|
huh got a popup message from cox saying i was connected to the zeus botnet, injected into steam (that counts as a browser i guess). ran mbam and about 5 hours in it found something called artemis[randomnumbers] as IDed by mcafee (forgot to run cleaner programs in safe mode sigh) which i must assume is what was causing the problem due to the name i hope you liked my story
|
#
?
Dec 18, 2015 07:49
|
|
|
|
| # ? Apr 26, 2024 10:30 |
|
|
There's a lot about cellphone OS security that I don't know. Is this a reasonable place to ask some basic questions? For example, a lot of sites do 2fa through apps like Google Authenticator or Duo Mobile in lieu of hardware token like an RSA hardware token. How secure is 2fa through a phone in comparison, and are there distinct weak points to be aware of? Let's assume an unrooted phone with encryption enabled, using a strong passcode. There's always a chance of sec fuckups in general computing environment compared to a simple security token, but are there known weaknesses, say, if a malicious app is accidentally installed, or your phone connects to a hostile network? If anyone happens to know about iPhone/TouchID security in particular, I'm curious how that ties in to device encryption. When the phone is shut off completely it requires the passcode for access (and again every few days for good measure). Otherwise it can be unlocked more conveniently with TouchID. Consider the following three iPhone states: 1) iPhone just turned on and is asking for device passcode to continue, 2) iPhone is locked and can be unlocked with TouchID, and 3) iPhone on for >2 days and is now locked and requiring password reentry to unlock. Is there a difference between these 3 states relating to the security of the full device encryption? For example does a phone being unlockable via TouchID (or generally being on with background processes running) indicate that a decryption key could be recovered from RAM more easily? If this is a dumb question, feel free to let me know; I have very little knowledge of this security architecture.
|
|
#
?
Dec 29, 2015 02:56
|
|
|
Dixie Cretin Seaman posted:There's a lot about cellphone OS security that I don't know. Is this a reasonable place to ask some basic questions? quote:For example, a lot of sites do 2fa through apps like Google Authenticator or Duo Mobile in lieu of hardware token like an RSA hardware token. How secure is 2fa through a phone in comparison, and are there distinct weak points to be aware of? Let's assume an unrooted phone with encryption enabled, using a strong passcode. There's always a chance of sec fuckups in general computing environment compared to a simple security token, but are there known weaknesses, say, if a malicious app is accidentally installed, or your phone connects to a hostile network? quote:If anyone happens to know about iPhone/TouchID security in particular, I'm curious how that ties in to device encryption. When the phone is shut off completely it requires the passcode for access (and again every few days for good measure). Otherwise it can be unlocked more conveniently with TouchID. Consider the following three iPhone states: 1) iPhone just turned on and is asking for device passcode to continue, 2) iPhone is locked and can be unlocked with TouchID, and 3) iPhone on for >2 days and is now locked and requiring password reentry to unlock. Is there a difference between these 3 states relating to the security of the full device encryption? For example does a phone being unlockable via TouchID (or generally being on with background processes running) indicate that a decryption key could be recovered from RAM more easily? If this is a dumb question, feel free to let me know; I have very little knowledge of this security architecture.
|
|
#
?
Dec 29, 2015 03:08
|
|
|
apseudonym posted:Between 2 and 3 as far as I know of iOS's encryption model the keys are still in RAM, so all those hardware attackers are equally applicable. The first boot requirements and passcode logic isn't so much about the keys as it is a bunch of other things. Thanks for the info. Practically speaking, how hard is that kind of attack for an unrooted phone? Assuming you're not a target of a TLA is it reasonable to ignore?
|
|
#
?
Dec 29, 2015 05:19
|
|
|
Dixie Cretin Seaman posted:Thanks for the info. Practically speaking, how hard is that kind of attack for an unrooted phone? Assuming you're not a target of a TLA is it reasonable to ignore? Depends the attacker, the device, and you. Are you on a newish version of the OS and avoid downloading and installing stuff outside the official stores or going out of your way to disable security features? If so you're in a very good spot, you're more likely to get your 2 factor phished than your phone owned, the person is way easier to exploit than the device. Use 2FA, it makes it way harder for hackers in unspecifiedistan to get into your poo poo. Your phone is a good device for this since you have it on you and you are almost certainly not interesting enough for a targeted attack. If your adversary is the government where those services are hosted or where their officers are you're already hosed anyways 
|
|
#
?
