22 Eargesplitten
Oct 10, 2010



Depends on how long their executives decide they need to wait after dumping their stock for it to not look suspicious.


anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum
A very important distinction is that this was T-Mobile Austria, and not T-Mobile USA.

The Fool
Oct 16, 2003


Because I have faith that the US infrastructure is any better.

MC Fruit Stripe
Nov 26, 2002

around and around we go
There's an untold number of companies with all of the same security flaws, but you don't go on social media and poke the bear.

Potato Salad
Oct 23, 2014

nobody cares


They doubled down with a claim that passwords are stored in a secure, encrypted database

CLAM DOWN
Feb 13, 2007




MC Fruit Stripe posted:

There's an untold number of companies with all of the same security flaws, but you don't go on social media and poke the bear.

Yeah lmao holy poo poo at all of this, there's no way that thousands of script kiddies aren't currently firing metasploit at every T-Mobile Austria IP they can find.

Samizdata
May 14, 2007

The Fool posted:

Over/under on when TMobile announces a data breach?

I say 3 months.

White/grey hat or black hat? I will go three months on the black hat, but they dun goofed and hacked off the white/grey hats, so I will say a month there.

Nalin
Sep 29, 2007

Hair Elf
Are they talking about the optional password that is used to prevent number porting scams? Or the actual account password? Because those are two separate things and I can't tell which is under discussion here. It seems to be that they are talking about the optional password, which is like the code word you can put on your bank account that you have to verify before the teller will help you. It is just an additional pin number you verify over the phone.

Proteus Jones
Feb 28, 2013



Nalin posted:

Are they talking about the optional password that is used to prevent number porting scams? Or the actual account password? Because those are two separate things and I can't tell which is under discussion here. It seems to be that they are talking about the optional password, which is like the code word you can put on your bank account that you have to verify before the teller will help you. It is just an additional pin number you verify over the phone.

That may be (it’s still terrible). Even if it is a misunderstanding, this whole thing has grown so far beyond that.

duz
Jul 11, 2005

Come on Ilhan, lets go bag us a shitpost


The Fool posted:

Over/under on when TMobile announces a data breach?

I say 3 months.

Over.

Judge Schnoopy
Nov 2, 2005

dont even TRY it, pal

Proteus Jones posted:

That may be (it’s still terrible). Even if it is a misunderstanding, this whole thing has grown so far beyond that.

Yes, there are other security holes somewhere that everybody is bound to find. They aren't running a secure fortress.

Nalin
Sep 29, 2007

Hair Elf

Proteus Jones posted:

That may be (it’s still terrible). Even if it is a misunderstanding, this whole thing has grown so far beyond that.

T-Mobile had sent out an SMS saying that there was a huge upsurge in number porting scams and that you should call them and set up a password to prevent it. I thought it was just some sort of password required to port out a number so I had KeePass generate a max length 15 character password. But it turned out to be a password that you have to say before the customer service reps will help you, like a set of security questions, so now I have to say that whole password out every time I call them up. Argh.

mewse
May 2, 2006

Nalin posted:

T-Mobile had sent out an SMS saying that there was a huge upsurge in number porting scams and that you should call them and set up a password to prevent it. I thought it was just some sort of password required to port out a number so I had KeePass generate a max length 15 character password. But it turned out to be a password that you have to say before the customer service reps will help you, like a set of security questions, so now I have to say that whole password out every time I call them up. Argh.

Hahahah

astral
Apr 26, 2004

Nalin posted:

T-Mobile had sent out an SMS saying that there was a huge upsurge in number porting scams and that you should call them and set up a password to prevent it. I thought it was just some sort of password required to port out a number so I had KeePass generate a max length 15 character password. But it turned out to be a password that you have to say before the customer service reps will help you, like a set of security questions, so now I have to say that whole password out every time I call them up. Argh.

You could always try the timeless classic "it's just 15 random letters and numbers with a symbol in there somewhere".

RFC2324
Jun 7, 2012

http 418

astral posted:

You could always try the timeless classic "it's just 15 random letters and numbers with a symbol in there somewhere".

plot twist, it's 16 characters

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

The Fool posted:

Over/under on when TMobile announces a data breach?

I say 3 months.

build a time machine

Beccara
Feb 3, 2005
So the role I'm currently in is sliding me more into security every day as I seem to be the only one with even a slight understanding of Infosec. I can't go into too much but we do in-country hosting of an application containing sensitive data. The industry as a whole here doesn't have any real specs for security beyond conducting self-administered audits by people who still call their monitor the hard drive.

What are some infosec industry standards that I can point to as med/long term goals? Our physical security is 90% there but virtually, outside of MS/VMware best practice, I'm finding it's pretty easy to be dismissed as paranoid. I'm going to get an external security company onboard for a pentest but would like to have an idea of our security goals before they try to sell me an ISO 9000 type qual for a company with 10 people. I feel we've got a good framework and tools in place but process and "what about this?" wise it is failing.

On a personal note, what are some beneficial quals for infosec? CEH? Anyone got any videos or books they can recommend? At this point I'm only sure of 2 things: I don't know enough to say we are as secure as we could be and I don't know what else I don't know :)

Judge Schnoopy
Nov 2, 2005

dont even TRY it, pal
NIST has a framework that can be roughly applied to most audit standards like ISO 9000 and HIPAA. The framework has a lot of information on how to apply reasonable metrics specific to your security goals so you're not wasting time with bullshit that doesn't affect you.

Diva Cupcake
Aug 15, 2005

Unless it's specifically for a required compliance checkbox, don't start looking into penetration testing until you have your house in order. That means taking a look at the CIS Top 20 Security Controls and honestly assessing your organization's security maturity level. Take care of the low hanging fruit. Do vulnerability assessments. Remediate. Do more vulnerability assessments. Fix that poo poo too.

https://learn.cisecurity.org/20-controls-download

You'll also want to read up on threat modelling. The below is a pretty good read as far as 600 page tomes about loving threat modelling go.

https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998

Diva Cupcake fucked around with this message at 14:29 on Apr 10, 2018

Tapedump
Aug 31, 2007
College Slice
https://authy.com/blog/how-the-authy-two-factor-backups-work/

Should I trust Authy's backup more/less/same compared to Authenticator+'s, given the latter backs up to Dropbox with its own TOTP 2FA?

I'm leaning toward Authy for desktop support and (pedantically) open source.

Is there a rational difference in the eyes of the thread?

Thanks Ants
May 21, 2004

#essereFerrari


I'm pretty uneasy about the whole concept of syncing OTP seed values to a cloud service to be honest, but I'll take it over SMS recovery when you lose your phone.

I would blow Dane Cook
Dec 26, 2008
https://www.youtube.com/watch?v=RoAsyraektY

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Nalin posted:

Are they talking about the optional password that is used to prevent number porting scams? Or the actual account password? Because those are two separate things and I can't tell which is under discussion here. It seems to be that they are talking about the optional password, which is like the code word you can put on your bank account that you have to verify before the teller will help you. It is just an additional pin number you verify over the phone.

The optional password that's also apparently optional for the call center to care about, according to a co-worker that had to clean up the fallout on his accounts even though he set one.

Rocko Bonaparte
Mar 12, 2002

Every day is Friday!
Well I figured out my problem with KeePass was that I never actually saved the database after adding a bunch of stuff, and it didn't seem to prompt me over that when I closed it in my original assessment. After learning to be religious with the CTRL-S combo with it, stuff persists just fine. I'm wondering now if there's an Android app that would sync with a KeePass database kept on my own VPS. That would mean HTTP or preferably SCP. I know DropBox and Google Drive have been supported forever, but I'd rather not use those if I can help it. Has anything updated in the Android space to support SCP? Everything I see is from 2014.

Space Gopher
Jul 31, 2006

BLITHERING IDIOT AND HARDCORE DURIAN APOLOGIST. LET ME TELL YOU WHY THIS SHIT DON'T STINK EVEN THOUGH WE ALL KNOW IT DOES BECAUSE I'M SUPER CULTURED.

Rocko Bonaparte posted:

Well I figured out my problem with KeePass was that I never actually saved the database after adding a bunch of stuff, and it didn't seem to prompt me over that when I closed it in my original assessment. After learning to be religious with the CTRL-S combo with it, stuff persists just fine. I'm wondering now if there's an Android app that would sync with a KeePass database kept on my own VPS. That would mean HTTP or preferably SCP. I know DropBox and Google Drive have been supported forever, but I'd rather not use those if I can help it. Has anything updated in the Android space to support SCP? Everything I see is from 2014.

You can set most keepass clients to save the database automatically on change or close.

What's your goal with keeping the file on a VPS? If you're not using AWS, Azure, or GCP, your database is probably more secure on Google Drive than it is on your VPS provider. If you're worried about somebody getting access to your database and brute-forcing it, just use a keyfile that you copy manually between authorized clients.

Rocko Bonaparte
Mar 12, 2002

Every day is Friday!
I am more afraid I will accidentally make the file public while trying to share other stuff when using Dropbox or Google Drive. On my VPS, I would just assign it to an account that has exclusive rights to it and nothing else. I am less concerned about somebody outright gunning for me, but I want to do some due diligence.

It's better than the text file in Notepad++ either way.

CLAM DOWN
Feb 13, 2007




Rocko Bonaparte posted:

I am more afraid I will accidentally make the file public while trying to share other stuff when using Dropbox or Google Drive.

Uh, this isn't really something you can accidentally do. Even then, your password database is encrypted with a passphrase.

E: like, I don't even care if someone else has my keepass database, it has both a key file and a very strong unique passphrase. It's not getting opened.

Proteus Jones
Feb 28, 2013



CLAM DOWN posted:

E: like, I don't even care if someone else has my keepass database, it has both a key file and a very strong unique passphrase. It's not getting opened.

Yeah, Drop-pox is fine. Even if you did manage to accidentally share (which.. how?), as long as you use something different than your luggage combo to lock it up you'll be OK.

isaboo
Nov 11, 2002

Muay Buok
ขอให้โชคดี
Need some advice on which encryption scheme and secure erase solution to implement for my wife. Her job is such that she prefers to securely wipe her disks when one project is done and before another is started. We installed an SSD (Samsung EVO) and later learned that SSDs cannot be securely wiped in the same way that traditional magnetic drives can be erased. I've read through some articles about the ATA secure erase feature and how some manufacturers' tools are not as reliable as others and that some data can sometimes be recovered.

As for encryption, we used VeraCrypt for a while and everything was fine until the Windows 10 Fall Creators Update hit. The update would never successfully finish (though smaller updates seemed to work fine) and I found out that the encryption and the big update do not play nice together. I had to decrypt and apply the update, and by then her project was over so I just reinstalled everything.

I updated the drive's firmware and looked through the encryption options and it seems that the Samsung automatic drive encryption only works with OS-level encryption schemes like BitLocker and not something like VeraCrypt. I know BitLocker has had rumors of backdoors, encryption keys being stored at Microsoft, and the now patched "SHIFT-F10 during update" trick to pop a command prompt and bypass BitLocker.

So basically what I want are:
  • A reliable way to securely erase the SSD, whether it be a proven solution from the manufacturer, a way to clear out the drive's cells and overwrite, or something tedious like encrypt -> overwrite/format -> encrypt again -> reinstall OS, etc.
  • An encryption method that plays nice with large OS updates so we don't have to reinstall prematurely during one of her projects. If BitLocker is indeed safe these days and doesn't phone home in any way, that would be fine and I guess easiest since it should handle Windows updates okay.

isaboo fucked around with this message at 00:50 on Apr 14, 2018

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

pahuyuth posted:

Need some advice on which encryption scheme and secure erase solution to implement for my wife. Her job is such that she prefers to securely wipe her disks when one project is done and before another is started. We installed an SSD (Samsung EVO) and later learned that SSDs cannot be securely wiped in the same way that traditional magnetic drives can be erased. I've read through some articles about the ATA secure erase feature and how some manufacturers' tools are not as reliable as others and that some data can sometimes be recovered.

As for encryption, we used VeraCrypt for a while and everything was fine until the Windows 10 Fall Creators Update hit. The update would never successfully finish (though smaller updates seemed to work fine) and I found out that the encryption and the big update do not play nice together. I had to decrypt and apply the update, and by then her project was over so I just reinstalled everything.

I updated the drive's firmware and looked through the encryption options and it seems that the Samsung automatic drive encryption only works with OS-level encryption schemes like BitLocker and not something like VeraCrypt. I know BitLocker has had rumors of backdoors, encryption keys being stored at Microsoft, and the now patched "SHIFT-F10 during update" trick to pop a command prompt and bypass BitLocker.

So basically what I want are:
  • A reliable way to securely erase the SSD, whether it be a proven solution from the manufacturer, a way to clear out the drive's cells and overwrite, or something tedious like encrypt -> overwrite/format -> encrypt again -> reinstall OS, etc.
  • An encryption method that plays nice with large OS updates so we don't have to reinstall prematurely during one of her projects. If BitLocker is indeed safe these days and doesn't phone home in any way, that would be fine and I guess easiest since it should handle Windows updates okay.

Samsung Magician has a secure erase feature.

The Fool
Oct 16, 2003


Bitlocker is fine.

Also, with an encrypted drive there is zero need for a full wipe.

Lose your keys, do a quick wipe, fresh install and re-encrypt with new keys.

mewse
May 2, 2006

anthonypants posted:

Samsung Magician has a secure erase feature.

In my experience that software only seems to work with Samsung retail drives. I had an HP laptop with some kinda Samsung white box M.2 SSD and Magician wouldn't work with it.

Proteus Jones
Feb 28, 2013



pahuyuth posted:

Need some advice on which encryption scheme and secure erase solution to implement for my wife. Her job is such that she prefers to securely wipe her disks when one project is done and before another is started. We installed an SSD (Samsung EVO) and later learned that SSDs cannot be securely wiped in the same way that traditional magnetic drives can be erased. I've read through some articles about the ATA secure erase feature and how some manufacturers' tools are not as reliable as others and that some data can sometimes be recovered.

As for encryption, we used VeraCrypt for a while and everything was fine until the Windows 10 Fall Creators Update hit. The update would never successfully finish (though smaller updates seemed to work fine) and I found out that the encryption and the big update do not play nice together. I had to decrypt and apply the update, and by then her project was over so I just reinstalled everything.

I updated the drive's firmware and looked through the encryption options and it seems that the Samsung automatic drive encryption only works with OS-level encryption schemes like BitLocker and not something like VeraCrypt. I know BitLocker has had rumors of backdoors, encryption keys being stored at Microsoft, and the now patched "SHIFT-F10 during update" trick to pop a command prompt and bypass BitLocker.

So basically what I want are:
  • A reliable way to securely erase the SSD, whether it be a proven solution from the manufacturer, a way to clear out the drive's cells and overwrite, or something tedious like encrypt -> overwrite/format -> encrypt again -> reinstall OS, etc.
  • An encryption method that plays nice with large OS updates so we don't have to reinstall prematurely during one of her projects. If BitLocker is indeed safe these days and doesn't phone home in any way, that would be fine and I guess easiest since it should handle Windows updates okay.

I can't be arsed to check, but I thought you could bypass key-escrow with BitLocker like how you can with FileVault2.

As for the SSD, the best way to make it non-recoverable is to use an encrypted fs and then wipe the partition table and format over it. Done. If it's currently not encrypted, encrypt it. Then format over it. If you're using a baked-in solution in the SSD's firmware, turn it off. And format it as fresh.
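The crypto-erase idea behind The Fool's "lose your keys, do a quick wipe" and the "encrypt it, then format over it" advice above, as an added example that is not code from the thread or from any FDE product: a two-level key hierarchy (random data-encryption key wrapped by a passphrase-derived key in a volume header, as BitLocker and VeraCrypt do) lets you rotate the passphrase without rewriting a sector and makes destroying the header alone sufficient, even though the ciphertext stays behind in cells an overwrite would never reach. The HMAC-SHA256 counter keystream and the XOR key wrap are stand-ins for AES-XTS and AES key wrap, chosen only because the standard library has no block cipher.

```python
import hashlib
import hmac
import os
import secrets

SECTOR_SIZE = 32  # constructed: tiny sectors keep the demo readable


def derive_kek(passphrase: bytes, salt: bytes) -> bytes:
    """Passphrase -> key-encryption key (KEK). PBKDF2 stands in for the KDF a
    real FDE product uses; the iteration count is low only to keep the demo fast."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 50_000, dklen=32)


def sector_keystream(dek: bytes, sector_no: int, length: int) -> bytes:
    """Per-sector keystream derived from the DEK. This HMAC-SHA256 counter
    construction is a teaching stand-in for AES-XTS, not a production cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(dek, block, "sha256").digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedDisk:
    """Hypothetical FDE volume: a random DEK encrypts sectors; only the DEK
    wrapped under the passphrase-derived KEK is stored in the header."""

    def __init__(self, passphrase: bytes):
        self.salt = os.urandom(16)
        dek = secrets.token_bytes(32)
        # 32-byte XOR one-time pad stands in for AES key wrap of the DEK.
        self.header = xor_bytes(dek, derive_kek(passphrase, self.salt))
        self.cells = {}  # sector_no -> ciphertext, mimicking flash cells

    def _unwrap(self, passphrase: bytes):
        if self.header is None:
            return None  # header destroyed: the DEK cannot be recovered
        return xor_bytes(self.header, derive_kek(passphrase, self.salt))

    def write(self, passphrase: bytes, sector_no: int, data: bytes) -> None:
        assert len(data) == SECTOR_SIZE
        ks = sector_keystream(self._unwrap(passphrase), sector_no, SECTOR_SIZE)
        self.cells[sector_no] = xor_bytes(data, ks)

    def read(self, passphrase: bytes, sector_no: int):
        dek = self._unwrap(passphrase)
        if dek is None:
            return None
        # A wrong passphrase yields a wrong DEK and therefore random-looking data.
        return xor_bytes(self.cells[sector_no], sector_keystream(dek, sector_no, SECTOR_SIZE))

    def rotate_passphrase(self, old: bytes, new: bytes) -> None:
        """Re-wrap the same DEK under a new KEK; no data sector is touched."""
        dek = self._unwrap(old)
        self.salt = os.urandom(16)
        self.header = xor_bytes(dek, derive_kek(new, self.salt))

    def crypto_erase(self) -> int:
        """The 'quick wipe': destroy only the header. Returns how many ciphertext
        cells remain behind, now unreadable by anyone, including the owner."""
        self.header = None
        return len(self.cells)
```

The leftover cells after `crypto_erase()` model the over-provisioned and remapped flash blocks that a host-side overwrite cannot reach, which is why the thread recommends encrypting first and then formatting rather than relying on overwriting alone.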

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

mewse posted:

In my experience that software only seems to work with Samsung retail drives. I had an HP laptop with some kinda Samsung white box M.2 SSD and Magician wouldn't work with it.
I've only used Samsung Pros but the Samsung Evo should work fine.

mewse
May 2, 2006

anthonypants posted:

I've only used Samsung Pros but the Samsung Evo should work fine.

In my defense I don't know how to read

Absurd Alhazred
Mar 27, 2010

by Athanatos
Some physical security for a change:

https://twitter.com/LockPickingLwyr/status/984978564633284608

Proteus Jones
Feb 28, 2013




:lol::lol:

I remember hearing about this lock a few years ago. There is a staggering number of RVs, campers, truck toolboxes/tailgates, contractor vans, etc. that use this lock. And a single key can unlock all of them. Hell, you can still find "replacement" keys for CH751 on Amazon.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum
It's so popular there's a ch751 dot com website.

Double Punctuation
Dec 30, 2009

Ships were made for sinking;
Whiskey made for drinking;
If we were made of cellophane
We'd all get stinking drunk much faster!
So, after over 3 months, Asus finally updated my Q87 board with Spectre fixes! The TPM is still useless AFAIK, but I guess it’s better than nothing.


Nalin
Sep 29, 2007

Hair Elf

Rocko Bonaparte posted:

Well I figured out my problem with KeePass was that I never actually saved the database after adding a bunch of stuff, and it didn't seem to prompt me over that when I closed it in my original assessment. After learning to be religious with the CTRL-S combo with it, stuff persists just fine. I'm wondering now if there's an Android app that would sync with a KeePass database kept on my own VPS. That would mean HTTP or preferably SCP. I know DropBox and Google Drive have been supported forever, but I'd rather not use those if I can help it. Has anything updated in the Android space to support SCP? Everything I see is from 2014.

KeePass2Android supports Dropbox, Google Drive, OneDrive, SFTP, FTP, HTTP (WebDAV), HTTPS (WebDAV), ownCloud, 3rd party apps, or just straight from your file system.

If you wanted to use SCP, you could install any SCP syncing app and then have KeePass2Android load the file from your filesystem.
