stevewm posted: Even worse.. the email and phone number are clickable links. Clicking on them lets you update the email or phone number used to "verify".

I love this

Aug 24, 2020 20:41

Apr 26, 2024 14:31
stevewm posted: Some time ago I posted about a card processing company's website we use having absolutely useless 2FA.

Oh good, the old methodology of "Escape the Security Requirement through a couple clicks" lives on past Windows 95. Nothing says "Secure" like "Being so helpful in our UI that you don't have to be secure"

Aug 24, 2020 20:48
Every time I log in, I feel like the tired old movie cliche where someone gets around security by just typing "BYPASS". It takes fewer clicks to bypass than it does to actually use the "verification" process. I would like to point out it SHOWS which email address and/or phone number it is sending the code to. Most other 2FA implementations usually hide this, or only show the last couple characters. It also helpfully tells you that you can click on the email or phone to update it! Bonus: When you change the email, it ALSO changes the email address on the account as well. And it does so without verification. It doesn't send any notification that it has been changed.

Aug 24, 2020 21:17
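The flaw stevewm describes, modelled as an added example (not code from the site in question or from anyone in the thread): the vulnerable contact-change flow next to a hardened one that masks the destination, refuses changes until the second factor is done, makes the new address prove it can receive a code, and tells the old address. `Account`, `Session` and the `outbox` are constructed stand-ins for the site's storage and mail/SMS delivery.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import secrets

@dataclass
class Account:
    email: str
    pending_email: Optional[str] = None  # new address awaiting proof of control
    pending_code: Optional[str] = None

@dataclass
class Session:
    account: Account
    password_ok: bool = False
    second_factor_ok: bool = False
    outbox: List[Tuple[str, str, str]] = field(default_factory=list)  # stand-in for mail/SMS

def mask(contact: str) -> str:
    """Show only a hint of where the 2FA code goes, never the full address."""
    if "@" in contact:
        local, domain = contact.split("@", 1)
        return local[0] + "***@" + domain
    return "***" + contact[-2:]

def vulnerable_change_contact(session: Session, new_email: str) -> str:
    """What the thread describes: reachable from the 2FA prompt with only a password,
    silently rewrites the account email, proves nothing, notifies nobody."""
    session.account.email = new_email
    return new_email

def start_contact_change(session: Session, new_email: str) -> None:
    """Hardened: fully authenticated session only; the new address must prove it can
    receive a code, and the current address is told a change was requested."""
    if not (session.password_ok and session.second_factor_ok):
        raise PermissionError("second factor not completed")
    acct = session.account
    acct.pending_email = new_email
    acct.pending_code = f"{secrets.randbelow(10**6):06d}"
    session.outbox.append(("code", new_email, acct.pending_code))
    session.outbox.append(("notify", acct.email, "email change requested"))

def confirm_contact_change(session: Session, code: str) -> str:
    """Apply the change only once the code sent to the new address comes back."""
    acct = session.account
    if acct.pending_code is None or not secrets.compare_digest(code, acct.pending_code):
        raise PermissionError("bad or missing confirmation code")
    old, acct.email = acct.email, acct.pending_email
    acct.pending_email = acct.pending_code = None
    session.outbox.append(("notify", old, "email changed to " + mask(acct.email)))
    return acct.email
```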
stevewm posted: Some time ago I posted about a card processing company's website we use having absolutely useless 2FA.

I'd totally do more digging around this site. I guarantee you there's some default creds or some dev tokens stored in a css page somewhere

Aug 24, 2020 21:53
That or they didn't scrub the commit pages, like one page I found, and had poor folder permissions for the webhost

Aug 24, 2020 23:30
CommieGIR posted: That or they didn't scrub the commit pages, like one page I found, and had poor folder permissions for the webhost

Guarantee they have a poo poo responsible disclosure system too.

Aug 25, 2020 08:34
CyberPingu posted: Guarantee they have a poo poo responsible disclosure system too.

What is responsible disclosure? Do you mean immediate lawsuit threats?

Aug 25, 2020 09:49
Biowarfare posted: What is responsible disclosure? Do you mean immediate lawsuit threats?

Aug 25, 2020 10:03
Biowarfare posted: What is responsible disclosure? Do you mean immediate lawsuit threats?

Do responsible disclosure stuff not exist in the US?

Aug 25, 2020 10:44
CyberPingu posted: Do responsible disclosure stuff not exist in the US?

If you can be successfully sued for it despite covering your rear end and doing it in good faith, you don't do it in America.

Aug 25, 2020 10:51
Three months ago I responsibly disclosed an issue I found in a website that allows me to log in without a password. I've gotten sick of waiting and am reporting their site to both Square and Stripe, as they integrate for payment processing and their blatant disregard for security horrifies me.

Aug 25, 2020 11:40
Kazinsal posted: If you can be successfully sued for it despite covering your rear end and doing it in good faith, you don't do it in America.

Over here the company in question just tells the cops you hacked and stole something from them and they put you in jail if it's large enough lol. balkan ftw

Aug 25, 2020 12:45
CyberPingu posted: Do responsible disclosure stuff not exist in the US?

It does in the sense that "responsible" is "over Tor and pastebin"

Aug 25, 2020 14:31
xtal posted: It does in the sense that "responsible" is "over Tor and pastebin"

Isn't TOR compromised by the NSA at the very least at this point? I know they had taken over several of the entry/exit nodes a few years back, and would expect that to have become more commonplace

Aug 27, 2020 18:57
RFC2324 posted: Isn't TOR compromised by the NSA at the very least at this point? I know they had taken over several of the entry/exit nodes a few years back, and would expect that to have become more commonplace

You post to a v3 hidden service, not the public internet via an exit

Aug 27, 2020 19:55
RFC2324 posted: Isn't TOR compromised by the NSA at the very least at this point? I know they had taken over several of the entry/exit nodes a few years back, and would expect that to have become more commonplace

Only if you use an exit node, which if you're using tor properly you shouldn't.

Aug 28, 2020 02:05
Wasn't TOR released to the public by the NSA for the specific purpose of obfuscating which of the nodes were actually controlled by the NSA? Shouldn't it have been considered compromised from launch given who designed the spec?

Aug 28, 2020 15:44
klosterdev posted: Wasn't TOR released to the public by the NSA for the specific purpose of obfuscating which of the nodes were actually controlled by the NSA?

Basically, no. The fact that the NSA uses it means it's probably mathematically secure. A lot of crimes have been committed over Tor but there has been no record of Tor being the reason why someone is prosecuted or convicted. For case studies:

1. With Ross Ulbricht, his server leaked the IP address and then he was tracked through conventional means.
2. With Freedom Hosting, the USA deployed Javascript exploits targeting Tor Browser on Windows with the purpose of revealing the IP.

If they could easily break Tor, they wouldn't rely so much on revealing the public IP through side channels. I think there was also a case of someone delivering a bomb threat over Tor to avoid an exam. This was easily tracked down because they could see which computers in the area had connected to Tor and start their investigation there, regardless of what they did. It's true, according to Snowden's leaks, that just using Tor marks people for further surveillance.

xtal fucked around with this message at 15:51 on Aug 28, 2020

Aug 28, 2020 15:49
TOR is perfectly fine if you know what it can and can't do, and how your OS works. The fact that there's a windows client with javascript enabled by default just seems like a huge obvious trap to me, but combined with whonix or tails or whatever it can be very useful.

Aug 28, 2020 16:07
klosterdev posted: Wasn't TOR released to the public by the NSA for the specific purpose of obfuscating which of the nodes were actually controlled by the NSA?

It was designed by the Naval Research Lab as a way for spies (?) to be able to securely communicate. That said, using Tor is going to put you up there on the "do watch" list.

Aug 28, 2020 16:21
Volmarias posted: It was designed by the Naval Research Lab as a way for spies (?) to be able to securely communicate. That said, using Tor is going to put you up there on the "do watch" list.

Everything does, when the loving lunatics are running the asylum, as is the case with this hellworld.

Aug 28, 2020 16:57
D. Ebdrup posted: Posting on SomethingAwful will also land you on watchlists.

Hell, just working as a sysadmin puts you in the spooks' crosshairs, since just about anything they'd like to get into, there's a sysadmin who already has access to it, and we're likely to be the weakest link.

https://theintercept.com/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/

The Intercept posted: Once the agency believes it has identified a sys admin's personal accounts, according to the posts, it can target them with its so-called QUANTUM hacking techniques. The Snowden files reveal that the QUANTUM methods have been used to secretly inject surveillance malware into a Facebook page by sending malicious NSA data packets that appear to originate from a genuine Facebook server. This method tricks a target's computer into accepting the malicious packets, allowing the NSA to infect the targeted computer with a malware "implant" and gain unfettered access to the data stored on its hard drive.

And people wonder why I run noscript and route all my traffic through a good VPN...

Aug 28, 2020 17:19
Powered Descent posted: Hell, just working as a sysadmin puts you in the spooks' crosshairs, since just about anything they'd like to get into, there's a sysadmin who already has access to it, and we're likely to be the weakest link.

If you're on the Mossad side of the Mickens' Mossad/Not-Mossad threat model, you're still vulnerable to rubber hose based attacks.

Aug 28, 2020 18:08
Volmarias posted: If you're on the Mossad side of the Mickens' Mossad/Not-Mossad threat model, you're still vulnerable to rubber hose based attacks.

With that attitude, why take any infosec steps at all? If adversaries are always either incapable or omniscient, with no in-between, then what's the point? In this case, the point is that I just don't want to be an obvious soft target. I'm not likely to be their actual goal, after all. If (by some bizarre circumstance) the feds wanted to warrantlessly hack into my employer's systems, they'd have much better entry point candidates than me. Say, the DBA down the hall who runs all those janky third-party Facebook plugins on his work laptop.

Aug 28, 2020 19:01
Powered Descent posted: With that attitude, why take any infosec steps at all? If adversaries are always either incapable or omniscient, with no in-between, then what's the point?

I'm suggesting you be realistic about what you're actually defending against and how.

Aug 28, 2020 19:19
Volmarias posted: I'm suggesting you be realistic about what you're actually defending against and how.

I'm defending against malware and advertiser tracking by blocking scripts on most sites. I'm defending against my ISP seeing everything I do online (and potentially selling it, now that that's perfectly legal for them to do) by running most of my traffic through a VPN. That same VPN also defends against the MPAA suing me for the small bit of torrenting I still do, keeps every random site I visit from knowing my home IP and physical location, and also enables simple tricks like watching youtube videos that are only supposed to be available in other countries. What exactly is unrealistic about those? It is true that all the stuff about the spooks is a hell of a lot more speculative. But if it's at least partially defended against by the precautions I'm already taking, then hey, that's great. I apologize if I gave the impression that the tinfoil-hat stuff was my only motivation for doing any personal infosec.

Aug 28, 2020 19:57
Powered Descent posted: I'm defending against my ISP seeing everything I do online (and potentially selling it, now that that's perfectly legal for them to do) by running most of my traffic through a VPN.

If you're concerned about privacy from an intrusive network operator, run your own VPN at a trusted location. Your home, your office, a $5/mo VPS with a trusted provider, whatever. Algo makes it drat near trivial to deploy one basically whenever you want, you could pretty easily create them on demand and destroy them when you're done.

quote: That same VPN also defends against the MPAA suing me for the small bit of torrenting I still do, keeps every random site I visit from knowing my home IP and physical location, and also enables simple tricks like watching youtube videos that are only supposed to be available in other countries.

Aug 28, 2020 21:50
Hrm.. That's an interesting idea, making a rclone mount of SA Forums... Time to start hacking!

Aug 28, 2020 22:32
I wonder when Jeffrey is going to start selling SA user data

Aug 28, 2020 22:43
RFC2324 posted: I wonder when Jeffrey is going to start selling SA user data

Jeffrey doesn't own the forums and SA user data is worthless to anyone but the Secret Service, to find out the identities of the C-SPAMmers posting death threats against elected officials.

Fame Douglas fucked around with this message at 22:48 on Aug 28, 2020

Aug 28, 2020 22:45
Jeffrey doesn't need to own the forums if he has deploy rights to code that runs with database access. Snowden didn't own the NSA either.

Aug 28, 2020 22:59
Powered Descent posted: Hell, just working as a sysadmin puts you in the spooks' crosshairs, since just about anything they'd like to get into, there's a sysadmin who already has access to it, and we're likely to be the weakest link.

Aug 28, 2020 23:07
Subjunctive posted: Jeffrey doesn't need to own the forums if he has deploy rights to code that runs with database access. Snowden didn't own the NSA either.

What would the URL for the new shar

Aug 29, 2020 00:00
Jeffrey could be sued, and considering his posting history shows him to not be a "risk-taker", that's not something he'd be willing to do.

Aug 29, 2020 00:04
That's extremely long for a domain name

Aug 29, 2020 00:39
lol if you think I haven't already hacked you all with my elevated privileged access as a mod just lol

Aug 29, 2020 00:55
CLAM DOWN posted: lol if you think I haven't already hacked you all with my elevated privileged access as a mod just lol

How come you never clicked on the suspicious link I PMed you? I mean, not that I would know if you did or not

Aug 29, 2020 03:31
Cup Runneth Over posted: How come you never clicked on the suspicious link I PMed you? I mean, not that I would know if you did or not

I am far far too elite to fall prey to your petty whaling schemes

Aug 29, 2020 03:59
CLAM DOWN posted: I am far far too elite to fall prey to your petty whaling schemes

But there's hot single women in {YOUR_AREA}

Aug 29, 2020 08:38
Subjunctive posted: Snowden didn't own the NSA either.

Well he did in a sense

Aug 29, 2020 09:42