|
PuErhTeabag posted:My friend is redoing a website for a local business and found this homebuilt "crypto" gem written by a different local web developer in 2007. Luckily it didn't protect anything important, but still. Amazing. That reminds me of some code I wish I had saved during an investigation awhile ago. After finding a public web app that allowed login as admin using admin/admin I first assumed it was just your typical default admin account situation. Nope. There was a hardcoded list of two possible passwords: 'admin' and 'password', and depending on which word you entered you were logged in as either an admin or a general users, both having access to client data, even if the username you entered didn't exist. This was a major tech company.
|
#
?
Aug 17, 2020 20:16
|
|
|
|
| # ? Jun 11, 2024 23:14 |
|
|
PuErhTeabag posted:My friend is redoing a website for a local business and found this homebuilt "crypto" gem written by a different local web developer in 2007. Luckily it didn't protect anything important, but still. I can top this. When doing a full scan (for the first time since never) of all sites owned by the place I was working at, we found a page where you could download some privatish stuff for customers across the US and it was just the easiest SQL injection ever. The reason why? The instructions on the PAGE ITSELF was telling the customers how to SQL inject the page to fetch the data they needed. This site was not hidden behind login/cookies or anything. It was restricted behind an IP filter, but it was like 100+ customers across the US.
|
|
#
?
Aug 17, 2020 23:26
|
|
|
So this is maximum lovely microsoft. Doesn't patch a known exploit for a few years, when tasked on this bullshit just replies "keep your system up to date by installing this patch" and the dial-tone clicks.
|
|
#
?
Aug 18, 2020 01:13
|
|
|
That's what happens when the NSA doesn't allow you to fix it for a while.
|
|
#
?
Aug 18, 2020 01:18
|
|
|
Fame Douglas posted:That's what happens when the NSA doesn't allow you to fix it for a while. Pfft, next you're going to say that BitLocker is only for Windows Pro users and not home users because the Gov't wants to make it more marginally more expensive/difficult to encrypt files.
|
|
#
?
Aug 18, 2020 02:42
|
|
|
Shuu posted:...There was a hardcoded list of two possible passwords: 'admin' and 'password', and depending on which word you entered you were logged in as either an admin or a general users, both having access to client data, even if the username you entered didn't exist. This was a major tech company. That's totally believable and amazing. EVIL Gibson posted:... That's kind of bizarre, but also believable. When I was working in a different industry I learned that a large US company's warranty return information isn't user locked - so it was possible to query their database for return information of other suppliers just by knowing supplier codes.
|
|
#
?
Aug 18, 2020 03:45
|
|
|
At a previous job we found out that one of our vendors' "secure file transfer" solutions was actually just bog standard FTP. Also, they used one shared set of credentials for all of their clients to upload data to a wide open rwx folder, where all the data all of their clients ever uploaded sat indefinitely. Did I mention that this system stored PII & PHI? The best part is that we ended up paying them to develop a new file transfer system. Still can't wrap my head around that one. Sheep fucked around with this message at 07:31 on Aug 18, 2020 |
|
#
?
Aug 18, 2020 07:28
|
|
|
I'm sure they did the responsible thing and disclosed the breach, right? Right?
|
|
#
?
Aug 18, 2020 10:52
|
|
|
Sheep posted:The best part is that we ended up paying them to develop a new file transfer system. Still can't wrap my head around that one. SaaS vendor that our 'IT Business Partner and Project Manager' onboarded is asking us to to pay them to fix their application because even with SAML SSO enabled, users are still required to create passwords and can login directly bypassing our IdP. Apparently the first S in SSO actually stands for 'sconvenience' ?? edit: Oh and an end user just got hit with a change password policy in said SaaS, and it confused them because they're coming in from our SAML IdP, so the vendor's suggestion was to increase their local password policy to expire every 365 days. droll fucked around with this message at 18:28 on Aug 18, 2020 |
|
#
?
Aug 18, 2020 18:25
|
|
|
https://www.sans.org/dataincident2020quote:What is known for certain? All the expensive SANS training in the world coul--ehh nevermind
|
|
#
?
Aug 18, 2020 19:19
|
|
|
droll posted:SaaS vendor that our 'IT Business Partner and Project Manager' onboarded is asking us to to pay them to fix their application because even with SAML SSO enabled, users are still required to create passwords and can login directly bypassing our IdP. Apparently the first S in SSO actually stands for 'sconvenience' ?? lol, vendors
|
|
#
?
