Yeah, on a personal system just crank UAC up so they get all the reminders, and make sure they understand the implications of saying yes to that prompt. Or give them a Linux box and make them deal with that until they surrender and use Windows right.
# ? Oct 31, 2020 19:05 |
# ? May 27, 2024 15:33 |
RFC2324 posted:
> Yeah, on a personal system just crank UAC up so they get all the reminders, and make sure they understand the implications of saying yes to that prompt.
# ? Oct 31, 2020 20:02 |
Happy Thread posted:
> What are your all's thoughts on how to safely convert new or used USB drives you've purchased into trustworthy boot drives or secure storage drives?

Lmao, look at this guy trusting trust.
# ? Oct 31, 2020 21:30 |
"It's just like UAC" is kind of where I was landing. It's not the built-in Administrator account. It's just a Microsoft account I can assign the user type of "administrator" rather than "regular".

Edit: typos
# ? Oct 31, 2020 21:45 |
Martytoof posted:
> I use iCloud Keychain syncing on all my fruit devices and I've yet to think of a single reason to switch to something else.

I've never heard anything bad about Keychain's security, but it's a real pain to access the passwords when you want to use it with anything non-Apple.
# ? Oct 31, 2020 21:56 |
BlankSystemDaemon posted:
> Windows has had support for limited user access ever since they moved on from the Chicago kernel, and LUA is the generic term for what Unix-likes default to, with root being root and every other not being root (unless they're in wheel on the BSDs and can use su, or sudo+properly configured /etc/sudoers is set up).

I'm not sure what you are trying to tell me here. Obviously Windows can be set up to be annoying about escalating access just like Linux, but it's all about UX. I'm a Linux guy and will defend it, but I have also never had to manually define what application to use to escalate to sudo in an MS environment. Making someone who doesn't do this for fun do it on a Linux machine at home is punishment for not using Windows sanely. It's not hard. I feel like almost everyone is missing that we are talking about a partner's personal machine, not a work one with someone who isn't going to play games using it.
# ? Oct 31, 2020 22:31 |
Time for a proper Holy poo poo moment: NAT Slipstreaming allows an attacker to remotely access any TCP/UDP services bound to a victim machine, bypassing the victim's NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website.
# ? Nov 1, 2020 02:01 |
Oh poo poo, when I saw Samy was involved I knew it was serious.
# ? Nov 1, 2020 02:11 |
BlankSystemDaemon posted:
> Time for a proper Holy poo poo moment: NAT Slipstreaming allows an attacker to remotely access any TCP/UDP services bound to a victim machine, bypassing the victim's NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website.

This was kinda being done previously with UPnP services on SOHO routers, but yeah, this makes it even easier.
# ? Nov 1, 2020 02:15 |
I'm happy that my browsers block access to any RFC1918 IP space from the web and that I have WebRTC turned off because of constant abuse from virtually every site on the internet trying to use it to port scan.
# ? Nov 1, 2020 02:22 |
BlankSystemDaemon posted:
> Time for a proper Holy poo poo moment: NAT Slipstreaming allows an attacker to remotely access any TCP/UDP services bound to a victim machine, bypassing the victim's NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website.

Yeah, this is some great display of stack mastery.
# ? Nov 1, 2020 02:28 |
BlankSystemDaemon posted:
> Time for a proper Holy poo poo moment: NAT Slipstreaming allows an attacker to remotely access any TCP/UDP services bound to a victim machine, bypassing the victim's NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website.

I'm either more exhausted or drunk than I realize, this is breaking my brain.
# ? Nov 1, 2020 02:32 |
Potato Salad posted:
> I'm either more exhausted or drunk than I realize, this is breaking my brain

It's an impressive piece of work, and we're going to see more stuff like this in the future, especially with more and more websites pushing "edge services" that are more intrusive on your local machine.
# ? Nov 1, 2020 02:38 |
Potato Salad posted:
> I'm either more exhausted or drunk than I realize, this is breaking my brain

It's basically:
- SIP as a protocol requires that the other end connect back into a "random" port on your computer, which is specified in the connection handshake
- to make this work, NAT gateways look for outbound SIP traffic and rewrite the addresses to point to the outer side of the gateway, and forward traffic from there to the port specified
- TCP "messages" that are too big for the configured/negotiated MSS get split across multiple IP packets
- if you line things up just right, you can get the browser to send an HTTP request that gets split such that the second IP packet looks like a SIP packet that you forge with the address and port you want the NAT gateway to forward to
- he can line things up just right with a lovely toolbox of tricks and patience
- the NAT gateway sees that second packet and does the SIP forwarding dance
- now, if you can get a browser to load a page, you can get its NAT gateway to open up forwarding to anything on that network (assuming that your NAT gateway is susceptible to this, but I suspect that very many are)
# ? Nov 1, 2020 03:24 |
Subjunctive posted:
> (assuming that your NAT gateway is susceptible to this, but I suspect that very many are)

I doubt you can find a firewall that doesn't implement it.
# ? Nov 1, 2020 11:48 |
BlankSystemDaemon posted:
> If they aren't, people're gonna have problems with SIP (which is what's being used in this attack), along with IPSec (and PPTP/LTP), TFTP, plus IRC XDCC and FTP as listed on the site, and there's likely other protocols that use it too.

It could implement it without being susceptible to the packet splitting element, by maintaining more state such that it recognized that the constructed REGISTER was part of the HTTP request. This would be more expensive computationally, though.
# ? Nov 1, 2020 15:21 |
Subjunctive posted:
> It could implement it without being susceptible to the packet splitting element, by maintaining more state [...]

Does it actually require more state to be held? Couldn't it just check that the thing that looks like a SIP packet has fragment offset = 0 (i.e. not fragmented, or first fragment)?
# ? Nov 1, 2020 17:07 |
BlankSystemDaemon posted:
> If they aren't, people're gonna have problems with SIP (which is what's being used in this attack)

We handle NAT by using TCP where possible for the SIP part and then just standard UDP hole punching for RTP. If we have to run SIP over UDP we send a keepalive every 45 seconds, which is enough to keep the connection open through most NATs, and for the few that closed earlier we have always been able to just request that the client's IT extend their timeout. It works great, no ALG required. That said, as Subjunctive pointed out, this is not an inherent flaw in the concept of ALGs, just an exploit of a potentially common design flaw.
# ? Nov 1, 2020 17:25 |
Subjunctive posted:
> It could implement it without being susceptible to the packet splitting element, by maintaining more state such that it recognized that the constructed REGISTER was part of the HTTP request. This would be more expensive computationally, though.

The other problem is that the vast majority of devices and CPEs nowadays implement the functionality in some kind of hardware offload functionality, meaning it's not something you can fix in software.

wolrah posted:
> That said, as Subjunctive pointed out, this is not an inherent flaw in the concept of ALGs, just an exploit of a potentially common design flaw.
# ? Nov 1, 2020 18:05 |
This has more to do with privacy than security but I'm not sure of a better thread for this sort of stuff. Has anyone found a good alternative to Google Voice? I've had my number there for years but I am in the process of de-googling my life and it's one of the last things I have left. I'm not keen on moving my number to my carrier as I am on someone else's plan but may just compartmentalize GVoice if I have to and leave it on my phone.
# ? Nov 1, 2020 23:53 |
Rufus Ping posted:
> Does it actually require more state to be held? Couldn't it just check that the thing that looks like a SIP packet has fragment offset = 0 (i.e. not fragmented, or first fragment)?

Yeah, that might work. Would be a pretty cheap check, could even put it in the offload hardware.

BlankSystemDaemon posted:
> Even with Berkeley Packet Filter, which is a virtual machine designed to handle packets, it's insanely expensive.

Is it really expensive to check ip.ip_off == 0 in a BPF implementation? eBPF is JITted in Linux and the BSDs these days I think, and that's a pretty light bit of code to generate: fixed offset against fixed value, mask out the DNF bits if you want to be especially picky, branch prediction will be extremely accurate because fragmentation in the wild is quite, quite rare. That they made bad choices about hardware offload implementation isn't predestined or necessary. They chose that, and they could have chosen to make tighter checks before adding forwards. If the offload engine isn't fragment-aware either then there are fuckups at two levels, yawn. It's not like most router makers fix a lot of poo poo in software anyway, so it may not be much of a practical difference anyway.
# ? Nov 2, 2020 00:25 |
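As an added illustration of the two checks discussed above (Rufus Ping's fragment-offset test and Subjunctive's "more state" idea of remembering that a flow started as an HTTP request), and not code from the thread or from any router vendor: a toy ALG front end in Python that decides whether a packet may be handed to the SIP parser at all. The packet builder, addresses, ports and flow table are constructed for the demo; checksums are left at zero and not validated.

```python
import struct

SIP_PORT = 5060
SIP_METHODS = (b"REGISTER ", b"INVITE ", b"OPTIONS ")

def build_packet(payload, frag_off=0, sport=40000, dport=SIP_PORT):
    """Constructed IPv4+TCP packet for the demo; checksums are left at zero."""
    flags_off = frag_off & 0x1FFF            # offset in 8-byte units, DF/MF clear
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, flags_off,
                     64, 6, 0, bytes([10, 0, 0, 2]), bytes([203, 0, 113, 1]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload

class HardenedSipAlg:
    """Front end of a SIP ALG: says whether a packet may be parsed as SIP.
    Check 1: a non-first IP fragment is never SIP (fragment offset != 0).
    Check 2: a TCP flow is classified by its first data segment, so a later
    segment of an HTTP POST that happens to begin with 'REGISTER' is ignored.
    The NAT already keeps a per-flow entry, so check 2 adds one bit per flow."""

    def __init__(self):
        self.flows = {}   # (src, sport, dst, dport) -> True if the flow is SIP

    def may_parse_as_sip(self, pkt):
        ihl = (pkt[0] & 0x0F) * 4
        frag_off = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF   # mask out DF/MF bits
        if frag_off != 0:
            return False, "non-first IP fragment"
        if pkt[9] != 6:
            return False, "not TCP"
        src, dst = pkt[12:16], pkt[16:20]
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        doff = (pkt[ihl + 12] >> 4) * 4
        payload = pkt[ihl + doff:]
        if dport != SIP_PORT or not payload:
            return False, "not a data segment to the SIP port"
        key = (src, sport, dst, dport)
        if key not in self.flows:   # the first data segment decides the flow's protocol
            self.flows[key] = payload.startswith(SIP_METHODS)
        if not self.flows[key]:
            return False, "flow did not start as SIP"
        return True, "SIP flow, safe to parse and rewrite"

def demo():
    """Four constructed packets; returns the ALG's verdict for each."""
    alg = HardenedSipAlg()
    # A browser POST to port 5060 split at the MSS so that the second segment
    # begins with a forged REGISTER line (the slipstream pattern from the thread).
    seg1 = build_packet(b"POST /x HTTP/1.1\r\nHost: example.test\r\n\r\n" + b"A" * 16)
    seg2 = build_packet(b"REGISTER sip:203.0.113.1 SIP/2.0\r\n")
    real = build_packet(b"REGISTER sip:pbx.example.test SIP/2.0\r\n", sport=40001)
    frag = build_packet(b"REGISTER sip:203.0.113.1 SIP/2.0\r\n", frag_off=185, sport=40002)
    return [alg.may_parse_as_sip(p)[0] for p in (seg1, seg2, real, frag)]
```

Only the genuine softphone REGISTER (third packet) reaches the parser; the second segment of the POST is rejected by the flow check and the fragment by the offset check, whichever of the two splitting methods is used.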
cage-free egghead posted:
> This has more to do with privacy than security but I'm not sure of a better thread for this sort of stuff.

WhatsApp is the only other free one I know about. If you don't want to give Zuckerfucker your call logs then you'll have to shell out some cash. Skype is $7/month, that's the cheapest I've found.
# ? Nov 2, 2020 01:38 |
I believe Microsoft Teams is free to download and use in Teams-to-Teams calls if you have a Microsoft account.
# ? Nov 2, 2020 03:26 |
I guess I should have specified. I'm not looking for a messaging app, but rather a service that I can bring my number to that allows me to call and text via data. GVoice has been good with how much I jump from phone to phone or from different carriers. Then I just log into Voice and everything is just like it was.
# ? Nov 2, 2020 03:36 |
If you're comfortable with doing things yourself, voip.ms is actually fairly decent and cheap for putting a number on, as they charge by usage (1c/min, plus like $1/mo for a number), generally with PoPs throughout North America. Any SIP client works, and they've got a no-frills SMS app too.
# ? Nov 2, 2020 04:07 |
So what kind of mitigation can be done on the slipstream attack besides disabling ALGs? I know I can disable the SIP ALG on my PAN FWs (and it usually is, due to the aforementioned issues with it and VoIP), but it seems like the other ALGs are susceptible and I don't immediately see a way to disable those. In the details, one of the steps is:

> "HTTP POST" to server on TCP port 5060 (SIP port) initiated, avoiding restricted browser ports

Which is easy enough to restrict to only trusted destinations, but I assume this only applies if you're attacking the SIP ALG.
# ? Nov 2, 2020 14:49 |
BlankSystemDaemon posted:
> Sure, except, see above about it being implemented in hardware.

rafikki posted:
> So what kind of mitigation can be done on the slipstream attack besides disabling ALGs? I know I can disable the SIP ALG on my PAN FWs (and it usually is, due to the aforementioned issues with it and VoIP), but it seems like the other ALGs are susceptible and I don't immediately see a way to disable those. In the details, one of the steps is

If you actually need any of those protocols then apply rules that lock them down as restrictively as is practical.

cage-free egghead posted:
> I guess I should have specified. I'm not looking for a messaging app, but rather a service that I can bring my number to that allows me to call and text via data. GVoice has been good with how much I jump from phone to phone or from different carriers. Then I just log into Voice and everything is just like it was.

The built-in Android SIP client is technically usable but it's not great in a lot of ways.
# ? Nov 2, 2020 17:06 |
Voip.ms looks promising, they just released support for SMS too. Looks to work pretty similarly to Voice in that you can port your number to them and then just forward any calls to that number to any device you want, as with SMS. Voip.ms paired with Linphone on F-Droid looks to be a popular option that is relatively inexpensive.
# ? Nov 2, 2020 17:52 |
SECFUCK TIME! I got emails from SpaceX! I am not employed by SpaceX, but I do work on Buildroot, which SpaceX uses!
- My name and all of the other Buildroot developers have emails attached to many of the packages SpaceX is using.
- Their email scraper probably didn't filter out emails not ending in SpaceX
- All of the Buildroot maintainers/developers now have every engineer who is working on Starlink's email address lmao.
# ? Nov 2, 2020 17:58 |
I don't like SaaS that sends emails to all my business users from their domain but with one of my user's first and last name in the From:, because that's basically how phishing attacks happen (typically the phish leverages our CEO's name). I don't think I can even whitelist/prevent the warning that Gmail slaps on the message: "be careful, this matches someone in your org but didn't come from yourdomain.com". Am I wrong to be annoyed by SaaS vendors that do this?
# ? Nov 3, 2020 18:25 |
droll posted:
> I don't like SaaS that sends emails to all my business users from their domain but with one of my user's first and last name in the From:, because that's basically how phishing attacks happen (typically the phish leverages our CEO's name). I don't think I can even whitelist/prevent the warning that Gmail slaps on the message: "be careful, this matches someone in your org but didn't come from yourdomain.com". Am I wrong to be annoyed by SaaS vendors that do this?

Definitely not, we got hammered hard by people doing that trick, so we implemented quarantining of any message where the From line is one of our guys' names but the domain isn't @ourbusiness. While it stopped the vast majority of phishing attempts, the only thing stopping us from just ignoring the quarantine entirely is that a lot of our cloud services do that exact thing.
# ? Nov 3, 2020 20:09 |
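The quarantine rule described in the last two posts (display name matches one of our people, sending domain is not ours, with a carve-out for the SaaS vendors that legitimately do this), as an added Python example that is not code from the thread or from any mail gateway. The organisation domain, the employee directory, the vendor allowlist and the sample From: headers are all constructed for the demo.

```python
import re
from email.utils import parseaddr

# Constructed for the demo: our domain, employee display names, and the
# vendor domains known to send mail in employees' names on our behalf.
ORG_DOMAIN = "ourbusiness.test"
ORG_NAMES = {"Jane Doe", "John Smith"}
VENDOR_ALLOWLIST = {"notify.vendor-a.test", "mail.vendor-b.test"}

def normalize_name(display_name):
    """Lower-case, strip punctuation and collapse whitespace so that
    'JANE  DOE' and '"Doe, Jane"' still match the directory; the word
    order is discarded so 'Doe Jane' == 'Jane Doe'."""
    words = re.sub(r"[^\w\s]", " ", display_name).lower().split()
    return " ".join(sorted(words))

ORG_KEYS = {normalize_name(n) for n in ORG_NAMES}

def classify_from(from_header):
    """Decide what to do with a message using only its From: header.
    Returns 'deliver', 'quarantine' or 'allowlisted-vendor'."""
    display, addr = parseaddr(from_header)
    _, at, domain = addr.rpartition("@")
    domain = domain.lower()
    if not at or not domain:
        return "quarantine"          # missing or unparsable address
    if domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN):
        return "deliver"             # our own domain; SPF/DKIM/DMARC cover spoofing
    if normalize_name(display) in ORG_KEYS:
        # Employee's name on an external address: the CEO-fraud pattern,
        # and also what some SaaS vendors do, hence the allowlist.
        return "allowlisted-vendor" if domain in VENDOR_ALLOWLIST else "quarantine"
    return "deliver"

# Constructed sample headers, not real mail, with the expected verdicts.
SAMPLES = {
    "Jane Doe <jane.doe@ourbusiness.test>": "deliver",
    '"Jane Doe" <no-reply@mail.vendor-b.test>': "allowlisted-vendor",
    '"Doe, Jane" <ceo.office.urgent@webmail.example>': "quarantine",
    "JOHN  SMITH <john@freemail.example>": "quarantine",
    "Weekly Newsletter <news@other.example>": "deliver",
    "Jane Doe": "quarantine",
}

def run_samples():
    """Return {header: verdict} for the constructed samples."""
    return {hdr: classify_from(hdr) for hdr in SAMPLES}
```

Lines where the name matches but the domain is neither ours nor an allowlisted vendor are the ones the thread wants quarantined; everything allowlisted still deserves a periodic review, since a vendor domain on that list is also a domain an attacker would love to send from.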
OK, thank you, so it's not just me. I now have 2 vendors that are doing it, causing me headaches. I can't send them to G Suite admin quarantine, I have to send such email to Spam instead, then use Gmail spam whitelisting to have the 2 vendor-specific ones come to Inbox. But I still have stupid users digging into their Spam folders then asking the service desk about them...
# ? Nov 4, 2020 00:46 |
Even better is when the application claims to come from your email address. HP Test Director used to do this (the modern Micro Focus version probably still does.)
# ? Nov 4, 2020 04:32 |
My gripe with KnowBe4 is that their "phishing campaigns" are not realistic. They force you to whitelist etc. so your messages look authentic... when normally they would not.
# ? Nov 4, 2020 18:01 |
Bob Morales posted:
> My gripe with KnowBe4 is that their "phishing campaigns" are not realistic. They force you to whitelist etc. so your messages look authentic... when normally they would not.

Isn't the idea that teaching your users to rely on warnings on unauthentic messages is not good, and that it's better to teach them how to spot phishing the normal, more universal ways?
# ? Nov 4, 2020 18:14 |
droll posted:
> Isn't the idea that teaching your users to rely on warnings on unauthentic messages is not good, and that it's better to teach them how to spot phishing the normal, more universal ways?

That's how I read it. Those warnings won't be there when they open up their personal email at work (lol if you think they won't), so better they have a universal skill than one that relies on your org's specific setup.
# ? Nov 4, 2020 18:21 |
Bob Morales posted:
> My gripe with KnowBe4 is that their "phishing campaigns" are not realistic. They force you to whitelist etc. so your messages look authentic... when normally they would not.

You can pretty easily make your own custom ones that look much more like traditional spam. I've used KnowBe4 at three different places now and in the end, there's always about 5-10% of people who will click on literally anything despite all the training in the world. At my last place we were able to place them in a custom high risk pool for spam filtering that was MUCH more aggressive and basically whitelisted senders, if I recall correctly.
# ? Nov 4, 2020 18:28 |
Bob Morales posted:
> My gripe with KnowBe4 is that their "phishing campaigns" are not realistic. They force you to whitelist etc. so your messages look authentic... when normally they would not.

Another way to look at it is that it's a way to reinforce with your users that they need their judgement caps on at all times, even when an email doesn't have [External] in the subject.
# ? Nov 4, 2020 18:57 |
BaseballPCHiker posted:
> I've used KnowBe4 at three different places now and in the end, there's always about 5-10% of people who will click on literally anything despite all the training in the world. At my last place we were able to place them in a custom high risk pool for spam filtering that was MUCH more aggressive and basically whitelisted senders, if I recall correctly.

Why are they not being reeducated or terminated instead?
# ? Nov 4, 2020 18:58 |
droll posted:
> Isn't the idea that teaching your users to rely on warnings on unauthentic messages is not good, and that it's better to teach them how to spot phishing the normal, more universal ways?

They end up sending messages that don't have things like incorrect domains, invalid users, etc.
# ? Nov 4, 2020 19:01 |