cage-free egghead
Mar 8, 2004

Martytoof posted:

How many times have you been to Applebee's anyway? Do you even need a menu at this point? :colbert:

I haven't been to one in two years, but even then they had already had tablets with menus, games, etc. on them for well over a few years now.

Edit: lovely restaurant page snipe

Bonzo
Mar 11, 2004

Just like Mama used to make it!

CommieGIR posted:

Wired with an article on how badly done their API security was:
https://www.wired.com/story/parler-hack-data-public-posts-images-video/

TL;DR: This isn't the first time a Conservative reactionary social network has gotten easily owned, they tend to be fly by night shops and develop with no eye on security whatsoever, in this case some very basic API best practices would've saved them the heartache.

quote:

...doesn't use any sort of "rate limiting" that would cut off anyone accessing too many posts too quickly.

This sounds like it was as secure as a porn site in 1996. Jesus.

RFC2324
Jun 7, 2012

http 418

Bonzo posted:

This sounds like it was as secure as a porn site in 1996. Jesus.

I remember being able to look at the URL of an image, and then wget it with a couple of ?? in place of the numbers to get the whole series that was behind a paywall.
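
As an added example (not from the thread, the Wired article, or Parler's own code), here is the pattern the two posts above describe and the two controls that defeat it, written in Python: a toy post store with sequential integer IDs and no rate limit next to one that hands out 128-bit opaque IDs and throttles each client with a token bucket. The PostStore class, the client names and the 1 request/second, burst-of-5 limit are all constructed assumptions.

```python
import secrets
import time


class TokenBucket:
    """Per-client token bucket: refills `rate` tokens/second, holds at most `burst`."""

    def __init__(self, rate: float, burst: int, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self._state = {}  # client_id -> (tokens, last_refill_timestamp)

    def allow(self, client_id: str) -> bool:
        now = self.clock()
        tokens, last = self._state.get(client_id, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        self._state[client_id] = (tokens - 1.0 if allowed else tokens, now)
        return allowed


class ManualClock:
    """Deterministic clock so the example behaves the same on every run."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class PostStore:
    """Toy post store with the naive lookup and the hardened lookup side by side."""

    def __init__(self, clock=time.monotonic):
        self._posts = {}      # sequential internal id -> post text
        self._public = {}     # opaque public id -> internal id
        self._limiter = TokenBucket(rate=1.0, burst=5, clock=clock)
        self.throttled = 0    # requests refused (an HTTP 429 in a real service)

    def add(self, text: str) -> str:
        internal = len(self._posts) + 1
        public = secrets.token_urlsafe(16)   # 128 random bits: not enumerable
        self._posts[internal] = text
        self._public[public] = internal
        return public

    def get_naive(self, client: str, post_id: int):
        # The failure mode from the article: sequential integer IDs, no
        # authentication and no rate limit, so one loop dumps everything.
        return self._posts.get(post_id)

    def get_hardened(self, client: str, public_id: str):
        if not self._limiter.allow(client):
            self.throttled += 1
            return None
        return self._posts.get(self._public.get(public_id))


def scrape_naive(store: PostStore, client: str, max_id: int) -> int:
    """The `wget` loop from the post above: count how many posts it recovers."""
    return sum(store.get_naive(client, i) is not None for i in range(1, max_id + 1))


def scrape_hardened_by_guessing(store: PostStore, client: str, max_id: int) -> int:
    # Same loop against the hardened endpoint: integer guesses never match an
    # opaque id, and the bucket refuses almost all of the requests anyway.
    return sum(store.get_hardened(client, str(i)) is not None for i in range(1, max_id + 1))


def demo(n_posts: int = 1000) -> dict:
    clock = ManualClock()
    store = PostStore(clock=clock)
    ids = [store.add(f"post {i}") for i in range(n_posts)]
    naive = scrape_naive(store, "scraper", n_posts)
    guessed = scrape_hardened_by_guessing(store, "scraper", n_posts)
    # Even a scraper that somehow knows real public ids only gets `burst` per second.
    known = sum(store.get_hardened("scraper2", pid) is not None for pid in ids)
    clock.now += 3.0  # three seconds later the bucket has refilled three tokens
    later = sum(store.get_hardened("scraper2", pid) is not None for pid in ids[:10])
    return {"naive": naive, "guessed": guessed, "known_first_second": known,
            "known_after_3s": later, "throttled": store.throttled}


if __name__ == "__main__":
    print(demo())
```

The opaque IDs stop the `??`-style enumeration outright, and the bucket caps what a scraper gets even when it holds valid IDs; in a real service the refusal would be a 429 with a Retry-After header, and authentication would sit in front of both lookups rather than being absent as it was here.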

CLAM DOWN
Feb 13, 2007

22 Eargesplitten posted:

Yeah, I was thinking of a situation like a QR code menu posted on a window, like some restaurants have their menus in the window: someone finds the site it goes to, then slaps a new one up there that goes to a site that puts malware on the phone and then, once it is done, redirects to the proper site so nobody knows anything even happened.

There are cards/stickers on each table inside. It's not a window on the street. You're railing against an issue that has yet to exist, in the context of virtual menus at a restaurant.

DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness

CLAM DOWN posted:

There are cards/stickers on each table inside. It's not a window on the street. You're railing against an issue that has yet to exist, in the context of virtual menus at a restaurant.

For now. I can absolutely see a not-too-distant future where shops do slap a QR code up the same way they used to do with printed menus for people walking by and trying to decide if they want to pop in or not.

I still don't think it's a major issue if you don't allow side-loading apps, especially since I'd imagine the majority of them would put the stickers under / behind the glass along with the printed menu, making it a bit more obvious if someone slapped a replacement over top--the effort:reward still sucks. Not quite as bad as actually dropping infected USB sticks in the parking lot and hoping, but you're not hitting the thousands a day you'd need to actually get real use out of it unless you were intentionally targeting a specific restaurant because it's frequented by high value targets. So I guess maybe I'd be more careful about the burger joint right next to a SCIF or something.

22 Eargesplitten
Oct 10, 2010

CLAM DOWN posted:

There are cards/stickers on each table inside. It's not a window on the street. You're railing against an issue that has yet to exist, in the context of virtual menus at a restaurant.

I'm not railing against anything, I'm asking if it's as bad of an idea as it seems because all I know about QR codes is you aren't supposed to scan random ones. Also I've literally never seen it so I don't know if anyone puts it on windows as well. I haven't been to a restaurant since August or so, and before that it was March.

22 Eargesplitten fucked around with this message at 01:37 on Jan 14, 2021

The Fool
Oct 16, 2003


The Fool posted:

It’s not any riskier than typing in a URL, soooo

:shrug:

also

The restaurants in the downtown area here started putting QR codes in their windows like a year ago or something

Lots of tourist foot traffic and the ones I’ve seen usually link to an online order form for pickup

DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness
If you have side-loading turned on and you like mashing "Ok!" on any button that pops up, yeah, it's a Bad Idea to scan stuff that you don't implicitly trust.

Otherwise the effort put into making a functional hack that doesn't rely on side-loading is very disproportionate to your likely success and payoff. I mean maybe as an extension of an existing bad-app campaign (where the app already is in the Google/Apple app stores), but even then those campaigns are hoping to infect hundreds of thousands, not hundreds, and are usually run by groups outside the US. For them to hire someone to go to the effort of finding local shops, putting together custom redirectors to bounce you eventually to the correct page, and then actually going out and slapping them up just seems like a ton of extra expense and work for minimal payoff.

Could work as a targeted watering-hole style attack, though.

mllaneza
Apr 28, 2007

Veteran, Bermuda Triangle Expeditionary Force, 1993-1952

DrDork posted:

It certainly confirms something that most of us already assumed about Pharma Cos, at least.

Years ago, before the Sunshine Act, I dated the daughter of the Head of Medicine at a major California med school. He made more than the governor. She used to tell me stories about the annual big sales pitch in Carmel, CA. It's a snooty, upscale coastal town and the pharma sales reps basically took the place over for two weeks to schmooze doctors. She'd come back with thousands of dollars in new outfits and stories of fine dining in Michelin-rated restaurants.

And that's why we have the Sunshine Acts, and we have severe restrictions on comping guests in the cafeteria, and doctors are lucky to get a handful of pens with drug names on them. We do still hire a lot of former cheerleaders as sales reps though; a fit, attractive woman with a bubbly personality can clean up in sales.

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?

mllaneza posted:

Years ago, before the Sunshine Act, I dated the daughter of the Head of Medicine at a major California med school. He made more than the governor. She used to tell me stories about the annual big sales pitch in Carmel, CA. It's a snooty, upscale coastal town and the pharma sales reps basically took the place over for two weeks to schmooze doctors. She'd come back with thousands of dollars in new outfits and stories of fine dining in Michelin-rated restaurants.

And that's why we have the Sunshine Acts, and we have severe restrictions on comping guests in the cafeteria, and doctors are lucky to get a handful of pens with drug names on them. We do still hire a lot of former cheerleaders as sales reps though; a fit, attractive woman with a bubbly personality can clean up in sales.

Yeah, pharma sales are a whole other ballgame. Med devices aren't much better as a whole at least for certain device types.

DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness

mllaneza posted:

We do still hire a lot of former cheerleaders as sales reps though; a fit, attractive woman with a bubbly personality can clean up in sales.

Yup. Never underestimate the social engineering potential of a cute girl in a low-cut top.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

mllaneza posted:

Years ago, before the Sunshine Act, I dated the daughter of the Head of Medicine at a major California med school. He made more than the governor. She used to tell me stories about the annual big sales pitch in Carmel, CA. It's a snooty, upscale coastal town and the pharma sales reps basically took the place over for two weeks to schmooze doctors. She'd come back with thousands of dollars in new outfits and stories of fine dining in Michelin-rated restaurants.

Carmel didn’t get its first Michelin star until 2019, I think! (I got email from the restaurant when they were selected.)

DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness

Subjunctive posted:

Carmel didn’t get its first Michelin star until 2019, I think! (I got email from the restaurant when they were selected.)

Why would you expect sales reps to be honest about the quality of the restaurant they're taking you to when you know they're not gonna be exactly truthful about most of the rest of their pitch, either?

Like half of Sales seems to be predicated on the (apparently well founded) assumption that you can tell people basically anything and they won't bother checking up on it, no matter how easily available the information may be to verify.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
Person gets arrested in Russia, takes a bit to get her phone back

The Russians implanted a chip of some sort
https://twitter.com/_MG_/status/1349756902977097730?s=20

The chip appears to be an over the counter tracker bug:
https://www.alibaba.com/product-detail/PCB-Wifi-LBS-GSM-GPS-Tracker_62166465931.html?spm=a2700.details.maylikeexp.9.3bd72073s5qAQ2

BaseballPCHiker
Jan 16, 2006

I worked at a medical device manufacturer, and even after the Sunshine Act, our sales people were all sorts of shady. Salespeople were first hired on the basis of how good looking they were, male or female.

Somehow someway the company got away with doing "trainings" at fancy golf resorts. So long as the doctors attended what amounted to a 1hr sales pitch/demo they could play golf and eat free meals.

Harik
Sep 9, 2001

From the hard streets of Moscow
First dog to touch the stars


Plaster Town Cop
What's the term for SSO/IAM when used against outside vendors that you cannot make changes with and don't have SSO apis?

A number of employees have to deal with a garbage upstream portal that implements N-simultaneous users as company1 .. companyN accounts. Yes, it's explicitly simultaneous not per-seat, it's just done badly on their end.

My first thought was just push a PW manager database containing the logins they should have access to, but when you login to company3@portal it kicks whoever was already using that out instead of telling you to use a different account. So it'd need some sort of session logic, or at least fill in the accounts sequentially to minimize that.
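
Added example (not code from the thread or from any vendor): one way to build the session logic Harik describes, a check-out broker that leases the pooled vendor logins in order, never hands the same account to two people, expires stale leases, and keeps an audit trail of who held which login when. The account names, the TTL and the users are assumptions; the broker deals only in account names and leaves the actual passwords in the password manager, which the caller queries for the leased name.

```python
import time
from dataclasses import dataclass


@dataclass
class Lease:
    account: str
    holder: str
    expires_at: float


class CredentialPool:
    """Check-out broker for a fixed set of shared vendor logins (company1..companyN).

    Only the account *name* is brokered; the secret stays in the password
    manager or vault and is fetched by the caller for the name it was leased.
    """

    def __init__(self, accounts, ttl_seconds: float, clock=time.monotonic):
        self._order = list(accounts)   # preferred hand-out order (lowest slot first)
        self._leases = {}              # account -> Lease
        self.ttl = ttl_seconds
        self.clock = clock
        self.audit = []                # (timestamp, event, account, user)

    def _log(self, event, account, user):
        self.audit.append((self.clock(), event, account, user))

    def _expire_stale(self):
        now = self.clock()
        for acct, lease in list(self._leases.items()):
            if lease.expires_at <= now:
                del self._leases[acct]
                self._log("expired", acct, lease.holder)

    def checkout(self, user: str):
        """Return the account `user` may log in with, or None if every slot is busy."""
        self._expire_stale()
        for lease in self._leases.values():      # idempotent: one lease per user
            if lease.holder == user:
                lease.expires_at = self.clock() + self.ttl
                self._log("renewed", lease.account, user)
                return lease.account
        for acct in self._order:                 # fill slots sequentially
            if acct not in self._leases:
                self._leases[acct] = Lease(acct, user, self.clock() + self.ttl)
                self._log("checkout", acct, user)
                return acct
        self._log("denied", None, user)          # full: nobody gets kicked off
        return None

    def checkin(self, user: str) -> bool:
        for acct, lease in list(self._leases.items()):
            if lease.holder == user:
                del self._leases[acct]
                self._log("checkin", acct, user)
                return True
        return False

    def holder_of(self, account: str):
        self._expire_stale()
        lease = self._leases.get(account)
        return lease.holder if lease else None


class ManualClock:
    """Deterministic clock so the walkthrough below is reproducible."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    clock = ManualClock()
    pool = CredentialPool([f"company{i}" for i in range(1, 4)], ttl_seconds=600, clock=clock)
    first = [pool.checkout(u) for u in ("alice", "bob", "carol")]
    denied = pool.checkout("dave")           # pool full; dave waits instead of bumping someone
    again = pool.checkout("alice")           # same user, same account, lease renewed
    pool.checkin("bob")
    clock.now += 300
    after_checkin = pool.checkout("dave")    # bob's slot is reused, in order
    clock.now += 301                         # alice's and carol's leases lapse, dave's does not
    after_expiry = pool.checkout("erin")
    return {"first": first, "denied": denied, "again": again,
            "after_checkin": after_checkin, "after_expiry": after_expiry,
            "holder_company1": pool.holder_of("company1"),
            "holder_company2": pool.holder_of("company2"),
            "events": [e[1] for e in pool.audit]}


if __name__ == "__main__":
    print(demo())
```

The audit list is the part worth keeping in production: because the portal only knows "company3 logged in", the broker's record is the only thing that ties a vendor-side session back to a named employee.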

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
Parler's hosting requirements leaked and it's... something...

https://twitter.com/th3j35t3r/status/1350612426115452935?s=20

There are Top500 supercomputers with less hardware than they are demanding.

Sickening
Jul 16, 2007

Black summer was the best summer.

CommieGIR posted:

Parler's hosting requirements leaked and it's... something...

https://twitter.com/th3j35t3r/status/1350612426115452935?s=20

There are Top500 supercomputers with less hardware than they are demanding.

Considering how they were exploited, I assume the code is so unoptimized that it racks up some major bills. This is what I would assume my devs would come up with if they didn't have any infrastructure people.

xtal
Jan 9, 2011

by Fluffdaddy
As Peter Sunde said, embarrassing

CLAM DOWN
Feb 13, 2007

What the gently caress is their code lol

xtal
Jan 9, 2011

by Fluffdaddy

CLAM DOWN posted:

What the gently caress is their code lol

Probably Rails

Absurd Alhazred
Mar 27, 2010

by Athanatos

xtal posted:

Probably Rails

Rudy on Rails

Internet Explorer
Jun 1, 2005

:golfclap:

Butter Activities
May 4, 2018

22 Eargesplitten
Oct 10, 2010

Going to quote this one more time.

Looking at that, I'm guessing their devs think that Cloudfront is a euphemism for their old forum.

gallop w/a boner
Aug 16, 2002

Hell Gem
Can anyone help me put a risk into context, regarding Azure AD App Registrations. Specifically this: https://threatpost.com/mimecast-certificate-microsoft-supply-chain-attack/162965/

So my org uses Mimecast. We had an Azure App Registration setup that allows Mimecast to backup our O365 mailboxes. The App Registration config allows read rights to our Exchange Online tenant. In the authentication config we uploaded a certificate supplied by Mimecast. An attacker then stole this certificate from Mimecast.

Mimecast are not divulging a lot of information at this point. They have told customers to expect a more detailed update this week; so far we have just been told to delete and recreate the App Registration.

1) Am I correct in thinking that an attacker with the certificate could read our org's Exchange Online data and there would be no particular obstacles to this? Basically like in this code tutorial (https://www.c-sharpcorner.com/article/register-your-application-to-work-with-office-365-part-two/), just supply the tenant ID and the certificate and then access the relevant API?

2) Any idea how we would detect if this has already happened? Where is App Registration/Service Principal use logged? Can't figure this out from the documentation.

Bandire
Jul 12, 2002

a rabid potato

My (admittedly limited) understanding is that the attacker could potentially access all your EXO data. For what it's worth, Mimecast told us Microsoft only detected suspicious traffic on five customer tenants, so unless they have contacted you already then your data may not have been accessed.

It still looks pretty bad though. We'll see when they release more details. We are a particularly noisy customer, so they proactively called us to disconnect when the breach was discovered.

titaniumone
Jun 10, 2001

CrowdStrike CTF starts tomorrow, if anyone likes that sort of thing

https://mobile.twitter.com/CrowdStrike/status/1348702484731211777

i am a moron
Nov 12, 2020

"I think if there’s one thing we can all agree on it’s that Penn State and Michigan both suck and are garbage and it’s hilarious Michigan fans are freaking out thinking this is their natty window when they can’t even beat a B12 team in the playoffs lmao"

gallop w/a boner posted:

Can anyone help me put a risk into context, regarding Azure AD App Registrations. Specifically this: https://threatpost.com/mimecast-certificate-microsoft-supply-chain-attack/162965/

So my org uses Mimecast. We had an Azure App Registration setup that allows Mimecast to backup our O365 mailboxes. The App Registration config allows read rights to our Exchange Online tenant. In the authentication config we uploaded a certificate supplied by Mimecast. An attacker then stole this certificate from Mimecast.

Mimecast are not divulging a lot of information at this point. They have told customers to expect a more detailed update this week; so far we have just been told to delete and recreate the App Registration.

1) Am I correct in thinking that an attacker with the certificate could read our org's Exchange Online data and there would be no particular obstacles to this? Basically like in this code tutorial (https://www.c-sharpcorner.com/article/register-your-application-to-work-with-office-365-part-two/), just supply the tenant ID and the certificate and then access the relevant API?

2) Any idea how we would detect if this has already happened? Where is App Registration/Service Principal use logged? Can't figure this out from the documentation.

1) If they have the secret (if one was generated) or you’re doing cert-based auth, there is no barrier unless you’re using conditional access.

2) Azure sign-in logs. If those haven’t been sent to a Log Analytics workspace they’re more limited from a retention standpoint. Edit: You can also go to the Enterprise App registration and look specifically at when/where the API was used.

i am a moron fucked around with this message at 05:26 on Jan 18, 2021
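
As an added example (not from the thread or from Microsoft's tooling), this is the kind of review the answer above points at: pull the service principal sign-ins for the app registration, build a baseline of source IPs and resources from before the period of concern, and flag anything after it that comes from a new IP or touches a resource the integration should not need. The records below are constructed to approximate the fields of an Azure AD service principal sign-in export (`createdDateTime`, `appId`, `servicePrincipalId`, `ipAddress`, `resourceDisplayName`, `status`); the app ID, the IPs (RFC 5737 documentation ranges) and the cutoff date are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample export, one sign-in per line (NDJSON). Every value is made up.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2020-12-20T02:00:11Z","appId":"aaaaaaaa-0000-0000-0000-000000000001","appDisplayName":"Mailbox Backup","servicePrincipalId":"sp-0001","ipAddress":"203.0.113.10","resourceDisplayName":"Office 365 Exchange Online","status":{"errorCode":0}}
{"createdDateTime":"2020-12-27T02:00:09Z","appId":"aaaaaaaa-0000-0000-0000-000000000001","appDisplayName":"Mailbox Backup","servicePrincipalId":"sp-0001","ipAddress":"203.0.113.11","resourceDisplayName":"Office 365 Exchange Online","status":{"errorCode":0}}
{"createdDateTime":"2021-01-03T02:00:14Z","appId":"aaaaaaaa-0000-0000-0000-000000000001","appDisplayName":"Mailbox Backup","servicePrincipalId":"sp-0001","ipAddress":"203.0.113.10","resourceDisplayName":"Office 365 Exchange Online","status":{"errorCode":0}}
{"createdDateTime":"2021-01-10T02:00:12Z","appId":"aaaaaaaa-0000-0000-0000-000000000001","appDisplayName":"Mailbox Backup","servicePrincipalId":"sp-0001","ipAddress":"203.0.113.11","resourceDisplayName":"Office 365 Exchange Online","status":{"errorCode":0}}
{"createdDateTime":"2021-01-11T17:42:03Z","appId":"aaaaaaaa-0000-0000-0000-000000000001","appDisplayName":"Mailbox Backup","servicePrincipalId":"sp-0001","ipAddress":"198.51.100.7","resourceDisplayName":"Office 365 Exchange Online","status":{"errorCode":0}}
{"createdDateTime":"2021-01-11T17:45:51Z","appId":"aaaaaaaa-0000-0000-0000-000000000001","appDisplayName":"Mailbox Backup","servicePrincipalId":"sp-0001","ipAddress":"203.0.113.10","resourceDisplayName":"Microsoft Graph","status":{"errorCode":0}}
{"createdDateTime":"2021-01-12T02:00:10Z","appId":"bbbbbbbb-0000-0000-0000-000000000002","appDisplayName":"Some Other App","servicePrincipalId":"sp-0002","ipAddress":"198.51.100.7","resourceDisplayName":"Microsoft Graph","status":{"errorCode":0}}
"""

APP_ID = "aaaaaaaa-0000-0000-0000-000000000001"      # assumed: the backup app registration
EXPECTED_RESOURCES = {"Office 365 Exchange Online"}   # all this integration should ever touch
CUTOFF = datetime(2021, 1, 5, tzinfo=timezone.utc)   # assumed start of the window of concern


def parse_signins(ndjson: str) -> list:
    """Parse the export and attach an aware datetime to each record."""
    records = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def baseline(records: list, app_id: str, cutoff: datetime):
    """Source IPs and resources this app used in successful sign-ins before the cutoff."""
    ips, resources = set(), set()
    for r in records:
        if r["appId"] == app_id and r["ts"] < cutoff and r["status"]["errorCode"] == 0:
            ips.add(r["ipAddress"])
            resources.add(r["resourceDisplayName"])
    return ips, resources


def suspicious_signins(records: list, app_id: str, cutoff: datetime, expected_resources: set) -> list:
    """Sign-ins of `app_id` at or after the cutoff from a new IP or to an unexpected resource."""
    known_ips, _ = baseline(records, app_id, cutoff)
    flagged = []
    for r in records:
        if r["appId"] != app_id or r["ts"] < cutoff:
            continue
        reasons = []
        if r["ipAddress"] not in known_ips:
            reasons.append(f"new source ip {r['ipAddress']}")
        if r["resourceDisplayName"] not in expected_resources:
            reasons.append(f"unexpected resource {r['resourceDisplayName']}")
        if reasons:
            flagged.append((r["createdDateTime"], r["ipAddress"], r["resourceDisplayName"], reasons))
    return flagged


def demo() -> list:
    return suspicious_signins(parse_signins(SAMPLE_SIGNINS), APP_ID, CUTOFF, EXPECTED_RESOURCES)


if __name__ == "__main__":
    for ts, ip, resource, reasons in demo():
        print(ts, ip, resource, "; ".join(reasons))
```

Two caveats a practitioner would want: the baseline window has to end before the earliest date the certificate could have been misused, otherwise the attacker's own IP is baked into "known"; and sign-in logs only show where and when tokens were issued to the service principal, so what was then read from mailboxes is a question for the Exchange / unified audit log rather than for this list.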

Vegetable
Oct 22, 2010

Didn't see a more relevant thread for this, so apologies if it is off-topic.

Would like to share some pains I'm having with customer authentication at my company. We're a fintech app for mobile devices, serving consumers in a developing country. For the first factor they first tried passwords, and found that large segments of people were constantly forgetting their passwords and getting locked out. So they decided to make SMS TOTPs the first factor instead. (Each account is unique to a phone number, so there's no problem with coverage, at least.)

Unfortunately this opened the floodgates to phishing. The market we're in has low cybersecurity literacy so we're talking about very large numbers of people getting their accounts taken over every day. Just dangling the prospect of cash prizes and pretending to be a company employee were enough to complete the scam. Loud warnings in our SMS -- "DO NOT SHARE WITH ANYONE ELSE" -- did not help.

So we think 2FA would help. But it's been really hard to find something that is phishing-proof and customer-friendly. Authentication devices and authenticator apps would all be pretty tricky for a customer base with mixed digital literacy skills. Backup codes wouldn't really guard against phishing.

The big question is how to protect customers against themselves, and my research hasn't found something that really makes sense for our situation. Any advice would be helpful.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


I've seen some finance websites use a series of personal questions as a second login step. Presumably those would be easier to remember than a password.

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

Vegetable posted:

The market we're in has low cybersecurity literacy so we're talking about very large numbers of people getting their accounts taken over every day. Just dangling the prospect of cash prizes and pretending to be a company employee were enough to complete the scam. Loud warnings in our SMS -- "DO NOT SHARE WITH ANYONE ELSE" -- did not help.

So we think 2FA would help.

How, exactly, would 2fa help against these particular scams?

Raymond T. Racing
Jun 11, 2019

I’m not saying your company is potentially over their collective heads in this, but yikes.

The only truly unphishable 2FA method is U2F which has iffy mobile support to begin with (and that’s assuming smartphones). Everything else is phishable with varying amounts of effort.

Vegetable
Oct 22, 2010

Jabor posted:

How, exactly, would 2fa help against these particular scams?
I'm not an expert on this. But I have two thoughts.

One, an additional level of authentication -- whatever it may be -- could be enough friction to frustrate scammers or to raise alarm bells for the consumers, particularly if we can use that step to communicate additional warnings to the consumer. This is entirely unproven of course.

Two, the main problem of phishing is that the authentication token is transferable over distances. One possibility we considered was to require 2FA only for new-device logins. To authenticate them, you'd need to have a trusted device authenticate it via a proximity-based check (e.g., bluetooth handshake or NFC). This form of 2FA has a lot of problems -- a trusted device isn't always available, such as when you misplace it. But this form of MFA certainly makes it near-impossible for a gullible consumer to authenticate a scammer, who 100% of the time operates remotely.

Just some ideas that I've been floating. But I'm hoping there'll be more elegant solutions out there.

edit: Another option is, of course, biometric authentication based on fingerprints or face. It's phishing proof if designed correctly. But legally there are a lot of barriers to us doing this.

Vegetable fucked around with this message at 06:34 on Jan 18, 2021

Internet Explorer
Jun 1, 2005

Not being able to use passwords, an SMS MFA code, or app-based MFA is pretty rough. How about sending a login link to their email that's a "click here" so they can't easily copy and paste it, then show them a bunch of pictures (blue dolphin, brown dog, etc.) and make them choose "their" picture. Maybe put a CAPTCHA before they can get an email link sent to them if you want to cut down on people getting spammed with links.

I assume you have no control over the devices they are connecting with and your stuff is web based, not app based?

CyberPingu
Sep 15, 2013


If you're not striving to improve, you'll end up going backwards.
You could do something like magic links potentially. Which are slightly more secure than OTPs and a bit more difficult to phish.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


CyberPingu posted:

You could do something like magic links potentially. Which are slightly more secure than OTPs and a bit more difficult to phish.

Magic links are good. You can even phrase it in the email as "visit this link to gain full access to your account" or something so people might realize what they're handing over.

beuges
Jul 4, 2005
fluffy bunny butterfly broomstick

Vegetable posted:

Didn't see a more relevant thread for this, so apologies if it is off-topic.

Would like to share some pains I'm having with customer authentication at my company. We're a fintech app for mobile devices, serving consumers in a developing country. For the first factor they first tried passwords, and found that large segments of people were constantly forgetting their passwords and getting locked out. So they decided to make SMS TOTPs the first factor instead. (Each account is unique to a phone number, so there's no problem with coverage, at least.)

Unfortunately this opened the floodgates to phishing. The market we're in has low cybersecurity literacy so we're talking about very large numbers of people getting their accounts taken over every day. Just dangling the prospect of cash prizes and pretending to be a company employee were enough to complete the scam. Loud warnings in our SMS -- "DO NOT SHARE WITH ANYONE ELSE" -- did not help.

So we think 2FA would help. But it's been really hard to find something that is phishing-proof and customer-friendly. Authentication devices and authenticator apps would all be pretty tricky for a customer base with mixed digital literacy skills. Backup codes wouldn't really guard against phishing.

The big question is how to protect customers against themselves, and my research hasn't found something that really makes sense for our situation. Any advice would be helpful.

I'm a developer, not a security expert, but my suggestion would be to use a password to register, and then once you've successfully logged in to the app, create an on-device 4-digit PIN to protect the account, or use biometrics on the device if available, and then store an authentication token in secure storage on the phone.
If you move to a new device or you entered your PIN incorrectly too many times, then you use the password to authenticate yourself and create a new PIN. And for the users who don't remember their password, you follow your existing password recovery process, except you should now have a much lower number of password recovery requests cos 4-digit PIN is easier to remember than password with unspecified complexity.

You said in your follow-up that biometrics are legally questionable, but I'd imagine that only becomes a concern if you're trying to validate the face or fingerprint against a stored master record on your backend, which would indeed be an issue. But if you're using the device's biometrics purely to verify that the person using the app is the person owning the phone and then using a pre-stored password or token, the biometric data doesn't leave the device so there's a lot less to worry about... in fact I'd be quite surprised if the fingerprint APIs even allow you to perform a raw scan to verify externally.

I have 4 separate online banking apps on my phone, and each allows me to login using face-ID without having to type in my password. That's probably the route you want to take.
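
Added example (not from the thread): a minimal model of the device-bound design beuges describes and of the property Vegetable is after in the "transferable over distances" post, written in Python with only the standard library. Enrollment needs the password once; afterwards the server accepts only a challenge response computed with a key that never leaves the phone, so a scammer who talks the customer into reading out a PIN or a code has nothing that works remotely, and five wrong PINs wipe the key so a lost phone falls back to password enrollment. The phone number, password, PIN and the HMAC challenge-response scheme are assumptions; a production app would keep the key in the platform keystore (behind the biometric prompt beuges mentions) and would normally use an asymmetric key so the server stores no device secret.

```python
import hashlib
import hmac
import secrets


def _kdf(secret: str, salt: bytes) -> bytes:
    # PBKDF2 for both the account password and the on-device PIN (constructed choice).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


class Server:
    """Backend: password hashes plus one shared key per enrolled device."""

    def __init__(self):
        self._users = {}      # phone -> (salt, password_hash)
        self._devices = {}    # device_id -> (phone, device_key)
        self._nonces = {}     # outstanding nonce -> device_id (single use)
        self.sessions = {}    # session token -> phone

    def register(self, phone: str, password: str):
        salt = secrets.token_bytes(16)
        self._users[phone] = (salt, _kdf(password, salt))

    def enroll_device(self, phone: str, password: str):
        """The password is needed exactly here: binding a new device to the account."""
        salt, stored = self._users.get(phone, (b"", b""))
        if not stored or not hmac.compare_digest(stored, _kdf(password, salt)):
            return None
        device_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._devices[device_id] = (phone, key)
        return device_id, key

    def challenge(self, device_id: str):
        if device_id not in self._devices:
            return None
        nonce = secrets.token_bytes(16)
        self._nonces[nonce] = device_id
        return nonce

    def respond(self, device_id: str, nonce: bytes, proof: bytes):
        """Accept only a fresh nonce answered with the key of the device it was issued to."""
        if self._nonces.pop(nonce, None) != device_id:   # replay or wrong device
            return None
        phone, key = self._devices[device_id]
        expected = hmac.new(key, nonce + device_id.encode(), "sha256").digest()
        if not hmac.compare_digest(expected, proof):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = phone
        return token


class Device:
    """Phone app: the key and PIN hash stand in for secure storage."""

    MAX_PIN_FAILURES = 5

    def __init__(self):
        self.wipe()

    def wipe(self):
        self.device_id = self._key = self._pin_salt = self._pin_hash = None
        self.failures = 0

    def enroll(self, server: Server, phone: str, password: str, pin: str) -> bool:
        result = server.enroll_device(phone, password)
        if result is None:
            return False
        self.device_id, self._key = result
        self._pin_salt = secrets.token_bytes(16)
        self._pin_hash = _kdf(pin, self._pin_salt)
        self.failures = 0
        return True

    def prove(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce + self.device_id.encode(), "sha256").digest()

    def login(self, server: Server, pin: str):
        if self._key is None:
            return None                      # not enrolled or wiped: password required
        if not hmac.compare_digest(self._pin_hash, _kdf(pin, self._pin_salt)):
            self.failures += 1
            if self.failures >= self.MAX_PIN_FAILURES:
                self.wipe()                  # guessing the PIN destroys the key
            return None
        self.failures = 0
        nonce = server.challenge(self.device_id)
        return server.respond(self.device_id, nonce, self.prove(nonce))


def demo() -> dict:
    server, phone = Server(), "+15550100"    # constructed test account
    server.register(phone, "correct horse battery staple")
    phone_app = Device()
    enrolled = phone_app.enroll(server, phone, "correct horse battery staple", "4321")
    normal = phone_app.login(server, "4321")
    # Scammer has talked the customer out of the PIN but has no enrolled device.
    phished_pin = Device().login(server, "4321")
    # Scammer replays a challenge/response captured from the real phone.
    nonce = server.challenge(phone_app.device_id)
    proof = phone_app.prove(nonce)
    first_use = server.respond(phone_app.device_id, nonce, proof)
    replay = server.respond(phone_app.device_id, nonce, proof)
    # Five wrong PINs wipe the key; the right PIN no longer works without re-enrolling.
    for _ in range(Device.MAX_PIN_FAILURES):
        phone_app.login(server, "0000")
    after_wipe = phone_app.login(server, "4321")
    reenroll_wrong_pw = phone_app.enroll(server, phone, "wrong password", "4321")
    return {"enrolled": enrolled, "normal": normal is not None, "phished_pin": phished_pin,
            "first_use": first_use is not None, "replay": replay, "after_wipe": after_wipe,
            "reenroll_wrong_pw": reenroll_wrong_pw, "sessions": len(server.sessions)}


if __name__ == "__main__":
    print(demo())
```

What this buys against the scam in the original post: there is no longer a six-digit string the customer can read out over the phone, and the only thing a remote party could ask for (the device key) is never shown to the customer, so the "pretend to be an employee" script has nothing to collect.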

Defenestrategy
Oct 24, 2010

What's wrong with using hardware token auth? Not a lot of support for it?

CyberPingu
Sep 15, 2013


If you're not striving to improve, you'll end up going backwards.

Defenestrategy posted:

What's wrong with using hardware token auth? Not a lot of support for it?

Yeah pretty much. Also technical education barriers and increased support tickets when people inevitably lose them.
