EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!
:vapes:
Switchblade Switcharoo
I use KeePass 2. I store the file on Google Drive with password and a 2048 bit cert I transfer manually to all devices/laptops (ie, never touches storage controlled by a third party).

I know Google Drive is a third party, so why am I using it? The answer is that it's easier to access than Dropbox for me on Android/Windows/Linux.

General question for you out there. I have a bug I've been meaning to write up for a Cisco product. Do I contact them even if I no longer have access to the device to retest (took a new job)? The only CVEs I've written were when I still had access to the device at the end.


EVIL Gibson

Magnetic North posted:

Since you were talking password managers, and I asked in the android thread with no luck, I figured I'd ask here.

I use Password Safe. I started keeping my safe on my Android phone because I needed to access my passwords on multiple computers. I used to be able to just hook it up, use USB Mass Storage to access the phone like a drive, and open my safe. That doesn't work the same way with my new phone, since it uses MTP; Password Safe doesn't want to access it from the phone, possibly because it's a device and not a drive, so there is no path? I'm not honestly sure. I could copy it each time I wanted to use it, but the idea is to consolidate the location so I don't accidentally overwrite some new entry by mistake.

Is there a way to restore or replicate my old functionality with Password Safe? While I would like to avoid migrating, I will if I have to, and would appreciate any suggestions for what to migrate to. (I see mention of KeePass as an open source option, which I will look into.)

Drive will work. Each time you access your file from Drive it makes a temp file of the latest version of the file. The issue is then you can't save it because it's temp. I am not sure you can save back to Drive on Android.

In my case, I don't change my passwords fast enough, so when I do it's on my PC. I save the new file there and then I have access to the new one.

Does your password storage app use certs as well along with password auth?

EVIL Gibson

Magnetic North posted:

I guess I will mess with Drive to see if Password Safe will play nice with it.


I believe Password Safe encrypts by default? I mean, I don't see an option that says "encrypt vault" but Wikipedia says it encrypts.


I'm sorry, but I don't fully understand what this means.

It means you can make it so it also requires your private keyfile that you manually configure on the clients since it is also encrypted with your public

EVIL Gibson

PBS posted:

If you log into a website with a user id and an rsa token (generated on a laptop / mobile, using a pin), would the login to the website be considered 2fa?

It seems to meet the requirements. (something you have, something you know)


No. For proper 2fa you need something you know (password) and something you have (token).

The userid can easily not be something you only know especially in an environment that combines first names and last names for the username or where you publicly post.

edit: example: I am John Anthony Smith. You are Angela Julia Faraday. My user name is "jasmith". I take Angela's token. Just because I happen to know that her username is most likely "ajfaraday" is not enough to satisfy "something you know". It is better said as "something you privately know" or in most cases password.

Just don't be like some sites I've assessed where they used tokens and replaced the "you know" password with a grid of images so you select the one that you picked during account creation or something Web 2.0.

EVIL Gibson fucked around with this message at 00:38 on Feb 16, 2016

EVIL Gibson

PBS posted:

So if your PIN is 123456, you input this into the SecureID token client and it will spit out something like 01923227.

Go back to the webpage, enter userid in userid field, enter 01923227 in the passcode field, hit login.


Where/how/why is the calculation done to take "123456" to "01923227"? Where is it in relation to the application requiring the authentication? How is it converting the FOB token to 01923227? And why exactly is the client required to come up with something like this?

Just from thinking of what your system is trying to do, you are going to get a lot more problems with people passing token timeouts while they go through this conga-line of confusion.

EVIL Gibson

Dex posted:

his application isn't involved in this part of the chain, it's all rsa securid and their client software. i'd suggest reading their docs if you're curious about the how and why of it

You are right. I remember one place where I used a personal PIN plus token to log into the VPN. Then I moved to a place that connected your password (really the hash, I think) from your AD creds to the token device. The apparent usefulness this got was that this place was on the ball in removing people from AD, so that removing the user meant their token could no longer be used because they no longer existed. Plus the other bonus is that the password policy the user password follows is also applied to the PIN.

I had a pin for the token for about 24 months and I only changed it when I lost the drat thing.

Edit: of course you need to keep the ad and the rsa servers

EVIL Gibson

deep impact on vhs posted:

can confirm that it's awful, we have one in place where i work now.

i hate it. :colbert:

I found a Cisco device where, without any creds on the login page, could run commands on the server, as root, through the password field.

I use it for a demonstration (while not mentioning the product or model) of why sanitization is a thing when dealing with user input.

Same box also allowed me to change a password without knowing the previous password by making sure the pass auth response was changed from "false" to "true" (easy to do with Burp Suite) to submit back to the server.

In summary, it is like saying I give the guy that checks my previous password garbage and he tells me to gently caress off. I step to the next guy in the process who asks me what the previous guy said about me and I tell him the other guy just loved me.

"Everything checks out, your password is changed."
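The broken password-change flow the post describes, next to a hardened one, as an added example (not the poster's code and not any Cisco product's). Names such as `check_old_password`, `hardened_step1` and the token format are this example's own assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed sample user store (not a real service): one user, salted PBKDF2.
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": {"salt": _SALT, "hash": _pbkdf2("old-correct-pw", _SALT)}}

def check_old_password(user: str, candidate: str) -> bool:
    rec = USERS[user]
    return hmac.compare_digest(rec["hash"], _pbkdf2(candidate, rec["salt"]))

def _set_password(user: str, new_pw: str) -> None:
    salt = os.urandom(16)
    USERS[user] = {"salt": salt, "hash": _pbkdf2(new_pw, salt)}

# --- The broken flow from the post -------------------------------------------
# Step 1 answers {"auth": true/false}. Step 2 asks the client what step 1 said,
# so a proxy rewriting false -> true is enough to change the password.
def vulnerable_step1(user: str, old_pw: str) -> dict:
    return {"auth": check_old_password(user, old_pw)}

def vulnerable_step2(user: str, step1_response: dict, new_pw: str) -> bool:
    if step1_response.get("auth") is True:      # client-controlled value
        _set_password(user, new_pw)
        return True
    return False

# --- Hardened flow -------------------------------------------------------------
# Step 1 keeps its verdict server-side: on success it issues a short-lived,
# single-use, HMAC-signed token bound to the user. Step 2 checks that token
# itself and never reads a boolean from the client.
_SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (assumed)
_ISSUED: dict = {}                      # token -> expiry; removed on first use

def hardened_step1(user: str, old_pw: str) -> dict:
    if not check_old_password(user, old_pw):
        return {"auth": False}
    expiry = int(time.time()) + 300
    msg = f"{user}:{secrets.token_hex(16)}:{expiry}"   # usernames assumed ':'-free
    sig = hmac.new(_SERVER_KEY, msg.encode(), "sha256").hexdigest()
    token = f"{msg}:{sig}"
    _ISSUED[token] = expiry
    return {"auth": True, "token": token}

def hardened_step2(user: str, step1_response: dict, new_pw: str) -> bool:
    token = step1_response.get("token")
    if not isinstance(token, str) or token.count(":") != 3:
        return False                                 # no usable token at all
    msg, sig = token.rsplit(":", 1)
    t_user, _nonce, expiry = msg.split(":")
    expected_sig = hmac.new(_SERVER_KEY, msg.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(sig, expected_sig):
        return False                                 # forged token
    if t_user != user or int(expiry) < time.time():
        return False                                 # wrong user or expired
    if _ISSUED.pop(token, None) is None:
        return False                                 # replayed token
    _set_password(user, new_pw)
    return True
```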

EVIL Gibson
So here's a random tool I always use when scoping out a target; Bing.

Stop laughing.

But really, Bing has a feature no other search engine out there has, including Google. It gives the user the ability to search for domains by IP.

Why is this useful? It gives possible ways to get into the target domain via another vulnerable domain.

So the sequence of events that have to happen is

1) The target site is fully patched
2) The target site is on a shared-host with a site (it could be a firewall rule giving the sites the same IP remember), let's call it the side-target, that is not fully patched (Wordpress, Drupal are super good targets)
3) The side-target installation has a path traversal issue or the ability to run remote commands via the site
4) If there is no virtualization or only very weak sandboxing.
5) Compromising the side-target can allow for access to the host all the sites are served on including your target


Bing lets you get a bit of Shodan functionality for free.

Type the following to Bing search for where SA is hosted at.

code:
ip:104.25.246.12
Now admire how many gambling sites and dentist sites are hosted on the same IP as Senor Lowtax

EVIL Gibson

Rufus Ping posted:

That's cloudflare you idiot

It's an example you idiot.

Meaning, IT WOULDN'T WORK IN THIS CASE

But it's not like anyone sets up other domains such as a private GitHub account on the same IP, or maybe a monitoring web app, or everything to add to the stupidity of IoT.

If you do not understand this, sorry!

EVIL Gibson

OSI bean dip posted:

Not-quite-a-SIEM-but-almost-good-enough but Splunk has a cloud solution.

Splunk can be difficult to set up to pull in data from various log types, and massaging it correctly so it doesn't peg the CPU by indexing all the time, but once it's going it goes great, especially when running correlations.

I have not used/configured it, but I heard FireEye TAP works really well.

Make sure to research and include the costs of pushing your logs/events into the cloud. If you generate lots of events and want to push them all to the cloud, it can wipe out the savings.

EVIL Gibson
Guy found a bank mobile app had a method that didn't check if the user actually had access to an account. This is the kind of stuff you would find in a Very Vulnerable Web App by OWASP where you think, "Who would actually program the application like this?".

https://boris.in/blog/2016/the-bank-job/

The guy did a few very bad things that if he did in the states, he would be in federal prison. Things like using accounts not owned by him for tests (he did mention he used family accounts but that is not him) or threatening for some kind of bug bounty.




Powered Descent posted:

I don't know about easily, though of course only the spooks know for sure.

A method they've used in the past is that if you go to a site they control (be it a regular website or illegalsitethefedstotallydidnttakecontrolof.onion), and if you're using an older version of torbrowser, they can use an exploit in that browser to make it connect to somewhere in the clear (instead of via tor), thus revealing your actual IP. So of course it seems to me that the way to protect yourself from that (apart from being sure you have the latest version of everything) would be to have a physically separate tor router. Then the computer running your actual browser could be owned to hell and back and it wouldn't matter, the ONLY connection it has to the outside world is through tor and it has no way of even determining its own actual public IP. (Building a raspberry pi into an anonymizing middlebox is an easy and educational little project. Try it yourself.)

:arghfist::nsamad:

Heard stories from investigations with a mission to track down and nail users looking up insidious sites like kiddie porn hosts that a good portion of users would burn all creds as soon as they thought anything was going funny. Things like the pages changing a bit, weird private messages they received, or even being routed weirdly. Hard to pin down.

But this does not stop random Joe Schmoe from treating Tor like the internet and seeing no cause for alarm in putting their real full name, address, or phone into a page if the site requests it. That is the type of user that keeps getting nailed because it's the lowest branch, but with the difference that a lot of people hang around that level.

EVIL Gibson fucked around with this message at 21:56 on May 18, 2016

EVIL Gibson

Cugel the Clever posted:

No--I entered my password on account creation and then it emailed it back to the address I provided. Isn't that particularly awful security policy?



To be specific, it means they are storing your password in the clear, ready to become the next rockyou.txt. Doesn't sound like they are expecting you to change it like a normal one-time-use pass.

EVIL Gibson

Subjunctive posted:

It's much easier to get hostile content into a browser than into an app, and typically that hostile content operates in a more flexible environment (scripting, wide access to system APIs). Faked email, Twitter "viruses", compromised ad networks, takeover of non-https sites on public wifi, site hacking. Even if an app exposes a URL scheme, it tends to be quite narrow.

I think WebBT is fine and necessary, but it's definitely a different security landscape from BT-privileged apps.

Apps are sort of the reverse. They are much more vulnerable to trusting the client too much/giving way more information than the client app actually needs or is providing.

If I am understanding you correctly, you are considering the web service endpoints that the app talks to as the URL scheme?

EVIL Gibson
Who's going to derbycon?

If anyone is going to be there tomorrow morning by 8am, me and 10 others are going on a bourbon tour and there are a couple of seats open from people not being able to attend. Stopping at 6 distilleries including the Buffalo Trace hard hat tour, which I keep hearing is a really good tour.

EVIL Gibson

stevewm posted:

Not big enough to need QSA, self reporting.

Strangely no one I have talked to has been particularly helpful on this. Even our own processor, they just refer me to the PCI website and won't answer any questions.

Mainly because PCI can't loving make up its mind what the hell it's talking about and keeps changing its standards and definitions of words. It has made it so you need to hire a consultant to make sure you are doing things right (which I recommend you try your hardest to do)


Such as what you can store about a card and what you can't. I think at one point it didn't mention that the CVV should not be stored, which.... could be interpreted as you could store CVVs.

Also processors give no fucks. They just want a check box to click saying the customer said they are good, so they have plausible deniability when you share your MySQL connection to the outside world.

Just think about it this way. Some good advice can be bad advice if you don't know the other factors of their situation.

If you give a person good advice to put a lock on the door to their house without asking enough follow-up questions they can blame you for giving bad advice even though they didn't say anything about how the door in question was a screen door.

EVIL Gibson fucked around with this message at 17:17 on Oct 26, 2016

EVIL Gibson

fyallm posted:

I want to learn how.

And I love Derby, I go every year, been to the past 4 I believe? I am about 2+ hours away, but I have a client that I usually try and go visit every few months there.

And management is paying for the bootcamp, exam and going to give me a raise.. I have put it off for as long as I possibly could :/

Since you are taking a bootcamp, they should be drilling most of the stuff and give you material to research later (since all the students in there are in the same situation as you)

I used Eleventh Hour CISSP for refreshing my head.

https://www.amazon.com/Eleventh-Hour-CISSP%C2%AE-Third-Study/dp/0128112484/ref=sr_1_4?ie=UTF8&qid=1477844800&sr=8-4&keywords=cissp

There is also the Pocket Prep smartphone guides which really worked for me because it lets you focus on domains instead of doing the whole test repeatedly. In my case, I worked a good while on a contracted project where the product was chip cards. I picked up lots, and I mean LOTS, of crypto during that time. There is one domain for that kind of stuff, so I could build a test WITHOUT that crypto domain.

I also liked the fact you can configure the tests to show you the correct answer along with a reason why it was correct and why the other answers were incorrect (though they can be bullshit, like "Answer A is wrong because it's not Answer B".)

edit: Oh, forgot to remind you. The CISSP will have questions with some of the answers NOT from the domain that look good enough to trick people who did not really study.

EVIL Gibson fucked around with this message at 17:44 on Oct 30, 2016

EVIL Gibson

Mustache Ride posted:

Mostly consulting groups it seems. What a waste of time the past 2 interviews have been.

What type of security are you hiring for? I could help you with some questions I would ask for those positions.

EVIL Gibson
Story for an app I use with weird authentication.

I got into making RetroPies for friends. The problem is that when you import a game, there is no metadata for it. There is a built-in meta scanner but it is slow and has real problems with correctly identifying game titles.

I looked around and found this site with their own videogame DB and a standalone client that accesses the DB quickly and with more accuracy.

How it works is that you make a forum account and authenticate with that account through the application; that tells you how many "threads" you are allowed to use. Everyone starts with 1, but if you donate to support the database, you get more threads. Threads are how many download streams you can open to the DB.

Within the application options there is a button to press that, I assumed, talks to the API to query how many threads you are allowed. There are some apps, web and thick client, where the client is sent a message of some kind which the app converts to know what permissions you are allowed. A thing you can do with Burp Suite is to auto-replace response text, which I've used to give me more access than is allowed (this is why I believe smartphone apps are the wild frontier of new findings, as many people are already finding out. Badly done APIs lead to severe damage). What I was looking for in the response was some type of data element (XML, JSON, etc.) that referred to my current allowed thread count (1), and replace it with another number (2+) and see if the application will change permissions without me having to break out IDA.

With Burp you can capture thick client app traffic (where you can't adjust the proxy setting, like this app) by finding out what domains the app talks to and then changing your hosts file to send all of that domain's traffic to Burp's proxy. You still need to know which specific domains, so use Wireshark to look at the communication while using the app and identify your app's traffic.

I had not run this application since Christmas, so a new version had been released and it asked me if I wanted to update. One of the notes said it fixed a "small security issue". Well... Now I don't want to update.

Looking at the communication going out, I saw I was sending out an HTTPS request with my username and pass to the API call whenever I told the app to get my current thread count. I would not put the creds in the GET params, but it's a throwaway email.

What I saw was a second set of creds though that weren't mine; they were the developer's. The username was the same as the forum user that made it, and what was even better was the password was a timestamp of the release date of the client with two random alphanumeric characters at the end. Which means I could predict his password in the future by just looking up the last release date of the client and guess it in 32*32 attempts.

I upgraded my client and that call is now gone but I hope that is somewhat instructive of how to start testing thick web clients with Burp.

EVIL Gibson fucked around with this message at 03:36 on Feb 22, 2017

EVIL Gibson

gallop w/a boner posted:

.

I've read various bits about PowerShell Empire and the different staging methods, such as DLL injection, but they all seem to rely on powershell.exe or at least some sort of executable running at some point.

Can someone help me understand this? My background is in general IT ops, so apologies if I have misunderstood anything.

This will help:

https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/

To summarize: At PowerShell's core is an implementation of the System.Management.Automation C# framework. By making a new C# exe with access to that framework and running commands on it, you get a gimped version (no threading and slow as poo poo) of PowerShell, but PowerShell nevertheless. Then you hide this gimped PowerShell in a new whitelisted process and that is your stager.

EVIL Gibson

Potato Salad posted:

h- wh- how

okay freggin how

Bit flipping until you get the hash. I am assuming that even though most of the colors are black and red, they aren't all exactly the same shade, and the way GIF works you can force a frame to update a part that doesn't need to change. Update a red pixel with red while, usually, normal GIF animation will automatically ignore that pixel update.

Edit: Also GIF has text metadata sections which can be messed with. http://forensicswiki.org/wiki/GIF

EVIL Gibson fucked around with this message at 20:49 on Mar 8, 2017

EVIL Gibson

B-Nasty posted:

Don't roll your own. Microsoft Identity has a hasher built in: Microsoft.AspNet.Identity.Core/PasswordHasher.cs. It uses PBKDF2 (1000 iterations) to generate a 128 bit salt and 256 bit key. It automatically adds a version number, appends those items together, and returns a nice Base64 string that you can store in the DB. It also has a VerifyHashedPassword method that does a constant-time comparison and (smartly) returns an enumeration of whether it passed or not.

The 1000 iterations is a bit low, but it shouldn't matter much for stronger passwords. The versioning they built in allows for MS to add additional algorithms and easily upgrade, though they haven't done it yet.

edit: They actually have updated it. Version 3 will use: PBKDF2 with HMAC-SHA256, 128-bit salt, 256-bit subkey, 10000 iterations.

One thing I liked that one company did for deciding iterations is to pick an amount of time you are willing to have the user wait. For our case, 3 seconds.

On the same production system, create a script to run a hash starting with the default iterations and just add to that count (by a thousand) and keep timing until the acceptable time has passed.

For PBKDF2 the default count is a thousand. We found 3 seconds of time on our system required 32000 or so iterations.

The system was then made upgradeable (whenever a user changed or reset the password) so if we got better systems the count was increased and we made sure the count could never be decreased.

It might be overkill but our organization had to protect information on people that not only had to be under the general standards but also HIPAA which is a loving bitch to work with sometimes.
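The calibrate-then-upgrade procedure from the post above, as an added example (not the poster's or that company's code). The storage format, the function names and the 1000-per-round step are this example's own assumptions; the iteration count is stored inside the hash string so a later login can tell whether the record is below the current policy.

```python
import base64
import hashlib
import hmac
import os
import time

ALGO = "sha256"
DEFAULT_ITERATIONS = 1000   # the default count the post refers to
STEP = 1000                 # post: add a thousand per round


def calibrate_iterations(budget_seconds: float, start: int = DEFAULT_ITERATIONS,
                         step: int = STEP) -> int:
    """Raise the count by `step` until one hash takes at least `budget_seconds`.
    Run this on the production hardware that will actually verify logins."""
    salt = os.urandom(16)
    iterations = start
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac(ALGO, b"calibration-only", salt, iterations)
        if time.perf_counter() - t0 >= budget_seconds:
            return iterations
        iterations += step


def hash_password(password: str, iterations: int) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt b64>$<key b64>'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac(ALGO, password.encode(), salt, iterations, dklen=32)
    return "$".join(["pbkdf2_" + ALGO, str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def parse(stored: str):
    tag, iters, salt, dk = stored.split("$")
    return tag.split("_", 1)[1], int(iters), base64.b64decode(salt), base64.b64decode(dk)


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt, dk = parse(stored)
    cand = hashlib.pbkdf2_hmac(algo, password.encode(), salt, iters, dklen=len(dk))
    return hmac.compare_digest(cand, dk)   # constant-time comparison


def verify_and_upgrade(password: str, stored: str, policy_iterations: int):
    """Return (ok, new_record_or_None). Called at login or password change:
    a record below the current policy is re-hashed at the policy count, a
    record at or above it is left alone, so the cost never goes down."""
    if not verify_password(password, stored):
        return False, None
    _, iters, _, _ = parse(stored)
    if iters < policy_iterations:
        return True, hash_password(password, policy_iterations)
    return True, None
```

`calibrate_iterations(3.0)` is the 3-second budget from the post; the result is the value to feed `verify_and_upgrade` as `policy_iterations`.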

EVIL Gibson

Hollow Talk posted:

Eh, not really. It just means I can use the same function for checking hashed emails and hashed passwords, i.e. the difference between these two, which I suppose becomes moot if I don't bother to hash emails.

code:
;; User, input+salt
(struct scrypt-hash (user input salt) #:prefab)

;; User, email+salt, password+salt
(struct scrypt-full (user email password salt datetime) #:prefab)

;; Calculate scrypt hash+salt for input
(define (scrypt-input->hash input #:length [length 32] #:N [N 16] #:r [r 8] #:p [p 1])
  (let ([salt (crypto-random-bytes length)])
    (scrypt-hash null
                 (bytes->hex-string (scrypt input salt N r p length))
                 (bytes->hex-string salt))))

;; Check whether scrypt'ed input matches provided scrypt hash+salt
(define (scrypt-check-hash hash input #:length [length 32] #:N [N 16] #:r [r 8] #:p [p 1])
  (equal? (scrypt-hash-input hash)
          (bytes->hex-string (scrypt input (hex-string->bytes (scrypt-hash-salt hash)) N r p length))))


I suppose that was the idea. But it seems it's unnecessary, so I will probably switch this to username (plain) + email (plain) + password (hash) + salt + datetime.

edit: And done, switched to plaintext emails now. :sun: The two different structs remain (though the two tables have been consolidated into one), since those scrypt functions are also used for instances where people enter passwords for something else without having to supply an email address at all. Thanks for the comments!

You should be focussing on difficulty and not mashing stuff together because you can.

Your N is only 16. Default scrypt N is 16384.

What is your biggest worry, why do you believe username, email, and datetime need to go in there? Are you allowing weak passwords and need other sources to make it more complex? Is this a very sensitive service where no one should have account names listed and stored in the clear?

Where are your requirements coming from and what is your user base that you need this over-the-top hashing method?

EVIL Gibson

loving GOOD!

People have been kind of harping on me because I just hate anything related to the cloud or iot and now people are finally loving realizing that this poo poo is totally hosed up.

It is literally the reason I had my avatar changed, because someone decided to give me red text saying the cloud is stupid and to be feared, in jest. Now see what poo poo could happen? Because a device needs to talk to things, servers or otherwise, it is still talking to the outside, which means it has to listen (at some point).

People dont loving need coasters (there was a Kickstarter for one to make sure everyone drank enough water), teddy bears, toasters, fridges, TVs, or what-the-poo poo YOUR PHYSICAL DOOR LOCKS to talk to the outside.

What this attack did is now these manufacturers need to answer why the machine was compromised (which we already know why) but, most importantly, may or may not pay their customers. If the customers don't receive enough compensation I believe this is going to spread distrust from the customer base into the lovely IoT industry.

Just imagine... A world where the cloud is seen as a risk (which all companies need to do even when considering something as tried and true like AWS) you need to consider instead of a magical, do nothing wrong, service

EVIL Gibson

Double Punctuation posted:

I loving love Cloud To Butt right now.

:captainpop:


Also, is that malware that has you play a game to decrypt your stuff legit?

I ... I want to be infected to play shmups.

EVIL Gibson

:perfect:


But seriously, IoT will always be bad but people won't stop buying them because the "Internet is Stupid".

One of the few things that would help is an industry standard to clear before a product is released like, i dunno, maybe not leave the telnet port open with default creds "admin/admin"

EVIL Gibson

wolrah posted:

One of my friends has this smoker: https://www.charbroil.com/smartchef-digital-electric-smoker

For some idiotic reason the app is required to set the temperature. When he brought it down to my house a few weeks back during a LAN party the fact that my WiFi SSID has a space in it was the root cause behind a full hour of frustration when trying to get dinner going. This was with four people who all work in various IT fields prodding it and using monitor mode on Linux to watch the actual WiFi traffic. A normal person wouldn't have had a chance at figuring this out.


BTW I love setting Wi-Fi passwords with spaces in them because no one ever expects it to be a valid character. I think the main password lists out there don't have spaces in them unless you write something like a filter in hashcat.

EVIL Gibson

Doug posted:

This isn't true. The ?s mask in hashcat which covers all special characters also includes the space. So if a mask uses ?s or ?a it's going to catch your space.

That's what I meant, masks not filters.

Does the rockyou default mask include spaces?

EVIL Gibson

pr0zac posted:

Lol. You don't know what you're talking about. Smart lock is unequivocally a good idea and most likely more secure than a password manager.

Both can be implemented poorly and that's all that matters.

EVIL Gibson
Speaking of third party auth...

Everyone be SUPER CAREFUL of opening any share invites to view anything on Google Docs. A phishing attack is being discovered now that scrapes all your Google contacts and has free rein over your Gmail.

From random names, but it always seems the first recipient is hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh[@]mailnator.com


Here's a twitter post with a gif of what it looks like: https://twitter.com/zachlatta/status/859843151757955072


More info: https://www.theverge.com/2017/5/3/15534768/google-docs-phishing-attack-share-this-document-with-you-spam

EVIL Gibson
Mar 23, 2001

So that Intel bug was worse.

It's the AMT implementation which allows you to log into Intel servers remotely. As an admin you could log in and do adminly things after putting in your password, which would be hashed, and then authenticate you.

Turns out any password works! Not only will any password work, but no password is perfectly okay as well!

EVIL Gibson
Mar 23, 2001


apseudonym posted:

That's not an accurate description of the bug. The bug was they were comparing only up to the attacker-supplied length.

The truth is funnier.

Gotcha.

EVIL Gibson
Mar 23, 2001


Mr Chips posted:

It's not quite like that; if you try manually logging into the admin account via the web interface with no password you won't get anywhere. You actually need to fiddle with the HTTP a bit. There's a synopsis from the guy who found it here: https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf

Now this is interesting. Using an unsafe read to get past the auth part of the binary. Neat.

I just remember finding an HP equiv weak auth where you could choose which kind of creds you wanted to use, either local or nt auth.
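The comparison flaw the two posts above describe (the server compares only as many bytes as the client supplied), shown as an added C example constructed for this thread; it is not Intel's firmware code and it leaves out the HTTP side, which the linked paper covers. The flawed check sits beside a fixed one that uses the server's own digest length and a constant-time byte compare; the digest string is made up.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed digest standing in for the response the server computes
 * from its own copy of the password (hex string, not a real AMT value).
 */
static const char EXPECTED_RESPONSE[] = "3f786850e387550fdab836ed7e6dc881de23001b";

/*
 * Flawed check in the spirit of the described bug: the number of bytes
 * compared is taken from the attacker-supplied response. An empty
 * response compares zero bytes, so strncmp() returns 0 and it "matches";
 * any correct prefix of the digest passes for the same reason.
 */
bool check_response_flawed(const char *expected, const char *supplied)
{
    return strncmp(expected, supplied, strlen(supplied)) == 0;
}

/*
 * Hardened check: the server's own digest length decides how much is
 * compared, a length mismatch is rejected outright, and the bytes are
 * OR-accumulated so the result does not leak the first mismatching index.
 */
bool check_response_fixed(const char *expected, const char *supplied)
{
    size_t n = strlen(expected);
    if (strlen(supplied) != n)
        return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(expected[i] ^ supplied[i]);
    return diff == 0;
}

int main(void)
{
    /* Three constructed client responses: empty, a correct prefix, the real digest. */
    const char *probes[] = { "", "3f78", EXPECTED_RESPONSE };
    for (size_t i = 0; i < 3; i++)
        printf("response %-42s flawed=%d fixed=%d\n",
               probes[i][0] ? probes[i] : "(empty)",
               check_response_flawed(EXPECTED_RESPONSE, probes[i]),
               check_response_fixed(EXPECTED_RESPONSE, probes[i]));
    return 0;
}
```

Only the last probe should pass the fixed check; the flawed check accepts all three.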

EVIL Gibson
Mar 23, 2001


Volmarias posted:

"We need to get this thing out yesterday and they're not paying us to do anything after it's feature complete" mostly

This is exactly right. Crunch time means the project manager will look for the easy and really lovely implementation to get them across the finish line.

Here's another example where a car insurance company decided to not have authentication in really dangerous API calls.

https://www.andreascarpino.it/posts/how-my-car-insurance-exposed-my-position.html

EVIL Gibson
Mar 23, 2001

The guy that registered that deactivation domain just registered it because it was a random string they found and didn't connect it (at the time) to a function (which we now know prevents the spread). His frame of thought was in a tweet he did after the fact.

Thinking about it more, that was an actually super dangerous thing to do, to register a domain without knowing why it's in the malware. It could have been a flag to delete all keys immediately to prevent recovery, a signal to begin ramping up the spread, or a sign for the malware to constantly mutate itself to prevent pattern-based AV.

EVIL Gibson fucked around with this message at 23:56 on May 14, 2017

EVIL Gibson
Mar 23, 2001


flosofl posted:

It wasn't a whim to register. SOP when trying to "disarm" and analyze an outbreak is to try to sinkhole the C&C, which is what MalwareTech assumed this was. You do that so you can start to a) capture any active traffic for analysis and b) disrupt the C&C functions. The fact it was unregistered just made it easier to sinkhole, and you want to jump on it quickly in case it was an oversight and the attacker could correct it at any moment.

The fact that the domain itself was the killswitch was happenstance, which MalwareTech points out in his twitter feed.

It's all about liability.

Read the Twitter message again. He didn't know what it did. They probably just did a strings and found the URL.

There was no reason why the dude registered the domain without knowledge of what it would do when it happened besides it wasn't registered. Here's the actual tweet: https://mobile.twitter.com/MalwareTechBlog/status/863187104716685312

Thinking from a company point of view: if registering a domain did cause more damage, MalwareTech could be brought to court and be held liable for damages the moment the domain went online. It really seems out there, but lawsuits can be issued for less.

If they had enough data to show the malware would dump after seeing the domain up, sure, go ahead. It was just super dumb to register it before, if they had spent more time looking at it.


EVIL Gibson fucked around with this message at 06:53 on May 15, 2017

EVIL Gibson
Mar 23, 2001


Last Chance posted:

I don't know much about nothin' here, but wtf is this when I visit that URL:



Worked on certs for the DOD. They have their own series of private CAs they use to authenticate everything including using it to auth base entry and their websites.

They track every single cert by calling up the crl list every time you want to do something with your id. There is only one place in the org where you are allowed not to use your CAC card and that is if you are in the middle of the sea but you will get a new one as soon as you land on shore.

Also, really super illegal to let someone look at or hold your card. They are always told to keep it close because if they do lose it or it's stolen, it is going to be a lovely nightmare for them.

EVIL Gibson
Mar 23, 2001


flosofl posted:

I'll bet you say ATM machine and PIN number.


You monster.

If you took the CISSP or you did anything with certs, then all these should be common terms.

EVIL Gibson
Mar 23, 2001


Doug posted:

No reason to be an rear end in a top hat, he was making a joke that you said 'CRL list' Certificate Revocation List List...hence the statement about ATM (automatic teller machine) machine and PIN (personal identification number) number.

I was being a butt because I took his reply wrong.

EVIL Gibson
Mar 23, 2001


milk milk lemonade posted:

I don't remember it being all that serious. I lost my CAC card at a dog park and they just gave me a new one. I had access to some relatively interesting stuff :shrug:

Edit: the card had a picture for visual identification obviously, but the PKI is only 1/2 or less of the equation in terms of accessing any part of any information systems

As soon as you report it missing they immediately deactivate it in the tracking system (DEERS I think. Woo acronyms. It's a loving nightmare).

The PIN will be locked out permanently after a couple of tries unless you go to the office to give biometrics.

Mainly there are baaad bases with questionable security practices where flashing the CAC might be enough to get you in, but you should hit a swipe machine somewhere along the way. The worldwide system is updated enough that the card you reported lost will not work on the swipe.

For the other person talking about it being used for vet benefits, that is one of a few reasons you can use it outside of military use. I was just saying that if you don't keep track of it or have control of it beyond the normal uses, the rules say there are punishments.

Funny story. You know how, to get a card, you need to get it electronically signed by someone else in the system (and from the CA)? There was a little business going on where one of the issuers found a way to sign the same person while they had multiple versions of legit CACs. Utter poo poo storm when they found out Joe Schmoe was buying from the military store and there was no Joe Schmoe actually there, because the card was being used by someone else who changed the pic on it. This was like ten years ago or something.

EVIL Gibson fucked around with this message at 07:15 on May 24, 2017


EVIL Gibson
Mar 23, 2001


Thermopyle posted:

You can just install one of the apps from the Chrome store that unzip 7zip files.

I'll admit it, this gave me a little chill.
