Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano

DrPossum posted:

Time to update them ripper dictionaries

ripper is a gangster!!!


cinci zoo sniper
Mar 15, 2013




new macos vuln

https://www.neowin.net/news/google-reveals-high-severity-flaw-in-macos-kernel

Cybernetic Vermin
Apr 18, 2005

that's a pretty cool find, or rather a pretty stupid bit of engineering on Apple's part. just privilege escalation though, so not too terrifying in practice.

Stick Insect
Oct 24, 2010

My enemies are many.

My equals are none.
https://www.bleepingcomputer.com/news/security/open-mongodb-databases-expose-chinese-surveillance-data/

vanity slug
Jul 20, 2010

Glad to see people helping to secure the Chinese surveillance infrastructure.

CmdrRiker
Apr 8, 2016

You dismally untalented little creep!


That was probably horrible to debug. "Uh, where the gently caress did my changes go?"

Notorious b.s.d.
Jan 25, 2003

by Reene

baby's first echelon

Luigi Thirty
Apr 30, 2006

Emergency confection port.

Rufus Ping posted:

ripper is a gangster!!!

yeah, rip(per)

CmdrRiker
Apr 8, 2016

You dismally untalented little creep!

https://twitter.com/rqou_/status/1101331385632022528

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

univbee
Jun 3, 2004




lol nice

so coming back to this thread somewhat hat in hand, it seems the security fuckup is me, although in the most hosed-up way possible

a backdoor was installed on my pc and someone

1. logged in remotely while i wasn't in front of my desktop
2. appears to have been keylogging, so they had my 1password credentials :stonk:

where things get extra-hosed is that i just so happened to be screen capturing at the time, so i have a video recording of this l33t h4x0r d00d trying and sort-of failing to Paypal money to himself from my account, as well as buy two 50-Euro Steam cards (I'm working on getting these reversed, luckily he gave up waiting before the transactions were approved, and for the level of access that the hacker had, they had a very poor plan of attack, it could have been so much worse than it was)

so in the process of resetting passwords galore including my 1password secret and master keys i found out paypal has 2fa which i didn't know before, so that's activated now, although once all this poo poo gets settled i'm going to bail on using paypal if i can help it, and it's also made me super-paranoid about how i have things setup since "person has seen what you do on your pc including keystrokes for a while" is some scary poo poo

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

univbee posted:

lol nice

so coming back to this thread somewhat hat in hand, it seems the security fuckup is me, although in the most hosed-up way possible

a backdoor was installed on my pc and someone

1. logged in remotely while i wasn't in front of my desktop
2. appears to have been keylogging, so they had my 1password credentials :stonk:

where things get extra-hosed is that i just so happened to be screen capturing at the time, so i have a video recording of this l33t h4x0r d00d trying and sort-of failing to Paypal money to himself from my account, as well as buy two 50-Euro Steam cards (I'm working on getting these reversed, luckily he gave up waiting before the transactions were approved, and for the level of access that the hacker had, they had a very poor plan of attack, it could have been so much worse than it was)

so in the process of resetting passwords galore including my 1password secret and master keys i found out paypal has 2fa which i didn't know before, so that's activated now, although once all this poo poo gets settled i'm going to bail on using paypal if i can help it, and it's also made me super-paranoid about how i have things setup since "person has seen what you do on your pc including keystrokes for a while" is some scary poo poo

:stare: Dude, that sucks. What did he install to do so?

So I got the Windows Sandbox installed on my machine, and have been playing with using it as a Cuckoo guest. Unfortunately, by design the Windows Sandbox does not persist files, on purpose of course, but it would mean if I wanted to use it for forensics, I'd have to reinstall Cuckoo every session.

Probably stick with HyperV for now, but I do like it, and that Defender is going to use the sandbox for detonating items.

univbee
Jun 3, 2004




CommieGIR posted:

:stare: Dude, that sucks. What did he install to do so?

the hacking software getting on my pc was definitely my fuckup, i was trying to get a clean version of a drmed video i owned from a really niche digital distributor that's shutting down. what i installed to attempt to circumvent it had the payload inside, and slipped past mse (i was running windows 7, although after the scare i reinstalled to the latest windows 10)

but it made me think how it easily could have been a browser payload or found some way of getting on innocuously

i didn't even know what happened until i checked my screen recording video and scrubbed around to see why my browser window was now suddenly open, seeing them enter my 1password successfully was quite scary

i'm lucky that i had an exact play-by-play of what they did on my pc so i knew who i had to reach out to

Lutha Mahtin
Oct 10, 2010

Your brokebrain sin is absolved...go and shitpost no more!

sorry you lost your weird porn mpeg

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'

Lutha Mahtin posted:

sorry you lost your weird porn, mpreg

univbee
Jun 3, 2004




Here's what I did to try and avoid similar issues going forward (on top of the obvious, don't download anything that has a potential for sketchiness)

- I split everything that can touch money off of my main online 1password account. This is now only accessible via a file-based 1password vault that I'm intentionally not loading on any device I ever walk away from while it's still on, and don't visit those sites from those devices either (if i ever do in a fit of desperation I sign out from them; would be good for Chrome to let you set a timebomb on cookies for specific sites to automate this)

- I memorized the Paypal password instead of having it in any of the 1password vaults.

it does still give me concern about what someone could do if they logged into my computer and started loving around in other ways, like stealing files, deleting email or, worst of all, if they logged into the sa forums as me and started making good posts

Lutha Mahtin posted:

sorry you lost your weird porn mpeg

i wound up just buying a screen capture physical device, so my torpedo tits are saved!

Jowj
Dec 25, 2010

My favourite player and idol. His battles with his wrists mirror my own battles with the constant disgust I feel towards my zerg bugs.

univbee posted:

Here's what I did to try and avoid similar issues going forward (on top of the obvious, don't download anything that has a potential for sketchiness)

- I split everything that can touch money off of my main online 1password account. This is now only accessible via a file-based 1password vault that I'm intentionally not loading on any device I ever walk away from while it's still on, and don't visit those sites from those devices either (if i ever do in a fit of desperation I sign out from them; would be good for Chrome to let you set a timebomb on cookies for specific sites to automate this)


This feels like a decent compromise.


univbee posted:

- I memorized the Paypal password instead of having it in any of the 1password vaults.

this doesn't. i'd make your paypal password hella loving annoying and keep storing it in your 1pass vault. weakening the password such that you can remember it / type it in manually might solve the "if someone owns my local they get my money" problem, but it opens you up to other sorts of attacks that are more common, imo

I might aim for changing your behavior like you alluded to in the beginning of your post. don't download dumb poo poo from the internet, but if you're going to anyway you can always have a separate vm for opening that thing. it's not foolproof or whatever but it makes more sense than going back to 8-12 character passphrases that you forget to rotate / maybe duplicate / whatever

univbee
Jun 3, 2004




Jowj posted:

This feels like a decent compromise.


this doesn't. i'd make your paypal password hella loving annoying and keep storing it in your 1pass vault. weakening the password such that you can remember it / type it in manually might solve the "if someone owns my local they get my money" problem, but it opens you up to other sorts of attacks that are more common, imo

I might aim for changing your behavior like you alluded to in the beginning of your post. don't download dumb poo poo from the internet, but if you're going to anyway you can always have a separate vm for opening that thing. it's not foolproof or whatever but it makes more sense than going back to 8-12 character passphrases that you forget to rotate / maybe duplicate / whatever

i forgot to mention that, once the hopefully-i-get-them refunds are processed, i'm taking my poo poo off paypal too, so even if it does get compromised it won't do them much good

The Fool
Oct 16, 2003


Does PayPal have real mfa now? I thought it was sms only.

univbee
Jun 3, 2004




The Fool posted:

Does PayPal have real mfa now? I thought it was sms only.

yeah it's sms only, but i didn't have that fully activated (it's called something weird in the settings and i didn't notice it until i explicitly went looking for it)

Meat Beat Agent
Aug 5, 2007

felonious assault with a sproinging boner
last i checked it was sms except it lets you have the security code sent to whatever arbitrary phone number you want even if it's not already associated with the account, which seems bad

cinci zoo sniper
Mar 15, 2013




The Fool posted:

Does PayPal have real mfa now? I thought it was sms only.

as of late last year, you had to use verisign 2fa (if that was an option for you) or hackily circumvent that to enable normal totp auth app access

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
Use a VM or Sandbox for capturing stuff like that in the future so you can isolate and contain if the payload you get is not the sexy time video you wanted.

VirtualBox comes to mind, if you have 10 Pro, use HyperV or the new Sandbox.

I used an MMPEG ripper to grab Venture Brothers off the Adult Swim website, so I know how you feel.

Shame Boy
Mar 2, 2010

univbee posted:

yeah it's sms only, but i didn't have that fully activated (it's called something weird in the settings and i didn't notice it until i explicitly went looking for it)


Meat Beat Agent posted:

last i checked it was sms except it lets you have the security code sent to whatever arbitrary phone number you want even if it's not already associated with the account, which seems bad

nope, they support authenticator apps now, i found that out a few weeks ago.

cinci zoo sniper
Mar 15, 2013




Shame Boy posted:

nope, they support authenticator apps now, i found that out a few weeks ago.

i checked just now and i don’t have an option like that, unless i need to kill sms 2fa first

univbee
Jun 3, 2004




Shame Boy posted:

nope, they support authenticator apps now, i found that out a few weeks ago.


cinci zoo sniper posted:

i checked just now and i don’t have an option like that, unless i need to kill sms 2fa first

i also just checked and don't have that either, and i'm pretty sure i didn't when i first set it up a few days ago

Shame Boy
Mar 2, 2010

on the 2FA page, when i hit "add a device" at the bottom of the list I get:



:shrug:

El Mero Mero
Oct 13, 2001

Why not buy a YubiKey/hardware token to use with your 1password? That seems like the real solution here. If you'd had that the attacker wouldn't have been able to access 1password even with your master password.

univbee
Jun 3, 2004




Shame Boy posted:

on the 2FA page, when i hit "add a device" at the bottom of the list I get:



:shrug:

this doesn't show up. maybe it's region-specific? dumb as hell, gotta stick with sms


El Mero Mero posted:

Why not buy a YubiKey/hardware token to use with your 1password? That seems like the real solution here. If you'd had that the attacker wouldn't have been able to access 1password even with your master password.

actually it wouldn't have, because the hardware token only prompts when you sign in on a new device. a big part of the reason why this was especially bad is because it was done from my usual computer/ip address, which is giving me headaches with paypal (it would be different if they had used my creds from the ukraine or whatever)

1password doesn't currently offer a way of changing this behavior (i have 2fa activated for 1password but can still sign in with just my master pw on my computers)

univbee fucked around with this message at 18:04 on Mar 5, 2019

Achmed Jones
Oct 16, 2004



El Mero Mero posted:

Why not buy a YubiKey/hardware token to use with your 1password? That seems like the real solution here. If you'd had that the attacker wouldn't have been able to access 1password even with your master password.

this is absolutely the right solution


edit: wait you can’t set it to require the hardware token every time? drat :gonk:

univbee
Jun 3, 2004




Achmed Jones posted:

edit: wait you can’t set it to require the hardware token every time? drat :gonk:

no but i think i'm going to suggest this to them for a future update

this hack has taught me how utterly hosed you can be if someone remotes into your pc with a keylogger, even with 2fa, it sucks

El Mero Mero
Oct 13, 2001

univbee posted:

this doesn't show up. maybe it's region-specific? dumb as hell, gotta stick with sms


actually it wouldn't have, because the hardware token only prompts when you sign in on a new device. a big part of the reason why this was especially bad is because it was done from my usual computer/ip address, which is giving me headaches with paypal (it would be different if they had used my creds from the ukraine or whatever)

1password doesn't currently offer a way of changing this behavior (i have 2fa activated for 1password but can still sign in with just my master pw on my computers)

Gross. Dashlane gives me the option to choose new device or every time I login. Kinda surprised that 1pass doesn't have that.

My Linux Rig
Mar 27, 2010
Probation
Can't post for 6 years!

univbee posted:

the hacking software getting on my pc was definitely my fuckup, i was trying to get a clean version of a drmed video i owned from a really niche digital distributor that's shutting down. what i installed to attempt to circumvent it had the payload inside, and slipped past mse (i was running windows 7, although after the scare i reinstalled to the latest windows 10)

but it made me think how it easily could have been a browser payload or found some way of getting on innocuously

i didn't even know what happened until i checked my screen recording video and scrubbed around to see why my browser window was now suddenly open, seeing them enter my 1password successfully was quite scary

i'm lucky that i had an exact play-by-play of what they did on my pc so i knew who i had to reach out to

lol you fell for the video codec gambit

still lovely that happened to you though. i wonder if video evidence would help get those steam purchases reimbursed faster

Achmed Jones
Oct 16, 2004




are you sure there’s not a “remember this device” checkbox you can uncheck? like 1password is generally pretty good and this kind of oversight is frankly staggering. I’d expect it to be on the login screen, not in settings

apologies if I’m being obtuse here

univbee
Jun 3, 2004




Achmed Jones posted:

are you sure there’s not a “remember this device” checkbox you can uncheck? like 1password is generally pretty good and this kind of oversight is frankly staggering. I’d expect it to be on the login screen, not in settings

apologies if I’m being obtuse here

i looked, it's definitely not there and not mentioned at all in their "how to setup 2fa" articles

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug
how's a password vault securely supposed to check for 2fa on unlock

on new device, you can put that check on the server

on local unlock, checking a password can be done safely by deriving/entangling the top-level vault key with the password

but for, like, totp you can't do that, since it's just comparing hash(secret, time % 30s)

if you're trusting the client app to not have the 2fa check nop'd out why bother lol, they already got a key logger installed
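
The asymmetry Cocoa Crispies describes above, and the reason univbee's 2FA only bites on a new device, shown in code. This is an added example, not code from the thread and not 1Password's design: the vault key is derived from the master password, so a wrong password gives a wrong key and decryption simply fails, whereas a TOTP check on local unlock is a boolean the client decides and a patched client can skip; the only place a second factor can be enforced for real is on a server that holds the secret, which is why it fires on new-device sign-in. Everything here is constructed: the vault contents, salt and TOTP secret are samples, and the cipher (an HMAC-SHA256 counter keystream plus an HMAC tag) is a stdlib-only stand-in for a real AEAD such as AES-GCM, not something to ship. Note that per RFC 6238 the TOTP counter is floor(time / 30), not time % 30.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample vault contents (not real credentials).
VAULT_SECRET = b"paypal.com  login=univbee  password=correct-horse-battery-staple"


def derive_key(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Master password -> 32-byte vault key. Because the key is *derived* from the
    password, a wrong password yields a wrong key and decryption fails; there is
    no boolean for a tampered client to flip."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream built from HMAC-SHA256. Illustration only;
    # a real vault would use an AEAD such as AES-GCM.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes):
    """Returns the plaintext, or None if the key is wrong or the blob was tampered with."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1(secret, floor(time / step)), dynamically truncated."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def make_vault(password: str, salt: bytes) -> bytes:
    """Seal the sample vault under a key derived from the master password."""
    return seal(derive_key(password, salt), VAULT_SECRET)


def unlock(blob, salt, password, totp_secret, code, unix_time, enforce_totp=True):
    """Local unlock. The TOTP comparison is a plain boolean made by the client;
    enforce_totp=False stands in for a client that has had that check nop'd out.
    The password check cannot be skipped the same way: without the right key,
    open_sealed() has nothing to return."""
    if enforce_totp and not hmac.compare_digest(code, totp(totp_secret, unix_time)):
        return None
    return open_sealed(derive_key(password, salt), blob)


if __name__ == "__main__":
    salt = os.urandom(16)
    totp_secret = b"12345678901234567890"  # RFC 6238 test secret, constructed here
    blob = make_vault("hunter2", salt)
    now = 1_000_000
    good = totp(totp_secret, now)
    bad = f"{(int(good) + 1) % 10 ** 6:06d}"
    print("keylogged password, TOTP check nop'd:", unlock(blob, salt, "hunter2", totp_secret, bad, now, enforce_totp=False))
    print("wrong password, TOTP check nop'd:    ", unlock(blob, salt, "wrong", totp_secret, bad, now, enforce_totp=False))
```

Run as-is: the first line prints the vault contents, because a keylogged master password plus a client with the TOTP branch removed is all an attacker on the box needs; the second prints None, because no amount of client patching produces a key that was never derived. The only fix that changes the first outcome is moving the check somewhere the attacker does not control, which is what the new-device prompt on the server side is.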

Shame Boy
Mar 2, 2010

univbee posted:

this doesn't show up. maybe it's region-specific? dumb as hell, gotta stick with sms

bizarre, yeah maybe it's region-specific or they're A/B testing it or something :shrug:

univbee
Jun 3, 2004




Cocoa Crispies posted:

how's a password vault securely supposed to check for 2fa on unlock

on new device, you can put that check on the server

on local unlock, checking a password can be done safely by deriving/entangling the top-level vault key with the password

but for, like, totp you can't do that, since it's just comparing hash(secret, time % 30s)

if you're trusting the client app to not have the 2fa check nop'd out why bother lol, they already got a key logger installed

well the way i'm doing things now is "gapping" some access. i set up a second vault that's only accessible on my laptop (which i don't have on if i'm not in front of it) and my phone (iphone, not jailbroken or anything like that). so this mitigates at least financial damage possibilities going forward

Lutha Mahtin
Oct 10, 2010

Your brokebrain sin is absolved...go and shitpost no more!

you can make strong passwords that are easy to remember tho


univbee
Jun 3, 2004




Lutha Mahtin posted:

you can make strong passwords that are easy to remember tho

00000000 was good enough as a nuke code during the height of the cold war :colbert:
