|
CLAM DOWN posted:Yup, I'm fully aware of all that. CLAM DOWN posted:e: actually gently caress that, a software solution absolutely can be "powerful", you're being wrong by immediately dismissing any software option as "lax and vulnerable", I'm curious what products you've actually tried and used in production quote:Have you used either Check Point port protection, or Bit9 Parity/CarbonBlack USB device features? Subjunctive posted:Can't you just cut the keyboard cable and get access to the USB traces electrically?
|
#
¿
Nov 22, 2016 19:42
|
|
|
|
| # ¿ May 13, 2024 18:31 |
|
|
CLAM DOWN posted:I highly recommend not dismissing things that you have never used or tried and don't know anything about. Keeping an open mind is very beneficial.
|
|
#
¿
Nov 22, 2016 19:52
|
|
|
i'm just amused that you're against not trusting security software, and will only listen to people who've deployed specific variants of the same snakeoil
|
|
#
¿
Nov 22, 2016 19:57
|
|
|
CLAM DOWN posted:I never said either of those things. I simply asked a question. You're putting words in my mouth and making assumptions, and doing so in an unnecessarily hostile and unproductive way. You haven't been open to any kind of real discussion since the start, so have a good one. CLAM DOWN posted:Yup, I'm fully aware of all that. Have you used either Check Point port protection, or Bit9 Parity/CarbonBlack USB device features? Wiggly Wayne DDS posted:will only listen to people who've deployed specific variants of the same snakeoil Wiggly Wayne DDS posted:i'm just amused that you're against not trusting security software CLAM DOWN posted:e: actually gently caress that, a software solution absolutely can be "powerful", you're being wrong by immediately dismissing any software option as "lax and vulnerable", I'm curious what products you've actually tried and used in production CLAM DOWN posted:I highly recommend not dismissing things that you have never used or tried and don't know anything about. Keeping an open mind is very beneficial. i'm extremely open to discussion, but if you're going to dismiss me while not putting forward anything then there was never going to be a discussion to begin with
|
|
#
¿
Nov 22, 2016 20:07
|
|
|
BangersInMyKnickers posted:application throwing cert errors.
|
|
#
¿
Nov 23, 2016 21:56
|
|
|
how did that make security worse exactly
|
|
#
¿
Dec 6, 2016 23:33
|
|
|
oh so it wasn't a second factor then
|
|
#
¿
Dec 6, 2016 23:37
|
|
|
doctorfrog posted:Curious, what's the thread's personal policy or advisement for physical password storage, as inscribed a notebook or something? As in, having a hard copy backup of at least your password database password and suitable instructions for use so your next-of-kin can unlock your cat pics when you're quite dead? Is it "don't do it, under any circumstances, you idiot," "safety deposit box only," "folded up in a sock drawer," in the easily lock-picked fire safe, etc.
|
|
#
¿
Dec 7, 2016 20:35
|
|
|
Internet Explorer posted:I'm not aware of any history of vShield exploits. I did a quick look and I see one from 2012 that seems rather benign.
|
|
#
¿
Dec 13, 2016 22:15
|
|
|
hostile attacker someone or good red team someone
|
|
#
¿
Dec 13, 2016 22:46
|
|
|
when you get compromised how are you informing your potential userbase
|
|
#
¿
Mar 11, 2017 00:31
|
|
|
we've had multiple arguments about lastpass in this thread when their security failures come to light so let's get this over withratbert90 posted:He also tore 1pass a new one earlier, but people seem to ignore that. note that compromise was june 2015 and their security guarantees on what an attacker can do with that information are absurdly inaccurate when compared to this november 2015 assessment. i've summarised that assessment before but for those who don't want to read the entire thing: Wiggly Wayne DDS posted:If your password manager, by default, has an unencrypted key stored (dOTP) that can be used to authenticate, obtain the encrypted vault key, decrypt the vault key, bypass IP restrictions, bypass 2FA and relies on local storage being impenetrable then you've got a bit of a design flaw. We've seen the damage in the past when Lastpass had an XSS problem that let an attacker grab any plaintext passwords from a vault silently. You're not storing your vault on a single system by virtue of using Lastpass so that is not the only possible angle of attack, and based on prior issues I can't comfortably advise people to use it for secure password storage. Especially given their response to the issues presented.
