Zamujasa posted:
> they mention the previous version only looked at the list of files; they're trying to find any shortcuts to iexplore.exe even if they have a non-standard name

Sep 30, 2023 04:38

jokes on them, all my porn is in a folder called not porn in c: root, not getting my homegrown billy
Hearing rumours at my company that they got told by Lastpass that the breach was backups for all their users and they are going to drop a report about it next week lol. Lastpass is hosed.
Carrier posted:
> Hearing rumours at my company that they got told by Lastpass that the breach was backups for all their users and they are going to drop a report about it next week lol. Lastpass is hosed.

lmao and their last report was very specifically angling for that to have not been the case. security crew next week is going to be skyrim guards lmao
Amazing how LastPass and all these guys never learn that transparency upfront with customers goes a long way. Enjoy the hit to your business
lomarfPass
cinci zoo sniper posted:
> lmao and their last report was very specifically angling for that to have not been the case. security crew next week is going to be skyrim guards lmao

I thought they already admitted they lost control of all the encrypted lastpass vaults from a backup source, or is this something else related to GoTo backups?
Dr_0ctag0n posted:
> I thought they already admitted they lost control of all the encrypted lastpass vaults from a backup source, or is this something else related to GoTo backups?

im referring just to the most recent (lol) disclosure, https://www.goto.com/blog/our-response-to-a-recent-security-incident

quote:
> Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere. We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups. The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information. In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.

the vaults were gone yes, but here they talk about encryption keys, implying a specific set of services being affected by that, as in not lastpass. while every sane security team should have been operating under the assumption that every single lastpass item is compromised from the original disclosure of the current lastpass story arc, the optics for them are going to be, miraculously, even more catastrophic if they need to add to the above that lastpass was in fact further pwned
Captain Foo posted:
> lomarfPass
edit: I don’t know the difference between lastpass and circleci lol
Pollyanna posted:
> edit: I don’t know the difference between lastpass and circleci lol

in your defence, they’re the same thing - a software product you shouldn’t be using
Captain Foo posted:
> lomarfPass

LaffPass
Wiggly Wayne DDS posted:
> lol why does this go back two years

libg deez nutls
godaddy truly is a universal hosting services provider https://www.bleepingcomputer.com/news/security/godaddy-hackers-stole-source-code-installed-malware-in-multi-year-breach/
Twitter is making SMS based MFA require a Twitter Blue subscription. Non-paying users either have to manually remove SMS MFA from their account themselves or switch to an app or token based MFA, else they risk being locked out of their account in a month.
sms mfa should never be allowed in the first place
some mfas always trying to skate uphill
dpkg chopra posted:
> some mfas always trying skate uphill

CRIP EATIN BREAD posted:
> sms mfa should never be allowed in the first place

yeah, people are having a meltdown over this like it's some kind of security nightmare, but as noted it's only making the non-blue accounts more secure
infernal machines posted:
> yeah, people are having a meltdown over this like it's some kind of security nightmare, but as noted it's only making the non-blue accounts more secure

like most things lonny is involved in, the risk increases the more you pay
somehow mfers at work keep turning off their mfa on google workspace, forcing me to add them to the exemption group temporarily when their session eventually expires
infernal machines posted:
> yeah, people are having a meltdown over this like it's some kind of security nightmare, but as noted it's only making the non-blue accounts more secure

are we really at a point where sim swapping is so bad and easy that we’re back to single-factor logins being better if you don’t have a hardware token?
i think we're at the point where app based and totp mfa are considerably better, and they are both available options for blue and non-blue accounts. per people complaining about the loss of sms: if you are not a twitter blue subscriber, you still have at least two other mfa options, you just can't use sms mfa, presumably because sms messages cost money to send.
infernal machines posted:
> yeah, people are having a meltdown over this like it's some kind of security nightmare, but as noted it's only making the non-blue accounts more secure

Agile Vector posted:
> like most things lonny is involved in, the risk increases the more you pay

really it's the perfect analogy, you have to pay for tesla "fsd" too
El Mero Mero posted:
> are we really at a point where sim swapping is so bad and easy that we’re back to single-factor logins being better if you don’t have a hardware token?

