|
https://splashdot.github.io/scam1/ This was interesting: a scam specifically targeting those smart enough to take advantage of an IDOR, but not smart enough to realize they're being baited.
|
#
?
Nov 4, 2021 14:15
|
|
|
|
| # ? Apr 18, 2024 17:28 |
|
|
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/crypkey-license-service-allows-privilege-escalation/ https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=29486 quote:06/11/2021 - Initial email to vendor lol
|
|
#
?
Nov 4, 2021 16:02
|
|
|
rafikki posted:https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/crypkey-license-service-allows-privilege-escalation/ Disappointed this wasn’t called CrypKeeper with a fancy website and custom domain. c’mon trustwave have some fun with it.
|
|
#
?
Nov 4, 2021 17:52
|
|
|
looks like it's mostly used as copy protection for all kinds of SCADA poo poo, cool, cool
|
|
#
?
Nov 4, 2021 18:02
|
|
|
shame on an IGA posted:looks like it's mostly used as copy protection for all kinds of SCADA poo poo, cool, cool
|
|
#
?
Nov 4, 2021 18:26
|
|
|
cryyper
|
|
#
?
Nov 4, 2021 18:32
|
|
|
mystes posted:Luckily privilege escalation isn't a big deal when everyone's just vncing in with a shared administrator password. lol 
|
|
#
?
Nov 4, 2021 19:19
|
|
|
Holy poo poo VNC. I forgot about that
|
|
#
?
Nov 4, 2021 20:39
|
|
|
Welcome to OT networks.
|
|
#
?
Nov 4, 2021 20:43
|
|
|
mystes posted:Luckily privilege escalation isn't a big deal when everyone's just vncing in with a shared administrator password. idk, seems to me the gently caress up would be allowing anyone who you don't expect to have admin the ability to login to control systems at all.
|
|
#
?
Nov 4, 2021 20:43
|
|
|
i use VNC every day to talk to my windows vm on my linux server that runs some ham radio software that connects to a raspberry pi thats hooked to a 35 year old radio. works great
|
|
#
?
Nov 4, 2021 21:23
|
|
|
I feel like thats VNC's primary purpose; as but one portion of a rube goldbergian contraption designed to do a thing so esoteric that there isnt a turnkey solution for it
|
|
#
?
Nov 4, 2021 21:25
|
|
|
Jonny 290 posted:i use VNC every day to talk to my windows vm on my linux server that runs some ham radio software that connects to a raspberry pi thats hooked to a 35 year old radio. works great This is very similar to the average OT network tbh
|
|
#
?
Nov 4, 2021 22:00
|
|
|
i use nomachine instead of vnc. it works pretty well.
|
|
#
?
Nov 4, 2021 22:14
|
|
|
Jonny 290 posted:i use VNC every day to talk to my windows vm on my linux server that runs some ham radio software that connects to a raspberry pi thats hooked to a 35 year old radio. works great
|
|
#
?
Nov 4, 2021 22:27
|
|
|
I use VNC to prepare my PC for GameStream/Steam Link because apparently putting a feature into either that will automatically change resolution without creating weird scaling or aspect ratio issues would be too hard. This all takes place on my own network, though. It's not exposed to the internet.
|
|
#
?
Nov 5, 2021 04:17
|
|
|
shout out to the sr network engineer at a regional retail company that had a vnc box with no password whatsoever sitting under his desk. guess what the entry point was for the pen test consultant team to go from zero to domain admin in about 2 hours, from a store computer vlan?
|
|
#
?
Nov 5, 2021 10:11
|
|
|
finally we know da vnc code
|
|
#
?
Nov 5, 2021 10:29
|
|
|
https://github.com/advisories/GHSA-73qr-pfmq-6rp8quote:The npm package coa had versions published with malicious code. Users of affected versions (2.0.3 and above) should downgrade to 2.0.2 as soon as possible and check their systems for suspicious activity. See this issue for details as they unfold. This is pretty bad, lol.
|
|
#
?
Nov 5, 2021 13:36
|
|
|
we clearly need node but on blockchain so we can know which versions are bad
|
|
#
?
Nov 5, 2021 13:40
|
|
|
quote:COA is a parser for command line options that aim to get maximum profit from formalization your program API. what
|
|
#
?
Nov 5, 2021 14:01
|
|
|
COA is parser for command line options that good grammar (and also malware!)
|
|
#
?
Nov 5, 2021 14:16
|
|
|
mystes posted:https://github.com/advisories/GHSA-73qr-pfmq-6rp8 terrible coa incidents. 
|
|
#
?
Nov 5, 2021 14:16
|
|
|
https://github.com/advisories/GHSA-g2q5-5433-rhrf posted:rc  humm I wonder why they picked this one to infect, too
|
|
#
?
Nov 5, 2021 14:29
|
|
|
Love the vague feeling of nausea as I hit enter on my command to check the versions of a potentially compromised node package that is on my system even though I never installed it directly.
|
|
#
?
