Ah, yes, Microsoft, the company with a spotless history, just like LastPass.
Jan 18, 2020 04:44

Now that is a snipe
Jan 18, 2020 04:47

I'm using Keepass, but it pisses me the gently caress off, because integration with a browser is a clusterfuck. Multiple unmaintained Chrome plugins, and the one that loosely works, you need to run another executable acting as a bridge. So I'm copypasting right now, which is annoying as hell. I also don't want to pay a monthly subscription fee to store a microscopic amount of data somewhere.
Jan 18, 2020 05:01

Combat Pretzel posted:I'm using Keepass, but it pisses me the gently caress off, because integration with a browser is a clusterfuck. Multiple unmaintained Chrome plugins, and the one that loosely works, you need to run another executable acting as a bridge. So I'm copypasting right now, which is annoying as hell. My Bitwarden suggestion was not a blind call. I got my mom set up with that. She's relatively good with tech as she was a librarian (the first IT profession), but still an old retired lady who needs me to set up anything complicated. The browser plugin is really spiffy. I was really impressed with it, and I'd use it myself if I didn't already have a system using keepass and personal homebrew stuff that I'm quite happy with.
Jan 18, 2020 05:18

I feel this is the closest thread to be relevant for this horror: https://twitter.com/brockwilbur/status/1218252514111283200
Jan 18, 2020 07:38

The Fool posted:Go away troll Ah, now I'm really convinced 1password is the best and all the problems autofilling I'm just imagining.
Jan 18, 2020 07:49

LOL https://twitter.com/zseward/status/1218236371350978561
Jan 18, 2020 08:13

Combat Pretzel posted:I'm using Keepass, but it pisses me the gently caress off, because integration with a browser is a clusterfuck. Multiple unmaintained Chrome plugins, and the one that loosely works, you need to run another executable acting as a bridge. So I'm copypasting right now, which is annoying as hell. Firefox: https://addons.mozilla.org/firefox/addon/keefox/ : https://chrome.google.com/webstore/detail/kee/mmhlniccooihdimnnjhamobppdhaolme You install a KeePass plugin to make it work. Directions and links to the plugin are here: https://forum.kee.pm/t/installing-kee-with-keepassrpc-for-keepass-password-safe-instructions/23
Jan 18, 2020 08:17

Lambert posted:Ah, now I'm really convinced 1password is the best and all the problems autofilling I'm just imagining. The main thing to keep in mind about LastPass is that their infrastructure has been compromised multiple times, and each time the company downplayed what the attackers had access to/could do. When you're changing all of your passwords to your preferred password manager, remember to add 2-factor authentication where available (SMS auth is horrible but unfortunately better than nothing; anyone allowing only that is incompetent).
Jan 18, 2020 12:05

I switched off Lastpass specifically because of their sale to Logmein, but it certainly did fill much better. With autofill, I mean how effective it is at filling the correct form fields whenever I click on the specific entry. 1password has gotten significantly better at this over time, but it's still hit-or-miss with some sites. Lastpass would allow me to manually add/remove form fields it fills, 1password only allows editing of fields the program itself detected, and doesn't allow for adding additional or the removal of superfluous fields. I really don't get why they don't offer such a basic feature.
Jan 18, 2020 12:31

I'm investigating a move from developing line of business apps in finance to infosec. I've got ~5 years' experience as a software engineer, following a 2 year stint in customer success at a software company. Over the last 2 years it's become my job to "do security" on my projects. Yeah, it's distressing from an organisational perspective, and I've been trying to learn as much as I possibly can, but I've discovered that I enjoy applying the practices to our code base and infrastructure. In my experience that seems out of the ordinary for a dev, so why not get paid (more?) to do it full time? I understand infosec is a massive sector; I suppose I'd see myself specialising in defensive application security, but I'm still early on in my research. Anyway, I'm looking for general opinions about this kind of move. Has anyone done it themselves or witnessed it? Good/bad idea? What does a typical job look like: full time, consultant, one or many clients? Am I going to kneecap my earning potential (UK based)? Do I need qualifications to get work? Coming from the software eng world, qualifications are almost a foreign concept.
Jan 18, 2020 12:39

Wiggly Wayne DDS posted:autofill is a contributing factor in how effective password manager vulnerabilities are: don't use it, and especially don't have it auto-submit
Jan 18, 2020 14:22

bike-shed-effect in action ITT
Jan 18, 2020 14:36

Qwan posted:bike-shed-effect in action ITT Besides, we all know purple is the best color.
Jan 18, 2020 14:58

D. Ebdrup posted:What kind of auto-fill are we talking about here? The one that's wholly automatic, or the one where you have to request the fields to be auto-filled by right-clicking and selecting an option in the context menu?
Jan 18, 2020 15:21

Wiggly Wayne DDS posted:no user interaction pre-fill of fields
Jan 18, 2020 15:47

