Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Toast Museum posted:

Didn't it come out that intelligence agencies were intercepting shipments of hardware and reflashing them with compromised firmware before they hit the market?

Yes. But for devices that typically cost thousands as opposed to $60 for a home network device.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

The cheaper ones they can probably compromise during manufacturing.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Subjunctive posted:

The cheaper ones they can probably compromise during manufacturing.

If it's a TP-Link, you're right. :D

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

oh bean dip you have a full-take feed from my heart

RISCy Business
Jun 17, 2015

bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork
Fun Shoe
talos just published a really great article on the angler exploit kit: http://talosintel.com/angler-exposed/

omeg
Sep 3, 2012

BIOS is a minor thing these days. Read up about Management Engine that is inside every new Intel CPU nowadays.

Kazinsal
Dec 13, 2011
System Management Mode has been a thing since the 486 (and the 386SL). It's what handles things like translating USB keyboards to a PS/2 interface in OSes that don't have USB support for example. The CPU can be interrupted at any point by a system management interrupt and the OS can't do a drat thing about it.

Of course, the NSA wrote a rootkit for it.

omeg
Sep 3, 2012

ME can read the whole RAM unrestricted though, including SMRAM. It's like an OS for the CPU running on a separate chip.
http://libreboot.org/faq/#intel

Double Punctuation
Dec 30, 2009

Ships were made for sinking;
Whiskey made for drinking;
If we were made of cellophane
We'd all get stinking drunk much faster!

omeg posted:

ME can read the whole RAM unrestricted though, including SMRAM. It's like an OS for the CPU running on a separate chip.
http://libreboot.org/faq/#intel

Firewire can read RAM unrestricted as well. So can Thunderbolt. And ExpressCard.

ME isn't just there to spy on you, though. It's intended for stuff like power management that the OS shouldn't ever be touching, since it could horribly damage the hardware if it got it wrong. Intel's solution was the simplest approach available: let the motherboard vendor take control of the entire system briefly whenever it needs to do important poo poo with the hardware. The problem is that this approach leaves security up to motherboard vendors, and their approaches probably range from "Don't give a poo poo" to "Let's sell backdoor access to our systems to the highest bidder". Then your system goes through the fabs, packaging, shipping, customs, etc. At any point, a malicious party can sneak in and do horrible poo poo to the system. It's a Catch-22: To secure your system, it can never leave your possession. But your system was out of your possession from the start. Therefore, it can never be truly secure.

omeg
Sep 3, 2012

I wonder if there were any public audits of fab security and how easy it is to plant something there. Probably not too hard for some random Chinese fab making HDD or network card controllers.

Paul MaudDib
May 3, 2006

TEAM NVIDIA:
FORUM POLICE

omeg posted:

I wonder if there were any public audits of fab security and how easy it is to plant something there. Probably not too hard for some random Chinese fab making HDD or network card controllers.

We had some Intel engineer on here who insisted it was drum-tight but refused to elaborate at all.

The thing is there's now stuff like dopant-level trojans that can be trivially modified at the fab, and cannot be visually differentiated from the un-modified designs. It doesn't matter if you require triple-encrypted file signoffs and handcuff the suitcase to a courier and express it across the Pacific if the night before you can just slip some guy living in the dorms at the fab $50k to replace the file and forget that you were ever there.

sick zip everywhere
Jul 21, 2010
My friend and her Macbook Pro got redirected to a page that served an alert dialogue with the OS X widgets hidden and some extremely lazy faux OS X branding. It had a scary message about a compromise and a number to call.

So she called it. It was some guy in India that told her they could remove a koobface infection for $200, she panicked and enabled a remote desktop service but didn't pay them anything. I'm not sure about which remote desktop service nor how long it was running. It is her work laptop so writing it off as gone is fine and she's got backups. She changed her passwords.

The webpage this alert was served on has a minimally plausible .info domain that was registered on the 10th. It uses AWS nameservers, has Google Analytics, and they have a 1-808-xxx-xxxx number (Hawaii? the alert says it's toll free).

She was asking me about reinstalling OS X on it. Personally I would absolutely not trust the reinstallation image and I would at least try to verify any firmware and replace the hard drive, so I checked out the logs to see if I can identify anything persistent they'd installed to get an idea of the scope of the damage. I've never done incident response and I don't use OS X so I can't be sure, but there weren't any obviously out of place processes running. The hosts file was intact; the only changes in /etc were some weird files in /etc/cups. In the installation log at the time of infection the EFI volume was mounted and had something installed and an SMC firmware update was applied, but it's consistent with logs for running the system update. In the system log this is apparently what was done. It also shows that the firewall was enabled, which she said she watched him do for her over the remote desktop connection.

So he enabled the firewall and installed updates(?) Was that just for show or to get her to enter the administrator password in the remote desktop session?

How do I find out what the actual infection is?
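One place a responder would look on a Mac for the kind of persistence the poster is worried about is launchd: jobs under /Library/LaunchAgents, /Library/LaunchDaemons and ~/Library/LaunchAgents run automatically at boot or login. The script below is an added example, not anything from the post or from Apple; it parses launchd plists and flags jobs whose executable lives outside a few assumed "expected" prefixes, or that use temp or hidden paths. The two sample plists and the trusted-prefix list are constructed for illustration.

```python
import os
import plistlib
import tempfile

# Standard launchd job directories on macOS. These are well-known paths and
# are not taken from the post above.
LAUNCHD_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]

# Prefixes under which a job's executable is unremarkable. This list is an
# assumption for triage, not an authoritative allow-list.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")


def program_of(job):
    """Return the executable a launchd job runs (Program or ProgramArguments[0])."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""


def triage_plist(data):
    """Parse one launchd plist (bytes) -> (label, program, flagged, reasons).

    `flagged` is True when the executable lives outside TRUSTED_PREFIXES;
    `reasons` lists every property worth noting (persistence keys, odd paths).
    """
    job = plistlib.loads(data)
    program = program_of(job)
    reasons = []
    if program and not program.startswith(TRUSTED_PREFIXES):
        reasons.append("program outside trusted prefixes")
    if "/tmp/" in program or "/." in program:
        reasons.append("temp or hidden path")
    if job.get("RunAtLoad"):
        reasons.append("RunAtLoad")
    if job.get("KeepAlive"):
        reasons.append("KeepAlive")
    flagged = "program outside trusted prefixes" in reasons
    return job.get("Label", "?"), program, flagged, reasons


def scan_dir(path):
    """Triage every .plist in one directory; a missing directory yields []."""
    results = []
    if not os.path.isdir(path):
        return results
    for name in sorted(os.listdir(path)):
        if name.endswith(".plist"):
            with open(os.path.join(path, name), "rb") as fh:
                results.append((name,) + triage_plist(fh.read()))
    return results


# Two constructed sample jobs so the script runs anywhere; not real artefacts.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.lookalike</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/.cache/rd</string><string>--quiet</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""


def demo():
    """Write the samples into a temp dir, scan it, and return only flagged jobs."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("com.example.updater.plist", BENIGN_PLIST),
                           ("com.apple.lookalike.plist", SUSPECT_PLIST)):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return [r for r in scan_dir(tmp) if r[3]]


if __name__ == "__main__":
    for hit in demo():
        print(hit)
    for d in LAUNCHD_DIRS:  # on a real Mac, also walk the standard directories
        for hit in scan_dir(d):
            if hit[3]:
                print(hit)
```

A hit only means "look closer": check the binary's code signature and modification time against the timeline in the install log before concluding anything. An Apple-looking label pointing at a hidden directory, as in the constructed sample, is the pattern this triage exists to surface.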

22 Eargesplitten
Oct 10, 2010



I got notified today that someone logged on to my Facebook from a different country, so I changed it to a different password. Now I'm scanning all 3 computers. Nothing came up so far. I'm not sure how to do something similar for an android phone. I'm also wondering if it was likely a keylogger, or some other site with the same password getting hacked and the hash reversed.

Orcs and Ostriches
Aug 26, 2010


The Great Twist

22 Eargesplitten posted:

other site ... same password

Found the problem.

22 Eargesplitten
Oct 10, 2010



Yeah, I know, but I have never set up lastpass and there is no way I'm going to remember 30-40 passwords, anyone who says they do is a liar.

Forever_Peace
May 7, 2007

Shoe do do do do do do do
Shoe do do do do do do yeah
Shoe do do do do do do do
Shoe do do do do do do yeah

22 Eargesplitten posted:

some other site with the same password

You're gonna want Keepass or lastpass and use them for everything.

22 Eargesplitten
Oct 10, 2010



Yeah, this is probably my impetus for that.

Wasn't there one that is getting bought by a lovely company? Was that lastpass?

Forever_Peace
May 7, 2007

Shoe do do do do do do do
Shoe do do do do do do yeah
Shoe do do do do do do do
Shoe do do do do do do yeah

22 Eargesplitten posted:

Yeah, this is probably my impetus for that.

Wasn't there one that is getting bought by a lovely company? Was that lastpass?

Looks like they were recently bought out, yeah.

I've been happy with keepass for years though. Just plunk the database into your dropbox (or better yet spideroak) and you can access it from all your devices - they have a free app for droid and I think apple now.

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?
I've used Lastpass for years and love it, even though they just got bought by LogMeIn. It's $24/year for premium--which for me just means I can use the Windows Phone app (yes, they even have an app for that platform)--or free if you don't need mobile or 2-factor authentication.

Suspicious
Apr 30, 2005
You know he's the villain, because he's got shifty eyes.

22 Eargesplitten posted:

Yeah, I know, but I have never set up lastpass and there is no way I'm going to remember 30-40 passwords, anyone who says they do is a liar.

I had a system. I memorized a dozen strings of different lengths, never writing them down anywhere. I did write myself reminders though, like site XYZ = string 1 + 8 + 4. I kept those reminders on paper. Hundreds of possible combinations with just 12 things to actually memorize.

Install a password manager though.

Don Lapre
Mar 28, 2001

If you're having problems you're either holding the phone wrong or you have tiny girl hands.

22 Eargesplitten posted:

I got notified today that someone logged on to my Facebook from a different country, so I changed it to a different password. Now I'm scanning all 3 computers. Nothing came up so far. I'm not sure how to do something similar for an android phone. I'm also wondering if it was likely a keylogger, or some other site with the same password getting hacked and the hash reversed.

You should be using 2fa

22 Eargesplitten
Oct 10, 2010



Suspicious posted:

I had a system. I memorized a dozen strings of different lengths, never writing them down anywhere. I did write myself reminders though, like site XYZ = string 1 + 8 + 4. I kept those reminders on paper. Hundreds of possible combinations with just 12 things to actually memorize.

Install a password manager though.

That is a really smart way to do it. I'm going to just do the password manager.

I'll see what allows 2fa, but I really don't value anything but my Steam account, Google account, and bank accounts enough to do it. I have to use 2fa for logmein at work, which makes sense, but also sucks. Particularly because the only time I use Central over Rescue is to check if someone has a computer because we don't have an inventory like a normal company.

pixaal
Jan 8, 2004

All ice cream is now for all beings, no matter how many legs.


Another good password system is to use song lyrics, you can keep notes like Somethingawful = Journey Google = Ozzy will confuse most people you don't even have to list the song. The only problem is typing that in on mobile and if the site allows for 30+ character long passwords.

It's usually a good idea to know a few of your passwords without needing your keepass database, like your google password. Go to get a new phone, and you probably need that in store. They go through making a new one even if I insist I have one the password is just mangled in a database. I hate phone stores.

I love keepass, but sometimes you just can't have access to it, like your windows login password.

Wiggly Wayne DDS
Sep 11, 2010



your password systems are dumb and insecure and you should all feel bad

pixaal
Jan 8, 2004

All ice cream is now for all beings, no matter how many legs.


Wiggly Wayne DDS posted:

your password systems are dumb and insecure and you should all feel bad

What should we be using instead for passwords that don't realistically work with keepass such as windows login and the keepass password itself? It takes forever to crack a 30+ character password even if you knew it was only letters, which you obviously shouldn't do. Or are you bashing keepass? You shouldn't leave a note about the password at all unless you are using it as your sole system because you find keepass too much of a pain somehow.

unclenutzzy
Jun 6, 2007
90% of my passwords are insecure and i do not give a poo poo. financial and work accounts are the only ones worth protecting

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

pixaal posted:

What should we be using instead for passwords that don't realistically work with keepass such as windows login and the keepass password itself? It takes forever to crack a 30+ character password even if you knew it was only letters, which you obviously shouldn't do. Or are you bashing keepass? You shouldn't leave a note about the password at all unless you are using it as your sole system because you find keepass too much of a pain somehow.

Uh. So you're making too many assumptions here.

First of all, you should be using passwords where you cannot use a password manager to be something you can actually remember. There is nothing wrong with this mindset as there are solutions around this but they're not really practical for most people's day-to-day use. The kicker is that you are supposed to not reuse the password anywhere else. If you are using the same password at home as you are at work, you're being stupid about it. If you have the same password across your desktop and your laptop for example, that is not really dumb because they're your machines and you reduce the risk between your home life and work life getting compromised.

However, when it comes to using services that you have zero control over or beyond your own computer's login, you should be using randomly-generated passwords stored within a password manager. Starting off, your password manager should not have a password that is reused elsewhere either and if you can help it, introduce some sort of two-factor authentication (be it a key file or some sort of token-based device). It's very easy to keep a few passwords memorized as long as they're limited to things like your password manager or computer login, but these passwords should not be reused elsewhere at all and should be unique to the service or system it is for. For a nice convenience factor, you can use your password manager in conjunction with a cloud-based file sharing service like Dropbox or OneDrive so you can have access to the password file from your work computer, home computer, mobile phone, or whatever.

In the password manager, you should be taking an inventory of all of the services and systems you have access to and want to manage within it. When you start to use one, you should immediately use this as an excuse to do two things: the first being change the passwords on all of the services and the second is enabling any sort of two-factor authentication scheme that the service provides. When you reset the passwords, you should make note of the password length requirements and use them to their maximum. Save the passwords and make sure your accounts are up to date with regards to e-mail address and phone numbers in case you should run into problems getting into them later on.

There is absolutely no excuse for not using a password manager if you're resorting to silly ideas like songs or mnemonics. Please don't suggest this openly and if you wish to continue using this idea then keep it to yourself as you're putting others at risk. I do also suggest reading this thread and to ask questions there.
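The "randomly generated, at the site's maximum length" advice above is what a password manager's generator does under the hood. The following is an added example, not code from the post or from any password manager: it draws a uniformly random password from a 94-symbol alphabet with Python's `secrets` module, honours a one-of-each-class rule by rejection sampling so the result stays uniform, and puts numbers on the difference between a max-length random password and a 12-letter one. The guessing rate used for the comparison is a constructed figure, not a measurement.

```python
import math
import secrets
import string

# Printable ASCII minus space: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def generate_password(length, alphabet=ALPHABET):
    """Uniformly random password of exactly `length` symbols from `alphabet`.

    Sites often demand one character from each class. Rejection sampling keeps
    the distribution uniform over the passwords that satisfy that rule, which
    a "pick one from each class, then shuffle" approach does not.
    """
    needed = [cls for cls in CLASSES if set(cls) & set(alphabet)]
    if length < max(len(needed), 1):
        raise ValueError("length too short for the required character classes")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in needed):
            return candidate


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random string (class filtering ignored)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every password at the given offline guessing rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare_policies(site_max, guesses_per_second=1e10):
    """Contrast a max-length random password with a 12-letter one.

    `guesses_per_second` is a constructed rate for illustration only.
    Returns {policy: (bits, years_to_exhaust)}.
    """
    full = entropy_bits(site_max, len(ALPHABET))
    letters = entropy_bits(12, len(string.ascii_letters))
    return {
        "max_length_random": (round(full, 1),
                              years_to_exhaust(full, guesses_per_second)),
        "twelve_letters": (round(letters, 1),
                           years_to_exhaust(letters, guesses_per_second)),
    }


if __name__ == "__main__":
    pw = generate_password(32)
    print(pw, len(pw))
    for policy, (bits, years) in compare_policies(32).items():
        print(f"{policy}: {bits} bits, {years:.3g} years to exhaust")
```

The point of `years_to_exhaust` is that length and alphabet size multiply: a 32-character random password from this alphabet is about 210 bits, while 12 letters is about 68 bits, and the gap is what makes "use the maximum the site allows" worth the typing inconvenience that pixaal mentions.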

22 Eargesplitten
Oct 10, 2010



What makes mnemonics silly, rather than just obsolete in most applications now that password managers exist?

lord of the files
Sep 4, 2012

22 Eargesplitten posted:

Yeah, this is probably my impetus for that.

Wasn't there one that is getting bought by a lovely company? Was that lastpass?

it was lastpass. the press release about it had the line, "as we become part of the logmein family over the next several months, we’ll be releasing updates to lastpass, introducing new features..." to me, lastpass is complete the way it is. so either there is going to be mind blowing new features that we didn’t know we needed, or more likely there will be some sort of bloatware that will be shoehorned in. logmein is going to ruin lastpass like they did with hamachi back in 2006 imo.

i hope that's just my cynicism talking.

22 Eargesplitten
Oct 10, 2010



Honestly, not a fan of logmein from professional experience, so Keepass it is. Unless there is something big to recommend another.

Skarsnik
Oct 21, 2008

I...AM...RUUUDE!




unclenutzzy posted:

90% of my passwords are insecure and i do not give a poo poo. financial and work accounts are the only ones worth protecting

The argument against this is that every insecure account is another hook that can be used in a social engineering attack against the important ones

Also a password manager makes it trivial anyway so you might as well make it all secure

baram.
Oct 23, 2007

smooth.


lastpass also got hacked once or twice.

I recommend 1password.

Uncle Jam
Aug 20, 2005

Perfect

OSI bean dip posted:

Yes. But for devices that typically cost thousands as opposed to $60 for a home network device.

Cheap consumer factories are not bastions of honesty and lol if you think stuff ships clean from there.

Tapedump
Aug 31, 2007
College Slice
I'm pretty positive he meant that the effort going into said ploy was intended to have the highest-value targets for most ROI compared to Aunt Sally's Kindle wifi or the local indie coffee shop's clientele.

myron cope
Apr 21, 2009

Lastpass was the best password manager before logmein bought them, nothing has changed. Until it does, I don't see a need to change away from it.

I also don't understand why them being hacked should be a factor. To me, their response should carry more weight than just the fact that they were hacked. We have a security guy at work and it seems like his only consideration is if something was hacked or not.

I also use two factor auth for Lastpass

Forever_Peace
May 7, 2007

Shoe do do do do do do do
Shoe do do do do do do yeah
Shoe do do do do do do do
Shoe do do do do do do yeah
Well keepass is free to sync between devices while lastpass is not, which made up my mind right quick.

But lastpass is otherwise pretty cool I guess.

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?

Forever_Peace posted:

Well keepass is free to sync between devices while lastpass is not, which made up my mind right quick.

But lastpass is otherwise pretty cool I guess.

Then again KeePass relies on you having something like Dropbox available everywhere, which isn't always possible. I can't install Dropbox or personal OneDrive on my work laptop, but I can install the LastPass plugin.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

myron cope posted:

I also don't understand why them being hacked should be a factor. To me, their response should carry more weight than just the fact that they were hacked. We have a security guy at work and it seems like his only consideration is if something was hacked or not.

Because it comes down to how they were breached and the consistency of them being so.

Here are articles from the past four years of LastPass being breached:

https://blog.lastpass.com/2015/06/lastpass-security-notice.html/ - PII details stolen
http://arstechnica.com/security/2014/07/severe-password-manager-attacks-steal-digital-keys-and-data-en-masse/ - exploit to steal credentials for other websites
https://blog.lastpass.com/2011/05/lastpass-security-notification.html/ - likely a database breach

So we have one vulnerability on the software allowing attackers to potentially steal credentials and then the other is where information was compromised.

Even if LastPass is using sane software development techniques, they're still a target and I don't think that the worst to happen to them has happened. Personally I'd avoid them simply because you have zero control over how your passwords are stored and there are far more reasonable methods to go about this.

If you or your security person (which I think and hope you're giving a gross simplification of their statement here) have this idea that a website should be "hacked" before you'll consider it secure, then that's woefully ignorant. Breaches do happen and can be forgivable, but you should not have trust over a site after the fact without a decent understanding of how they got breached in the first place. In the case of LastPass we've had stolen information and a vulnerability that could have led to users having their credentials stolen. None of this would have happened if you had a password manager like KeePass or it would have been quite limited with something like 1Password.

Tapedump
Aug 31, 2007
College Slice

Ynglaur posted:

Then again KeePass relies on you having something like Dropbox available everywhere, which isn't always possible. I can't install Dropbox or personal OneDrive on my work laptop, but I can install the LastPass plugin.
Wait, um, website or cell phone?

I'm not sure where/how else you would need it.

You can have iOS with PassDrop (and the Dropbox app to make syncing manually not suck) and be 3 miles down in a coal mine with your passwords in your pocket.

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?

Tapedump posted:

Wait, um, website or cell phone?

I'm not sure where/how else you would need it.

You can have iOS with PassDrop (and the Dropbox app to make syncing manually not suck) and be 3 miles down in a coal mine with your passwords in your pocket.

I thought we were talking about KeePass? My point re: Dropbox is that if you want, say, a password manager on your work laptop, it needs to be something you can install. If you can't install Dropbox, or something similar, your passwords won't be in sync. KeePass is great, but it relies on you running your own infrastructure.

Also, read the full blogs from LastPass before jumping to panicked conclusions.
1. In the first link, if there was a database breach, that's why they use a minimum of 5000 iterations of PBKDF2-SHA256 and salt it.
2. In the second link, the defect permitted the individual's encrypted database to be breached (albeit only if you used a feature that allowed sharing of login credentials, which doesn't seem like a great idea in most use cases). Again, PBKDF2-SHA256, etc.
3. They identified network traffic from a machine that they couldn't immediately explain. The amount of data was only enough for a few users' databases.

I'm not trying to white knight (too much), but you can think through the following scenarios:
1. A nation-state is after me. My login information is as good as compromised.
2. Attacks that try to cast a wide net are more likely to target Lastpass, because there's a lot of valuable data there. How much do I trust PBKDF2-SHA256, etc.?
3. Attacks try to target me specifically. I'd personally trust Lastpass' infrastructure over my own. (The biggest threat remains a keylogger, of course.)

Just my 2 cents, of course.
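The "5000 iterations of PBKDF2-SHA256 and salt it" defence in point 1 above is easy to see in working code. This is an added example, not LastPass's implementation and not from the post; it uses Python's standard `hashlib.pbkdf2_hmac` with the iteration count the post quotes, enrolls the same master password under two different per-user salts, verifies a login in constant time, and measures how much slower one PBKDF2 guess is than one bare SHA-256 guess on the machine it runs on. Salts and passwords in the block are constructed values.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 5000   # the minimum the post above quotes for LastPass
KEY_LEN = 32        # 256-bit derived key


def derive_key(master_password, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 of the master password under a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def enroll(master_password, salt=None):
    """Build the stored record (salt, iterations, verifier) for a new user.

    The iteration count is stored beside the verifier so it can be raised
    later for new enrollments without breaking existing ones.
    """
    salt = salt if salt is not None else os.urandom(16)
    return salt, ITERATIONS, derive_key(master_password, salt, ITERATIONS)


def verify(master_password, record):
    """Constant-time check of a login attempt against the stored record."""
    salt, iterations, stored = record
    return hmac.compare_digest(derive_key(master_password, salt, iterations),
                               stored)


def salt_demo(master_password="constructed-master-pw"):
    """Same password for two users with two salts -> two unrelated verifiers.

    This is why a leaked table cannot be attacked with one precomputed list:
    every user's verifier has to be guessed at separately.
    """
    a = enroll(master_password, salt=b"user-a-salt-0001")
    b = enroll(master_password, salt=b"user-b-salt-0002")
    return a[2] != b[2]


def offline_cost_ratio(sample="correct horse battery staple",
                       salt=b"\x00" * 16, rounds=20):
    """Measured slowdown of one PBKDF2 guess relative to one bare SHA-256 guess."""
    t0 = time.perf_counter()
    for _ in range(rounds):
        hashlib.sha256(sample.encode("utf-8")).digest()
    bare = (time.perf_counter() - t0) / rounds
    t0 = time.perf_counter()
    for _ in range(rounds):
        derive_key(sample, salt)
    slow = (time.perf_counter() - t0) / rounds
    return slow / max(bare, 1e-9)


if __name__ == "__main__":
    record = enroll("constructed-master-pw")
    print("login ok:", verify("constructed-master-pw", record))
    print("wrong password rejected:", not verify("wrong", record))
    print("distinct salts give distinct verifiers:", salt_demo())
    print(f"one PBKDF2 guess costs ~{offline_cost_ratio():.0f}x a bare SHA-256 guess")
```

The ratio printed at the end is the whole argument for point 1: a stolen verifier table is only as useful as the attacker's guessing rate, and each of the 5000 iterations has to be paid for every guess against every user. It does nothing, of course, against the keylogger scenario in point 3, which captures the master password before any hashing happens.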
