|
It should stop the spam push notifications until the target pressed accept by mistake/annoyance attack?
|
#
?
Nov 16, 2022 10:09
|
|
|
|
| # ? Apr 25, 2024 19:52 |
|
|
Andohz posted:It should stop the spam push notifications until the target pressed accept by mistake/annoyance attack? Totally does. BUT like others have mentioned, if they get a rube on the other end they can be socially engineered to give away the OTP over the phone or via text. Its been a fairly common practice for a while now.
|
|
#
?
Nov 16, 2022 16:46
|
|
|
Almost as if the human element is always dumb and the failure point
|
|
#
?
Nov 16, 2022 17:19
|
|
|
RFC2324 posted:Almost as if the human element is always dumb and the failure point No MFA <<< MFA using SMS <<< MFA using push notifications saying "accept/deny" <<< MFA using "select the number" <<< Yubikeys Edit: The things to the left are not necessarily bad just because they can be broken. They're still better than the things further left.
|
|
#
?
Nov 16, 2022 20:02
|
|
|
BaseballPCHiker posted:Totally does. BUT like others have mentioned, if they get a rube on the other end they can be socially engineered to give away the OTP over the phone or via text. Its been a fairly common practice for a while now. It's almost entirely driven by two high-profile cases in which big companies were penetrated because they had users just hit ACCEPT. This is a good thing generally, but it doesn't necessarily reflect an actual hierarchy of risks around 2FA. 2FA has kinda coasted for a long time, it's good we're re-examining and strengthening it a bit.
|
|
#
?
Nov 16, 2022 20:41
|
|
|
Methylethylaldehyde posted:Thanks you for to verification of email and password! Right, but that's no less secure than before.
|
|
#
?
Nov 16, 2022 23:52
|
|
|
if i had a buck for every time i asked a team to make a simple upgrade to increase their security profile and they pushed back because it wasn't 100% bulletproof, i'd have, idk $100 or so it's second only to the guy who, when you ask him to stop logging passwords, or to stop leaking information, or whatever, says "but that's security by obscurity!!"
|
|
#
?
Nov 17, 2022 01:19
|
|
|
speaking of sms mfa https://www.bankinfosecurity.com/twitter-second-factor-authentication-has-vulnerability-a-20475 quote:A researcher contacted Information Security Media Group on condition of anonymity to reveal that texting "STOP" to the Twitter verification service results in the service turning off SMS two-factor authentication. this is so loving funny lmao
|
|
#
?
Nov 17, 2022 01:31
|
|
|
While what I can send to a cell phone and expect to actually get delivered has been locked down pretty tightly in the last year or so as a result of SMS spam, I'd bet I could still get a spoofed SMS delivered to Twitter's 2FA service. I'm not going to actually test it because I don't feel like getting my upstream carriers on my rear end, but lol....
|
|
#
?
Nov 17, 2022 01:56
|
|
|
Achmed Jones posted:if i had a buck for every time i asked a team to make a simple upgrade to increase their security profile and they pushed back because it wasn't 100% bulletproof, i'd have, idk $100 or so I told a developer SHA1 was not a secure way to store passwords once and he needed to switch to bcrypt and he demanded I sit there for like an hour and explain to him what it was and why it was better
|
|
#
?
Nov 17, 2022 05:45
|
|
|
CLAM DOWN posted:speaking of sms mfa Unless this works from a spoofed sms, it's not really a vulnerability, since you'd need to sim swap them and at that point you've broken sms 2fa anyway Fake e: just occurred to me that perhaps someone could be phished into sending it themselves. Send a lot of annoying emails and put "TEXT STOP TO <number> TO UNSUBSCRIBE" or something
|
|
#
?
Nov 17, 2022 09:04
|
|
|
Cup Runneth Over posted:I told a developer SHA1 was not a secure way to store passwords once and he needed to switch to bcrypt and he demanded I sit there for like an hour and explain to him what it was and why it was better Unless he was kidnapping you, just promise to send him some reading and be on your way.
|
|
#
?
