|
Remote attestation has other uses - like, a server can ensure that a client isn't being mitm'd even without previously knowing anything about the client - but yeah, those are the two main ones.
|
# ? Jan 9, 2020 03:04 |
|
u can build a virtual hsm, e.g. a signing oracle that won't spill key material to even a root-level attacker (or even the VM host, if ur running in a VM)
|
# ? Jan 9, 2020 03:17 |
|
animist posted:
random question. Are there any applications for SGX besides DRM and spyware

Doing computing on a potentially untrustworthy cloud platform (or at least untrustworthy in that it could be compromised), although that starts turning into a Turtles All The Way Down situation for actually performing the networking securely etc.
|
# ? Jan 9, 2020 03:45 |
|
very glad I missed watching people relitigate asset signing and user evaluation of signatories!

anyway, we’re a week before Win 7 EOL and it looks like Firefox stumbled into a kernel bug caused by the Meltdown mitigations

https://bugzilla.mozilla.org/show_bug.cgi?id=1606138

(it’s a fun little mystery, but the punchline is in comment 25)
|
# ? Jan 9, 2020 08:42 |
|
Subjunctive posted:
very glad I missed watching people relitigate asset signing and user evaluation of signatories!

This is good content
|
# ? Jan 9, 2020 14:44 |
|
Subjunctive posted:https://bugzilla.mozilla.org/show_bug.cgi?id=1606138
|
# ? Jan 9, 2020 14:51 |
|
oh drat did I miss code signing and whitelisting chat

oh well, hope y’all don’t have any netscalers anywhere important.

https://twitter.com/gossithedog/status/1216314355752620033?s=21

e: ahahaha https://twitter.com/gossithedog/status/1216305228561158144?s=21
|
# ? Jan 12, 2020 15:20 |
lol discord
|
|
# ? Jan 13, 2020 00:47 |
|
came to post that just now — it’s like they are holding phishing’s beer
|
# ? Jan 13, 2020 00:51 |
|
Shifty Pony posted:
lol discord

I don't really get how the feature is "very useful" to begin with.
|
# ? Jan 13, 2020 00:55 |
|
I've seen a number of sites that work the same way, like this google thing: https://messages.google.com/web/authentication Seems like they could improve these a minimal amount by having a "Are you sure you want to log in at a computer in ${location}?" Not going to stop anyone though.
|
# ? Jan 13, 2020 01:11 |
Guy Axlerod posted:
I've seen a number of sites that work the same way, like this google thing: https://messages.google.com/web/authentication

maybe require typing in a code from the phone on the computer you are attempting to login?
|
|
# ? Jan 13, 2020 01:17 |
|
LIVE AMMO COSPLAY posted:
I don't really get how the feature is "very useful" to begin with.

it's how a lot of phone chat apps work so you don't have to enter your password, you just have to prove you have control over another thing that's already logged in

it's generally not done with QR codes though, for this exact reason
|
# ? Jan 13, 2020 01:43 |
|
Shifty Pony posted:
lol discord

given the description of the system here I don't understand how an attacker can get control of your account.

so it lets you log in faster because you scan a QR code that contains I guess your login credentials, so I guess if someone tricks you into giving them that QR code they get your account

but how does scanning a rando QR code do anything other than throw an error (because it's invalid) or log you into someone else's account (because it's valid)????
|
# ? Jan 13, 2020 01:45 |
|
BattleMaster posted:
given the description of the system here I don't understand how an attacker can get control of your account.

Here's how it works:

1. You try to log in.
2. The device you're trying to log in on shows you a QR code identifying the device.
3. You scan the QR code with your phone that's already logged in, your phone processes the QR code and tells the service provider to log in the new device.

You might think that there are blindingly obvious security issues with this flow, and you'd be right. You might think that nobody would be dumb enough to implement it, and you'd be wrong.
|
# ? Jan 13, 2020 01:52 |
|
on ios discord the qr code scanner is literally impossible to find, so that's kind of nice?
|
# ? Jan 13, 2020 02:07 |
|
Jabor posted:
Here's how it works:

that's way dumber than I thought
|
# ? Jan 13, 2020 02:12 |
BattleMaster posted:
that's way dumber than I thought

it always is.
|
|
# ? Jan 13, 2020 02:15 |
|
Jabor posted:
Here's how it works:

wait, so this is the workflow for linking signal desktop to signal except instead of your actions generating the code in a special flow and the linking process making it blindingly clear what happens when you point your camera at it, it just automagically does it if you point the camera at a QR code in that view?

unrelated, i really need to get a cloth pattern made out of tiled QR codes someday and just photobomb everything
|
# ? Jan 13, 2020 03:03 |
so the discord app says "yup, this sure is a QR code" more or less and gives full access? lmao
|
|
# ? Jan 13, 2020 03:18 |
|
.
GWBBQ fucked around with this message at 19:43 on Jan 14, 2020 |
# ? Jan 13, 2020 03:18 |
|
Skim Milk posted:
so the discord app says "yup, this sure is a QR code" more or less and gives full access? lmao

No, I'm sure it decodes the code and hands the authentication token back to the server. What it doesn't do is ask (in the phone app) are you trying to log in using Google Chrome on Windows 10 in Denver, Colorado? or whatever.

edit: Having tested it out, the web site displays a QR code next to the username & password fields. Scanning the QR code in the app displays a prompt in the app telling you to look at the PC to verify you're logging in with the right user. The PC has switched to displaying your username. You tap a "Let's Go" button in the app, and your PC logs in.

The text prompt in the app is some cutesy bullshit about magic passes in the usual Discord style. It does technically say you're logging in but I'm not at all surprised that the end users were easily tricked into this, especially if they haven't logged out in a while and seen the QR codes at the login prompt.

pseudorandom name fucked around with this message at 03:38 on Jan 13, 2020 |
# ? Jan 13, 2020 03:22 |
|
https://twitter.com/TwelveSecurity/status/1215400715297968135

elasticsearch paywalling the auth plugin is a decision that is continuing to pay dividends, mongo style
|
# ? Jan 13, 2020 07:24 |
|
ive never used discord but on googles messages for web you have to specifically go into the messages for web interface to get to the code scanner and then you get a notification saying you are connected to the web client and even afterward periodically the notification informing you that you are connected to the web client will return

what is discord doing wrong here? do they log you in if you just scan any random qr code without going into the "link to web client" option first or are they not notifying you that you have done so?
|
# ? Jan 13, 2020 07:25 |
|
LastInLine posted:
what is discord doing wrong here? do they log you in if you just scan any random qr code without going into the "link to web client" option first or are they not notifying you that you have done so?

the discord app is doing a really bad job of telling the user that they are in the process of logging in on another computer because they use idiotic cutesy gamer lingo and tell the app nothing about the desktop login (geolocation, operating system, browser) to prevent MITM

the social engineering is something about logging in for a contest, and the app UX is so terrible that it doesn’t really contradict that, especially if you’re a naive kid
|
# ? Jan 13, 2020 07:32 |
|
The user gets an e‐mail or whatever that says “hey scan this QR code using the Discord app and get free stuff”. So they open the Discord app and tap “scan QR code”. The app isn’t clear that the QR code scanning feature is only for logging in on another device. It will not be used for promotions or anything else. Never point it at any page that isn’t an official Discord one.
|
# ? Jan 13, 2020 07:40 |
|
Storysmith posted:
https://twitter.com/TwelveSecurity/status/1215400715297968135

that guy really hates wyze huh
|
# ? Jan 13, 2020 07:41 |
|
|
# ? Jan 13, 2020 07:43 |
|
Yikes
|
# ? Jan 13, 2020 09:47 |
|
Acer Pilot posted:
that guy really hates wyze huh

he's got a big old boner for chinese conspiracies
|
# ? Jan 13, 2020 12:20 |
Platystemon posted:
The user gets an e‐mail or whatever that says “hey scan this QR code using the Discord app and get free stuff”.

also there is apparently effectively zero attempt to make sure that the code being scanned is being generated by the computer client that the phone is physically at. the client login QR code is static so an image of it can be sent to a victim and it will work.

the client QR code should be rotating every few seconds and once scanned should immediately change to encode some form of token passed from the phone to the server to the client with a very short validity window (like a second or so, max).

ideally they should have the time-limited qr codes and have a manual confirmation where the person types a code from the phone app into the computer client being logged in. I'm fairly sure google Authenticator requires that.
|
|
# ? Jan 13, 2020 12:39 |
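Added example, not part of any post in the thread and not Discord's code: a minimal server-side sketch of the mitigations suggested in the post above (QR tokens that rotate and expire, single use, and a confirmation code typed from the phone into the computer). `QrLoginServer`, its method names and the TTL values are assumptions made for illustration.

```python
import hmac
import secrets
import time

QR_TTL = 30       # assumed: seconds one displayed QR code stays scannable
CONFIRM_TTL = 60  # assumed: seconds allowed to type the code after a scan

class QrLoginServer:
    """Hypothetical server side of scan-to-login; all names are illustrative."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}  # qr_token -> pending login state

    def new_qr(self, desktop_info):
        """Desktop requests a fresh token; it calls this again on every rotation."""
        token = secrets.token_urlsafe(32)
        self.pending[token] = {"desktop": desktop_info, "user": None,
                               "code": None, "expires": self.clock() + QR_TTL}
        return token

    def scan(self, token, user):
        """Logged-in phone submits a scanned token.

        Returns (desktop_info, code) for the phone to display, or None.
        """
        s = self.pending.get(token)
        if s is None or s["user"] is not None:  # unknown or already scanned
            return None
        if self.clock() > s["expires"]:         # stale image of an old code
            del self.pending[token]
            return None
        s["user"] = user
        s["code"] = f"{secrets.randbelow(10**6):06d}"
        s["expires"] = self.clock() + CONFIRM_TTL
        return s["desktop"], s["code"]

    def confirm(self, token, typed_code):
        """Desktop submits the code the user read off the phone; one attempt only."""
        s = self.pending.pop(token, None)
        if s is None or s["user"] is None or self.clock() > s["expires"]:
            return None
        if not hmac.compare_digest(s["code"].encode(), typed_code.encode()):
            return None
        return s["user"]  # desktop session is issued for this user
```

The desktop description returned by `scan` is what the phone app would show alongside the code, so the user can check that it matches the computer in front of them.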
|
do the discord QR codes also have some kind of url handler to redirect the scanner into the app?
|
# ? Jan 13, 2020 13:39 |
|
BattleMaster posted:
that's way dumber than I thought

new thread title imo
|
# ? Jan 13, 2020 14:00 |
|
Another branded vulnerability https://cablehaunt.com/

buffer overflow in a bunch of cable modems

edit: running broadcom's eCos

although they acknowledge that branded stuff is somewhat fearmongering

quote:
From our perspective, our only choice was to go big and branded to try to reach the affected end-users and let awareness bubble up from there. With this we run the risk of being seen as fearmongering upstarts who tries to sensationalize a buffer overflow in modems which some people would say is almost expected to be vulnerable. But this universal acceptance of modems and routers being insecure was not something we wanted to add to.
|
# ? Jan 13, 2020 16:15 |
|
big and branded
|
# ? Jan 13, 2020 16:17 |
|
fins posted:
...

Project zero 3 part blog post on this is up now https://googleprojectzero.blogspot.com/2020/01/remote-iphone-exploitation-part-1.html
|
# ? Jan 13, 2020 16:27 |
|
Cocoa Crispies posted:
do the discord QR codes also have some kind of url handler to redirect the scanner into the app?

the QR codes contain a discordapp.com URL, so if you scan it via e.g. the iOS Camera app it'll ask you if you want to open it in Discord, which will jump straight to the Discord QR code scanner and make you scan it again
|
# ? Jan 13, 2020 18:00 |
|
ewiley posted:
oh drat did I miss code signing and whitelisting chat

wait, whats up with netscalers
|
# ? Jan 13, 2020 18:40 |
|
If you didnt mitigate them before last weekend some cryptominer script kiddie will have written a bunch of nonsense to your /netscaler/portal/templates directory and tried to replace your netscaler daemon

https://twitter.com/cyb3rops/status/1216310642552049666

https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/
|
# ? Jan 13, 2020 19:07 |
|
https://twitter.com/0xSkywalker/status/1216334099851481090
|
# ? Jan 13, 2020 21:37 |