Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us $3,400 per month for bandwidth bills alone, and since we don't believe in shoving popup ads to our registered users, we try to make the money back through forum registrations.
«168 »
  • Post
  • Reply
wyoak
Feb 14, 2005

a glass case of emotion


Fallen Rib

Wiggly Wayne DDS posted:

Well no poo poo, the problem is at no point have you backed up that the average user needs this particular feature set - or that leaving a file in a dropbox folder is requiring technical proficiency of an autist. For all my fake concerns, you aren't showing any of yours to be real.
A KeePass/Dropbox solution is enough of a pain to setup on mobile devices that I couldn't recommend it to most people, and given how much browsing is done on mobile these days it's a legitimate concern. I'm sure there's like 20 apps for that, but I dunno which is the best/which devs we trust.

Even basic desktop browser integration requires a plugin and you run into the same problems (which plugins do we trust and won't be abandoned in 8 months?)

Personally I like 1password, LastPass's history is worrisome enough that I don't feel comfortable there.

wyoak fucked around with this message at Dec 21, 2015 around 21:07

Adbot
ADBOT LOVES YOU

bobbilljim
May 29, 2013

this christmas feels like the very first christmas to me


Alereon posted:

Here's the problem. Convenience is so vastly more important than your theoretical security concerns that I am stunned we are still having this discussion. This fact has been a foundational principle of information security practices for quite some time. This is because users will work around inconvenient practices with MUCH less secure practices, such as how users respond to strong password requirements by reusing passwords. This is why the priority when creating a process for users MUST be that the process be so convenient users will never be tempted to work around it.

I agree with this. I'm not a high powered pentesting security researcher but I understand the risks. Call me an idiot if you want but I just don't want to deal with the hassle that is keepass. Lastpass is easily more secure than what I was using before, web browser password storage. So it is an improvement, and it means I can use a different, secure password for each site.

I say all this as someone who is very much into computers. It's very hard for me to convince anyone not into computers to use lastpass, I can;t imagine trying to convince someone that they should use keepass.

bobbilljim
May 29, 2013

this christmas feels like the very first christmas to me


Also, if you really want to argue that people only need passwords on one machine, then you must know a lot of people that only own a phone and no PC.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.


Taco Defender

Alereon posted:

Your post describes some very vague and not-at-all-compelling reasons why people should be cautious about trusting their data to Lastpass. And yes, any security professional (or someone who plays one on the Internet) is perfectly capable of setting up their own cloud-based db synch solution, but those security professionals aren't asking for advice on how to manage their passwords. Someone who asks security professionals what password management solution to use should be directed to Lastpass.

quote:

Here's the problem. Convenience is so vastly more important than your theoretical security concerns that I am stunned we are still having this discussion.

How can we have this discussion about "people who play as a security professionals on the Internet" yet then turn around and go on about "convenience [trumping] security"?

Here's what we can easily tell about KeePass and a cloud-based file distribution service:

  • The source code is readily available
    • This means we know how the data is encrypted
    • This also means we can audit the source code ourselves
    • This also means that it is hard to change the source code without a third party becoming aware
  • It's easy to add an extra layer of security to your password vault
  • It's extensible with plugins that permit the use of most popular off-site cloud services

Now that we have established the things we know about KeePass, what can we say about LastPass?

  • It is not open source
    • This means we cannot know how the data is encrypted without trusting a third party to perform an audit
    • This means we cannot audit the source code ourselves
    • This also means that it is possible to change the source code without its userbase ever knowing
    • It also means that we have to trust LastPass that they'll disclose every breach
  • The other two points from the KeePass list aren't important here

If you think that your accounts are not important, then fine, use LastPass. But don't go around saying that it has adequate security because as I have already demonstrated it has been rife with problems that would otherwise not exist if we were to just use a file-based password manager.

wyoak
Feb 14, 2005

a glass case of emotion


Fallen Rib

OSI bean dip posted:

How can we have this discussion about "people who play as a security professionals on the Internet" yet then turn around and go on about "convenience [trumping] security"?