Aug 18, 2020 19:24
|
|
|
Sheep posted:At a previous job we found out that one of our vendors' "secure file transfer" solutions was actually just bog standard FTP. Also, they used one shared set of credentials for all of their clients to upload data to a wide open rwx folder, where all the data all of their clients ever uploaded sat indefinitely. Did I mention that this system stored PII & PHI? This sounds very much like Patterson Dental, makers of Eaglesoft, who had an open FTP that definitely stored customer data including PHI on the reg until a security researcher publicized the PHI part. They then called the FBI on him. I still work with Patterson because the dental software world is horrible and there isn't really much choice, and while they swapped the FTP for a HTTPS based web upload page that has its own problems, they are still definitely one of those companies that acts we're the unreasonable IT nazis when we refuse to give everyone local admin.
|
|
#
?
Aug 18, 2020 21:26
|
|
|
Martytoof posted:https://www.sans.org/dataincident2020
|
|
#
?
Aug 18, 2020 21:47
|
|
|
There's a horror story about Eaglesoft that's been posted here before. Not Infosec but it was something like a multi-office practice and Eaglesoft's default/hard-coded behavior was doing SELECT * on their entire patient database across their entire practice and trying to load DICOM images over a WAN link every time records were accessed. Or something. Eaglesoft is poo poo and probably all the other dental software is poo poo too.
|
|
#
?
Aug 18, 2020 21:52
|
|
|
evil_bunnY posted:This is actually a good writeup, and it further underlies that MS doesn't give a loving poo poo if you phish from azure. What does this have to do with Azure?
|
|
#
?
Aug 18, 2020 22:31
|
|
|
We don't allow end users to create forwards outside of our email domain for this very reason. A CEO at another company in our industry got phished and the attacker set up a forward to steal all their juicy secrets.
|
|
#
?
Aug 18, 2020 23:08
|
|
|
droll posted:We don't allow end users to create forwards outside of our email domain for this very reason. A CEO at another company in our industry got phished and the attacker set up a forward to steal all their juicy secrets. Forwarding rules outside of the company should be off in a tenant by default. I drat well know its in the secure score rating and one of the first things they suggest you do outside of MFA. Getting owned by this is willful neglect by today's standards.
|
|
#
?
Aug 18, 2020 23:38
|
|
|
I think Microsoft is moving that direction. I know I saw a recent Major Change Update 10x A Day Notification about it.
|
|
#
?
Aug 18, 2020 23:53
|
|
|
droll posted:SaaS vendor that our 'IT Business Partner and Project Manager' onboarded is asking us to to pay them to fix their application because even with SAML SSO enabled, users are still required to create passwords and can login directly bypassing our IdP. Apparently the first S in SSO actually stands for 'sconvenience' ?? Ask me about having to write unit tests for a vendor because A) they didn't have any and B) they didn't believe me when I stated that something was broken via C) their support forums that required MSIE 7 and wouldn't allow you to sign in with anything else (until you changed your useragent...) Happiness Commando posted:There's a horror story about Eaglesoft that's been posted here before. Not Infosec but it was something like a multi-office practice and Eaglesoft's default/hard-coded behavior was doing SELECT * on their entire patient database across their entire practice and trying to load DICOM images over a WAN link every time records were accessed. Or something. You're thinking of This TDWTF article
|
|
#
?
Aug 19, 2020 03:49
|
|
|
Volmarias posted:You're thinking of This TDWTF article When I first read that story I had to check some details because I was convinced it was about my client.
|
|
#
?
Aug 19, 2020 05:49
|
|
|
So I presume everyone saw that article about the Security Consulting firm gaming the CREST exam for all their interns by having NDA breaching mock exams on a GitHub repo... Right?
|
|
|
#
?
Aug 19, 2020 07:04
|
|
|
Rather than presuming why don't you link to it
|
|
#
?
Aug 19, 2020 07:13
|
|
Rufus Ping posted:Rather than presuming why don't you link to it Huh sorry I thought I had https://www.theregister.com/2020/08/14/crest_investigates_ncc_group/
|
|
|
#
?
Aug 19, 2020 08:03
|
|
|
As seen in the Idiots on Social Media thread over in PYF: https://twitter.com/bt_uk/status/1291348291251208195?s=21 Screenshotted for posterity: 
|
|
#
?
Aug 19, 2020 15:33
|
|
|
beuges posted:What's the thread's opinion of ZeroTier? I used to run it every day (personal user, using windows & iphone app) and it's really good. I piped RDP over it and there's no noticeable lag or anything... the best compliment I can give is that I don't have to think about it at all. The app UI is slightly janky, but you get what you pay for I guess.
|
|
#
?