SAVE-LISP-AND-DIE posted:I'm investigating a move from developing line of business apps in finance to infosec. I've got ~5 years experience as a software engineer, following a 2 year stint in customer success at a software company. Over the last 2 years it's become my job to "do security" on my projects. Yeah, it's distressing from an organisational perspective, and I've been trying to learn as much as I possibly can but I've discovered that I enjoy applying the practices to our code base and infrastructure. In my experience that seems out of the ordinary for a dev, so why not get paid (more?) to do it full time? I understand infosec is a massive sector, I suppose I'd see myself specialising in defensive application security, but I'm still early on in my research. I think doing AppSec is a good way forward for you, yeah. There are other roles that may also be good fits once you have your foot in the door, officially. I can’t speak to a few of your questions, but I can provide some general experiences I have: - smaller shops probably won’t have a dedicated appsec person; they may have a role that does that in addition to other things, not have one at all, or outsource it completely. This may limit your job opportunities to contracting or larger orgs in general. This likely is locale specific! - qualifications are a sore point in the community; you may run into some people who swear by them or people who hate them. Look at job listings in your area and see what they request; in the US, at least, it’s common for people to ask for things like CEH, Sec+, and CISSP even when none of those apply to the job you are interviewing for. You can get by without them sometimes, but it makes it harder to get through the HR screen. This thread is mostly not appsec folks (though there may be some around!). It may be useful to you to check out a local security meetup and get some resources there (OWASP has a Slack channel dedicated to mentoring, for instance, that might be useful to you).
Jan 18, 2020 16:27

Jowj posted:i think doing AppSec is a good way forward for you yeah. There are other roles that may also be good fits once you have your foot in the door, officially. Echoing this but be aware that a lot of appsec work isn't the "exploit it and fix it" kind of work. Most of it falls into "scan code/app, interpret report, triage to dev team" which for me, at least, was intensely boring.
Jan 18, 2020 17:50

Security do-over guy: Also, turn on multi-factor authentication on any of your lifeline services which allow it. TOTP soft-tokens (Google Authenticator, MS Authenticator, etc.) are better than SMS, but SMS is better than nothing. Having a second factor for your important services is a good safety net behind a good password.
Jan 18, 2020 17:55

Martytoof posted:Security do-over guy:
Jan 18, 2020 17:58

Curious, do you all use hard tokens or phone apps for 2FA? We got rid of our RSA fobs in favour of the Microsoft Authenticator app.
Jan 18, 2020 18:00

I haven’t touched a hard token in probably three or four years now. E: that being said, I still have RSA tokens for some internal services, only in soft format. I hate it and am actively trying to push for a migration.
some kinda jackal fucked around with this message at 18:04 on Jan 18, 2020
Jan 18, 2020 18:02

CLAM DOWN posted:Curious, do you all use hard tokens or phone apps for 2FA? We got rid of our RSA fobs in favour of the Microsoft Authenticator app. Personally, both (NFC yubikeys are cool!). At work, only soft tokens because of budget.
Jan 18, 2020 18:06

D. Ebdrup posted:SMS would be good if it was possible to have certain numbers/contacts not have notifications displayed on the lock-screen. SMS would be good if it weren't so susceptible to MITM attacks. Answering above, I use Microsoft Authenticator, and more and more of my clients are ditching hard tokens for MFA apps on phones.
Jan 18, 2020 18:17

D. Ebdrup posted:SMS would be good if it was possible to have certain numbers/contacts not have notifications displayed on the lock-screen. The weakness of SMS 2FA has nothing to do with lock notifications and everything to do with phone numbers being incredibly easy to steal (in the US). With a fairly minimal amount of personal information, an attacker can convince the phone company to transfer the victim's phone number to their control using the service portability rules. Then the texts come straight to you. It helps that if the first min wage call-center operator you call isn't cooperative, you can just try again. This is how Twitter CEO Jack guy got his twitter hacked -- someone got ATT/Verizon/whatever to give them his phone number. (Twitter uses SMS for password resets which is even worse.)
Jan 18, 2020 18:20

What’s the attack vector for SMS MFA anyway? I know about SIM cloning, is there anything else? I meant to get the point across that while imperfect it’s still better than no MFA, which is still the case IMO unless there’s a trivial MITM attack that can be performed. It’ll stop the random “I got your password” compromise but I wouldn’t trust it for anything mission critical.
Jan 18, 2020 18:22

Oh right, I'd forgotten about the whole social-engineering part that makes SMS so useless. Worst part is, because of industry pressure, NIST reneged on their attempts to stop companies from using SMS, by explicitly stating that it wasn't good for MFA purposes. Why does everything have to be in the service of the least common denominator when it comes to security?
Jan 18, 2020 18:30

D. Ebdrup posted:Oh right, I'd forgotten about the whole social-engineering part that makes SMS so useless. I just wish 2FA was mandatory. The amount of resistance to password managers just kills me. I sound like a broken record player telling everyone to start using one.
Jan 18, 2020 18:33

SAVE-LISP-AND-DIE posted:Anyway, I'm looking for general opinions about this kind of move. Has anyone done it themselves or witnessed it? I used to do webdev. A buddy (who was an SRE) and I kept owning the hell out of the web app (this was at a SaaS shop), so they had us start the security team. Now he works at Mozilla and I work at Google. I've been doing hacker nerd poo poo since I was in high school, though, so it's not like I was coming into the field totally ignorant (at least in like exploit dev and stuff; I had next to no experience in blue team other than "knowing how to not write vulnerabilities"). Being a software engineer that knows security things, or a security person that can actually program like a developer (instead of writing lovely unmaintainable scripts), makes you worth more than peers in either field that can't do that. This is especially true at smaller companies that don't necessarily have the headcount to just have security engineers tell the SWEs what to build.
Jan 18, 2020 19:25