Here's what we can easily tell about KeePass and a cloud-based file distribution service:

  • The source code is readily available
    • This means we know how the data is encrypted
    • This also means we can audit the source code ourselves
    • This also means that it is hard to change the source code without a third party becoming aware
  • It's easy to add an extra layer of security to your password vault
  • It's extensible with plugins that permit the use of most popular off-site cloud services

Now that we have established the things we know about KeePass, what can we say about LastPass?

  • It is not open source
    • This means we cannot know how the data is encrypted without trusting a third party to perform an audit
    • This means we cannot audit the source code ourselves
    • This also means that it is possible to change the source code without its userbase ever knowing
    • It also means that we have to trust LastPass that they'll disclose every breach
  • The other two points from the KeePass list aren't important here

If you think that your accounts are not important, then fine, use LastPass. But don't go around saying that it has adequate security because as I have already demonstrated it has been rife with problems that would otherwise not exist if we were to just use a file-based password manager.
How many people who had a friend recommend KeePass/Dropbox are going to upgrade KeePass if a vuln is discovered?

Marinmo
Jan 23, 2005

Prisoner #95H522 Augustus Hill

wyoak posted:

How many people who had a friend recommend KeePass/Dropbox are going to upgrade KeePass if a vuln is discovered?
They won't, so in the end they'll end up less secure than Lastpass users since the latter are always running the latest version. Further, I'm not so sure he read the end of his gospel the very audit he posted [EDIT: sorry, that wasn't him, to be fair they kinda seem to agree though], the part where it says "To finish, we want to point out that the security team at LastPass responded very quickly to all our reports and lot of the issues were fixed in just a couple days. It was very easy to communicate and work with them.". That's professional - no system is 100 % secure and the response to the flaws discovered in it tells you a lot about how you can expect those and future issues to be addressed. Convenience and security will always be polar opposites, but too much of either will just tip the scale towards less security anyway. Lastpass generally strikes the perfect balance for everyone who doesn't fancy child pornography or work for the NSA.

Marinmo fucked around with this message at Dec 21, 2015 around 22:37

Wiggly Wayne DDS
Sep 11, 2010





Nap Ghost

wyoak posted:

How many people who had a friend recommend KeePass/Dropbox are going to upgrade KeePass if a vuln is discovered?
If this is going into arguments over auto-updating then:

KeePass FAQ posted:

Why does KeePass try to connect to the Internet?

KeePass has an option to automatically check for updates on each program start. In order to check for updates, KeePass downloads a small version information file and compares the available version with the installed version. No personal information is sent to the KeePass web server.

Automatic update checks are performed unintrusively in the background. A notification is only displayed when an update is available. Updates are not downloaded or installed automatically.

The option is disabled by default. You can enable/disable it in 'Tools' -> 'Options' -> tab 'Advanced'.
Otherwise the arguments devolves into implementation differences and how similar vulnerabilities on each platform have different impacts.

Marinmo posted:

They won't, so in the end they'll end up less secure than Lastpass users since the latter are always running the latest version. Further, I'm not so sure he read the end of his gospel the very audit he posted [EDIT: sorry, that wasn't him, to be fair they kinda seem to agree though], the part where it says "To finish, we want to point out that the security team at LastPass responded very quickly to all our reports and lot of the issues were fixed in just a couple days. It was very easy to communicate and work with them.". That's professional - no system is 100 % secure and the response to the flaws discovered in it tells you a lot about how you can expect those and future issues to be addressed. Convenience and security will always be polar opposites, but too much of either will just tip the scale towards less security anyway. Lastpass generally strikes the perfect balance for everyone who doesn't fancy child pornography or work for the NSA.
Convenience and security are not polar opposites. There's a balancing act on the high-end of the spectrum, but you can design a system that is secure by default, and is convenient for the end-user. If they were polar opposites then browsers would be getting far more inconvenient as security's improved, when the opposite has happened. As far as the statement you quoted it's a standard blurb for showing that the company receiving the report didn't immediately bring out the lawyers, and that other researchers don't need to worry when coming forward. It doesn't answer the response where they ignored half the issues.

