xtal
Jan 9, 2011

by Fluffdaddy

Harik posted:

from a month ago RE china's firewall and VPNs:

They use deep packet inspection and recognize the setup handshake of most common VPN protocols. There are patches to OpenVPN that apply XOR with a 32-bit key to the entire packet specifically to make it more difficult to detect. The idea is you set up your own server & client with a random shared XOR key and the DPI boxes can't detect it as an illegal VPN app.

It's nearly impossible to do anything useful over there given how locked down everything is and how rampant hacked-up versions of things are because they're either pirated or working around the firewall or the god-awful disaster that are native Chinese android forks.

How does that solution compare/contrast to something like obfs4proxy? I thought you could take the OSI model and then add obfuscation into it somewhere with a generalized algorithm.

xtal fucked around with this message at 01:46 on May 10, 2020


RFC2324
Jun 7, 2012

http 418

Harik posted:

from a month ago RE china's firewall and VPNs:

They use deep packet inspection and recognize the setup handshake of most common VPN protocols. There are patches to OpenVPN that apply XOR with a 32-bit key to the entire packet specifically to make it more difficult to detect. The idea is you set up your own server & client with a random shared XOR key and the DPI boxes can't detect it as an illegal VPN app.

It's nearly impossible to do anything useful over there given how locked down everything is and how rampant hacked-up versions of things are because they're either pirated or working around the firewall or the god-awful disaster that are native Chinese android forks.

is ssh an illegal vpn app?

tunnel your VPN through an SSH connection :v:

Powered Descent
Jul 13, 2008

We haven't had that spirit here since 1969.

RFC2324 posted:

is ssh an illegal vpn app?

tunnel your VPN through an SSH connection :v:

You smile, but that's an actual service provided by some commercial VPNs, and for exactly this reason. (And also pretty straightforward to set up if you're doing a roll-your-own solution.)

RFC2324
Jun 7, 2012

http 418

Powered Descent posted:

You smile, but that's an actual service provided by some commercial VPNs, and for exactly this reason. (And also pretty straightforward to set up if you're doing a roll-your-own solution.)

I don't expect to be in China anytime soon, but yeah, ssh tunneling is easy

Harik
Sep 9, 2001

From the hard streets of Moscow
First dog to touch the stars


Plaster Town Cop

RFC2324 posted:

is ssh an illegal vpn app?

tunnel your VPN through an SSH connection :v:

Sometimes, yes. They block SSH connections from time to time, or throttle the poo poo out of them to the point of being unusable. It did work last time I was over there in person, but a few years later it was so bad that git checkout over ssh was taking multiple hours for a few hundred meg repo. I manually created a bundle and put it on a cleartext webserver on the same network and they downloaded it in minutes.

xtal posted:

How does that solution compare/contrast to something like obfs4proxy? I thought you could take the OSI model and then add obfuscation into it somewhere with a generalized algorithm.

I don't know, honestly. There are thousands of "solutions" but the issue is there's a firewall that you're illegally bypassing and they're always finding new ways to crack down. I think the reason Google et al. cracked down on SNI fronting was they were told in no uncertain terms that if they didn't, the firewall would simply block them entirely. That's just a guess but it happened basically immediately after projects started talking about how it was a way around lovely censorship.

absolutely can't stand having to work with them because the most trivial poo poo becomes a multiple-hour ordeal bypassing the firewall.

BlankSystemDaemon
Mar 13, 2009



Conrad Meyer, one of the people working on security on FreeBSD, just showed me the most useful feature: using ssh controlmaster to automatically set up master connections for an initial connection to a host, so that subsequent connections all go through that.
It seems especially useful if you're doing ssh to or from China.

Guy Axlerod
Dec 29, 2008
Yeah, this is good, but I'd suggest using %C instead of %r@%h-%p, where available. I hit path length issues on some longer hostnames, but %C is a fixed-length hash that avoids that.

You might also like to use ProxyJump, and tunnel all of your connections through one host first.
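Putting the two suggestions together, here is an added example of an ~/.ssh/config fragment (not posted by anyone in the thread) that uses ControlMaster with a %C socket path and routes internal hosts through a ProxyJump host. The host names jumphost.example and *.internal.example and the user name alice are placeholders.

```sshconfig
# Added example, not from the thread: ControlMaster + ProxyJump in ~/.ssh/config.
# "jumphost.example", "*.internal.example" and "alice" are placeholder names.

Host jumphost
    HostName jumphost.example
    User alice
    # Reuse one authenticated connection for every later session to this host
    ControlMaster auto
    # %C is a hash of %l%h%p%r, so the socket path has a fixed length and
    # long hostnames cannot overflow the Unix socket path limit
    ControlPath ~/.ssh/cm-%C
    # Keep the master alive for 10 minutes after the last session closes
    ControlPersist 10m
    ServerAliveInterval 30

Host *.internal.example
    User alice
    # First hop through the jump host; its settings above apply to that hop
    ProxyJump jumphost
    ControlMaster auto
    ControlPath ~/.ssh/cm-%C
    ControlPersist 10m
```

`ssh -G host.internal.example` prints the fully expanded configuration so you can confirm which ControlPath and ProxyJump a given host resolves to, and `ssh -O check jumphost` reports whether a master connection is currently up. One caveat: anyone who can write to the control socket can open sessions over the already-authenticated master, so keep ~/.ssh at mode 0700 and do not point ControlPath at a shared or world-writable directory.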

BlankSystemDaemon
Mar 13, 2009



Guy Axlerod posted:

You might also like to use ProxyJump, and tunnel all of your connections through one host first.
ProxyJump is my derriere-saving extraordinaire, to be used if I accidentally get blocked by ipfw via blacklistd because I've typed an SSH password wrong twice and don't have my SSH key on me.

bull3964
Nov 18, 2000

DO YOU HEAR THAT? THAT'S THE SOUND OF ME PATTING MYSELF ON THE BACK.


Ouch.

https://www.engadget.com/thunderbolt-flaw-access-data-theft-075856181.html

It's not like you can just disable thunderbolt on devices either since they are what most of the docking systems are built around now. I suppose you can push out a group policy turning off suspend to ram, but good luck getting people to completely turn off their notebooks when they are unattended.

I also have no idea how you verify to an auditor that a computer was powered off when it was stolen, otherwise the drive isn't protected by the encryption.

Proteus Jones
Feb 28, 2013



quote:

Apple computers running macOS are unaffected by the vulnerability unless you’re running Boot Camp, according to Ruytenberg.

Huh, I would have expected this was at a PHY level, but apparently it's a weakness in Windows and Linux.

Lambert
Apr 15, 2018

by Fluffdaddy
Fallen Rib
Their website says in the "I have an Apple Mac. Am I affected?" section:

"MacOS
If you are running MacOS, your system is partially affected by Thunderspy. For recommendations on how to help protect your system, please refer to protections against Thunderspy.

Windows and Linux (Boot Camp)
Running Windows or Linux using the Boot Camp utility disables all Thunderbolt security. Therefore, your system is trivially affected by Thunderspy."
https://thunderspy.io/

Apple would need to implement kernel DMA protection for Boot Camp as well, it seems: https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt

It's a feature provided by the UEFI.

Lambert fucked around with this message at 18:17 on May 11, 2020

The Fool
Oct 16, 2003


On my hp I have to use admin credentials to approve new thunderbolt devices. Does this bypass that?

Lambert
Apr 15, 2018

by Fluffdaddy
Fallen Rib

The Fool posted:

On my hp I have to use admin credentials to approve new thunderbolt devices. Does this bypass that?

Not sure about that, but this section may be of interest:

Verifying whether your system supports Kernel DMA Protection
If you have purchased your system in or after 2019, it might ship Kernel DMA Protection. Currently, we are aware of support on a limited number of models. Owners of these models may verify support as follows:

HP EliteBook and ZBook (2019 and later): Power on the system and press F2. In the "Startup Menu" screen, select "BIOS setup (F10)". From the "Advanced" menu, select "System Options". In the screen that follows, verify "DMA Protection" is enabled.
Lenovo ThinkPad P53, X1 Carbon (2019 and later): Power on the system and press F1. From the "Security" tab, select "Virtualization". In the screen that follows, verify "Kernel DMA Protection" is enabled.
Lenovo Yoga C940 (models with "Ice Lake" CPU only): Always enabled by default. Status cannot be queried from UEFI.
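Where a BIOS walkthrough does not scale, the same three questions raised in this thread can be asked from the OS. The following PowerShell script is an added example, not something from the thread, from Thunderspy or from Microsoft: it exports the msinfo32 System Summary and reads its "Kernel DMA Protection" line, reads the DMA Guard enumeration policy from the registry, and lists whether S3 standby (the sleep state bull3964 wants group policy to turn off) is still offered. The report path is a temporary file; the registry path and value name are the ones the DmaGuard ADMX template uses, to my knowledge, and the exact wording of the msinfo32 line is an assumption.

```powershell
# Added example (not from the thread, Thunderspy or Microsoft). Run elevated.
# Checks, after the Thunderspy disclosure:
#   1. Kernel DMA Protection state as reported by msinfo32
#   2. Enumeration policy for devices incompatible with Kernel DMA Protection
#   3. Whether S3 standby (suspend to RAM) is still available

$report = Join-Path $env:TEMP 'msinfo32-report.txt'

# msinfo32 has no cmdlet; export the System Summary and grep the relevant line.
# Expected value text (assumed): "On", "Off" or "Not supported".
Start-Process -FilePath 'msinfo32.exe' -ArgumentList "/report `"$report`"" -Wait
$dma = Select-String -Path $report -Pattern 'Kernel DMA Protection' | Select-Object -First 1
if ($dma) {
    Write-Output $dma.Line.Trim()
} else {
    Write-Output 'Kernel DMA Protection: line not found in msinfo32 report'
}

# Group Policy: System > Kernel DMA Protection > Enumeration policy for external
# devices incompatible with Kernel DMA Protection. Registry location assumed from
# the DmaGuard ADMX template. 0 = block all, 1 = allow only after unlock, 2 = allow all.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection'
$pol = Get-ItemProperty -Path $polKey -Name 'DeviceEnumerationPolicy' -ErrorAction SilentlyContinue
if ($pol) {
    Write-Output ("DeviceEnumerationPolicy = {0}" -f $pol.DeviceEnumerationPolicy)
} else {
    Write-Output 'DeviceEnumerationPolicy not set (OS default applies)'
}

# powercfg /a lists the sleep states the firmware and OS allow. If "Standby (S3)"
# is listed as available, a laptop stolen while asleep still has its disk
# encryption keys in RAM, which is the case Thunderspy targets.
$states = powercfg /a
$states | Where-Object { $_ -match 'S3' } | ForEach-Object { Write-Output $_.Trim() }
```

On a fleet, feed the three outputs into whatever inventory tool you already use; the useful signal is the set of machines that report "Off" or "Not supported" for Kernel DMA Protection while still offering S3, since those are the ones a lost-device policy has to treat differently.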

Raymond T. Racing
Jun 11, 2019

So this is when the Surface team gets a smug look on their face and says "i told you so" about Thunderbolt security concerns, right?

BlankSystemDaemon
Mar 13, 2009



Thunderbolt? More like Funderbolt.

Absurd Alhazred
Mar 27, 2010

by Athanatos

D. Ebdrup posted:

Thunderbolt? More like Funderbolt.

More like Blunderbolt!

Bonzo
Mar 11, 2004

Just like Mama used to make it!
ThunderDONT

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?
Definitely not good, but if an attacker has physical access you're already pwned in many ways.

bull3964
Nov 18, 2000

DO YOU HEAR THAT? THAT'S THE SOUND OF ME PATTING MYSELF ON THE BACK.


Ynglaur posted:

Definitely not good, but if an attacker has physical access you're already pwned in many ways.

This is a HUGE issue for lost and stolen devices as having drive encryption is no longer a reasonable assurance that the data on the drive can't be recovered.

So this massively changes the severity of a lost/stolen notebook in healthcare. Every lost or stolen device may have to be treated like a breach.

RFC2324
Jun 7, 2012

http 418

bull3964 posted:

This is a HUGE issue for lost and stolen devices as having drive encryption is no longer a reasonable assurance that the data on the drive can't be recovered.

So this massively changes the severity of a lost/stolen notebook in healthcare. Every lost or stolen device may have to be treated like a breach.

sounds like a notebook that has to be locked down to citrix only

Achmed Jones
Oct 16, 2004



what bull3964 said is correct. encryption+reasonable corp policy means that you can mostly not care if a laptop gets stolen out of somebody's car. this completely ruins that. it's especially worrisome because if workers have to start working from office subnets anyway, it'll be harder to sell the C-suite on zero trust initiatives, which is bad for everybody

BlankSystemDaemon
Mar 13, 2009



Absurd Alhazred posted:

More like Blunderbolt!
Chunderbolt.

Ynglaur posted:

Definitely not good, but if an attacker has physical access you're already pwned in many ways.

You posted:

Darn, I forgot my charger!

Me posted:

You can borrow mine! Also, now I own your computer.


This is in contrast with Thunderspy which required access to a soldering iron.

Achmed Jones
Oct 16, 2004



just to be clear, though, thunderbolt isn't what chargers use - that's lightning. also, apple names are bad. but i mean s/charger/display or whatever

Achmed Jones fucked around with this message at 22:38 on May 11, 2020

bitprophet
Jul 22, 2004
Taco Defender

Achmed Jones posted:

just to be clear, though, thunderbolt isn't what chargers use - that's lightning. also, apple names are bad. but i mean s/charger/display or whatever
Not sure this is accurate? Both Lightning (oriented for mobile devices) and Thunderbolt (oriented for laptops, and super easily confused with various protocols using USB-C) can carry both power and data; a malicious "charger" for either (depending on the target and the port used) has the capacity to exploit whatever it's attached to.

That said it's more confusing nowadays with Thunderbolt 3, which uses USB-C form factor, and the fact that you can use it to talk purely data to eg drives. I don't think Thunderbolt 2 carried power (eg when I had a Thunderbolt 2 dock setup the laptop still needed separate power connection) but I'm too lazy to look it up.

bitprophet fucked around with this message at 22:29 on May 11, 2020

Achmed Jones
Oct 16, 2004



you're 100% right, "Lightning" is wrong. I was thinking "magsafe", but now that everything is usb-C, thunderbolt3 and usbc have collapsed(-ish) and oy.

yeah thunderbolt (prior to 3) was for displays, audio interfaces, etc - no power afaik

Jesus I hate Apple naming

BlankSystemDaemon
Mar 13, 2009



VERY VERY FRIGHTENING!
Jeez, I can't believe you forced me to do this!

bull3964
Nov 18, 2000

DO YOU HEAR THAT? THAT'S THE SOUND OF ME PATTING MYSELF ON THE BACK.


RFC2324 posted:

sounds like a notebook that has to be locked down to citrix only

Yeah, that doesn't reflect reality in just about every healthcare system out there. PII and PHI do make it on to end user devices and this vulnerability just blows a massive hole in the security that storage encryption provides.

I would not want to be in the data management department of any healthcare company after infosec gets wind of this and I have no idea how auditors are going to approach this.

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?
These are all very good points. Thank you.

Klyith
Aug 3, 2007

GBS Pledge Week

bull3964 posted:

I would not want to be in the data management department of any healthcare company after infosec gets wind of this and I have no idea how auditors are going to approach this.

Update pre-2018 laptops to new models that have Kernel DMA protection? That's the only thing needed to prevent the most dangerous attack (the one-time version where a laptop stolen while in sleep suspend is reflashed and memory dumped).

Everything else is firmly in the region where security audits, even for HIPAA, ignore known potential attacks. Until there's any evidence that evil maids are a threat that exists everyone basically gets a free pass.


Separately, this Wired story about Marcus Hutchins and his background -- yeah, he totally wrote some major malware and knew it was actively being used for theft -- is quite good. Sad but redemptive story. He was a kid who got in over his head and exploited, but he knew what was going down.

Klyith fucked around with this message at 15:25 on May 14, 2020

vanity slug
Jul 20, 2010

is registering a domain really a heroic act

The Fool
Oct 16, 2003


Jeoh posted:

is registering a domain really a heroic act

this

plus he had no idea what the registering domain would do, he just saw it referenced and was like 'what's the worst that could happen' and got lucky


he seems affable enough and does good work, but he's basically famous for having like the dumbest luck

Klyith
Aug 3, 2007

GBS Pledge Week
the heroic part is when he kicks an amphetamine addiction and gives up his source of income and validation, then tries to make up for the guilt by putting out useful knowledge about malware on a blog with no expectation of gain

it ain't running into a burning building, but I've never done that either

xtal
Jan 9, 2011

by Fluffdaddy
I met Marcus and he seemed nice. He also wasn't completely unknown before WannaCry, he was active on infosec Twitter forever.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Marcus is obviously a really good guy (who needs to kick his drug habit), and sinkholing is a common researcher tactic. I remember reading at the time people criticizing him for doing it, claiming that he might have instead done something like triggered a switch that rendered the files unrecoverable or something. But I don't think that really holds up to the facts.

He was looking at the code itself and clearly saw it pinged the address before encrypting. I don't know if he knew whether it showed up anywhere else, but that seems as good a reason as any to believe that it's not going to affect already infected computers. Also, the story linked and Marcus himself addresses this directly, but lots of white hats have a black hat history. Many of them were script kiddies growing up. That's what often happens when you're raised as a kid with this unaccountable power.

Regardless of whether he knew exactly what he was doing at the time, Marcus is a crazy smart guy and stopped some seriously bad poo poo from going down. He probably saved many lives with what he did. That makes him a hero in my book.

Wiggly Wayne DDS
Sep 11, 2010



Cup Runneth Over posted:

Marcus is obviously a really good guy (who needs to kick his drug habit), and sinkholing is a common researcher tactic. I remember reading at the time people criticizing him for doing it, claiming that he might have instead done something like triggered a switch that rendered the files unrecoverable or something. But I don't think that really holds up to the facts.

He was looking at the code itself and clearly saw it pinged the address before encrypting. I don't know if he knew whether it showed up anywhere else, but that seems as good a reason as any to believe that it's not going to affect already infected computers. Also, the story linked and Marcus himself addresses this directly, but lots of white hats have a black hat history. Many of them were script kiddies growing up. That's what often happens when you're raised as a kid with this unaccountable power.

Regardless of whether he knew exactly what he was doing at the time, Marcus is a crazy smart guy and stopped some seriously bad poo poo from going down. He probably saved many lives with what he did. That makes him a hero in my book.
he outright said he didn't know what the code would do when the domain was registered, it was a reckless act that he got rewarded for. other researchers saw the domain as well, they were just focused on reversing the context to know the consequences not just on the sample they were checking but all known variants to make sure it was safe

he ran in and threw water on a fire without knowing if it was oil burning, while everyone else was trying to make sure it wasn't oil and there weren't any oxygen tanks next to it. try and get some perspective on it

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

The Fool posted:

he seems affable enough and does good work, but he's basically famous for having like the dumbest luck

If you look closely enough, this is how it pretty much always works

Klyith
Aug 3, 2007

GBS Pledge Week
I'm not sure how wannacry could possibly have been made worse than it was by grabbing the domain. And if it had somehow become worse they could have just stopped resolving it.

The most common thing people propose is that maybe the domain could have triggered it to shred data instead of encrypt. You know what? Good! Flip that switch hard! Remove the temptation for orgs with lovely IT to pay the ransom. The more people who do that, the worse it is for everyone by proving that ransomware works.

In the US I'd love to see laws preventing at least the government at all levels from paying out ransoms. There's a distressing trend of municipal govts paying and putting forth very short-sighted cost explanations to rationalize it.

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano

Klyith posted:

In the US I'd love to see laws preventing at least the government at all levels from paying out ransoms.

Got bad news for you re. how some cybersecurity firms manage to resolve ransomware attacks while allowing their client, the victim, to maintain plausible deniability about negotiating with criminals

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?
I wonder how many of them are on the take, tbh.


wolrah
May 8, 2006
what?

Klyith posted:

I'm not sure how wannacry could possibly have been made worse than it was by grabbing the domain. And if it had somehow become worse they could have just stopped resolving it.

The most common thing people propose is that maybe the domain could have triggered it to shred data instead of encrypt. You know what? Good! Flip that switch hard! Remove the temptation for orgs with lovely IT to pay the ransom. The more people who do that, the worse it is for everyone by proving that ransomware works.

In the US I'd love to see laws preventing at least the government at all levels from paying out ransoms. There's a distressing trend of municipal govts paying and putting forth very short-sighted cost explanations to rationalize it.
I 100% agree with you in principle about not paying ransoms, but I guarantee that had it gone that way he would be in a much worse spot as soon as people found out what happened.

This was pretty much a textbook "pull a Homer" situation. It'd be like if you were watching a standard movie bomb defusal scene but some random dude off the street just walked by, saw a red wire, cut it, and the timer stopped. It worked, but it was pure luck that it did and had that luck not played out basically all the alternate outcomes would have made things worse for those involved.
