
This discussion about government issue TOTP is interesting, because in Finland it basically works the other way. Your bank provides the TOTP or other MFA, and you use your online banking credentials to authenticate yourself to government services and many others too. Want to do your taxes, modify your car registration, check your medical records? It's all handled through bank authentication. Alternatives are authentication through your cell operator's mobile certificate or a government issue smart card, but I have to have a bank account anyway, so why would I pay extra for my operator or buy a 100€ smart card? I work for a large university and if I forget my password, I can go to the password change website, do bank authentication to prove my identity and set a new password.

# ? May 8, 2021 01:14

# ? Jun 8, 2024 05:49

Saukkis posted:
> This discussion about government issue TOTP is interesting, because in Finland it basically works the other way. Your bank provides the TOTP or other MFA, and you use your online banking credentials to authenticate yourself to government services and many others too. Want to do your taxes, modify your car registration, check your medical records? It's all handled through bank authentication. Alternatives are authentication through your cell operator's mobile certificate or a government issue smart card, but I have to have a bank account anyway, so why would I pay extra for my operator or buy a 100€ smart card? I work for a large university and if I forget my password, I can go to the password change website, do bank authentication to prove my identity and set a new password.

Here in the US I am pretty sure there isn't a single major bank that doesn't use SMS for authentication. Pretty sure the problems with that kicked off this whole conversation.

# ? May 8, 2021 01:46

RFC2324 posted:
> Here in the US I am pretty sure there isn't a single major bank that doesn't use SMS for authentication.

In Finland it has been paper number lists since the last millennium. Only in the past few years have EU regulations forced them to change it. Either you use the banking app on your phone, or you receive a number through SMS and check the PIN code that matches that number from your OTP list.

# ? May 8, 2021 02:26

DerekSmartymans posted:
> My adult son didn't get his first stimulus check because it fell out inside a truck and nobody cared enough to pick it up. He got it almost the same day his $600 stimulus check was direct deposited. 🙄

That's more a result of the USA still using paper checks in tyool 2021.

# ? May 8, 2021 07:28

Khablam posted:
> That's not a failure of SMS, that's just social engineering. You can replace SMS with Signal, Google auth, etc. in that scenario and it still works.

You can literally just build a box that acts as a cell phone tower and read everyone's SMS messages for whatever radius you can broadcast / receive to.

# ? May 8, 2021 15:34

alexandriao posted:
> You can literally just build a box that acts as a cell phone tower and read everyone's SMS messages for whatever radius you can broadcast / receive to.

Isn't that basically the Stingray that went around the US a while ago? Fake cell phone tower, gets numbers, text, locational triangulation, the works?

# ? May 8, 2021 15:36

TheParadigm posted:
> Isn't that basically the Stingray that went around the US a while ago? Fake cell phone tower, gets numbers, text, locational triangulation, the works?

https://youtu.be/IktrlSJNumw

# ? May 9, 2021 09:13

DerekSmartymans posted:
> My adult son didn't get his first stimulus check because it fell out inside a truck and nobody cared enough to pick it up. He got it almost the same day his $600 stimulus check was direct deposited. 🙄

I didn't get either stimulus check last year until I filed my 2020 return. I still haven't received my 2019 return.

# ? May 9, 2021 09:35

So my Windows Defender just caught a file Uwamson.A!ml which seems pretty high risk. I read through the OP and am just confirming that the only way to be safe is to reinstall my OS, is that correct?

e: to be clear, nothing happened other than Windows warning me about the file that was contained in a .zip file. I'd unpacked the zip and that's all.

WorldIndustries fucked around with this message at 18:56 on Jun 11, 2021

# ? Jun 11, 2021 18:11

If you didn't actually run the thing you're fine. But whatever you were doing to obtain that zip in the first place sounds risky. How many similar zip files might you have come across in the past that Defender didn't tell you about?

# ? Jun 11, 2021 19:01

Booyah- posted:
> So my Windows Defender just caught a file Uwamson.A!ml which seems pretty high risk.

It seems that signature is associated with crypto mining. Were you attempting to mine crypto of some variety? If so it might be just the antivirus being overzealous; a lot of them will flag all cryptominers as suspicious in the same way as game cracks and such. If you were not attempting to mine crypto it seems someone was, and I'd consider the machine to be compromised.

# ? Jun 11, 2021 21:59

I wasn't doing any mining. It was in the source code zip for Cheat Engine, which I was looking into for changing values in an Unreal Engine game: https://github.com/cheat-engine/cheat-engine/releases/tag/7.2

I didn't actually compile the code; I had unzipped the source and later Windows Defender notified me about it. So maybe I'm okay.

# ? Jun 12, 2021 10:51

Booyah- posted:
> I wasn't doing any mining. It was in the source code zip for Cheat Engine, which I was looking into for changing values in an Unreal Engine game:

WTF. If you look in the issues list at https://github.com/cheat-engine/cheat-engine/issues there's a bunch of issues raised about people running into this issue and all the devs say is "turn off reputation based protection in your antivirus". That's a bit weird. I *guess* it might give a false positive because this is literally a program that exists to mod other programs, which is something that a virus might do. But just telling people to turn off an AV feature without further explanation is... iffy.

But that's a general remark. @Booyah-, as for your individual case, you're most likely fine, as your AV stopped it before anything was actually executed.

# ? Jun 12, 2021 11:05

It's a long-standing issue with grabbing new source code and heuristic antivirus which, for a large part, just asks "is this computer code?", "is it signed?" and "have I seen this code before?" If all 3 are "no", many engines will flag it outright, or give it a high distrust modifier. Once it's assuming the code is bad it'll see a DLL injection and flag it there. All this to say, if you have a high level of trust in your ability to determine a safe source, just create a directory to unpack and compile code in and whitelist it in Defender.

# ? Jun 12, 2021 12:44
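Two things in this exchange are checkable rather than guessable: whether the flagged file ever ran (Booyah-'s "do I have to reinstall?" question) and how to whitelist one build directory instead of turning off reputation-based protection as the upstream issue tracker suggests. The following is an added example, not code from any poster or from the Cheat Engine project; it uses only the Defender cmdlets that ship with Windows 10 (`Get-MpThreat`, `Get-MpThreatDetection`, `Add-MpPreference`, `Get-MpPreference`) and assumes an elevated PowerShell session. The build path is hypothetical.

```powershell
# Added example (not from the thread): read Defender's own record of a
# detection before deciding on a reinstall, and scope any exclusion to a
# single directory. Windows 10 built-in cmdlets; run as Administrator.

function Get-DefenderDetectionSummary {
    # Index threat metadata by ThreatID so each detection event can be joined
    # to the name, DidThreatExecute and IsActive flags that Defender records.
    $threats = @{}
    foreach ($t in Get-MpThreat) { $threats[$t.ThreatID] = $t }

    Get-MpThreatDetection | ForEach-Object {
        $t = $threats[$_.ThreatID]
        $name     = if ($t) { $t.ThreatName }       else { "(unknown ThreatID $($_.ThreatID))" }
        $executed = if ($t) { $t.DidThreatExecute } else { $null }
        $active   = if ($t) { $t.IsActive }         else { $null }
        [PSCustomObject]@{
            Detected         = $_.InitialDetectionTime
            ThreatName       = $name
            DidThreatExecute = $executed   # $false: flagged before anything ran
            IsActive         = $active     # $true: remediation not finished
            ActionSuccess    = $_.ActionSuccess
            Process          = $_.ProcessName
            Files            = ($_.Resources -join '; ')
        }
    } | Sort-Object Detected -Descending
}

function Add-ScopedBuildExclusion {
    # Whitelist one directory used for unpacking and compiling trusted source,
    # instead of disabling reputation-based protection for the whole machine.
    param([Parameter(Mandatory)][string]$Path)
    $dir = New-Item -ItemType Directory -Force -Path $Path
    Add-MpPreference -ExclusionPath $dir.FullName
    # Return the full exclusion list so the change can be reviewed and later
    # reverted with Remove-MpPreference -ExclusionPath.
    (Get-MpPreference).ExclusionPath
}

Get-DefenderDetectionSummary | Format-Table -AutoSize
# Add-ScopedBuildExclusion -Path 'C:\Dev\unpack-and-build'   # hypothetical path
```

A row with `DidThreatExecute` of `False`, `ActionSuccess` of `True` and `IsActive` of `False` is the case the thread describes: the archive was unpacked, the file was never run, and Defender already removed or quarantined it. The exclusion function deliberately takes a single directory; anything unpacked outside it is still scanned, so the trust decision Khablam describes stays limited to that one place.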

Khablam posted:
> All this to say, if you have a high level of trust in your ability to determine a safe source, just create a directory to unpack and compile code in and whitelist it in Defender.

Working in tech has taught me that if you have a high level of trust in your ability to judge anything you are probably wrong.

# ? Jun 12, 2021 16:31

Carbon dioxide posted:
> WTF.

Haha, I did not think to check the issues page, that is sketchy for sure! I'll probably reinstall the OS in a day or two; is there anything I need to be particularly careful of before then? I'm not sure exactly what malware like this is trying to do, i.e. steal passwords or things like that.

# ? Jun 12, 2021 17:51

If it was just source you are safe from that particular hit, so if that's your only concern then formatting because of it is dumb. That said, a regular system wipe is good for Windows.

# ? Jun 12, 2021 17:57

Booyah- posted:
> Haha, I did not think to check the issues page, that is sketchy for sure!

I really wouldn't worry all that much since 1. it's quite likely it was a false positive and 2. even if it isn't, your AV blocked it before it executed anything. It's unlikely your computer is actually infected.

# ? Jun 12, 2021 17:57

Okay, thanks!

# ? Jun 12, 2021 18:19

I'm a non-IT professional / non-CS-educated person who is trying to learn InfoSec and general IT skills along the way. I'm already using password managers and 2FA and use good unique passwords, but haven't yet really looked at my own PC admin and home wifi etc. This is more from a hobbyist perspective of trying to learn InfoSec, so my threat model is artificial in this case, but I'm interested in learning tradeoffs and risks etc.

So to start, I figured I'd learn some basics first by going through my regular devices and home network and learning about different configurations for different threat models. For an absolute beginner, what's a good general guide on "hardening" home Windows PCs and laptops in terms of being secure enough to not be low-hanging fruit for bad actors? I'm talking here about configuring my Windows accounts, privileges etc. and having multiple accounts set up on a home PC. I realized recently that my main account has been lazily set up as an admin, which I imagine is not a good practice, and I need to add an account for my partner too but with enough privileges so she can install Steam games, and also have my accounts set up so that I can still install apps and games (I'm assuming here there's some sort of setup for prompted admin passwords?).

Finally, while maybe some day I'd be curious about nerding out on Linux etc., in the meantime I'd rather just learn Windows since it's what I use at home and work. Plus I wouldn't mind along the way learning stuff in PowerShell or CMD, because I've always wanted to improve my CLI skills, because I'm lazy and would love to learn more productivity stuff for work (I'm a general "knowledge worker", so learning anything to make my bullshit job of copy-pasting text from Excel and Word into emails easier would be great along the way).

# ? Jul 7, 2021 17:38
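The account question above has a concrete starting point: find out who is actually in the local Administrators group, and give everyday use (your own and your partner's) a standard account so that installers trigger a UAC prompt for a separate admin account's password instead of running elevated silently. This is an added example, not something a poster wrote; it uses the `Microsoft.PowerShell.LocalAccounts` cmdlets that ship with Windows 10 and must be run from an elevated PowerShell. The account name is hypothetical.

```powershell
# Added example (not from the thread): audit local admin membership and
# create a standard (non-admin) account. Windows 10, elevated PowerShell.

function Test-RunningAsAdmin {
    # True when the current session is elevated; the audit/create functions
    # below need that.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminReport {
    # Every member of the local Administrators group. For local user accounts
    # the Enabled flag is included so stale or forgotten admin accounts stand out.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $enabled = $null
        if ($_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local') {
            $u = Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue
            if ($u) { $enabled = $u.Enabled }
        }
        [PSCustomObject]@{
            Name    = $_.Name
            Class   = $_.ObjectClass
            Source  = $_.PrincipalSource
            Enabled = $enabled
        }
    }
}

function New-StandardUserAccount {
    # A member of Users only. When this account runs an installer, UAC asks for
    # an administrator account's credentials rather than elevating on its own.
    param([Parameter(Mandatory)][string]$Name)
    if (-not (Test-RunningAsAdmin)) { throw 'Run this from an elevated PowerShell.' }
    $pw = Read-Host "Password for $Name" -AsSecureString
    $user = New-LocalUser -Name $Name -Password $pw
    Add-LocalGroupMember -Group 'Users' -Member $user
    $user
}

Get-LocalAdminReport | Format-Table -AutoSize
# New-StandardUserAccount -Name 'partner'   # hypothetical account name
```

The usual arrangement this supports is two accounts per person who needs to install things: a standard account for daily use and a separate admin account whose password is typed only at the UAC prompt. Steam games installed into the user's own Steam library do not normally need elevation; when something does, the prompt is the "prompted admin password" the question asks about.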

I'm not sure if there's a more appropriate place to post this. So, I'm pretty sure my laptop has been compromised (Windows 10). Here's why I think this. I would love for someone to convince me I'm just being paranoid:

Observation #1: When I try to open Git Bash, it gives the following error:

This is because there's an open SSH connection started by a cygwin shell (explained here). If I run

code:

So to summarize:
- There's an open SSH connection which I didn't start.
- The process name has been changed to something else.
- The connection is opened when Windows starts up, and as best I can tell it is not related to any legitimate program/services.

Observation #2: I have an Apache/PHP/MySQL server running an ancient app that I'll probably be responsible for forever, being the sole developer (and unable to just ghost the client because I'm way too nice). The server isn't public (only accessible on localhost). I was looking at the access and error logs when I noticed some weird entries:

code:

This is real odd, for a variety of reasons:
- That's an ipv6 address. The reason those requests are being denied is I'm restricting connections in .htaccess files to specific ipv4 addresses, 127.0.0.1/localhost being among the allowed addresses, of course. But not '::1'. As in, if I open a browser and go to 'http://127.0.0.1/SystemResources', I'll just see a 404 error in the log like so:

code:

- In fact, this is the first time I've seen an ipv6 address in the log files, and I've been working on this thing for over ten years.
- Even though those requests are ostensibly coming from my laptop, as per the tracert, they don't reflect my laptop's configuration, which defaults to ipv4.
- 'SystemResources' and 'ROOT' are not directories actually being served by Apache, obviously, nor are they aliases (why would they be?). SystemResources is a folder under Windows (C:\Windows\SystemResources) and ROOT makes me think of an environment variable.
- That last entry shows a WMI path (or command? I don't know much about WMI) being passed to the Apache OPTIONS directive. That... doesn't make any sense, at least as far as I understand. It's additionally weird because running Apache on Windows is atypical (I didn't know any better when I started it in the before times). It doesn't make sense on a couple different levels, and it just seems very unlikely to me that some random program would generate such a request.
- mod_info isn't active and phpinfo is disabled, yet those requests clearly demonstrate that whoever or whatever is making them knows that the Apache server is running on Windows, somehow.
- The request to the SystemResources directory is just weird. It assumes that the server is configured to have an alias that points to that directory. No one in their right mind would ever do that.

These log entries generally just don't make any sense to me. The WMI one in particular. If you assume I'm compromised, via an ssh tunnel, I would think that they wouldn't need to attempt to get to those system directories through requests to the Apache server. Those requests to the Windows system directories were, again, made by my laptop. If the intent was to get to those directories, they could simply just navigate to them. So, requesting those addresses on the Apache server is not only weird (for all the mentioned reasons), but also superfluous. Similarly, executing powershell cmdlets through an OPTIONS request is not a thing. As a log entry it looks very suspicious. Given how nonsensical this all is, it makes me wonder if the point of the requests is not to actually get access to those system directories or call WMI commands (somehow), but to put scary looking entries into the log files.

I'm going to do a Windows reset/re-install, of course, just because I don't know what else to do. But, that's what I ended up doing the last time this Git Bash weirdness (and other weird poo poo) started happening. And it did resolve the Git Bash issue, at the time. But now it's happening again, which makes me think I'm compromised at a much deeper level, or at least to the point where re-installing Windows isn't a solution. I'm very frustrated that I'm not savvy enough to figure out the SSH connection issue, like what the (renamed) ssh process is. Is there any way to detect that, based on network activity or whatever? In general I'm just not experienced enough in security to really know what to do or what my options are, assuming my laptop is compromised, besides doing a full reset. Which... apparently doesn't work, since this is the second time this has happened. Again, it would be nice if someone could convince me that I'm wrong about all this and just being paranoid, reading intent into things that are actually innocuous.

edit - I'm not really interested in talking about my reasoning for thinking I might know who might be responsible, and absent any explanation the suggestion just seems unhinged.

Orbis Tertius fucked around with this message at 05:37 on Aug 8, 2021

# ? Aug 7, 2021 21:05

Orbis Tertius posted:
> So to summarize:

I haven't looked at the rest, but I want to point out that your chain of reasoning here is extremely shaky. You don't actually know any of this! You googled up some random internet dude's post about a problem with similar symptoms, and have arrived at these conclusions by assuming your root cause must be the same as his. But it doesn't have to be, and in fact the lack of a ssh process is a clue that it isn't.

Googling the error message led me to: https://stackoverflow.com/questions/45799650/git-bash-error-could-not-fork-child-process-there-are-no-available-terminals which has a whole bunch of comments raising possible causes and fixes. Some of them are the same as random internet dude's, some definitely aren't. It all sounds like the consequences of cygwin being a weird and janky compatibility shim to make Unix software run on Windows, so your first instinct when it acts up shouldn't be "omg I have been hacked!!!", it should be "ah poo poo this junk broke again". (If I were you, I'd look into running tools like git on WSL2 - I haven't used it personally but from what I've heard it probably works a lot better on average than cygwin.)

I'd also add that if you are really super convinced you have a rogue SSH connection open, you should be installing and using network monitoring tools to look for it.

# ? Aug 7, 2021 21:55

BobHoward posted:
> (If I were you, I'd look into running tools like git on WSL2 - I haven't used it personally but from what I've heard it probably works a lot better on average than cygwin.)

Yes, much better.

# ? Aug 7, 2021 21:56

BobHoward posted:
> I haven't looked at the rest, but I want to point out that your chain of reasoning here is extremely shaky. You don't actually know any of this! You googled up some random internet dude's post about a problem with similar symptoms, and have arrived at these conclusions by assuming your root cause must be the same as his. But it doesn't have to be, and in fact the lack of a ssh process is a clue that it isn't.

Thanks, that's along the lines of what I wanted to hear... I've actually transitioned to working in WSL but still had git installed in Windows. I did do more research about the Cygwin error than just that one article, and the open SSH connection was the reason I decided on. But, I could just be coming to conclusions that fit with my suspicions.

Orbis Tertius fucked around with this message at 22:29 on Aug 7, 2021

# ? Aug 7, 2021 22:17

Orbis Tertius posted:
> Thanks, that's along the lines of what I wanted to hear... I've actually transitioned to working in WSL but still had git installed in Windows.

Just gonna point out that when you troubleshoot you should never "decide on" an option; you should be ruling things out systematically and as conclusively as possible. And "I don't think that's what it is" and "I don't like that answer" are not conclusive, they are in fact the opposite of conclusive.

# ? Aug 7, 2021 22:46

Don't see how this is a hard one to prove or disprove. Fire up procexp and wireshark and go looking for evidence.

# ? Aug 7, 2021 23:52
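The "go looking for evidence" advice, applied to the specific claim above (a renamed process holding an SSH connection that opens at boot), can be done with built-in cmdlets before reaching for Process Explorer or Wireshark. This is an added example and not any poster's code: it lists live TCP connections, maps each to the process that owns it, and reports the binary's path, the original file name stored in its version resource, and its Authenticode status. It assumes Windows 10 and an elevated session (otherwise `Path` is empty for processes owned by other accounts).

```powershell
# Added example (not from the thread): map TCP connections to their owning
# process and check what that executable actually is. Windows 10 built-in
# cmdlets; run as Administrator to see paths of other users' processes.

function Get-ConnectionOwnerReport {
    param(
        [int[]]$Port = @(22),      # SSH by default; pass @() to list everything
        [switch]$IncludeListening
    )
    $states = @('Established')
    if ($IncludeListening) { $states += 'Listen' }

    Get-NetTCPConnection -State $states | Where-Object {
        $Port.Count -eq 0 -or $_.RemotePort -in $Port -or $_.LocalPort -in $Port
    } | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $procName = if ($proc) { $proc.ProcessName } else { '(exited)' }
        $path = $null; $origName = $null; $sig = $null
        if ($proc -and $proc.Path) {
            $path = $proc.Path
            # A renamed copy of ssh.exe still carries its original file name in
            # the version resource; the signature status says whether the image
            # is the one its publisher shipped (Cygwin binaries are unsigned,
            # so NotSigned alone is not evidence of tampering).
            $origName = (Get-Item $path).VersionInfo.OriginalFilename
            $sig = (Get-AuthenticodeSignature -FilePath $path).Status
        }
        [PSCustomObject]@{
            Local        = "$($_.LocalAddress):$($_.LocalPort)"
            Remote       = "$($_.RemoteAddress):$($_.RemotePort)"
            State        = $_.State
            PID          = $_.OwningProcess
            Process      = $procName
            Path         = $path
            OriginalName = $origName
            Signature    = $sig
            Since        = $_.CreationTime   # compare against boot time
        }
    }
}

Get-ConnectionOwnerReport | Format-Table -AutoSize
# Get-ConnectionOwnerReport -Port @() -IncludeListening | Out-GridView   # everything
```

If the report shows no established connection to port 22 at all, the "open SSH connection" theory is ruled out directly, which is the systematic elimination the previous reply asks for. If it does show one, the `Path`, `OriginalName` and `Since` columns say what the process is and when the connection was made, which is what a Wireshark capture would then be used to confirm.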

Orbis Tertius posted:

Too late. OP, do you have a history of paranoid schizophrenia? Also check for a carbon monoxide leak.

# ? Aug 7, 2021 23:56

Rufus Ping posted:
> Too late.

No, I don't. I have procexp but I don't really know what I'm looking for. I'll give wireshark a go. Thanks for the suggestions.

# ? Aug 8, 2021 01:51

Might wanna get checked out on the paranoid delusions, just saying.

# ? Aug 8, 2021 16:42

Late to the party, but those IPv6 addresses you're seeing are link-local addresses. They're sort of like the old IPv4 Autoconfiguration addresses. Almost definitely not significant. https://www.rfc-editor.org/rfc/rfc4291.html

# ? Aug 9, 2021 13:53
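The point above generalises: before reading intent into an access-log entry, classify the client address. `::1` is the IPv6 loopback (the same machine, just like 127.0.0.1), and `fe80::/10` addresses are link-local, which is why an `.htaccess` allow-list written only for IPv4 rejects them with a 403 even when the browser is on the laptop itself. The following is an added example, not a poster's code or logs: it parses Apache combined-format lines and labels each client address by scope. The log lines are constructed for the example; the earlier posts' real log entries are not on this page.

```powershell
# Added example (not from the thread): parse Apache access-log lines and
# classify the client address so loopback and link-local requests are not
# mistaken for remote ones. Pure PowerShell/.NET, no modules required.

# Constructed sample lines in Apache "combined" format (not the poster's logs).
$sampleLog = @'
127.0.0.1 - - [05/Aug/2021:10:12:01 -0500] "GET /SystemResources HTTP/1.1" 404 196 "-" "Mozilla/5.0"
::1 - - [05/Aug/2021:10:12:05 -0500] "GET /ROOT HTTP/1.1" 403 199 "-" "-"
fe80::1c2d:3e4f:5a6b:7c8d - - [05/Aug/2021:10:12:09 -0500] "OPTIONS / HTTP/1.1" 403 199 "-" "-"
203.0.113.9 - - [05/Aug/2021:10:13:00 -0500] "GET /login HTTP/1.1" 200 512 "-" "curl/7.68.0"
'@

function Get-AddressScope {
    # Returns loopback / link-local / site-local / unique-local / private / global.
    param([Parameter(Mandatory)][string]$Address)
    $ip = $null
    # Drop a zone index such as fe80::1%12 before parsing.
    if (-not [System.Net.IPAddress]::TryParse(($Address -split '%')[0], [ref]$ip)) {
        return 'unparseable'
    }
    if ([System.Net.IPAddress]::IsLoopback($ip)) { return 'loopback' }   # 127/8 and ::1
    $b = $ip.GetAddressBytes()
    if ($ip.AddressFamily -eq 'InterNetworkV6') {
        if ($ip.IsIPv6LinkLocal) { return 'link-local' }               # fe80::/10
        if ($ip.IsIPv6SiteLocal) { return 'site-local' }               # fec0::/10 (deprecated)
        if (($b[0] -band 0xfe) -eq 0xfc) { return 'unique-local' }     # fc00::/7
        return 'global'
    }
    if ($b[0] -eq 169 -and $b[1] -eq 254) { return 'link-local' }       # 169.254/16
    if ($b[0] -eq 10 -or
        ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
        ($b[0] -eq 192 -and $b[1] -eq 168)) { return 'private' }        # RFC 1918
    return 'global'
}

function Get-AccessLogClientReport {
    # One object per parseable line: client, its scope, method, path, status.
    param([Parameter(Mandatory)][string[]]$Lines)
    $pattern = '^(?<client>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<path>\S+)[^"]*" (?<status>\d{3})'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [PSCustomObject]@{
                Client = $Matches.client
                Scope  = Get-AddressScope -Address $Matches.client
                Method = $Matches.method
                Path   = $Matches.path
                Status = [int]$Matches.status
            }
        }
    }
}

Get-AccessLogClientReport -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

On the constructed input the first three rows come out as `loopback`, `loopback` and `link-local`, and only the last as `global`. Run over a real access log (`Get-Content access.log`), anything that is not `global` originated on the machine or its local link, and the interesting question becomes which local process made the request, not who is outside.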

Hello, after reading the OP, I do realize it is mostly a security blanket, but I am having trouble with my Microsoft Security's real time protection settings, namely that it seems to be disabled and I cannot turn it on. Checking the help menu suggested the fix was removing other anti-virus/malware/etc. programs which would interfere, but I have never installed another antivirus on this computer. I am unsure what to do going forwards. I realize that it wouldn't do much even after it is turned on, but something is better for peace of mind than nothing.

Also, on another note, as someone with minor computer literacy, how difficult would it be to install and use uBlock Origin, or uBlock?

# ? Sep 30, 2021 21:40

Ashsaber posted:
> Hello, after reading the OP, I do realize it is mostly a security blanket, but I am having trouble with my Microsoft Security's real time protection settings, namely that it seems to be disabled and I cannot turn it on. Checking the help menu suggested the fix was removing other anti-virus/malware/etc. programs which would interfere, but I have never installed another antivirus on this computer. I am unsure what to do going forwards.

Don't use uBlock, use Origin, and you just get it off your browser's extension store.

# ? Sep 30, 2021 22:51

Is this thread where I should ask how someone got a password for my Outlook.com account? The account has zero known breaches according to Have I Been Pwned.

# ? Nov 24, 2021 00:12

They've had data breaches in the past. Here's an article on one from 2019: https://nakedsecurity.sophos.com/2019/04/17/microsoft-confirms-outlook-com-and-hotmail-accounts-were-breached/

# ? Nov 24, 2021 03:32

WattsvilleBlues posted:
> Is this thread where I should ask how someone got a password for my Outlook.com account? The account has zero known breaches according to Have I Been Pwned.

Where else did you use that password?

# ? Nov 24, 2021 05:02

RFC2324 posted:
> Where else did you use that password?

That's the thing, nowhere. The account is only used for Outlook.com and my GP surgery website, and both passwords are different. The password for the Outlook site was randomly generated by Bitwarden. I had two factor authentication on anyway so they didn't get access (and it's how I know they had the password).

# ? Nov 24, 2021 11:55

Did you receive a notification to this effect from Outlook or something? If all that's true then the next most plausible options are someone watched you type it, you typed it into a computer with a keylogger (possibly your own), or you typed/pasted it into a phishing site. The solution is the same in all cases: change the password to something new from a safe computer.

# ? Nov 24, 2021 15:10

I've heard tales that sometimes sync issues between Outlook and the Authenticator app can cause unsolicited authentication requests, but yeah, if you're worried then just change the password from a safe machine.

# ? Nov 24, 2021 17:42

Rufus Ping posted:
> Did you receive a notification to this effect from Outlook or something?

I got a request on my 2FA app asking to authorise a log on. I'm running a Malwarebytes scan. It's very strange. Password changed anyway. Thank god for 2FA. poo poo thing is, it's my grandmother's email address. She died in 2013; I just keep it active for sentiment, it's not actually used for anything.

# ? Nov 24, 2021 17:44

So a mate's PC is showing symptoms that could point to an infection of some kind, so I'm going to lend a hand over the weekend, but it's been years since I did any of this. What's the standard tool set for scanning a possibly infected personal PC on Windows 10 these days? Last time I did this, Malwarebytes and SuperAntiSpyware were the recommended combination; is that still true? Also, are there any good writeups on sorting Malwarebytes results? I know last time I used it I had to spend quite a bit of time determining what was being flagged but wasn't actually anything harmful.

# ? Nov 26, 2021 00:41