If you're looking for a password manager there are far better alternatives, but if you're that much of a fan of the product that you ignore security issues in a security thread then we're well past the point of discussion.

wyoak
Feb 14, 2005

a glass case of emotion


Fallen Rib

Wiggly Wayne DDS posted:

If this is going into arguments over auto-updating then:

Otherwise the arguments devolves into implementation differences and how similar vulnerabilities on each platform have different impacts.
Yeah, it's off by default which means most people who install it are never going to update it. My point is that you can't ignore that part of it, and there's all the other parts of an environment (multiple devices, browser integration, etc) that something like LastPass has covered - is your phone app developer going to release an update if a vulnerability surfaces? How about the author for whichever plugin you're using to integrate with your browser? Are you even sure those app/plugin developers aren't doing something stupid right now? Has KeePass itself ever gone through a thorough audit?

Like I said, I don't totally trust LastPass either, but for most people KeePass + Cloud is either going to be too cumbersome, so it'll sit unused, or will never be updated, which is probably bad too.

Paul MaudDib
May 2, 2006

"Tell me of your home world, Usul"


Alereon posted:

KeePass is worthless for average users because it requires you to roll your own db storage and synchronization solution. Saying "just use dropbox" is great for autists who want to live independently, but it's absolutely not a solution that Just Works in the way Lastpass does.

You are straight up making up crap here to the extent that I doubt you have actually used Dropbox. The storage format is a file that sits on a disk, and you can apply any synchronization mechanism to that file that you want. You can put it in Dropbox, Google Drive, you can periodically email itself to you, whatever.

Syncing the file is the only real problem that exists with multi-device Dropbox and it's trivially easy to drop in one of the idiot-proof turnkey solutions that exist for that very simple, very well-known problem. Keepass even recently added a feature that will auto-merge the files if you happen to have out-of-sync states happen. It's super easy.

quote:

Your post describes some very vague and not-at-all-compelling reasons why people should be cautious about trusting their data to Lastpass. And yes, any security professional (or someone who plays one on the Internet) is perfectly capable of setting up their own cloud-based db synch solution, but those security professionals aren't asking for advice on how to manage their passwords. Someone who asks security professionals what password management solution to use should be directed to Lastpass.

You seem to think you have to engineer some high-performance ACID database cluster and it's loving hilarious. I've been using Dropbox to sync a Keepass file across multiple devices for years and I haven't engineered jack poo poo. Here's the secret engineering method: you create a Dropbox account and create a Keepass file in it. You put some passwords in it, and hit Save, and Dropbox blasts it across all your devices.

Even my dad can figure it out. Like, my technologically-impaired grad advisor totally had a Dropbox and used it to sync projects with multiple different people. You vastly underestimate the market penetration of Dropbox. Everyone uses it and everyone knows it.

quote:

You're a smart guy, you know all this, so I don't get why you won't accept that LastPass offers the best balance between security and usability for most people. Let's be real, features like trusted devices and offline access to a cached db that seem like anathema to you and Wiggly Wayne are incredibly valuable to users.

So why not use Chrome Sync and just store your passwords in the clear (sync'd across all your devices) then? Why would you even need a password manager if you don't care about storing them securely?

At that point you can probably just search for "generate random characters" and use that as a password too. I mean it's not like some website is ever going to connect that xxXBlaseIt420Xxx@gmail.com is the right account for that password. Or just like, smash random buttons.

Yeah, sure, that's on the low end of the security that's possible with a password manager. But the Chrome Sync + wildly punch keyboard solution is definitely better than just sharing passwords between websites.

Paul MaudDib fucked around with this message at Dec 22, 2015 around 15:52

Marinmo
Jan 23, 2005

Prisoner #95H522 Augustus Hill

Wiggly Wayne DDS posted:

If this is going into arguments over auto-updating then:

Otherwise the arguments devolves into implementation differences and how similar vulnerabilities on each platform have different impacts.

