|
Powerful Two-Hander posted:I've posted about our home rolled database query wrapper that manages "secure" access to production databases as it was logging passwords in plaintext (which got fixed), but I was messing around with it today (because if you're not gonna fix the fact that it uses an rdp wrapper that has local admin on a server used to "host" the sessions then I'm going to see what is left on said server) and the session URLs it pings to get the db creds are a) logged b) are not one time, they persist and c) are callable from anywhere storing shared credentials used by a client app is one of those impossible to solve problems. how do you protect credentials from a user but still give them access to those creds inside an application so it can authenticate? Windows has built in data protection apis for it, but it doesnt ultimately protect you from someone who really knows what they're doing. the best you can do is lock down the remote desktop so they cant get to the tools that let them use the data protection api and/or generate the creds on the webservice side you could have the client provide credentials to get the encrypted creds and only store those creds with the legitimate client so you cant access it outside the rdp. this has the same shared creds problem, but if youve done the work to mitigate access to the creds it would improve the security of the webservice the better way to do this is not use shared creds on the client at all. either use windows auth directly to the db and handle security in sql server or create a data service that takes the users creds (as windows or oauth or something) and handle auth in the data service.
|
#
?
Oct 15, 2020 18:19
|
|
|
|
| # ? Apr 23, 2024 08:56 |
|
|
https://twitter.com/jonasLyk/status/1316104870987010048 lol, this guy still making GBS threads on microsoft
|
|
#
?
Oct 15, 2020 19:36
|
|
|
Rufus Ping posted:I don't believe so but maybe subjunctive can weigh in I don’t believe so, no. I haven’t been following it but I suspect someone would have told me if my long-held dream was coming true it would have been great for delegating sub-CAs too, so that Microsoft could issue for *.microsoft.com and be actually restricted rather than just pinky-swearing
|
|
#
?
Oct 15, 2020 19:39
|
|
|
Subjunctive posted:I don’t believe so, no. I haven’t been following it but I suspect someone would have told me if my long-held dream was coming true intermediate CA's with name constraints are not uncommon, but nothing on the roots AFAIK
|
|
#
?
Oct 15, 2020 20:38
|
|
|
apseudonym posted:intermediate CA's with name constraints are not uncommon, but nothing on the roots AFAIK that's great. last I looked at it iPhones didn't support the extension, which means that you couldn't mark it critical, which meant it wasn't super useful. that was at least 3 years ago, though
|
|
#
?
Oct 15, 2020 20:46
|
|
|
Shaggar posted:storing shared credentials used by a client app is one of those impossible to solve problems. how do you protect credentials from a user but still give them access to those creds inside an application so it can authenticate? i agree with all this pretty much, and I've said similar stuff when people go "alright so what would you do then?" but it gets pretty much ignored. like idk over a year ago I flagged that there is only one level of account permissions "allowed" on servers and that's admin. No separate login as a Service role, just admin, so even if you use Windows auth for your db access, chances are that account can be used to log on to a host directly and then go nuts. edit: I should clarify you can still do logon as a Service by granting at service setup but you'd need an account to logon to the server in the first place and that will have admin rights so ahhhhhh Powerful Two-Hander fucked around with this message at 21:33 on Oct 15, 2020 |
|
#
?
Oct 15, 2020 21:25
|
|
|
Subjunctive posted:that's great. last I looked at it iPhones didn't support the extension, which means that you couldn't mark it critical, which meant it wasn't super useful. that was at least 3 years ago, though Wow, iOS didn't support Name Constraints till 10.13...
|
|
#
?
Oct 15, 2020 21:33
|
|
|
apseudonym posted:Wow, iOS didn't support Name Constraints till 10.13... yeah, so you still can’t mark it critical...
|
|
#
?
Oct 15, 2020 21:39
|
|
|
Subjunctive posted:yeah, so you still can’t mark it critical...  critical or not won't matter on platforms that support it at least I guess
|
|
#
?
Oct 15, 2020 21:40
|
|
|
Powerful Two-Hander posted:i agree with all this pretty much, and I've said similar stuff when people go "alright so what would you do then?" but it gets pretty much ignored. yeah granting users access to the sql db directly is not a great option (especially if you arent using procs) cause they can just do the access from wherever. altho u could restrict access to the db via the firewall so only the rdp hosts and maybe some known administrator hosts can access.
|
|
#
?
Oct 15, 2020 21:44
|
|
|
https://twitter.com/__steele/status/1316914387710599168
|
|
#
?
Oct 16, 2020 03:40
|
|
|
Nice
|
|
#
?
Oct 16, 2020 04:09
|
|
|
xtal posted:Nice
|
|
#
?