Dec 29, 2015 06:12
|
|
|
apseudonym posted:Depends the attacker, the device, and you. Sorry, I guess I was unclear. I meant how hard is it to, for example, grab whole device encryption keys from RAM on an unrooted iPhone. My understanding is that this kind of thing is mostly theoretical and it would be beyond the capabilities of non-government adversaries. Is this about right? e.g. if there was some grey-market Chinese kit for owning smartphone encryption then there probably wouldn't be those anti-encryption political rants floating around recently...
|
|
#
?
Dec 29, 2015 06:28
|
|
|
Dixie Cretin Seaman posted:Sorry, I guess I was unclear. I meant how hard is it to, for example, grab whole device encryption keys from RAM on an unrooted iPhone. My understanding is that this kind of thing is mostly theoretical and it would be beyond the capabilities of non-government adversaries. Is this about right? e.g. if there was some grey-market Chinese kit for owning smartphone encryption then there probably wouldn't be those anti-encryption political rants floating around recently... If the keys are in memory and they have physical access? Doable but I couldn't tell you the difficulty on an iPhone because I don't really do hardware attacks  .e: probably harder than breaking all your other devices by a good amount.
|
|
#
?
Dec 29, 2015 06:33
|
|
|
E: Apparently Lastpass security is already a discussion in the Infosec thread, so I'll avoid cluttering up this thread with the same arguments.
Dixie Cretin Seaman fucked around with this message at 20:03 on Dec 29, 2015 |
|
#
?
Dec 29, 2015 19:30
|
|
|
I hope this is an okay place to ask this. My Win 8.1 touchscreen laptop started freezing after removing some load-bearing crapware, so I did a 'refresh' on it. It works now, but a friend suggested that I'd might as well get the upgrade to Windows 10 now that I have lost all my programs anyway. However, I remember the tech news talking about the surveillance stuff in Win10 and the hysteria that followed. Looking for the news after the fact, I'm having a little trouble discerning if this is something I should be worried about, or if it is no worse than your average big company operating in the surveillance state in the 2010's. This laptop is going to be used for either Skype or Google Hangouts and maybe paying bills and Facebook. If the Win10 surveillance is not worse than what is already unavoidable in using services from Google and Facebook, then I suppose I don't care. If it is somehow worse, i suppose if I had to, I could make the jump to Ubuntu. I am hesitant to take that step just in case I need some software that doesn't run on Linux some point soon.
|
|
#
?
Jan 6, 2016 15:43
|
|
|
The answer is quite simple. Yes, Microsoft put a bunch of tracking stuff in there. Whether it's worse than any other big company, I don't know. What I do know is that you can just turn it all off. You have to dig through two screens of settings, but it isn't even that hard. People are mostly angry because it's opt-out instead of opt-in. Other than that Windows 10 is a straight update over Windows 8.1, I find it a lot more pleasant to work with. So do the upgrade (while you still can. After some point this year Win 8 --> Win 10 upgrade won't be free anymore), turn off the spy settings, and enjoy your life. E: I do suggest you google a guide on how to turn those spy settings off. That way you certainly won't miss one. Carbon dioxide fucked around with this message at 20:15 on Jan 6, 2016 |
|
#
?
Jan 6, 2016 20:13
|
|
|
When you upgrade you'll hit a screen telling you to "use express settings." From there you can specify you want to customize your settings, and you can turn off the tracking stuff from there. The November update to Windows 10 is essentially Service Pack 1 in all but name and it looks like Microsoft's committed to keeping the OS more current going forward, so get on the ship now before August 2016.
|
|
|
#
?
