Sirotan
Oct 17, 2006

Sirotan is a seal.


I guess I am finally going to be switching over to Keepass XC.

:synpa:

Also RIP to a great master password, gonna take me a while to undo that muscle memory.


Ynglaur
Oct 9, 2013

The Malta Conference, anyone?

SlowBloke posted:

I'm not big on the dev response to "this CVE means the master password does gently caress all" being "I'll release an update if I have enough stuff to justify writing a changelog". I understand it's free software and I have zero authority on this work schedule; it's just weird IMHO.

You're still supposed to give the developer time to actually fix or not fix the vulnerability. 90 days is the default for good reason.

SlowBloke
Aug 14, 2017

Ynglaur posted:

You're still supposed to give the developer time to actually fix or not fix the vulnerability. 90 days is the default for good reason.

The dev has a viable patch in that thread. I'm perplexed at not releasing an out of band update on the spot, maybe mentioning "issue is critical, I'm prioritizing delivery times instead of testing" and then proceeding with the usual delivery schedule.

Klyith
Aug 3, 2007

GBS Pledge Week

SlowBloke posted:

Thank god i use keepassXC or Keepassium. I think the infosec expert made the PoC public after this message https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/#37b9 where the dev casually says "Eh, I'll add it to the pile".

Uh, did you read the thread you linked, because the dev immediately recognized it as important and worked to fix it.

The previous keepass maybe-exploit of "use the password dump feature in the program by turning it on in the .ini config" was the one where the dev was like eh I'll add something eventually. Because that thing was dumb. If an attack isn't worse than a keylogger it's not worth special attention.

This CVE is worse than a keylogger and is going to be fixed fairly promptly.

Sirotan posted:

Also RIP to a great master password, gonna take me a while to undo that muscle memory.

Unless you have reason to suspect your machine is compromised, why would you do that?

SlowBloke
Aug 14, 2017

Klyith posted:

Uh, did you read the thread you linked, because the dev immediately recognized it as important and worked to fix it.

The previous keepass maybe-exploit of "use the password dump feature in the program by turning it on in the .ini config" was the one where the dev was like eh I'll add something eventually. Because that thing was dumb. If an attack isn't worse than a keylogger it's not worth special attention.

This CVE is worse than a keylogger and is going to be fixed fairly promptly.

It didn't release a compiled build on the homepage/delivery channels, which I feel is the cause of the PoC becoming public. I'm not going to request the dev to be flayed on the city square, just perplexed at the logic behind not compiling/publishing an emergency build on sourceforge/winget.

SlowBloke fucked around with this message at 15:05 on May 17, 2023

Sirotan
Oct 17, 2006

Sirotan is a seal.


Klyith posted:

Unless you have reason to suspect your machine is compromised, why would you do that?

Because I am probably due to rotate it anyway and also I am just generally paranoid. :shrug:

Klyith
Aug 3, 2007

GBS Pledge Week

SlowBloke posted:

It didn't release a compiled build, which I feel is the cause of the PoC becoming public. I'm not going to request the dev to be flayed on the city square, just perplexed at the logic behind not compiling/publishing an emergency build on sourceforge/winget.

It's not that awful of a CVE.

You need to be locally compromised, or to have your PC stolen by an attacker who is either very sophisticated (can dump RAM from the chip) or gets lucky (password recoverable from page / hibernation file, which is not guaranteed, and also means you weren't using drive encryption*).


*if you aren't using drive encryption on a PC that might be stolen, you have very little grounds to complain about other people's security failings



edit: also lmao there was no delay, the guy posted it publicly after the dev said "did you turn off password obscuring", which is an entirely reasonable first response to that post. No 90 days, no private communication. The guy who found it hosed up, not the dev.

Klyith fucked around with this message at 15:17 on May 17, 2023

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Sirotan posted:

Because I am probably due to rotate it anyway and also I am just generally paranoid. :shrug:

What purpose does rotation of master passwords serve? Someone expensively brute-forced it against your database and is just sitting on it to unlock a future version with a few more saved passwords in it? I have decades-old master passwords and good loving luck to me if I change them.

Sirotan
Oct 17, 2006

Sirotan is a seal.


Subjunctive posted:

What purpose does rotation of master passwords serve? Someone brute-forced expensively it against your database and is just sitting on it to unlock a future version with a few more saved passwords in it? I have decades-old master passwords and good loving luck to me if I change them.

I'm fully aware and will admit it's mostly an irrational decision. To be honest the password is a bit too personal (no, it isn't the name of my pet) and I've known I should probably have changed it for a while now, so I am finally using this as my excuse. It's really not a big deal and I was mostly being hyperbolic ok!!

SlowBloke
Aug 14, 2017

Sirotan posted:

I'm fully aware and will admit it's mostly an irrational decision. To be honest the password is a bit too personal (no, it isn't the name of my pet) and I've known I should probably have changed it for a while now, so I am finally using this as my excuse. It's really not a big deal and I was mostly being hyperbolic ok!!

Since you seem to plan to move to XC, you can bind YubiKeys using HMAC-SHA1 to unlock the db. It has partial compatibility with the various mobile clients since KeePass doesn't have an official implementation.
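
As an added example (not KeePassXC's code), here is a model of the HMAC-SHA1 challenge-response unlock described above. The token side matches how a YubiKey HMAC-SHA1 slot behaves: a 20-byte secret that is programmed once and can never be read back, a challenge of up to 64 bytes, and a 20-byte HMAC-SHA1 response. The way the response is folded into the database key below is an assumption modelled on KeePass's composite-key idea, and the Argon2/AES-KDF step a real .kdbx runs afterwards is omitted. The `FakeYubiKeyHmacSlot` class and the challenge bytes are constructed for the example.

```python
"""Model of HMAC-SHA1 challenge-response unlocking with a YubiKey slot.

Added example, not KeePassXC's code. The token side is the real YubiKey
behaviour (20-byte slot secret, challenge of 1..64 bytes, 20-byte HMAC-SHA1
response). How the response is folded into the database key is an assumption
modelled on KeePass's composite-key idea; the Argon2/AES-KDF step that
follows in a real .kdbx is omitted.
"""
import hashlib
import hmac
from typing import Optional


class FakeYubiKeyHmacSlot:
    """Stand-in for a YubiKey slot programmed for HMAC-SHA1 challenge-response.

    The secret is written once when the slot is programmed and can never be
    read back; the only operation the host has is challenge -> response.
    """

    def __init__(self, secret: bytes) -> None:
        if len(secret) != 20:
            raise ValueError("HMAC-SHA1 slot secret is exactly 20 bytes")
        self._secret = secret  # lives on the token, never on the host

    def challenge_response(self, challenge: bytes) -> bytes:
        if not 1 <= len(challenge) <= 64:
            raise ValueError("YubiKey HMAC-SHA1 challenge is 1..64 bytes")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def composite_key(password: str, response: Optional[bytes]) -> bytes:
    """Hash each factor separately, then hash the concatenation (assumed layout)."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if response is not None:
        material += hashlib.sha256(response).digest()
    return hashlib.sha256(material).digest()


def unlock_key(password: str, db_challenge: bytes,
               token: Optional[FakeYubiKeyHmacSlot]) -> bytes:
    """Derive the key for one database.

    db_challenge is stored in the clear in the database header: it is not a
    secret, it just makes each database's response different, so a response
    captured for one file says nothing about another file.
    """
    response = token.challenge_response(db_challenge) if token is not None else None
    return composite_key(password, response)


if __name__ == "__main__":
    import os
    slot_secret = os.urandom(20)               # programmed into the key, then backed up offline
    primary = FakeYubiKeyHmacSlot(slot_secret)
    spare = FakeYubiKeyHmacSlot(slot_secret)   # second key programmed with the same secret
    challenge = os.urandom(32)                 # constructed stand-in for the header value
    pw = "correct horse battery staple"
    k_primary = unlock_key(pw, challenge, primary)
    k_spare = unlock_key(pw, challenge, spare)
    k_no_token = unlock_key(pw, challenge, None)
    print("primary == spare:", k_primary == k_spare)    # True: spare opens the same database
    print("password alone:  ", k_primary == k_no_token)  # False: no token, no key
```

The practical caveat the model makes visible: the host never sees the slot secret, so if the only key programmed with it is lost, the database is gone with it. Program a second YubiKey with the same secret (or keep the secret offline) before switching the database over, and check that the spare actually opens it.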

Sickening
Jul 16, 2007

Black summer was the best summer.
Anyone done the CISSP lately? Is there a training + voucher bundle anyone would recommend? I have team members wanting to partake and haven't taken the exam in a while.

I am lazy and the 1500 bundle from ISC is the only thing I have looked up.

rafikki
Mar 8, 2008

I see what you did there. (It's pretty easy, since ducks have a field of vision spanning 340 degrees.)

~SMcD


Is anyone here using the encrypted visibility engine in either stealthwatch or FTD? It sounds potentially really cool, but I’m curious what the reality of it is.

BaseballPCHiker
Jan 16, 2006

Sickening posted:

Anyone done the CISSP lately? Is there a training + voucher bundle anyone would recommend? I have team members wanting to partake and haven't taken the exam in a while.

I am lazy and the 1500 bundle from ISC is the only thing I have looked up.

I took mine about 3-4 years ago now.

Based on my experience and that of a few others I work with, I would recommend just going out and buying the 11th Hour Guide, one of the big recommended books like Shon Harris's, and a smattering of YouTube videos. The test is way overhyped and in my experience really not that difficult. Especially for people with a few years of IT experience.

Diva Cupcake
Aug 15, 2005

Draft OWASP Top 10 list for LLMs just dropped.

https://owasp.org/www-project-top-10-for-large-language-model-applications/descriptions/

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

This'll help a ton.

Famethrowa
Oct 5, 2012


great timing, thanks for sharing. we're having big conversations right now about LLM products.

also looks like a working group is forming which seems like an interesting way to get on ground floor.

https://owasp.org/www-project-top-10-for-large-language-model-applications/

Famethrowa fucked around with this message at 17:14 on May 26, 2023

Mantle
May 15, 2004

Famethrowa posted:

great timing, thanks for sharing. we're having big conversations right now about LLM products.

also looks like a working group is forming which seems like an interesting way to get on ground floor.

https://owasp.org/www-project-top-10-for-large-language-model-applications/

Serious question here, why is LLM06:2023 - Overreliance on LLM-generated Content classified as a vulnerability? Shouldn't a user's use of the output be outside of the responsibility of the application if the output is produced according to the rules of the system?

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

Mantle posted:

Serious question here, why is LLM06:2023 - Overreliance on LLM-generated Content classified as a vulnerability? Shouldn't a user's use of the output be outside of the responsibility of the application if the output is produced according to the rules of the system?

Considering how users will use the application in practice is an integral part of designing an application to be secure, and it's definitely something you want to take into account when evaluating the risks that come alongside bringing that application into your environment.

Famethrowa
Oct 5, 2012

Mantle posted:

Serious question here, why is LLM06:2023 - Overreliance on LLM-generated Content classified as a vulnerability? Shouldn't a user's use of the output be outside of the responsibility of the application if the output is produced according to the rules of the system?

I thought the same thing but came around to it. It feels borderline, but LLMs really seem like they'd grease the skids when it comes to bad decisions since it is even more thoughtless than combing StackExchange. Not much different than requiring security training or phishing tests imo.

some kinda jackal
Feb 25, 2003

 
 
Is there a go-to solution anyone can recommend for certificate hygiene/lifecycle which doesn’t depend on itself acting as a CA? Bonus points if it can consume HashiCorp Vault as a secrets store.

I have a number of applications which depend on certificates signed by pre-existing internal CAs, as well as certificates signed by external public CAs. HC Vault is at my disposal, but unless it acts as its own CA the PKI engine doesn’t seem to be what I need.

I doubt any tool will offer me end-to-end certificate lifecycle given the external interop required, but frankly right now I just want to put some additional rigour around the workflow to generate keys and CSRs.

Short a tool, I think I'm going to just whip up some quick commands to have OpenSSL generate a CSR and write the ephemeral stdout to a Vault KV2 store. I'm in full shower-thought mode this morning after vacation so I've given this exactly two minutes of critical thought and fully expect this to be riddled with holes; but at the same time I'm also hoping to get from a per-project key request/management process to something where I can at least be sure there's one source of truth for private keys and CSRs using the secrets store we've dumped money into. Don't want perfect to be the enemy of the good here.

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano
If you end up scripting it, I found cfssl useful for this kind of thing

some kinda jackal
Feb 25, 2003

 
 
I always forget cfssl exists. It makes generating x509 with key usage flags so much easier than trying to remember how to do it with OpenSSL since I can never find my notes when I need them.

DkHelmet
Jul 10, 2001

I pity the foal...


some kinda jackal posted:

I have a number of applications which depend on certificates signed by pre-existing internal CAs, as well as certificates signed by external public CAs. HC Vault is at my disposal, but unless it acts as its own CA the PKI engine doesn’t seem to be what I need.

I think I'm missing something. The PKI module in Vault can definitely generate and sign certs of any type, with any data your heart desires. You'll need some kind of authority to sign- whether that is a CA (bad idea) or an online intermediate signing cert (better idea). It's not a true CA or machine identity solution since it can't do CRLs and the other niceties of a real CA system, and instead relies on the setup of the Vault backend issuing very short certificates that expire quickly. I've used it in a lights-out system that tossed certs into a k8s secret storage. It should be just fine.

some kinda jackal
Feb 25, 2003

 
 
Yeah I think I did a terrible job of explaining the actual problem. I suppose I'd call what I'm trying to build a service-oriented certificate management process, but not a CA specifically.

Right now various technology owners generate private keys and CSRs based only on policy documents to guide them; private key storage/backup is also only bound by policies and not process, etc. I want to standardize certificate request/renewal activities such that they're handled by a specific team, but I also want to give them a tool to make both generation and secure storage of these artifacts easier.

The simplest, least short term effort solution is just to provide the organization a JIRA workflow to request a certificate with specific attributes and a defined set of folks will use [some tool] to generate the key material and send it to either a public CA for signing (for external sites) or for our internal CA (long standing, no intent to move to Vault) for signing, then store the PEM bundle in Vault since that's where we store other secret material. Technology owners can then retrieve the key material based on Vault policies, but I'm not terribly worried that Infra Dude X happened to be SSH'd into dev.mycompany.com to generate a privkey and CSR for prod.myservice.com and I've got prod key material lingering on some unexpected server, etc.

Vault in this case is just a glorified keepass. It could just be that I don't understand what Vault can do well enough, but in my understanding there is no real process that I can invoke that will generate an RSA key and a CSR for that key, present it to an external CA (external to Vault, I mean, so /third party/ may be a better term). So in my case Vault is a nice to have simply because I already have it and I store secret material there.

I may have continued to describe the situation terribly, apologies if that's the case :( -- I'm also pretty adamant about not making perfect the enemy of the good. There's still areas where I can't control what Infra Dude X does with key material once he gets it from Vault unless I have end-to-end Vault integration with the target technology, which is probably not even feasible if Vault isn't being used as a CA, etc. There's lots of places this breaks, but there are some low hanging fruit I can probably propose a solution to.

Ultimately I'm just trying to be pragmatic. I can write some bash scripts to do all the above, and it's probably fairly simple since I can pipe things in and out of vault cli and openssl, but if I write it I have to support it, and I've got this gut feeling that there has to be some tool that already does this.

some kinda jackal fucked around with this message at 23:26 on May 29, 2023
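
The "pipe openssl in and out of the vault cli" approach from the two posts above, as an added example that is not the poster's scripts nor code from Vault, cfssl or OpenSSL. It drives the `openssl` CLI to generate an RSA key and a CSR that carries SANs and key-usage flags, checks that the CSR verifies and that its public key belongs to the generated private key, and returns the material together with the body a Vault KV v2 write expects. Nothing is sent to Vault; the mount name `secret`, the path layout `tls/<cn>`, the organisation name and the hostnames are assumptions for the example.

```python
"""Key + CSR generation via the openssl CLI, packaged for a Vault KV v2 write.

Added example, not the poster's scripts nor Vault/cfssl/OpenSSL code. The
mount name "secret" and the path "tls/<cn>" are assumptions.
"""
import os
import shutil
import subprocess
import tempfile
from typing import Dict, List, Optional

OPENSSL_BIN: Optional[str] = shutil.which("openssl")

# Minimal `openssl req` config: prompt=no takes the subject from [dn], and
# req_extensions puts SANs and key-usage flags into the CSR itself, so the
# signing CA sees what was asked for instead of a bare subject.
REQ_CONFIG = """\
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = ext

[ dn ]
CN = {cn}
O  = {org}

[ ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt

[ alt ]
{alt_names}
"""


def _openssl(*args: str) -> bytes:
    """Run one openssl command and return its stdout; a non-zero exit raises."""
    if OPENSSL_BIN is None:
        raise RuntimeError("openssl not found on PATH")
    return subprocess.run([OPENSSL_BIN, *args], check=True, capture_output=True).stdout


def generate_key_and_csr(cn: str, sans: List[str], org: str = "Example Org",
                         bits: int = 2048, mount: str = "secret") -> Dict[str, object]:
    """Create a key and CSR for cn/sans; return them with the KV v2 payload."""
    names = [cn] + [s for s in sans if s != cn]  # CAs match on SAN, so the CN must appear there too
    alt = "\n".join(f"DNS.{i} = {n}" for i, n in enumerate(names, 1))
    # mkdtemp creates the directory with mode 0700; the key exists on disk only
    # until this function returns and the directory is removed in `finally`.
    work = tempfile.mkdtemp(prefix="csr-")
    try:
        cfg = os.path.join(work, "req.cnf")
        key = os.path.join(work, "key.pem")
        csr = os.path.join(work, "req.pem")
        with open(cfg, "w") as f:
            f.write(REQ_CONFIG.format(cn=cn, org=org, alt_names=alt))
        _openssl("genpkey", "-algorithm", "RSA", "-pkeyopt", f"rsa_keygen_bits:{bits}", "-out", key)
        os.chmod(key, 0o600)
        _openssl("req", "-new", "-key", key, "-config", cfg, "-out", csr)
        # Two checks that get skipped when this is done by hand: the CSR's
        # self-signature verifies, and the public key inside the CSR is the
        # one belonging to the key we are about to store.
        _openssl("req", "-noout", "-verify", "-in", csr)
        if _openssl("req", "-noout", "-pubkey", "-in", csr) != _openssl("pkey", "-in", key, "-pubout"):
            raise RuntimeError("CSR public key does not match the generated private key")
        csr_text = _openssl("req", "-noout", "-text", "-in", csr).decode()
        with open(key) as f:
            key_pem = f.read()
        with open(csr) as f:
            csr_pem = f.read()
    finally:
        shutil.rmtree(work, ignore_errors=True)

    return {
        "private_key": key_pem,
        "csr": csr_pem,
        "csr_text": csr_text,                       # human-readable dump for the ticket
        "vault_path": f"{mount}/data/tls/{cn}",     # KV v2 API path: /v1/<mount>/data/<path>
        "vault_payload": {"data": {"cn": cn, "sans": ",".join(names),
                                   "private_key": key_pem, "csr": csr_pem}},
    }
```

The returned `vault_payload` is the JSON body for a `POST` to `/v1/<vault_path>`; with the CLI the same write is `vault kv put secret/tls/<cn> private_key=@key.pem csr=@req.pem`, which is where the key should go instead of lingering on whatever box the request was typed on. The CSR text is what goes into the ticket, so the requester and the signer both see the SANs and key usage that were actually requested.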

Wizard of the Deep
Sep 25, 2005

Another productive workday
If you have budget, it sounds like you need something like AppViewX Cert+ or Venafi TLS Protect

Essentially they're a go-between for your certificate-consuming applications and your certificate-issuing sources. You can configure them to generate CSRs and to handle key escrow/backup. They can also do discovery (finding certificates that are already out there), reporting (tracking what's been issued, when it expires, et cetera) and verification (is an HTTPS server issuing the latest version of the certificate).

Something like this isn't a CA by itself.

It's not for the technically faint of heart, but it sounds like it solves the issue you're describing.

some kinda jackal
Feb 25, 2003

 
 
Thanks, that gives me a good jumping off point to investigate the solution landscape. Appreciate it!

drunk mutt
Jul 5, 2011

I just think they're neat
Is this not something that cert-manager (https://cert-manager.io) could handle?

The Fool
Oct 16, 2003


we use venafi for this stuff, it works well enough but I don't have experience with any other products in the space

Takes No Damage
Nov 20, 2004

The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents. We live on a placid island of ignorance in the midst of black seas of infinity, and it was not meant that we should voyage far.


Grimey Drawer
If nothing else you can rest assured that your HBO Max account is safe, not even SkyNet could hack this poo poo :stare:

Bertha the Toaster posted:

Why on earth would you subject people to this bullshit? Do they not want you to use their site?
https://twitter.com/wondermeg_/status/1662454909353033730

Kazinsal
Dec 13, 2011

Takes No Damage posted:

If nothing else you can rest assured that your HBO Max account is safe, not even SkyNet could hack this poo poo :stare:

BRB setting up a streaming service where you have to beat the Ocarina of Time water temple every time your IP changes

Famethrowa
Oct 5, 2012

Kazinsal posted:

BRB setting up a streaming service where you have to beat the Ocarina of Time water temple every time your IP changes

tbh would probably be easier troubleshooting when my mom's router goes out.

cr0y
Mar 24, 2005



Google authenticator did the cloud thing huh

navyjack
Jul 15, 2006



Hey has anybody seen or understood a Zelle scam where the scammer actually sent some money? I’m working a case at work and it came in after the East Coast Fraud nerds went home.

Overall gist, a client got a $30 Zelle transfer from someone he doesn't know with a message about a stranded kid and can you forward this money on to them. Client contacted their banker who contacted us. At first I was like "Standard Zelle scam, block and delete" but then she asked "what do we do with the 30 bux?"

Normally the Zelle scammers don’t send their marks money, or if they do, they reverse it within the window, so I’m curious if anyone has any insight.

I realize this isn’t really an Infosec issue, and maybe I should bump the common cons and scams thread, but I figured I’d ask.

Edit: crap I unbookmarked the scam thread, I’ll have to hunt it down

wargames
Mar 16, 2008

official yospos cat censor

navyjack posted:

Hey has anybody seen or understood a Zelle scam where the scammer actually sent some money? I’m working a case at work and it came in after the East Coast Fraud nerds went home.

Overall gist, a client got a $30 Zelle transfer from someone he doesn't know with a message about a stranded kid and can you forward this money on to them. Client contacted their banker who contacted us. At first I was like "Standard Zelle scam, block and delete" but then she asked "what do we do with the 30 bux?"

Normally the Zelle scammers don’t send their marks money, or if they do, they reverse it within the window, so I’m curious if anyone has any insight.

I realize this isn’t really an Infosec issue, and maybe I should bump the common cons and scams thread, but I figured I’d ask.

Edit: crap I unbookmarked the scam thread, I’ll have to hunt it down

that is a very very very common zelle scam.

Defenestrategy
Oct 24, 2010

navyjack posted:

Hey has anybody seen or understood a Zelle scam where the scammer actually sent some money? I’m working a case at work and it came in after the East Coast Fraud nerds went home.


If I remember right the gist of this goes,

You get sent money, so you, being an upright citizen, decide to refund the money promptly, then the scammers dispute the transaction/reverse it so you've now sent 30 bucks, and they've retrieved their 30 bucks. They then close the account out so you can't do the same to them and run with the money.

navyjack
Jul 15, 2006



Defenestrategy posted:

If I remember right the gist of this goes,

You get sent money, so you, being an upright citizen, decide to refund the money promptly, then the scammers dispute the transaction/reverse it so you've now sent 30 bucks, and they've retrieved their 30 bucks. They then close the account out so you can't do the same to them and run with the money.

Bingo! I knew there was a way they got their money out, but for the life of me I couldn’t figure it out. Thanks!

Sirotan
Oct 17, 2006

Sirotan is a seal.


Anybody here have to use Tenable(.io)? They finally got rid of the Vulnerabilities and Assets 'workbenches' and jesus gently caress WHY. You can no longer do things like, at a glance see the total number of unique vulns in your environment. You get ">1000". Want more detail than that? gently caress you. Wanna see how many devices are currently vulnerable to one specific exploit? They'll tell you, if it's under 500 devices. If it's over 500, you only get to see ">500". Wanna export some data? You can select 5 items, or you can select all items. Nothing in between. Can't generate a report from the data because there are too many lines(???). Want to just export all the raw data with no filters applied so you can deal with it in Excel instead like a sane person? Lol, you can't, the export just silently fails.

We just had a vendor demo this week for a replacement tool and it looked great and I am excited. I'm sure they are going to come back with pricing that we cannot afford and it is going to break my heart.

GreenBuckanneer
Sep 15, 2007

We're still using tenable.sc 😔

klosterdev
Oct 10, 2006

Na na na na na na na na Batman!
Gigabyte built a firmware-level backdoor into their motherboards https://arstechnica.com/security/2023/06/millions-of-pc-motherboards-were-sold-with-a-firmware-backdoor/amp/


Takes No Damage
Nov 20, 2004

The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents. We live on a placid island of ignorance in the midst of black seas of infinity, and it was not meant that we should voyage far.


Grimey Drawer

Aw man mine is on the list :( At least it sounds fairly straightforward to disable:
https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/

quote:

Inspect and disable the “APP Center Download & Install” feature in UEFI/BIOS Setup on Gigabyte systems and set a BIOS password to deter malicious changes.

Administrators can also block the following URLs:
http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
https://software-nas/Swhttp/LiveUpdate4
