EVIL Gibson
Mar 23, 2001

THE CLOUD WILL PROTECT US


Dex posted:

his application isn't involved in this part of the chain, it's all rsa securid and their client software. i'd suggest reading their docs if you're curious about the how and why of it

You are right. I remember one place where I used a personal PIN plus token to log into the VPN. Then I moved to a place that connected your password (really the hash I think) from your AD creds to the token device. The apparent usefulness this got was that this place was on the ball in removing people from AD, so that removing the user meant their token could no longer be used because they no longer existed. Plus the other bonus is that the password policy the user password follows is also applied to the PIN.

I had a pin for the token for about 24 months and I only changed it when I lost the drat thing.

Edit: of course you need to keep the AD and the RSA servers


sarehu
Apr 20, 2007

(call/cc call/cc)

So the Apple thing is basically that on the iPhone 5C they're getting ordered to provide a signed firmware that'll let unlimited passcode attempts (or just reveal the password, or whatever). And this is something which would be technically impossible on later models. Right?

Diva Cupcake
Aug 15, 2005



sarehu posted:

So the Apple thing is basically that on the iPhone 5C they're getting ordered to provide a signed firmware that'll let unlimited passcode attempts (or just reveal the password, or whatever). And this is something which would be technically impossible on later models. Right?
Correct. The 5C lacks the Secure Enclave of later models. Good rundown here...

https://blog.trailofbits.com/2016/0...bi-court-order/

http://blog.cryptographyengineering...our-iphone.html

RISCy Business
Jun 17, 2015

neon lights and beautiful sights


Fun Shoe

MrMoo posted:

There is a pretty awful Cisco appliance that has a SSL portal that works like this.

can confirm that it's awful, we have one in place where i work now.

i hate it.

RISCy Business
Jun 17, 2015

neon lights and beautiful sights


Fun Shoe

also, there's a new bug. in glibc.

http://www.zdnet.com/article/patch-...ical-glibc-bug/

quote:

Google and Red Hat have linked up to deliver a patch for a serious bug in the GNU C Library, or glibc, which is widely used in Linux applications, distributions and devices.

Anyone running a Linux server is likely to need to install the jointly-developed patch that fixes a critical flaw in the getaddrinfo function in glibc.

The vulnerability had until recently gone unnoticed but was actually introduced in version 2.9 of the open-source library, which was released in May 2008.

Google has detailed that the bug is a stack buffer overflow flaw in the function, which can be remotely exploited by causing a machine to run a DNS lookup and delivering a response in the form of UDP or TCP packets that exceed 2,048 bytes.

Google engineers said any software using getaddrinfo, "May be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack".

Like previous open-source bugs, this one also affects a wide range of Linux distributions, software and devices.

"Pretty much any Linux system uses glibc, and getaddrinfo is typically used to resolve IP addresses. Which means Linux servers as well as workstations, are vulnerable unless it runs an old version of glibc (pre 2.9)," noted Johannes Ullrich, CTO of the SANS Internet Storm Center.

Ullrich initially believed Android devices are probably also affected by the bug. However, security researcher Kenn White has since pointed out Google opted for the glibc alternative Bionic C software for Android.

White also said there is a possibility that CentOS, Oracle, and Amazon Linux may be vulnerable to the glibc vulnerability.

Although Google engineers discovered the flaw independently, when they began assessing it they discovered the issue had been previously reported to glibc's maintainers and that engineers at Red Hat were also investigating the issue.

The two companies collaborated on the development and testing of the patch that was released on Tuesday.

Red Hat has confirmed that affected products include multiple versions of RHEL server, workstation and desktop products.

Google has developed exploit code for the flaw but is not making that software publicly available. However, it has published a proof of concept that can be used to test if systems are vulnerable.

"When code crashes unexpectedly, it can be a sign of something much more significant than it appears; ignore crashes at your peril," Google's engineers said.

They also noted that while remote code execution is possible, it would still require bypassing exploit mitigations such as address-space layout randomization.

emdash
Oct 19, 2003

and?


http://www.ibtimes.co.uk/john-mcafe...enemies-1544651

John McAfee posted:

I will, for free, decrypt the information on the San Bernardino iPhone with my team. We will primarily use social engineering and it will take us three weeks. If you accept my offer, then you will not need to ask Apple to place a backdoor in their product, which will be the beginning of the end of America.

If you doubt my credentials, Google "Cybersecurity legend" and see whose name is the only name that appears in the first ten out of over a quarter of a million results.


Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.


Taco Defender


I don't think that he's worth talking about here. With that said, I met him when I was last at DEFCON and he smelt like smokes and bourbon, yet not an ounce of regret was on him.

KillHour
Oct 28, 2007



John McAfee is the answer to "What if Tony Stark was a real person?" and it's glorious.

I would eat my shoe live on national television if we could not break the encryption on the San Bernardino iPhone.
- John McAfee

Inspector_666
Oct 7, 2003

benny with the good hair



He's gonna social engineer the password out of a dead guy? poo poo, McAfee is running his own little Fringe division now, isn't he.

EVIL Gibson
Mar 23, 2001

THE CLOUD WILL PROTECT US


deep impact on vhs posted:

can confirm that it's awful, we have one in place where i work now.

i hate it.

I found a Cisco device where, without any creds on the login page, you could run commands on the server, as root, through the password field.

I use it for a demonstration (while not mentioning the product or model) of why sanitization is a thing when dealing with user input.

Same box also allowed me to change a password without knowing the previous password by making sure the pass auth response was changed from "false" to "true" (easy to do with Burp Suite) to submit back to the server.

In summary, it is like saying I give the guy that checks my previous password garbage and he tells me to gently caress off. I step to the next guy in the process who asks me what the previous guy said about me and I tell him the other guy just loved me.

"Everything checks out, your password is changed."
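A minimal reconstruction of the second flaw in that password-change flow, as an added example (my own code, not from the forum post or from any Cisco product): the broken version lets the client carry the "verified" verdict between the two steps, so a proxy can flip it, while the fixed version keeps the verdict server-side behind a random single-use token. Users and passwords are constructed sample data.

```python
"""Added example: a password-change flow that trusts a client-supplied
verification result, beside a version that keeps that state on the server.
Not code from any real product; all users and passwords are constructed."""
import hashlib
import hmac
import secrets

# Constructed sample user store: username -> sha256 hex of the password.
# (A real deployment would use a slow, salted hash such as scrypt or argon2.)
USERS = {"alice": hashlib.sha256(b"old-password").hexdigest()}


def _digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(user: str, password: str) -> bool:
    """Constant-time comparison against the stored hash."""
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, _digest(password))


# --- Broken design: the verdict travels through the client --------------------

def broken_verify(user: str, old_password: str) -> dict:
    """Step 1: returns a JSON-style verdict that the client must POST back."""
    return {"user": user, "verified": check_password(user, old_password)}


def broken_change(step1_response: dict, new_password: str) -> bool:
    """Step 2: trusts the client's copy of the verdict and never re-checks,
    so "verified": false edited to true in an intercepting proxy is accepted."""
    if step1_response.get("verified") is True:
        USERS[step1_response["user"]] = _digest(new_password)
        return True
    return False


# --- Fixed design: the verdict never leaves the server ------------------------

_PENDING = {}  # single-use token -> user who proved knowledge of the old password


def fixed_verify(user: str, old_password: str):
    """Step 1: on success, hand the client an opaque token instead of a verdict."""
    if not check_password(user, old_password):
        return None
    token = secrets.token_urlsafe(32)
    _PENDING[token] = user
    return token


def fixed_change(token: str, new_password: str) -> bool:
    """Step 2: only a token the server itself issued, and not yet used, is accepted;
    nothing the client can edit turns a failed check into a passed one."""
    user = _PENDING.pop(token, None)
    if user is None:
        return False
    USERS[user] = _digest(new_password)
    return True
```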

invision
Mar 2, 2009

I DIDN'T GET ENOUGH RAPE LAST TIME, MAY I HAVE SOME MORE?


EVIR Gibson posted:

I found a Cisco device where, without any creds on the login page, you could run commands on the server, as root, through the password field.

I use it for a demonstration (while not mentioning the product or model) of why sanitization is a thing when dealing with user input.

Same box also allowed me to change a password without knowing the previous password by making sure the pass auth response was changed from "false" to "true" (easy to do with Burp Suite) to submit back to the server.

In summary, it is like saying I give the guy that checks my previous password garbage and he tells me to gently caress off. I step to the next guy in the process who asks me what the previous guy said about me and I tell him the other guy just loved me.

"Everything checks out, your password is changed."

Which device?

ming-the-mazdaless
Nov 30, 2005

Whore funded horsepower

A year ago, I did a Proof of Concept for insider threat detection in a hospital group.
By creating a user behaviour index, I was able to identify a few misuse events that pointed to a potential auth issue.

After playing around a bit, I found the following:
billing system
patient management for ICU, Pre/post natal, Surgical and Ward
Dispensary
Practitioner management

I was able to add myself as a medical practitioner, prescribe medication, assign patients to my roster, order a transfer and ultimately kidnap children from their hospitals by co-opting their ambulance service.

None of the above had any form of authentication in place.
All of the above are hosted in a lovely server farm at a consumer ISP.


As of yesterday, nothing had been done to resolve this clusterfuck. What is everyone's opinion on the matter? Full public disclosure?

cheese-cube
May 28, 2007

OMNIA SUNT COMMUNIA





ming-the-mazdaless posted:

A year ago, I did a Proof of Concept for insider threat detection in a hospital group.
By creating a user behaviour index, I was able to identify a few misuse events that pointed to a potential auth issue.

After playing around a bit, I found the following:
billing system
patient management for ICU, Pre/post natal, Surgical and Ward
Dispensary
Practitioner management

I was able to add myself as a medical practitioner, prescribe medication, assign patients to my roster, order a transfer and ultimately kidnap children from their hospitals by co-opting their ambulance service.

None of the above had any form of authentication in place.
All of the above are hosted in a lovely server farm at a consumer ISP.


As of yesterday, nothing had been done to resolve this clusterfuck. What is everyone's opinion on the matter? Full public disclosure?

Have you followed responsible disclosure and who did you disclose to originally?

Edit: actually just listen to OSI Bean Dip vvv

cheese-cube fucked around with this message at Mar 4, 2016 around 15:59

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.


Taco Defender

ming-the-mazdaless posted:

A year ago, I did a Proof of Concept for insider threat detection in a hospital group.
By creating a user behaviour index, I was able to identify a few misuse events that pointed to a potential auth issue.

After playing around a bit, I found the following:
billing system
patient management for ICU, Pre/post natal, Surgical and Ward
Dispensary
Practitioner management

I was able to add myself as a medical practitioner, prescribe medication, assign patients to my roster, order a transfer and ultimately kidnap children from their hospitals by co-opting their ambulance service.

None of the above had any form of authentication in place.
All of the above are hosted in a lovely server farm at a consumer ISP.


As of yesterday, nothing had been done to resolve this clusterfuck. What is everyone's opinion on the matter? Full public disclosure?

Talk to a lawyer; health care is one of those things that could get you sued to all hell. Are you American? Did you do this as an individual or are you working for a firm that was hired to do the PoC? Do you have any NDAs with them?

As much as health care organizations need reform, full public disclosure may work very much against your favour.

Loving Africa Chaps
Dec 3, 2007


We had not left it yet, but when I would wake in the night, I would lie, listening, homesick for it already.



ming-the-mazdaless posted:

A year ago, I did a Proof of Concept for insider threat detection in a hospital group.
By creating a user behaviour index, I was able to identify a few misuse events that pointed to a potential auth issue.

After playing around a bit, I found the following:
billing system
patient management for ICU, Pre/post natal, Surgical and Ward
Dispensary
Practitioner management

I was able to add myself as a medical practitioner, prescribe medication, assign patients to my roster, order a transfer and ultimately kidnap children from their hospitals by co-opting their ambulance service.

None of the above had any form of authentication in place.
All of the above are hosted in a lovely server farm at a consumer ISP.


As of yesterday, nothing had been done to resolve this clusterfuck. What is everyone's opinion on the matter? Full public disclosure?

Have you informed the hospital? If they've had a year to sort their poo poo out and still failed to do anything, then I'd talk to a lawyer and disclose it.

As a doctor I'd be super interested in seeing that though. Hospital IT is insanely bad. At my hospital no one can connect to the staff wifi, so all the consultants connect their laptops to the open guest wifi to send emails about patients to one another.

Sharktopus
Aug 9, 2006



do you think that patient safety will be increased more by you politely asking the hospital to spend resources, or by forcing them to fix these very real problems?



andrew smash
Jun 26, 2006

smooth soul

Loving Africa Chaps posted:


As a doctor I'd be super interested in seeing that though. Hospital IT is insanely bad. At my hospital no one can connect to the staff wifi, so all the consultants connect their laptops to the open guest wifi to send emails about patients to one another.

Seconded, also I would like to know if I have ever worked for this place.

ming-the-mazdaless
Nov 30, 2005

Whore funded horsepower

OSI bean dip posted:

Talk to a lawyer; health care is one of those things that could get you sued to all hell. Are you American? Did you do this as an individual or are you working for a firm that was hired to do the PoC? Do you have any NDAs with them?

As much as health care organizations need reform, full public disclosure may work very much against your favour.

Thanks for the advice. Lawyers have been approached.

ming-the-mazdaless fucked around with this message at Mar 7, 2016 around 15:55

ming-the-mazdaless
Nov 30, 2005

Whore funded horsepower

Sharktopus posted:

do you think that patient safety will be increased more by you politely asking the hospital to spend resources, or by forcing them to fix these very real problems?
The latter and only the latter.

ming-the-mazdaless fucked around with this message at Mar 7, 2016 around 15:55

EVIL Gibson
Mar 23, 2001

THE CLOUD WILL PROTECT US


So here's a random tool I always use when scoping out a target; Bing.

Stop laughing.

But really, Bing has a feature no other search engine out there has including Google. It gives the user the ability to search for domains by IP.

Why is this useful? It gives possible ways to get into the target domain via another vulnerable domain.

So the sequence of events that have to happen is

1) The target site is fully patched
2) The target site is on a shared host with a site (it could be a firewall rule giving the sites the same IP, remember), let's call it the side-target, that is not fully patched (Wordpress, Drupal are super good targets)
3) The side-target installation has a path traversal issue or the ability to run remote commands via the site
4) There is no virtualization, or only very weak sandboxing
5) Compromising the side-target can allow for access to the host all the sites are served on, including your target


Bing lets you get a bit of Shodan functionality for free.

Type the following into Bing to search for where SA is hosted.

code:
ip:104.25.246.12
Now admire how many gambling sites and dentist sites are hosted on the same IP as Senor Lowtax

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano


That's cloudflare you idiot

mod saas
May 4, 2004
The Burger King Bows To Ugoff


Grimey Drawer

EVIR Gibson posted:

So here's a random tool I always use when scoping out a target; Bing.

Stop laughing.

But really, Bing has a feature no other search engine out there has including Google. It gives the user the ability to search for domains by IP.

Why is this useful? It gives possible ways to get into the target domain via another vulnerable domain.

So the sequence of events that have to happen is

1) The target site is fully patched
2) The target site is on a shared host with a site (it could be a firewall rule giving the sites the same IP, remember), let's call it the side-target, that is not fully patched (Wordpress, Drupal are super good targets)
3) The side-target installation has a path traversal issue or the ability to run remote commands via the site
4) There is no virtualization, or only very weak sandboxing
5) Compromising the side-target can allow for access to the host all the sites are served on, including your target


Bing lets you get a bit of Shodan functionality for free.

Type the following into Bing to search for where SA is hosted.

code:
ip:104.25.246.12
Now admire how many gambling sites and dentist sites are hosted on the same IP as Senor Lowtax

Rufus Ping posted:

That's cloudflare you idiot

whether a poorly executed joke or not this is the best post combo ever

EVIL Gibson
Mar 23, 2001

THE CLOUD WILL PROTECT US


Rufus Ping posted:

That's cloudflare you idiot

It's an example you idiot.

Meaning, IT WOULDN'T WORK IN THIS CASE

But it's not like anyone sets up other domains, such as a private github account, on the same IP, or maybe a monitoring web app, or everything to add to the stupidity of IoT.

If you do not understand this, sorry!

Dex
May 26, 2006

Quintuple x!!!

Would not escrow again.

VERY MISLEADING!


you clearly know what shodan is, so why not just use it?

Subjunctive
Sep 12, 2006

Careful now


Cybernetic Crumb

EVIR Gibson posted:

private github account on the same ip

If you do not understand this, sorry!

I do not understand this.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.


Taco Defender

Dex posted:

you clearly know what shodan is, so why not just use it?

It is also inexpensive to get access to extra features.

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano


Subjunctive posted:

I do not understand this.

I think he's suggesting someone might have an exposed e.g. GitLab installation running on their production servers and if it were vulnerable in some way then an attacker could pivot once inside

Subjunctive
Sep 12, 2006

Careful now


Cybernetic Crumb

Rufus Ping posted:

I think he's suggesting someone might have an exposed e.g. GitLab installation running on their production servers and if it were vulnerable in some way then an attacker could pivot once inside

Yeah, I didn't understand how you'd get a private github account on different hosts, but if by "GitHub" he meant "GitLab" and by "account" he meant "installation", I can see it.

AxillaHallux
Mar 28, 2016


Howdy All,

Firstly, I'm pretty stoked to have joined this community. Seems like a very interesting and knowledgeable group of people!

Now, to the topic at hand. INFOSEC

This interests me greatly, and whilst I am by no means someone who is "interesting", I still feel it is wise to engage in "Security-In-Depth". From bi-locked doors, passworded / encrypted computers / encrypted communications, I feel that this is the way of the future.

One of the posts in here earlier linked me through to "John McAfee", and his FTC website.

I would love to know if anyone has used these products (Demonsaw - Info Sharing, D-Vasive - Phone monitoring for unauthorised traffic, etc)

http://www.futuretensecentral.com/products

Cheers in Advance

Ax

(USER WAS PUT ON PROBATION FOR THIS POST)

Subjunctive
Sep 12, 2006

Careful now


Cybernetic Crumb

No.

Stanley Pain
Jun 16, 2001

Bit. Trip. RIP.




Kazinsal
Dec 13, 2011



Spambots sure are getting complex these days.

AxillaHallux
Mar 28, 2016


Lol, no spam here dude, just interested.

Did a bit more research after I posted yesterday, seems like there are mixed reviews :S

Might just stick to end-end encryption for now

Dex
May 26, 2006

Quintuple x!!!

Would not escrow again.

VERY MISLEADING!


i encrypt my end, and you encrypt your end, back and forth forever

))<>((

Paul MaudDib
May 2, 2006

"Tell me of your home world, Usul"


Dex posted:

i encrypt my end, and you encrypt your end, back and forth forever

))<>((

I've been thinking about the "back and forth". When can we meet? I would like to share my private key with you.

invision
Mar 2, 2009

I DIDN'T GET ENOUGH RAPE LAST TIME, MAY I HAVE SOME MORE?


I was gonna seriouspost about the OSCP but this page is

Pinch Me Im Meming
Jun 26, 2005


I have never ever posted ITT or anywhere in SH/SC, I think because I'm a mere user, but I think I found something you guys might like!

From the Panama Papers thread in D&D:

PBCrunch
Jun 17, 2002

Lawrence Phillips Always #1 to Me

I have a small webserver running on a Raspberry Pi in my house that does some home automation. I have it set up with Apache2 normal authentication and a weird port number, which I know is Not Good Enough. What is the easiest and cheapest way to get SSL working without any of those scary web browser messages about unknown certificates? I don't think I can just put these files on a web host and expect the home automation to keep working.

I have a domain name from AlpsNames that is CNAME'd to a dynamic DNS provider, if that is helpful information.

Subjunctive
Sep 12, 2006

Careful now


Cybernetic Crumb

https://letsencrypt.org/


Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.


Taco Defender


Seconding this. If you're running a website in 2016 without SSL, you're a buffoon.