Jan 6, 2016 20:23
|
|
|
Magnetic North posted:If the Win10 surveillance is not worse than what is already unavoidable in using services from Google and Facebook, then I suppose I don't care. If it is somehow worse, i suppose if I had to, I could make the jump to Ubuntu. The problem with this plan is that Canonical has pushed Ubuntu to become eerily similar to Windows 10 in this respect. You must opt-out of some annoying OS data vaccuming on there as well.. https://fixubuntu.com/ Just keep in mind that its always good to do some research and check the privacy settings on your OS from the get go.
|
|
#
?
Jan 6, 2016 22:14
|
|
|
Rooney McNibnug posted:The problem with this plan is that Canonical has pushed Ubuntu to become eerily similar to Windows 10 in this respect. You must opt-out of some annoying OS data vaccuming on there as well.. I guess the lesson here is that data will get hoovered because data is money.
|
|
#
?
Jan 7, 2016 00:22
|
|
|
Largely speaking, all the scary terms bloggers like to throw up relate to cortana. Using cortana means all your enquiries are uploaded to MS. This shouldn't really be a surprise to anyone since siri & google now do precisely the same thing, but I guess that doesn't make clicks. (i.e. this is literally just how it functions outside of any and all "pulling" they may or may not do). Besides that, there's a lot of misunderstanding how anonymised usage stats works, and you would be hard-pressed to find any well supported software that doesn't do this on some level, end-user side or server-side. Look at this bullshit which is being passed around - https://bgr.com/2016/01/05/microsoft-windows-10-spying-2015-user-data/ Of their list of "spying" data, 4 out of 7 are pulled server-side based on access, and one other could be extrapolated from their server data. There's a lot of hysteria over not much of an issue, but it's fair to say opt-in is pretty lovely, and MS are predictably demonstrating their PR team is still the worst in the industry. Data is money, but data is also user feedback that can't be tainted by user bias as strongly as feedback questionnaires, or any other method. Since the internet became popular you will forever find a loud screaming mass of people complaining about any and all changes, even if it directly benefits them. Asking users what they want has lost a lot of value since every minority interest can get whipped into a frenzy whilst the majority silently just use it.
|
|
#
?
Jan 7, 2016 01:10
|
|
|
Anyone else get a Malware warning from Windows 10 when trying to install the latest version of Keepass v2.31? The website says to ignore it and Malwarebytes didn't get any hits when scanning it so I assume Windows is just being dumb or something right now.
|
|
#
?
Jan 11, 2016 01:55
|
|
|
John Lightning posted:Anyone else get a Malware warning from Windows 10 when trying to install the latest version of Keepass v2.31? The website says to ignore it and Malwarebytes didn't get any hits when scanning it so I assume Windows is just being dumb or something right now. W8 seemed to complain about the same thing. Not sure what the beef was, and it didn't seem to come with any weird stuff from Sourceforge (which reportedly started packing adware into stale project downloads).
|
|
#
?
Jan 11, 2016 02:35
|
|
|
John Lightning posted:Anyone else get a Malware warning from Windows 10 when trying to install the latest version of Keepass v2.31? The website says to ignore it and Malwarebytes didn't get any hits when scanning it so I assume Windows is just being dumb or something right now. What specifics can you provide with regards to the identity et cetera?
|
|
#
?
Jan 11, 2016 03:18
|
|
|
OSI bean dip posted:What specifics can you provide with regards to the identity et cetera? http://imgur.com/a/Ff5Tx None of that is probably what you are looking for but maybe it is useful? Let me know and I can try to take more pictures and/or find more info. I haven't installed the update yet since I want to be sure nothing fishy is going on.
|
|
#
?
Jan 11, 2016 03:50
|
|
|
For those travelling on vacation, what are some very basic standard security stuff to go for? I don't mean super crazy encryption or ultra paranoid thwarting secret agents or anything like that, but more like to protect yourself against common theft or bad wifi when you're travelling? I've heard of some options like basic honeypot OS' installed so when your laptop is booted up by someone stealing it, it goes to a clean OS, and installing something like Prey to monitor. I know lots of people go all out paranoid by using a fully clean laptop but I don't have anything important, I just want to deter the most common stuff. I don't want to spend hours setting up my Windows 8 laptop to dual boot Linux or whatever. I know to avoid internet banking and to only use HTTPS for connections, but should I invest in a VPN as well? Anyways, some thoughts from the experts would be great.
|
|
#
?