have you heard of totp
cinci zoo sniper posted:
> have you heard of totp
cinci zoo sniper posted:
> have you heard of totp

what is this new technology, im pretty sure a mainstream site like google hasnt integrated it for a decade or anything like that
el mero mero is right. there's a ton of people who won't use totp but will use sms mfa. they are much better off with sms mfa than no mfa. that there's another better (but less user friendly) choice is irrelevant and misses the point
gently caress those people then, they can go kick rocks
If nothing else consider how much harder it's going to be to convince people to migrate away from SMS MFA now that Elon is marking it as a premium feature.
Achmed Jones posted:
> el mero mero is right. there's a ton of people who won't use totp but will use sms mfa. they are much better off with sms mfa than no mfa. that there's another better (but less user friendly) choice is irrelevant and misses the point

If they are on that level of non-technical, iOS has native TOTP and security key in the os at the tip of their finger (or face).
El Mero Mero posted:
> are we really at a point where sim swapping is so bad and easy that we’re back to single-factor logins being better if you don’t have a hardware token?

from what i've heard sim swapping can be as simple as running into a verizon store and stealing the manager's ipad. assuming you get a few dozen swaps before it's deactivated, a single sim swap costs like $100

Perplx fucked around with this message at 18:28 on Feb 18, 2023
Perplx posted:
> from what i've heard sim swapping can be as simple as running into a verizon store and stealing the manager's ipad

this genuinely sounds like a relevant factor though if that's what it takes. i was under the impression that the us network setup made it even easier than that
sms is obviously broken, but it only matters if someone is targeting you. it still more than does the job to protect you against the assholes just running down password breach lists looking for low hanging fruit, and we all know that the people using sms aren't using unique passwords
Achmed Jones posted:
> el mero mero is right. there's a ton of people who won't use totp but will use sms mfa. they are much better off with sms mfa than no mfa. that there's another better (but less user friendly) choice is irrelevant and misses the point
CRIP EATIN BREAD posted:
> gently caress those people then, they can go kick rocks

I don't have actual numbers on hand, but that's the majority of people by an order of magnitude
I was way off on pricing, I was thinking of an episode of darknetdiaries

https://darknetdiaries.com/transcript/112/ posted:
> DREW: So, I’ll break it down to you based on carrier. So, T-Mobile at the moment costs you about $5,000 per swap. If they’re a fraud victim, then it costs you $7,500. A fraud victim has special protections on their account, but they’re still bypassable. Verizon is going to cost you upwards of probably $50,000. Verizon is extremely well secured, but it’s still possible if you have the right equipment. Like, you need a branch manager login which is a very high position. So, you need to be able to pay off that Verizon manager a lot, and you can’t hack them. You can’t – it appears, right now. I could be wrong. Maybe we’ll find new findings. But they pretty – you literally just need a insider. You can’t rat him or anything. For AT&T, I think that people are starting to decrease their prices down to $4,000, $2,000…$2,000 to $3,000 because their opus tool is not too secure.
The Fool posted:
> sms is obviously broken, it only matters if someone is targeting you

sms is not *inherently* broken though, it entirely depends on how telco peering and similar is actually done. if done well enough that the attack is "your chosen operator's backend could access your second factor" then it's actually to my mind pretty decent. but afaik that is not actually the barrier in a lot of places/setups, and i think the "stealing an ipad from a telco manager" is imagining it *stronger* than it is.
Perplx posted:
> I was way off on pricing, I was thinking of an episode of darknetdiaries

lmao att
Cybernetic Vermin posted:
> but afaik that is not actually the barrier in a lot of places/setups, and i think the "stealing an ipad from a telco manager" is imagining it *stronger* than it is.

I have some recollection of a story about a compromised account that happened because the attacker just convinced a phone rep that they lost their phone and the phone rep ignored policy (and a flag on the victim's account iirc) and issued a new sim, which is obviously a low bar, but still requires targeted effort
People have keys to their homes and cars, so it's only a small leap to convince them to also have keys to their computers and data, or at least their bank accounts.