Convenience and security are not polar opposites. There's a balancing act on the high-end of the spectrum, but you can design a system that is secure by default, and is convenient for the end-user. If they were polar opposites then browsers would be getting far more inconvenient as security's improved, when the opposite has happened. As far as the statement you quoted it's a standard blurb for showing that the company receiving the report didn't immediately bring out the lawyers, and that other researchers don't need to worry when coming forward. It doesn't answer the response where they ignored half the issues.

If you're looking for a password manager there are far better alternatives, but if you're that much of a fan of the product that you ignore security issues in a security thread then we're well past the point of discussion.
You do realize that 99 % of people just click the X on the update-reminders? You are aware that's basically the reason Win10 forces updates and restarts in the middle of the night if the user doesn't manually set a time to restart (not restarting isn't even an option)? So even if it had auto-update enabled, the very same casual users you claim are better off with Keepass would not update it. Most probably ever. So now that we have that out of the way ...

I have no idea what you're saying about browsers. Seriously, it doesn't make any sense at all. They are constantly balancing between security and convenience for crying out loud. Bundling flash isn't really the epitome of security is it? And they are constantly hit with different exploits - all of them (Chrome, Firefox etc). In your rationale then, we'd all be using lynx or some poo poo because god forbid our browser could run JS (which I reckon is where most exploits originate). The post on the lastpass blog is general security hints which the researcher himself points to as good ways to mitigate the exploit he found - what else do you want? Chances are - and no, we don't know this for sure but snooping around in the source of the non-binary extension will give us a good idea - that the other issues were fixed as well. But I'm sure you don't care either way, you just want to rant and rave and ignore the security issues and inconveniences with the solutions you prefer.

Marinmo fucked around with this message at Dec 22, 2015 around 00:34

Paul MaudDib
May 2, 2006

"Tell me of your home world, Usul"


On the other hand having security software automatically install itself from across the internet is also a thing that gives people heartburn.

It's one thing in the context of a secure package-management system like APT. That infrastructure doesn't exist on Windows, the infrastructure used by the majority of the KeePass userbase.

It would be better if it did auto-install updates but it's kind of a defensible decision based on the backlash it would cause.

Marinmo
Jan 23, 2005

Prisoner #95H522 Augustus Hill

Paul MaudDib posted:

On the other hand having security software automatically install itself from across the internet is also a thing that gives people heartburn.

It's one thing in the context of a secure package-management system like APT. That infrastructure doesn't exist on Windows, the infrastructure used by the majority of the KeePass userbase.
Agreed (also on the edit). Honest question: IF one autoupdates Keepass via it's autoupdater, is the new installer verified somehow (MD5, GPG sigs or the like)? Otherwise, we're kinda back to square 1 there ...

FSMC
Apr 27, 2003
I love to live this lie

Are there any safe keepass or 1pass ports for android? I went for lastpass a few years ago because all the android apps for keepass looked like sketchy unofficial ports.

PBS
Sep 21, 2015


FSMC posted:

Are there any safe keepass or 1pass ports for android? I went for lastpass a few years ago because all the android apps for keepass looked like sketchy unofficial ports.

1password has an android app, I can't really speak to it's safety though.

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano


It's really good

B-Nasty
May 25, 2005



Marinmo posted:

Agreed (also on the edit). Honest question: IF one autoupdates Keepass via it's autoupdater, is the new installer verified somehow (MD5, GPG sigs or the like)? Otherwise, we're kinda back to square 1 there ...

It's not really a true auto-update; it just asks you to download the new installer .exe from (puke) SourceForge. The installer .exe and program .exe are both signed, though.

PBS
Sep 21, 2015


Is there ever a valid reason for the PasswordNotRequired AD attribute to be set to True?

PBS fucked around with this message at Dec 23, 2015 around 03:01

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.


Taco Defender

PBS posted:

Is there ever a valid reason for the PasswordNotRequired AD attribute to be set to True?

Microsoft has terrible documentation on this but its purpose is not for the user but for the administrator to set a blank (null) password. With this flag, users cannot change their passwords to blank but passwords can be set to blank by an administrator.

PBS
Sep 21, 2015


OSI bean dip posted:

Microsoft has terrible documentation on this but its purpose is not for the user but for the administrator to set a blank (null) password. With this flag, users cannot change their passwords to blank but passwords can be set to blank by an administrator.

