CyberPingu posted:
> In a perfect world they work. But the problems come from our inability to use them properly.

A perfect world doesn't exist, so they don't work. Too many in security fail to understand/account for the fact that our users are human beings.
# ? Feb 28, 2021 20:00 |
CLAM DOWN posted:
> A perfect world doesn't exist, so they don't work. Too many in security fail to understand/account for the fact that our users are human beings.

That's why I said in a perfect world. Also why I said we suck at creating them and keeping them safe.
# ? Feb 28, 2021 20:02 |
CyberPingu posted:
> That's why I said in a perfect world. Also why I said we suck at creating them and keeping them safe.

A perfect world doesn't need security. I think people are fine at creating them. This idiocy of constantly rotating them and password complexity nonsense just takes away from what really matters. A system that is only protected by a username and password isn't secure, and it never has been.
# ? Feb 28, 2021 20:21 |
So your solution is to do... what exactly? How do I unlock my phone if we outlaw passwords? Does everyone have to buy little YubiKeys separately to use their phone?
# ? Feb 28, 2021 21:11 |
Mr. Crow posted:
> So your solution is to do... what exactly? How do I unlock my phone if we outlaw passwords? Does everyone have to buy little YubiKeys separately to use their phone?

See, this is a great question when it's not meant to be passive-aggressive nonsense.

So your modern phone has a "password" that is optional but helpful, but not the only line of defense. It's mostly a 4-6 digit keycode which most users have memorized and never rotate (because your users need to actually remember it without writing it down). Guess it wrong too many times and the phone is locked for extended times, or even wiped in certain cases. Modern phones also have fingerprint and facial recognition on top of that, so you can't even leak a password. My wife looks at her phone and it unlocks. These are all enhanced by the fact that you have to physically have the phone.

The web access to the cloud account attached to the phone, by default, keeps track of where you have logged in before, so that if you are attempting to access it in an unknown location, you are challenged. Just having a password isn't enough.

So in this situation you have some very reasonable security while also having a user experience that doesn't suck. It's a great reason why passwords, on their own, loving blow rear end. Every system beyond the password means SO much more.

Sickening fucked around with this message at 22:01 on Feb 28, 2021
# ? Feb 28, 2021 21:25 |
Sickening posted:
> See, this is a great question when it's not meant to be passive-aggressive nonsense.

Sickening posted:
> I wish this entire industry would shut the gently caress up about passwords.

Sure is.

Sickening posted:
> So your modern phone has a "password" that is optional but helpful, but not the only line of defense. It's mostly a 4-6 digit keycode which most users have memorized and never rotate (because your users need to actually remember it without writing it down). Guess it wrong too many times and the phone is locked for extended times, or even wiped in certain cases. Modern phones also have fingerprint and facial recognition on top of that, so you can't even leak a password. My wife looks at her phone and it unlocks. These are all enhanced by the fact that you have to physically have the phone.

Aren't these objectively worse than a reasonably long PIN or password?

Sickening posted:
> The web access to the cloud account attached to the phone, by default, keeps track of where you have logged in before, so that if you are attempting to access it in an unknown location, you are challenged. Just having a password isn't enough.

OK, cool, so you're arguing with nobody, certainly 'the industry', who was saying "passwords by themselves are adequate security".
# ? Feb 28, 2021 22:12 |
Mr. Crow posted:
> Aren't these objectively worse than a reasonably long PIN or password?

No.

Mr. Crow posted:
> OK, cool, so you're arguing with nobody, certainly 'the industry', who was saying "passwords by themselves are adequate security".

I am saying trying to focus on "password complexity" is loving counterproductive and more often than not a waste of time, as well as other things. It's like you either didn't read my entire post or are just ignoring parts of it. Stop that. And since you brought it up, I am arguing with you, the person who brought up the stupid phone and YubiKey bullshit.

Sickening fucked around with this message at 22:33 on Feb 28, 2021
# ? Feb 28, 2021 22:16 |
SMEGMA_MAIL posted:
> Is there a known real-world case where this actually happened? Obviously it's been demonstrated at CTFs and such, but it's such a difficult thing to do that it seems unlikely that it's a significant concern for most users and small companies, compared to a hacker finding and just going after the host directly or something.

Off the top of my head, I can't think of a real-world instance, but I'll see what I can dig up.
# ? Feb 28, 2021 22:58 |
You sure? I haven't paid attention to modern tech, if phones have gotten better, but a quick search shows that even a couple of years ago it was trivial to unlock a phone with face unlock using a picture, for example.

https://nakedsecurity.sophos.com/2019/01/08/facial-recognition-on-42-android-phones-beaten-by-photo-test/
https://www.nytimes.com/2017/04/10/technology/fingerprint-security-smartphones-apple-google-samsung.html
https://security.stackexchange.com/questions/131730/what-are-the-nist-fbi-requirements-for-fingerprint-readers-and-iris-scans

Sickening posted:
> I am saying trying to focus on "password complexity" is loving counterproductive and more often than not a waste of time, as well as other things. It's like you either didn't read my entire post or are just ignoring parts of it. Stop that. And since you brought it up, I am arguing with you, the person who brought up the stupid phone and YubiKey bullshit.

You're being awfully aggressive here, so sorry for offending you. I was reading your posts as if you were advocating getting rid of passwords entirely, and I wasn't exactly sure how you could do that; the phone was the obvious first example of where my apparently imagined argument breaks down.
# ? Feb 28, 2021 23:11 |
Mr. Crow posted:
> You sure?

Those are very outdated and do not apply to the modern IR face unlock, as found in iPhones or the Pixel 4. You cannot unlock those with a picture.
# ? Feb 28, 2021 23:15 |
If I had my way, every single user would have to submit a blood test every single time they wanted to unlock their devices. Treat every user as if they might potentially be The Thing, and you get strict access limiting to boot.
# ? Feb 28, 2021 23:38 |
Mr. Crow posted:
> You sure?

Honestly, it seems like you're the one who's being pretty aggressive here. Passwordless authentication already exists in a variety of contexts, so the whole "how you gonna handle this, smart guy?" routine is very strange. I use it, in different guises, for everything from getting into EC2 instances for work to signing into my personal MS account.

The point of using a phone (or other hardware mechanism) is that it keeps the creds locked up in its own secure enclave, and can do mutual authentication with the remote system. So, having the user's passcode, or their biometric descriptors, doesn't matter by itself - that just lets the user unlock the secure enclave inside the phone, where the real secrets live. The bad guys have to actually get their phone if they want to impersonate the user. That might not be a challenge for the CIA or FSB, but it'll stop most organized crime phishing pretty well. And, once the bad guys have the user's phone, they're still not out of the woods; they need to either get into the HSM (not as tamper-resistant as a datacenter model but still, hope they're at that CIA/FSB level) or guess the user's passcode/fake out the biometrics before the lockout hits.

There are still plenty of potential weak points here, from attacks against the phone, to phishing the provisioning authority and sidestepping the whole chain. But, overall, it's probably a better system than the standard "oh, it's been 90 days, time to change my password from s00pers3cr3t7 to s00pers3cr3t8, which is good because it's just my Netflix, Etsy, online banking, and Amazon password with a number on the end" system, and if anything, it's lower-friction for users.
# ? Feb 28, 2021 23:47 |
CLAM DOWN posted:
> Those are very outdated and do not apply to the modern IR face unlock, as found in iPhones or the Pixel 4. You cannot unlock those with a picture.

Mr. Crow posted:
> You sure?

You started it, made lovely points, and were completely wrong to boot. You are forgiven, however, as hopefully this conversation might help those still in quicksand on how basic modern security strategies work.

And yes, I am more than a tad aggressive on the subject, because if the users weren't bad enough, I have to fight other "security professionals" who cling to security thinking from 1996. It feels like it's every day. So many don't want to do the things that actually work; they want to live in the past and check the boxes from decades gone by and pretend they did their job. It also frustrates our users needlessly and causes support tickets that don't need to exist.

Sickening fucked around with this message at 23:51 on Feb 28, 2021
# ? Feb 28, 2021 23:48 |
I've been trying to get passwordless auth implemented for our customers at work for loving ages now and it always seems to hit some sort of dead end. Also fwiw, password expiry is the loving worst faux security poo poo ever and gently caress knows why it's even included in CIS poo poo.
# ? Feb 28, 2021 23:50 |
CyberPingu posted:
> I've been trying to get passwordless auth implemented for our customers at work for loving ages now and it always seems to hit some sort of dead end.

Microsoft will detect that you are using password expiration in Azure/O365 and will suggest you turn it off as a security suggestion. It counts against you in their Secure Score system. Once Azure AD makes the passwordless options better supported and easier to roll out, so much is going to change for the better.
# ? Feb 28, 2021 23:55 |
Sickening posted:
> Microsoft will detect that you are using password expiration in Azure/O365 and will suggest you turn it off as a security suggestion. It counts against you in their Secure Score system.

Yeah, it's the same with AWS' CIS benchmarking.

I wrote a big gently caress off document about how we could implement passwordless auth in like 5 different ways, and some marketing dickhead came in and was like "All these are going to impact engagement, this is dumb".
# ? Feb 28, 2021 23:58 |
Mr. Crow posted:
> You sure?

Otherwise known as "we speculated at the method Android and iOS calculate fingerprints, we never tested it against real devices, we think this will work" (and it's from 4 years ago).
# ? Mar 1, 2021 00:01 |
CyberPingu posted:
> Yeah, it's the same with AWS' CIS benchmarking.

Well, they are correct! It will impact your engagements with all other orgs with old grog security teams who are also stuck in 1996. Being on those calls and listening to them berate someone for this stuff must be a real treat.
# ? Mar 1, 2021 00:03 |
Sickening posted:
> Well, they are correct! It will impact your engagements with all other orgs with old grog security teams who are also stuck in 1996. Being on those calls and listening to them berate someone for this stuff must be a real treat.

I had to sit on a call the other day and listen to our head of sales pore over GDPR rules to see if there were any loopholes to spam our customers with emails. I wanted to smash his face in.
# ? Mar 1, 2021 00:06 |
Mr. Crow posted:
> Aren't these objectively worse than a reasonably long PIN or password?

Actually yes, your PIN is better in that you don't have to worry about spoofing, false acceptances, or the entire space of 'accidental' unlocks like you do with biometrics (not to the degree of your old articles, but claiming they're failsafe is not true either), but biometrics are a major convenience factor for driving adoption of secure lockscreens. Long PINs and passwords have pretty bad usability tradeoffs that discourage their use; biometrics help offset that. On the downside, people think they're magical and don't really understand them, but that's life.

But PINs and biometrics don't belong in the age-old discussion about website passwords -- passwords are for remote auth, while PINs require physical access (you can't try them remotely at all) and have hardware-enforced backoffs that negate their comparably poor entropy space. PINs and biometrics are all about attackers with physical access, which passwords in the common web usage aren't. If what you mainly care about is brute-forced or shared passwords from randos on the internet, using a trusted device that most of your users have in their pocket to verify authorization works great. Of course you can't use that approach for everything, but if you can, you should; your users' phone is more secure than your server anyways.

At least we can all celebrate that NIST finally dropped the regular password rotation requirement.

CyberPingu posted:
> Yeah, it's the same with AWS' CIS benchmarking.

Ah yes, because not requiring typing in passwords everywhere hurts engagement.
# ? Mar 1, 2021 00:10 |
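The two arguments made above (the phone as an authenticator whose secret never leaves its enclave, with the passcode only unlocking that enclave, and the later point that a PIN's small entropy space is negated by hardware-enforced backoff because it can only be tried with the device in hand) can be shown in one runnable model. This is an added example, not code from the thread or from any vendor's secure element: the origin, user, PIN, device secret and lockout schedule are all constructed, and a stdlib HMAC key stands in for the asymmetric key a real enclave would hold (attestation and the server proving itself to the device are not modelled).

```python
import hashlib
import hmac
import secrets

ORIGIN = b"https://login.example.test"   # constructed relying party, not a real site
PIN = "483190"                            # constructed user passcode


class SecureEnclave:
    """Toy stand-in for a phone's secure element: holds the device credential, answers
    a challenge only after a correct PIN, and enforces a hardware-style lockout
    (escalating delay from the third failure, wipe at the tenth)."""

    def __init__(self, pin, device_secret):
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._secret = device_secret        # never leaves the enclave
        self.failed, self.locked_until, self.wiped = 0, 0.0, False

    def unlock(self, pin_guess, now):
        if self.wiped:
            raise PermissionError("device wiped")
        if now < self.locked_until:
            raise PermissionError("locked out")
        if hmac.compare_digest(hashlib.sha256(pin_guess.encode()).digest(), self._pin_hash):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= 3:                # 60 s after the third failure, then doubling
            self.locked_until = now + 60 * 2 ** (self.failed - 3)
        if self.failed >= 10:               # too many failures: erase the credential
            self.wiped, self._secret = True, None
        return False

    def sign_challenge(self, pin, nonce, origin, now):
        """Answer a login challenge, binding in the origin the device is talking to."""
        if not self.unlock(pin, now):
            raise PermissionError("wrong PIN")
        return hmac.new(self._secret, origin + b"|" + nonce, hashlib.sha256).digest()


class RelyingParty:
    """Server side: stores the enrolled device credential, no password at all."""

    def __init__(self, origin):
        self.origin, self.enrolled, self.pending = origin, {}, {}

    def enroll(self, user, device_secret):
        self.enrolled[user] = device_secret

    def challenge(self, user):
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]

    def verify(self, user, response):
        nonce = self.pending.pop(user, None)    # single use, so no replay
        if nonce is None:
            return False
        expected = hmac.new(self.enrolled[user], self.origin + b"|" + nonce,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def fixture():
    secret = secrets.token_bytes(32)            # provisioned into the enclave at enrollment
    rp = RelyingParty(ORIGIN)
    rp.enroll("alice", secret)
    return rp, SecureEnclave(PIN, secret)


def legitimate_login():
    rp, enclave = fixture()
    nonce = rp.challenge("alice")
    return rp.verify("alice", enclave.sign_challenge(PIN, nonce, ORIGIN, now=0.0))


def leaked_pin_without_device():
    """Attacker learned the PIN but holds no enclave: remotely, the PIN proves nothing."""
    rp, _ = fixture()
    nonce = rp.challenge("alice")
    forged = hmac.new(PIN.encode(), ORIGIN + b"|" + nonce, hashlib.sha256).digest()
    return rp.verify("alice", forged)


def phished_challenge():
    """A look-alike site relays the real nonce; origin binding makes the answer useless."""
    rp, enclave = fixture()
    nonce = rp.challenge("alice")
    response = enclave.sign_challenge(PIN, nonce, b"https://login.examp1e.test", now=0.0)
    return rp.verify("alice", response)


def pin_guessing_with_device():
    """Attacker holds the device and tries PINs in order, waiting out every lockout.
    Returns (guesses made, device wiped?, seconds elapsed on the device clock)."""
    _, enclave = fixture()
    now, guesses = 0.0, 0
    for candidate in range(10 ** 6):
        now = max(now, enclave.locked_until)    # wait for the lockout to expire
        try:
            if enclave.unlock(f"{candidate:06d}", now):
                break
        except PermissionError:                 # device has wiped itself
            break
        guesses += 1
    return guesses, enclave.wiped, now
```

Under this model a leaked passcode answers no remote challenge, a relayed challenge from a look-alike origin verifies as false because the device signs over the origin it actually sees, and an attacker who does hold the device gets ten guesses at a million-PIN space (spread over roughly four hours of escalating lockouts) before the credential is erased. That is the sense in which the hardware backoff, not the PIN's length, carries the security.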
CyberPingu posted:
> Also fwiw, password expiry is the loving worst faux security poo poo ever and gently caress knows why it's even included in CIS poo poo.

It makes some theoretical sense for the same reason it's a good idea to rotate certs regularly: if somebody manages to get their hands on credentials, forcing the real user to rotate their credentials to something new locks out the attacker. And, if you're in a WWII/Cold War era scenario where a single authority is issuing your password to you (which is where a lot of early infosec "best practices" and received wisdom came from), then a lot of the issues with simple password reuse and "just tack a number on the end" never come up. But then users got to choose their own passwords, every little system under the sun started asking for its own should-be-unique credentials, human psychology and laziness came into the picture, and the whole thing turned into the hosed up mess we all know and love.

CyberPingu posted:
> I had to sit on a call the other day and listen to our head of sales pore over GDPR rules to see if there were any loopholes to spam our customers with emails.

CAN-SPAM compliance is a bit outside the scope of this thread, but I'd be lying if I said I hadn't had a couple of daydreams about the FTC deciding to enforce the law and throwing some fines at the people who think "opt out" means "temporarily remove from one specific marketing subchannel" and that their monthly announcements are "transactional."
# ? Mar 1, 2021 00:20 |
Oh...my...christ

Someone sent us a PoC to our responsible disclosure program that he had uploaded to YouTube.
# ? Mar 1, 2021 11:07 |
CyberPingu posted:
> Oh...my...christ

It's an unlisted video, right?
# ? Mar 1, 2021 11:16 |
spankmeister posted:
> It's an unlisted video, right?

It is not. I've already sent a request for it to be taken down.
# ? Mar 1, 2021 11:25 |
CyberPingu posted:
> Oh...my...christ

lol, this happens all the time. I just ask them to remove it and send them a box of goodies / gift cards after (if it was a valid finding). You'll make a friend who's on your side forever and ever.
# ? Mar 1, 2021 11:26 |
CyberPingu posted:
> Oh...my...christ
# ? Mar 1, 2021 13:57 |
evil_bunnY posted:
> It's trivial to unlist or reupload it. As geonetix says, if you treat people right they'll reciprocate, and someone contacting your RD team to begin with is already primed to be cooperative.

Yeah, I get that. It's just a bit annoying having to go through this. If we can verify it, he will be rewarded.
# ? Mar 1, 2021 13:59 |
Weeeeeee https://twitter.com/DecipherSec/status/1366860560139247621
# ? Mar 2, 2021 22:19 |
90% sure related to this: https://blog.rapid7.com/2021/03/02/indiscriminate-exploitation-of-microsoft-exchange-servers-cve-2021-24085/ OWA -> Webshell -> Cred dump from the looks of it
# ? Mar 2, 2021 23:51 |
Tryzzub posted:
> 90% sure related to this: https://blog.rapid7.com/2021/03/02/indiscriminate-exploitation-of-microsoft-exchange-servers-cve-2021-24085/

Yup, did an IR recently related to this too. That was fun, especially since they ran their Exchange box with Domain Admin rights....
# ? Mar 3, 2021 00:17 |
Amazing. As of right now, if you own an on-prem Exchange and it's still talking to the internet without a patch, you are a moron. We don't have any, but the cord would have been unplugged until they were patched and investigated.
# ? Mar 3, 2021 00:57 |
ok so I’m definitely seeing a lot of 404s for attack details I was able to access an hour ago.
# ? Mar 3, 2021 01:29 |
CommieGIR posted:
> Yup, did an IR recently related to this too. That was fun, especially since they ran their Exchange box with Domain Admin rights....
# ? Mar 3, 2021 01:34 |
Tryzzub posted:
> ok so I'm definitely seeing a lot of 404s for attack details I was able to access an hour ago.

Yeah, not sure what is going on....why'd Rapid7 take it down?
# ? Mar 3, 2021 01:44 |
CommieGIR posted:
> Yeah, not sure what is going on....why'd Rapid7 take it down?

They took it down because it was written before the advisories came out (from what I heard). I'd bet on a new version coming out tomorrow.
# ? Mar 3, 2021 03:17 |
trashy owl posted:
> They took it down because it was written before the advisories came out (from what I heard). I'd bet on a new version coming out tomorrow.

It's easy enough to find the cached copy. Cat's already out of the bag, etc. etc., but always fun to collate information between sources / initial observations.

https://webcache.googleusercontent....n&ct=clnk&gl=us
# ? Mar 3, 2021 03:41 |
As part of my role as infosec guy, I've been tasked with doing "employee education", and so every two months I've been putting out a short company newsletter that has broad-stroke summaries of significant company-affecting infosec events, such as successful phishing attempts on employees or foreign IP logins, etc., as well as an "infosec tip of the day" kind of thing where it outlines a thing to be slightly safer, like enabling MFA or signing emails with PGP, stuff like that.

My question is: am I just pissing in the wind with this, or is this kind of thing worthwhile?
# ? Mar 4, 2021 16:16 |
Defenestrategy posted:
> As part of my role as infosec guy, I've been tasked with doing "employee education", and so every two months I've been putting out a short company newsletter that has broad-stroke summaries of significant company-affecting infosec events, such as successful phishing attempts on employees or foreign IP logins, etc., as well as an "infosec tip of the day" kind of thing where it outlines a thing to be slightly safer, like enabling MFA or signing emails with PGP, stuff like that.

Totally pissing in the wind. Nobody is reading them. It might serve as checking a box, though, so there is that.
# ? Mar 4, 2021 16:26 |
Defenestrategy posted:
> As part of my role as infosec guy, I've been tasked with doing "employee education", and so every two months I've been putting out a short company newsletter that has broad-stroke summaries of significant company-affecting infosec events, such as successful phishing attempts on employees or foreign IP logins, etc., as well as an "infosec tip of the day" kind of thing where it outlines a thing to be slightly safer, like enabling MFA or signing emails with PGP, stuff like that.

Sorry, nobody is reading it, BUT you can turn that effort into a nice-looking blog, too?
# ? Mar 4, 2021 16:30 |
Defenestrategy posted:
> As part of my role as infosec guy, I've been tasked with doing "employee education", and so every two months I've been putting out a short company newsletter that has broad-stroke summaries of significant company-affecting infosec events, such as successful phishing attempts on employees or foreign IP logins, etc., as well as an "infosec tip of the day" kind of thing where it outlines a thing to be slightly safer, like enabling MFA or signing emails with PGP, stuff like that.

Maybe somebody will read it, but yeah, it's mostly CYA so they can't feign total ignorance when an incident occurs. I've found that more active, participation-based events yield better dividends than just tossing reading material out into the world. Phishing campaigns will tell you how many people will fall for obvious attacks, and the user then sees "oh hey, maybe I'm not so clever about spotting these." Same with doing capture-the-flag events with developers instead of just watching boring videos about the OWASP Top 10.
# ? Mar 4, 2021 16:32 |