Aug 19, 2020 19:21
|
|
|
https://twitter.com/frontendbeast/status/1296046119089315841
|
|
#
?
Aug 19, 2020 21:26
|
|
|
It's actually the Ø glyph, not a 0. Joke's on the people who thought they were being insecure 
|
|
#
?
Aug 19, 2020 22:18
|
|
|
Those FUCKERS stole MY PASSWORD >:|
|
|
#
?
Aug 19, 2020 23:24
|
|
|
gently caress sake lads.
|
|
|
#
?
Aug 20, 2020 07:53
|
|
|
From the Post Good Tweets (ed because I thought it was the flight sim thread? woops!) thread: Imagine if someone had instead deliberately injected specifically malformed data into OSM to trigger a vulnerability: Absurd Alhazred fucked around with this message at 16:54 on Aug 20, 2020 |
|
#
?
Aug 20, 2020 16:50
|
|
|
Absurd Alhazred posted:From the Flight Sim thread: Airforceproud95 has really been stepping up his game? 
|
|
#
?
Aug 20, 2020 16:51
|
|
|
Schadenboner posted:Airforceproud95 has really been stepping up his game? "November Romeo Three Zero Niner Seven Very Heavy, please confirm, you are requesting clearance to land THE MOON?"
|
|
#
?
Aug 20, 2020 17:38
|
|
|
Volmarias posted:"November Romeo Three Zero Niner Seven Very Heavy, please confirm, you are requesting clearance to land THE MOON?" I think that would be "Super"? E: Although I think that it's mostly to do with wing wake/turbulence and damned if I know what a oblate spheroid would do? Schadenboner fucked around with this message at 17:48 on Aug 20, 2020 |
|
#
?
Aug 20, 2020 17:45
|
|
|
Absurd Alhazred posted:From the Post Good Tweets (ed because I thought it was the flight sim thread? woops!) thread: as mentioned the dataset is the same they use in bing maps, this isn't live updates they're pulling from osm
|
|
#
?
Aug 20, 2020 17:55
|
|
|
So the moon is like 7.342×10^22 kg, I don't know what the prefix for 10^22 is. BALL LUNA ZETTA-SUPER would be off by an order of magnitude and the ICAO might have an issue?
|
|
#
?
Aug 20, 2020 18:07
|
|
|
To be fair, if it's a one off, I think they'd be ok with a special variant.
|
|
#
?
Aug 20, 2020 18:32
|
|
|
Wiggly Wayne DDS posted:what exactly would someone inject into buildings:stories? this would have passed sanity checks after microsoft grabbed the data from osm, you can see the values used here: https://taginfo.openstreetmap.org/keys/building:levels  
|
|
#
?
Aug 20, 2020 19:31
|
|
|
$ gets a good result as well, but again without knowing what you're blinding injecting to...?
|
|
#
?
Aug 20, 2020 19:49
|
|
|
Some time ago I posted about a card processing companies' website we use having absolutely useless 2FA. After trying multiple times to get a hold of someone about it and never receiving a response, nearly 2 years later it is still this way. Ready to name and shame... FirstAmerican Payment Systems is the name. This is their backend website known as "FirstView".  This is the challenge screen you are presented with. You can select to receive a code via email or text. Except you don't need to do it. You can just click "User Settings" at the bottom which takes you to the settings screen inside the account. From there you can click Home to get to the main screen. Since the introduced "2FA" i've never actually had to do it! Even worse.. the email and phone number are clickable links. Clicking on them lets you update the email or phone number used to "verify". So if someone did get your username/password. They could easily change the email/phone number the "2FA" codes go to. Thankfully you can't really do anything on this website. It only shows the last 4 of card numbers, no names, and you cannot perform any type of transactions. It is reporting only.
|
|
#
?
Aug 24, 2020 16:48
|
|
|
|
| # ? Jun 11, 2024 23:14 |
|
|
In applications where a device TPM is required for key storage ( for 802.1x and HTTPS, not things like full disk encryption ) what is the general view on fTPMs like Intel Platform Trust or ARM TrustZone? Are there any standards that require discrete TPMs? My searching indicates vulnerabilities have been found in both fTPMs and dTPMs so it doesn't seem like one is more inherently secure. I'm coming at it from the product side and wondering if the platforms support fTPMs will we ever realistically run into any requirements that explicitly state using a dTPM.
|
|
#
?
Aug 24, 2020 20:37
|
|