Ah alright. So it doesn't necessarily mean the password is null or that you can proceed past authentication without one, but the potential for accounts with null passwords is there so long as it's enabled.

PBS fucked around with this message at Dec 23, 2015 around 04:25

RISCy Business
Jun 17, 2015

bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork


Fun Shoe

personally i like keepass, i have it on a locally accessible windows fileshare so i can copy it to my laptop and other devices when i update it

DeaconBlues
Nov 8, 2011


Which is the preferred version if I were to start using keepass on Linux and a copy of my vault on an android phone: keepass or keepassx?

Hmm. I see there is also a keepass 1 and keepass 2.

DeaconBlues fucked around with this message at Dec 23, 2015 around 20:02

EVIL Gibson
Mar 23, 2001

THE CLOUD WILL PROTECT US


Switchblade Switcharoo

I use KeePass 2. I store the file on Google Drive with password and a 2048 bit cert I transfer manually to all devices/laptops (ie, never touches storage controlled by a third party).

I know Google Drive is a third-party so why am I using it and the answer is it's easier to access than Dropbox for me in Android/Windows/Linux.

General question for you out there. I have a bug I've been meaning to write up for a Cisco product. Do I contact them even if I no longer have access to the device to retest (took a new job)? The only CVE's I've written is when I still had access to the device at the end.

Jeesis
Mar 4, 2010

I am the second illegitimate son of gawd who resides in hoaven.

Wow you nerds get uppity about password managers.

Counter point, password managers are bad.


Anyhoo, any advice for someone trying to get into the security field?

mod saas
May 4, 2004
The Burger King Bows To Ugoff


Grimey Drawer

Jeesis posted:

advice for someone trying to get into the security field?

going out on a limb here but maybe don't poo poo over people's advice and then ask for more

FSMC
Apr 27, 2003
I love to live this lie

EVIR Gibson posted:

I use KeePass 2. I store the file on Google Drive with password and a 2048 bit cert I transfer manually to all devices/laptops (ie, never touches storage controlled by a third party).

I know Google Drive is a third-party so why am I using it and the answer is it's easier to access than Dropbox for me in Android/Windows/Linux.

General question for you out there. I have a bug I've been meaning to write up for a Cisco product. Do I contact them even if I no longer have access to the device to retest (took a new job)? The only CVE's I've written is when I still had access to the device at the end.

But isn't the actual app you use on android closed source and made by a random 3rd party?

Paul MaudDib
May 2, 2006

"Tell me of your home world, Usul"


Jeesis posted:

Wow you nerds get uppity about password managers.

Counter point, password managers are bad.


Anyhoo, any advice for someone trying to get into the security field?

Show your skill by using a known exploit to download data from an AWS bucket and then brag about it on your blog.

Daman
Oct 28, 2011


destroy a CSO's public image with a single blog post

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.


Taco Defender

Jeesis posted:

Anyhoo, any advice for someone trying to get into the security field?

make friends and don't poo poo on their advice

sarehu
Apr 20, 2007

(call/cc call/cc)

Don't hang out online with people that get butthurt over your posting who somehow also are too cool to use the shift key.

mod saas
May 4, 2004
The Burger King Bows To Ugoff


Grimey Drawer

sarehu posted:

Don't hang out online with people that get butthurt over your posting who somehow also are too cool to use the shift key.

This is a good post. I like it because it demonstrates three variants of tribalism in only a single sentence: the Boomer xenophobia about avoiding the shift key, Gen-X angst over people who think they're cool, and the Millennial attitude that an echo chamber is objectively better than differences in belief. Forums poster sarehu, thank you for this gift.

RISCy Business
Jun 17, 2015

bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork


Fun Shoe

Researchers investigate North Korea's Red Star OS 3

and the presentation from 32c3:

https://www.youtube.com/watch?v=KTBemKiSgWI

Magnetic North
Dec 14, 2008

Which way is magnetic north?


