BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Potato Salad posted:

Patch your AD controllers and any other MS DNS systems newer than Windows 2008r2 asap if you don't like people easily running pretty much anything as NT\SYSTEM remotely and I think without very clear logging

Have they disclosed if the vuln doesn't apply to 2008r2, or that they just haven't backported the patch (again)?


The Fool
Oct 16, 2003


Here is the CVE: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8626

2008 R2 is not listed


E: https://www.thezdi.com/blog/2018/12/11/the-december-2018-security-update-review
There are a handful of other significant CVEs that are in December's patch.

The Fool fucked around with this message at 23:30 on Dec 14, 2018

Sheep
Jul 24, 2003

The Fool posted:

Is there a specific thing happening?

Other than having to have a client license for every machine that queries it, probably not.

Edit: orrrr there's a heap overflow.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

kensei posted:

I thought the best way to totally erase an Android phone was to encrypt it then factory reset it? Most people have encryption on but that's an important caveat.

Is your threat model someone who will attempt to recover deleted content from a micro SD card after the partition has been reformatted?

If not, factory reset by itself is fine.

Absurd Alhazred
Mar 27, 2010

https://twitter.com/BradleyAllen512/status/1073544852363714561

Dylan16807
May 12, 2010
Seems like the real issue is that the maximum password length is 9 characters, and it's case insensitive. Allowing extra characters when logging in is quirky but doesn't have a meaningful impact on security.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


"I've seen this in a couple other financial institutions like 4-5 years ago. What it ended up being was a character limit at the backend that wasn't represented in the UI. The backend gets input too big and truncates to known length, hashes, and compares against known value."

It sounds like they have a "secret character limit" and that person's password isn't actually as long as they think it is.
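Added example (not code from anyone in the thread, and not any bank's real implementation): a hypothetical legacy verify routine that silently folds case and truncates to a hidden 9-character limit before hashing, next to one that rejects over-length input and uses a salted, slow hash. Running it shows why any suffix past the limit is accepted and how little search space the legacy check actually enforces.

```python
"""Silent password truncation at the backend versus a check that fails closed.

LEGACY_LIMIT, MAX_LEN and both store/verify pairs are constructed for this
illustration; the 9-character, case-insensitive behaviour mirrors the thread."""
import hashlib
import hmac
import math
import os
from typing import Tuple

LEGACY_LIMIT = 9    # hidden backend limit, never shown in the UI (constructed)
MAX_LEN = 128       # published cap for the hardened path (constructed)
PBKDF2_ROUNDS = 100_000


def legacy_store(password: str) -> str:
    # Legacy behaviour: fold case, cut to the hidden limit, unsalted fast hash.
    clipped = password[:LEGACY_LIMIT].lower()
    return hashlib.sha1(clipped.encode("utf-8")).hexdigest()


def legacy_verify(stored: str, attempt: str) -> bool:
    # Anything beyond LEGACY_LIMIT is discarded before hashing, so it never matters.
    return hmac.compare_digest(stored, legacy_store(attempt))


def effective_bits(alphabet_size: int, length: int) -> float:
    """Search space the check really enforces, in bits (length * log2(alphabet))."""
    return length * math.log2(alphabet_size)


def hardened_store(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    # Fail closed on over-length input instead of truncating; salt every hash.
    raw = password.encode("utf-8")
    if len(raw) > MAX_LEN:
        raise ValueError(f"password longer than {MAX_LEN} bytes")
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", raw, salt, PBKDF2_ROUNDS)
    return salt, digest


def hardened_verify(salt: bytes, digest: bytes, attempt: str) -> bool:
    raw = attempt.encode("utf-8")
    if len(raw) > MAX_LEN:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", raw, salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, candidate)


if __name__ == "__main__":
    stored = legacy_store("Tr0ub4dor&3xtraLong")
    # Both of these succeed against the legacy check: only "tr0ub4dor" was ever stored.
    print(legacy_verify(stored, "tr0ub4dor"), legacy_verify(stored, "TR0UB4DOR!!!!"))
    print(f"legacy search space: ~{effective_bits(36, LEGACY_LIMIT):.1f} bits")
    salt, digest = hardened_store("Tr0ub4dor&3xtraLong")
    print(hardened_verify(salt, digest, "Tr0ub4dor&3xtraLong"),
          hardened_verify(salt, digest, "tr0ub4dor"))
```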

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Cup Runneth Over posted:

"I've seen this in a couple other financial institutions like 4-5 years ago. What it ended up being was a character limit at the backend that wasn't represented in the UI. The backend gets input too big and truncates to known length, hashes, and compares against known value."

It sounds like they have a "secret character limit" and that person's password isn't actually as long as they think it is.

Right, which means that you've got 8 char, at probably 7 bits, or 8 if you're lucky. You know they're not salting it, and the hash is like 3DES at best or something. Enjoy your 56-64 bits of search space when they're inevitably popped.

Dylan16807
May 12, 2010

Cup Runneth Over posted:

"I've seen this in a couple other financial institutions like 4-5 years ago. What it ended up being was a character limit at the backend that wasn't represented in the UI. The backend gets input too big and truncates to known length, hashes, and compares against known value."

It sounds like they have a "secret character limit" and that person's password isn't actually as long as they think it is.

I found a few things specifically naming a 9 character limit. A secret limit would indeed be pretty bad but I don't know if that's the case here.

Lambert
Apr 15, 2018


Dylan16807 posted:

I found a few things specifically naming a 9 character limit. A secret limit would indeed be pretty bad but I don't know if that's the case here.

Doesn't seem unlikely to me, this is surprisingly common.

Gromit
Aug 15, 2000

I am an oppressed White Male, Asian women won't serve me! Save me Campbell Newman!!!!!!!

Mystic Stylez posted:

I'm going to sell one of my dad's computers and Android mobile phone, so I want to wipe them before doing that.

- For the HDD, are there any alternatives to DBAN where I can still use the computer while doing the wiping of the non-OS drive?


If you're still looking for responses, a Windows full format will overwrite the entire drive with zeros, so you can do that on your second disk while still using the computer. This is what a single DBAN pass would do anyway, and is perfectly fine for a disk wiping process.
Note that I don't mean a quick format. The formatting process should take hours rather than seconds.

Catatron Prime
Aug 23, 2010

IT ME




Mystic Stylez posted:

I'm going to sell one of my dad's computers and Android mobile phone, so I want to wipe them before doing that.

- For the HDD, are there any alternatives to DBAN where I can still use the computer while doing the wiping of the non-OS drive?

- For the SSD, if I do an ATA Secure Erase, how much of the drive's life expectancy will be lost?

- For my Android mobile, what's the procedure I should do? I don't have the slightest idea.

Android's factory reset is pretty hit and miss with actually really deleting stuff. Cellebrite can recover a pretty shocking amount of crap off a factory reset Android. But, very few people are going to forensically examine your device to retrieve your cat photos. Google hard reset and your device model and you'll probably be fine. Encrypting the volume and resetting is also a good suggestion. While you're in recovery mode, wipe the cache partition and whatnot as well.

With iPhone, do a soft reset with the settings menu. Once it finishes, turn it off, hold down the home or volume down key while turning it on to get into DFU mode, and do a factory reinstall by plugging it into iTunes and following the prompts. I can confirm you're not going to find any data after doing that.

That being said, I don't believe most people will bother going to that depth trying to recover anything off a used device. If you really care, software like Piceasoft will overwrite the free space after a factory reset for full data sanitation.

I haven't really tried much, but my understanding of SSDs is that once the bit is flipped on the flash memory, it's gone forever. It's not the same recovery potential like platter hard drives. A full format (not just a quick one) should honestly do the trick, unless you're worried about state level actors, in which case you're screwed anyways. I don't think you would substantially impact the lifecycle by a single pass erase.

Hard drive, a full format or two is probably good enough. Encrypt and wipe the drive for extra peace of mind. Try using some file recovery software to verify the deed is done.
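Added example (not from anyone in the thread) for the "verify the deed is done" step: a streaming check that reads a wiped image or block device in fixed chunks and reports whether any non-zero bytes survived, with the first offsets where residue sits. The sample image is constructed in memory; nothing here writes to a disk.

```python
"""Confirm that a full format or wipe left a disk entirely zeroed.

Point it at a raw device (e.g. /dev/sdX, as root) or an image file. The
make_sample_image() helper is constructed test input, not a real dump."""
import io
import sys
from typing import BinaryIO, List, Tuple

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-TB devices


def scan_for_residue(fh: BinaryIO, chunk: int = CHUNK,
                     max_report: int = 8) -> Tuple[int, int, List[int]]:
    """Return (bytes_scanned, nonzero_bytes, offsets of the first chunks holding data)."""
    total = nonzero = 0
    offsets: List[int] = []
    while True:
        buf = fh.read(chunk)
        if not buf:
            break
        nz = len(buf) - buf.count(0)  # bytes.count(0) counts NUL bytes
        if nz:
            nonzero += nz
            if len(offsets) < max_report:
                offsets.append(total)  # chunk start offset, for a closer look with dd/hexdump
        total += len(buf)
    return total, nonzero, offsets


def is_wiped(path: str, chunk: int = CHUNK) -> bool:
    """True only if every byte read back from path is zero."""
    with open(path, "rb", buffering=0) as fh:
        _, nonzero, _ = scan_for_residue(fh, chunk)
    return nonzero == 0


def make_sample_image(size: int, residue_at: int, residue: bytes) -> io.BytesIO:
    """Constructed: an all-zero image with leftover data at one offset, the way a
    quick format (which only rewrites metadata) would leave old file contents behind."""
    data = bytearray(size)
    data[residue_at:residue_at + len(residue)] = residue
    return io.BytesIO(bytes(data))


if __name__ == "__main__":
    target = sys.argv[1]
    with open(target, "rb", buffering=0) as dev:
        scanned, leftover, where = scan_for_residue(dev)
    verdict = "clean" if leftover == 0 else f"{leftover} non-zero bytes, first at {where}"
    print(f"{target}: scanned {scanned} bytes, {verdict}")
```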

Proteus Jones
Feb 28, 2013



With iOS, doing an Erase and Reset from the settings menu should do the trick. It basically erases the personal/app data and then tosses the encryption key away on top of that.

Seat Safety Switch
May 27, 2008

MY RELIGION IS THE SMALL BLOCK V8 AND COMMANDMENTS ONE THROUGH TEN ARE NEVER LIFT.


Dylan16807 posted:

I found a few things specifically naming a 9 character limit. A secret limit would indeed be pretty bad but I don't know if that's the case here.

A lot of places still use an 8 character lanman hash for stuff. My ISP’s webmail for one thing. Front load your entropy!

Dylan16807
May 12, 2010

OSU_Matthew posted:

I haven't really tried much, but my understanding of SSDs is that once the bit is flipped on the flash memory, it's gone forever. It's not the same recovery potential like platter hard drives.

Modern hard drives are the same. Individual bits are barely stable in the first place, and a single write is enough to wipe out any hope of recovering the previous data.

A few remapped sectors might slip past, still, but that's what a direct ATA erase command is for.

Lambert
Apr 15, 2018


OSU_Matthew posted:

I haven't really tried much, but my understanding of SSDs is that once the bit is flipped on the flash memory, it's gone forever. It's not the same recovery potential like platter hard drives. A full format (not just a quick one) should honestly do the trick, unless you're worried about state level actors, in which case you're screwed anyways. I don't think you would substantially impact the lifecycle by a single pass erase.

Hard drive, a full format or two is probably good enough. Encrypt and wipe the drive for extra peace of mind. Try using some file recovery software to verify the deed is done.

Always ATA Secure Erase in both cases and everything will be gone, including spare sectors.

OSU_Matthew posted:

While you're in recovery mode, wipe the cache partition and whatnot as well.

Factory reset wipes the cache partition as well, but can't hurt. Probably some crazy devices out there where it doesn't.

porktree
Mar 23, 2002

You just fucked with the wrong Mexican.

Lambert posted:

Doesn't seem unlikely to me, this is surprisingly common.

Every time I see this it is because of SOX compliance written as 'passwords must be x char in length', instead of 'at least x char'. Then to comply with audit...

RFC2324
Jun 7, 2012

http 418

porktree posted:

Every time I see this it is because of SOX compliance written as 'passwords must be x char in length', instead of 'at least x char'. Then to comply with audit...

The one place I've seen it, while SOX compliant, assigned passwords when you changed yours.

geonetix
Mar 6, 2011


porktree posted:

Every time I see this it is because of SOX compliance written as 'passwords must be x char in length', instead of 'at least x char'. Then to comply with audit...

Any auditor worth their salt looks past this though

porktree
Mar 23, 2002

You just fucked with the wrong Mexican.

geonetix posted:

Any auditor worth their salt looks past this though

I can't wait to meet that one.

Gromit
Aug 15, 2000

I am an oppressed White Male, Asian women won't serve me! Save me Campbell Newman!!!!!!!

OSU_Matthew posted:

Android's factory reset is pretty hit and miss with actually really deleting stuff. Cellebrite can recover a pretty shocking amount of crap off a factory reset Android. But, very few people are going to forensically examine your device to retrieve your cat photos. Google hard reset and your device model and you'll probably be fine.

Have you done this with Cellebrite yourself? I've used it a lot on phones, but I don't recall trying it on a factory reset phone, and certainly not on enough different makes/models to be a representative set. But if you've noticed it yourself I'd love to hear more detail.

Catatron Prime
Aug 23, 2010

IT ME




Gromit posted:

Have you done this with Cellebrite yourself? I've used it a lot on phones, but I don't recall trying it on a factory reset phone, and certainly not on enough different makes/models to be a representative set. But if you've noticed it yourself I'd love to hear more detail.

Yup, at my last job we were able to pull things like pictures of whiteboards, contacts information and messages, and some other stuff with Cellebrite on a variety of factory reset Androids. This was on devices that had been certified as clean by the company or agency's IT too.

Even old blackberries wouldn't fully delete apps and some other information when doing the "secure" reset. We didn't even put those through Cellebrite at the time, we just opened it up and boom there's your texts, phone number, and several apps you have to manually delete or overwrite. I don't recall whether we found anything on iOS before doing a full reimage, but they had the fewest issues on the forensic end.

I would imagine newer androids with full encryption would be better, I just haven't seen the forensic examination to say so.

apseudonym
Feb 25, 2011

OSU_Matthew posted:

Yup, at my last job we were able to pull things like pictures of whiteboards, contacts information and messages, and some other stuff with Cellebrite on a variety of factory reset Androids. This was on devices that had been certified as clean by the company or agency's IT too.

Even old blackberries wouldn't fully delete apps and some other information when doing the "secure" reset. We didn't even put those through Cellebrite at the time, we just opened it up and boom there's your texts, phone number, and several apps you have to manually delete or overwrite. I don't recall whether we found anything on iOS before doing a full reimage, but they had the fewest issues on the forensic end.

I would imagine newer androids with full encryption would be better, I just haven't seen the forensic examination to say so.

When was the last time you tried this?

mewse
May 2, 2006

Proteus Jones posted:

With iOS, doing an Erase and Reset from the settings menu should do the trick. It basically erases the personal/app data and then tosses the encryption key away on top of that.

That's my understanding as well, it junks the encryption key, turning the storage into noise.

Catatron Prime
Aug 23, 2010

IT ME




apseudonym posted:

When was the last time you tried this?

Last time I personally tried this was about a year ago. But, just as a caveat, the phones tested were probably about twoish years old at that point, like Galaxy six and a few other models I don't specifically remember off the top of my head. Unfortunately I don't work there anymore so I couldn't tell you what things are like currently, other than a general takeaway and the resulting process for securely erasing devices based on the findings.

I don't believe we were able to find any test files on windows phones, though that ship has sailed anyways.

To me it's more interesting from the perspective that everything is a dumpster fire :v:

CLAM DOWN
Feb 13, 2007

nesaM killed Masen
Android has changed a LOT since the S6, just FYI

apseudonym
Feb 25, 2011

CLAM DOWN posted:

Android has changed a LOT since the S6, just FYI

The S6 was just before the mandatory encryption requirements, if my memory serves, but I would have expected them to have had it (though given my experience with Cellebrite's Android claims they probably talked up the SD card something fierce since that isn't wiped in a factory reset).

Lambert
Apr 15, 2018

The S6 had encryption as an optional feature only, not enabled by default.

CLAM DOWN
Feb 13, 2007

nesaM killed Masen

Lambert posted:

The S6 had encryption as an optional feature only, not enabled by default.

And if you enabled it, it performed even worse than before lol

apseudonym
Feb 25, 2011

CLAM DOWN posted:

And if you enabled it, it performed even worse than before lol

Insert rant about microbenchmarks not being indicative of actual device performance

BlankSystemDaemon
Mar 13, 2009



apseudonym posted:

Insert rant about microbenchmarks not being indicative of actual device performance

Insert rant about benchmarks not being useful except to show differences between version 0.02 and 0.03 of a piece of software that has been built with the exact same flags (unless you're testing the compiler), when the software is running on bare-metal (unless you're testing the hypervisor), and with all sources of jitter removed (i.e. in single-user mode), as well as simple stuff like running the tests multiple times and feeding the results through something like ministat to show min, max, median, average, and distribution plus standard deviation and Student's t.

EDIT: Except I guess I kinda just did rant, didn't I. I can't explain why benchmarking wrong makes me so irrationally angry, and I don't like that it does, but it does all the same. :(

BlankSystemDaemon fucked around with this message at 00:07 on Dec 23, 2018

apseudonym
Feb 25, 2011

D. Ebdrup posted:


EDIT: Except I guess I kinda just did rant, didn't I. I can't explain why benchmarking wrong makes me so irrationally angry, and I don't like that it does, but it does all the same. :(

It makes me angry too I just don't let it rile me up too much ;)

The amount of bullshit around encryption performance isn't just bad benchmarking and ignoring Amdahl's law but also hurtful to deploying real meaningful security improvements, though we eventually forced through it.

Gromit
Aug 15, 2000

I am an oppressed White Male, Asian women won't serve me! Save me Campbell Newman!!!!!!!

OSU_Matthew posted:

Yup, at my last job we were able to pull things like pictures of whiteboards, contacts information and messages, and some other stuff with Cellebrite on a variety of factory reset Androids. This was on devices that had been certified as clean by the company or agency's IT too.

Thanks for the extra info. When I'm back at work next year I'll chat with my team and get someone to do some testing.

Catatron Prime
Aug 23, 2010

IT ME




apseudonym posted:

The S6 was just before the mandatory encryption requirements, if my memory serves, but I would have expected them to have had it (though given my experience with Cellebrite's Android claims they probably talked up the SD card something fierce since that isn't wiped in a factory reset).

Right, YMMV and I'm sure newer phones and versions of Android are better about this, especially with mandatory encryption. Not to mention that as a threat vector, someone forensically testing your used factory reset devices outside of an interested state actor is probably pretty drat slim when there are so many easier ways to target an organization or individual.

This is more from a point of interest regarding what a dumpster fire things are, and to just be careful/be aware that older devices can be leaky in ways you didn't even think of.

Rust Martialis
May 8, 2007

At night, Bavovnyatko quietly comes to the occupiers’ bases, depots, airfields, oil refineries and other places full of flammable items and starts playing with fire there
Any Tenable Nessus users here using it to report compliance to templates from Security Center? Either roll-your-own, or the canned templates (SOX, PCI DSS, HIPAA/HITECH, etc.). Looking for good/bad reviews before I try to force security to devote project hours.

Thx

Proteus Jones
Feb 28, 2013



The biggest problem I have with Nessus or other compliance report tools is not so much the tool. It's the uncritical way a lot of security teams use it, divorced from any context of architecture and dependency constraints.

Blinkz0rz
May 27, 2001

MY CONTEMPT FOR MY OWN EMPLOYEES IS ONLY MATCHED BY MY LOVE FOR TOM BRADY'S SWEATY MAGA BALLS
Imo it's related to security becoming a business issue rather than an engineering issue.

I'm currently running into an issue where our governance team (policy and legal analysts) wants to implement policies that broadly affect our engineering teams but that don't contribute in any way to actual risk reduction because the customers they interface with don't care about nuance or architecture and just want to check a box so they can buy our products.

It's extremely frustrating for me because killing engineering velocity to check a box for customers drives away good engineering talent and turns an extremely agile org into a ponderous beast. From a personal perspective it's also disillusioning and not at all the reason I joined the infosec field.

Rust Martialis
May 8, 2007

At night, Bavovnyatko quietly comes to the occupiers’ bases, depots, airfields, oil refineries and other places full of flammable items and starts playing with fire there
The problem is you're not evaluated on reality, you're evaluated on whatever the auditor thinks. It can be internal audit, 3rd party doing your annual 3402 SOC 1, a QSA doing PCI, whatever. They want to see documentation you have a security policy, appropriate controls, and that you follow them. The thing is that running a Nessus report using whatever Tenable calls a "HIPAA Compliance Template" is something you can wave at an auditor based on an arguably *independent* evaluation.

Yeah it's probably mostly meaningless, but ticking boxes means not having red flags in your goddamn audit findings. Those cost *money*, **now**, to fix. And customers get real pissy when you're in material breach.

Internet Explorer
Jun 1, 2005





Well you see, red X's are bad.


BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Clearly lying to auditors is the most viable and prudent path forward