Feb 5, 2016 22:43
|
|
|
Melian Dialogue posted:For those travelling on vacation, what are some very basic standard security stuff to go for? I don't mean super crazy encryption or ultra paranoid thwarting secret agents or anything like that, but more like to protect yourself against common theft or bad wifi when you're travelling? I've heard of some options like basic honeypot OS' installed so when your laptop is booted up by someone stealing it, it goes to a clean OS, and installing something like Prey to monitor. I know lots of people go all out paranoid by using a fully clean laptop but I don't have anything important, I just want to deter the most common stuff. I don't want to spend hours setting up my Windows 8 laptop to dual boot Linux or whatever. I know to avoid internet banking and to only use HTTPS for connections, but should I invest in a VPN as well? Anyways, some thoughts from the experts would be great. Always assume that if your laptop or phone gets stolen that it is lost forever and that having it encrypted is the safest thing to do to ensure that at worst you're out a grand or two. I really do suggest going down this road as it'll at least not make you worry about what was on there. As for safeguarding your Internet access, this one is a bit tricky as it depends on your skillset. Many people will automatically jump at suggesting a VPN service but I am always hesitant to do so. Are you travelling on business or is this personal? What's your computer skill level? Can you use SSH?
|
|
#
?
Feb 5, 2016 23:19
|
|
|
OSI bean dip posted:Always assume that if your laptop or phone gets stolen that it is lost forever and that having it encrypted is the safest thing to do to ensure that at worst you're out a grand or two. I really do suggest going down this road as it'll at least not make you worry about what was on there. Personal travel, and my computer skill level is alright, but I don't know what SSH is, so no I can't use it. All I'd really like is to prob encrypt my harddrive, and have some sort of honeypot OS that is booted up automatically that has none of my personal files on it. and have one of those tracking programs (like Prey) in case some idiot steals it and doesn't wipe everything. I'm at a house rental with wifi there, and will probably stick to that instead of internet cafes, but I want a good balance between best bang for your buck.
|
|
#
?
Feb 6, 2016 00:03
|
|
|
OSI bean dip posted:Always assume that if your laptop or phone gets stolen that it is lost forever and that having it encrypted is the safest thing to do to ensure that at worst you're out a grand or two. I really do suggest going down this road as it'll at least not make you worry about what was on there. I have OpenVPN to my home router for use on work/public WiFi. Any concerns there I should be thinking about?
|
|
#
?
Feb 6, 2016 03:17
|
|
|
Adix posted:I have OpenVPN to my home router for use on work/public WiFi. Any concerns there I should be thinking about? I actually meant a service that sells VPN access. Having one that exits out of your home or a VPS is a good idea because then you know your ingress and egress points will stay consistent. Melian Dialogue posted:Personal travel, and my computer skill level is alright, but I don't know what SSH is, so no I can't use it. All I'd really like is to prob encrypt my harddrive, and have some sort of honeypot OS that is booted up automatically that has none of my personal files on it. and have one of those tracking programs (like Prey) in case some idiot steals it and doesn't wipe everything. I'm at a house rental with wifi there, and will probably stick to that instead of internet cafes, but I want a good balance between best bang for your buck. What OS are you running?
|
|
#
?
Feb 6, 2016 03:58
|
|
|
OSI bean dip posted:I actually meant a service that sells VPN access. Having one that exits out of your home or a VPS is a good idea because then you know your ingress and egress points will stay consistent. Windows 8.1. I'd like to have it autoboot to a honeypot OS if its preconfigured upon shutdown/hibernate.
|
|
#
?
Feb 7, 2016 00:58
|
|
|
Melian Dialogue posted:Windows 8.1. I'd like to have it autoboot to a honeypot OS if its preconfigured upon shutdown/hibernate. When do you leave? Do you work downtown? I could just sit down with you over a coffee if you'd like and see what can be fleshed out. I assume you live in my neck of the woods.
|
|
#
?