Since you were talking password managers, and I asked in the android thread with no luck, I figured I'd ask here.

I use Password Safe. I started keeping my safe on my Android phone because I needed to access my passwords on multiple computers. I used to be able to just hook it up, use USB Mass Storage to access the phone like a drive, and open my safe. That doesn't work the same way with my new phone, since it uses MTP; Password Safe doesn't want to access it from the phone, possibly because it's a device and not a drive, so there is no path? I'm not honestly sure. I could copy it each time I wanted to use it, but the idea is to consolidate the location so I don't accidentally overwrite some new entry by mistake.

Is there a way to restore or replicate my old functionality with Password Safe? While I would like to avoid migrating, I will if I have to, and would appreciate any suggestions for what to migrate to. (I see mention of KeePass as an open source option, which I will look into.)

DeaconBlues
Nov 8, 2011


Is the Password Safe file encrypted?

Could always Google Drive it for access across devices.

EVIL Gibson
Mar 23, 2001

THE CLOUD WILL PROTECT US


Switchblade Switcharoo

Magnetic North posted:

Since you were talking password managers, and I asked in the android thread with no luck, I figured I'd ask here.

I use Password Safe. I started keeping my safe on my Android phone because I needed to access my passwords on multiple computers. I used to be able to just hook it up, use USB Mass Storage to access the phone like a drive, and open my safe. That doesn't work the same way with my new phone, since it uses MTP; Password Safe doesn't want to access it from the phone, possibly because it's a device and not a drive, so there is no path? I'm not honestly sure. I could copy it each time I wanted to use it, but the idea is to consolidate the location so I don't accidentally overwrite some new entry by mistake.

Is there a way to restore or replicate my old functionality with Password Safe? While I would like to avoid migrating, I will if I have to, and would appreciate any suggestions for what to migrate to. (I see mention of KeePass as an open source option, which I will look into.)

Drive will work. Each time you access your file from drive it makes a temp file of the latest version of the file. The issue is then you can't save it because its temp. I am not sure you can save back to drive on Android.

In my case, I don't change my passwords fast enough that when I do its on my pc. I save the new file there and then I have access to the new one.

Does your password storage app use certs as well along with password auth?

Magnetic North
Dec 14, 2008

Which way is magnetic north?


I guess I will mess with Drive to see if Password Safe will play nice with it.

DeaconBlues posted:

Is the Password Safe file encrypted?

I believe Password Safe encrypts by default? I mean, I don't see an option that says "encrypt vault" but Wikipedia says it encrypts.

EVIR Gibson posted:

Does your password storage app use certs as well along with password auth?

I'm sorry, but I don't fully understand what this means.

EVIL Gibson
Mar 23, 2001

THE CLOUD WILL PROTECT US


Switchblade Switcharoo

Magnetic North posted:

I guess I will mess with Drive to see if Password Safe will play nice with it.


I believe Password Safe encrypts by default? I mean, I don't see an option that says "encrypt vault" but Wikipedia says it encrypts.


I'm sorry, but I don't fully understand what this means.

It means you can make it so it also requires your private keyfile that you manually configure on the clients since it is also encrypted with your public

Dixie Cretin Seaman
Jan 22, 2008

all hat and one catte


Hot Rope Guy

OSI bean dip posted:

How can we have this discussion about "people who play as a security professionals on the Internet" yet then turn around and go on about "convenience [trumping] security"?

Here's what we can easily tell about KeePass and a cloud-based file distribution service:

  • The source code is readily available
    • This means we know how the data is encrypted
    • This also means we can audit the source code ourselves
    • This also means that it is hard to change the source code without a third party becoming aware
  • It's easy to add an extra layer of security to your password vault
  • It's extensible with plugins that permit the use of most popular off-site cloud services

Now that we have established the things we know about KeePass, what can we say about LastPass?

  • It is not open source
    • This means we cannot know how the data is encrypted without trusting a third party to perform an audit
    • This means we cannot audit the source code ourselves
    • This also means that it is possible to change the source code without its userbase ever knowing
    • It also means that we have to trust LastPass that they'll disclose every breach
  • The other two points from the KeePass list aren't important here

If you think that your accounts are not important, then fine, use LastPass. But don't go around saying that it has adequate security because as I have already demonstrated it has been rife with problems that would otherwise not exist if we were to just use a file-based password manager.

