|
traditional banks can’t make a person-to-person payment system safe and I’m saying that as someone who bought a shmoocon ticket in a dark alley in Berlin
|
#
?
May 13, 2019 17:23
|
|
|
|
| # ? Apr 25, 2024 06:31 |
|
|
favorite beatle is secure as hell, just pick ringo
|
|
#
?
May 13, 2019 17:38
|
|
|
stu sutcliffe isn't even in the rainbow table
|
|
#
?
May 13, 2019 18:00
|
|
|
Cocoa Crispies posted:traditional banks can’t make a person-to-person payment system safe and I’m saying that as someone who bought a shmoocon ticket in a dark alley in Berlin Some hot key swapping going on in that dark alley
|
|
#
?
May 13, 2019 18:06
|
|
|
quote:Hoover's security question to her friend was: "Who is my favourite Beatle?" The fraudster would have had a one in four chance of getting it right — John, Paul, George or Ringo. In a test of RBC's Interac system, Go Public was given four chances to answer the security question correctly. Just inject this poo poo directly into my veins Ur Getting Fatter posted:Some hot key swapping going on in that dark alley 
|
|
#
?
May 13, 2019 19:46
|
|
|
Cisco Router Bug Has Massive Global Implications posted:Now, researchers are disclosing a remote attack that would potentially allow a hacker to take over any 1001-X router, and compromise all the data and commands that flow through it. And the best part is, that basically no vendor has a solution for this particular problem if they ever get hit by it - the closest work is described in my last post in the video titled Securing Bare Metal Hardware at Scale, and that was a year ago and I haven't heard much news about it yet. And since the trust root is apparently in the FGPA, we're truly hosed. 
BlankSystemDaemon fucked around with this message at 21:14 on May 13, 2019 |
|
#
?
May 13, 2019 20:47
|
|
|
D. Ebdrup posted:So far as I can tell, this also means that firmware runtime attestation is completely impossible, so you cannot know if the firmware that's on the system messes with any future firmware, unless you JTAG the system and push the firmware to it in a way that the firmware runtime cannot know about. doesn't sound terrible to fix: quote:They discovered that when Cisco’s secure boot detected a breach of trust in a system, it would wait 100 seconds—a pause programmed by Cisco engineers, perhaps to buy enough time to deploy a repair update in case of a malfunction—and then physically kill the power on the device. The researchers realized that by modifying the part of the bitstream that controlled this kill switch, they could override it. The device would then boot normally, even though secure boot accurately detected a breach. Sounds like this bit of logic just needs to be thought through again...but as they didn't release the specifics yet, it's hard to say ¯\_(ツ)_/¯ e: lmaorf quote:They also broke two of their routers during the process of physically manipulating and soldering on the boards to look for the reset pin.
|
|
#
?
May 13, 2019 21:23
|
|
|
flakeloaf posted:https://www.cbc.ca/news/business/rbc-customer-out-of-pocket-after-e-transfer-fraud-1.5128114 yeah as a bankster this is making the rounds today, shoulda set up autopay
|
|
#
?
May 13, 2019 21:39
|
|
|
Winkle-Daddy posted:doesn't sound terrible to fix: my read of that is that the code that decides what to do when secure boot can't verify the firmware can itself be modified, so all you need to do is modify it to just boot anyway.
|
|
#
?
May 14, 2019 01:49
|
|
|
Jabor posted:my read of that is that the code that decides what to do when secure boot can't verify the firmware can itself be modified, so all you need to do is modify it to just boot anyway. maybe, hard to tell if they have a real novel approach to fpga reverse engineering and if it can be generalized.
|
|
#
?
May 14, 2019 02:02
|
|
|
even if it's "easy" to fix there's plenty of poo poo that won't be
|
|
#
?
May 14, 2019 04:48
|
|
|
lol whatsapp owned by a goddamn buffer overflow like its 1999 again
|
|
#
?
May 14, 2019 10:02
|
|
|
Soricidus posted:lol whatsapp owned by a goddamn buffer overflow like its 1999 again yeah but c and c++ are real good, see
|
|
#
?
May 14, 2019 10:43
|
|
|
redleader posted:yeah but c and c++ are real good, see gotta keep the minimum fps high in the chat app
|
|
#
?
May 14, 2019 13:04
|
|
|
CVE-2019-11815 posted:The Linux Kernel is prone to a race-condition vulnerability.
|
|
#
?
May 14, 2019 16:58
|
|
|
Plank Walker posted:favorite beatle is secure as hell, just pick ringo How did you know?!?!
|
|
#
?
May 14, 2019 17:37
|
|
|
Looks like the Lenovo leaked CVEs have been released.
|
|
#
?
