Saukkis
May 16, 2003

Unless I'm on the inside curve pointing straight at oncoming traffic the high beams stay on and I laugh at your puny protest flashes.
I am Most Important Man. Most Important Man in the World.

Evis posted:

Same. Someone performing a social engineering attack would know that information better than I do. I forget what I had for breakfast much less financial details going back a few years.

I recently set up an RSA SecurID 2FA system. When you create an account on the user side it wants you to set security questions. It had a selection of questions you could choose from, and the few questions that seemed any good, I couldn't remember the answer to.

Saukkis
May 16, 2003


Proteus Jones posted:

Yeah, I'm not a fan of autofill AT ALL. Fortunately, 1Password allows you to temporarily copy fields manually to the clipboard, including OTPs. I imagine Keepass is similar given all the recommendations for it.

I don't like using the clipboard for passwords even momentarily, I prefer Keepass autotype or manual typing. I would think keylogging should be at least significantly harder than reading the clipboard. I wouldn't be surprised if there were some way for website JavaScript to read the clipboard.

The last straw for me was when I was using an Ubuntu VM meant for server management at work, and I tried to paste a string and I got a string from home. It had leaked through a separate Win7 VM with an RDP to it. So I had copied a string at my home computer, Remote Desktop Connection dutifully sent the clipboard to the Win7 VM, and even though the local console was locked, VirtualBox copied that to the host desktop and from there to the Ubuntu VM, and presumably every other VM I had running. After that I cut the clipboard sharing for the management VM.


Double Punctuation posted:

This is why most password complexity requirements are bullshit. It’s a lot better to let users pick a long (20 characters absolute minimum) passphrase that’s easy to remember than it is to require symbols and stuff. All you should be doing with complexity requirements is setting a minimum character count and prohibiting repeated or keyboard sequences like 1234567890 or qwertyuiop.

Klyith posted:

password complexity requirements are bullshit, but "everyone should use passphrases" is also bullshit. passphrases are:

Yeah, a 20 letter passphrase doesn't help much when the owner uses it on every website and it's stolen from some hobbyist forum run by one dude. Brute forcing can be technically limited by restricting the failed online login attempts and increasing the password hashing complexity, but services are pretty much powerless against reuse. The only method I can think of is to require the password to include a specific, short, random string. If every website did that then all passwords would have to be at least partially unique. But that would be even more draconian than usual password requirements.

Saukkis
May 16, 2003


Kerning Chameleon posted:

Well, obviously, but I'd be foolish to rely on a critical step in threat mitigation with solely "trust myself to never make a mistake with my emails ever". If the biggest weakness in infosec is between the chair and the monitor, then obviously what I need to be doing is remove my own stupid brain from the equation as much as physically possible. Can I really trust myself to not make a mistake 100% of the time? Of course not, I think we've well-established that I'm An Idiot.

One option is to do your emailing and suspect browsing inside a virtual machine and store your Keepass on the host computer.

Saukkis
May 16, 2003


Beccara posted:

Cheers guys, I'm being met with "Why are you even raising this? It's not a problem" and "The vendor says they won't do anything so why don't you trust them?" It doesn't sit right with me and it sounds like it shouldn't sit right with anyone

The issue is not simply trusting the people at the vendor. When they want to implement such a shoddy and dangerous update method it is an indication of incompetence and you can't trust that they are able to protect their own systems. They would be a direct route to the heart of your systems and probably many others. When the wrong people learn about this setup the vendor becomes a juicy target for adversaries. Your company may not be a big enough target to spend such effort on hacking, but it sounds like the vendor would certainly be, and your company and numerous others will go down with them.

Saukkis
May 16, 2003


apropos man posted:

If you were being a purist about entropy you'd have used the first auto-generated password you were given. The one that you liked the look of has slightly less randomness than the first one you were given.

This is a philosophical point and probably has no bearing on the guessability of your chosen phrase. Just sayin'.

This is something that I have been worrying about with "pwgen". I prefer it because it generates memorable passwords, but how much weaker must they be since they are so easy to remember?

Saukkis
May 16, 2003

This blog post might align with the interests of this thread.

Vectorized Emulation: Hardware accelerated taint tracking at 2 trillion instructions per second

Saukkis
May 16, 2003


D. Ebdrup posted:

Does Windows still do the thing where, if you enable Hyper-V, it doesn't let any other hypervisor access VT-x/AMD-V?

I don't think that's exclusive to Windows. When I have VirtualBox virtual machines running on my Ubuntu 16 computer I am unable to start any KVM virtual machines. I haven't tested whether it's possible to start them the other way around.

Saukkis
May 16, 2003

I got another reminder of how scary the clipboard can be when I was copying some YouTube links on my home computer, and noticed that my Ditto clipboard manager also had a bunch of strings I had copied earlier today at work.

I copy a string inside my Ubuntu virtual machine running under VirtualBox. From there the string is first transferred to my host computer running bare bones Lubuntu, then to another virtual machine running Windows and sitting in the lock screen. And as it happens, yesterday evening I had taken an RDP connection to that same virtual Windows from home. The screen lock had been activated ages ago, but the RDP connection was still alive so anything I copied anywhere in my system would merrily travel upstream all the way.

Some of my coworkers can have half a dozen RDP connections to different machines, with nested RDPs going god knows where. You would need a flowchart to figure out where any innocent clipboard copies would end up.

Saukkis
May 16, 2003

We really need more non-profit associations or other organisations to run services like these, and other services useful for the internet. Don't want to rely on individuals or businesses for something like this.

Saukkis
May 16, 2003


fyallm posted:

I've hit control V, had someone message me on skype while logging into a site and it sent my username and password to them. I never use control v anymore.

I've tried mitigating this issue by configuring autotype to only type the password without enter. I can type the username myself or the browser can remember it. Another configuration that I need is a 200 ms typing delay, otherwise characters start dropping when you try to autotype them through a VirtualBox console and a couple of RDP sessions. Can you imagine how frustrating it is watching KeePass two-finger type the password knowing you could type it faster yourself?

In my opinion, copy-pasting passwords should be completely forbidden. The danger of autotyping in a wrong window is minimal compared to where a copied password can end up. If you must copy it make sure you don't have any RDP sessions or virtual machine consoles open. I learned my lesson when I tried to paste a string inside a Lubuntu virtual machine and instead of the string I wanted, I got a string that I had copied the previous night on my home computer. That string had travelled through an RDP session to a Win7 virtual machine, from there over the VirtualBox console, that had been showing the Windows lock screen the whole time, to the Linux host computer and from there to the Lubuntu virtual machine. After that I disabled the clipboard on quite a few of my VirtualBox machines.
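Every clipboard chain described in this post and the two earlier ones above starts with VirtualBox's shared clipboard, so here is an added audit script (not from the post) that parses `VBoxManage showvminfo --machinereadable` output, lists every VM whose clipboard or drag-and-drop sharing is not disabled, and prints the VBoxManage command to turn it off. The `--clipboard-mode` and `--draganddrop` option names are assumed from VirtualBox 6.1 and should be checked against your version.

```python
"""Audit VirtualBox VMs for host<->guest clipboard and drag-and-drop sharing.

Added example, not the poster's code. Option names for `VBoxManage modifyvm`
are assumed from VirtualBox 6.1 (--clipboard-mode, --draganddrop).
"""
import re
import subprocess

# --machinereadable prints one key="value" (or key=value) pair per line.
MR_LINE = re.compile(r'^(\w+)="?(.*?)"?$')

# Settings that let data cross the VM boundary, with the flag that disables each.
SHARING_FLAGS = {
    "clipboard": "--clipboard-mode disabled",
    "draganddrop": "--draganddrop disabled",
}


def parse_machinereadable(text):
    """Turn showvminfo --machinereadable output into a dict of simple keys.

    Keys with spaces or quotes (e.g. "SATA Controller-0-0") are skipped; the
    clipboard and draganddrop keys are plain words and are kept.
    """
    info = {}
    for line in text.splitlines():
        m = MR_LINE.match(line.strip())
        if m:
            info[m.group(1)] = m.group(2)
    return info


def clipboard_findings(info):
    """Return [(setting, value)] for every sharing setting not set to 'disabled'.

    A missing key is reported as 'unknown' rather than silently assumed safe.
    """
    findings = []
    for key in SHARING_FLAGS:
        value = info.get(key, "unknown")
        if value != "disabled":
            findings.append((key, value))
    return findings


def remediation(vm_name, findings):
    """Build the single VBoxManage command that disables each flagged setting."""
    flags = " ".join(SHARING_FLAGS[key] for key, _ in findings)
    return f'VBoxManage modifyvm "{vm_name}" {flags}'


def list_vms():
    """Names of all registered VMs, parsed from `VBoxManage list vms`."""
    out = subprocess.run(["VBoxManage", "list", "vms"],
                         capture_output=True, text=True, check=True).stdout
    # Each line looks like: "vm name" {uuid}
    return re.findall(r'^"(.*)" \{', out, re.MULTILINE)


def showvminfo(vm_name):
    return subprocess.run(["VBoxManage", "showvminfo", vm_name, "--machinereadable"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for vm in list_vms():
        findings = clipboard_findings(parse_machinereadable(showvminfo(vm)))
        if findings:
            details = ", ".join(f"{k}={v}" for k, v in findings)
            print(f"# {vm}: {details}")
            print(remediation(vm, findings))
```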

Saukkis
May 16, 2003

The question could be approached from the opposite direction: what benefit does FTPES provide?

I would consider SFTP with OpenSSH the gold standard for secure file transfer. It's probably one of the most widely used options after HTTPS, and you don't have to build a buggy web app, just set a few config options. OpenSSH is probably used in some way by the majority of the organisations in the world, much of it critically important. It's also open source, so I have a hard time thinking of software that would receive more scrutiny.

On the other hand there are a multitude of FTP servers, but nowadays they are all niche products with a small userbase. And FTPES as a newer feature was developed well after FTP was in wide use.

A couple of years ago I had to set up an FTP server for a lovely temperature logging IoT device which only supported plain FTP. I found it a chore trying to decide what FTP server I would trust the most and how to configure it correctly. SFTP would have been a much preferable option.

Something else that caught my eye in the wiki article.

quote:

In explicit mode (also known as FTPES), an FTPS client must "explicitly request" security from an FTPS server and then step up to a mutually agreed encryption method. If a client does not request security, the FTPS server can either allow the client to continue in insecure mode or refuse the connection.

So the connection may be secure, or it may not be. Why even have that option?
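As an added illustration (not from the post or from OpenSSH's own documentation), this is the kind of "few config options" the post refers to: an sshd_config fragment that confines members of an assumed `sftponly` group to SFTP inside a chroot, with no shell, no forwarding and, unlike explicit-mode FTPES, no plaintext mode to fall back to. The group name and directory are constructed.

```text
# Constructed sshd_config fragment: SFTP-only accounts in group "sftponly".
# Use the in-process SFTP server so no external binary is needed inside the chroot.
Subsystem sftp internal-sftp

Match Group sftponly
    # %u expands to the user name; this directory and every parent must be
    # root-owned and not group/world-writable, so users write to a subdirectory.
    ChrootDirectory /srv/sftp/%u
    # Force SFTP regardless of what the client requests; -u sets the umask
    # for files the user creates (no group-write, no world access).
    ForceCommand internal-sftp -u 0027
    # No way to use the account as a pivot: no shell, no tunnels, no forwarding.
    PermitTTY no
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    # Key-based authentication only for these accounts.
    PasswordAuthentication no
```

`sshd -t` validates the file before a restart, and a chroot directory that is writable by the user is rejected by sshd at login, so give each user a writable `upload/` subdirectory under `/srv/sftp/<user>` rather than loosening the ownership.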

Saukkis
May 16, 2003


Bob Morales posted:

I'm digging through a pile of servers and removing any RAM cache from RAID controllers and destroying them today. Because paranoid.

Now that I think about it, I'm not sure how to erase the data on the flash backed write cache on our company servers, what data might be there and in which situations it gets written there. I assume it only happens if the server loses power, so most of the UPS connected servers will have them empty. But then there are those few servers that have started misbehaving enough that I've gone to yank the power leads.

Saukkis
May 16, 2003


Cup Runneth Over posted:

Do they have physical shredders for hard drives yet? I want to reduce a rectangle of metal to strips.

In the 00s I was researching drive destruction and I found a hand-operated single drive shredder. Same principle as the videos posted, but with a handle on the side you cranked. I bet that would have been pretty satisfying to use, probably even better than the hammer.

Saukkis
May 16, 2003


Defenestrategy posted:

As part of my role as infosec guy, I've been tasked with doing "employee education", and so every two months I've been putting out a short company newsletter that has broad stroke significant company affecting infosec event summaries, such as successful phishing attempts on employees, or foreign IP logins, etc. as well as an "infosec tip of the day" kind of thing where it outlines a thing to be slightly safer, like enabling MFA or signing emails with PGP, stuff like that.

My question is: Am I just pissing in the wind with this, or is this kinda thing worthwhile?

It might be more useful if you can find subjects that people will care about. Just this week our IT sec did a presentation where they talked about a recent small scale phishing campaign that snared about a dozen people. Instead of immediately using their accounts for spamming as usual, the phishers waited until near the payday, logged in to our SAP HR system and changed the bank account numbers. People started asking questions when their pay euros were nowhere to be seen. Besides the multitude of organisational failures that made this possible, this is the best example of why you should not get phished that I have seen.

Saukkis
May 16, 2003


Defenestrategy posted:

Personally I'm not sure what my price would be responsible to wake up and do poo poo possibly. Do you even want engineers working on critical poo poo with no sleep?

I guess there are ways to deal with this. My coworkers have told of one case of a Saturday storage system fix, where the resident expert was too drunk to be let on the keyboard. He was saying the required commands and there was another guy translating them to sober talk and typing them out.

Saukkis
May 16, 2003

We have some cases where we use Squid proxy with a restricted set of allowed domains. And the Squid listens on multiple ports with different restrictions and a server is allowed to connect to a specific instance.
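A squid.conf sketch of the setup described above, added here as an illustration rather than taken from the post: two listening ports, each tied by a `myportname` ACL to its own client range and destination allowlist, with everything else denied. Port numbers, networks and domain names are constructed.

```text
# Constructed squid.conf fragment: one Squid, two ports, two egress allowlists.
# Servers are pointed at the port that matches their role; nothing else passes.
http_port 3128 name=updates_port
http_port 3129 name=saas_port

# Which listening port the request arrived on.
acl on_updates_port myportname updates_port
acl on_saas_port    myportname saas_port

# Who may use each port (constructed server subnets).
acl updates_clients src 10.0.1.0/24
acl saas_clients    src 10.0.2.0/24

# Where each port may go; a leading dot also matches subdomains.
acl updates_dst dstdomain .ubuntu.com .centos.org
acl saas_dst    dstdomain .example-saas.invalid

acl SSL_ports  port 443
acl Safe_ports port 80 443
acl CONNECT    method CONNECT

# Standard hygiene: no odd ports, no CONNECT to anything but TLS ports.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# A request passes only if port, source and destination all agree.
http_access allow on_updates_port updates_clients updates_dst
http_access allow on_saas_port    saas_clients    saas_dst
http_access deny all
```

`dstdomain` is matched against the Host header or the CONNECT target, so HTTPS destinations are allowlisted by hostname without any TLS interception; `squid -k parse` checks the file before a reload.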

Saukkis
May 16, 2003


RFC2324 posted:

I'll have to try this, but MS is convinced that I *need* OneDrive in my life. It might be the MS account, but having my license tied to that instead of hardware or a piece of paper or a sticker on the side of the case is soooo much easier, particularly if you tend to solve 95% of issues by just flattening and rebuilding

I think I'll disagree with this. Licenses from eBay are so cheap I'd rather have a serial string attached to the hardware than deal with accounts or waste my time calling MS when I get new hardware. Just spend a minute on eBay and the old hardware will still have its license and can go on to continue its life.

Saukkis
May 16, 2003


Biowarfare posted:

Chrome (?) + Brave installs into and runs %appdata% and doesn't need admin

That's why the computers at my university use AppLocker to block them. You can't run any .exes outside "Program Files" or some other allowed directories. I've always had local admin access and getting Spotify to work was far from trivial.

Saukkis
May 16, 2003

We have also been dealing with this at work. A coworker has been testing servers with this python script, but hasn't gotten a hit yet.
https://gist.github.com/byt3bl33d3r/46661bc206d323e6770907d259e009b6

Either the servers are using Log4j 1.x, or they are using OpenJDK from RHEL or Ubuntu which have partially mitigated this years ago with CVE-2018-3149.

Saukkis
May 16, 2003

There's now speculation that Log4j 1.x is also vulnerable. And it's of course also EOL'd and won't receive updates.
https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126

Saukkis
May 16, 2003


Should've come up with a name and a hashtag :(

Saukkis
May 16, 2003


Bob Morales posted:

Does deleting the jndi class file not cause an error/crash when the function is called?

Based on these it sounds like a non-issue.

https://github.com/apache/logging-log4j2/pull/608#issuecomment-990305306
https://github.com/apache/logging-log4j2/commit/3203d3eab6bdd12fdad7ded1860db16a89468c3f

Saukkis
May 16, 2003


Rust Martialis posted:

New! Improved! Script!

Scans everything under root for jar files, then looks to see if the jar file has JNDILookup.class in it, and if it does, checks the MANIFEST.MF for a version.


Now go down the next level and make the script scan for any .jars inside the .jars, unpack them and look for JNDI. Oh, and also include .wars in your scan.

I have to say this has been more than the usual vulnerability. As a sys op group we usually try to figure out how much to panic, then we twiddle our thumbs while waiting for a patch from Red Hat, Ubuntu or VMware. Screw trying to binary patch or compile from sources. But this time the interesting part has been trying to locate where we have it, and then we can just zip-delete the problem or drop in patched jars from the upstream.

First round was lsof-grepping for any log4j jars. Then we extended that to locate and find. Then we found out they can be inside .wars and needed to start recursive searching. Biggest annoyance has been containers since we can't as easily fix them.
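An added Python scanner that does the recursive search suggested above (this is not Rust Martialis's script and not the gist linked earlier): it walks a directory tree, opens every .jar/.war/.ear, recurses into archives nested inside them, flags any archive containing JndiLookup.class and reports the Implementation-Version from that archive's MANIFEST.MF. The class path and manifest field are those of log4j-core 2.x; Log4j 1.x has no JndiLookup class and is therefore not found by this check.

```python
"""Recursively scan Java archives for the Log4j 2.x JndiLookup class.

Added example, not the poster's or anyone's production tool. Archives inside
archives (a .jar inside a .war inside an .ear) are opened from memory, so
nothing is unpacked to disk. Log4j 1.x does not ship JndiLookup.class and
is not detected here.
"""
import io
import os
import re
import sys
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Path of the vulnerable lookup class inside log4j-core 2.x.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"^Implementation-Version:\s*(\S+)", re.MULTILINE)


def is_archive(name):
    return name.lower().endswith(ARCHIVE_SUFFIXES)


def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = VERSION_RE.search(manifest)
    return m.group(1) if m else None


def scan_archive(data, path):
    """Scan one archive given as bytes.

    Returns a list of (path, version) hits. `path` records the nesting chain
    with '!' separators, e.g. app.war!WEB-INF/lib/log4j-core-2.14.1.jar, so the
    hit can be located and zip-deleted or replaced. Non-zip data is skipped.
    """
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    with zf:
        names = zf.namelist()
        if JNDI_CLASS in names:
            hits.append((path, manifest_version(zf)))
        # Recurse into every nested archive (jars in wars, wars in ears, ...).
        for name in names:
            if is_archive(name):
                hits.extend(scan_archive(zf.read(name), f"{path}!{name}"))
    return hits


def scan_tree(root):
    """Walk `root` and scan every archive found; unreadable files are skipped."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            if not is_archive(fn):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with open(full, "rb") as f:
                    hits.extend(scan_archive(f.read(), full))
            except OSError:
                pass
    return hits


if __name__ == "__main__":
    # Usage: python scan_log4j.py /opt/tomcat   (path is constructed)
    start = sys.argv[1] if len(sys.argv) > 1 else "/"
    for hit_path, version in scan_tree(start):
        print(f"{hit_path}\tlog4j-core {version or 'version unknown'}")
```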

Saukkis
May 16, 2003


Arivia posted:

I’m not an infosec professional and I don’t have the energy to roll my own keepass or whatever. I use 1Password (subscription) because yeah it is at least a bit safer overall even if someone just has to pop my master password on any of my devices to get in. There are definitely more secure options but I am very limited by means and ability and tbh I have had it for like six years now and no complaints ever.

And honestly with covid and everything it’s nice that I was able to give my next of kin the master password to get into my poo poo easily if I do croak. Already came close once this year.

But do you really need to roll your own Keepass? Do you have any cloud storage, Google Drive, Dropbox, whatever? You download and install the client, which is pretty much the same you would do with any other manager. Then create a new database, set the master password and any other security settings you want and save the database in your cloud storage folder. The biggest extra complication is deciding which browser plugin to choose, since Keepass doesn't have an official recommended one.

Saukkis
May 16, 2003


I think that option is enabled only if the fruit-module is enabled by "vfs objects = fruit".

Saukkis
May 16, 2003


BlankSystemDaemon posted:

I don't know of an appliance that doesn't have it turned on by default.

Based on Synology's advisory it's only used in DSM 6.2, DSM 7.0 and the other software versions aren't affected. QNAP hasn't issued an advisory, so either they aren't affected or they have their hands full with DEADBOLT. NetApp doesn't seem to be affected. TrueNAS in default configuration isn't affected, "but cases where users have opted to share same paths via AFP and SMB simultaneously are impacted."

Saukkis
May 16, 2003


cr0y posted:

I mean to be fair anytime that I connect with someone on a dating app that is better looking than I am I go full-blown :tinfoil:

Maybe they just have better Photoshop skills than you?

Saukkis
May 16, 2003

I started wondering whether I would rather have a device that can turn a lock, designed by an IoT company who doesn't need to worry about how to make a good lock, or a lock manufacturer who now has to figure out how to connect their lock to the Internet. But all of those methods do seem ambitious. Guess that's what we can expect from an IoT company.

Saukkis
May 16, 2003


This is what I would use, but I'm annoyed that "Intermediate" supports down to Android 4.4, but "Modern" requires Android 10. Is there not a configuration that would work with Android 7 or 8 or something?

Saukkis
May 16, 2003


BlankSystemDaemon posted:

I rather hope it's a lesson that people will take to heart, that smaller mastodon instances should only be used by people who have the same technological and political opinions as the admins of that particular instance.
It's also a lesson to IT folks who might one day have to recommend non-IT folks join Mastodon; we may need to get used to recommending people join mastodon.social until they've found smaller instance that they can join more permanently.

We need more internet services run by NGOs. My main email address is provided by a registered society. If a corporation tried to buy the service it would be a hopeless effort. I have my one vote like everyone else and I would vote against it, as I assume would most members. If the society runs into monetary issues it would probably be easy to squeeze a few euros out of the members. But I paid my 30€ joining fee 15-20 years ago and they have never asked for another penny.

Saukkis
May 16, 2003


BlankSystemDaemon posted:

Why limit yourself to one, or a few, addresses?

I have one that I use as fallback for when all others don't apply, an entire domain with a catch-all mailbox so I can do service@example.tld and have a reasonable expectation that if I see that mail address anywhere it's because that provider leaked (irrespective of what they claim), one that always goes directly to my phone, one for my work with an opensource project, and a few that (to my knowledge) aren't listed publicly.

I have my own domain with new email addresses whenever I want one. I even used to run an SMTP receiver at my home. But all that is a huge hassle no one should have to go through. Even the domain renewals have been a much bigger expense than the society, not to mention the email hosting. Instead any grandpa can get a capitalism-free email address from the society. I use the society email as my main address and the personal domain for secondary and temporary uses, as a preparation for the day I don't want to deal with a domain anymore.

Saukkis
May 16, 2003

Does any of the competition have higher quality auth keys?

Saukkis
May 16, 2003

There is a new method for hijacking WhatsApp accounts through voicemail. The hacker tries to log in while you are sleeping. WA sends a PIN code over SMS. Hacker honestly tells WA they didn't receive the SMS and asks for a call. WA robocalls, it goes to voicemail. Hacker checks your voicemail using the last 4 digits of your phone number as the PIN code.

https://twitter.com/ihackbanme/status/1616192784960217088

Saukkis
May 16, 2003


Busy Bee posted:

Is anyone familiar with Standard Notes? https://standardnotes.com/

Seems like a better option for what I am trying to accomplish as I do not need a service to save login information.

If you want to store logins without cloud service then you want KeePass, it's the standard recommendation.

Saukkis
May 16, 2003


Rescue Toaster posted:

I'm planning on picking up a domain to use for email to get some important accounts off of gmail (in terms of password reset/etc...), and also probably so some local devices have a unique domain name and I can do internal certs that are actually trusted.

Is there any significance to the registrar that controls the TLD? I don't mean namecheap/cloudflare/godaddy/whoever, but in terms of the various newer cheap TLDs. For example .stream says "Global Registry Services Ltd" and then lists a backend of GoDaddy.

I suppose from both a 'How likely is this to get hijacked by some guy working at a company I've never heard of with HQ in Gibraltar or the Cayman Islands' and then also the ones that offer private registration info like namecheap, but then if the actual registrar for your TLD is in the UAE or whatever. Not that I'm planning on using the domain for anything that would get anybody in particular upset, afaik. Better to just stick with .com/.net even if I can't get a nice short name?

I'm late to this discussion, but there's an angle to this matter I didn't notice anyone addressing. At the end of the day, the scenario you are worried about is one where you would simultaneously lose access to your Gmail and another independent service that uses the email address for resets. This seems unlikely. I can assume there are numerous reasons why one can lose access to Gmail, but that should be a non-issue for the other services. Just log in to the services and change their email addresses used for resets. This of course assumes the service allows changing the email address without first sending a verification email to the old address. But that would be pretty stupid design to require, and you probably should test any services that are important to you for this.

Another issue is that to my understanding email addresses are generally frowned upon and considered untrustworthy, just not as bad as SMS. If a service is so important to you that you are trying to protect against Gmail problems, then that seems like a sign you should disable email password resets completely and come up with alternate recovery methods. Although this may not be that easy as I experienced recently myself.

I started the AppleTV app on my TV after a long time and it wanted to update. After the update it wanted a reactivation and I did it over the web on my laptop. After logging in to the website I heard a faint bling in the distance and I had to go searching for the ancient iPad I never use. Then I tried to figure out an alternative 2FA option. Turns out the options are a phone number, an Apple device or two FIDO security keys. I found it nice they pointed out you need two keys, but wouldn't you also need two Apple devices for the same reason? The keys would be the best option, but they had some limitations like not working with iCloud for Windows and requiring a recent iOS. It wouldn't work with my iPad, which I think could be an issue.

Saukkis
May 16, 2003

When I got my first online banking account around the turn of the millennium it came with a credit card sized paper OTP sheet. That was pretty much the only option with online banking. Some bank may have had an alternative method, but all required 2FA. A lot of elderly people have learned to use the OTP sheets over the years.

Saukkis
May 16, 2003


adnam posted:

That's awesome. Wonder what structural factors lead to that being a less likely possibility.

It has been ages since I last got a credit card, but I believe the two methods to acquire one are an in-person meeting in the bank office where you will show your driver's license or another valid authentication, or you use your online banking account which has always required 2FA authentication by every bank since the turn of the millennium.

I don't think it's possible to get a card by sending signed paperwork anywhere. My understanding is in US paper spam often includes pre-filled credit applications/ads. Those aren't a thing at all. My own bank may occasionally mail me ads, but any actual application would have to go another path. I don't think any other bank besides my own has sent me ads since forever.

Saukkis
May 16, 2003


Klyith posted:

Listen very carefully: the first rule of passwords that you do not reuse the same password for multiple services.

We have a solution for this issue. We must learn from that recent password game and all services must implement obnoxious and random password requirements. When a service requires that your password is at least 13 characters long, must contain at least two numbers, three capitals and one small letter, the 4th character must be Y, the 7th number 2, and the 11th character must be #, you are unlikely to be able to reuse it.

Saukkis
May 16, 2003


AEMINAL posted:

I had TONS of weird entries in drivers/etc

https://imgur.com/a/1e4IoUD

Any help would be amazing

That services-file you are looking at is just a listing of standard names for different port numbers. Every Unixy computer has the same listing and it doesn't do anything.

Saukkis
May 16, 2003


SlowBloke posted:

https://learn.microsoft.com/en-us/purview/communication-compliance

And as with all the most interesting features in 365, it only works properly in English.

Finally we have a metric to show that ITsec is doing their work!
