DeaconBlues posted: No it doesn't help. This helps:

# Nov 20, 2015 21:45

DeaconBlues posted: What you've mentioned there, dougdrums and Antillie, were my concerns about just using a hash. Particularly about the thief knowing about hashing and trying various hash algos during the brute-force attempt.

wyoak fucked around with this message at 23:41 on Nov 20, 2015

# Nov 20, 2015 23:38

Inspector_666 posted: Could you maybe explain it to those of us who are interested? Or is this thread just for people who are already so smart they don't need to actually discuss anything because holy poo poo you guys are gooning it up so loving hard.

wyoak fucked around with this message at 23:59 on Nov 20, 2015

# Nov 20, 2015 23:53

Anyway, this is neither here nor there, but it kind of boggles my mind that computers can figure out whether a 150-digit number is probably prime within a matter of microseconds, and also that the 'probably' apparently isn't important.

# Nov 21, 2015 00:06
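The "probably" in that post comes from the Miller-Rabin test, which is what libraries actually run on candidate primes. This added example (not from the thread) implements it and shows why the error term is ignored: each round costs one modular exponentiation, and the chance of a composite surviving 40 rounds is at most 4^-40.

```python
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 40, rng=None) -> bool:
    """Miller-Rabin. False is always right (a witness proved n composite);
    True is wrong with probability at most 4**-rounds."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:              # cheap trial division first
        if n % p == 0:
            return n == p
    # Write n - 1 = d * 2**s with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = rng or random.SystemRandom()
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)                # one modular exponentiation per round
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                # a is a witness: n is definitely composite
    return True


def false_positive_bound(rounds: int) -> float:
    """Upper bound on the chance that a composite passes all rounds."""
    return 4.0 ** -rounds


def next_probable_prime(start: int, rounds: int = 40) -> int:
    """Smallest probable prime >= start, scanning odd candidates only."""
    if start <= 2:
        return 2
    n = start if start % 2 else start + 1
    while not is_probable_prime(n, rounds):
        n += 2
    return n


if __name__ == "__main__":
    p = next_probable_prime(10 ** 149)  # a 150-digit probable prime
    print(len(str(p)), "digits:", p)
    print("error bound after 40 rounds:", false_positive_bound(40))
```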

How common is DNS-based command and control / data exfiltration at this point? Does it only show up in APT-level attacks or has it started to filter down to more off-the-shelf type malware?

# Nov 25, 2015 18:37

OSI bean dip posted: Here's a question for you: what is an APT and why do you use that term?

Actually just ignore that part completely, how common is communication over DNS these days?

wyoak fucked around with this message at 20:38 on Nov 25, 2015

# Nov 25, 2015 20:36

Alereon posted: I'm just gonna note that it's possible to disagree without being dicks to each other, so let's all work on making this thread about security and not nerds arguing.

# Dec 18, 2015 18:41

Wiggly Wayne DDS posted: Well no poo poo, the problem is at no point have you backed up that the average user needs this particular feature set - or that leaving a file in a dropbox folder is requiring technical proficiency of an autist.

For all my fake concerns, you aren't showing any of yours to be real. Even basic desktop browser integration requires a plugin and you run into the same problems (which plugins do we trust and won't be abandoned in 8 months?) Personally I like 1password, LastPass's history is worrisome enough that I don't feel comfortable there.

wyoak fucked around with this message at 22:07 on Dec 21, 2015

# Dec 21, 2015 21:54

OSI bean dip posted: How can we have this discussion about "people who play as a security professionals on the Internet" yet then turn around and go on about "convenience [trumping] security"?

# Dec 21, 2015 22:18

Wiggly Wayne DDS posted: If this is going into arguments over auto-updating then:

Like I said, I don't totally trust LastPass either, but for most people KeePass + Cloud is either going to be too cumbersome, so it'll sit unused, or will never be updated, which is probably bad too.

# Dec 22, 2015 00:07

OSI bean dip posted: Steganography is dumb and shouldn't be even hinted at if you're trying to be serious about a cryptography product.

This is probably a semantic thing where we're using different definitions of steganography but my point is that deniable encryption isn't a dumb thing.

# Jan 22, 2016 18:02

nm, I should read the whole thread

# Feb 17, 2016 16:50

Mr Chips posted: I'm having an annoying argument with our central IT infosec team at the moment over whether Windows client machine AV is even worth the hassle/expense. We (big public sector org) keep getting hit by web and email based malware that the AV does nothing for, yet they insist it's critical for endpoint protection.

# May 2, 2016 04:09

It's a vague metric too - SecureWorks was "impressed," but that doesn't really mean anything in a vacuum. If the other solutions they looked at blocked 10% of the attacks and Cylance blocked double that, it might be seen as impressive but still isn't all that great in the real world. That said, their demos apparently allow BYOM and they seem to hold up pretty well there, although I'd like to know how much of the BYOM was just the latest CryptoLocker variant the attendees got hit with.

edit: Supposedly Cylance works on offline systems so it's probably doing something more than "check with virustotal" but who knows

wyoak fucked around with this message at 18:23 on May 5, 2016

# May 5, 2016 18:17

Patch your systems. Don't run third-party AV because it's probably not stopping anything, but if you really really want to, keep that patched as well. AV vulnerabilities are especially scary because of things like filter drivers and because they run with system/root privs - most vulns require the user to actually do something to get infected and run at the user level.

wyoak fucked around with this message at 20:21 on Jun 29, 2016

# Jun 29, 2016 20:17

baka kaba posted: As far as I'm aware 1password is like a KeePass setup (where everything's done locally and you just sync the encrypted database to any device that wants to use it) except it's a total solution. So they run a syncing service, they make apps for different devices, they make browser plugins etc, and you trust them because you're paying for this product, and it should all work nice because it's a professional company developing it

# Jul 11, 2016 06:02

Volmarias posted: Right, and that's why I'm asking about it. I don't have an interest in doing the syncing myself, I want them to do it and have everything magically work without effort or thought, even though I'm a team of one.

# Jul 11, 2016 17:00

flosofl posted: Right, I wasn't trying to say it was the same thing, I was just piling on LastPass. Never been a fan of the subscription model and centralized storage for passwords. That's why I'm so disappointed in the latest 1Password offering. I use the standalone versions (where you supply the storage for the keystore), but I'd drop them like a bad habit if they migrated completely to a subscription model using their cloud storage.

# Jul 27, 2016 17:43

Swagger Dagger posted: He literally links to instructions on how to turn on Lastpass's multifactor auth

Given the way the exploit works, it wouldn't make sense that MFA on Lastpass would help unless it asks you to re-verify every time it autofills a password field.

# Jul 27, 2016 20:01

OSI bean dip posted: 1Password and KeePass are not overly complicated nor a "no compromise" method of security.

wyoak fucked around with this message at 17:53 on Jul 29, 2016

# Jul 29, 2016 15:57

Rexxed posted: Classic Shell lets you customize the start menu with Classic Start but also has Classic Explorer and Classic IE as separate modules for Windows Explorer and IE. Most folks who use Classic Start probably don't use IE but it's still installed in Windows 10 since Edge is only sort of complete. Last time I used Edge it had the option to open a web page in IE since a lot of things didn't work in Edge. Maybe it's better now but the last time I used a Microsoft web browser was IE 4.

# Aug 3, 2016 16:53

Cugel the Clever posted: With basic SHA hash stuff sort-of figured out, I decided to take a look at GPG's signature verification whatsits. Pulled the latest executable from their website and decided to run the above tests on it, only to be somewhat miffed/confused that they only list the SHA1 checksums—have I misunderstood my reading elsewhere that SHA1 is better than nothing, but needlessly insecure relative to new algorithms?

# Aug 9, 2016 20:58

Meh, I'd trust the big browsers more than some lovely app created by god-knows-who to program my remote control, and the spec draft basically leads with security, which is a good sign. IoT is probably going to lead to lots of scary/hilarious screwups but I don't see this as particularly bad (and maybe it actually keeps more things off of the real internet (probably not, the manufacturers want their data)).

# Aug 11, 2016 16:50

Just make ChromeKernel already

# Aug 11, 2016 22:00

I'm trying to see where NIST says password expiration is out (like it says in the Sophos blog) and I'm not finding it. The draft says that authenticators SHOULD expire (800-63b-6.2). The Sophos blog also has a thing saying KBA is out, but the draft says it's acceptable for identity verification. I think Sophos misinterpreted 'no expiration without reason,' although those words don't appear anywhere in the draft either, so it's like whoever wrote the blog misunderstood someone who actually read the draft.

wyoak fucked around with this message at 17:56 on Aug 19, 2016

# Aug 19, 2016 17:49

I wasn't arguing for/against password expiration, just saying that NIST's draft doesn't seem to match what Sophos is saying in their summary. NIST says that using an expired authenticator should specify that expiration is the reason for failure; Sophos seems to have telephone-gamed that into "No expiration without reason" -> "Passwords don't need to expire." Now, NIST does use the verbiage SHOULD instead of SHALL, so maybe that's what they're referring to?

# Aug 19, 2016 19:33

flosofl posted: If they use verbiage similar to RFCs then

Yeah, if I hadn't already bored myself reading specs I'd track down the old version and compare the verbiage but meh

# Aug 19, 2016 19:53

If you're big enough to need a QSA, talk to them since your ROC is up to them anyway. If you're self-reporting, use SAQ P2PE (after verifying that those terminals are the only point-of-interaction for credit cards in your environment, that the terminals have been implemented per the vendor guidelines, and that they are actually PCI P2PE certified).

# Oct 25, 2016 20:41

OSI bean dip posted: I'd love to see what the LastPass apologists have to say about this.

what

# Nov 8, 2016 17:09

Execution policy isn't really an effective security boundary. And yeah, blocking the PowerShell console is really only going to limit legitimate productivity; there are tons of ways to run PowerShell code without the console.

# Feb 2, 2017 17:27

CLAM DOWN posted: Doublepost but idgaf, this is a good one:

# Feb 3, 2017 20:11

Yeah, the client isn't going to be sending the server a TXT field, and if the queries are using common domains I don't even understand how the client and server would be talking to each other (unless the client is sending the DNS packets directly to the server, which seems to negate the biggest advantage of DNS tunneling to begin with).

# Jul 21, 2017 16:53
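The point above is that a tunnel has to own the domain it queries, so the payload ends up encoded in the labels of ever-changing names under one zone and comes back as TXT answers. This added detection sketch (not from the thread) scores resolver logs on exactly those traits; the log rows and the exfil-example.test domain are constructed, and the two-label "registered domain" shortcut is an assumption that a real deployment would replace with the Public Suffix List.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log as (client, qtype, qname). The exfil-example.test
# rows imitate a tunnel: a fresh hex payload in the labels of every query, TXT answers.
SAMPLE_QUERIES = [
    ("10.0.0.5", "A", "www.example.com"),
    ("10.0.0.5", "A", "www.example.com"),
    ("10.0.0.7", "A", "cdn.example.com"),
    ("10.0.0.9", "A", "mail.example.com"),
    ("10.0.0.5", "TXT", "a0f39c1e7b2d5846.6d1e8a0b5c7f9234.exfil-example.test"),
    ("10.0.0.5", "TXT", "0b7e2a9c4f1d8356.f5c2e9b0a7d13648.exfil-example.test"),
    ("10.0.0.5", "TXT", "93ba4d0e1f6c7258.2e8c5a3f7d19b604.exfil-example.test"),
    ("10.0.0.5", "TXT", "c47f0e9a3b8d2651.5d0a6c2b9e4f1873.exfil-example.test"),
    ("10.0.0.5", "TXT", "e16b3f8d0c5a7492.7a2d9b1e4c0f6385.exfil-example.test"),
]


def shannon_entropy(s: str) -> float:
    """Bits per character: random hex reaches 4.0, ordinary hostnames sit far lower."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registered_domain(qname: str) -> str:
    # Assumption: the last two labels approximate the registrable domain (no PSL).
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def domain_stats(queries):
    """Per registered domain: query count, distinct subdomains, TXT/NULL count,
    summed label entropy and summed name length."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "txt": 0, "ent": 0.0, "len": 0})
    for _client, qtype, qname in queries:
        dom = registered_domain(qname)
        sub = qname.rstrip(".").lower()[: -len(dom)].rstrip(".")
        s = stats[dom]
        s["n"] += 1
        s["subs"].add(sub)
        s["txt"] += qtype in ("TXT", "NULL")
        s["ent"] += shannon_entropy(sub.replace(".", ""))
        s["len"] += len(qname)
    return stats


def suspicious_domains(queries, min_queries=5, min_unique=0.9, min_entropy=3.5, min_length=40):
    """Flag domains where nearly every name is new, long and high-entropy;
    returns (domain, share of TXT/NULL queries) so the answer channel is visible too."""
    flagged = []
    for dom, s in domain_stats(queries).items():
        if s["n"] >= min_queries and len(s["subs"]) / s["n"] >= min_unique \
                and s["ent"] / s["n"] >= min_entropy and s["len"] / s["n"] >= min_length:
            flagged.append((dom, round(s["txt"] / s["n"], 2)))
    return sorted(flagged)
```

Thresholds are starting points: a CDN or anti-spam service that issues many unique hashed subnames will trip the uniqueness test but not the entropy and length tests together, which is why all three have to hold.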

Double Punctuation posted: For SSDs, just delete the file normally, then do defrag C: /O, assuming it's the C drive. It's not perfect, but the alternative is secure erasing the entire drive.

# Sep 20, 2017 16:55

I use PIA when I'm connecting to public wifi but yeah, don't think that it's keeping you anonymous or anything like that. If I ever decide to do the math I'll figure out if it'd be cheaper to host an OpenVPN instance on AWS or something.

wyoak fucked around with this message at 18:20 on Oct 18, 2017

# Oct 18, 2017 18:17

Testikles posted: I got redirected here with an amateur question. Somebody received a spam email, spoofing my account. The email address is not any that I own but the header is my name - which is interesting because I never put my full name in these things.

# Nov 21, 2017 20:57

ElCondemn posted: I don't understand the issue people have with LastPass, sure they were hacked but my understanding is that they encrypt using your "master key". So all you'd have to do to remain secure is not share your private key. Certainly it would be good to keep your vault secret too but it's as safe as your keepass database would be if say your Dropbox was hacked...

# Feb 16, 2018 17:24

I just ran into an issue where some of our partners were pulling the incorrect IPv4 addresses for their payment processor (CES / FirstData). The payment gateways are:

vxn.datawire.net
vxn1.datawire.net
vxn2.datawire.net

The correct IPs are 216.220.36.75, 205.167.140.10, and 64.243.142.36. However, our affected locations (in Alaska on two different ISPs) were getting 45.227.252.17 as the IPv4 address, which I think is registered to a web hosting company in the Caribbean. The HTTPS site at that IP is using a self-signed SSL certificate, issued on 7-5, for those domain names. The Hello World text is the same as the actual servers. This all looks like someone trying to harvest credit card records.

Fortunately for us, our card processing software does verify the SSL certificate and didn't send any transactions since the cert wasn't signed by a trusted CA, but this is still really weird and I'm wondering how the ISP DNS servers are getting the wrong server. My initial thought was their router got popped by some bot since I'm sure no one updates their firmware ever, but on investigating the bad records were actually coming from the ISP nameservers.

From googling around and trying different public DNS servers in that corner of the world, I found that the University of British Columbia is serving the incorrect IP as well. Doing an NSLOOKUP against the public servers listed on this page will get you the wrong IP (at least as of 8:54 AM mountain time on 7-13-2018). One of the originally affected sites is now getting the correct IP information from their ISP (MTA Online), but ACS Alaska's nameservers are still serving incorrect info.

I guess I'm wondering if anyone else is seeing this and how the records were poisoned, and who I would go try to report this to if I was so inclined.

wyoak fucked around with this message at 16:23 on Jul 13, 2018

# Jul 13, 2018 16:15

The bar is so low that I'm somewhat impressed they caught it while it was happening, as opposed to nine months later

# Nov 28, 2018 22:21

Here's the deets, it's a decent read: https://www.securityevaluators.com/casestudies/password-manager-hacking/

1Password7 is....disappointing

wyoak fucked around with this message at 00:17 on Feb 20, 2019

# Feb 20, 2019 00:13

Internet Explorer posted: Hurray, sanity prevails!

# Apr 25, 2019 22:17