Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender


code:
PATCH NOTES FOR 12.0
* A whole new version to reflect the ever-changing threat landscape
* Official HTTPS support--it only took Lowtax like a decade to get it to work properly

PATCH NOTES FOR 11.4
* Added details at end of OP for why the thread is called "You're busted, dude"

PATCH NOTES FOR 11.3
* POP POP of unsigned ints

PATCH NOTES FOR 11.0
* new version with less bloat
* all anime removed and hopefully forever

PATCH NOTES FOR v10.1
* no patch notes required

PATCH NOTES FOR v10.0

* decided that 8 and 9 were bad numbers and skipping to '10' would make us look cooler.
* js crypto added in for the sake of an internet argument

PATCH NOTES FOR v7.69

* Added 1.2 billion passwords from Russian hacker forums

PATCH NOTES FOR v7.2 "BoringSFM"

* The name is aspirational and not yet a promise

PATCH NOTES FOR V1.0.1g

* changed version number

PATCH NOTES FOR V0.9.8

* once again removed LF and Fishmech corruption from the last thread
* added a new feature that enables the mods/admins to go ahead and probate/ban as necessary if LF'n poo poo happens
* added heartbeat feature to non-existent SSL layer on the forums

PATCH NOTES FOR V69

* removed LF and Fishmech corruption from last thread
* new "hello" service for conference attendees
* blocking of js crypto through message relay services like twitter

PATCH NOTES FOR V1.2

* made more efficient for version 1.2 after having removed fishmeching and talk about credit card contracts

PATCH NOTES FOR V1.1

* don't loving use any of these goddamn exploits you dumbshits


join us on irc: irc.synirc.net #yossec

useful news resource for information security professionals: http://reddit.com/r/netsec/

here are some old threads that haven't been archived:

Security Fuckup Megathread - v11.4 - who u gonna snitch to pussy bitch gently caress u (apr 2015-apr 2016)
Security Fuckup Megathread - v10.1 (Hackers can turn your gas station into a bomb) (nov 2014-apr 2015)
Security Fuckup Megathread - v7.69 (stay safe security ghost) (aug-nov 2014)
Security Fuckup Megathread - v7.2 "BoringSFM" (jun-aug 2014)

Alereon posted:

seriously though people dont post anything that would allow a lurker from gbs to gently caress with anything

Lain Iwakura fucked around with this message at 15:43 on Nov 3, 2016

Lain Iwakura
first post to hold stuff for later

Lain Iwakura
if you guys want me to put images or highlights from previous threads, just share them and i'll put them into the second post or some poo poo

Lain Iwakura

prefect posted:

i think it's from this?



i think that there is an extended version?

Lain Iwakura
Happy Badlock Day!

Lain Iwakura
http://www.postphp.com/namecheap-livechat-social-engineering-leads-to-loss-of-2-vps/

quote:

Namecheap live chat social engineering leads to loss of 2 VPS

On April 9, 2016 I had an email address compromised, with the attacker brute-forcing a weak password. The hacker then attempted to do password resets on several services which had an account with this email, including AWS, and a couple of Bitcoin exchanges; all of which had 2factor authentication enabled so attacker had no luck.

I’m pretty careful to use 2FA for any service that I consider important, so that in just this scenario there is really nothing much the attacker can do.

Then they came to Namecheap where I have a couple of VPS servers, this account also had 2factor SMS authentication required for login. However the hacker opened up a live chat with Namecheap and requested a password reset for the SolusVM VPS panel, at which point, in a massive breach of their security protocols, they sent a plain text email to the compromised address containing both the VPS panel username (previously unknown to the attacker) and a new password. Normally Namecheap is supposed to ask for your “support PIN” before doing anything related to the account… and the support PIN can only be obtained by logging in using 2FA.

Despite having 2factor on the Namecheap account, the VPS panel itself requires no 2factor and allows full serial console to the servers.

At this point I was at the computer and saw a “Thanks for our chat here’s your login/password” email and VPS panel login notifications, and knew right away this was bad.

Immediately I SSHed to the servers and shut them down so the attacker could not gain access to anything via serial console. Every time he tried to boot them up I immediately shut them down again. I got into the VPS panel and changed the password however this does not kill open sessions so there was no way to lock the hacker out.

At the same time I was on live chat with Namecheap informing them of the situation, and finally after 45 minutes they locked the VPS servers so that they could no longer be accessed via the VPS panel.

When Namecheap had changed all passwords and email they opened up access to the VPSs and the extent of the damage was revealed. Looking at the panel logs it appears the hacker got bored of playing the “You boot up, I boot down” game with me and decided they were probably not going to get anything, so 30 minutes after I’d reported the situation to Namecheap (and panel was still not locked), the hacker decided to give up, but on the way out decided to click the conveniently located “Re-install” button next to each VPS. This instantly wipes everything and installs a new OS. Again this action requires no 2FA authentication or any other form of confirmation.