Feb 7, 2016 07:28
|
|
|
OSI bean dip posted:When do you leave? Do you work downtown? I could just sit down with you over a coffee if you'd like and see what can be fleshed out. I assume you live in my neck of the woods. I appreciate the help! But, I probably won't have time to sit down before the trip, and am going to try and fit in doing this on my own time. Can you give me a head start with some terms or stuff to google and learn about installing and configuring?
|
|
#
?
Feb 7, 2016 20:39
|
|
|
Melian Dialogue posted:I appreciate the help! But, I probably won't have time to sit down before the trip, and am going to try and fit in doing this on my own time. Can you give me a head start with some terms or stuff to google and learn about installing and configuring? To be honest, your suggestion of having an OS that you can boot into that is there for in case you have to show something on your workstation to a border guard or whatever may not be practical. It would be far simpler to just reinstall a fresh OS with nothing on it and then just access whatever is valuable via a remote session. At least then you will not have to be as concerned about your data being stolen and there will be nothing of value to extract from the machine. I don't travel with my main computer mainly because it's full of crap and instead I just keep a spare machine on hand for this very reason. Lain Iwakura fucked around with this message at 21:35 on Feb 9, 2016 |
|
#
?
Feb 9, 2016 20:03
|
|
|
OSI bean dip posted:To be honest, your suggestion of having an OS that you can boot into that is there for in case you have to show something on your workstation to a border guard or whatever. It would be far simpler to just reinstall a fresh OS with nothing on it and then just access whatever is valuable via a remote session. At least then you will not have to be as concerned about your data being stolen and there will be nothing of value to extract from the machine. I don't travel with my main computer mainly because it's full of crap and instead I just keep a spare machine on hand for this very reason. Or do a clean install on the hard disk and boot from a Windows to Go USB drive that has all your porn on it.
|
|
#
?
Feb 9, 2016 20:45
|
|
|
Melian Dialogue posted:Personal travel, and my computer skill level is alright, but I don't know what SSH is, so no I can't use it. All I'd really like is to prob encrypt my harddrive, and have some sort of honeypot OS that is booted up automatically that has none of my personal files on it. and have one of those tracking programs (like Prey) in case some idiot steals it and doesn't wipe everything. I'm at a house rental with wifi there, and will probably stick to that instead of internet cafes, but I want a good balance between best bang for your buck. Are you going to a country where there's a reasonable chance that local law enforcement will even give a single poo poo about your stuff getting stolen, let alone tracking someone down using info you give them from Prey? If not, don't even bother. If so, still strongly consider not bothering and just encrypting your HD.
|
|
#
?
Feb 9, 2016 20:59
|
|
|
Melian Dialogue posted:Windows 8.1. I'd like to have it autoboot to a honeypot OS if its preconfigured upon shutdown/hibernate. Back when TrueCrypt was a darling of opensource, I achieved this by using it's hidden OS / plausible deniability boot. Basic concept - one password boots one OS instance, a second password boots a different one. You could obfuscate this was happening by changing the displayed text. eg On boot, it would display 'Press space and enter to continue' If you typed the actual password, it would boot normally into your OS. If you pressed space and enter (i.e. you were using a single space as a password) it would boot the hidden OS. Anyone stealing the laptop and who was dumb enough to use it would then get the version which phoned home. The problem with achieving the same in TYOOL2016 is truecrypt is discontinued, and insecure. The main fork veracrypt has fixed all notarized flaws in truecrypt, but hasn't itself had an extensive audit. If you generally trust well-used opensource software to be secure this might be an option, but if you'd rather someone rubber-stamp it, then it's lacking that. Cryptographically it has no flaws in either version.
|
|
#
?
Feb 9, 2016 21:35
|
|
|
Personally I'd just rather travel light and not take anything beyond a smartphone unless it is completely necessary.
|
|
#
?