Nov 17, 2022 09:22
|
|
|
Cup Runneth Over posted:I told a developer SHA1 was not a secure way to store passwords once and he needed to switch to bcrypt and he demanded I sit there for like an hour and explain to him what it was He scammed you out of a free 1-hour bcrypt training session.
|
|
#
?
Nov 17, 2022 09:22
|
|
|
Cup Runneth Over posted:I told a developer SHA1 was not a secure way to store passwords once and he needed to switch to bcrypt and he demanded I sit there for like an hour and explain to him what it was and why it was better
|
|
#
?
Nov 17, 2022 12:08
|
|
|
Wiggly Wayne DDS posted:what is bcrypt and why is it better than SHA1? Well, for one SHA1 is deprecated and easily attacked now. Achmed Jones posted:if i had a buck for every time i asked a team to make a simple upgrade to increase their security profile and they pushed back because it wasn't 100% bulletproof, i'd have, idk $100 or so "No, that's called best practices and you are not following them."
|
|
#
?
Nov 17, 2022 14:26
|
|
|
CommieGIR posted:Well, for one SHA1 is deprecated and easily attacked now. Source?
|
|
#
?
Nov 17, 2022 15:38
|
|
|
CommieGIR posted:Well, for one SHA1 is deprecated and easily attacked now. Even in 2009, the right answer to hashing was SHA-256 (or SHA512/256 as that's faster on a 64bit CPU). The right way to store passwords, incidentally, has been scrypt - also since 2009. EDIT: All of this is documented in Cryptographic Right Answers. BlankSystemDaemon fucked around with this message at 19:32 on Nov 17, 2022 |
|
#
?
Nov 17, 2022 15:39
|
|
|
AlternateAccount posted:Duo now supports the thing where the site presents a code you have to enter into the app. Gonna be standard fare all around, I expect. Good. Absurd Alhazred posted:Is that better or worse than push verifications? Think of it as a push notification where you have to actually have to be the person who asked for the push (or at least get lucky clicking the right number, or click what the scammer told you to click). It's better, but it's still nowhere near as good as having a proper binding cryptographic dongle
|
|
#
?
Nov 17, 2022 16:00
|
|
|
Mustache Ride posted:https://shattered.it/ Yup. This was in 2021. But file dedup/collision is different from storing people's loving passwords with it in a database Cup Runneth Over fucked around with this message at 17:09 on Nov 17, 2022 |
|
#
?
Nov 17, 2022 17:05
|
|
|
is everyone else going through steps to rearchitecting their jobs network to a more "zero trust based" network or is it just me? I hate this, I hate zero trust, I hate everything involved in it, and I just want to check out until this is all over. Having to do all this crap in place instead of just blowing away the network and starting fresh is annoying.
|
|
#
?
Nov 17, 2022 18:32
|
|
|
Defenestrategy posted:is everyone else going through steps to rearchitecting their jobs network to a more "zero trust based" network or is it just me? Have you unplugged all your ethernet cords yet
|
|
#
?
Nov 17, 2022 19:01
|
|
|
Defenestrategy posted:is everyone else going through steps to rearchitecting their jobs network to a more "zero trust based" network or is it just me? We're rolling out a greenfield underlay network based on SR-MPLS for all our OT poo poo, then moving all our existing poo poo over to that network piece by piece. We can only do this because we have spare fibre capacity going literally everywhere, and I am eternally grateful for that fact. Trying to "do it live" would have sucked so hard.
|
|
#
?
Nov 17, 2022 19:02
|
|
|
Defenestrategy posted:is everyone else going through steps to rearchitecting their jobs network to a more "zero trust based" network or is it just me? yeah I'm in the middle of that what's sad is that genuine actual zero trust isn't being considered. in the end we're going to end up doing twice as much work but not get the same effectiveness
|
|
#
?
Nov 17, 2022 19:24
|
|
|
Wibla posted:We're rolling out a greenfield underlay network based on SR-MPLS for all our OT poo poo, then moving all our existing poo poo over to that network piece by piece. We can only do this because we have spare fibre capacity going literally everywhere, and I am eternally grateful for that fact. Trying to "do it live" would have sucked so hard. We’re doing a very similar thing right now as well, also for OT networks, using Arista VXLAN with Palo Alto MSS integration. It had to be a solution that we can roll in over time and easily connect downstream industrial network cells without loving everything up.
|
|
#
?
