Do you have SOC 2 type 2?
# ? Jun 30, 2020 17:42
lol https://twitter.com/FCC/status/1278009203228098562
# ? Jun 30, 2020 18:15
D. Ebdrup posted: Maybe they think it'll be friends.

Thank you for this. I need to go read that series again.
# ? Jun 30, 2020 19:15
Darchangel posted: Thank you for this.
# ? Jun 30, 2020 19:29
droll posted: Last week I was pulled into a SaaS rollout and discovered that the vendor of the application continues to allow direct password login after you federate with SAML. The data stored in this platform was rated a 9 out of 10 on their risk analysis. The vendor DEVELOPERS' response when I asked them WTF they thought SSO was for? "Well it would be a lot of work to fix this so just tell your users to only use the SSO link".
# ? Jun 30, 2020 21:01
No it is not. It's something niche to the industry my employer is in. They're writing a SOW to make us pay for them to fix their security hole, too. If my colleagues had just followed my process we would have caught it before they signed the contract. Not that this always works, they also recently completely ignored our recommendation NOT to use a SaaS vendor that failed miserably in my vetting process, all because the business (1 person) preferred the layout as it was familiar to something she had used before. We already have a really robust platform that does the same thing but she didn't like it. My colleagues refuse to gather hard business requirements that aren't just feelings. It's madness.
# ? Jun 30, 2020 21:49
If it makes you feel any better, at my place we'll roll out a new product without SSO and then get upset that it doesn't have SSO, only to find out that it does and we're idiots.
# ? Jul 1, 2020 06:18
Hubspot does the same, if you have an account that uses SSO, you can just call password reset and use either way. There's a lot of SaaS tooling that just implements SSO hilariously lovely.
# ? Jul 1, 2020 10:22
droll posted: No it is not. It's something niche to the industry my employer is in. They're writing a SOW to make us pay for them to fix their security hole, too. If my colleagues had just followed my process we would have caught it before they signed the contract. Not that this always works, they also recently completely ignored our recommendation NOT to use a SaaS vendor that failed miserably in my vetting process, all because the business (1 person) preferred the layout as it was familiar to something she had used before. We already have a really robust platform that does the same thing but she didn't like it. My colleagues refuse to gather hard business requirements that aren't just feelings. It's madness.

Internet Explorer posted: If it makes you feel any better, at my place we'll roll out a new product without SSO and then get upset that it doesn't have SSO, only to find out that it does and we're idiots.
# ? Jul 1, 2020 11:01
Speaking of SSO, Guacamole supports SAML now: https://guacamole.apache.org/releases/
# ? Jul 1, 2020 17:45
D. Ebdrup posted: I take it you've listened to the radio series? If not, you absolutely should!

Yes, but should listen again, as well.
# ? Jul 1, 2020 18:44
...are they wrong though
# ? Jul 1, 2020 20:27
There's been a takedown of a criminal-exclusive encrypted communication network. https://www.theguardian.com/uk-news/2020/jul/02/blow-for-uk-organised-as-command-and-control-network-is-hit I think this falls in the 'Don't put all your eggs in the same basket' clause of DON'T ROLL YOUR OWN CRYPTO.

Edit: https://www.vice.com/en_uk/article/3aza95/how-police-secretly-took-over-a-global-phone-network-for-organised-crime

Pablo Bluth fucked around with this message at 13:02 on Jul 2, 2020

# ? Jul 2, 2020 12:58
https://twitter.com/fasterthanlime/status/1278645178044121088
# ? Jul 2, 2020 19:19
what the gently caress

is that real?
# ? Jul 2, 2020 19:42
The Fool posted: what the gently caress

https://twitter.com/mrisher/status/1278724912585179136
https://twitter.com/mrisher/status/1278737942932930561

uhhhhh, holy moly. sounds like his PC was compromised, the hacker used the logged-in 2fa-authed session to disable 2fa and steal passwords. "desensitizing to 2fa challenges" is a legit worry, but the one place that you shouldn't worry about it is for turning off the 2fa
# ? Jul 2, 2020 21:00
iOS 14 now pops an alert whenever an app sucks whatever's in your clipboard out. Spoiler: everyone is doing it. https://www.youtube.com/watch?v=pRSWdtoUAjo
# ? Jul 2, 2020 21:06
Klyith posted: uhhhhh, holy moly. sounds like his PC was compromised, the hacker used the logged-in 2fa-authed session to disable 2fa and steal passwords.

There are plenty of instances where an authed device can remove MFA without an MFA challenge. It makes MFA adoption a lot easier, because it makes recovery easier. Using a Google account as an example, they can't do recovery via email. Recovery via SMS is just as problematic, if not more. Expecting users to keep backup codes is having way too much faith in them. Not sure what folks expect. If you don't want this to happen, don't save your login on the device. Then you'll have to MFA every time.
# ? Jul 2, 2020 22:18
AlternateAccount posted: iOS 14 now pops an alert whenever an app sucks whatever's in your clipboard out. Spoiler: everyone is doing it.
# ? Jul 2, 2020 22:31
Honestly I kind of agree with the Google engineer. If someone's popped your computer, you might have bigger problems than Google's threat model.
# ? Jul 2, 2020 22:34
Buff Hardback posted: Honestly I kind of agree with the Google engineer. If someone's popped your computer, you might have bigger problems than Google's threat model.

Counterpoint the second: Soon it'll be obfuscated assembly code. Just loving lol if you think even Google has the skills to do heuristics that can properly protect against all the poo poo that can be done with that.
# ? Jul 2, 2020 22:47
That's the thing though. If you are already that compromised the attacker has no need to pop your google account anyways. They can just sit there and scrape your interactions at the source. They likely get more that way since you have no warning of anything gone awry that might change your behavior.
# ? Jul 2, 2020 23:15
But they didn't. Instead they exploited another vulnerability to strip away your protection from being compromised (and allow them to login whenever they like). It's like allowing someone to change your password without providing your current password. Just dumb.
# ? Jul 3, 2020 00:34
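The fix the posts above are arguing for, as an added example that is not code from Google or from anyone in the thread: a logged-in session keeps working for ordinary actions, but disabling MFA or changing the password demands a fresh second-factor challenge, so a hijacked session cannot strip the protection. Action names, the freshness window and the Session class are all constructed for illustration.

```python
"""Step-up authentication for sensitive account changes (illustrative)."""
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Actions that must not be possible from a merely "still logged in" session.
SENSITIVE_ACTIONS = {"disable_mfa", "change_password", "change_recovery_email"}
# Constructed value: a challenge older than this no longer counts as fresh.
MAX_MFA_AGE_SECONDS = 5 * 60


@dataclass
class Session:
    user: str
    mfa_enrolled: bool
    last_mfa_at: Optional[float] = None  # None: no challenge passed in this session
    audit: List[Tuple] = field(default_factory=list)

    def complete_mfa_challenge(self, now: float) -> None:
        """Record that the second factor was just verified (caller verifies it)."""
        self.last_mfa_at = now
        self.audit.append(("mfa_ok", now))

    def authorize(self, action: str, now: float) -> bool:
        """True if `action` may run now; sensitive actions need a fresh challenge."""
        if action not in SENSITIVE_ACTIONS:
            return True
        if not self.mfa_enrolled:
            # Nothing to step up to; other controls (e.g. current password) apply.
            return True
        fresh = (self.last_mfa_at is not None
                 and now - self.last_mfa_at <= MAX_MFA_AGE_SECONDS)
        # Denials are worth logging: a burst of them is a hijacked-session signal.
        self.audit.append(("step_up_ok" if fresh else "step_up_denied", action, now))
        return fresh


def demo() -> bool:
    """A day-old session may read mail but may not turn MFA off."""
    s = Session(user="alice", mfa_enrolled=True)
    login = time.time()
    s.complete_mfa_challenge(now=login)
    later = login + 24 * 3600
    return s.authorize("read_mail", later) and not s.authorize("disable_mfa", later)
```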
Cup Runneth Over posted: But they didn't. Instead they exploited another vulnerability to strip away your protection from being compromised (and allow them to login whenever they like).

I'm not a security engineer so this may seem a dumb question: how can you disable MFA if you lost your "other" device (whatever that may be, phone, dongle, etc.)? I can see the security hole here, but there's also the practical portion to consider. People do lose/reset/whatever their devices so they need a way to update that token, right? I know DigitalOcean has a set of backup codes that can be used, if you have the paper with them printed, but in a major catastrophe (like your house burning down) odds are they are not stored in a fire-proof safe deposit box or off-site. They should, of course, but more often than not they aren't.

Volguus fucked around with this message at 00:54 on Jul 3, 2020

# ? Jul 3, 2020 00:52
D. Ebdrup posted: Just loving lol if you think even Google has the skills to do heuristics that can properly protect against all the poo poo that can be done with that.

Aren't you describing a holy grail though? Automatic detection of THE INTENT of some arbitrary actions?
# ? Jul 3, 2020 01:01
Because I've been loving with non-Turing-complete languages lately, the idea of analyzing Turing-complete code to determine if it's malicious is as impossible as determining if it halts. To avoid the possibility of endless loop bugs, you write in a non-Turing-complete language. To avoid the possibility of security vulnerabilities, stop running untrusted Turing-complete code on your computer. By definition that will never be safe. Yes this is a long way of saying disable JavaScript and never use WASM.
# ? Jul 3, 2020 01:14
Potato Salad posted: Aren't you describing a holy grail though? Automatic detection of THE INTENT of some arbitrary actions?

xtal posted: Because I've been loving with non-Turing-complete languages lately, the idea of analyzing Turing-complete code to determine if it's malicious is as impossible as determining if it halts. To avoid the possibility of endless loop bugs, you write in a non-Turing-complete language. To avoid the possibility of security vulnerabilities, stop running untrusted Turing-complete code on your computer. By definition that will never be safe. Yes this is a long way of saying disable JavaScript and never use WASM.
# ? Jul 3, 2020 08:09
D. Ebdrup posted: Technically speaking, no language is Turing complete - because the termination checker can't check itself.

That's not what Turing completeness means, at all. You're mixing up Turing completeness with the halting problem.

A language is Turing complete if you can use it to write an emulator for arbitrary Turing machines. A Turing machine is just a finite state machine that takes input from a single spot on an infinite tape, and can optionally overwrite the current tape symbol, shift its position, or halt based on FSM state transitions. The "infinite tape length" and "unlimited possible states" requirements are typically waived when discussing real-world systems, for obvious reasons. That's the entire definition in simple terms. Almost all programming languages are Turing complete. It takes some effort to design a non-Turing complete language, because you can get to a Turing machine with nothing but variable storage, conditionals, and jump instructions (or, if you feel like goto is harmful, loop structures that don't put predefined fixed bounds on the number of trips through the loop, or recursion).

The halting problem is separate. It says that there's no algorithm that can take in a program for a Turing-complete system and an input to that program, and reliably answer the question of whether the program eventually halts. This isn't a limitation of Turing machines; it's just provably mathematically impossible. The concept of a Turing machine doesn't involve a "termination checker," because that's something that can't exist, even in a mathematical abstraction where the Turing machine can have an infinite length tape and an arbitrary number of states for the head.
# ? Jul 3, 2020 08:57
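The FSM-plus-tape model described in the post above, as an added example that is not part of the thread: a small Turing machine emulator run under a step budget. The budget decides nothing about halting (the post explains why nothing can); it is the practical guard a defender actually uses when executing untrusted code. The transition-table format and the two sample machines (a binary incrementer and one that never halts) are constructed for illustration.

```python
"""Turing machine emulator with a step budget (illustrative)."""
from typing import Dict, Optional, Tuple

# Transition table: (state, symbol read) -> (symbol to write, head move, next state).
# Move is -1 (left), 0 (stay) or +1 (right). The tape is a dict so the head can
# wander either way without pre-allocating an "infinite" tape; blanks are " ".
Transitions = Dict[Tuple[str, str], Tuple[str, int, str]]

# Constructed sample: increment a binary number. Head starts on the leftmost
# bit; state 'r' runs right to the end, 'c' carries leftwards, 'h' halts.
BINARY_INCREMENT: Transitions = {
    ("r", "0"): ("0", 1, "r"),
    ("r", "1"): ("1", 1, "r"),
    ("r", " "): (" ", -1, "c"),   # past the end: start carrying
    ("c", "1"): ("0", -1, "c"),   # 1 + carry = 0, keep carrying
    ("c", "0"): ("1", 0, "h"),    # absorb the carry and halt
    ("c", " "): ("1", 0, "h"),    # carry out past the top bit
}

# Constructed sample that never halts: walks right forever.
SPIN: Transitions = {("spin", " "): (" ", 1, "spin")}


def run(tm: Transitions, tape_in: str, start: str, halt: str,
        max_steps: int) -> Tuple[Optional[str], int]:
    """Run `tm` on `tape_in`; return (final tape, steps), or (None, steps)
    when the step budget is exhausted before the machine halts."""
    tape = {i: ch for i, ch in enumerate(tape_in)}
    head, state, steps = 0, start, 0
    while state != halt:
        if steps >= max_steps:        # budget hit: this is NOT a halting decision
            return None, steps
        key = (state, tape.get(head, " "))
        if key not in tm:             # no transition defined: the machine halts
            break
        write, move, state = tm[key]
        tape[head] = write
        head += move
        steps += 1
    if not tape:
        return "", steps
    lo, hi = min(tape), max(tape)
    return "".join(tape.get(i, " ") for i in range(lo, hi + 1)).strip(), steps
```

Binary "011" reaches state 'h' as "100" after 7 steps; SPIN under a budget of 100 is stopped with `(None, 100)`, which is the only kind of verdict a runtime can give about such a program.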
That guy seems pretty dumb if I'm being brutally honest. Thinking that because he can see his own passwords stored in Google's password managers that that means they are being stored in plaintext. I'm also gonna assume he ticked the "Remember this device for 30 days" thing when he logged on to that machine. Which disables 2FA for 30 days because it assumes you are clever enough not to get RAT'd

CyberPingu fucked around with this message at 11:02 on Jul 3, 2020
# ? Jul 3, 2020 09:08
CyberPingu posted: That guy seems pretty dumb if I'm being brutally honest. Thinking that because he can see his own passwords stored in Google's password managers that that means they are being stored in plaintext.

If a security system doesn't work for a normal person it's bad security. When / if 2fa becomes more prevalent, any shortcut to turn off 2fa is going to become an avenue of attack. It's not a thing that google wants to deal with because support costs. And they don't really care about the hit to security because these are one-off attacks which means no major blowback. A thousand people will lose their phones and need to reset their 2fa for every one that is hacked.
# ? Jul 3, 2020 17:23
Klyith posted: If a security system doesn't work for a normal person it's bad security. When / if 2fa becomes more prevalent, any shortcut to turn off 2fa is going to become an avenue of attack.

You were so close, yet so far. Here, I fixed it for you.

quote: If a security system doesn't work for a normal person it's bad security. A thousand people will lose their phones and need to reset their 2fa for every one that is hacked.
# ? Jul 3, 2020 17:28
Internet Explorer posted: You were so close, yet so far. Here, I fixed it for you.

That's not a very good fix though, because anyone who loses their phone without a logged-in session is still boned. For example, a common time to lose your phone is while traveling. Travel also makes the 2fa auth pop again because you're in a new location. The answer to the lost phone problem is to design and promote better account recovery options, not make it trivial to turn off 2fa. Google accounts are so many peoples' master account that everything else in their life is set up to do recovery to. More people should be using 2fa on that. I'm all for usable security, but I think the choice google made is for their maximal convenience, not the best usability & security for users.
# ? Jul 3, 2020 18:49
I mean. People are asked to save backup codes when you set up 2FA for the specific reason of if you lose your phone.
# ? Jul 3, 2020 18:55
CyberPingu posted: I mean. People are asked to save backup codes when you set up 2FA for the specific reason of if you lose your phone.

If you're not a computer toucher or computer toucher adjacent you're not doing that though.
# ? Jul 3, 2020 20:09
FWIW: this was also an edge case of him needing a macOS device so he had bought a VPS running macOS that was using VNC by default, so he installed nomachine. It seems like more of an edge case than "oops rdp popped", so I'm not really sure what the right answer is.
# ? Jul 3, 2020 20:48
Volmarias posted: If you're not a computer toucher or computer toucher adjacent you're not doing that though.
# ? Jul 3, 2020 21:13
Volmarias posted: If you're not a computer toucher or computer toucher adjacent you're not doing that though.

The onus of security of an account is on the user's end. Not the company. The company can provide the tools but it's up to the user if they want to use it. Everyone has the ability to learn how these devices work. Google exists, search engines exist. If they don't want to learn that's on them. If they want to keep secure personal data but don't take appropriate steps to secure it what realistically do you think can be done. Your insurance company isn't going to pay out if your house gets robbed and they found out you left your doors unlocked.
# ? Jul 3, 2020 23:00
Realistically you educate and lower barriers to entry. It is important that safety is accessible to everyone, regardless of their knowledge or skill set or familiarity with computers. Inevitably that means designing for the lowest common denominator, and that’s a good thing! Take the example of yubikeys or hardware 2FA. Right now, they’re great for protection, but hard to train average users to take advantage of and poorly adopted by major service providers. The lower you make the barrier to entry, the more valuable the product, and the more better security practices can spread among consumers. Give it another five to ten years of workshopping and competition in the marketplace, and I’ll be able to get my mother on it.

a reminder: https://www.nngroup.com/articles/computer-skill-levels/

The Iron Rose fucked around with this message at 01:51 on Jul 4, 2020

# ? Jul 4, 2020 01:46
Most 2FA solutions would work for your average Joe user. Even though SMS sucks balls on the secure list, it's still better than nothing and I would wager most people that own a computer also own a phone and have used it to send a message before. Implementing 2FA sucks, the support burden is really bad especially when it comes to resetting it. Depending on what you are providing, most of the time it has to lead to the end user providing proof of account ownership. There are ways of semi-automating that, e.g. memorable security questions or something. But it's still one of the things we struggle with a lot because resetting 2FA for one of our customers usually involves about a 20min phone call to our support.
# ? Jul 4, 2020 08:25
I would be 100% okay with SMS 2FA if the standard had just recommended that every message be prepended with something like "Authentication Code:" so that iOS and Android could look for that in SMS messages and then blur the rest of the contents of the SMS from being displayed on the lock screen. Heck, it should be possible to implement the information as meta-data in the message itself. I'm half-convinced that would solve every problem with SMS 2FA that doesn't involve the targeted attacks, for example where accounts are stolen via social engineering.
# ? Jul 4, 2020 10:20