CLAM DOWN posted:Curious, do you all use hard tokens or phone apps for 2FA? We got rid of our RSA fobs in favour of the Microsoft Authenticator app. We use MS Authenticator as our fleet is too mixed for YubiKeys (not enough USB-C laptops to go for the USB-C+Lightning combo). The Android build is a bit buggy but doable; the iOS build is a tad more stable. The sole hard tokens we had to handle were for our finance staff, and thanks to PSD2 those are gone too (sadly the bank defaulted to SMS rather than TOTP).
Jan 19, 2020 10:26

CLAM DOWN posted:Curious, do you all use hard tokens or phone apps for 2FA? We got rid of our RSA fobs in favour of the Microsoft Authenticator app. I use andOTP on my phone (since it has a few more features such as icons and GPG-encrypted backups compared to Google Authenticator) and a Feitian ePass (https://www.amazon.com/Feitian-ePass-NFC-FIDO-Security/dp/B01M1R5LRD) for services that allow more than one 2FA device (like G Suite). The Feitian is nice, it supports U2F, NFC, and technically also has some smart card functionality (which you configure via a no doubt terrible Windows app which I couldn't be bothered to try to get to work in Wine). At work, we use Passbolt for password sharing.
Jan 19, 2020 14:43

I use SafeInCloud and I'm quite happy with it.
Jan 19, 2020 18:48

I use Authy.
Jan 19, 2020 19:19

Hollow Talk posted:I use andOTP on my phone (since it has a few more features such as icons and GPG-encrypted backups compared to Google Authenticator) and a Feitian ePass (https://www.amazon.com/Feitian-ePass-NFC-FIDO-Security/dp/B01M1R5LRD) for services that allow more than one 2FA device (like G Suite). We use the Feitian for its GIDS-compatible SmartCard functions. Yes, you do configure it via the god-awful app, but that's just a mode switch for CCID/U2F/OTP. Nice cheap dongle!
Jan 19, 2020 23:59

I have Qs about general internet security. 1. What’s the best email provider for anonymity and security? Protonmail? 2. What’s the best online payment service for anonymity and security? 3. What’s the best password practice for security and convenience? I already use a VPN service. I recognize 100% anonymity isn't possible. Apologies if this isn’t the correct thread.
Jan 20, 2020 02:07

Martytoof posted:What’s the attack vector for SMS MFA anyway? I know about SIM cloning, is there anything else? You don't even need SIM cloning; any simple pleb at the AT&T customer support can sell you out and swap the SIM. This is probably the Moby Dick of examples, but the security bar is hilariously low. If you do need to do SMS, keep the SMS 2FA to company-issued phones; they'll need additional corp information you can't glean from Equifax breaches.
incoherent fucked around with this message at 06:58 on Jan 20, 2020
Jan 20, 2020 02:26

incoherent posted:You don't even need SIM cloning; any simple pleb at the AT&T customer support can sell you out and swap the SIM. This is probably the Moby Dick of examples, but the security bar is hilariously low. If you do need to do SMS, keep the SMS 2FA to company-issued phones; they'll need additional corp information you can't glean from Equifax breaches. Boo. Rogers here in Canada has a "security PIN" that's supposed to prevent this from happening, but I've never once been asked to verify it to make any changes to my account. Also, I'm not sure how the PIN works, but if it's just a visual check on the rep's part then it obviously doesn't stop insider bad actors like you described. Sigh.
Jan 20, 2020 13:55

Martytoof posted:What’s the attack vector for SMS MFA anyway? I know about SIM cloning, is there anything else? SIM swapping, SIM cloning, and faked SS7 redirects are all ways to get SMS messages destined to someone else.
Jan 20, 2020 14:13

TURGID TOMFOOLERY posted:I have Qs about general internet security. 1. Use any over some kind of anonymisation layer and use PGP. Protonmail security is just kind of annoying, requires SMS verification of a non-VOIP number on signup, and the people that email you / the people that you email are probably sending plaintext/non-E2E anyway, so the point of it is half moot. 2. Monero over Tor or some poo poo probably, but good luck using it in day-to-day purchases. VPN service: commercial ones are probably absolute flaming shitshows.
Jan 20, 2020 17:14

3. Use a password vault program (lol) (just use 1password or LastPass, it's fine) to generate and store a long/complex/unique password for every login. Never reuse. Supplement with 2FA wherever possible. SMS is way way better than nothing. Get a Yubikey for the best. Thanks all for your answers to my hard vs soft token question btw. It's interesting to see what other companies use on large scales. I would prefer to use a Yubikey at work, but we went for the easiest widespread option for less technical folks, to encourage adoption and use. Hence, Microsoft Authenticator (with the login prompt enabled so people just tap "approve").
Jan 20, 2020 17:18