Nov 17, 2022 19:54
|
|
|
The closest I've been to zero trust is getting really good with Azure AD and to stop people trying to implement all their security with some box on the network edge that slows everything down and breaks any application with cert pinning. Fortunately the mass move to WFH has made these conversations easier.
|
|
#
?
Nov 17, 2022 19:56
|
|
|
BlankSystemDaemon posted:SHA1 wasn't a way to securely store passwords, even when you couldn't collide it. No it wasn't, yet people still do. Its fun explaining to them that SHA1 is not the way to store credentials, and then finding teams using MD5 to hash creds. Oh wait, its not fun, its a nightmare.
|
|
#
?
Nov 18, 2022 02:14
|
|
|
CommieGIR posted:No it wasn't, yet people still do. Its fun explaining to them that SHA1 is not the way to store credentials, and then finding teams using MD5 to hash creds.
|
|
#
?
Nov 18, 2022 15:55
|
|
|
BlankSystemDaemon posted:Ah, you're talking about the kind of Fun that can be found in Dwarf Fortress. Yup! Its fun explaining that, outside of certain use cases, you shouldn't be using certain hashing or crypto functions anymore. I love this career.
|
|
#
?
Nov 18, 2022 16:37
|
|
|
Ended up not taking the pentesting job I was offered since I’d have to move to TX 🤮 I did however manage to leverage the offer for a promotion at my current place (which I should mention is a great place to work). I was asked why I wanted to leave and I let them know I felt like I was being held back in my career, they understood and I’m now the first GRC manager for the company. Not too bad. Desktop support > sysadmin > GRC manager in just under a year. Love this field.
|
|
#
?
Nov 21, 2022 18:59
|
|
|
App13 posted:Ended up not taking the pentesting job I was offered since I’d have to move to TX 🤮 Congrats!!!
|
|
#
?
Nov 21, 2022 19:24
|
|
|
App13 posted:Desktop support > sysadmin > GRC manager in just under a year. Love this field. king/queen/royalty-of-preferred-designation
|
|
#
?
Nov 21, 2022 20:32
|
|
|
Draft kings got nailed and or some massive campaign on end users. I can't seem to find any technicals yet but...
|
|
#
?
Nov 22, 2022 01:32
|
|
|
They put out this statement. https://twitter.com/DK_Assist/status/1594769117894279168
|
|
#
?
Nov 22, 2022 01:35
|
|
|
Diva Cupcake posted:They put out this statement. There's a ton of chatter on Twitter about people with unique passwords and 2fa enabled getting hit, also my buddy is an IT guy said the same thing and is out 2,000 bucks at the moment. Really seems like a breach on DraftKings itself
|
|
#
?
Nov 22, 2022 01:48
|
|
|
cr0y posted:There's a ton of chatter on Twitter about people with unique passwords and 2fa enabled getting hit, also my buddy is an IT guy said the same thing and is out 2,000 bucks at the moment. Really seems like a breach on DraftKings itself The only thing I could maybe think of would be if there were some widely used browser extension which got compromised.
|
|
#
?
Nov 22, 2022 06:37
|
|
|
I'll be interested to see how this shakes out. Theres enough noise to convince me its not just a few people, and a good chunk of those affected seemed to have 2 factor enabled.
|
|
#
?
Nov 22, 2022 15:49
|
|
|
cr0y posted:There's a ton of chatter on Twitter about people with unique passwords and 2fa enabled getting hit, also my buddy is an IT guy said the same thing and is out 2,000 bucks at the moment. Really seems like a breach on DraftKings itself Yeah, but given the sort of site it is, I suspect they will redirect until the bitter end if it really is their systems.
|
|
#
?
Nov 22, 2022 16:55
|
|
|
a scummy casino has fly-by-night security? say it ain't so.
|
|
#
?
Nov 22, 2022 17:34
|
|
|
|
| # ? Apr 25, 2024 19:52 |
|
|
Famethrowa posted:a scummy casino has fly-by-night security? say it ain't so. Right?
|
|
#
?
Nov 22, 2022 18:24
|
|