So in the spirit of bashing IoT device makers, here's a new one (I think): https://www.pentestpartners.com/blog/iot-aga-cast-iron-security-flaw/ Neither the mobile app nor the website uses HTTPS; in fact they actively disabled SSL hostname validation. Their website allows enumeration of phone numbers, which is a problem because you control the cooker over a loving SMS with no authentication whatsoever.

# Apr 20, 2017 08:26

Finding IoT vulnerabilities must just be shooting fish in a barrel at this point.

# Apr 20, 2017 08:42

Thanks Ants posted:
> Finding IoT vulnerabilities must just be shooting fish in a barrel at this point.

Morbidly obese fish, in a small batch whisky barrel, that has been fit down the bore of a cannon.

# Apr 20, 2017 09:05

Furism posted:
> So in the spirit of bashing IoT device makers, here's a new one (I think): https://www.pentestpartners.com/blog/iot-aga-cast-iron-security-flaw/

quote:
> 9th April 2017 – Discovered that @Aga_official had blocked me on Twitter!

"If we ignore the problem, maybe it will go away."

# Apr 20, 2017 09:57

Just wanted to say thank you for this as well.

# Apr 20, 2017 14:22

Furism posted:
> So in the spirit of bashing IoT device makers, here's a new one (I think): https://www.pentestpartners.com/blog/iot-aga-cast-iron-security-flaw/

quote:
> We believe that a business called Action Point (link opens Google cached PDF content) led the integration project. This led us on to the GSM module which we think is manufactured by Tekelek. Tekelek have a history in remote monitoring of oil storage tanks, heating systems, process control and medical devices among many things.

These appear to be monitored using SMS, so I wonder where else this bizarre unauthenticated text messaging process might lead.

# Apr 22, 2017 03:53

https://twitter.com/ReneFreingruber/status/855090151411855361/photo/1 Javascript was a mistake.

# Apr 22, 2017 07:28

Absurd Alhazred posted:
> Javascript was a mistake.

This has nothing to do with it being JavaScript. If Node didn't exist they'd use Lua or Python or Tcl and it would fail exactly the same way.

# Apr 22, 2017 09:49

So the interpreter process is signed, but code it's loading isn't? How is this problem supposed to be solved correctly?

# Apr 22, 2017 12:50

The same way powershell handles it. It doesn't, AFAIK.

# Apr 22, 2017 13:31

Forgall posted:
> So the interpreter process is signed, but code it's loading isn't? How is this problem supposed to be solved correctly?

You can do what Carbon Black does: whitelist all the valid processes, and look for processes spawning poo poo that they shouldn't. If Word invokes PowerShell, you probably hosed up; if Outlook launches a bat file, you probably hosed up. Random unsigned programs being downloaded and invoked by Chrome or IE? Nope, block that poo poo. It seems to work really well at my firm, we basically don't have malware tickets, which is absurd given the 1k+ endpoints we have.

# Apr 22, 2017 18:01

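The lineage rules in the post above (Office app spawning a script host, Outlook launching a batch file, a browser invoking an unsigned download, anything unsigned and off the allow list) can be expressed as a small check over process-creation events. This is an added example, not Carbon Black's code or rule set; the event schema, the policy tables and the sample events are all constructed here. It also shows the gap the next reply points out: a signed interpreter running a hostile script produces no child process, so these rules see nothing.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed field set, not a real EDR schema)."""
    parent: str      # image name of the parent process, lower-case
    child: str       # image name of the newly created process
    path: str        # full path of the child's image
    signed: bool     # whether the child's image carries a valid code signature
    cmdline: str = ""

# Constructed policy tables (a real deployment would generate these from inventory).
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "iexplore.exe", "firefox.exe"}
# Directories an ordinary user can write to; a binary a browser launches from
# here is the "random unsigned program downloaded and invoked" case.
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\")
# The whitelist: images permitted to run at all on these endpoints.
ALLOWED_IMAGES = OFFICE_APPS | SCRIPT_HOSTS | BROWSERS | {
    "explorer.exe", "svchost.exe", "python.exe"}

def check_event(ev: ProcEvent) -> Optional[str]:
    """Return a reason string if the event breaks a lineage rule, else None."""
    parent, child, path = ev.parent.lower(), ev.child.lower(), ev.path.lower()
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        return f"{parent} spawned script host {child}: {ev.cmdline}"
    if parent in BROWSERS and not ev.signed and path.startswith(USER_WRITABLE):
        return f"{parent} launched unsigned {child} from user-writable path {path}"
    if child not in ALLOWED_IMAGES and not ev.signed:
        return f"{child} is unsigned and not on the allow list"
    return None

def scan(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Run every event through check_event and return (index, reason) for hits."""
    return [(i, reason) for i, ev in enumerate(events) if (reason := check_event(ev))]

# Constructed sample log, one entry per process creation.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "winword.exe",
              r"c:\program files\microsoft office\root\office16\winword.exe", True,
              '"winword.exe" invoice.docm'),                          # normal
    ProcEvent("winword.exe", "powershell.exe",
              r"c:\windows\system32\windowspowershell\v1.0\powershell.exe", True,
              r"powershell.exe -NoProfile -File c:\users\alice\appdata\local\temp\update.ps1"),
    ProcEvent("outlook.exe", "cmd.exe", r"c:\windows\system32\cmd.exe", True,
              "cmd.exe /c invoice.bat"),                              # Outlook -> bat
    ProcEvent("chrome.exe", "setup_helper.exe",
              r"c:\users\alice\downloads\setup_helper.exe", False),   # unsigned download
    ProcEvent("chrome.exe", "chrome.exe",
              r"c:\program files\google\chrome\application\chrome.exe", True),  # renderer
    # A signed interpreter running an arbitrary script: the script itself is
    # never a process, so nothing here fires. That is the gap the next reply raises.
    ProcEvent("explorer.exe", "python.exe", r"c:\python39\python.exe", True,
              "python.exe script.py"),
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Events 1, 2 and 3 are flagged; event 5 is not, which is exactly the limitation of reasoning about lineage alone.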
That doesn't make sense in this scenario. The Python interpreter doesn't necessarily "spawn" any other processes when it executes a malicious script.

# Apr 22, 2017 18:52

Bit9/CarbonBlack is great and powerful but it basically requires at least one FTE in a normal sized enterprise to manage

# Apr 22, 2017 19:10

CB/Bit9 is a great product, but it's not designed for large enterprises. If you have over 10k endpoints, you'd better be prepared to throw a poo poo ton of money and FTEs at keeping it running.

# Apr 22, 2017 20:30

Part of the problem is that's GeForce Experience, which is a notoriously lovely program that NVIDIA loves to bundle with their driver updates. Their custom build of Node is always out of date. I have never seen a release that hasn't set off PSI.

# Apr 22, 2017 21:18

I really enjoy how Carbon Black sucks up 16% of my CPU when I'm compiling code at work.

# Apr 22, 2017 23:37

https://9to5mac.com/2017/04/20/how-to-spot-a-phishing-attempt-fake-apple-site/ I'd never seen this before - our corporate version of Chrome still shows this: https://www.xn--80ak6aa92e.com as https://www.apple.com for me. Just a proof of concept, I know.

# Apr 25, 2017 15:45

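What the post above is looking at is an IDN homograph: the `xn--80ak6aa92e` label is Punycode for five Cyrillic letters that render like "apple" in most fonts. The snippet below decodes such labels and applies the kind of whole-script confusable check that decides whether a browser should show the Unicode form or the raw `xn--` form. It is an added example, not from the post, the linked article or any browser's source; the confusables map is a small constructed subset of the Unicode TR39 table.

```python
import unicodedata

# Constructed subset of Unicode TR39 confusables: Cyrillic letters whose glyphs
# match Latin ones in common fonts. The real table is far larger.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
}

def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label; 'xn--' labels are Punycode."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def script_of(ch: str) -> str:
    """Crude script detection: the first word of the character's Unicode name."""
    name = unicodedata.name(ch, "")
    return name.split()[0] if name else "UNKNOWN"

def skeleton(label: str) -> str:
    """Map each confusable Cyrillic letter to the Latin letter it looks like."""
    return "".join(CYRILLIC_TO_LATIN.get(c, c) for c in label)

def assess_host(host: str) -> list[dict]:
    """Per-label findings: decoded form, scripts used, Latin look-alike, verdict.

    A label is suspicious when it is IDN-encoded, contains no Latin letters,
    and every letter in it has a Latin twin, i.e. it is a whole-script
    confusable for a plain ASCII name.
    """
    findings = []
    for raw in host.split("."):
        u = decode_label(raw)
        scripts = {script_of(c) for c in u if c.isalpha()}
        look = skeleton(u)
        suspicious = (raw.lower().startswith("xn--")
                      and "LATIN" not in scripts
                      and look != u
                      and look.isascii())
        findings.append({"raw": raw, "unicode": u, "scripts": scripts,
                         "looks_like": look, "suspicious": suspicious})
    return findings

def safe_display(host: str) -> str:
    """Mimic the safer address-bar behaviour: show Unicode only when no label
    is a whole-script confusable, otherwise keep the raw xn-- form."""
    findings = assess_host(host)
    if any(f["suspicious"] for f in findings):
        return host
    return ".".join(f["unicode"] for f in findings)

if __name__ == "__main__":
    for host in ("www.xn--80ak6aa92e.com", "www.apple.com", "xn--mnchen-3ya.de"):
        print(host, "->", safe_display(host))
        for f in assess_host(host):
            if f["suspicious"]:
                print("  ", f["raw"], "decodes to", f["unicode"],
                      "and looks like", f["looks_like"])
```

The homograph host stays in its `xn--` form while a legitimate IDN such as `xn--mnchen-3ya.de` (münchen.de, Latin script throughout) is displayed decoded, which is the distinction that separates the two Chrome builds compared later in the thread.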
Solaron posted:
> https://9to5mac.com/2017/04/20/how-to-spot-a-phishing-attempt-fake-apple-site/

IE won't go to the phishing link. It just says check the spelling and try again. Was it already taken down?

# Apr 25, 2017 16:17

No, still shows as Apple for me on Chrome. My IE does the same thing though.

# Apr 25, 2017 16:21

Chrome for Android does this:

# Apr 25, 2017 16:26

Fired up an instance of Chrome, and I can paste the link in to there, but it shows it as https://www.xn--80ak6aa92e.com instead of apple. So I guess my users are safe at work. Relatedly unrelated, Chrome's now throwing up a "Your connection is not secure" to users accessing one of our subdomains, because it's mixed http/https, and we're getting a number of tickets and calls about it. I'm stepping on our applications team to fix it, but they say it's not critical, so they'll fix it as they get around to it. The desensitization is going to come back to bite us, I know it.

# Apr 25, 2017 16:34

Avenging_Mikon posted:
> Fired up an instance of Chrome, and I can paste the link in to there, but it shows it as https://www.xn--80ak6aa92e.com instead of apple. So I guess my users are safe at work.

Edit: never mind, I misunderstood you. It's still interesting though that the page itself is shown as apple.com when you go there.

# Apr 25, 2017 16:40

CLAM DOWN posted:
> Chrome for Android does this:

On my up-to-date Chrome for Android it shows up as Apple.com

# Apr 25, 2017 19:32

Furism posted:
> On my up-to-date Chrome for Android it shows up as Apple.com

Mine is Chrome Beta actually, is yours the main public channel?

# Apr 25, 2017 20:06

CLAM DOWN posted:
> Mine is Chrome Beta actually, is yours the main public channel?

Yes, must be it.

# Apr 26, 2017 07:01

Edit: Ugh, wrong thread.

# Apr 26, 2017 20:24

Might be too late to uninstall Ghostery, but who knows? https://twitter.com/1BlockerApp/status/858578767039651841

# Apr 30, 2017 21:24

I uninstalled it a while ago because it interfered too much with normal browsing and didn't provide significant protection over adblock. Dodged a bullet, there!

# Apr 30, 2017 21:47

Can't find the source for that screencap on Cliqz's website; quick glance at various discussions about the acquisition seem mixed instead of soundly negative; proponents point out things like how Mozilla has invested in Cliqz and Cliqz' technology is open source, both of which appear verifiable. So that gives me two questions: a) is or is not Cliqz actually a slimy tracking company, and b) if there's proof they are, what are the other alternatives (pay or free) for people wanting Safari ad blocking? (... is 1Blocker legit, for example?) Literally asking for a friend (I use Chrome w/ uBlock Origin + Disconnect), I'd have a hard time getting them to switch off of Safari unfortunately.

# Apr 30, 2017 23:37

bitprophet posted:
> Can't find the source for that screencap on Cliqz's website; quick glance at various discussions about the acquisition seem mixed instead of soundly negative; proponents point out things like how Mozilla has invested in Cliqz and Cliqz' technology is open source, both of which appear verifiable.

Why not just recommend they use uBlock Origin for Safari?

# Apr 30, 2017 23:46

bitprophet posted:
> Can't find the source for that screencap on Cliqz's website

https://cliqz.com/en/support -> company info -> how does cliqz earn money?

# Apr 30, 2017 23:50

flosofl posted:
> Why not just recommend they use uBlock Origin for Safari?

Because last time I looked, it wasn't available for Safari. But I see that changed about 5 months ago, so, happy day! Thanks!

astral posted:
> https://cliqz.com/en/support -> company info -> how does cliqz earn money?

Well that'll teach me to look under 'About' instead of 'Support'.

# May 1, 2017 02:48

So I just installed the eBay app on my Android phone after a factory reset. On first start it says "signing in with smart lock..." together with an animated 'doing something' graphic for a few seconds, before realising that it can't pull creds from anywhere. I checked out what "smart lock" is, where it pertains to password auth: https://support.google.com/accounts/answer/6197437 For fuck's sake. You only ever have to log into the eBay app once, when you first run it. I'm not sure exactly what I'm getting annoyed at here. It's either that users are now ushered toward saving all their passwords with their Google account, or it's the fact that the eBay app tries to pull creds without even asking you if you want it to do so. Either way it's convenience gone mad and it cannot be as safe as using a decent password manager.

# May 2, 2017 14:14

There's a version of uBlock Origin for Safari now.

# May 2, 2017 21:58

apropos man posted:. Why do you think that?

# May 3, 2017 08:13

Docjowles posted:
> There's a version of uBlock Origin for Safari now.

Does this use the faster/more efficient official Safari content blocking API? I checked the GitHub and couldn't find anything regarding that.

# May 3, 2017 08:28

DON'T ROLL YOUR OWN ROBOTS

# May 3, 2017 13:20

You can roll your robots, just don't loving expose them to the internet.

# May 3, 2017 13:50

Hackers have been attacking SCADA for ages.

# May 3, 2017 13:52

Subjunctive posted:
> Hackers have been attacking SCADA for ages.

Yeah. It is the main reason why I get uppity about certain things. When you have machines that can kill, you tend to have a different outlook than, say, if your only concern is data loss.

# May 3, 2017 14:53