Cup Runneth Over posted:https://twitter.com/marcwrogers/status/1411871388529397767 lol do they really expect all the victims to club together and collect up the ransom like some type of charity telethon? I'd think criminals would have a better sense of realistic cynicism than that.

# ? Jul 5, 2021 06:36 |

It's probably to try enticing the feds to pay the ransom since it's cheaper than actually solving the problem.

# ? Jul 5, 2021 07:44 |

Counteroffer with $140M but only if they turn over their software devs to the authorities.

# ? Jul 5, 2021 12:19 |

Volmarias posted:It's probably to try enticing the feds to pay the ransom since it's cheaper than actually solving the problem. that very thing is already happening so yeah.

# ? Jul 5, 2021 15:26 |

I've been trying to settle on a password manager and I seriously can't be the only one that finds it sketchy as all hell that most (all?) of the ones with online accounts or cloud storage use your supposedly zero-knowledge master password as your login to the web page for account setup and cloud sync. 1password and bitwarden for sure do, I haven't looked at all of them. Am I missing something or does this seem ridiculous? Just entering the master password in a web browser page ever seems like anathema to me. That said, other than using keepass and my own server it doesn't seem like there are any options.

# ? Jul 5, 2021 18:35 |

Rescue Toaster posted:I've been trying to settle on a password manager and I seriously can't be the only one that finds it sketchy as all hell that most (all?) the ones with online accounts or cloud storage use your supposedly zero-knowledge master password as your login to the web page for account setup and cloud sync. 1password and bitwarden for sure do, I haven't looked at all of them. Why is that ridiculous? E: unless you're implying it's just password in which case 1password has 2fa for web login

# ? Jul 5, 2021 18:36 |

Blinkz0rz posted:Why is that ridiculous? Because you have to trust that the master password you enter is only being used for client side decryption of logins using js and isn't secretly being divulged. You place the same trust in a desktop app but 1) you can firewall it off I suppose 2) a website could change the js it serves you at any moment

# ? Jul 5, 2021 18:44 |

Rufus Ping posted:Because you have to trust that the master password you enter is only being used for client side decryption of logins using js and isn't secretly being divulged. Yeah maybe I'm over-valuing the 'stability' of an application vs a web page. At least with an application you would have to update it to get a new version. Once modified though, even if you firewall it, it could of course send your password back to their servers, but you could prevent it from sending it somewhere else. In any scenario, if the company that sells you the password manager starts acting maliciously, you're pretty screwed. I feel like by making people repeatedly enter their password into a regular webpage's javascript you're opening up more avenues for a third party, though.
# ? Jul 5, 2021 18:47 |
One question is: do you want someone who doesn’t know the master password to be able to mess with your account and sync settings? Another could be: would you use a second non-resettable password, which is used infrequently and likely can’t be stored in the password manager because you might need it to get access to your password manager’s encrypted store? That seems like a recipe for ergonomic disaster and subsequent data loss, pretty often. With Bitwarden you could host your own setup if you were worried about the main system being compromised, but I think I’m more likely to gently caress up than they are, so I go with it.

# ? Jul 5, 2021 18:52 |

Have any of you ever experienced this? https://twitter.com/dj_ir0ngruve/status/1412067848453705731

# ? Jul 5, 2021 19:26 |

Subjunctive posted:One question is: do you want someone who doesn’t know the master password to be able to mess with your account and sync settings? Another could be: would you use a second non-resettable password, which is used infrequently and likely can’t be stored in the password manager because you might need it to get access to your password manager’s encrypted store? That seems like a recipe for ergonomic disaster and subsequent data loss, pretty often. I switched to bitwarden, and thought about self hosting, but decided that I didn't want to deal with the hassle of setting up an internet accessible host.

# ? Jul 5, 2021 19:30 |

Rufus Ping posted:Because you have to trust that the master password you enter is only being used for client side decryption of logins using js and isn't secretly being divulged. I mean, that's fundamentally the same issue you run into with any kind of tool that you delegate permission to do *something*. If your threat model is such that you're worried about the system using your key to do something other than decrypt your data, by all means host your own solution or use a desktop app but I'm guessing it isn't and the concern is a bit overblown.
# ? Jul 5, 2021 20:24 |
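The question running through the last several posts is how a cloud password manager can use the master password both to unlock the vault and to log in to the web account without the server ever learning the password or the vault key. The following is an added illustration of that split and is not any vendor's actual scheme: the client stretches the password into a master key, derives two independent sub-keys from it, and sends only the login one to the server, which stores a salted hash of it. Function names, the e-mail-as-salt choice, the iteration count and the domain-separation labels are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed illustration of a "zero-knowledge" login split, not any
# vendor's real protocol. Iteration count is deliberately low so the
# example runs quickly; a real client would use a far larger one.
ITERATIONS = 10_000


def derive_keys(master_password: str, email: str) -> tuple:
    """Client side: stretch the password, then split it into two secrets.

    vault_key never leaves the client; auth_key is the only value sent
    to the server at login. Knowing one does not reveal the other.
    """
    master_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), ITERATIONS)
    # Domain-separated sub-keys (labels are assumptions for the example).
    vault_key = hashlib.pbkdf2_hmac("sha256", master_key, b"vault-encryption", 1)
    auth_key = hashlib.pbkdf2_hmac("sha256", master_key, b"server-login", 1)
    return vault_key, auth_key


def server_enroll(auth_key: bytes) -> dict:
    """Server side: keep only a salted, stretched hash of the auth key,
    so a database leak does not hand out a reusable login credential."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", auth_key, salt, ITERATIONS)
    return {"salt": salt, "verifier": verifier}


def server_verify(record: dict, auth_key: bytes) -> bool:
    """Server side: constant-time check of a presented auth key."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_key, record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["verifier"])


def demo() -> tuple:
    """Enrol, log in with the right and a wrong password, and confirm
    nothing on the server side equals the vault key."""
    vault_key, auth_key = derive_keys("correct horse battery staple", "Alice@example.com")
    record = server_enroll(auth_key)
    accepted = server_verify(record, auth_key)
    _, wrong_auth = derive_keys("wrong password", "alice@example.com")
    rejected = not server_verify(record, wrong_auth)
    server_side = {record["verifier"], auth_key}
    return accepted, rejected, vault_key not in server_side
```

Note that this only bounds what the server (or a database leak) learns: the client code that computes derive_keys still handles the raw password, which is exactly the trust in served javascript that the thread is debating.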
spankmeister posted:The joke is that they are, and that's why they can't fix it. how did this validate in the first place? Partial validation of the signed data only, no validation that the linked document actually exists? That seems like a big oversight even ignoring cosmic rays, allowing you to attest a document exists with this hash without verifying A) it exists or B) the hash matches. Maybe I'm missing something.

# ? Jul 5, 2021 20:27 |

Blinkz0rz posted:I mean, that's fundamentally the same issue you run into with any kind of tool that you delegate permission to do *something*. Yes I agree and personally use 1password's cloud offering

# ? Jul 5, 2021 21:38 |

With the power of the desktop app integration, I basically never even type my master password of 1Password into any web pages or Chrome extension, so at this point it's a pretty minor concern.

# ? Jul 6, 2021 00:55 |

Speaking of password managers... https://twitter.com/matthew_d_green/status/1412411435842519049

# ? Jul 6, 2021 15:19 |

Absurd Alhazred posted:Speaking of password managers... Look who rolled their own crypto!

# ? Jul 6, 2021 15:32 |

That's such a well written post, you actually learn something having read it

# ? Jul 6, 2021 16:37 |

Thanks Ants posted:That's such a well written post, you actually learn something having read it Agreed. Good flow, good writing style, lots of meaningful content without straying into either being too smug about how smart these researchers were to find the issue or throwing in snide remarks about how lol-tasticly dumb Kaspersky was, yeah. This is how a good security blog write up should look.

# ? Jul 6, 2021 17:19 |

It took them two years to fix that. Two. Years. When the security researchers told them how to fix it.

# ? Jul 6, 2021 18:11 |

Has there been any real news on the Kaseya attack about how they got hit? Last I read it wasn't a supply chain attack but some 0-day exploit of their software.

# ? Jul 6, 2021 19:58 |

BaseballPCHiker posted:Has there been any real news on the Kaseya attack about how they got hit? Last I read it wasn't a supply chain attack but some 0-day exploit of their software. So there was a pretty serious vulnerability in Kaseya that was discovered by Dutch security researchers and they were in the process of working with Kaseya to get that resolved. While this was going on the REvil ransomware gang discovered the bug. Either they discovered it independently or they acquired details about it somehow, that part is not yet clear. This bug can be used to gain control of a Kaseya instance without authentication. This has been used by REvil to gain control of lots and lots of instances of Kaseya at companies and MSPs and subsequently used to deploy ransomware to their clients. Now why these MSPs had their Kaseya instances open to the internet is a hell of a good question. But they did. It was NOT a compromise of Kaseya itself or a malicious update of the Kaseya software. So in that sense it wasn't a supply chain attack. However some might argue that if you got popped with ransomware because your MSP used Kaseya it could be considered a supply chain attack in that sense. But really only in the sense that the MSP is the supplier in this case, not Kaseya itself.

# ? Jul 6, 2021 21:43 |

spankmeister posted:So there was a pretty serious vulnerability in Kaseya that was discovered by Dutch security researchers and they were in the process of working with Kaseya to get that resolved. While this was going on the REvil ransomware gang discovered the bug. Either they discovered it independently or they acquired details about it somehow, that part is not yet clear. I would think it's exposed because it's likely the kind of customer who is using an MSP for budget reasons doesn't have the budget to create tunnels specifically for these kinds of services.

# ? Jul 6, 2021 23:08 |

spankmeister posted:So there was a pretty serious vulnerability in Kaseya that was discovered by Dutch security researchers and they were in the process of working with Kaseya to get that resolved. While this was going on the REvil ransomware gang discovered the bug. Either they discovered it independently or they acquired details about it somehow, that part is not yet clear. That's how it got to us, because I can assure you that the now-closed port and subsequent NAT that Kaseya was talking on was ACL'ed to hell and back, so big bad Presidio definitely had theirs exposed. At least I don't have to worry about their foot in the door at my agency anymore. Our in-house security averted a serious potential disaster when it stopped it cold on a live CUCM box.

# ? Jul 6, 2021 23:17 |

spankmeister posted:So there was a pretty serious vulnerability in Kaseya I don’t understand how these fit together. It sounds a lot like REvil compromised the Kaseya software and used that compromise to push the nasty bits, but you say that they didn’t compromise Kaseya so I’m confused. Sorry for being dumb, but I’d love to understand better.

# ? Jul 7, 2021 00:08 |

He means their software was vulnerable but the supplier, in this case Kaseya, wasn’t hit themselves via some kind of supply chain attack. I believe

# ? Jul 7, 2021 00:11 |

It appears the patch for PrintNightmare has been released. Happy patch Tuesday!

# ? Jul 7, 2021 00:24 |

Subjunctive posted:I don’t understand how these fit together. It sounds a lot like REvil compromised the Kaseya software and used that compromise to push the nasty bits, but you say that they didn’t compromise Kaseya so I’m confused. Sorry for being dumb, but I’d love to understand better. If I hack your company through an already existing vulnerability in windows, did microsoft get hacked?

# ? Jul 7, 2021 00:26 |

Subjunctive posted:I don’t understand how these fit together. It sounds a lot like REvil compromised the Kaseya software and used that compromise to push the nasty bits, but you say that they didn’t compromise Kaseya so I’m confused. Sorry for being dumb, but I’d love to understand better. Vulnerability detected in self-hosted Kaseya instances that were exposed to the internet, attacker used this access to deploy their payload. If you have Kaseya access you can just use the API to deploy something to all clients, it doesn’t mean the company making the software was infiltrated.

# ? Jul 7, 2021 00:41 |

Yeah, the confusing terminology is people saying it's a "supply chain attack" because the compromised Kaseya instances can push Bad Things to clients masquerading as legitimate updates / software installs / whatever. It'd be the same as if there was a compromise that let attackers pop your AD controller and deploy a GPO policy to all clients that forced them to run bitcoinminer.exe or whatever on startup: it isn't really what's meant by "supply chain attack," but it does involve some aspects in the sense of being able to abuse legitimate patch / update / install processes to push malware.

# ? Jul 7, 2021 00:45 |

Yeah it's "supply chain" in the sense that REvil used a legit management tool to deploy the ransomware. I don't really agree with that usage but whatevs.

# ? Jul 7, 2021 00:53 |

this isn't a new kind of attack, is it? it seems too obvious to attack the orchestration tools

# ? Jul 7, 2021 00:54 |

I guess it's a supply chain attack in relation to the MSP, similar to how Target got done over by their air conditioning supplier

# ? Jul 7, 2021 01:10 |

Sickening posted:It appears the patch for PrintNightmare has been released. Happy patch Tuesday! not for 2016 though?

# ? Jul 7, 2021 01:11 |

RFC2324 posted:If I hack your company through an already existing vulnerability in windows, did microsoft get hacked? Ah, Kaseya the software vs Kaseya the company. Thanks.

# ? Jul 7, 2021 01:16 |

I assumed it was being called a supply chain attack because the malicious code initially represented itself as a Kaseya update/hotfix, so there was speculation that Kaseya had been compromised and someone pushed a malicious hotfix as Kaseya. Turns out it was just a bad exploit for a piece of software that is designed to be internet facing. In further fun MSP news a Microsoft CSP reseller got compromised over the weekend too. A CSP reseller sells Office 365/Azure to MSPs (which in turn resell it to their customers) that are too small to deal with Microsoft directly and gets delegated admin to every tenant they provide licensing to. https://ir.synnex.com/news/press-release-details/2021/SYNNEX-Responds-to-Recent-Cybersecurity-Attacks-and-Media-Mentions/default.aspx
# ? Jul 7, 2021 03:00 |
came into work today to find an email saying we had just sold off the MSP side of the business I was amused by the timing

# ? Jul 7, 2021 03:08 |

Subjunctive posted:I don’t understand how these fit together. It sounds a lot like REvil compromised the Kaseya software and used that compromise to push the nasty bits, but you say that they didn’t compromise Kaseya so I’m confused. Sorry for being dumb, but I’d love to understand better. New write up by Ars is pretty good. https://arstechnica.com/gadgets/2021/07/up-to-1500-businesses-infected-in-one-of-the-worst-ransomware-attacks-ever/

# ? Jul 7, 2021 03:25 |

Subjunctive posted:I don’t understand how these fit together. It sounds a lot like REvil compromised the Kaseya software and used that compromise to push the nasty bits, but you say that they didn’t compromise Kaseya so I’m confused. Sorry for being dumb, but I’d love to understand better. As I understood it, the attackers exploited a vulnerability in the Kaseya VSA software to compromise on-prem instances of it running at MSPs. These instances were then used to deploy ransomware to the clients of those MSPs. At no point was Kaseya the company itself compromised (that we know of).
# ? Jul 7, 2021 05:47 |
It is possible that Kaseya the company was in fact compromised but that that access was used to learn about the vulnerability in the product. But at this point that's pure speculation.

# ? Jul 7, 2021 05:52 |