Nalin posted: I like how Keepass2Android installs a custom password keyboard on your phone for the pre-autofill days. It even helps for apps that don't make use of the autofill API yet. Firefox, for example.

# ? Feb 20, 2019 20:50

https://threatpost.com/1password-dashlane-keepass-and-lastpass/142037/

Dashlane posted: “We respectfully disagree with the researcher’s claim that this can be truly fixed by Dashlane, or anyone for that matter. Once the operating system or device is compromised, an attacker will end up having access to anything on the device and there is no way to effectively prevent it. There are solutions that amount to ‘putting the information under the rug’ but any attacker sufficiently sophisticated enough to remotely take control of the user’s device would go around these solutions very easily.”

Lastpass posted: the vulnerability highlighted by ISE was present in a “legacy” Windows Application that accounted for less than 0.2 percent of LastPass usage.

1Password posted: “Fixing this particular problem introduces new, greater security risks, and so we have chosen to stick with the security afforded by high-level memory management, even if it means that we cannot clear memory instantly.”

KeePass posted: KeePass told security publication ZDNet that what ISE found was a “well-known and documented” limitation of “process memory protection.” In fact, that’s verbatim what the company said last September when ISE brought up the issue in KeePass’ bug reporting forum.

Internet Explorer posted: Lot of infosec folks exposing themselves as spreadsheet pushers ITT

# ? Feb 20, 2019 21:04

apseudonym posted: Facebook uses clipboard listeners, you are actually sending every single password to Facebook.

# ? Feb 20, 2019 21:15

The other odd part of that article was pointing out that 1Password 6 on Windows added support for secure enclaves, but then they quietly removed it because "SGX requires an Intel CryptoProvider be included in 1Password, but that provider does not update itself and could lead to an outdated version being used."

# ? Feb 20, 2019 21:15

Kerning Chameleon posted: Firefox, for example.

Firefox does work. You need to be on Firefox version 65 and the beta release of Keepass2Android.

# ? Feb 20, 2019 21:29

It's good that browsers are blocking read access to the copy/paste buffer. But they still have write access, which leaves pastejacking still viable after all these years. Here, try out a pastejacking demo for yourself: https://jsfiddle.net/rpendleton/hQ8ev/

# ? Feb 20, 2019 23:56

Tapedump posted: Source/quote/citation, please?

https://www.thedailybeast.com/facebook-is-spying-on-your-clipboard

A bunch of articles from around that time period, and I don't use facebook or the app, so I can't tell you if it still does that.

# ? Feb 21, 2019 19:36

I got another reminder of how scary the clipboard can be when I was copying some YouTube links on my home computer, and noticed that my Ditto clipboard manager also had a bunch of strings I had copied earlier today at work. I copy a string inside my Ubuntu virtual machine running under VirtualBox. From there the string is first transferred to my host computer running bare bones Lubuntu, then to another virtual machine running Windows and sitting at the lock screen. And as it happens, yesterday evening I had taken an RDP connection to that same virtual Windows from home. The screen lock had been activated ages ago, but the RDP connection was still alive, so anything I copied anywhere in my system would merrily travel upstream all the way. Some of my coworkers can have half a dozen RDP connections to different machines, with nested RDPs going god knows where. You would need a flowchart to figure out where any innocent clipboard copies would end up.

# ? Feb 21, 2019 23:10

can you guys recommend some good infosec twitter follows?

# ? Feb 22, 2019 12:01

mike12345 posted: can you guys recommend some good infosec twitter follows?

@KateLibc - is a Goon
@hacks4pancakes - used to work with her @ Motorola and is whip smart
@cory_scott - CISO at LinkedIn. Used to work with him at $International_Bank and is a really smart guy
@thegrugq
@hdmoore
@briankrebs

# ? Feb 22, 2019 12:24

0xdude is a good follow also

# ? Feb 22, 2019 12:43

What, no love for @SwiftOnSecurity?

# ? Feb 22, 2019 13:26

If you like your infosec mixed with corn and cortana fanfics then sure.

# ? Feb 22, 2019 13:28

Sheep posted: If you like your infosec mixed with corn and cortana fanfics then sure.

No kinkshame, plz.

# ? Feb 22, 2019 13:43

Absurd Alhazred posted: What, no love for @SwiftOnSecurity?

Sheep posted: If you like your infosec mixed with corn and cortana fanfics then sure.

# ? Feb 22, 2019 14:11

Oh, I forgot another one: @tqbf - Thomas Ptacek (founder of Matasano Security). Super smart, met him when he was brought on as a consultant at $International_Bank. Be aware, he puts his foot in his mouth sometimes and digs in when he should walk away. Still a good guy who knows his poo poo.