Hold on, in the other thread you personally vouch for 1Password, which as far as I can tell is also closed-source and also not routinely audited by 3rd parties. And Lastpass seems to subscribe to a paranoid, transparent philosophy in their blog posts about data breaches, where they disclose and advise password changes even for suspicious activity where they have no reason to think user vaults were exposed. If you use a 3rd party host like Dropbox are you really expecting to get full disclosure of potential breaches? By these arguments, shouldn't you be against everything except Keepass vaults, only stored locally?

If you want to argue against any kind of cloud vault storage then do it, and acknowledge that you're leaving out a lot of users who just won't use a password manager that can't easily sync between multiple devices, including phones. But it sounds very disingenuous to ding one company for server security that is equally problematic for your preferred solutions (that is: not very problematic, as long as you use a strong password, right?)

Wiggly Wayne DDS posted:

If your password manager, by default, has an unencrypted key stored (dOTP) that can be used to authenticate, obtain the encrypted vault key, decrypt the vault key, bypass IP restrictions, bypass 2FA and relies on local storage being impenetrable then you've got a bit of a design flaw. We've seen the damage in the past when Lastpass had an XSS problem that let an attacker grab any plaintext passwords from a vault silently. You're not storing your vault on a single system by virtue of using Lastpass so that is not the only possible angle of attack, and based on prior issues I can't comfortably advise people to use it for secure password storage. Especially given their response to the issues presented.

This, on the other hand, is a reasonable argument that they have exhibited some questionable security judgement w/r/t local attacks, and given their past transparency about possible server-side breaches, I was very disappointed in the detail of that response and exactly what mitigation strategies were put into place since being notified of the issues. Only tangentially related, but I've also always been uncomfortable with Lastpass' suggestion that they can keep your vault and passwords safe on questionable computers, like those at an internet cafe, using OTPs. I don't know if anyone's directly tested how much of your info some malware could grab in this scenario, but the assertion seems wildly naive and liable to give users a false sense of security.

I've been using Lastpass for a few years and I'm not imminently terrified, but between this and the uncertainty surrounding the LogMeIn acquisition, I am looking at alternatives. I just tried installing 1Password for OS X and it errors out immediately upon opening it. Not exactly inspiring confidence here..

GTO
Sep 16, 2003



AVG seem to basically be a malware vendor these days:

https://code.google.com/p/google-se...s/detail?id=675

Redshifted Ghost
Jan 12, 2016


Jeesis posted:

Anyhoo, any advice for someone trying to get into the security field?

Is there a particular area in security that you are interested in? I can't help much on the pentesting/red team front but I can offer suggestions in the incident response and forensics area. This post will have a very heavy slant towards investigating targeted threats since that's what I do for my day job.

If you want to get into incident response and forensics, I recommend picking up a copy of Incident Response & Computer Forensics which is written by several Mandiant guys. "Chapter 12: Investigating Windows Systems" has a very good primer on Windows forensics. It doesn't touch on everything but covers a lot of the main areas. Overall, some general areas that I recommend starting to be familiar with in order to be successful in incident response and forensics are:

Malware Persistence
Understand at a minimum the main ways malware can persist on a system across reboots on a Windows box. The most commonly used methods for persistence are Windows services followed by registry "Run" keys. Other ways malware can persist is through the Windows startup folders, the "UserInit" registry key, "Active Setup\Installed Components" registry key, scheduled task, WMI event, DLL search order hijacking, and a stupid number of other ways. If you want to get a pretty good idea on ways malware can persist, grab a copy of the Sysinternals tool Autoruns and just run it on your local system to see ways legitimate binaries are persisting on the system. Autoruns does a great job of showing where the persistence mechanism actually sits such as the full registry key paths or the full file path for say the startup folder.