May 14, 2019 18:31
|
|
|
been a while since the last pre-auth rdp rce
|
|
#
?
May 14, 2019 18:39
|
|
|
Wiggly Wayne DDS posted:been a while since the last pre-auth rdp rce thank christ we've moved everyone off windows 7
|
|
#
?
May 14, 2019 18:43
|
|
|
The Electronaut posted:Looks like the Lenovo leaked CVEs have been released. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/x86/mds.rst
|
|
#
?
May 14, 2019 19:27
|
|
|
BES doesn't like AD passwords that end with a space character how i learned this is not important
|
|
#
?
May 14, 2019 19:28
|
|
|
dont
|
|
#
?
May 14, 2019 19:30
|
|
|
BES only exists for the three people left using a blackberry at your company
|
|
#
?
May 14, 2019 19:32
|
|
|
*department
|
|
#
?
May 14, 2019 19:35
|
|
|
|
|
#
?
May 14, 2019 19:36
|
|
|
https://twitter.com/business/status/1128294423585071104?s=20 bloomberg is a reputable publication that should report on security more often because it does a good job at that
|
|
#
?
May 14, 2019 19:39
|
|
|
"completely defeating the kinds of eavesdropping that snowden proved global sigint agencies actually do all the time is a worthless gimmick, because it doesn't protect you against someone reading over your shoulder" is ... certainly a take, I guess
|
|
#
?
May 14, 2019 19:45
|
|
|
Wiggly Wayne DDS posted:been a while since the last pre-auth rdp rce CVSS3 Base 9.8 score, pre-authentication, wormable attack against RDP: quote:A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 lol
|
|
#
?
May 14, 2019 19:45
|
|
|
kevin
|
|
#
?
May 14, 2019 19:52
|
|
|
Number19 posted:CVSS3 Base 9.8 score, pre-authentication, wormable attack against RDP: goddamn, there is gonna be a lot of fallout from this one
|
|
#
?
May 14, 2019 19:57
|
|
|
Number19 posted:CVSS3 Base 9.8 score, pre-authentication, wormable attack against RDP:
|
|
#
?
May 14, 2019 19:58
|
|
|
Windows 7 and 2008? Ancient history.
EssOEss fucked around with this message at 20:13 on May 14, 2019 |
|
#
?
May 14, 2019 20:03
|
|
|
quote:Enable Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2
|
|
#
?
May 14, 2019 20:05
|
|
|
ah, its the legacy RDP and you can mitigate with NLA. This isn't so bad unless your shop completely sucks rear end. push a GPO to only support RDP with NLA and you're covered, no patch needed
|
|
#
?
May 14, 2019 20:05
|
|
|
Shaggar posted:NLA is enabled on 7, 2008, and 2008 r2 by default isn't it? yeah but it will also accept legacy RDP. I think you need to screw with GPOs to make it not accept them
|
|
#
?
May 14, 2019 20:05
|
|
|
Edit: double post
|
|
#
?
May 14, 2019 20:12
|
|
|
BangersInMyKnickers posted:yeah but it will also accept legacy RDP. I think you need to screw with GPOs to make it not accept them you do have to force NLA-only mode via gpo/registry. i have that set but patched it anyways because why not
|
|
#
?
May 14, 2019 20:16
|
|
|
also this affects winxp/server 2003 and it's so bad they are pushing legacy patches for those out of support platforms. there's going to be a ton of servers out there that still accept pre-NLA RDP so yeah this could get ugly
|
|
#
?
May 14, 2019 20:17
|
|
|
Number19 posted:you do have to force NLA-only mode via gpo/registry. i have that set but patched it anyways because why not Yeah I think that's why it doesn't impact newer OS's, they stopped supporting legacy RDP auth because that all old lovely XP/2003 could do but we're well pass end of their service life and MS is actually shutting off legacy protocols by default in their new releases
|
|
#
?
May 14, 2019 20:17
|
|
|
|
| # ? Apr 25, 2024 06:31 |
|
|
haveblue posted:what are the odds that you don't type in the name of your favorite beatle but pick it from a dropdown It's not as big of an issue as financial stuff, but United used to make you answer security questions via dropdown when logging in. I'm sure the 10 options the provide for my favorite pizza topping will keep me secure. Fake edit: Lol yeah they still use it.  Lain Iwakura posted:https://twitter.com/business/status/1128294423585071104?s=20 quote:It works on all operating systems, including Apple’s iOS, Google’s Android, and Microsoft’s rarely used mobile version of Windows. gently caress, I thought I was safe with my security through obscurity. 
|
|
#
?
May 14, 2019 20:20
|
|
