officer for the company in all but name, so I'll be heading up the effort. I'm trying to plan out what kind of training I'll need to head that effort. I'm somewhat versed in security, and have given presentations on OWASP and the like. however I lack knowledge of best practices around the non-development side of things. any recommendations on books/courses/webpages/security certs I can look into?

Mar 12, 2018 23:02

the details of wpa3 are out. it looks like a significant improvement over wpa2, adding forward security and a modern PAKE handshake, replacing WPS, adding support for encrypting unauthenticated (no-password) networks, and increasing the key size to 192-bits for some reason. also, some good news for wpa2 devices going forward (since we'll probably be stuck leaving it enabled for at least the next 20 years):

quote: Improvements to WPA2

Mar 12, 2018 23:18

well the samba issues are a bit disappointing, was expecting much more fun

Mar 13, 2018 12:13

anyone ever mess with disabling specific TLS Extensions in SChannel like Session Ticket, is that even a thing (I'm guessing not)? Yay auditors thinking it would be a great use of time to nitpick Microsoft's TLS implementation beyond just locking down specific ciphers and protocols.

Mar 13, 2018 14:24

https://twitter.com/KateLibc/status/973551222023057408

Mar 13, 2018 14:28

sadus posted: anyone ever mess with disabling specific TLS Extensions in SChannel like Session Ticket, is that even a thing (I'm guessing not)? Yay auditors thinking it would be a great use of time to nitpick Microsoft's TLS implementation beyond just locking down specific ciphers and protocols.

pretty sure we have one resident schannel pro, i shamefully cannot remember but they posted nice cipher suite lists plus recommended ECC curve combos, was very handy

Mar 13, 2018 14:45

three years i've had this credit card, used it online for a whole bunch of stuff, not even a peep. it expired, i activated the new one end of last month, it got popped last night. started to think it was something i hosed up, but i've been on hold now for almost 20 minutes so my guess is someone lost control of their subscriber info

Mar 13, 2018 14:51