  • Locked thread
Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?


Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

https://twitter.com/ericgeller/status/823337091719397377

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

BiohazrD posted:

Hahahahahahahahahahahahahahahahahahahahahahahahahahahaha

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

flosofl posted:

He explains later on that there's a hash for each image (or something like that). So the new file won't display because there's no way that someone that has managed to compromise the computer to load the images can replace the hashes.

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

Countdown until Giuliani gets invited to Keynote RSA and/or BlackHat

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

https://twitter.com/DKMatai/status/831250823757848576

loving rsa in a nutshell

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

Gonna be at rsa this week, any good things to do there or good party recommendations for thursday?

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

this is literally one hour of RSA tomorrow. such quality
and part of the rest of the afternoon

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

Finally recovered from RSA. The security bubble is in some serious decline y'all.

1) The free swag was lovely this year. No free shirts or other poo poo.
2) Want any of the cool poo poo, time to sit through a 20-30 minute sales presentation
3) The parties were garbage. One of the 'hottest' parties gave you two free drink tickets.
4) There were also way less parties than previous years

Dare I say, IT Security might be in decline

Also, as a white person..............

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

https://twitter.com/NathOnSecurity/status/834796736308793344

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

So, infosec twitter is all abuzz about mastodon. What is it and why would I sign up for it other than a stupid username land grab? Is it like that dumb facebook replacement from a while ago?

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

Luigi Thirty posted:

oh and also due to its hosed up federation model anyone can start their own federation and download all your locked/blocked/whatever posts and publish them anyway

Feature not bug. Won't fix.

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

OSI bean dip posted:

Most (really all) people who post in this thread will never be the target of such attacks. Even though I do have legitimate and founded fears about certain actors and my line of work, the use of a Stingray is far down the list and should be for anyone else.

Seriously, I've been under investigation and three letter agencies read my blog and even then I'm not worried about this poo poo.

If you're worried just shred the phone and get a new number.

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

Also, the exploits were still useful to them anyway.

Just cause someone has your kit doesn't mean you burn your tools.

Like, they could still use them despite knowing someone has access to them. Ethically questionable. But this is the NSA we're talking about so......

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

So I use nmap all the loving time. If you have a service that doesn't just barf out whatever the gently caress it is to any ole synack (or anything) and you put it on a non-standard port you have a good chance of making sure people have no idea what the gently caress it is.

For example, NJE defaults to port 175. Unless you send a very specific packet with the right user/pass combo (I'm simplifying here) it just sends a RST packet.

You put that on some weird rear end port like 60666 there's no way an attacker will know what it is.

On top of that, in an enterprise environment scanning one host with nmap -p- takes me about 10-15 minutes. I have 100 systems included in a pentest, that's 25 hours to just check open ports. Forget banner grabbing with -sV.

Obviously you can just speed that up with masscan, but lol you'll get detected so loving fast using masscan and hopefully blocked, so whats the point.

I'm not saying it's good security, like, how does putting sshd on port 42069 make it any harder to find it? But I can understand why less experienced people might see moving a port away from standard can have any effect on security because it appears to obfuscate. And does lower the risk (a minuscule amount) from automated poo poo hitting it and getting lucky, but if your box gets popped cause the username/password was in some default wordlist used by those bots your company is hosed anyway.

I'll caution with this though, if you're in an enterprise and they have all these lovely custom apps running on non-default ports, your asset tracking (IP/Port to Application) better be spot loving on. Otherwise you're gonna be hosed when something like struts comes calling. And this feeds back in to logging. If you can't map IP/Port back to an application back to an owner and use some weird custom port ranges to track that poo poo for forensics you're hosed long term.

Edit: Also, wanted to add, nmap's tcp probes are hot garbage. So say you put a weird server (some weird sip server) on a non-standard port. There's a very good chance nmap won't be able to do the banner correlation because of the way those rules are written. You can fix that with some flags but most people don't even know this is a potential problem. If you put it on the standard port it will find it in half a second. Not saying it'll stop someone of YOSPOS caliber but it'll stop most script kiddies and/or pentesters at trustwave.

Optimus_Rhyme fucked around with this message at 01:51 on Apr 20, 2017
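
The post above makes two operational points: nmap labels a service on a non-standard port from its port table unless a probe actually matched, and an enterprise running custom apps on odd ports needs an IP/port to application to owner mapping that is spot on. The following is an added example (not code from the post or from nmap) that reads `nmap -sV -oX` output and reconciles it against such an asset register. The XML is a constructed sample in the shape nmap emits (abridged to the elements read here), and the inventory dict, hosts and owner names are hypothetical.

```python
"""Reconcile an nmap XML scan against an IP/port -> application -> owner inventory."""
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -p- -oX -` output, abridged to the fields read below.
# 10.0.0.1:60666 is an "NJE on a weird port" case: nmap's probes got nothing back,
# so service name falls back to "unknown" with method="table" (port-number lookup).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p- -oX - 10.0.0.0/30">
  <host><status state="up"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" method="probed"/></port>
      <port protocol="tcp" portid="60666"><state state="open"/>
        <service name="unknown" method="table"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="42069"><state state="open"/>
        <service name="ssh" product="OpenSSH" method="probed"/></port>
      <port protocol="tcp" portid="8443"><state state="open"/>
        <service name="https-alt" method="table"/></port>
      <port protocol="tcp" portid="445"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical asset register: (ip, port) -> (application, owner).
# 10.0.0.3:8080 is a stale entry: registered, but not open in the scan.
INVENTORY = {
    ("10.0.0.1", 22): ("bastion sshd", "infra-team"),
    ("10.0.0.1", 60666): ("NJE bridge", "mainframe-team"),
    ("10.0.0.2", 42069): ("build-box sshd", "ci-team"),
    ("10.0.0.3", 8080): ("decommissioned app", "nobody"),
}


def parse_open_ports(xml_text):
    """Return [(ip, port, proto, nmap_service_name, method)] for every open port."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            method = svc.get("method", "") if svc is not None else ""
            results.append((ip, int(port.get("portid")), port.get("protocol"), name, method))
    return results


def reconcile(open_ports, inventory):
    """Split scan findings into owned, unowned, and guessed-only service labels."""
    report = {"owned": [], "unowned": [], "guessed": []}
    for ip, port, proto, name, method in open_ports:
        entry = inventory.get((ip, port))
        if entry is None:
            # Open port nobody has claimed: the case that hurts when "struts comes calling".
            report["unowned"].append((ip, port, proto, name))
        else:
            report["owned"].append((ip, port, entry[0], entry[1]))
        # method="table" means nmap only consulted nmap-services by port number;
        # on a non-standard port that label is a guess, not a banner match.
        if method != "probed":
            report["guessed"].append((ip, port, name))
    return report


def stale_inventory(open_ports, inventory):
    """Inventory entries whose port was not open in the scan (candidates for cleanup)."""
    seen = {(ip, port) for ip, port, *_ in open_ports}
    return sorted(key for key in inventory if key not in seen)
```

Run it against a real `nmap -sV -p- -oX scan.xml` file and a register exported from whatever CMDB is in use; anything in `unowned` is a port no owner will patch, and anything in `guessed` is a label you should not trust without a manual probe.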

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

Most companies also don't put signage on their datacenters. Why? :iiam:

But yeah, convention centers are an apt comparison. Was a car metaphor unavailable?

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

hackbunny posted:

this is mega retarded. giga retarded even. think about what you just wrote and then throw your computer in the trash. what an idiotic thing to say, I'm not even attempting to refute this ridiculous assertion. what is it about security that makes people into the smartest idiots on earth

Dunning-Kruger, and it makes people the loving worst. Case in point: the AV thread in grey forums.

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

I'm just glad I can watch a movie with my wife and not scoff at the scene where the politician with a pacemaker dies from a hacker in some Amsterdam hacker space

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

Because security people are the worst. Like they're cjs on steroids

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

https://twitter.com/wendynather/status/870094831082651648

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

You should put this as your signature when you reply:

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

I like this time of year. About a month and a half from DEFCON all the lovely Stunt Hacks come out as they get acceptance letter from DEFCON.

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

How's proton mail?

Does signal let you delete messages from all devices or have a timer?

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

Is there an app you can self host that you can trust?

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

funny Star Wars parody posted:

all computer touchers will perish along with their bourgeoisie overlords for enabling capitalist domination

That's why you work in security, so you can pivot to evil insider when the guillotines start fallin

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

apseudonym posted:

Wait I thought we were here to put down internet revolutionaries

Lol, why you think enterprise security is so bad? Nobody can be this incompetent by accident.

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

http://la9deanon.tumblr.com/post/161704038759/comprometida-la-pasarela-de-pagos-de-idental

Hackers stole money from a company and returned it to the wronged customers

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

code:
0--0------A1--------------------------------------------------1.RU. 345600 IN NS ns-de.bible.ru.
0--0------A1--------------------------------------------------1.RU. 345600 IN NS ns-nl.bible.ru.
0--0------A1--------------------------------------------------1.RU. 345600 IN NS ns-ru.bible.ru.
0--0------A2--BBBBB--I-BBBBB--L------EEEEEE-----RRRRR--U----U-2.RU. 345600 IN NS ns-de.bible.ru.
0--0------A2--BBBBB--I-BBBBB--L------EEEEEE-----RRRRR--U----U-2.RU. 345600 IN NS ns-nl.bible.ru.
0--0------A2--BBBBB--I-BBBBB--L------EEEEEE-----RRRRR--U----U-2.RU. 345600 IN NS ns-ru.bible.ru.
0--0------A3--B----B-I-B----B-L------E----------R----R-U----U-3.RU. 345600 IN NS ns-de.bible.ru.
0--0------A3--B----B-I-B----B-L------E----------R----R-U----U-3.RU. 345600 IN NS ns-nl.bible.ru.
0--0------A3--B----B-I-B----B-L------E----------R----R-U----U-3.RU. 345600 IN NS ns-ru.bible.ru.
0--0------A4--BBBBB--I-BBBBB--L------EEEEE------R----R-U----U-4.RU. 345600 IN NS ns-de.bible.ru.
0--0------A4--BBBBB--I-BBBBB--L------EEEEE------R----R-U----U-4.RU. 345600 IN NS ns-nl.bible.ru.
0--0------A4--BBBBB--I-BBBBB--L------EEEEE------R----R-U----U-4.RU. 345600 IN NS ns-ru.bible.ru.
0--0------A5--B----B-I-B----B-L------E----------RRRRR--U----U-5.RU. 345600 IN NS ns-de.bible.ru.
0--0------A5--B----B-I-B----B-L------E----------RRRRR--U----U-5.RU. 345600 IN NS ns-nl.bible.ru.
0--0------A5--B----B-I-B----B-L------E----------RRRRR--U----U-5.RU. 345600 IN NS ns-ru.bible.ru.
0--0------A6--B----B-I-B----B-L------E----------R---R--U----U-6.RU. 345600 IN NS ns-de.bible.ru.
0--0------A6--B----B-I-B----B-L------E----------R---R--U----U-6.RU. 345600 IN NS ns-nl.bible.ru.
0--0------A6--B----B-I-B----B-L------E----------R---R--U----U-6.RU. 345600 IN NS ns-ru.bible.ru.
0--0------A7--BBBBB--I-BBBBB--LLLLLL-EEEEEE--0--R----R--UUUU--7.RU. 345600 IN NS ns-de.bible.ru.
0--0------A7--BBBBB--I-BBBBB--LLLLLL-EEEEEE--0--R----R--UUUU--7.RU. 345600 IN NS ns-nl.bible.ru.
0--0------A7--BBBBB--I-BBBBB--LLLLLL-EEEEEE--0--R----R--UUUU--7.RU. 345600 IN NS ns-ru.bible.ru.
0--0------A8--------------------------------------------------8.RU. 345600 IN NS ns-de.bible.ru.
0--0------A8--------------------------------------------------8.RU. 345600 IN NS ns-nl.bible.ru.
0--0------A8--------------------------------------------------8.RU. 345600 IN NS ns-ru.bible.ru.

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

quote:

Hacking Sony’s SIEA for fun and unreleased games

I began working on a game for the PlayStation at some point in 2016. A key part of releasing a game on an SIEA console is the global product proposal (“GPP”) approval process. Depending on the studio, they’ll submit details of their upcoming games months to years before they are released, and ensure SIEA has no objection to the game’s content. This happens on a web portal all publishers have access to.

It was when I went to download my own global product proposal when I began noticing severe security issues with the ColdFusion-powered site. The issues found could have led to the release of hundreds of in-development games and unannounced concepts (and thousands of documents in total) to me and anyone else who tried. All issues found — described below — were responsibly disclosed to Sony’s vulnerability reporting program and fixed in a reasonable amount of time. All third-party data was erased after testing. No bounties (or t-shirts) were given by Sony.

It is hard to understate the critical nature of this site. These documents contain detailed information about upcoming releases, including concept art, detailed story lines, and release dates. I was able to successfully pull the GPP for NBA 2k18, among others, which was quite detailed about its features and release dates.

It’s clear nobody has audited the codebase for security issues. Further, the act of getting access to it is not difficult — SIEA liberally accepts companies to publish on their platforms. The site is luckily IP whitelisted, but this does little against a determined attacker.

Downloading GPP documents (Issue A)

The interface allows you to view your own global product proposals and download their associated files. When I looked at the URL used to download the file, I became curious: /FileServer/IPAMaterials/IPA_MATERIALS_IS00006260_1.zip. You may be able to guess what happens next — I decremented the ID in the last part of the URL to IPA_MATERIALS_IS00006259_1.zip, and ended up with someone else’s global product proposal.
As mentioned above, global product proposals, especially of unreleased games, are extremely sensitive, and they were left lying in the web server’s almost fully public filesystem, stored with sequential file names.

Unfortunately, this started a series of insufficient fixes on Sony’s part. After reporting this issue in 2016, Sony silently attempted to fix it and did not notify me. I came back to this in 2017, wondering if it had been fixed, and found that they had added a five digit unique ID to every download URL. Not only was this unique ID not long enough, it did not appear to even be random — they all seemed to be in the 5x,xxx range. Amusingly, they also ended up disclosing the ColdFusion source code of the page when you left off the filename and went to /FileServer/IPAMaterials.

At this point (in April of 2017), I emailed them and informed them that the new fix was not sufficient. I also gave them a 90-day disclosure deadline. They committed to a fix by the end of May, and added a 512-bit unique ID by then.
However, in early June, I discovered that there was a “skeleton key” ID — one that works for every file — after attempting to view a product that didn’t exist. This is explained in more detail below. I reported this to them on June 7th, and it was (finally) fixed shortly after.
Viewing metadata (Issue B)

Above, I mentioned that you are able to view your own global product proposals. The page that lists and shows these proposals fetches the details of a submission with a POST request to ipa_track_submission_details.cfm. The ID of the submission requested is not checked against the current user, allowing anyone to view the metadata of any product proposal.

The identifier for a product proposal, a v_unique_id, is sequentially incremented. This makes guessing and bulk retrieval trivially possible.

The returned data is actually raw HTML, injected into the page after it’s retrieved via an XMLHttpRequest. After this was fixed, there was a weird quirk: querying an ID the user doesn’t have access to would return the expected HTML, but without any data where there normally would be.

However, on these pages without any data, there was still a link to download the proposal — and it returned the same unique ID for every invalid proposal. This unique ID turned out to work for every file. I am guessing that it is the encoded version of 0 (i.e. null), and if the unique ID matches 0 it is allowed to download any file, for testing/internal use.

Viewing a company’s GPPs (Issue C)

Finally, on the page that allows you to view proposals, the client makes a request to ipa_submissions_frontend.cfc in order to find out what GPPs exist for a given company. Unfortunately, the client controls the company identifier used here, again without any validation.
Again, the company ID is sequential and easily guessable. The returned data allows you to enumerate the names and statuses of all the company’s titles — less detailed than the above, but certainly concerning.
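
The quoted write-up describes three variants of the same bug: a sequential ID in the URL with no ownership check (Issue A), a five-digit "unique ID" that was neither long nor random, and finally a sentinel token that worked for every file (Issue B). As an added example, not the write-up author's code or anything from the site described, here is the vulnerable download pattern beside a hardened one. The file table, publisher names and token scheme are constructed for illustration; the file names only follow the naming shape quoted above.

```python
"""Download authorization: the IDOR pattern from the quoted write-up and a fixed version."""
import secrets

# Constructed sample: sequential proposal IDs, each owned by one publisher account.
FILES = {
    6259: {"owner": "studio-a", "name": "IPA_MATERIALS_IS00006259_1.zip"},
    6260: {"owner": "studio-b", "name": "IPA_MATERIALS_IS00006260_1.zip"},
}


def download_vulnerable(user, file_id):
    """Issue A as described: the sequential ID in the path is the only 'check'.

    `user` is never consulted, so decrementing file_id returns a neighbour's file.
    """
    entry = FILES.get(file_id)
    return entry["name"] if entry else None


class FileStore:
    """Hardened version: unguessable per-file tokens AND an ownership check on every request."""

    def __init__(self, files):
        self._files = dict(files)
        # 256 random bits per file from the OS CSPRNG. A five-digit counter in the
        # 5x,xxx range (the interim fix in the write-up) is ~10^4 guesses; this is ~10^77.
        self._token_to_id = {secrets.token_urlsafe(32): fid for fid in files}
        self._id_to_token = {fid: tok for tok, fid in self._token_to_id.items()}

    def link_for(self, user, file_id):
        """Return a download token only for a file that exists and that `user` owns.

        Returning None for an unknown or foreign ID, rather than some default
        (e.g. the encoding of 0), is what avoids the 'skeleton key' of Issue B.
        """
        entry = self._files.get(file_id)
        if entry is None or entry["owner"] != user:
            return None
        return self._id_to_token[file_id]

    def download(self, user, token):
        """Serve the file only if the token is valid and the caller owns the file."""
        if not token:  # empty/null sentinel must never match anything
            return None
        file_id = self._token_to_id.get(token)
        if file_id is None:
            return None
        entry = self._files[file_id]
        # The token makes the URL unguessable, but authorization is still decided
        # here: a leaked or shared link is useless to a different authenticated user.
        if entry["owner"] != user:
            return None
        return entry["name"]
```

The ordering matters: the random token fixes enumeration, but only the `owner` comparison fixes the actual access-control flaw, and the explicit rejection of empty tokens plus the refusal to mint a token for non-existent IDs closes the path the write-up found after the 512-bit fix.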

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

https://www.youtube.com/watch?v=EzedMdx6QG4


Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

Someone get that person an account
