BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

sadus posted:

Oh boy "Hacking Chromecasts/Google Homes/SmartTVs Progress: 7893/123141 [6.40973%]"
http://casthack.thehackergiraffe.com/

thanks for raising infosec/white supremacy awareness, fuckheads

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Wiggly Wayne DDS posted:

if you want a lot more detail on mac malware in 2018:
https://twitter.com/patrickwardle/status/1080375413623336961

Did they actually sign their code? Because it would be pretty trivial to kill it if they did, and if they didn't then you're going to have to click through a lot of warnings to get it to launch.

AV software on Mac is a blight on an otherwise reasonably secure platform and you should not install it.

e: lol of course they're leveraging lovely Java security for persistence

BangersInMyKnickers fucked around with this message at 22:20 on Jan 2, 2019

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Wiggly Wayne DDS posted:

well ya agreed i figured i'd post the list of malware to laugh at. not impossible to get hold of a code signing cert though let's be honest

Yeah it's not difficult, but it also means you can push a revocation which will block the install going forward and block launching on existing infected systems. The first couple of suckers are going to get popped, but after that you've turned over the keys to deactivate your payload to the other team.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

it's definitely better in something like iOS where you don't have admin rights and code is delivered through an app store, but it still works well enough on a more conventional OS that isn't dog poo poo like windows, which allows unsigned code to do loving anything forever because someone clicked a UAC dialog once months prior

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Wiggly Wayne DDS posted:

i was thinking about the detection->revoked stage where you go from it being live to blacklisted before it's hit more machines

they definitely have a better foundation for minimising risks, but there's always going to be a delay before the revocation goes live. do apple have an auto-revoke mechanism for random third parties to challenge with a signed payload?

i'd be p interested in an analysis of the larger CAs revoke process in practice as well. it's very much part of the malware handling process that goes undocumented

in the case of loading malicious ca trusts or certs locally, standard practice from MS seems to be to automatically push local trust updates to the clients to bin them so they don't stick around for too long. I assume Apple is doing something similar since they've clearly thought through code signing on their platform and are far more mature in that space than Windows. there's never going to be a 100% effective route for blocking polymorphic threats short of going full applocker and only allowing known certs/vendors/hashes, and even then you need to watch out for poo poo like dll injection, 3rd party components like jars and whatnot, though it severely reduces potential impact since you don't have an immediate path to escalate to root/admin unless someone is turning over their password

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

considering who it is, I wouldn't hold your breath

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

lol the wife has a lovely sarnsung WiFi tablet for work and I noticed the clock on the lock screen was wildly wrong. I looked into it and it supports an NTP daemon but will only sync if you manually force it; there is no scheduler for it

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

sadus posted:

Just went to try Windows 2019 for the first time and kicked off Windows updates, hmmm

Hmmmmm

Hmmmmmmm?

HMMMMM

How much did Adobe pay for this poo poo

It's embedded in legacy IE (not Edge) for backwards support since Win10 was released. Flash's native updater sucks rear end, doesn't work properly, and MS decided to tell them to gently caress off and are pushing the updates themselves. This is well-documented and generally one of the only good decisions MS has made in the last 5 years.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Pile Of Garbage posted:

UPnP is straight garbage and i thought i was already dead in tyool 2019. i don't care how chromecast uses UPnP, the fact that it uses it at all is a huge loving red flag, even if it apparently "doesn't use it in a bad way."

it's a large protocol suite designed to do broadcast discovery and happens to have some ability to request port forwards from an upstream NAT. some kind of discovery protocol is a requirement for any kind of soho environment without proper DNS infrastructure. you're tilting at windmills and being an idiot. the problem is the routers enabling the port forward functionality by default, implementing it in a shoddy manner, and not updating/supporting their poo poo in the field.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

like... what do you want? netbios discovery? I guess they could use mdns but that's not secure either and pretty much none of these discovery protocols ever will be. are you going to advocate home kerb-based auth and service advertisement for every single home network?
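An added example (not from the thread) that makes the distinction drawn in the two posts above concrete: the multicast SSDP announcements are the discovery part that every device on a home LAN relies on, while a gateway is only offering port forwards when it also advertises an IGD WANIPConnection/WANPPPConnection service. The sample announcements, addresses and UUIDs are constructed, and the parser is a minimal NOTIFY header reader rather than a full SSDP implementation.

```python
from urllib.parse import urlparse

# Constructed sample of SSDP NOTIFY announcements on a home LAN (not a real capture).
SAMPLE_SSDP = [
    "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNT: upnp:rootdevice\r\n"
    "NTS: ssdp:alive\r\nLOCATION: http://192.168.1.1:1900/igd.xml\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n\r\n",
    "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    "NT: urn:schemas-upnp-org:service:WANIPConnection:1\r\nNTS: ssdp:alive\r\n"
    "LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000001::urn:schemas-upnp-org:service:WANIPConnection:1\r\n\r\n",
    "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    "NT: urn:schemas-upnp-org:device:MediaRenderer:1\r\nNTS: ssdp:alive\r\n"
    "LOCATION: http://192.168.1.23:8008/desc.xml\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000002::urn:schemas-upnp-org:device:MediaRenderer:1\r\n\r\n",
]

# IGD service types through which a LAN client can ask the gateway to open a WAN-side port.
PORT_MAPPING_SERVICES = {
    "urn:schemas-upnp-org:service:WANIPConnection",
    "urn:schemas-upnp-org:service:WANPPPConnection",
}

def parse_notify(msg):
    """Return the headers of one SSDP NOTIFY message as a lower-cased dict, else None."""
    lines = msg.split("\r\n")
    if not lines[0].startswith("NOTIFY"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
    return headers

def advertised_services(messages):
    """Map each announcing host (from LOCATION) to the set of NT values it advertised."""
    by_host = {}
    for msg in messages:
        h = parse_notify(msg)
        if not h or h.get("nts") != "ssdp:alive" or "location" not in h:
            continue
        host = urlparse(h["location"]).hostname
        by_host.setdefault(host, set()).add(h.get("nt", ""))
    return by_host

def port_mapping_hosts(by_host):
    """Hosts whose announcements include a port-mapping service (version suffix stripped)."""
    return sorted(host for host, nts in by_host.items()
                  if any(nt.rsplit(":", 1)[0] in PORT_MAPPING_SERVICES for nt in nts))
```

Plain discovery traffic from the media device shows up in the inventory without being flagged; only the gateway advertising the IGD port-mapping service is reported.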

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles


I agree that would own

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

how the hell do you manage that? they lock you out of practically everything unless your vcenter server is old as dirt

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Shame Boy posted:

wait they force you to use the web version these days? christ i'm glad i don't have to manage VM's anymore

when 5.0 came out they locked the thick client to basically read-only, but there was practically a riot because the flash client was horrible, and then they walked that back in 5.5 so the thick client can do some amount of edits to existing vms/hosts, which helps with bootstrapping a failed cluster or whatever, but a whole lot of stuff is inaccessible/read-only from that point forward

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

4.x was so loving good and I miss those days but I'm not ops any more so that's someone else's problem. we sat out 5.x until 5.5 came out and missed the worst of it because they walked back on their loving idiotic vcpu/vram licensing scheme they were trying to push that would gently caress over everyone's over provisioning strategy

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

6 seems okay and that's when I went to html console only because safari/osx and that works pretty well for all the routine stuff

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Pile Of Garbage posted:

i don't see how i'm an idiot for calling poo poo what it is: poo poo. upnp is straight garbage, i accept that it has been adopted and exists and that the majority of problems are due to lovely implementation but that aside it's dumb trash!

christ you are stupid

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

don't break the seal on your router

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Farmer Crack-rear end posted:

speaking of meltdowns what's the status of the big spectre/meltdown hullabaloo from last year? how many systems out there are thought to still be vulnerable?

variant 4 came out and ms made a new mitigation for it. melt/spectre mitigations are still disabled by default for their server os's but win10 has them on by default, and windows now has the microcode update bundled to mitigate spectre for most intel platforms you'll see in the wild. new cpus are shipping with the microcode "fixes" built in but it will be years before we have silicon that is actually engineered around this issue. we'll likely see continued optimizations around syscall performance hurting disk calls from NVMes that work around the performance impact of the mitigations before we see a true fix.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

CmdrRiker posted:

Github, on behalf of Microsoft, will be allowing unlimited free private repos for free accounts. I don't know if this is ol' drown out competition with free services thing or just let's try to accumulate all the data thing.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Schadenboner posted:

I mean, tbf hasn’t this been their strategy with universities as well?

Yeah, make the kids in college learn your tools and then the companies that will hire them are forced to pay the service contracts. It works pretty well, I'm fine with it.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

trust chain on that is completely hosed. you're not allowed to have an upstream trust intermediate have an expiration before the expiration of the downstream trust.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

okay welcome to the loving dumbest pki implementation I have ever seen:

wwww.disa.mil exp 11/18/19
DOD ID SW CA-38 exp 9/23/21
DoD Root CA 3 exp 2/17/19 <-- lol
DoD Interop Root CA 2 exp 8/15/19 <-- lol
Federal Bridge CA 2016 exp 5/15/20
TSCO SHA256 Bridge CA exp 2/19/19 <-- who the gently caress is this?
Alexion Pharmaceuticals Issue 2 CA exp 8/2/27 <-- WHO THE gently caress IS THIS??

Why the gently caress this doesn't stop at DoD Root CA 3 is beyond me, but even that they hosed up: your root should always have the last expiration date
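An added check (not from the post) for the rule stated here and a few posts up, namely that an issuer must not expire before the certificates it signs: it parses the chain exactly as posted (leaf first, each line signed by the one below it, dates as written in M/D/YY) and reports the pairs that break the nesting, plus which members are already expired on a given date.

```python
from datetime import date, datetime

# The chain as posted, leaf first, each line signed by the one below it (dates M/D/YY).
POSTED_CHAIN = """\
wwww.disa.mil exp 11/18/19
DOD ID SW CA-38 exp 9/23/21
DoD Root CA 3 exp 2/17/19
DoD Interop Root CA 2 exp 8/15/19
Federal Bridge CA 2016 exp 5/15/20
TSCO SHA256 Bridge CA exp 2/19/19
Alexion Pharmaceuticals Issue 2 CA exp 8/2/27
"""

def parse_chain(text):
    """Return [(name, expiry_date), ...] in the order given (leaf first)."""
    chain = []
    for line in text.splitlines():
        name, _, exp = line.rpartition(" exp ")
        chain.append((name.strip(), datetime.strptime(exp.strip(), "%m/%d/%y").date()))
    return chain

def nesting_violations(chain):
    """Pairs (subject, issuer) where the issuer's notAfter is earlier than the subject's.

    Once the issuer has expired the subject can no longer be validated through it,
    so a sanely built chain expires from the leaf upward and the root expires last."""
    return [(subj, iss)
            for (subj, subj_exp), (iss, iss_exp) in zip(chain, chain[1:])
            if iss_exp < subj_exp]

def expired_at(chain, when):
    """Names of chain members already past their expiry on the date given."""
    return [name for name, exp in chain if exp < when]

def report(text, when):
    chain = parse_chain(text)
    for subj, iss in nesting_violations(chain):
        print(f"issuer '{iss}' expires before '{subj}'")
    for name in expired_at(chain, when):
        print(f"already expired on {when}: {name}")

if __name__ == "__main__":
    # Shortly after the post date: two issuers already expired under still-valid subjects.
    report(POSTED_CHAIN, date(2019, 3, 1))
```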

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

I 100% assure you the actual mil systems are pushing all their hosed up root and intermediate certs through GPOs to override the numerous PKI validation errors

hahahaha Alexion is a Symantec-issued cert, mischief managed

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

I wonder if they attempted to somehow shim in the Symantec trust chain behind the DoD Root CA after the fact when all the contractors and whoever on non-mil systems didn't have it in their trust store and complained about the validation errors. That sounds like something dumb enough for Symantec to try for a buck. There shouldn't be any trust chain to civ computers on this at all.

fyi there's like 4 or more different trust chains on this mess depending on your browser/os/phase of the moon

https://www.ssllabs.com/ssltest/analyze.html?d=www.disa.mil&s=156.112.108.76&hideResults=on

BangersInMyKnickers fucked around with this message at 23:05 on Jan 8, 2019

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

The amount of fuckery I see in those various attempts at trust chains would take a team of the finest idiots you could find years to achieve

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

openssl has too many easily-configured silent error modes and belongs in the trash heap of history since they clearly have zero interest in actually making a usable and secure product for the world but instead are just throwing a loose bag of parts at you with limited constraints or guidance

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles


vehicle 3 has legs

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

lol this is the same poo poo that brought down el chapo reenacted at a national scale

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Cocoa Crispies posted:

RSA is a product marketing conference.

goatse-wall as a service

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Shifty Pony posted:

Proquest apparently stores passwords in plain text and when you use their password recovery feature simply emails you your login and password.

Why are people still doing this in 2019?

they haven't been sued so they don't give a poo poo

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Cool, I'm seeing something In The Wild attempting to execute a payload against the SEP scanning engine on Windows. SEHOP is killing it, but it's only a matter of time before they figure out an evasion.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Wiggly Wayne DDS posted:

got any samples?

just the log lines of ccSvcSvr getting merked by SEHOP. going to try to correlate it to some kind of traffic on the border firewall logs but there is very little to go on here

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

there is a privately disclosed priv elevation exploit against the version of 14 that we are on, and I haven't been able to upgrade to 14.2 because they turbofucked the firewall module and are still sorting that out, so all in all this is a great situation

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Symantec says it's something in the wild hitting against the IPS engine but it should be resolved with the latest def set. They're not really sure who's doing it or what the payload is, so I suspect it's a band-aid fix

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

geonetix posted:

re SEP im 75% sure it’s just taviso sending them a poc again

tavis isn't sending my loving desktops payloads to make the IPS engine throw SEHOP faults and die, this thing is in the wild

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

geonetix posted:

lmao ok, the 25% it is. do you have samples? I like to toss it into mcafee and other poo poo tier stuff

not yet. SEHOP faults are tricky because all you get is "bad thing happen, killed process". no caching proxy here to pull it from. maybe something is recoverable from a browser cache somewhere (probably not, IPS crashing probably stopped it before it could write to disk). trying to correlate it to remote ips in the firewall logs. apparently Symantec doesn't have a sample of the payload either

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Lain Iwakura posted:

in sec news on my end, i am finally starting my years long security orchestration project

global rm -rf / job on puppet

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

RE Symantec IPS vulnerability: I don't think it's been properly fixed in the IPS module. I'm seeing evidence in the logs of clients getting popped all over the place (not servers) and the ones that don't throw SEHOP errors have their SONAR module uploading copies of their ccSvcHst process to Symantec for analysis

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

evil_bunnY posted:

how’s the payload delivered?

suspicion is some kind of drive-by, but since it's being processed in-memory from the wire and then nuked, actually recovering conclusive evidence is proving difficult

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

evil_bunnY posted:

do you have some kind of exec logging? some parts of our org are still on Symantec, I’ll ask if they’ve seen crashes.

Not at the moment, still waiting on approval for a sysmon rollout. Not sure if it would have given us anything if the heap is being modified in-memory. Hopefully it's just some manner of memory leak that's being inadvertently triggered and overwriting nonsense to the heap, but I don't have confirmation yet.