Oct 16, 2020 05:29
|
|
|
Truga posted:https://twitter.com/jonasLyk/status/1316104870987010048 was this the same guy who had a baffling "POC" video involving being able to tab through hidden fields on a windows login screen and then when microsoft told him that wasn't a critical vuln he just screamed about how not owned he was until he vanished or was that someone else
|
|
#
?
Oct 16, 2020 05:59
|
|
|
SoundMonkey posted:was this the same guy who had a baffling "POC" video involving being able to tab through hidden fields on a windows login screen and then when microsoft told him that wasn't a critical vuln he just screamed about how not owned he was until he vanished that's him and he owns
|
|
#
?
Oct 16, 2020 06:09
|
|
|
wait until he discovers that nothing enforces ntfs permissions if you read the file system outside of windows
|
|
#
?
Oct 16, 2020 13:58
|
|
|
that sounds harder to exploit from inside a vm guest
|
|
#
?
Oct 16, 2020 14:02
|
|
|
it does?
|
|
#
?
Oct 16, 2020 14:03
|
|
|
install gentoo, op
|
|
#
?
Oct 16, 2020 19:15
|
|
|
Carthag Tuek posted:install gentoo, op don't post post suicide requests
|
|
#
?
Oct 16, 2020 19:48
|
|
|
It sounds like he's saying that normal users now have read only access to raw block devices by default which does actually seem to be a real permissions issue?
|
|
#
?
Oct 17, 2020 02:30
|
|
|
there should be a physical pull tab you can flip on a hard drive to secure it similar to the security mechanism on cassette tapes
|
|
#
?
Oct 17, 2020 07:22
|
|
|
Computer Serf posted:there should be a physical pull tab you can flip on a hard drive to secure it similar to the security mechanism on cassette tapes if there's one thing computer and electronics developers are good at, it's physical security mechanisms
|
|
#
?
Oct 17, 2020 07:36
|
|
|
mystes posted:It sounds like he's saying that normal users now have read only access to raw block devices by default which does actually seem to be a real permissions issue? edit: well technically I didn't test a completely normal user but it works while non-elevated Dylan16807 fucked around with this message at 08:56 on Oct 17, 2020 |
|
#
?
Oct 17, 2020 08:54
|
|
|
SoundMonkey posted:if there's one thing developers are good at, it's security
|
|
#
?
Oct 17, 2020 10:38
|
|
|
Computer Serf posted:there should be a physical pull tab you can flip on a hard drive to secure it similar to the security mechanism on cassette tapes brb hacking my hard drive with a hole puncher
|
|
#
?
Oct 17, 2020 15:44
|
|
|
Computer Serf posted:there should be a physical pull tab you can flip on a hard drive to secure it similar to the security mechanism on cassette tapes how about a write protect screw instead?
|
|
#
?
Oct 17, 2020 16:01
|
|
|
Trabisnikof posted:how about a write protect screw instead? text me
|
|
#
?
Oct 17, 2020 16:04
|
|
|
Carthag Tuek posted:brb hacking my hard drive with a hole puncher https://www.youtube.com/watch?v=-bpX8YvNg6Y
|
|
#
?
Oct 17, 2020 18:46
|
|
|
your voting system is a pos https://twitter.com/Perpetualmaniac/status/1317695488565665793?s=20
|
|
#
?
Oct 18, 2020 07:27
|
|
|
crepeface posted:your voting system is a pos 
|
|
#
?
Oct 18, 2020 08:31
|
|
|
goes without saying but seriously don’t touch this poop.
|
|
#
?
Oct 18, 2020 08:35
|
|
|
no charges will be filed because lmao fascists facing justice for anything in hellyear 2020
|
|
#
?
Oct 18, 2020 08:40
|
|
|
Midjack posted:goes without saying but seriously don’t touch this poop. instead, watch 4chan wallow in it like common swine and then be the INTERNET HACKER FORUM that CNN is talking about tomorrow morning
|
|
#
?
Oct 18, 2020 08:41
|
|
|
Midjack posted:goes without saying but seriously don’t touch this poop. too late. please welcome the new president of the united states, nick mullen
|
|
#
?
Oct 18, 2020 08:44
|
|
|
The SecFuck is believing anything from 4chan that discredits election results
|
|
#
?
Oct 18, 2020 16:25
|
|
|
Funny if fake, funny if real
|
|
#
?
Oct 18, 2020 16:42
|
|
|
according to people who know what they're talking about, there is no way to use that to actually change someone's vote without committing big boy crimes. the warning popups are inaccurate or poorly worded
|
|
#
?
Oct 18, 2020 16:59
|
|
|
Invalidating someone's vote is bad enough.
|
|
#
?
Oct 18, 2020 17:54
|
|
|
|
| # ? Apr 23, 2024 08:56 |
|
|
spankmeister posted:Invalidating someone's vote is bad enough.
|
|
#
?
Oct 18, 2020 18:28
|
|