Internet Explorer posted:
I know most people in this thread probably already know this, but it is one of my favorite things to show people to get them to understand security is important and non-trivial. If you open a debug console in your browser you can change the type of the input field from password to text and then be able to see / copy out the password if someone has already typed it in or saved it in the browser. I used to have this on a flash drive on my key chain: http://www.nirsoft.net/utils/web_browser_password.html Nothing like running a 2-second utility to show a user their passwords for 20 different websites to scare them into thinking about security. Until about 2 minutes after I leave the room, then they forget everything.

Mar 8, 2017 18:05

We are currently evaluating Filecloud (https://www.getfilecloud.com/) as a method to share files with external users. They offer an on-prem version and a hosted version; we're testing the hosted version. Guess who just discovered that you can go through the entire login process as a user without seeing https anywhere.

May 12, 2017 21:19

Levitate posted:
People using KeePass for password management, do you just open up the database and copy your password every time you need to log in to a site, or is there an easier method?

Ctrl-v

May 19, 2017 20:42

milk milk lemonade posted:

This. The DoD runs its own CA and gives zero fucks about public root CAs.

May 23, 2017 05:23

Avenging_Mikon posted:
What's a good free program to use to encrypt USB sticks being sent through the mail? Security is paramount, but something relatively easy for non-techies to use would be a huge plus.

BitLocker.

Jun 8, 2017 16:25

In regard to point a, BitLocker FDE can be enabled and managed via GPO and/or MBAM with no need for the end user to have any input at all.

edit: That being said, I just confirmed on my workstation that using BitLocker on removable devices does not require admin.

Jun 8, 2017 20:15

If you use Docker, this probably affects you.

Jun 26, 2017 16:20

Thermopyle posted:
Isn't rundll32.exe part of windows?

https://twitter.com/0x09AL/status/879744664974360576

Jun 27, 2017 18:09

mewse posted:
One of them is really determined. Emails below + one or two phone calls that I ignored

Jun 28, 2017 17:35

SnatchRabbit posted:
Probably a dumb question but here goes. I run an AWS EC2 instance running Moodle. I want to enable HTTPS with an SSL cert. I've consulted the documentation for my image. Now, the simplest route that I can see is to buy a yearly SSL cert from something like this and then follow the directions in the docs to copy the cert, enable permissions, etc. Is this correct? Is there another option I should be looking at?

https://letsencrypt.org/

e: Specifically, certbot should help with the installation of the certificate and automating renewals. Plus it's free.

Jun 30, 2017 19:35

vOv posted:
This is unironically good though. Digital cultural archiving is a big thing and it'd be lovely if it all got lost.

Because virtual machines and archived installers don't exist.

Aug 5, 2017 00:15

CLAM DOWN posted:
What does?

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8620

quote:
A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Aug 9, 2017 17:49

Purse dogs are good dogs with bad owners.

Sep 13, 2017 18:21

Volguus posted:
I have a small question about the WiFi security (or lack of).

Any benefit to security by having a hidden SSID (almost none) is far outweighed by the added inconvenience of trying to use an AP with a hidden SSID.

Sep 15, 2017 18:51

Potato Salad posted:
Heh, almost everyone on virustotal misses it.

Who didn't?

Sep 18, 2017 19:44

Potato Salad posted:
ClamAV; I am not familiar with it

I've never used it, but its gimmick is that it is open source and community managed. AFAIK, it's signature-based.

Sep 18, 2017 19:50

Furism posted:
For gently caress's sake.

The article that I just read said the account in question was an Azure Service Admin account.

Sep 25, 2017 21:02

CCleaner incident keeps giving. https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident

quote:
That is, despite the fact that CCleaner is a consumer product, the purpose of the attack was not to attack consumers and their data; instead, the CCleaner customers were used to gain access to corporate networks of select large enterprises.

quote:
The main findings from the complete database are as follows: Among those 40 are PCs owned by the following companies: vmware, intel, sony, asus, samsung and o2

Sep 25, 2017 23:38

murex posted:
Hold on to your

The Fool fucked around with this message at 00:00 on Sep 26, 2017

Sep 25, 2017 23:58

https://twitter.com/s7ephen/status/701488719795060736

Sep 28, 2017 20:20

password_requirements.txt

Sep 29, 2017 23:38

I feel the same way about Citrix.

Oct 4, 2017 19:22

SMS two-factor is better than no two-factor.

Oct 8, 2017 01:11

SMS 2FA is trivial to bypass if you have the right equipment and knowledge set. That being said, it's not something you have to worry about unless you work for an organization that is at a high risk of that type of attack. It's perfectly adequate to protect your lovely cat pictures on Instagram.

Oct 8, 2017 05:36

Thermopyle posted:
I seem to remember some of these anonymizing VPN providers being bad at keeping you actually anonymous but I can't remember any details or what the actual problem is (was?).

I don't remember reading anything specific, but in general there is so much other identifying information being broadcast by your web browser that just using the internet from a different IP address isn't going to do a whole lot to keep you actually anonymous.

Oct 10, 2017 20:42

http://www.zdnet.com/article/accenture-left-a-huge-trove-of-client-passwords-on-exposed-servers/

quote:
Vickery said he also found Accenture's master keys for its Amazon Web Service's Key Management System (KMS), which if stolen could allow an attacker full control over the company's encrypted data stored on Amazon's servers.

Oct 11, 2017 00:59

Don't rely on just a VPN for anonymization.

Oct 18, 2017 17:14

anthonypants posted:
Gonna link this again https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa

This article links to Streisand, which I had heard about but forgotten the name of. And is one of the coolest bits of technology I've read about in a while.

Oct 18, 2017 18:22

Mr. Crow posted:
Which payday loan company do you work for? Be honest.

That was my first thought, but payday loan companies usually don’t bother with credit checks.

Oct 25, 2017 14:43

Lain Iwakura posted:
Hopped Tripel Toasted Pilsner

I see what you’re trying to do, but tripel and Pilsner don’t go together, you heathen. Hopped Tripel Toasted Porter would probably be ok.

Nov 3, 2017 00:20

https://www.v3.co.uk/v3-uk/news/3020946/major-anti-virus-packages-vulnerable-to-exploit-that-can-spring-suspicious-files-from-quarantine

quote:
In brief, the attack involved taking advantage of the way in which anti-virus software automatically quarantines files that appear malicious, and then using a privilege mismatch vulnerability to move that file to a more dangerous location, such as the root (C:) drive, where it can be executed.

Nov 15, 2017 20:45

BangersInMyKnickers posted:
https://www.grc.com/dns/benchmark.htm

Steve Gibson is a clown.

Nov 17, 2017 20:03

BangersInMyKnickers posted:
His dnsbench tool is fine, stop being morons. Or go manually query response time.

I've never used it, but when someone has poo poo like this in their features list...

quote:
Hand-coded in 100% pure assembly language for highest precision and smallest size: 163 KBytes.

Nov 17, 2017 21:20

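Manually querying response time, as the quoted post suggests, needs no special tool. The script below is an added example written for this page, not code from the thread or from GRC's benchmark: it builds a minimal DNS A query by hand, sends it over UDP, times the reply and checks that the reply is actually the one asked for (matching transaction ID, response bit set, RCODE 0) before reporting the latency. Only standard-library modules are used. The resolver addresses and the name `example.com` in the `__main__` section are assumptions for the demo; `SAMPLE_RESPONSE` is a constructed reply so `parse_response()` can be exercised offline.

```python
"""Time a DNS resolver with a hand-built A query (added example, not from the thread)."""
import random
import socket
import struct
import time
from typing import Optional


def build_query(name: str, tid: Optional[int] = None) -> tuple:
    """Return (transaction id, wire-format query for an A record of `name`)."""
    if tid is None:
        tid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return tid, header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_response(data: bytes, expected_tid: int) -> list:
    """Validate the reply and return the IPv4 addresses in its answer section."""
    tid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if tid != expected_tid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"server returned RCODE {rcode}")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4          # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, IN class
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return addrs


def time_resolver(server: str, name: str, timeout: float = 2.0) -> tuple:
    """Send one A query to `server` and return (milliseconds, addresses)."""
    tid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
        elapsed_ms = (time.perf_counter() - start) * 1000
    return elapsed_ms, parse_response(data, tid)


# Constructed reply for offline testing: answers "example.com" with one A record.
SAMPLE_TID = 0x1234
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TID, 0x8180, 1, 1, 0, 0)       # response, RCODE 0
    + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"          # question: example.com A IN
    + b"\xc0\x0c" + b"\x00\x01\x00\x01" + b"\x00\x00\x00\x3c"  # name ptr, A, IN, TTL 60
    + b"\x00\x04" + b"\x5d\xb8\xd8\x22"                        # rdlength 4, 93.184.216.34
)

if __name__ == "__main__":
    # Assumed resolvers and name for the demo; run several times and average.
    for resolver in ("8.8.8.8", "1.1.1.1"):
        try:
            ms, addrs = time_resolver(resolver, "example.com")
            print(f"{resolver}: {ms:.1f} ms -> {addrs}")
        except (OSError, ValueError) as exc:
            print(f"{resolver}: failed ({exc})")
```

The transaction-ID and RCODE checks matter for a benchmark: a resolver that answers fast with SERVFAIL, or a stray packet from an earlier probe, would otherwise be counted as a good result. One query per resolver is noise; repeat it and compare medians.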
Volmarias posted:
Everything is terrible, throw your computer into a dumpster and jump in after it.

https://youtu.be/RD6hPYnR5GM

RFC2324 posted:
what's wrong with wps?

https://nakedsecurity.sophos.com/2011/12/30/most-wi-fi-routers-susceptible-to-hacking-through-security-feature/

WPS PINs are easily brute-forced.

The Fool fucked around with this message at 05:12 on Dec 8, 2017

Dec 8, 2017 05:10

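Why the WPS PIN is so cheap to brute-force, as an added example written for this page (not code from the thread or the linked Sophos article): the registrar exchange tells the attacker after message M4 whether the first four digits were right and only after M6 whether the last four were, so the two halves can be searched independently, and the eighth digit is a checksum over the first seven. That turns 10^8 candidates into at most 10^4 + 10^3 = 11,000 attempts. The `AccessPoint` class below is a stand-in for a real registrar and its PIN is a constructed secret for the demo; the checksum routine follows the WPS specification.

```python
"""WPS PIN brute-force model (added example; AccessPoint is a stand-in, not a real AP)."""
from dataclasses import dataclass


def wps_checksum(first_seven: int) -> int:
    """Return the checksum digit that WPS appends to a 7-digit PIN body."""
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if an 8-digit PIN string carries a correct checksum digit."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


@dataclass
class AccessPoint:
    """Models the registrar's leak: a NACK after M4 for a wrong first half,
    a NACK after M6 for a wrong second half. `pin` is a constructed secret."""
    pin: str
    m4_nacks: int = 0   # failed first-half checks
    m6_nacks: int = 0   # failed second-half checks

    def try_first_half(self, half: str) -> bool:
        ok = half == self.pin[:4]
        if not ok:
            self.m4_nacks += 1
        return ok

    def try_second_half(self, first_half: str, half: str) -> bool:
        # A real AP only proceeds to M6 once the first half already matched.
        assert first_half == self.pin[:4]
        ok = half == self.pin[4:]
        if not ok:
            self.m6_nacks += 1
        return ok


def brute_force(ap: AccessPoint) -> tuple:
    """Recover the PIN; returns (pin, number of protocol attempts used)."""
    attempts = 0
    first = None
    for i in range(10_000):                    # first half: 4 free digits
        attempts += 1
        cand = f"{i:04d}"
        if ap.try_first_half(cand):
            first = cand
            break
    assert first is not None
    for j in range(1_000):                     # second half: 3 free digits + checksum
        attempts += 1
        body = int(first + f"{j:03d}")
        cand = f"{j:03d}{wps_checksum(body)}"
        if ap.try_second_half(first, cand):
            return first + cand, attempts
    raise RuntimeError("PIN not found; the AP must not be following the spec")


def worst_case_attempts() -> int:
    """Upper bound on attempts: 10^4 first halves plus 10^3 second halves."""
    return 10_000 + 1_000


if __name__ == "__main__":
    ap = AccessPoint(pin="12345670")   # constructed secret; 12345670 has a valid checksum
    pin, n = brute_force(ap)
    print(f"recovered {pin} in {n} attempts (worst case {worst_case_attempts()}, not 10**8)")
```

Rate limiting or lockout after a few failed PIN attempts is the only thing that makes this expensive, and many routers of that era had neither, which is why the usual advice is to disable WPS outright.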
Internet Explorer posted:
Happy Friday.

I’m getting deja vu.

Dec 8, 2017 16:44

orange sky posted:
Wait.. What? Was the command line open in PXE or something? Did no one notice the server was down?

This is a good question, because if it was an RDP session it would have been in his own account. Which means either he left himself logged in, or someone knows his password. I vote prank, and that he left himself logged in to a server, because that’s the least depressing scenario I can think of.

Dec 22, 2017 17:10

Talas posted:
Shared admin account on a windows server 2012 r2... yes.

Here’s your opportunity to advocate against that terrible policy.

Dec 22, 2017 17:28

Except adding all of accounting to a group that doesn't give them any additional access for no reason.

Dec 22, 2017 22:40

bobfather posted:
Enterprise can defer upgrades for a little while and lacks Cortana and most or all Metro apps.

I had to disable Cortana and a ton of Metro apps in my enterprise image. My users also used to get “suggested app” notifications until I got that turned off. The only difference between Enterprise and Pro is that you’re actually able to turn those things off in Enterprise.

Dec 31, 2017 23:24

Good write-up and fits my understanding of the issue as well. Now imagine how big of a deal this is on something like AWS or Azure with potentially thousands of guests on the same hardware.

E: Avenging_Mikon posted:
Okay, this is bad, I get that. What I don’t get is, if you’re running VMs for private use and there’s no direct connection to the WAN, they’re ostensibly safe, right?

The risk is minimized in your scenario, yes.

Jan 3, 2018 05:05