Potato Salad
Oct 23, 2014

nobody cares


Cup Runneth Over posted:

https://news.ycombinator.com/item?id=29705957

LastPass might be getting hit by a credential stuffing incident with master passwords, reportedly

lol, lmao

it's ok, Tavis Ormandy said lastpass is fine and he definitely didn't have some kind of proverbial gun against his noggin


Esran
Apr 28, 2008
log4shell episode 3: Return of the JNDI

https://lists.apache.org/thread/4dok5924ohqzoftm90jxndx1cxhtdzzw

Esran fucked around with this message at 20:31 on Dec 28, 2021

some kinda jackal
Feb 25, 2003

I’m on vacation and my phone is off so, despite me helping out for the last two weeks and change, good luck whoever’s job it ACTUALLY is to coordinate the response on this stuff at work :cool:

DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness

As entertaining as it is for this to go on forever (just kill the class already!), the requirement that "...an attacker with permission to modify the logging configuration file..." means they're assuming access sufficient that an attacker would very likely be capable of doing RCEs through numerous other means already.

Not sayin' don't fix it / upgrade when you can, but this doesn't sound all that particularly frightening, given the context.

crazysim
May 23, 2004
I AM SOOOOO GAY

is it me or like many trilogies, the third is kinda weak?

it's like those classic "if you have admin access, you can do a lot of damage!"

Esran
Apr 28, 2008
Yes, thankfully this one sounds like an "upgrade during normal working hours".

Combat Pretzel
Jun 23, 2004

No, seriously... what kurds?!
I'm curious how the IT department at my company reacted to this. I currently have no idea what's going on, due to extended Christmas vacation, so I can't wait to get back in January.

Their kneejerk reaction to the PrintNightmare stuff this summer was to proactively break printing for everyone in the company.

RFC2324
Jun 7, 2012

http 418

Then the correct response is to proactively break *everything*

DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness
To be fair, enterprise printing was a mistake and I fully approve of proactively breaking printing on principle for everyone.

evil_bunnY
Apr 2, 2003
"where an attacker with permission to modify the logging configuration file"

who gives a poo poo

Thanks Ants
May 21, 2004

#essereFerrari
Yeah if that counts then you might as well start listing all the things that can be done with a bootable USB stick or hypervisor access and calling them vulns

RFC2324
Jun 7, 2012

http 418

Thanks Ants posted:

Yeah if that counts then you might as well start listing all the things that can be done with a bootable USB stick or hypervisor access and calling them vulns

they are, they are just <WONTFIX>

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug
Pillbug

evil_bunnY posted:

"where an attacker with permission to modify the logging configuration file"

who gives a poo poo

Yeah, at that point they already won.

chin up everything sucks
Jan 29, 2012

evil_bunnY posted:

"where an attacker with permission to modify the logging configuration file"

who gives a poo poo

It's not dangerous at all except when used as part of a supply chain attack.
Hacker finds a commonly used but rarely updated software package. Hacker finds a way to compromise the package so it now includes a pre-hosed version of Log4J and something that pings a C&C on rare occasion. Now the hacker has a self-identifying list of servers open for an RCE until people figure out the root cause.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

chin up everything sucks posted:

It's not dangerous at all except when used as part of a supply chain attack.
Hacker finds a commonly used but rarely updated software package. Hacker finds a way to compromise the package so it now includes a pre-hosed version of Log4J and something that pings a C&C on rare occasion. Now the hacker has a self-identifying list of servers open for an RCE until people figure out the root cause.

A version that, apparently, cannot just pop open a shell for itself...?

chin up everything sucks
Jan 29, 2012

Volmarias posted:

A version that, apparently, cannot just pop open a shell for itself...?

Depends on how long they want to maintain access to devices, or if they want to burn them immediately. There is a business in backdooring devices and then selling access to them to other criminals.

spankmeister
Jun 15, 2008
These kinds of vulnerabilities are how hackers might escalate privileges, move laterally, and establish persistence after they've already gained some access inside a network. It should absolutely get patched, but it's fine to roll it into your regular patch schedule because it's not nearly as bad as the first log4j vulnerability.

evil_bunnY
Apr 2, 2003

spankmeister posted:

These kinds of vulnerabilities are how hackers might escalate privileges, move laterally, and establish persistence after they've already gained some access inside a network. It should absolutely get patched, but it's fine to roll it into your regular patch schedule because it's not nearly as bad as the first log4j vulnerability.

Exactly. See you assholes on Monday.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Ynglaur posted:

I'm halfway through the thread and it's just nerds arguing with someone to update a blog post from 2017 because apparently if you ever write a piece of code you have an obligation to update your blog posts about it in perpetuity.

Also the OP got their master password compromised and didn't have their original MFA token. I mean, maybe a credential stuffing attack is there, but I don't think that's the only potential cause of the problem and it's a single report on a forum.

On the other hand

https://twitter.com/GossiTheDog/status/1475881608557338634

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?

Consider me wrong then! Thanks for following up.

Arivia
Mar 17, 2011
why in all dear god would you use your master password for a password manager in multiple places

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?

Arivia posted:

why in all dear god would you use your master password for a password manager in multiple places

It said that you only have to remember one password so...

Rescue Toaster
Mar 13, 2003

Arivia posted:

why in all dear god would you use your master password for a password manager in multiple places

I mean every single cloud-based password manager service uses your master password as both your vault key and as the login to the website. No possible downsides to that, right?

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?

Rescue Toaster posted:

I mean every single cloud-based password manager service uses your master password as both your vault key and as the login to the website. No possible downsides to that, right?

Not beyond the concept of one key to the kingdom, or accessing your vault from anywhere other than localhost. The website is really just a GUI, after all.

Arivia
Mar 17, 2011

Rescue Toaster posted:

I mean every single cloud-based password manager service uses your master password as both your vault key and as the login to the website. No possible downsides to that, right?

at least 1password asks for the secret key thing to prove i have something in addition to knowing something on the website, but jeez

Proteus Jones
Feb 28, 2013
Arivia posted:

at least 1password asks for the secret key thing to prove i have something in addition to knowing something on the website, but jeez

It's been a while since I've accessed the cloud client, but I think you can also set it up so that you can use one of the native apps to validate access as well.

e: nope as I think about further, that's for validating native app installs I think. not cloud.

Rescue Toaster
Mar 13, 2003
I guess I'm not even differentiating about native clients vs browser plugins vs javascript 'client'. Doesn't change the fact that to login to the 1password or lastpass or bitwarden website your regular old login is your master password. KeePass is the only thing I can think of that lets you use a server/account completely divorced from your master vault password.

I think 1password takes the cake for dumbest poo poo ever "Your Secret Key was created on your own device. We have no record of your Secret Key and can’t recover it." "Your Secret Key and your 1Password account password both protect your data. They’re combined to create the full encryption key that encrypts everything you store in 1Password." ...and then just to login to the website for any dumb reason please type both your master password and secret key into these text boxes in your browser! No person or browser has ever been tricked with a fake website ever before, so there's no risk of you losing both at the same time, thankfully!

I'm well aware I seem to be the only person on earth that thinks this is stupid I guess.

Rescue Toaster fucked around with this message at 00:53 on Jan 1, 2022

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?
The threat profile you just described is the same for Office 365, Google, and any other service you log into that doesn't run on hardware you control that passes over a network you also don't control.

Would a separate website password be more secure, if it then gave you access to a second page on which you entered your master password? What would a separate website password do?

Rescue Toaster
Mar 13, 2003

Ynglaur posted:

The threat profile you just described is the same for Office 365, Google, and any other service you log into that doesn't run on hardware you control that passes over a network you also don't control.

Would a separate website password be more secure, if it then gave you access to a second page on which you entered your master password? What would a separate website password do?

Given the choice I would never enter my master password in a regular old hosted webpage in a web browser. I would never use a 'web vault', I'd stick to standalone apps and/or a browser plugin if necessary.

I get what you're saying about threat profile. Would you trust google or office 365 enough to put every single password to every single service you use in a google doc, if all the encrypting & decrypting was done right in the browser in javascript on a regular webpage (not even in a special browser plugin, just a hosted page)? Because right now that's basically what you're forced to do with all the big password manager sites, that's the level of trust you place in them. I would trust them to hold onto an encrypted file for me, and that's it. That's what I want out of a cloud password manager service.

Arivia
Mar 17, 2011

Rescue Toaster posted:

Given the choice I would never enter my master password in a regular old hosted webpage in a web browser. I would never use a 'web vault', I'd stick to standalone apps and/or a browser plugin if necessary.

I get what you're saying about threat profile. Would you trust google or office 365 enough to put every single password to every single service you use in a google doc, if all the encrypting & decrypting was done right in the browser in javascript on a regular webpage (not even in a special browser plugin, just a hosted page)? Because right now that's basically what you're forced to do with all the big password manager sites, that's the level of trust you place in them. I would trust them to hold onto an encrypted file for me, and that's it. That's what I want out of a cloud password manager service.

I’m not an infosec professional and I don’t have the energy to roll my own keepass or whatever. I use 1Password (subscription) because yeah it is at least a bit safer overall even if someone just has to pop my master password on any of my devices to get in. There are definitely more secure options but I am very limited by means and ability and tbh I have had it for like six years now and no complaints ever.

And honestly with covid and everything it’s nice that I was able to give my next of kin the master password to get into my poo poo easily if I do croak. Already came close once this year.

Rufus Ping
Dec 27, 2006
I'm a Friend of Rodney Nano

Rescue Toaster posted:

Given the choice I would never enter my master password in a regular old hosted webpage in a web browser. I would never use a 'web vault', I'd stick to standalone apps and/or a browser plugin if necessary.

I get what you're saying about threat profile. Would you trust google or office 365 enough to put every single password to every single service you use in a google doc, if all the encrypting & decrypting was done right in the browser in javascript on a regular webpage (not even in a special browser plugin, just a hosted page)? Because right now that's basically what you're forced to do with all the big password manager sites, that's the level of trust you place in them. I would trust them to hold onto an encrypted file for me, and that's it. That's what I want out of a cloud password manager service.

I don't understand why you think you're "forced" to use the web vault feature of 1Password - they have native apps and extensions for basically every OS and browser that work the way you describe (proper e2ee where the server just holds an encrypted blob)

The only thing I'm aware of that necessitates logging into their website is if you need to update your billing details - at which point, sure, they could pwn you with some backdoored JS that siphons off your secret key and master password instead of doing everything in the browser. But your complaint appears to be about something more than this one edge case?

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?

Rescue Toaster posted:

Given the choice I would never enter my master password in a regular old hosted webpage in a web browser. I would never use a 'web vault', I'd stick to standalone apps and/or a browser plugin if necessary.

I get what you're saying about threat profile. Would you trust google or office 365 enough to put every single password to every single service you use in a google doc, if all the encrypting & decrypting was done right in the browser in javascript on a regular webpage (not even in a special browser plugin, just a hosted page)? Because right now that's basically what you're forced to do with all the big password manager sites, that's the level of trust you place in them. I would trust them to hold onto an encrypted file for me, and that's it. That's what I want out of a cloud password manager service.

This is a reasonable and consistent position, at least. My personal threat profile is such that I'm fine trusting a limited set of providers with certain info. MFA makes this quite a bit safer than a few years ago.

Also, Happy New Year Infosec goons! May your CVEs be interesting, easily patched, and already remediated by your limited blast radii.

Rescue Toaster
Mar 13, 2003

Rufus Ping posted:

The only thing I'm aware of that necessitates logging into their website is if you need to update your billing details - at which point, sure, they could pwn you with some backdoored JS that siphons off your secret key and master password instead of doing everything in the browser. But your complaint appears to be about something more than this one edge case?

No this is my primary complaint. The login information to the website/cloud service for billing and syncing has nothing to do with the actual vault password. They should not be conflated, period. My brain is screaming at me that this is bad design and it makes it hard to trust or feel comfortable with the rest of the ecosystem. I'll be the first to admit I have a hard time sometimes separating 'this is a practical threat' vs 'this is just unnecessary attack surface'.

A supply side attack is always possible with the clients, that's basically unavoidable. But opening up a weird world of JS or domain fuckery or sketchy SSL cert issuers or other BS going on in a browser and so on just so you don't have a separate login password seems so unnecessary. I agree with Ynglaur that MFA helps a lot as they'd have to combine some theft of the credentials with stealing a client device that has the vault since they shouldn't be able to get both from the service without a MFA token. This assumes they won't just reset/bypass the MFA if you contact support and complain though. 1password for sure has a 'lost mfa' recovery process through support that you cannot opt out of or disable.

Rescue Toaster fucked around with this message at 05:12 on Jan 1, 2022

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Rescue Toaster posted:

Would you trust google or office 365 enough to put every single password to every single service you use in a google doc, if all the encrypting & decrypting was done right in the browser in javascript on a regular webpage (not even in a special browser plugin, just a hosted page)?

tbh, I probably would. breaking gdocs is way more valuable than doing a phish good enough to compromise me, and I don’t think I’m an interesting-enough target to warrant burning a vuln like that.

Rufus Ping
Dec 27, 2006

I'm a Friend of Rodney Nano

Rescue Toaster posted:

But opening up a weird world of JS or domain fuckery or sketchy SSL cert issuers or other BS going on in a browser and so on

I think you'd benefit from being more precise here: what exact scenario(s) involving domains and SSL certs are you imagining?

Bearing in mind 1P takes advantage of HSTS preloading, CAA records, DNSSEC, etc, think exactly what an attacker would have to achieve to be successful in your chosen attack. And then consider that, unless you happen to be logging in to update your billing information while this is going on, it doesn't affect you at all.

Rust Martialis
May 8, 2007

At night, Bavovnyatko quietly comes to the occupiers’ bases, depots, airfields, oil refineries and other places full of flammable items and starts playing with fire there
Woke up, saw 9 unread, thought, oh gently caress, 2.18.0

BlankSystemDaemon
Mar 13, 2009

AKA - Always Keep rear end.

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

Rufus Ping posted:

I think you'd benefit from being more precise here: what exact scenario(s) involving domains and SSL certs are you imagining?

Bearing in mind 1P takes advantage of HSTS preloading, CAA records, DNSSEC, etc, think exactly what an attacker would have to achieve to be successful in your chosen attack. And then consider that, unless you happen to be logging in to update your billing information while this is going on, it doesn't affect you at all.

Phishing is absolutely a relevant attack. Why do they even need to know your client-generated key in addition to your password in this scenario anyway? What additional security does it provide compared to password alone?

Saukkis
May 16, 2003

Unless I'm on the inside curve pointing straight at oncoming traffic the high beams stay on and I laugh at your puny protest flashes.
I am Most Important Man. Most Important Man in the World.

Arivia posted:

I’m not an infosec professional and I don’t have the energy to roll my own keepass or whatever. I use 1Password (subscription) because yeah it is at least a bit safer overall even if someone just has to pop my master password on any of my devices to get in. There are definitely more secure options but I am very limited by means and ability and tbh I have had it for like six years now and no complaints ever.

And honestly with covid and everything it’s nice that I was able to give my next of kin the master password to get into my poo poo easily if I do croak. Already came close once this year.

But do you really need to roll your own Keepass? Do you have any cloud storage, Google Drive, Dropbox, whatever? You download and install the client, which is pretty much the same you would do with any other manager. Then create a new database, set the master password and any other security settings you want and save the database in your cloud storage folder. The biggest extra complication is deciding which browser plugin to choose, since Keepass doesn't have an official recommended one.


Rufus Ping
Dec 27, 2006

I'm a Friend of Rodney Nano

Jabor posted:

Phishing is absolutely a relevant attack.

fortunately the 1password browser extension fills properly on their own website, entirely eliminating phishing as a vector

Jabor posted:

Why do they even need to know your client-generated key in addition to your password in this scenario anyway? What additional security does it provide compared to password alone?

they shouldn't need it for billing access, you're right. They've obviously prioritised simplicity for the end user over protecting against this particular attack scenario. I just don't think this is the gigantic flaw that Rescue Toaster is acting like it is
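The extension behaviour Rufus Ping relies on above, written out as an added example that is not 1Password's or any vendor's code: the origin check a password-manager extension makes before it offers a saved login, which is what makes autofill refuse a lookalike page. All hostnames in it are constructed placeholders.

```javascript
// Added example (not 1Password's or any other vendor's code): the origin check
// a password-manager browser extension makes before it offers a saved login.
// The decision is taken on the origin the browser actually loaded, never on
// what the page shows the user, so a lookalike phishing page gets nothing.
// Hostnames below are constructed placeholders, not real services.

// Constructed sample vault entries.
const VAULT = [
  { site: "https://my.example-vault.test/signin", username: "goon@example.test" },
  { site: "https://mail.example.test/login", username: "goon" },
];

// True only when pageUrl may receive the credential saved for savedSite:
// https on both sides, identical hostname and identical port. Path and query
// are ignored. The URL parser applies IDNA normalisation, so a Unicode
// homograph label ends up as a different xn-- string and fails the compare.
// Real managers usually widen the match to the registrable domain via the
// Public Suffix List; that table is omitted here, so the rule is exact-host.
function allowFill(savedSite, pageUrl) {
  let saved, page;
  try {
    saved = new URL(savedSite);
    page = new URL(pageUrl);
  } catch (e) {
    return false; // unparsable URL: never fill
  }
  // Plain http is refused even for the right host: a network attacker could
  // be serving the form.
  if (saved.protocol !== "https:" || page.protocol !== "https:") return false;
  if (saved.hostname !== page.hostname) return false; // parser already lowercased
  return saved.port === page.port; // a default port normalises to ""
}

// Usernames the extension would offer on pageUrl; an empty list means no
// prompt, which is the signal a user should read as "this is not the site".
function candidates(vault, pageUrl) {
  return vault.filter((e) => allowFill(e.site, pageUrl)).map((e) => e.username);
}

// Walk a set of constructed page URLs and report fill/refuse for each.
function demo() {
  const pages = [
    "https://my.example-vault.test/signin?next=%2Fbilling", // the real site
    "https://my.example-vault.test:443/",                    // explicit default port
    "https://my.example-vault.test.evil.test/signin",        // suffix lookalike
    "https://my-example-vault.test/signin",                  // typo lookalike
    "http://my.example-vault.test/signin",                   // TLS stripped
    "https://my.ex\u0430mple-vault.test/signin",             // Cyrillic a homograph
  ];
  const report = {};
  for (const p of pages) report[p] = candidates(VAULT, p).length > 0;
  return report;
}

for (const [url, filled] of Object.entries(demo())) {
  console.log(filled ? "fill  " : "refuse", url);
}
```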