# ? Feb 22, 2019 14:18

@campuscodi

# ? Feb 22, 2019 15:25

i've had a public list for the yospos sec thread for a while: https://twitter.com/zylche/lists/security

i try and remove any noise from there but good luck with that post 2016

# ? Feb 22, 2019 15:31

Troy Hunt is cool

# ? Feb 22, 2019 15:35

Proteus Jones posted: Oh, I forgot another one

Seconded. He tweets a lot more than I would really like (so that the signal/noise ratio is reasonable) but he's a good follow. He knows his poo poo but also won't stop reading hackernews, so

Also, I'd recommend following the people whose work you really like via RSS subscription to twitter lists. It means you're not on twitter all day.

# ? Feb 22, 2019 17:49

The security folk I follow are mostly people I've worked with or friends but I'd recommend:

@Benlaurie
@tbqf
@natashenka
@sleevi_

# ? Feb 22, 2019 21:19

somewhere, there's a Microsoft server constantly crawling twitter for mentions of sandboxescaper accounts

# ? Feb 23, 2019 05:20

apseudonym posted: Facebook uses clipboard listeners, you are actually sending every single password to Facebook.

Whoa, that gets transmitted? I thought it was only used locally, just like Chrome and Firefox sniff for copied URLs. Do you have a reference for that, or is it something you observed privately?

# ? Feb 23, 2019 10:37

apseudonym posted: @Benlaurie

# ? Feb 23, 2019 10:56

Subjunctive posted: Whoa, that gets transmitted? I thought it was only used locally, just like Chrome and Firefox sniff for copied URLs.

Do you really think that Facebook, a company who has no issues targeting kids to brainwash them into addiction, and who was recently found tricking people into installing basically backdoors onto their phones to collect every single bit of data that the phone sent out, would just willingly choose to not collect that extra clipboard data? Why even give them the benefit of the doubt?

# ? Feb 23, 2019 11:29

Boris Galerkin posted: Do you really think that Facebook, a company who has no issues targeting kids to brainwash them into addiction, and who was recently found tricking people into installing basically backdoors onto their phones to collect every single bit of data that the phone sent out, would just willingly choose to not collect that extra clipboard data? Why even give them the benefit of the doubt?

Yeah, Facebook gets absolutely no slack at all. They are run by, at the most charitable take, an amoral narcissist who surrounds himself with the same.

# ? Feb 23, 2019 12:24

I’m asking because a) I know it wasn’t transmitted when that was first added, and b) because I want to yell at people there if it is now. (Similarly with Chrome, whose parent also had a network-interposing research app using enterprise certificates until FB got in trouble. I have better people to yell at for FB though.)

E: also it didn’t upload all your photos just because it had camera access, and at one point had a post helper that showed it, and if that changed I’d love to find out too!

Subjunctive fucked around with this message at 14:23 on Feb 23, 2019

# ? Feb 23, 2019 14:20

But I ask again, why are you giving them the benefit of the doubt? They are pure scum and are collecting that data, period. You know people at FB? Then yell at them and ask them to prove otherwise. They had the benefit of the doubt but time and time again they’ve shown that they don’t give a poo poo about anything other than how much more money they could earn without any qualms about how to get that. I guarantee you that they’d sell tech to north loving korea if they could do it for the right amount of money. This is the same company that hired a firm to discredit critics and the like by targeting people like Soros with anti-Semitic attacks and inventing fake news. They get absolutely NO leeway. Every bad thing you can imagine they can do, they are doing it unless they can prove otherwise. gently caress Facebook and anyone who chooses to work for them.

Boris Galerkin fucked around with this message at 14:35 on Feb 23, 2019

# ? Feb 23, 2019 14:27

I’m asking a mobile security professional whose opinion and knowledge I respect if I’m understanding his post correctly, and if he has a reference (including his own observation, which would certainly suffice for me) I can use in future conversation. I am at no point saying anything about FB’s current behaviour with respect to the URLs. I’m asking things to find out if it changed, because I am 100% certain that it did not when it was first added. You can ask questions to learn something, not just score points.

# ? Feb 23, 2019 14:31

Subjunctive posted: I’m asking a mobile security professional whose opinion and knowledge I respect if I’m understanding his post correctly, and if he has a reference (including his own observation, which would certainly suffice for me) I can use in future conversation. I am at no point saying anything about FB’s current behaviour with respect to the URLs. I’m asking things to find out if it changed, because I am 100% certain that it did not when it was first added. You can ask questions to learn something, not just score points.

