RFC2324 posted:If they are moving to push everyone into the cloud the way the poster I quoted seemed to be saying, then its a problem. That sucks if true, none of my stuff is connected to their cloud stuff. I hope they learn a lesson from this.
(posted Mar 31, 2021 16:28)
CommieGIR posted:That sucks if true, none of my stuff is connected to their cloud stuff. I hope they learn a lesson from this. My last 2 hosting gigs included me being depressed by the fact that using LastPass was the GOOD option, with several admins openly advising people to stop with the complex passwords and just increment the same ones you have always used by 1 every 90 days. So no, no one has learned any loving thing.
(posted Mar 31, 2021 16:41)
RFC2324 posted:My last 2 hosting gigs included me being depressed by the fact that using LastPass was the GOOD option, with several admins openly advising people to stop with the complex passwords and just increment the same ones you have always used by 1 every 90 days. I kinda wanna know how they popped the LastPass DB; I'm assuming the guy had it tied to his Windows account or had the password saved somewhere in plaintext.
(posted Mar 31, 2021 17:19)
CommieGIR posted:I kinda wanna know how they popped the LastPass DB; I'm assuming the guy had it tied to his Windows account or had the password saved somewhere in plaintext. I assume password reuse. Most people seem to roll that "just increment by one" password that they used everywhere into their new database password before going and changing all of their site passwords, so just grab an old dump of demonoid.pr
(posted Mar 31, 2021 17:21)
CommieGIR posted:I kinda wanna know how they popped the LastPass DB; I'm assuming the guy had it tied to his Windows account or had the password saved somewhere in plaintext. It's an email address and password at the minimum, which is about as basic poo poo tier security as you can get. The fact that LastPass doesn't require you to have MFA is... cute.
(posted Mar 31, 2021 17:30)
Sickening posted:It's an email address and password at the minimum, which is about as basic poo poo tier security as you can get. The fact that LastPass doesn't require you to have MFA is... cute. Ahhhhh, sorry, I was mixing up LastPass and KeePass in my head. And yeah, I don't know why LastPass isn't MFA compliant yet, it's so easy now.
(posted Mar 31, 2021 17:37)
If you have Lastpass Enterprise you can enforce MFA across your org. Since it sounds like this guy may have generated access keys for the AWS root account and maybe wasn't using enterprise policy or 2FA, it doesn't sound like anything would have saved them. It's been wild working at multiple large, household name tech companies and still having people push against enforced employee 2FA and user 2FA features because too many people just don't like using it or are somehow wildly inconvenienced.
(posted Mar 31, 2021 17:42)
Shuu posted:It's been wild working at multiple large, household name tech companies and still having people push against enforced employee 2FA and user 2FA features because too many people just don't like using it or are somehow wildly inconvenienced. Oh yeah, this has been the bane of my last few years of consulting: I still get steady pushback against MFA, my current client is the only one that really bought all the way into it.
(posted Mar 31, 2021 17:47)
I vaguely remember something about running a password manager while logged into Windows as a local admin account means that if your user account got compromised, they could get an unencrypted memory dump of your password vault when you unlocked it. Having trouble finding info on it now. With it being a dev that got popped, I kinda feel like that could have been a strong possibility.
(posted Mar 31, 2021 17:52)
If you can compromise their pc, just replace the exe with a version that uploads everything the first time you unlock it.
(posted Mar 31, 2021 18:00)
Shuu posted:If you have Lastpass Enterprise you can enforce MFA across your org. Since it sounds like this guy may have generated access keys for the AWS root account and maybe wasn't using enterprise policy or 2FA, it doesn't sound like anything would have saved them. This is all fine and good, but you still run into the issue of folks using their personal accounts and storing credentials in them. This is especially hard in the dev circles and cloud without a ton of origin restrictions. You basically can't stop this unless you...
* Restrict all managed devices to use your company's password manager of choice while also making sure they can't sign on with their personal accounts.
* Restrict all access to these managed dev and cloud tools to only be accessible through your managed devices and network locations.
* Hammer them over and over again until you annoy them into complete compliance.
The lessons I have learned tell me that even if you attempt to do all of the above and more, your users, devs, admins, and everyone else are going to leak credentials through the infinite number of ways to do so. Make them as worthless as you can.
(posted Mar 31, 2021 18:02)
evil_bunnY posted:The early years were a dumpster fire because of default perms, the current years can be a dumpster fire when people open their buckets to make poo poo work. "Making poo poo work" is the huge problem. AWS is a nightmare to try new things in and when you have deadlines it's easy to get [deus ex recut voice] desperate
(posted Mar 31, 2021 18:08)
Internet Explorer posted:I vaguely remember something about running a password manager while logged into Windows as a local admin account means that if your user account got compromised, they could get an unencrypted memory dump of your password vault when you unlocked it. Having trouble finding info on it now. With it being a dev that got popped, I kinda feel like that could have been a strong possibility. I mean, that seems to be true for most, either when the password is copy/pasted or other ways. Separation of rights via Least Privilege helps solve some of that (i.e. a non-admin account being popped is less likely to be able to read any data from the admin account's escalated process).
(posted Mar 31, 2021 18:08)
Didn't LastPass have a vuln a few years back where you could silently harvest someone's entire database with a well-crafted form field (that could be hidden on the page)?
(posted Mar 31, 2021 18:13)
RFC2324 posted:Didn't LastPass have a vuln a few years back where you could silently harvest someone's entire database with a well-crafted form field (that could be hidden on the page)? Yeah, I think this is what you're referring to - https://bugs.chromium.org/p/project-zero/issues/detail?id=1930
(posted Mar 31, 2021 18:16)
Internet Explorer posted:Yeah, I think this is what you're referring to - https://bugs.chromium.org/p/project-zero/issues/detail?id=1930 I think what I read was his write-up on the exploit he mentions at the bottom, but it looks like it. Did they ever notify their users of that high-severity issue?
(posted Mar 31, 2021 18:52)
I think so. I believe they sent an email about it. https://blog.lastpass.com/2019/09/lastpass-bug-reported-resolved/
(posted Mar 31, 2021 19:06)
Shuu posted:If you have Lastpass Enterprise you can enforce MFA across your org. Since it sounds like this guy may have generated access keys for the AWS root account and maybe wasn't using enterprise policy or 2FA, it doesn't sound like anything would have saved them. We just rolled out MFA last week. I fought for a year to enable it when I was in IT and was explicitly shut down every time. This is especially egregious because we actually made everyone sign up for MFA, and use it on their first login! And then we never again required it on login after that.
(posted Mar 31, 2021 19:13)
Internet Explorer posted:I vaguely remember something about running a password manager while logged into Windows as a local admin account means that if your user account got compromised, they could get an unencrypted memory dump of your password vault when you unlocked it. Having trouble finding info on it now. With it being a dev that got popped, I kinda feel like that could have been a strong possibility. This is probably what you're thinking of: https://nakedsecurity.sophos.com/2019/02/21/password-managers-leaking-data-in-memory-but-you-should-still-use-one/
(posted Mar 31, 2021 21:28)
The Fool posted:This is probably what you’re thinking of: https://nakedsecurity.sophos.com/2019/02/21/password-managers-leaking-data-in-memory-but-you-should-still-use-one/ As soon as I saw the URL, I knew that was it. Yes, thank you!
(posted Mar 31, 2021 21:34)
So I called Fidelity to close my brokerage account with them. The machine had me put in my social security number. So far, normal. Then it asked me to type in my account's password using the phone's keypad. As in the letters JKL are all entered as 5. Caps? Doesn't matter. Doge = 3643 and DOGE = 3643. If you've got a number? You just use the number. And wait for it, all special characters are entered with the * sign. Someone tell me I'm dumb and this is actually a good security practice because it looks like a dumpster fire to me.
(posted Mar 31, 2021 23:43)
Depends on how many tries you get, really. Password strength is versus ability to brute force, and it’s not like hashes of the keypad-encoded passwords are leaking to attackers.
(posted Mar 31, 2021 23:49)
You also have to balance this against Olds who won't remember the da-da-duh-da-da code with the specific cadence to make a certain character, then scream at a hapless support person.
(posted Apr 1, 2021 02:36)
Subjunctive posted:Depends on how many tries you get, really. Password strength is versus ability to brute force, and it’s not like hashes of the keypad-encoded passwords are leaking to attackers. No, it’s just really bad. Worst, and most likely, case: they’re keeping the passwords in plaintext. Obviously terrible. “Best” case: when you set a password, it’s encoded into keypad form, then both the original and encoded forms are salted, hashed, and stored. If there’s a breach and an attacker gets their hands on both password DBs, then it’s seriously bad news. The number of possible combinations in the keypad encoded password is tiny compared to the full version, and once you recover a keypad password, then it cuts down massively on the space you have to search to recover the full password. Anybody with both sets of hashes and a bit of GPU time can easily recover the originals. It’s a good idea to use user-set passwords instead of just assuming that anyone who knows your SSN is you, but trying to reuse passwords between two platforms like this is not a good way to do it.
(posted Apr 1, 2021 03:25)
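As an added example (not from the thread), the following Python models the keypad encoding Boris Galerkin describes and counts how many real passwords collapse onto one keypad form, which is the search-space reduction the post above warns about if keypad-form hashes were ever stored and leaked. The E.161 letter layout and `string.punctuation` as the set of "special characters" are assumptions.

```python
"""Phone-keypad password encoding, as described in the thread above.

Added example, not from the original posts. Assumptions: the standard E.161
letter layout and string.punctuation as the IVR's "special characters".
"""

import math
import string

KEYPAD = {  # assumed letter layout; consistent with the thread's JKL -> 5
    "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
    "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ",
}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}
SPECIALS = frozenset(string.punctuation)  # assumed definition of "special"
FULL_ALPHABET = 26 * 2 + 10 + len(SPECIALS)  # 94 printable ASCII, no space


def keypad_encode(password: str) -> str:
    """Return the keypad form; raises on characters the keypad cannot express."""
    out = []
    for ch in password:
        if ch.isdigit():
            out.append(ch)                           # digits are typed as themselves
        elif ch.upper() in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[ch.upper()])  # letter case is lost here
        elif ch in SPECIALS:
            out.append("*")                          # every special becomes '*'
        else:
            raise ValueError(f"no keypad encoding for {ch!r}")
    return "".join(out)


def preimages(symbol: str) -> int:
    """Number of distinct password characters that map onto one keypad symbol."""
    if symbol == "*":
        return len(SPECIALS)
    if symbol in KEYPAD:
        return 1 + 2 * len(KEYPAD[symbol])  # the digit itself + each letter in 2 cases
    if symbol in "01":
        return 1                            # keys 0 and 1 carry no letters
    raise ValueError(f"not a keypad symbol: {symbol!r}")


def candidates(encoded: str) -> int:
    """How many original passwords are consistent with a known keypad form."""
    return math.prod(preimages(s) for s in encoded)


def bits_lost(password: str) -> float:
    """Entropy (bits) that leaks once the keypad form of this password is known."""
    full = len(password) * math.log2(FULL_ALPHABET)
    remaining = math.log2(candidates(keypad_encode(password)))
    return full - remaining
```

For "Doge" the keypad form 3643 has only 7^4 = 2401 consistent originals out of 94^4 possible four-character passwords, so knowing the keypad form gives away about 15 of its 26 bits.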
Boris Galerkin posted:So I called Fidelity to close my brokerage account with them. The machine had me put in my social security number. So far, normal. What are the password length requirements? e: also, try logging in on their website sometime with your password in the wrong case, I'm willing to bet it's case insensitive. spankmeister fucked around with this message at 07:36 on Apr 1, 2021
(posted Apr 1, 2021 07:33)
spankmeister posted:What are the password length requirements? quote: "Please use 6 to 20 letters, numbers, and/or special characters. Letters are case-sensitive." For the record, my now-defunct account had a password violating those things. I have a number sequence, and I have a string of "EEEE" which is just what my password generator generated.
(posted Apr 1, 2021 12:13)
spankmeister posted:What are the password length requirements? For fun I tried it out, but it doesn't accept the wrong case.
(posted Apr 1, 2021 12:21)
“Guess it’s time to dump Ubiquiti” do you guys refuse to use Linux, Windows, Android, macOS, or iOS because each one has had at least one problem? Put the nature of the breach into perspective: someone hosed up their PAM. This was a failure caused by That Guy who is always complaining about certain parts of administration security in your organization. Compare that to cisco/cisco. Potato Salad fucked around with this message at 13:28 on Apr 1, 2021
(posted Apr 1, 2021 13:23)
Potato Salad posted:“Guess it’s time to dump Ubiquiti” do you guys refuse to use Linux, Windows, Android, macOS, or iOS because each one has had at least one problem? I think the problem was less "they made a mistake" and more "they pretended they didn't make a mistake, but the mistake was very big."
(posted Apr 1, 2021 13:53)
HexiDave posted:I think the problem was less "they made a mistake" and more "they pretended they didn't make a mistake, but the mistake was very big." Yes I would agree. See for instance how FireEye handled their initial announcement of the whole Orion/SolarWinds debacle as an example of how to handle things well.
(posted Apr 1, 2021 15:12)
HexiDave posted:I think the problem was less "they made a mistake" and more "they pretended they didn't make a mistake, but the mistake was very big."
(posted Apr 1, 2021 15:19)
It wasn't a security breach, but we dumped FireEye when their email security product was just dropping emails silently for weeks and there was no way to know from our side. Took our users and the users from a major partner opening tickets for it to click. Apparently affected a ton of customers.
(posted Apr 1, 2021 15:21)
Potato Salad posted:“Guess it’s time to dump Ubiquiti” do you guys refuse to use Linux, Windows, Android, macOS, or iOS because each one has had at least one problem? iOS, Android, Linux and Windows all publish CVEs and issue fixes. Ubiquiti forces people to use remote access, has access to every credential and certificate stolen, hides it while lying to users about impact, making potential impact worse. edit: it may be easier to say every company makes mistakes, Ubiquiti makes compounding mistakes. text editor fucked around with this message at 15:23 on Apr 1, 2021
(posted Apr 1, 2021 15:21)
Ubiquiti made the same mistakes that make every security goon say to stay the gently caress away from LastPass.
(posted Apr 1, 2021 15:58)
Is there anything else at Ubiquiti's price point for the home network / playground?
(posted Apr 1, 2021 16:27)
Ynglaur posted:Is there anything else at Ubiquiti's price point for the home network / playground? I bought a five-port switch with four 10G SFP+ cages and one 1GbE port, and aside from missing documentation about baudrate for serial connection via uplcom(4) and no mention of (10k) jumboframes being the default on all ports, it seems fine once I switched it to SwOS.
(posted Apr 1, 2021 21:00)
Ynglaur posted:Is there anything else at Ubiquiti's price point for the home network / playground? It'll be a long time until WiFi6 Ruckus gear hits that price on eBay though, plus it's an older model, like their first AC wave 2.
(posted Apr 1, 2021 22:16)
On the topic of protecting users from phishing, it's time to name and shame myself: I fell victim to a Steam phishing scam yesterday. However,
1) I had nothing of value to steal, no items to trade away; I had my inventory hidden, so the phisher was presumably disappointed to discover this
2) I had Steam Guard (aka MFA) enabled, so he was unable to make any changes to my account, and I invalidated his session promptly
3) I used a unique email address (via a vanity domain on a DigitalOcean droplet) and have a password manager, so I promptly kicked him out and changed the password; he won't have anything useful on me
4) He was unable to jump to anyone on my friends list before someone alerted me to do the above, according to the chatlogs I pulled up; I responsibly disclosed the compromise to the people on my friends list that he contacted
5) I checked my market transactions and purchase history; no activity. Steam's user protections prevented him from accessing or using any personal or financial info

The vulnerabilities that led to the compromise:
1) It was an account that I knew (added years ago when I met them on some game) but didn't know (some rando I hadn't spoken to in ages, trivial to plausibly impersonate)
2) Request to vote for some shithead's CS:GO team: plausible, but unwanted social interaction; forced politeness causes a desire to get the interaction over with and reduces attention to detail
3) Fake site with a plausible, well-produced fake Steam third-party login flow
4) I don't play CS:GO so I don't give a poo poo about their tournament websites or know how they work
5) I never log into Steam in my browser so I didn't have the login info in 1Password! 1Password would have stopped this phishing attempt in its tracks when my browser extension didn't show my login for their fake site. This is probably the most crucial thing; my password manager could have waylaid the whole thing if I was using it completely ubiquitously.

I am fairly confident I have rooted the attacker out of my account and that I wasn't penetrated further than my Steam credentials. I didn't download anything, obviously (that would have been a major red flag), so I'm confident the compromise was limited to my account details (username, password, email address), all of which I've now changed. So hopefully this experience provides some useful info to those of you trying to protect your own users as to how phishing attempts work (on anyone! no one is safe!), why training isn't a panacea that will solve them, and how to better protect your users when they are inevitably compromised. As a side note, you guys should definitely include login IP and approximate location with any MFA system you build. That also would have been a red flag; it wouldn't have saved me from changing my password, but he wouldn't have been able to get past MFA. I can kind of see why people have concerns about Google Authenticator now, given that prompt-based MFA is more likely to put a user on alert than rolling MFA tokens. There's my security breach disclosure, feel free to mock me for being an idiot now.
(posted Apr 1, 2021 23:20)
Cup Runneth Over posted:On the topic of protecting users from phishing, it's time to name and shame myself: I fell victim to a Steam phishing scam yesterday. However, Thanks for sharing this. Lessons learnt like this are great shares.
(posted Apr 1, 2021 23:26)
Bravo on you for sharing. Yeah, that particular Steam "hack" has been going around for a while. The Steam thread on SA has people pretty much every day trying to track down some goon who got got. Nobody said this stuff was easy!
(posted Apr 1, 2021 23:31)