|
|
#
¿
Mar 21, 2017 12:43
|
|
|
lastpass vuln is up: https://bugs.chromium.org/p/project-zero/issues/detail?id=1209#c5quote:win = window.open("https://1min-ui-prod.service.lastpass.com/"); quote:LastPass responded and said they have NXDOMAIN'd 1min-ui-prod.service.lastpass.com while they investigate. quote:I've uploaded the exploit here:
|
|
#
¿
Mar 21, 2017 19:19
|
|
|
PBS posted:1password makes it hilariously difficult to import from lastpass.
|
|
#
¿
Mar 22, 2017 08:01
|
|
|
baka kaba posted:Is there a recommended source of files to use for keyfiles? Like in case you misplace your only copy of butt.jpg and you have trouble getting a byte-for-byte identical copy again. Is there a good generator system, or reliable source of files that (probably) won't ever change?
|
|
#
¿
Mar 22, 2017 13:14
|
|
|
baka kaba posted:I've never used a keyfile for anything, but aren't they literally files? And the point is to have a bunch of unpredictable data in it?
|
|
#
¿
Mar 22, 2017 13:40
|
|
|
Subjunctive posted:I'm not sure that I would classify a Word doc as having lots of random data, hmm.
|
|
#
¿
Mar 22, 2017 14:20
|
|
|
that they've gone to the media to coerce payment and didn't make an example of, say, a thousand random devices being wiped says it all
|
|
#
¿
Mar 23, 2017 07:34
|
|
|
Double Punctuation posted:MS spent zero money on that patch because they already made it for POSready.
|
|
#
¿
May 13, 2017 14:24
|
|
|
baka kaba posted:Why's it bad that someone uploaded that? Isn't the idea to have a signature in place so all the AV can detect the killswitch-less version if someone removes that and pushes it out again? registering the domain blind was a terrible idea, and all the worse that researchers are now encouraged to do it before ramifications are known for potential publicity
|
|
#
¿
May 15, 2017 10:29
|
|
|
whole lot of unexpected posts itt
|
|
#
¿
Jul 2, 2017 09:39
|
|
|
i hear of good security conferences in germany and belgium
|
|
#
¿
Aug 3, 2017 23:37
|
|
|
Double Punctuation posted:If you've actually committed a crime, maybe you shouldn't go to a convention that's about stopping the crime you committed.
|
|
#
¿
Aug 4, 2017 00:16
|
|
|
the clause was never about the breach in the first case, that's about their services
|
|
#
¿
Sep 8, 2017 22:38
|
|
|
yeah i'm sure the malware made sure to hook into the uninstaller as well, nevermind the other secondary payloads that haven't been found
|
|
#
¿
Sep 18, 2017 22:08
|
|
|
BangersInMyKnickers posted:The writeup from Avast claims that they neutered the C&C servers before any kind of payload could occur, though how they are actually confirming that claim is a bit of a mystery. It was arbitrary code installed as System so the worst case persistent rootkit is a possibility though considering the visibility they PROBABLY cleaned things up for the majority of users. not quite sure how they'd be able to make such a bold claim given the window of infection and degree of invasive analysis required to detect that weeks later, but that's their side of the matter Wiggly Wayne DDS fucked around with this message at 15:56 on Sep 19, 2017 |
|
#
¿
Sep 19, 2017 15:46
|
|
|
mllaneza posted:I'm no expert, but the paper is out:
|
|
#
¿
Oct 15, 2017 22:49
|
|
|
NevergirlsOFFICIAL posted:I was just  include knowing that ios and osx are different?
|
|
#
¿
Dec 3, 2017 01:53
|
|
|
a) ids is garbage and insufficient for new attacks of this calibre b) poc was made against facebook - twice. the second poc was after the engineers attempted a fix and a different variation of the attack was made c) bleichenbacher variants aren't something that have been forgotten to the mists of time, it's the basis of DROWN
|
|
#
¿
Dec 13, 2017 01:49
|
|
|
NevergirlsOFFICIAL posted:what cert should I get? I have ceh and I don't like it because "certified ethical hacker" sounds really stupid.
|
|
#
¿
Dec 19, 2017 21:58
|
|
|
EVIL Gibson posted:It used to be an awesome cert.