And I’m saying the time to assume Facebook isn’t doing awful evil poo poo is over. It’s time to assume they are unless they can show otherwise.

# ? Feb 23, 2019 14:37

Boris Galerkin posted: And I’m saying the time to assume Facebook isn’t doing awful evil poo poo is over. It’s time to assume they are unless they can show otherwise.

Yes, you’ve made your position clear. I don’t have a problem with you holding that opinion. I haven’t questioned it or asked you to repeat or elaborate on it. Go with god.

# ? Feb 23, 2019 14:41

https://mobile.twitter.com/ashk4n/status/1099146500725063680

Oh look, they developed an app that if leaked would have been “near-fatal” for them in their own words. It’s apparently so bad that they don’t want anybody talking about it period. Something about violating privacy. But yeah, let’s just give them the benefit of the doubt. Surely they’ve learned their lesson.

# ? Feb 23, 2019 14:55

You should read the text more clearly. Someone else built an app on the platform, and may not have disclosed what they were accessing clearly once the user installed it. Leaking of earnings would have been fatal — the 3rd party app was already public, which is how they found out about it. They already had a design to remedy it and were alarmed when they found out what the app was causing. This is actually them acting correctly when they found out something bad was happening on their platform, like Apple putting contact access behind user confirmation way back when, or pulling the research apps more recently. (This is all pretty clear from the Twitter thread, if it’s the same one I remember.) FB has fallen far enough that you don’t need to stretch.

# ? Feb 23, 2019 15:04

I could replace a few nouns in that thread and have several that I was on about Firefox extensions when that was my problem, it occurs to me. I wonder if there are any platforms of note that haven’t had something like that. gmail just put a bunch of new controls in place because of that, too. I think it points to insufficiently adversarial design validation as a system issue, but I don’t have a magic trick for resolving that. It’s definitely something I push my teams on now, but it still relies on sufficient creativity with limited people in the allotted time to match an attacker set (or well-meaning but hazardous user, even) who is not similarly constrained — and you can undo all that hard work with a change later on, if you haven’t captured it all in test plans. Maybe raising goats on a mountain top would feel better.

# ? Feb 23, 2019 15:13

Boris Galerkin posted: And I’m saying the time to assume Facebook isn’t doing awful evil poo poo is over. It’s time to assume they are unless they can show otherwise.

Ahhhh, the good old court of public opinion. Carentiam probandi non excusat.

# ? Feb 23, 2019 15:54

To maybe unfuck the thread a bit: if you have a customer with a regulatory requirement that you run AV, which Windows/Mac AV is least likely to make you wish you’d just cancelled the contract instead?

# ? Feb 23, 2019 16:12

Subjunctive posted: To maybe unfuck the thread a bit: if you have a customer with a regulatory requirement that you run AV, which Windows/Mac AV is least likely to make you wish you’d just cancelled the contract instead?

You can't just stick with MSE for Windows? Doesn't solve your Mac problem but it's about as lightweight as you can get. I've never seen an antivirus on OSX that didn't cause way more problems than it fixed. Avoid Symantec and McAfee because they're terrible. Cylance is probably fine if you're using their on-prem offering, but their cloud AV service kinda sucks for management features. Easily the best of the three though.

# ? Feb 23, 2019 16:21

The Iron Rose posted: You can't just stick with MSE for Windows? Doesn't solve your Mac problem but it's about as lightweight as you can get.

Yeah, I’m pushing for MSE on Windows, but someone at the customer thinks it doesn’t count. I’m trying to find that person. The leading contender now is Bitdefender, I think? I’ll have someone look into Cylance, good call.

Cup Runneth Over posted: Ahhhh, the good old court of public opinion. Carentiam probandi non excusat.

I think Facebook has enough documented bullshit by this point to be condemned pretty soundly on several fronts. (Boris seems to not want to raise any of those, though, which is an odd strategy.) I wanted (want) to know if clipboard upload has changed to be one of those cases, and I know apseudonym can cut through folklore to evidence (if I’m interpreting his post correctly in the first place), that’s all. I still periodically have chastising conversations with FB C-suite and VPs about their bullshit. I know they are hosed up. I just want to know if they hosed this specific thing up, because I have a direct historical relationship to it.

# ? Feb 23, 2019 16:30

We use cylance for windows and mac and it's perfectly needs suiting

# ? Feb 23, 2019 16:34

Boris Galerkin posted: And I’m saying the time to assume Facebook isn’t doing awful evil poo poo is over. It’s time to assume they are unless they can show otherwise.

I don’t see the benefit to be this emotionally invested.

# ? Feb 23, 2019 16:37