Nov 5, 2021 14:31
|
|
|
I've got it, but an old version. Good job I've been ignoring the dependabot PRs for years!
|
|
#
?
Nov 5, 2021 14:36
|
|
|
spankmeister posted:Welcome to OT networks. Everytime i interact with OT im stunned with how loving low effort every thing in that space is. I get that a lot of it needs a light footprint but the poo poo used to manage the stuff is also straight outta 2005.
|
|
#
?
Nov 5, 2021 16:43
|
|
|
npm 
|
|
#
?
Nov 5, 2021 16:51
|
|
|
home:code:code:code:code:
|
|
#
?
Nov 5, 2021 16:53
|
|
|
realtalk why does npm get got so often when rubygems, python's thing whatever it is, and cpan don't seem to hit this despite broadly similar models? is it because of javascript's lovely stdlib that has taught people to import a million packages for everything, so one being bad has a higher blast radius? different skill level of the community? wider usage? i suspect a combination of all that but 
|
|
#
?
Nov 5, 2021 17:23
|
|
|
Speaking of node, I have a long-standing belief that you can tell the quality of a project immediately by how well its build system is set up. Node is at the bottom of that list.
|
|
#
?
Nov 5, 2021 17:24
|
|
|
Achmed Jones posted:realtalk why does npm get got so often when rubygems, python's thing whatever it is, and cpan don't seem to hit this despite broadly similar models? is it because of javascript's lovely stdlib that has taught people to import a million packages for everything, so one being bad has a higher blast radius? different skill level of the community? wider usage? maybe they do get hit and no one has noticed
|
|
#
?
Nov 5, 2021 17:31
|
|
|
Achmed Jones posted:is it because of javascript's lovely stdlib that has taught people to import a million packages for everything, so one being bad has a higher blast radius? different skill level of the community? probably these two. even a tiny little project that depends on a single popular framework will import an unreal amount of dependencies. also, javascript developers aren't very smart people, and don't quite understand what they're doing, or the consequences of their actions.
|
|
#
?
Nov 5, 2021 17:38
|
|
|
CRIP EATIN BREAD posted:probably these two. even a tiny little project that depends on a single popular framework will import an unreal amount of dependencies. also, javascript developers aren't very smart people, and don't quite understand what they're doing, or the consequences of their actions. very few people will voluntarily remain javascript developers once they understand what they are doing, and the consequences of their actions
|
|
#
?
Nov 5, 2021 17:40
|
|
|
Achmed Jones posted:realtalk why does npm get got so often when rubygems, python's thing whatever it is, and cpan don't seem to hit this despite broadly similar models? is it because of javascript's lovely stdlib that has taught people to import a million packages for everything, so one being bad has a higher blast radius? different skill level of the community? wider usage? it's because rubygems doesn't make it easy to run arbitrary code every time it installs or packages a release when you type "npm install" to download a dependency, that dependency can also come with pre-install hooks which can execute code before the dependency even finishes installing it's quite simple since they don't have to even look at the original project's code to add an exploit. they just add a line to the package.json that executes their malicious file directly a quick stackoverflow skim says it takes a lot of customization and hoop-jumping to set that up in rubygems, but NPM supports those hooks right out of the box and has them turned on by default
|
|
#
?
Nov 5, 2021 18:14
|
|
|
nah it's trivial in rubygems https://www.rubydoc.info/github/rubygems/rubygems/Gem.post_install
|
|
#
?
Nov 5, 2021 18:50
|
|
|
could also be that rubygems has better security re: compromised accounts fuckin up packages (or demographic differences where owners don't use mfa etc) i havent used cpan in like uhh almost 20 years now so no idea what's going on there Penisface posted:very few people will voluntarily remain javascript developers once they understand what they are doing, and the consequences of their actions lol this really does match with, like, 95% of the devs i know. there's a couple that purposefully touch js but dang it aint many
|
|
#
?
Nov 5, 2021 18:55
|
|
|
i work at a ruby shop and it does happen but infrequently. one strong advantage for ruby is that it’s a dead language that it’s only used by a handful of senior developers world-wide, so the payoff for building a custom vuln for some rails factory #9363 is quite low
|
|
#
?
Nov 5, 2021 18:57
|
|
|
yeah that's true enough. once ruby stopped being the bootcamp du jour a lot of things changed with it of course that whole section of my resume is basically useless now but i suppose it doesn't really matter. and im sure that if i really want to ever touch ruby again there'll always be a few legacy rails shops limping along. and tons of people use puppet but ehhhhhh
|
|
#
?
Nov 5, 2021 19:01
|
|
|
|
| # ? Apr 18, 2024 17:28 |
|
|
rails being ~omakase~ probably had some incidental security benefits here. it has a pretty sprawling dependency tree but a lot fewer of those dependencies are just some rando's side project and there is at least theoretically someone looking at the entire dependency tree and vaguely validating it.
|
|
#
?
Nov 5, 2021 19:37
|
|