|
|
#
¿
Dec 19, 2017 22:04
|
|
|
deimos posted:This affects non VMs as well, theoretically a Javascript payload could install a rootkit. That's how hosed this is. rowhammer was publicised in 2014, you should have been in a panic since then if this affects you
|
|
#
¿
Jan 3, 2018 17:48
|
|
|
i've yelled and yelled about lastpass before. here's a post from 2015 after they have multiple breaches, which they said wasn't really a problem as they couldn't read your passwords due to the master password, also 2fa and other restrictions made the rest of the attackers data useless. what their pr forgot to mention was a vulnerability had been notified to them in that time period that showed a design decision allowing a bypass to requiring the master password:Wiggly Wayne DDS posted:If your password manager, by default, has an unencrypted key stored (dOTP) that can be used to authenticate, obtain the encrypted vault key, decrypt the vault key, bypass IP restrictions, bypass 2FA and relies on local storage being impenetrable then you've got a bit of a design flaw. We've seen the damage in the past when Lastpass had an XSS problem that let an attacker grab any plaintext passwords from a vault silently. You're not storing your vault on a single system by virtue of using Lastpass so that is not the only possible angle of attack, and based on prior issues I can't comfortably advise people to use it for secure password storage. Especially given their response to the issues presented. Wiggly Wayne DDS posted:lastpass vuln is up: https://bugs.chromium.org/p/project-zero/issues/detail?id=1209#c5
|
|
#
¿
Feb 13, 2018 19:04
|
|
|
i'm always impressed with what software people manage to find for a more or less solved problem seriously can you guys make a list somewhere? these weird recommendations people make on forums for 'security software anyone should have' that no one in security's heard of it legitimately impressive. it's a massive blindspot in auditing as, as a general rule, security researchers tend to only audit apps they've heard of or use causing this wide divide
|
|
#
¿
Feb 13, 2018 20:36
|
|
|
ElCondemn posted:I don’t understand the issue people have with LastPass, sure they were hacked but my understanding is that they encrypt using your “master key”. So all you’d have to do to remain secure is not share your private key. Certainly it would be good to keep your vault secret too but it’s as safe as your keepass database would be if say your Dropbox was hacked... Wiggly Wayne DDS posted:Here's a rundown of an audit publicised last month: https://www.martinvigo.com/even-the-lastpass-will-be-stolen-deal-with-it/ https://blog.lastpass.com/2015/06/lastpass-security-notice.html/ quote:Was my master password exposed? quote:Were passwords or other data stored in my vault exposed? in response to that rough audit they had the following to say: Wiggly Wayne DDS posted:Especially given their response to the issues presented.
|
|
#
¿
Feb 16, 2018 17:32
|
|
|
Stanley Pain posted:Wasn't the latest problem with LastPass something really stupid like having an API call that just let you dump all the login credentials and it was trivial to exploit or am I thinking of something else?
|
|
#
¿
Feb 16, 2018 17:55
|
|
|
yeah there's a high burnout rate in security of people who actually care and want to get things fixed running against people who just want a paycheck and will patch around the issue to make sure that paycheck keeps coming
|
|
#
¿
Feb 16, 2018 18:50
|
|
|
Lain Iwakura posted:There's also the crowd that does it to look really freaking cool not realising that they're tools and aren't doing anything interesting.
|
|
#
¿
Feb 16, 2018 19:06
|
|
|
ElCondemn posted:I used to only use keepass, when I got off Dropbox and started self-hosting my file sync that became a non-starter. Also the fact that my family isn't as tech savvy has made browser integrated password managers the only option for me. Believe me if every website supported OIDC I'd use that in a heartbeat but the options are limited. I haven't seen anything that makes me want to immediately drop Lastpass since there hasn't been a remote or server-side exploit that doesn't require a compromised client. But sure I'm just a shill who works for Amazon (what?) that wants everyone to be insecure... for reasons... also my post wasn't directed at you at all, there's more than one conversation happening.
|
|
#
¿
Feb 16, 2018 19:37
|
|
|
|
| # ¿ May 13, 2024 18:31 |
|
|
what part of that required a compromised client...?
|
|
#
¿
Feb 16, 2018 19:49
|
|