Lateral Movement
You'll want to understand the ways an attacker can laterally move within an environment from system to system. Protip, 95% of the time an attacker will laterally move the same way a legitimate admin would. Quite literally, WMI, Powershell, PsExec, Windows scheduled task (named and unnamed), and RDP cover most cases. You'll want to be familiar with the forensic artifacts on the source, destination, and on the network (at a minimum being familiar with what ports each of those use) for those methods of lateral movement. If you want some hands on experience with investigating lateral movement forensic artifacts, then grab VMWare player (free), create a Windows VM, perform one of the ways you can laterally move to the VM from your localhost then grab a copy of Mandiant's Redline to create a collector that collects at a minimum a file listing, registry listing, and event log listing. Run the collector in your VM and analyze the data on your local host with either Redline or if you hate Redline, parse the Redline XML output documents to csv. You'll be able to timeline the event logs, registry, and file system around the time of your lateral movement test to see what it does on the target system.

The Attack Lifecycle
The attack lifecycle is the general overview of the what an attacker will do in an environment at a high level. It's good to know since you can use it as a predictor of what the attacker has done to get to where he is if the discovery of the breach is late in the lifecycle or what to expect the attacker to do if the discovery is early in the attack lifecycle. FireEye had a decent webinar on this topic.


Frankly, if you are knowledgeable in the three above topics you'd be a good pick for an entry level incident response analyst regardless of your education background.

If malware analysis is your interest, Practical Malware Analysis is a very good book, though as a heads up, the learning curve gets very steep several chapters in. If you want to learn more about assembly, I recommend some of the Open Security Training videos, specifically Introductory Intel x86

If anyone else has any questions about incident response or forensics let me know, I'm happy to answer them.

Adbot
ADBOT LOVES YOU

co199
Oct 28, 2009

I AM A LOUSY FUCKING COMPUTER JANITOR WHO DOES NOT KNOW ANYTHING ABOUT CYBER COMPUTER HACKER SHIT.

PLEASE DO NOT LISTEN TO MY FUCKING AWFUL OPINIONS AS I HAVE NO FUCKING IDEA WHAT I AM TALKING ABOUT.


To expand on the Practical Malware Analysis front, this popped up on github the other day: https://github.com/RPISEC/Malware

quote:

About the Course

The Practical Malware Analysis (PMA) book is where many RPISEC members and alumn started. The book reads very well, is full of information, and the lab walkthroughs in the back are invaluable. We didn't want to re-invent the wheel so we structured most of the class around the book. Students were expected to have read the relevant PMA book chapters before class, allowing us to spend much more class time demonstrating skills and techniques and walking through hands-on examples with the students.

Syllabus: http://security.cs.rpi.edu/courses/...15/Syllabus.pdf

Note: Most of the samples used in this course are malicious in nature, treat them carefully!

To help protect people from accidentaly running samples on an important machine, and to prevent anti-malware suites from blocking the course material, all of the samples are compressed and encrypted with a password of 'infected'.
Course Abstract

With the increased use of the Internet and prevalence of computing systems in critical infrastructure, technology is undoubtedly a vital part of modern daily life. Unfortunately, the increasingly networked nature of the modern world has also enabled the spread of malicious software, or “malware”, ranging from annoying adware to advanced nation-state sponsored cyber-weaponry. As a result, the ability to detect, analyze, understand, control, and eradicate malware is an increasingly important issue of economic and national security.

This course will introduce students to modern malware analysis techniques through readings and hands-on interactive analysis of real-world samples. After taking this course students will be equipped with the skills to analyze advanced contemporary malware using both static and dynamic analysis.

Prerequisite Knowledge

This course carried a prereq of Computer Organization - CSCI 2500 at RPI. Computer Organization is RPI's basic computer architecture course that teaches things like C, MIPS assembly, x86 assembly, Datapaths, CPU Pipelining, CPU Caching, Memory Mapping, etc.

Our expected demographic for Malware Analysis was students with zero reverse engineering experience. That said, to be able to take this course you will probably need at least the following skills.

Working knowledge of C/C++
Any assembly level experience

Might be a worthwhile place to start if you have some interest in reversing.

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply
«168 »