|
DeaconBlues posted:
Nice thread topic!

Theris posted:
What's wrong with MD5? I mean, it turns my street's name (why are you using license plate numbers instead of something easy to remember when you're stretching it into a good password anyway? We're trying to keep things simple here!) into "0904572d42fdd0ef1cd93fb1047fe2d0." That's a great password! Look how long and random it is! And without involving super complicated hard to learn software like Keepass.
|
# ¿ Nov 20, 2015 18:51 |
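The exchange above turns on one point: hashing a guessable input does not add entropy, it only changes the output's appearance. The following is an added example, not code from the thread, showing how an attacker who knows (or guesses) the "MD5 of a street name" construction recovers the plaintext with a dictionary. The street names are a constructed stand-in for a real list, and the hash of "Maple Drive" is just a demo target, not the digest quoted in the post.

```python
import hashlib
import math
from typing import Iterable, Optional

# Constructed stand-in for a street-name dictionary. A real attacker would use
# every street name in the target's country, a few hundred thousand entries;
# the point is the same at either scale.
STREET_NAMES = [
    "Main Street", "Oak Avenue", "Maple Drive", "Elm Street",
    "Park Lane", "Cedar Court", "Washington Boulevard", "Lakeview Road",
]


def md5_hex(text: str) -> str:
    """MD5 of a UTF-8 string as lowercase hex: the 'password' the scheme produces."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def variants(name: str) -> Iterable[str]:
    """Cheap case/spacing variants a cracker tries for every dictionary entry."""
    yield name
    yield name.lower()
    yield name.upper()
    yield name.replace(" ", "")
    yield name.lower().replace(" ", "")


def recover_from_md5(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: hash every candidate variant and compare it with the target.
    Returns the recovered plaintext, or None if it is not covered by the dictionary."""
    target_hex = target_hex.lower()
    for name in candidates:
        for v in variants(name):
            if md5_hex(v) == target_hex:
                return v
    return None


def effective_entropy_bits(dictionary_size: int, variants_per_entry: int = 5) -> float:
    """The derived password's strength is bounded by the guess space the attacker
    must cover (dictionary x variants), not by the 128-bit width of the digest."""
    return math.log2(dictionary_size * variants_per_entry)


if __name__ == "__main__":
    derived = md5_hex("Maple Drive")
    print("derived password:", derived)
    print("recovered plaintext:", recover_from_md5(derived, STREET_NAMES))
    print("guess space: %.1f bits" % effective_entropy_bits(len(STREET_NAMES)))
```

The 32 hex characters look like 128 bits of randomness, but the attacker only has to cover dictionary size times variants, a few bits here and maybe 20 bits with a national street list; MD5 itself being fast and unsalted just makes the loop cheaper.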
|
DeaconBlues posted:It wasn't a joke post. Yep, I do use a password manager (LastPass) but I knew there'd be people recommending Keepass so I mentioned I don't want to use it. Does that help?
|
# ¿ Nov 20, 2015 21:26 |
|
Antillie posted:Well Sourceforge is the official place to get Veracrypt and Veracrypt isn't abandoned so I don't think there is anything wrong with getting it from them. Sourceforge was never the official place to get GIMP. Also the results of the code audit of TrueCrypt prove that it and by extension its open source derivatives in fact can be trusted. Stop spreading FUD.
|
# ¿ Nov 20, 2015 23:34 |
|
Antillie posted:
I was incorrect about VeraCrypt. It is in fact hosted at codeplex. However I did back up my claim about TrueCrypt with a link to a summary of the audit results.

quote:
Also the results of the code audit of TrueCrypt prove that it and by extension its open source derivatives in fact can be trusted. Stop spreading FUD.

Antillie posted:
Interesting. Still those are things that can be fixed. Serious flaws are found in software all the time. I don't see how finding OS level flaws in TrueCrypt makes it harder to trust than Firefox or Chrome. Even Bash has had serious issues over the years.
|
# ¿ Nov 20, 2015 23:55 |
|
Inspector_666 posted:Right but why is 9521, 9533 the last pair in that guy's code?
|
# ¿ Nov 21, 2015 00:01 |
|
deep impact on vhs posted:facebook refuses to pay out bug bounty based on arbitrary, unwritten rules: http://exfiltrated.com/research-Instagram-RCE.php
|
# ¿ Dec 17, 2015 23:36 |
|
deep impact on vhs posted:
considering he didn't touch any user data, only confirm he was able to pivot to a bucket containing user data, i'd say he was fairly safely within scope

he kept a copy of undisclosed sensitive material for over a month after notifying them of the initial bug, then worked off of that to try and pull more payments. you'd be pushing the limits on a pentest by doing this, nevermind a bug bounty
|
# ¿ Dec 18, 2015 00:26 |
|
deep impact on vhs posted:http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554
|
# ¿ Dec 18, 2015 00:32 |
|
Rakthar posted:I seem to be able to understand that guy's question, and you seem to be struggling. Is there a reason for this?
|
# ¿ Dec 18, 2015 00:57 |
|
Rakthar posted:
So by being able to parse a fairly simple question, I am taking shortcuts to avoid asking tough questions? Uhh, what?

Rakthar posted:
You can substitute the word "targeted attack" for APT when you see the term if you want to:

Rakthar posted:
Like, if a guy comes into the infosec thread and asks a simple question about dns malware, such as whether using DNS callbacks for C2 communications is prevalent among commodity malware these days or whether it's generally the hallmark of targeted attacks, seems straightforward. Or can you guys not parse that simple of a question?
|
# ¿ Dec 18, 2015 01:12 |
|
Rakthar posted:
Are you familiar with the term 'paraphrase'

wyoak posted:
It's a bad acronym, but I mean high level attacks that are aimed specifically at a certain target.

cheese-cube posted:
Not very, assuming you're referring to "tunnelling" via udp/53 for the purpose of exfil/C&C. It's extremely easy to spot and there are far better methods available.
|
# ¿ Dec 18, 2015 01:56 |
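cheese-cube's reply says DNS tunnelling over udp/53 is easy to spot but not why. As an added example (not code from the thread, and not any vendor's detector), here is the kind of per-zone profiling a resolver log can be run through: tunnels show up as many unique, long, high-entropy subdomains under one zone, often over record types that carry bulk data such as TXT or NULL. The log lines, the zone names and the thresholds are all constructed for the demo; the zone split is naive (last two labels) and a real detector would use the public suffix list.

```python
import math
from collections import defaultdict
from typing import Dict, List

# Constructed resolver log, not captured traffic: "<timestamp> <client> <qtype> <qname>".
# example.org carries a tunnel-shaped stream; example.com and example.net are ordinary.
SAMPLE_LOG = """\
2015-12-18T00:57:01 10.0.0.5 A www.example.com
2015-12-18T00:57:02 10.0.0.5 A mail.example.com
2015-12-18T00:57:02 10.0.0.5 MX example.com
2015-12-18T00:57:03 10.0.0.7 A cdn.example.net
2015-12-18T00:57:03 10.0.0.7 A static.example.net
2015-12-18T00:57:04 10.0.0.7 A img.example.net
2015-12-18T00:57:04 10.0.0.7 A api.example.net
2015-12-18T00:57:05 10.0.0.7 A login.example.net
2015-12-18T00:57:05 10.0.0.7 A assets.example.net
2015-12-18T00:57:06 10.0.0.9 TXT 7a9f3c1e4b0d2f8a6c5e9b1d3f7a2c4e.6b8d0f2a4c6e8b1d3f5a7c9e.tun.example.org
2015-12-18T00:57:06 10.0.0.9 TXT e1c3a5f7b9d2e4f6a8c0b2d4f6a8c1e3.0d2f4a6c8e1b3d5f7a9c2e4.tun.example.org
2015-12-18T00:57:07 10.0.0.9 TXT 9b7d5f3a1c8e6a4c2e0b9d7f5a3c1e8b.4f6a8c0e2b5d7f9a1c3e6b8d.tun.example.org
2015-12-18T00:57:07 10.0.0.9 TXT 2c4e6a8b0d1f3a5c7e9b2d4f6a8c0e1b.a9c7e5b3d1f8a6c4e2b0d9f7.tun.example.org
2015-12-18T00:57:08 10.0.0.9 TXT 5e7a9c1b3d6f8a0c2e4b7d9f1a3c5e8b.c3e5a7b9d1f4a6c8e0b2d5f7.tun.example.org
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical symbol distribution in s."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_zone(qname: str):
    """Naive (registered zone, subdomain) split on the last two labels."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return qname, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_zones(log_text: str) -> Dict[str, dict]:
    """Aggregate query count, unique subdomains, name length, subdomain entropy
    and bulk-capable record types (TXT/NULL) per zone."""
    zones = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "len_sum": 0, "ent_sum": 0.0, "bulk": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qtype, qname = line.split()
        qname = qname.rstrip(".").lower()
        zone, sub = split_zone(qname)
        z = zones[zone]
        z["queries"] += 1
        z["subdomains"].add(sub)
        z["len_sum"] += len(qname)
        z["ent_sum"] += shannon_entropy(sub.replace(".", ""))
        if qtype.upper() in ("TXT", "NULL"):
            z["bulk"] += 1
    return zones


def tunnel_indicators(z: dict) -> List[str]:
    """Return the heuristics a zone trips; thresholds are demo values."""
    q = z["queries"]
    avg_len = z["len_sum"] / q
    avg_ent = z["ent_sum"] / q
    uniq = len(z["subdomains"]) / q
    found = []
    if avg_len > 50:
        found.append("avg qname length %.0f" % avg_len)
    if avg_ent > 3.0:
        found.append("avg subdomain entropy %.2f bits/char" % avg_ent)
    if q >= 5 and uniq > 0.9:
        found.append("%d unique subdomains in %d queries" % (len(z["subdomains"]), q))
    if z["bulk"] / q > 0.5:
        found.append("mostly TXT/NULL queries")
    return found


def find_tunnels(log_text: str, min_indicators: int = 2) -> Dict[str, List[str]]:
    """Zones tripping at least min_indicators heuristics; one alone is noisy
    (a CDN zone legitimately has many unique subdomains)."""
    flagged = {}
    for zone, z in profile_zones(log_text).items():
        found = tunnel_indicators(z)
        if len(found) >= min_indicators:
            flagged[zone] = found
    return flagged


if __name__ == "__main__":
    for zone, why in find_tunnels(SAMPLE_LOG).items():
        print(zone, "->", "; ".join(why))
```

Requiring two or more indicators is what keeps a busy CDN zone (many unique short hostnames, low entropy, A records) out of the alert queue while the hex-label TXT stream trips all four.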
|
Rakthar posted:
So doesn't that seem like a really useless definition of APT? "The proper, empirical definition of APT is that this one company made up a specific term for state actors but you can only use it in their original, intended way."

It was coined in a specific way, but it gets used generally.

Wiggly Wayne DDS fucked around with this message at 03:21 on Dec 18, 2015 |
# ¿ Dec 18, 2015 03:09 |
|
Lastpass has had too many dumb security issues. Use 1password or KeePass.
|
# ¿ Dec 21, 2015 10:25 |
|
Inspector_666 posted:
I also only know of one "breach" that Lastpass has had, and all it did was release stuff that's already encrypted up the wazoo.

Alereon posted:
KeePass requires your own db management solution and 1password requires you to purchase a separate license for every platform, both of which are dealbreakers for most normal people. If you are a nerd and a local db works for you then not trusting anyone else with your data is obviously safest.
|
# ¿ Dec 21, 2015 16:24 |
|
Alereon posted:
Lastpass isn't insecure, it just makes intelligent default choices to balance security and convenience for its users. Most people want features like trusted devices and offline access to their vault, and if you don't no one makes you keep them enabled.
|
# ¿ Dec 21, 2015 16:44 |
|
Inspector_666 posted:Isn't the entire draw of cloud-based password managers multi-platform support?
|
# ¿ Dec 21, 2015 16:46 |
|
Alereon posted:Yes, it says that if credentials are saved locally to your machine, then an attacker with access to your machine may be able to gain access to your Lastpass vault data and account. This is not the threat model most people care about, and anyone that does can mitigate it by making changes to their account settings. Honestly dude you are making mountains out of molehills, Lastpass is compellingly better than the alternatives for everyone that isn't an autist and doesn't want to buy an app once for every platform they own.
|
# ¿ Dec 21, 2015 17:24 |
|
Alereon posted:
You are inventing fake concerns. The default configuration of Lastpass does not protect you from an attacker with access to your machine, because that is not a relevant threat for most users and changing the way the software works to protect against that would require usability compromises that are unacceptable to most users. Users for whom those compromises ARE acceptable can change their account settings, or hell just use KeePass if they care that much.

quote:
KeePass is worthless for average users because it requires you to roll your own db storage and synchronization solution. Saying "just use dropbox" is great for autists who want to live independently, but it's absolutely not a solution that Just Works in the way Lastpass does. You're a smart guy, you know all this, so I don't get why you won't accept that LastPass offers the best balance between security and usability for most people. Let's be real, features like offline access
|
# ¿ Dec 21, 2015 21:28 |
|
Alereon posted:
Your post describes some very vague and not-at-all-compelling reasons why people should be cautious about trusting their data to Lastpass. And yes, any security professional (or someone who plays one on the Internet) is perfectly capable of setting up their own cloud-based db synch solution, but those security professionals aren't asking for advice on how to manage their passwords. Someone who asks security professionals what password management solution to use should be directed to Lastpass.

quote:
Here's the problem. Convenience is so vastly more important than your theoretical security concerns that I am stunned we are still having this discussion. This fact has been a foundational principle of information security practices for quite some time. This is because users will work around inconvenient practices with MUCH less secure practices, such as how users respond to strong password requirements by reusing passwords. This is why the priority when creating a process for users MUST be that the process be so convenient users will never be tempted to work around it.
|
# ¿ Dec 21, 2015 21:41 |
|
wyoak posted:
How many people who had a friend recommend KeePass/Dropbox are going to upgrade KeePass if a vuln is discovered?

KeePass FAQ posted:
Why does KeePass try to connect to the Internet?

Marinmo posted:
They won't, so in the end they'll end up less secure than Lastpass users since the latter are always running the latest version.

Further, I'm not so sure he read the end of

If you're looking for a password manager there are far better alternatives, but if you're that much of a fan of the product that you ignore security issues in a security thread then we're well past the point of discussion.
|
# ¿ Dec 21, 2015 23:54 |
|
Rufus Ping posted:Same - I hadn't heard of Facebook before but after a quick poke around their home page they get my seal of approval
|
# ¿ Apr 22, 2016 18:50 |
|
ItBurns posted:Noted.
|
# ¿ Apr 28, 2016 19:46 |
|
co199 posted:
I would qualify this by saying "you shouldn't be running antivirus as a primary line of defense in 2016". There are some use cases for it, but it's better supplemented with additional tools (on endpoints at least).

co199 posted:
I can point to a real world example with a customer I just finished working with that had no security software on approximately 1000 endpoints in a healthcare environment, even though they had a standing contract with a major AV vendor. They didn't replace AV with anything, they just didn't have anything on their systems. When they got hit by a 7-year-old worm and came screaming to us, we pointed out that the exact hashes they had would have been picked up by their AV solution and they really had no excuse as to why it hadn't been deployed.

co199 posted:
Traditional AV is on life support, but as a last line of defense (e.g. if AV detects something you're already hosed but maybe it might save you a little bit) it's worth having.

co199 posted:
EDIT: I should note that there were a lot of internal politics that led to that decision (due to acquisitions and such) but people are literally taking the saying "AV is dead" at face value and running with nothing, in the real world, in 2016. The security industry needs to be careful about what they soapbox.
|
# ¿ Apr 29, 2016 23:42 |
|
Paul MaudDib posted:If they have professional experience, why don't they do more than ask me how antivirus works? I explained it to them, and they said "nah" and asked again. I read the thread they told me to read and their explanation was that the NSA was gonna blast right through consumer antivirus and I guess their edge filtering was gonna stop the NSA in their tracks or something.
|
# ¿ May 2, 2016 06:19 |
|
Paul MaudDib posted:
e: Furthermore, security by infinitesimal user-base is not a viable defense mechanism. Seriously, this thread - "forget antivirus, just install gentoo on grandma's computer"

Subjunctive posted:
My company has > 10K end-user machines and we don't run AV.
|
# ¿ May 2, 2016 06:32 |
|
Paul MaudDib posted:For real though I appreciate that antivirus is a layer that can have its own vulnerabilities, but the number of critical vulnerabilities in a given antivirus package is much less than the number of vulnerabilities in software that is corralled within an AV perimeter. There's been like what, 2 escalation or escape attacks within a year? Versus how many exploits of software installed on client endpoints? It's probably less than a half-dozen total.
|
# ¿ May 2, 2016 07:26 |
|
If you've not paid attention to AV vulns lately we're pointing at zero interaction pre-auth rces to system - not lpes. That or destroying any concept of cert validity. Worse than the disease.
|
# ¿ May 2, 2016 14:30 |
|
It's heuristics with marketing, and they refuse to give anyone access to analyse it without signing a NDA
|
# ¿ May 5, 2016 12:46 |
|
mAlfunkti0n posted:Looks like LinkedIn database was leaked .. yay security!
|
# ¿ May 18, 2016 18:23 |
|
not apt enough
|
# ¿ Jun 7, 2016 20:53 |
|
Great so what does this have to do with infosec? Your privacy is a different subject entirely and you can go yell about it in D&D.
|
# ¿ Aug 25, 2016 18:31 |
|
Dylan16807 posted:
You can rowhammer from javascript, which is enough to keep it in mind as a threat.

ultramiraculous posted:
No but, for real, is there a reason every endpoint shouldn't be implementing in-memory heuristics to catch this kind of behavior? If it affects VMs, should we be worried about our Mac users running MS Office images?

This is working from my memory of the issue, and undoubtedly more has come to light since then. One thing to keep in mind is that the kernel/sandbox fixes aren't necessarily comprehensive - it's not difficult to break a PoC, but the underlying issue is another story.

BangersInMyKnickers posted:
They're really glossing over that they're doing this on non-ECC DIMMs. I don't think they've managed anything beyond crashing the hypervisor on ECC memory, even DDR3.
|
# ¿ Sep 3, 2016 13:42 |
|
Wiggly Wayne DDS posted:
If your password manager, by default, has an unencrypted key stored (dOTP) that can be used to authenticate, obtain the encrypted vault key, decrypt the vault key, bypass IP restrictions, bypass 2FA and relies on local storage being impenetrable then you've got a bit of a design flaw. We've seen the damage in the past when Lastpass had an XSS problem that let an attacker grab any plaintext passwords from a vault silently. You're not storing your vault on a single system by virtue of using Lastpass so that is not the only possible angle of attack, and based on prior issues I can't comfortably advise people to use it for secure password storage. Especially given their response to the issues presented.

NFX posted:
Is LessPass and LastPass the same thing?
|
# ¿ Nov 8, 2016 17:55 |
|
well no. limited amount of 'unique' quotes/lyrics

if it's a random word list then each word is functionally a character when bruteforcing (given a public list)
|
# ¿ Nov 14, 2016 18:25 |
|
we just went over how 'higher entropy' ignores that you're changing the construction of your password inherently
|
# ¿ Nov 14, 2016 18:48 |
|
welcome to passphrases, for when you can't use a password manager
|
# ¿ Nov 14, 2016 20:46 |
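The three posts above make an entropy-accounting argument: with a public word list each word is one symbol, so a passphrase's strength is words times log2(list size), and a quote or lyric is one pick from a corpus, however many characters it has. This added example (not code from the thread) carries that accounting through in numbers; the toy word list and the corpus size of one million are constructed assumptions, and the 7776-entry figure is the size of a standard Diceware list.

```python
import math
import secrets
from typing import Sequence


def log2_choices(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` independent uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_bits(wordlist_size: int, n_words: int) -> float:
    """Random word list: each word is one symbol drawn from wordlist_size."""
    return log2_choices(wordlist_size, n_words)


def naive_char_bits(text: str, charset_size: int = 62) -> float:
    """What a strength meter reports: every character treated as a uniform pick.
    Only valid if the characters really were chosen independently at random."""
    return log2_choices(charset_size, len(text))


def corpus_bits(corpus_size: int) -> float:
    """Quote or lyric scheme: the attacker with the same corpus needs one pick
    among corpus_size items, regardless of the quote's length."""
    return math.log2(corpus_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of list words reaching target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(wordlist: Sequence[str], n_words: int, sep: str = " ") -> str:
    """Uniform selection with the CSPRNG. Hand-picking 'nicer' words is exactly the
    change of construction that invalidates the passphrase_bits figure."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


# Constructed 16-entry list for the demo (4 bits per word); Diceware has 7776 (12.9 bits).
TOY_WORDLIST = ["acorn", "badge", "canoe", "delta", "ember", "fjord", "gable", "hinge",
                "igloo", "joust", "kayak", "lemon", "mango", "noble", "oxide", "pivot"]

if __name__ == "__main__":
    lyric = "we all live in a yellow submarine"
    print("6 Diceware words: %.1f bits" % passphrase_bits(7776, 6))
    print("words for 80 bits: %d" % words_needed(7776, 80))
    print("lyric, per-character view: %.1f bits" % naive_char_bits(lyric))
    print("lyric, one pick from 1e6 quotes: %.1f bits" % corpus_bits(1_000_000))
    print("sample:", generate_passphrase(TOY_WORDLIST, 5))
```

The 33-character lyric scores almost 200 bits on a per-character meter and about 20 bits against an attacker who simply iterates a quote corpus; six random Diceware words are 77 bits by construction, and the figure survives because the selection really was uniform.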
|
CLAM DOWN posted:Fair, but a software solution is far more flexible and powerful, because you can customize what you allow and what you don't on which system. However you're absolutely right, and only a physical block like glue would stop that.
|
# ¿ Nov 22, 2016 19:00 |
|
well no poo poo you tailor the solution based on the business needs, but don't say a software solution is more flexible and powerful when it's lax and vulnerable
|
# ¿ Nov 22, 2016 19:11 |
|
if you're at the stage where gluing the port is an option then you may want inflexibility in your security model, you're also locking the keyboard/mouse into the port with the machine in a sealed unit
|
# ¿ Nov 22, 2016 19:15 |
|
|
CLAM DOWN posted:
Ok fine, the term "powerful" needs more meaning than that, but 100% it's more flexible, gluing a port shut is about as inflexible as you can get...

here is sopho's device control: https://community.sophos.com/kb/en-us/64174

quote:
Device Exemptions

then there's the other kind of 'endpoint protector', meet cososys' endpoint protector:

quote:
The extended use of portable devices has not only increased the efficiency and mobility of our daily work tasks but, at the same time has posed another significant threat to companies' data security. USB devices and other portable devices, although small and at a first glance harmless, are one of the top causes for security incidents with millions of dollars in losses for the business. The need for controlling the use of devices in corporate environments has become nowadays a must in order to keep up with latest security challenges.

https://www.kb.cert.org/vuls/id/591667

quote:
CoSoSys Endpoint Protector 4 appliance contains a predictable password for root-equivalent account vulnerability

https://www.sec-consult.com/fxdata/..._v10_wo_poc.txt

quote:
Vulnerability overview/description:

Wiggly Wayne DDS fucked around with this message at 19:37 on Nov 22, 2016 |
# ¿ Nov 22, 2016 19:33 |
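The glue-versus-software argument above is about what a device exemption actually keys on. As an added example, not code from the thread and not Sophos or CoSoSys logic, here is a minimal device-control policy evaluator with default deny, a "glued" mode that ignores exemptions entirely, and an audit pass that flags the lax rules: vendor ID, product ID and serial are all strings the device reports about itself, so an exemption on VID/PID alone is satisfied by any reprogrammable device that claims those values. The device records and IDs are constructed for the demo.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: str     # all four fields are reported by the device itself
    product_id: str
    serial: str        # unique per unit only if the vendor bothered
    device_class: str  # "storage", "hid", "network", ...


@dataclass(frozen=True)
class Exemption:
    """An allow rule. A field left None matches anything, so the fewer fields
    set, the easier the rule is to satisfy with a cloned or programmable device."""
    vendor_id: Optional[str] = None
    product_id: Optional[str] = None
    serial: Optional[str] = None
    device_class: Optional[str] = None
    note: str = ""

    def matches(self, d: UsbDevice) -> bool:
        pairs = ((self.vendor_id, d.vendor_id), (self.product_id, d.product_id),
                 (self.serial, d.serial), (self.device_class, d.device_class))
        return all(want is None or want == got for want, got in pairs)


@dataclass
class Policy:
    exemptions: List[Exemption]
    glued: bool = False  # software equivalent of epoxy: no exemption is consulted


def evaluate(policy: Policy, device: UsbDevice) -> Tuple[str, str]:
    """Default deny; first matching exemption allows."""
    if policy.glued:
        return "deny", "port locked, exemptions not considered"
    for rule in policy.exemptions:
        if rule.matches(device):
            return "allow", rule.note or "matched exemption"
    return "deny", "default deny"


def audit(policy: Policy) -> List[str]:
    """Flag exemptions that a device can satisfy just by reporting the right IDs."""
    findings = []
    for i, r in enumerate(policy.exemptions):
        if r.serial is None:
            findings.append("exemption %d: no serial, any device reporting VID/PID %s:%s is allowed"
                            % (i, r.vendor_id, r.product_id))
        if r.device_class is None:
            findings.append("exemption %d: no class restriction, a matching device may also "
                            "enumerate as HID (keyboard) rather than storage" % i)
    return findings


if __name__ == "__main__":
    # Constructed IDs: an issued encrypted drive, and a clone reporting the same VID/PID.
    tight = Policy([Exemption(vendor_id="1234", product_id="5678", serial="SN000123",
                              device_class="storage", note="issued drive SN000123")])
    lax = Policy([Exemption(vendor_id="1234", product_id="5678", note="any drive of this model")])
    issued = UsbDevice("1234", "5678", "SN000123", "storage")
    clone = UsbDevice("1234", "5678", "SN999999", "storage")
    for name, pol in (("tight", tight), ("lax", lax), ("glued", Policy([], glued=True))):
        print(name, "issued ->", evaluate(pol, issued), "| clone ->", evaluate(pol, clone))
    print("audit(lax):", audit(lax))
```

The flexibility the software buys you is the exemption list; the audit pass is the check that the list was not written in a way that hands that flexibility to whoever brings the next device.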