Feb 9, 2016 21:36
|
|
|
Volmarias posted:Are you going to a country where there's a reasonable chance that local law enforcement will even give a single poo poo about your stuff getting stolen, let alone tracking someone down using info you give them from Prey? Yeah this is a good point, and really I don't have that sensitive of data anyways. HD's encrypted, so I'm comfortable with that, and no, I'm not trying to evade border guards or anything like that.
|
|
#
?
Feb 9, 2016 22:10
|
|
|
Take the HD out entirely and boot from usb while you are on your trip, then if the laptop is stolen you get a nice new one on insurance.
|
|
#
?
Feb 9, 2016 22:56
|
|
|
What's the best iOS app for Keepass out there? It needs to be able to sync with my key file that's hosted on Dropbox. I don't mind paying a bit if I can get an easy to use interface.
|
|
#
?
Feb 22, 2016 15:46
|
|
|
quote:1Password is available for Windows, Mac, iOS, and Android--no version for Linux exists but there are tools to decrypt the password file... What tool[s] are these? I'm invested into 1Password because my main computer is a Mac and I have an iPhone but now at work I have a Linux desktop. I don't need 1Password on my Linux desktop, I just need to occasionally access some passwords on it so I don't care about full two-way syncing and whatnot. I thought about Wine, but the thing is I don't have a Windows key for 1Password. There is supposedly a "1Password Anywhere" feature that I can throw on a USB stick but apparently this only is available if you use like Dropbox syncing and I don't use Dropbox. Is there a way for me to access my 1Password passwords in Linux without having to buy a Windows license?
|
|
#
?
Feb 24, 2016 09:08
|
|
|
Boris Galerkin posted:What tool[s] are these? I'm invested into 1Password because my main computer is a Mac and I have an iPhone but now at work I have a Linux desktop. I don't need 1Password on my Linux desktop, I just need to occasionally access some passwords on it so I don't care about full two-way syncing and whatnot. I thought about Wine, but the thing is I don't have a Windows key for 1Password. There is supposedly a "1Password Anywhere" feature that I can throw on a USB stick but apparently this only is available if you use like Dropbox syncing and I don't use Dropbox. Is there a way for me to access my 1Password passwords in Linux without having to buy a Windows license? I haven't seen much else but there is this: http://www.lucianofiandesio.com/1password-in-linux It's kind of janky so your mileage will vary and as a result I cannot really recommend it either.
|
|
#
?
Feb 25, 2016 16:43
|
|
|
What are your guys' thoughts on the whole Blackphone thing? Is it overhyped as some uber-security phone or is it actually not bad for what it's selling? I think they are coming out with a tablet soon too.
|
|
#
?
Feb 25, 2016 19:46
|
|
|
Melian Dialogue posted:Is it overhyped as some uber-security phone You answered your own question.
|
|
#
?
Feb 25, 2016 19:53
|
|
|
Is there a way to use two-factor authentication to open a KeePass database (preferably with Google Authenticator) that doesn't require entering 3 keys? That seems pretty prohibitive since it will take you 60-90 seconds to open your database. I know it's not a long time, but I'm sure it would drive me crazy before long.
|
|
#
?
Feb 25, 2016 20:25
|
|
|
|
| # ? Apr 26, 2024 10:30 |
|
|
Melian Dialogue posted:What are your guys' thoughts on the whole Blackphone thing? Is it overhyped as some uber-security phone or is it actually not bad for what it's selling? I think they are coming out with a tablet soon too. It's crap. hooah posted:Is there a way to use two-factor authentication to open a KeePass database (preferably with Google Authenticator) that doesn't require entering 3 keys? That seems pretty prohibitive since it will take you 60-90 seconds to open your database. I know it's not a long time, but I'm sure it would drive me crazy before long. There is one solution but it hasn't been touched in almost three years: https://bitbucket.org/devinmartin/keeotp/wiki/Home Personally I'd just go the keyfile route, move the files around manually, and such. There's this too: http://keepass.info/help/kb/yubikey.html Yubikeys only run you $20.
|
|
#
?
Feb 25, 2016 20:29
|
|