wyoak
Feb 14, 2005

a glass case of emotion

Fallen Rib

Wiggly Wayne DDS posted:

Well no poo poo, the problem is at no point have you backed up that the average user needs this particular feature set - or that leaving a file in a dropbox folder is requiring technical proficiency of an autist. For all my fake concerns, you aren't showing any of yours to be real.
A KeePass/Dropbox solution is enough of a pain to setup on mobile devices that I couldn't recommend it to most people, and given how much browsing is done on mobile these days it's a legitimate concern. I'm sure there's like 20 apps for that, but I dunno which is the best/which devs we trust.

Even basic desktop browser integration requires a plugin and you run into the same problems (which plugins do we trust and won't be abandoned in 8 months?)

Personally I like 1password, LastPass's history is worrisome enough that I don't feel comfortable there.

wyoak fucked around with this message at 22:07 on Dec 21, 2015


bobbilljim
May 29, 2013

this christmas feels like the very first christmas to me
:shittydog::shittydog::shittydog:

Alereon posted:

Here's the problem. Convenience is so vastly more important than your theoretical security concerns that I am stunned we are still having this discussion. This fact has been a foundational principle of information security practices for quite some time. This is because users will work around inconvenient practices with MUCH less secure practices, such as how users respond to strong password requirements by reusing passwords. This is why the priority when creating a process for users MUST be that the process be so convenient users will never be tempted to work around it.

I agree with this. I'm not a high powered pentesting security researcher but I understand the risks. Call me an idiot if you want but I just don't want to deal with the hassle that is keepass. Lastpass is easily more secure than what I was using before, web browser password storage. So it is an improvement, and it means I can use a different, secure password for each site.

I say all this as someone who is very much into computers. It's very hard for me to convince anyone not into computers to use lastpass, I can't imagine trying to convince someone that they should use keepass.

bobbilljim
May 29, 2013

this christmas feels like the very first christmas to me
:shittydog::shittydog::shittydog:
Also, if you really want to argue that people only need passwords on one machine, then you must know a lot of people that only own a phone and no PC.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Alereon posted:

Your post describes some very vague and not-at-all-compelling reasons why people should be cautious about trusting their data to Lastpass. And yes, any security professional (or someone who plays one on the Internet) is perfectly capable of setting up their own cloud-based db synch solution, but those security professionals aren't asking for advice on how to manage their passwords. Someone who asks security professionals what password management solution to use should be directed to Lastpass.

quote:

Here's the problem. Convenience is so vastly more important than your theoretical security concerns that I am stunned we are still having this discussion.

How can we have this discussion about "people who play as a security professionals on the Internet" yet then turn around and go on about "convenience [trumping] security"?

Here's what we can easily tell about KeePass and a cloud-based file distribution service:

  • The source code is readily available
    • This means we know how the data is encrypted
    • This also means we can audit the source code ourselves
    • This also means that it is hard to change the source code without a third party becoming aware
  • It's easy to add an extra layer of security to your password vault
  • It's extensible with plugins that permit the use of most popular off-site cloud services

Now that we have established the things we know about KeePass, what can we say about LastPass?

  • It is not open source
    • This means we cannot know how the data is encrypted without trusting a third party to perform an audit
    • This means we cannot audit the source code ourselves
    • This also means that it is possible to change the source code without its userbase ever knowing
    • It also means that we have to trust LastPass that they'll disclose every breach
  • The other two points from the KeePass list aren't important here

If you think that your accounts are not important, then fine, use LastPass. But don't go around saying that it has adequate security because as I have already demonstrated it has been rife with problems that would otherwise not exist if we were to just use a file-based password manager.

wyoak
Feb 14, 2005

a glass case of emotion

Fallen Rib

OSI bean dip posted:

How can we have this discussion about "people who play as a security professionals on the Internet" yet then turn around and go on about "convenience [trumping] security"?

Here's what we can easily tell about KeePass and a cloud-based file distribution service:

  • The source code is readily available
    • This means we know how the data is encrypted
    • This also means we can audit the source code ourselves
    • This also means that it is hard to change the source code without a third party becoming aware
  • It's easy to add an extra layer of security to your password vault
  • It's extensible with plugins that permit the use of most popular off-site cloud services

Now that we have established the things we know about KeePass, what can we say about LastPass?

  • It is not open source
    • This means we cannot know how the data is encrypted without trusting a third party to perform an audit
    • This means we cannot audit the source code ourselves
    • This also means that it is possible to change the source code without its userbase ever knowing
    • It also means that we have to trust LastPass that they'll disclose every breach
  • The other two points from the KeePass list aren't important here

If you think that your accounts are not important, then fine, use LastPass. But don't go around saying that it has adequate security because as I have already demonstrated it has been rife with problems that would otherwise not exist if we were to just use a file-based password manager.
How many people who had a friend recommend KeePass/Dropbox are going to upgrade KeePass if a vuln is discovered?

Marinmo
Jan 23, 2005

Prisoner #95H522 Augustus Hill

wyoak posted:

How many people who had a friend recommend KeePass/Dropbox are going to upgrade KeePass if a vuln is discovered?
They won't, so in the end they'll end up less secure than Lastpass users since the latter are always running the latest version. Further, I'm not so sure he read the end of his gospel, the very audit he posted [EDIT: sorry, that wasn't him, to be fair they kinda seem to agree though], the part where it says "To finish, we want to point out that the security team at LastPass responded very quickly to all our reports and lot of the issues were fixed in just a couple days. It was very easy to communicate and work with them.". That's professional - no system is 100 % secure and the response to the flaws discovered in it tells you a lot about how you can expect those and future issues to be addressed. Convenience and security will always be polar opposites, but too much of either will just tip the scale towards less security anyway. Lastpass generally strikes the perfect balance for everyone who doesn't fancy child pornography or work for the NSA.

Marinmo fucked around with this message at 23:37 on Dec 21, 2015

Wiggly Wayne DDS
Sep 11, 2010



wyoak posted:

How many people who had a friend recommend KeePass/Dropbox are going to upgrade KeePass if a vuln is discovered?
If this is going into arguments over auto-updating then:

KeePass FAQ posted:

Why does KeePass try to connect to the Internet?

KeePass has an option to automatically check for updates on each program start. In order to check for updates, KeePass downloads a small version information file and compares the available version with the installed version. No personal information is sent to the KeePass web server.

Automatic update checks are performed unintrusively in the background. A notification is only displayed when an update is available. Updates are not downloaded or installed automatically.

The option is disabled by default. You can enable/disable it in 'Tools' -> 'Options' -> tab 'Advanced'.
Otherwise the argument devolves into implementation differences and how similar vulnerabilities on each platform have different impacts.

Marinmo posted:

They won't, so in the end they'll end up less secure than Lastpass users since the latter are always running the latest version. Further, I'm not so sure he read the end of his gospel, the very audit he posted [EDIT: sorry, that wasn't him, to be fair they kinda seem to agree though], the part where it says "To finish, we want to point out that the security team at LastPass responded very quickly to all our reports and lot of the issues were fixed in just a couple days. It was very easy to communicate and work with them.". That's professional - no system is 100 % secure and the response to the flaws discovered in it tells you a lot about how you can expect those and future issues to be addressed. Convenience and security will always be polar opposites, but too much of either will just tip the scale towards less security anyway. Lastpass generally strikes the perfect balance for everyone who doesn't fancy child pornography or work for the NSA.
Convenience and security are not polar opposites. There's a balancing act on the high-end of the spectrum, but you can design a system that is secure by default, and is convenient for the end-user. If they were polar opposites then browsers would be getting far more inconvenient as security's improved, when the opposite has happened. As far as the statement you quoted it's a standard blurb for showing that the company receiving the report didn't immediately bring out the lawyers, and that other researchers don't need to worry when coming forward. It doesn't answer the response where they ignored half the issues.

If you're looking for a password manager there are far better alternatives, but if you're that much of a fan of the product that you ignore security issues in a security thread then we're well past the point of discussion.

wyoak
Feb 14, 2005

a glass case of emotion

Fallen Rib

Wiggly Wayne DDS posted:

If this is going into arguments over auto-updating then:

Otherwise the argument devolves into implementation differences and how similar vulnerabilities on each platform have different impacts.
Yeah, it's off by default which means most people who install it are never going to update it. My point is that you can't ignore that part of it, and there's all the other parts of an environment (multiple devices, browser integration, etc) that something like LastPass has covered - is your phone app developer going to release an update if a vulnerability surfaces? How about the author for whichever plugin you're using to integrate with your browser? Are you even sure those app/plugin developers aren't doing something stupid right now? Has KeePass itself ever gone through a thorough audit?

Like I said, I don't totally trust LastPass either, but for most people KeePass + Cloud is either going to be too cumbersome, so it'll sit unused, or will never be updated, which is probably bad too.

Paul MaudDib
May 3, 2006

TEAM NVIDIA:
FORUM POLICE

Alereon posted:

KeePass is worthless for average users because it requires you to roll your own db storage and synchronization solution. Saying "just use dropbox" is great for autists who want to live independently, but it's absolutely not a solution that Just Works in the way Lastpass does.

You are straight up making up crap here to the extent that I doubt you have actually used Dropbox. The storage format is a file that sits on a disk, and you can apply any synchronization mechanism to that file that you want. You can put it in Dropbox, Google Drive, you can periodically email itself to you, whatever.

Syncing the file is the only real problem that exists with multi-device Dropbox and it's trivially easy to drop in one of the idiot-proof turnkey solutions that exist for that very simple, very well-known problem. Keepass even recently added a feature that will auto-merge the files if you happen to have out-of-sync states happen. It's super easy.

quote:

Your post describes some very vague and not-at-all-compelling reasons why people should be cautious about trusting their data to Lastpass. And yes, any security professional (or someone who plays one on the Internet) is perfectly capable of setting up their own cloud-based db synch solution, but those security professionals aren't asking for advice on how to manage their passwords. Someone who asks security professionals what password management solution to use should be directed to Lastpass.

You seem to think you have to engineer some high-performance ACID database cluster and it's loving hilarious. I've been using Dropbox to sync a Keepass file across multiple devices for years and I haven't engineered jack poo poo. Here's the secret engineering method: you create a Dropbox account and create a Keepass file in it. You put some passwords in it, and hit Save, and Dropbox blasts it across all your devices.

Even my dad can figure it out. Like, my technologically-impaired grad advisor totally had a Dropbox and used it to sync projects with multiple different people. You vastly underestimate the market penetration of Dropbox. Everyone uses it and everyone knows it.

quote:

You're a smart guy, you know all this, so I don't get why you won't accept that LastPass offers the best balance between security and usability for most people. Let's be real, features like trusted devices and offline access to a cached db that seem like anathema to you and Wiggly Wayne are incredibly valuable to users.

So why not use Chrome Sync and just store your passwords in the clear (sync'd across all your devices) then? Why would you even need a password manager if you don't care about storing them securely?

At that point you can probably just search for "generate random characters" and use that as a password too. I mean it's not like some website is ever going to connect that xxXBlaseIt420Xxx@gmail.com is the right account for that password. Or just like, smash random buttons.

Yeah, sure, that's on the low end of the security that's possible with a password manager. But the Chrome Sync + wildly punch keyboard solution is definitely better than just sharing passwords between websites.

Paul MaudDib fucked around with this message at 16:52 on Dec 22, 2015

Marinmo
Jan 23, 2005

Prisoner #95H522 Augustus Hill

Wiggly Wayne DDS posted:

If this is going into arguments over auto-updating then:

Otherwise the argument devolves into implementation differences and how similar vulnerabilities on each platform have different impacts.

Convenience and security are not polar opposites. There's a balancing act on the high-end of the spectrum, but you can design a system that is secure by default, and is convenient for the end-user. If they were polar opposites then browsers would be getting far more inconvenient as security's improved, when the opposite has happened. As far as the statement you quoted it's a standard blurb for showing that the company receiving the report didn't immediately bring out the lawyers, and that other researchers don't need to worry when coming forward. It doesn't answer the response where they ignored half the issues.

If you're looking for a password manager there are far better alternatives, but if you're that much of a fan of the product that you ignore security issues in a security thread then we're well past the point of discussion.
You do realize that 99 % of people just click the X on the update-reminders? You are aware that's basically the reason Win10 forces updates and restarts in the middle of the night if the user doesn't manually set a time to restart (not restarting isn't even an option)? So even if it had auto-update enabled, the very same casual users you claim are better off with Keepass would not update it. Most probably ever. So now that we have that out of the way ...

I have no idea what you're saying about browsers. Seriously, it doesn't make any sense at all. They are constantly balancing between security and convenience for crying out loud. Bundling flash isn't really the epitome of security is it? And they are constantly hit with different exploits - all of them (Chrome, Firefox etc). In your rationale then, we'd all be using lynx or some poo poo because god forbid our browser could run JS (which I reckon is where most exploits originate). The post on the lastpass blog is general security hints which the researcher himself points to as good ways to mitigate the exploit he found - what else do you want? Chances are - and no, we don't know this for sure but snooping around in the source of the non-binary extension will give us a good idea - that the other issues were fixed as well. But I'm sure you don't care either way, you just want to rant and rave and ignore the security issues and inconveniences with the solutions you prefer.

Marinmo fucked around with this message at 01:34 on Dec 22, 2015

Paul MaudDib
May 3, 2006

TEAM NVIDIA:
FORUM POLICE
On the other hand having security software automatically install itself from across the internet is also a thing that gives people heartburn.

It's one thing in the context of a secure package-management system like APT. That infrastructure doesn't exist on Windows, the infrastructure used by the majority of the KeePass userbase.

It would be better if it did auto-install updates but it's kind of a defensible decision based on the backlash it would cause.

Marinmo
Jan 23, 2005

Prisoner #95H522 Augustus Hill

Paul MaudDib posted:

On the other hand having security software automatically install itself from across the internet is also a thing that gives people heartburn.

It's one thing in the context of a secure package-management system like APT. That infrastructure doesn't exist on Windows, the infrastructure used by the majority of the KeePass userbase.
Agreed (also on the edit). Honest question: IF one autoupdates Keepass via its autoupdater, is the new installer verified somehow (MD5, GPG sigs or the like)? Otherwise, we're kinda back to square 1 there ...

FSMC
Apr 27, 2003
I love to live this lie
Are there any safe keepass or 1pass ports for android? I went for lastpass a few years ago because all the android apps for keepass looked like sketchy unofficial ports.

PBS
Sep 21, 2015

FSMC posted:

Are there any safe keepass or 1pass ports for android? I went for lastpass a few years ago because all the android apps for keepass looked like sketchy unofficial ports.

1password has an android app, I can't really speak to its safety though.

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano
It's really good

B-Nasty
May 25, 2005

Marinmo posted:

Agreed (also on the edit). Honest question: IF one autoupdates Keepass via its autoupdater, is the new installer verified somehow (MD5, GPG sigs or the like)? Otherwise, we're kinda back to square 1 there ...

It's not really a true auto-update; it just asks you to download the new installer .exe from (puke) SourceForge. The installer .exe and program .exe are both signed, though.

PBS
Sep 21, 2015
Is there ever a valid reason for the PasswordNotRequired AD attribute to be set to True?

PBS fucked around with this message at 04:01 on Dec 23, 2015

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

PBS posted:

Is there ever a valid reason for the PasswordNotRequired AD attribute to be set to True?

Microsoft has terrible documentation on this but its purpose is not for the user but for the administrator to set a blank (null) password. With this flag, users cannot change their passwords to blank but passwords can be set to blank by an administrator.

PBS
Sep 21, 2015

OSI bean dip posted:

Microsoft has terrible documentation on this but its purpose is not for the user but for the administrator to set a blank (null) password. With this flag, users cannot change their passwords to blank but passwords can be set to blank by an administrator.

Ah alright. So it doesn't necessarily mean the password is null or that you can proceed past authentication without one, but the potential for accounts with null passwords is there so long as it's enabled.

PBS fucked around with this message at 05:25 on Dec 23, 2015
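The exchange above describes what the flag means but not how to find accounts carrying it. As an added example (not code from the thread or from Microsoft), here is a small Python audit that decodes the userAccountControl bitmask and lists enabled accounts with PASSWD_NOTREQD set. The bit values are the documented Windows constants; the account records are constructed sample data standing in for what an LDAP query would return.

```python
"""Audit accounts for the PASSWD_NOTREQD (PasswordNotRequired) flag.

Added example, not from the thread. The userAccountControl bit values are the
documented Windows constants; SAMPLE_ACCOUNTS is constructed sample data, not
output from a real directory.
"""

# Subset of userAccountControl flag bits (documented Windows constants).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
PASSWD_NOTREQD = 0x0020
ACCOUNTDISABLE = 0x0002


def decode_uac(uac: int) -> set:
    """Return the names of all known flag bits set in a userAccountControl value."""
    return {name for bit, name in UAC_FLAGS.items() if uac & bit}


def find_password_not_required(accounts) -> list:
    """Return sAMAccountNames of enabled accounts whose PASSWD_NOTREQD bit is set.

    The flag alone does not prove the password is empty: a user cannot clear
    their own password, but an administrator could have set a blank one, so
    every hit needs a follow-up check (or a reset) rather than being ignored.
    Disabled accounts are skipped because they cannot authenticate anyway.
    """
    hits = []
    for acct in accounts:
        uac = acct["userAccountControl"]
        if uac & PASSWD_NOTREQD and not uac & ACCOUNTDISABLE:
            hits.append(acct["sAMAccountName"])
    return hits


# Constructed sample records (not real directory data).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200},         # normal account
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x10220},  # normal | notreqd | dont_expire
    {"sAMAccountName": "old-temp", "userAccountControl": 0x222},      # notreqd, but disabled
    {"sAMAccountName": "kiosk", "userAccountControl": 0x220},         # normal | notreqd
]

if __name__ == "__main__":
    for a in SAMPLE_ACCOUNTS:
        print(a["sAMAccountName"], sorted(decode_uac(a["userAccountControl"])))
    print("enabled accounts with PASSWD_NOTREQD:", find_password_not_required(SAMPLE_ACCOUNTS))
```

Against a live domain the same question is one query: in PowerShell, Get-ADUser -Filter 'PasswordNotRequired -eq $true' -Properties PasswordNotRequired, or in raw LDAP the bitwise-AND matching rule (userAccountControl:1.2.840.113556.1.4.803:=32). The decode function above is what you run over the export afterwards to see which other bits (disabled, never-expires, no pre-auth) each hit carries.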

RISCy Business
Jun 17, 2015

bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork
Fun Shoe
personally i like keepass, i have it on a locally accessible windows fileshare so i can copy it to my laptop and other devices when i update it

DeaconBlues
Nov 9, 2011
Which is the preferred version if I were to start using keepass on Linux and a copy of my vault on an android phone: keepass or keepassx?

Hmm. I see there is also a keepass 1 and keepass 2.

DeaconBlues fucked around with this message at 21:02 on Dec 23, 2015

EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!
:vapes:
Switchblade Switcharoo
I use KeePass 2. I store the file on Google Drive with password and a 2048-bit cert I transfer manually to all devices/laptops (ie, never touches storage controlled by a third party).

I know Google Drive is a third party, so why am I using it? The answer is it's easier to access than Dropbox for me in Android/Windows/Linux.

General question for you out there. I have a bug I've been meaning to write up for a Cisco product. Do I contact them even if I no longer have access to the device to retest (took a new job)? The only CVEs I've written is when I still had access to the device at the end.

Jeesis
Mar 4, 2010

I am the second illegitimate son of gawd who resides in hoaven.
Wow you nerds get uppity about password managers.

Counter point, password managers are bad.


Anyhoo, any advice for someone trying to get into the security field?

mod saas
May 4, 2004

Grimey Drawer

Jeesis posted:

advice for someone trying to get into the security field?

going out on a limb here but maybe don't poo poo over people's advice and then ask for more

FSMC
Apr 27, 2003
I love to live this lie

EVIR Gibson posted:

I use KeePass 2. I store the file on Google Drive with password and a 2048-bit cert I transfer manually to all devices/laptops (ie, never touches storage controlled by a third party).

I know Google Drive is a third party, so why am I using it? The answer is it's easier to access than Dropbox for me in Android/Windows/Linux.

General question for you out there. I have a bug I've been meaning to write up for a Cisco product. Do I contact them even if I no longer have access to the device to retest (took a new job)? The only CVEs I've written is when I still had access to the device at the end.

But isn't the actual app you use on android closed source and made by a random 3rd party?

Paul MaudDib
May 3, 2006

TEAM NVIDIA:
FORUM POLICE

Jeesis posted:

Wow you nerds get uppity about password managers.

Counter point, password managers are bad.


Anyhoo, any advice for someone trying to get into the security field?

Show your skill by using a known exploit to download data from an AWS bucket and then brag about it on your blog.

Daman
Oct 28, 2011
destroy a CSO's public image with a single blog post

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Jeesis posted:

Anyhoo, any advice for someone trying to get into the security field?

make friends and don't poo poo on their advice

sarehu
Apr 20, 2007

(call/cc call/cc)
Don't hang out online with people that get butthurt over your posting who somehow also are too cool to use the shift key.

mod saas
May 4, 2004

Grimey Drawer

sarehu posted:

Don't hang out online with people that get butthurt over your posting who somehow also are too cool to use the shift key.

This is a good post. I like it because it demonstrates three variants of tribalism in only a single sentence: the Boomer xenophobia about avoiding the shift key, Gen-X angst over people who think they're cool, and the Millennial attitude that an echo chamber is objectively better than differences in belief. Forums poster sarehu, thank you for this gift.

RISCy Business
Jun 17, 2015

bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork
Fun Shoe
Researchers investigate North Korea's Red Star OS 3

and the presentation from 32c3:

https://www.youtube.com/watch?v=KTBemKiSgWI

Magnetic North
Dec 15, 2008

Beware the Forest's Mushrooms
Since you were talking password managers, and I asked in the android thread with no luck, I figured I'd ask here.

I use Password Safe. I started keeping my safe on my Android phone because I needed to access my passwords on multiple computers. I used to be able to just hook it up, use USB Mass Storage to access the phone like a drive, and open my safe. That doesn't work the same way with my new phone, since it uses MTP; Password Safe doesn't want to access it from the phone, possibly because it's a device and not a drive, so there is no path? I'm not honestly sure. I could copy it each time I wanted to use it, but the idea is to consolidate the location so I don't accidentally overwrite some new entry by mistake.

Is there a way to restore or replicate my old functionality with Password Safe? While I would like to avoid migrating, I will if I have to, and would appreciate any suggestions for what to migrate to. (I see mention of KeePass as an open source option, which I will look into.)
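Two posts in this thread touch the same problem: Paul MaudDib's note that KeePass can auto-merge copies that have gone out of sync, and the worry just above about overwriting a newer entry by copying the file around. As an added example (not code from the thread or from KeePass), here is a per-entry merge over plain dictionaries that models that synchronization behaviour: for each entry, the copy with the newer modification time wins and the older version is kept as history, while entries present on only one side are retained. The two vault copies are constructed sample data, and the model is assumed from KeePass's documented Synchronize behaviour rather than taken from its source.

```python
"""Per-entry synchronization of two diverged copies of a password vault.

Added example, not code from the thread or from KeePass. It models (assumption:
modeled on KeePass 2's Synchronize semantics, not its code) a merge keyed by
entry UUID where the newer 'modified' timestamp wins per entry and the older
version is appended to that entry's history. LOCAL and REMOTE are constructed
sample data. Timestamps are ISO-8601 UTC strings, so they compare lexically.
"""
from copy import deepcopy


def merge_vaults(local: dict, remote: dict) -> dict:
    """Merge two vault copies keyed by entry UUID; newer 'modified' wins per entry.

    Entries present on only one side are kept, so neither side's additions are
    lost. Deletions are not handled: a real implementation needs a tombstone
    list (KeePass keeps one), otherwise an entry deleted on one side is
    resurrected from the other.
    """
    merged = {}
    for uuid in sorted(set(local) | set(remote)):
        a, b = local.get(uuid), remote.get(uuid)
        if a is None or b is None:
            merged[uuid] = deepcopy(a if a is not None else b)
            continue
        newer, older = (a, b) if a["modified"] >= b["modified"] else (b, a)
        entry = deepcopy(newer)
        if older["modified"] != newer["modified"]:
            # Keep the superseded version so a mistaken change can be recovered.
            entry.setdefault("history", []).append(
                {"password": older["password"], "modified": older["modified"]}
            )
        merged[uuid] = entry
    return merged


def naive_overwrite(local: dict, remote: dict) -> dict:
    """What 'copy the most recently saved file over the other' does: whole-file wins."""
    newest = max(
        [local, remote],
        key=lambda vault: max(e["modified"] for e in vault.values()),
    )
    return deepcopy(newest)


# Constructed sample data: the PC changed B's password, the phone added C.
LOCAL = {
    "A": {"title": "mail", "password": "a-pass", "modified": "2015-12-20T09:00:00Z"},
    "B": {"title": "bank", "password": "new-b-pass", "modified": "2015-12-22T12:00:00Z"},
}
REMOTE = {
    "A": {"title": "mail", "password": "a-pass", "modified": "2015-12-20T09:00:00Z"},
    "B": {"title": "bank", "password": "old-b-pass", "modified": "2015-12-21T08:00:00Z"},
    "C": {"title": "forum", "password": "c-pass", "modified": "2015-12-22T11:00:00Z"},
}

if __name__ == "__main__":
    print("overwrite keeps:", sorted(naive_overwrite(LOCAL, REMOTE)))   # C is lost
    merged = merge_vaults(LOCAL, REMOTE)
    print("merge keeps:", sorted(merged))
    print("B now:", merged["B"]["password"], "history:", merged["B"].get("history"))
```

The point the two functions make side by side: the file-copy approach silently drops the phone's new entry C because the PC's file was saved later, while the per-entry merge keeps C, takes the PC's newer password for B, and parks the old B password in history.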

DeaconBlues
Nov 9, 2011
Is the Password Safe file encrypted?

Could always Google Drive it for access across devices.

EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!
:vapes:
Switchblade Switcharoo

Magnetic North posted:

Since you were talking password managers, and I asked in the android thread with no luck, I figured I'd ask here.

I use Password Safe. I started keeping my safe on my Android phone because I needed to access my passwords on multiple computers. I used to be able to just hook it up, use USB Mass Storage to access the phone like a drive, and open my safe. That doesn't work the same way with my new phone, since it uses MTP; Password Safe doesn't want to access it from the phone, possibly because it's a device and not a drive, so there is no path? I'm not honestly sure. I could copy it each time I wanted to use it, but the idea is to consolidate the location so I don't accidentally overwrite some new entry by mistake.

Is there a way to restore or replicate my old functionality with Password Safe? While I would like to avoid migrating, I will if I have to, and would appreciate any suggestions for what to migrate to. (I see mention of KeePass as an open source option, which I will look into.)

Drive will work. Each time you access your file from drive it makes a temp file of the latest version of the file. The issue is then you can't save it because it's temp. I am not sure you can save back to drive on Android.

In my case, I don't change my passwords fast enough that when I do, it's on my PC. I save the new file there and then I have access to the new one.

Does your password storage app use certs as well along with password auth?

Magnetic North
Dec 15, 2008

Beware the Forest's Mushrooms
I guess I will mess with Drive to see if Password Safe will play nice with it.

DeaconBlues posted:

Is the Password Safe file encrypted?

I believe Password Safe encrypts by default? I mean, I don't see an option that says "encrypt vault" but Wikipedia says it encrypts.

EVIR Gibson posted:

Does your password storage app use certs as well along with password auth?

I'm sorry, but I don't fully understand what this means.

EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!
:vapes:
Switchblade Switcharoo

Magnetic North posted:

I guess I will mess with Drive to see if Password Safe will play nice with it.


I believe Password Safe encrypts by default? I mean, I don't see an option that says "encrypt vault" but Wikipedia says it encrypts.


I'm sorry, but I don't fully understand what this means.

It means you can make it so it also requires your private keyfile that you manually configure on the clients since it is also encrypted with your public
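The two posts by EVIL Gibson describe protecting the vault with a password plus a second file that only ever travels by hand. Assuming that file is a KeePass 2 key file, here is an added example (not code from the thread or from KeePass itself, using only hashlib) of how KeePass 2 combines the two factors into the composite master key: SHA-256 of the password, concatenated with the 32-byte key taken from the key file, hashed once more with SHA-256. The key-file parsing follows the documented KeePass precedence (XML key file with base64 data, raw 32 bytes, 64 hex characters, otherwise hash the whole file); the password and key-file contents are constructed sample values.

```python
"""Build a KeePass 2.x composite master key from a password plus a key file.

Added example, not code from the thread or from KeePass. It follows the
documented KeePass 2 composite-key construction; SAMPLE_KEY and
SAMPLE_KEYFILE_XML are constructed sample values. Only the version 1.x XML
key file (base64 <Data>) is handled; the newer hex-with-hash variant is not.
"""
import base64
import hashlib
import re
from typing import Optional


def keyfile_key(data: bytes) -> bytes:
    """Derive the 32-byte key KeePass takes from a key file's contents.

    Precedence (as documented by KeePass): XML key file carrying base64 of
    32 bytes; a raw 32-byte file; a 64-hex-character file; any other file,
    whose SHA-256 is used.
    """
    m = re.search(rb"<Data>\s*([A-Za-z0-9+/=]+)\s*</Data>", data)
    if m:
        key = base64.b64decode(m.group(1))
        if len(key) == 32:
            return key
    if len(data) == 32:
        return data
    if len(data) == 64 and re.fullmatch(rb"[0-9A-Fa-f]{64}", data):
        return bytes.fromhex(data.decode("ascii"))
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], keyfile: Optional[bytes]) -> bytes:
    """SHA-256 over the concatenated per-factor keys, password first, then key file.

    Either factor may be absent; with both, an attacker who only has the
    password (or only the key file) cannot reconstruct this value.
    """
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        parts += keyfile_key(keyfile)
    if not parts:
        raise ValueError("at least one key source is required")
    return hashlib.sha256(parts).digest()


# Constructed sample key material (32 bytes) and an XML key file wrapping it.
SAMPLE_KEY = bytes(range(32))
SAMPLE_KEYFILE_XML = (
    b"<KeyFile><Meta><Version>1.00</Version></Meta><Key><Data>"
    + base64.b64encode(SAMPLE_KEY)
    + b"</Data></Key></KeyFile>"
)

if __name__ == "__main__":
    pw_only = composite_key("correct horse", None)
    pw_and_file = composite_key("correct horse", SAMPLE_KEYFILE_XML)
    print("password only :", pw_only.hex())
    print("password+file :", pw_and_file.hex())
    print("same key from raw 32-byte file:", pw_and_file == composite_key("correct horse", SAMPLE_KEY))
```

The value this returns is only the composite key; KeePass then runs it through a key-derivation function (rounds of AES key transformation in KDBX 3, Argon2 in KDBX 4) before it becomes the vault's encryption key. What the example shows is the practical consequence of the key file: a password alone, a password plus a key file, and the key file alone are three different keys, which is why the key file has to travel out of band and must not sit next to the .kdbx in the same cloud folder.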

Dixie Cretin Seaman
Jan 22, 2008

all hat and one catte
Hot Rope Guy

OSI bean dip posted:

How can we have this discussion about "people who play as a security professionals on the Internet" yet then turn around and go on about "convenience [trumping] security"?

Here's what we can easily tell about KeePass and a cloud-based file distribution service:

  • The source code is readily available
    • This means we know how the data is encrypted
    • This also means we can audit the source code ourselves
    • This also means that it is hard to change the source code without a third party becoming aware
  • It's easy to add an extra layer of security to your password vault
  • It's extensible with plugins that permit the use of most popular off-site cloud services

Now that we have established the things we know about KeePass, what can we say about LastPass?

  • It is not open source
    • This means we cannot know how the data is encrypted without trusting a third party to perform an audit
    • This means we cannot audit the source code ourselves
    • This also means that it is possible to change the source code without its userbase ever knowing
    • It also means that we have to trust LastPass that they'll disclose every breach
  • The other two points from the KeePass list aren't important here

If you think that your accounts are not important, then fine, use LastPass. But don't go around saying that it has adequate security because as I have already demonstrated it has been rife with problems that would otherwise not exist if we were to just use a file-based password manager.

Hold on, in the other thread you personally vouch for 1Password, which as far as I can tell is also closed-source and also not routinely audited by 3rd parties. And Lastpass seems to subscribe to a paranoid, transparent philosophy in their blog posts about data breaches, where they disclose and advise password changes even for suspicious activity where they have no reason to think user vaults were exposed. If you use a 3rd party host like Dropbox are you really expecting to get full disclosure of potential breaches? By these arguments, shouldn't you be against everything except Keepass vaults, only stored locally?

If you want to argue against any kind of cloud vault storage then do it, and acknowledge that you're leaving out a lot of users who just won't use a password manager that can't easily sync between multiple devices, including phones. But it sounds very disingenuous to ding one company for server security that is equally problematic for your preferred solutions (that is: not very problematic, as long as you use a strong password, right?)

Wiggly Wayne DDS posted:

If your password manager, by default, has an unencrypted key stored (dOTP) that can be used to authenticate, obtain the encrypted vault key, decrypt the vault key, bypass IP restrictions, bypass 2FA and relies on local storage being impenetrable then you've got a bit of a design flaw. We've seen the damage in the past when Lastpass had an XSS problem that let an attacker grab any plaintext passwords from a vault silently. You're not storing your vault on a single system by virtue of using Lastpass so that is not the only possible angle of attack, and based on prior issues I can't comfortably advise people to use it for secure password storage. Especially given their response to the issues presented.

This, on the other hand, is a reasonable argument that they have exhibited some questionable security judgement w/r/t local attacks, and given their past transparency about possible server-side breaches, I was very disappointed in the detail of that response and exactly what mitigation strategies were put into place since being notified of the issues. Only tangentially related, but I've also always been uncomfortable with Lastpass' suggestion that they can keep your vault and passwords safe on questionable computers, like those at an internet cafe, using OTPs. I don't know if anyone's directly tested how much of your info some malware could grab in this scenario, but the assertion seems wildly naive and liable to give users a false sense of security.

I've been using Lastpass for a few years and I'm not imminently terrified, but between this and the uncertainty surrounding the LogMeIn acquisition, I am looking at alternatives. I just tried installing 1Password for OS X and it errors out immediately upon opening it. Not exactly inspiring confidence here...

GTO
Sep 16, 2003

AVG seem to basically be a malware vendor these days:

https://code.google.com/p/google-security-research/issues/detail?id=675

Redshifted Ghost
Jan 12, 2016

Jeesis posted:

Anyhoo, any advice for someone trying to get into the security field?

Is there a particular area in security that you are interested in? I can't help much on the pentesting/red team front but I can offer suggestions in the incident response and forensics area. This post will have a very heavy slant towards investigating targeted threats since that's what I do for my day job.

If you want to get into incident response and forensics, I recommend picking up a copy of Incident Response & Computer Forensics which is written by several Mandiant guys. "Chapter 12: Investigating Windows Systems" has a very good primer on Windows forensics. It doesn't touch on everything but covers a lot of the main areas. Overall, some general areas that I recommend starting to be familiar with in order to be successful in incident response and forensics are:

Malware Persistence
Understand at a minimum the main ways malware can persist on a system across reboots on a Windows box. The most commonly used methods for persistence are Windows services followed by registry "Run" keys. Other ways malware can persist are through the Windows startup folders, the "UserInit" registry key, the "Active Setup\Installed Components" registry key, scheduled tasks, WMI events, DLL search order hijacking, and a stupid number of other ways. If you want to get a pretty good idea of the ways malware can persist, grab a copy of the Sysinternals tool Autoruns and just run it on your local system to see the ways legitimate binaries are persisting on the system. Autoruns does a great job of showing where the persistence mechanism actually sits, such as the full registry key paths or the full file path for, say, the startup folder.

Lateral Movement
You'll want to understand the ways an attacker can laterally move within an environment from system to system. Protip: 95% of the time an attacker will laterally move the same way a legitimate admin would. Quite literally, WMI, Powershell, PsExec, Windows scheduled tasks (named and unnamed), and RDP cover most cases. You'll want to be familiar with the forensic artifacts on the source, the destination, and the network (at a minimum being familiar with what ports each of those use) for those methods of lateral movement. If you want some hands-on experience with investigating lateral movement forensic artifacts, then grab VMWare player (free), create a Windows VM, perform one of the ways you can laterally move to the VM from your localhost, then grab a copy of Mandiant's Redline to create a collector that collects at a minimum a file listing, registry listing, and event log listing. Run the collector in your VM and analyze the data on your local host with either Redline or, if you hate Redline, parse the Redline XML output documents to csv. You'll be able to timeline the event logs, registry, and file system around the time of your lateral movement test to see what it does on the target system.

The Attack Lifecycle
The attack lifecycle is the general overview of what an attacker will do in an environment at a high level. It's good to know since you can use it as a predictor of what the attacker has done to get to where he is if the discovery of the breach is late in the lifecycle, or of what to expect the attacker to do if the discovery is early in the attack lifecycle. FireEye had a decent webinar on this topic.


Frankly, if you are knowledgeable in the three above topics you'd be a good pick for an entry level incident response analyst regardless of your education background.

If malware analysis is your interest, Practical Malware Analysis is a very good book, though as a heads up, the learning curve gets very steep several chapters in. If you want to learn more about assembly, I recommend some of the Open Security Training videos, specifically Introductory Intel x86.

If anyone else has any questions about incident response or forensics let me know, I'm happy to answer them.
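As an added example (my own, not Redshifted Ghost's post and not Autoruns output), the following PowerShell walks the persistence locations the post names on the local Windows host and returns one object per entry, so a run on a clean machine can be kept as a baseline and diffed against a later run. It assumes an elevated session (to read HKLM and root\subscription) and Windows 8 / Server 2012 or later for Get-ScheduledTask.

```powershell
# Added example, not from the post or Autoruns: list the persistence locations
# the post names as objects that can be diffed against a known-good baseline.
function Get-PersistenceEntries {
    $results = New-Object 'System.Collections.Generic.List[object]'
    function Add-Entry($Location, $Name, $Command) {
        $results.Add([pscustomobject]@{ Location = $Location; Name = $Name; Command = $Command })
    }
    # Registry "Run" keys: machine-wide, 32-bit view, and the current user
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys | Where-Object { Test-Path $_ }) {
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) { Add-Entry $key $name $item.GetValue($name) }
    }
    # Winlogon Userinit: anything beyond userinit.exe in this value is suspect
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Add-Entry $wl 'Userinit' (Get-ItemProperty $wl).Userinit
    # Active Setup: each component's StubPath runs once per user at logon
    $as = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    foreach ($c in Get-ChildItem $as) {
        $stub = (Get-ItemProperty $c.PSPath).StubPath
        if ($stub) { Add-Entry $as $c.PSChildName $stub }
    }
    # Startup folders for the current user and for all users
    $dirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
            "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    foreach ($dir in $dirs) {
        foreach ($f in Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue) { Add-Entry $dir $f.Name $f.FullName }
    }
    # Services: record the binary path, which is what a rogue service changes
    foreach ($s in Get-CimInstance -ClassName Win32_Service) { Add-Entry 'Service' $s.Name $s.PathName }
    # Scheduled tasks: one entry per action, keyed by the full task path
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            if ($a.Execute) { Add-Entry "Task $($t.TaskPath)" $t.TaskName "$($a.Execute) $($a.Arguments)" }
        }
    }
    # WMI event subscriptions: permanent consumers live in root\subscription
    $consumers = Get-CimInstance -Namespace root\subscription -ClassName __EventConsumer -ErrorAction SilentlyContinue
    foreach ($w in $consumers) {
        $cmd = if ($w.CommandLineTemplate) { $w.CommandLineTemplate }
               elseif ($w.ScriptText) { $w.ScriptText } else { $w.CimClass.CimClassName }
        Add-Entry 'WMI root\subscription' $w.Name $cmd
    }
    return $results
}
```

Pipe the result into Export-Csv -NoTypeInformation on a known-clean build and again later; the rows that appear only in the later file are the ones worth explaining. DLL search order hijacking is deliberately not covered, since it leaves no single registry or folder entry to enumerate.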


co199
Oct 28, 2009

I AM A LOUSY FUCKING COMPUTER JANITOR WHO DOES NOT KNOW ANYTHING ABOUT CYBER COMPUTER HACKER SHIT.

PLEASE DO NOT LISTEN TO MY FUCKING AWFUL OPINIONS AS I HAVE NO FUCKING IDEA WHAT I AM TALKING ABOUT.

To expand on the Practical Malware Analysis front, this popped up on github the other day: https://github.com/RPISEC/Malware

quote:

About the Course

The Practical Malware Analysis (PMA) book is where many RPISEC members and alumn started. The book reads very well, is full of information, and the lab walkthroughs in the back are invaluable. We didn't want to re-invent the wheel so we structured most of the class around the book. Students were expected to have read the relevant PMA book chapters before class, allowing us to spend much more class time demonstrating skills and techniques and walking through hands-on examples with the students.

Syllabus: http://security.cs.rpi.edu/courses/malware-fall2015/Syllabus.pdf

Note: Most of the samples used in this course are malicious in nature, treat them carefully!

To help protect people from accidentally running samples on an important machine, and to prevent anti-malware suites from blocking the course material, all of the samples are compressed and encrypted with a password of 'infected'.

Course Abstract

With the increased use of the Internet and prevalence of computing systems in critical infrastructure, technology is undoubtedly a vital part of modern daily life. Unfortunately, the increasingly networked nature of the modern world has also enabled the spread of malicious software, or “malware”, ranging from annoying adware to advanced nation-state sponsored cyber-weaponry. As a result, the ability to detect, analyze, understand, control, and eradicate malware is an increasingly important issue of economic and national security.

This course will introduce students to modern malware analysis techniques through readings and hands-on interactive analysis of real-world samples. After taking this course students will be equipped with the skills to analyze advanced contemporary malware using both static and dynamic analysis.

Prerequisite Knowledge

This course carried a prereq of Computer Organization - CSCI 2500 at RPI. Computer Organization is RPI's basic computer architecture course that teaches things like C, MIPS assembly, x86 assembly, Datapaths, CPU Pipelining, CPU Caching, Memory Mapping, etc.

Our expected demographic for Malware Analysis was students with zero reverse engineering experience. That said, to be able to take this course you will probably need at least the following skills.

Working knowledge of C/C++
Any assembly level experience

Might be a worthwhile place to start if you have some interest in reversing.