When I realized this damage I was very bummed, but figured at least Namecheap must keep some backups in case of massive hardware failure that they can restore and maybe I’ll lose a week's worth of data.

Wrong; they have absolutely zero backups, so I guess if a couple of disks on your RAID fail (assuming they even use RAID), or they happen to let someone reformat your server you are totally screwed.

Namecheap responded with “oops we’re very sorry” and “you can have free hosting for 1 year for 1 of the servers”…and that they are “investigating further”…but despite 4 days worth of requests they have failed to give me a copy of the chat transcript with the hacker (so that I can see what was actually said and what other information of mine the hacker may have).

And the 1 year's worth of hosting is pretty much a joke as I’d be crazy to host anything else with Namecheap given this terrible security; looking back now I can see the security has always been woefully inadequate even without the social engineering.

Think about the glaring security flaws:

  1. The VPS panel allows full serial console with only a login/password (no 2FA required or possible)
  2. They send out your VPS panel login/password in plain text emails when you sign up, and when you reset the password. So if you ever failed to delete one of those emails completely and someone gets into your email…you're totally screwed…
  3. VPS can be irrevocably wiped within seconds without any prompts or confirmations just by the click of one button; whether the server is turned on or off doesn’t matter.
  4. They keep no backups, even to cover hardware or security failure.
  5. And of course the icing on the cake is that they ignore 2FA and are willing to send out your username/password to anyone that asks.
  6. My personal takeaway is that I should have had better local backups or synced to another service, but I have gotten complacent after so many years without any issues. I had only kept backups on the server itself and had discounted the possibility of the server just completely going “poof” with no backups kept by the host. I thought they must have something internally to cover a major screw up like this.

Although the email password was fairly weak I think you have to assume that your email could be compromised at any time, so I find it only fair that you should be able to rely on 2FA provided by services.

Bottom line is that without the social engineering the hacker would not have been able to get into these servers, and I can’t believe Namecheap fell for this hacker trick 101, really poor security.

i wonder how weak his other passwords were

Lain Iwakura

Wiggly Wayne DDS posted:

http://badlock.org/

The security vulnerabilities can be mostly categorised as man-in-the-middle or denial of service attacks.

Man-in-the-middle (MITM) attacks:
There are several MITM attacks that can be performed against a variety of protocols used by Samba. These would permit execution of arbitrary Samba network calls using the context of the intercepted user.

Impact examples of intercepting administrator network traffic:
Samba AD server - view or modify secrets within an AD database, including user password hashes, or shut down critical services.
standard Samba server - modify user permissions on files or directories.

Denial-of-Service (DoS) attacks:
Samba services are vulnerable to a denial of service from an attacker with remote network connectivity to the Samba service.

booooooooooooooooooring

so worth the hype i say

Lain Iwakura

Shaggar posted:

so when they say samba do they really mean SMB or is this actually a samba only bug?

https://technet.microsoft.com/en-us/library/security/ms16-047

Lain Iwakura

:lol:

Lain Iwakura

pr0zac posted:

I think im missing something

e: oh god dammit there's the pass's barcode

here's the original image:



i tried to get the code to read but it's a bit too low res

Lain Iwakura
https://twitter.com/afreak/status/721020332669214720

Lain Iwakura

mods pls change thread to:

Security Fuckup Megathread - v12.1 - P4ssword <---- look! the sysadmin!

Lain Iwakura
more grey forum security advice :allears:

Rathlord posted:

A couple of people mention the whole "what's the point of having an AV, we're all screwed anyways!" deal and I'm not sure they got a perfect answer for it. Here's what I tell my friends:

There's basically two kinds of threats here. One is people who throw a huge net and hope to pull up a couple of fish. The other is people who are attacking a specific target for a specific reason. The first is much, much more common (and relevant) for every day computer users. These "big net" attacks are what AV's do a reasonably decent job protecting you from. The other attack- a targeted one- nothing will protect you from. So, yes, we're all screwed if someone wants us bad enough, but that doesn't mean you shouldn't protect yourself from all the lazy slop out there.



In general it (malware design and security) is a very unlevel/asymmetrical playing field. It's like if in football one team got to be offense the whole game, no matter how many downs they used. Sure, sometimes the defense will stop them and occasionally you might even push them back a bit. But you're still always, always giving ground and nothing's going to change that. All you can try to do is try to read their plays, celebrate your victories, and grit your teeth and fight harder when you lose.


Rathlord posted:

I'm well aware of that, but you've sidestepped my point massively. First, there's plenty of old malware floating around out there, and second heuristic analysis is... extant, if not necessarily effective in the vast majority of cases. The reality is, AV's will save casual users infinitely more than not having one will save them (assuming the same usage). That alone is enough to merit having and using one. The "don't be an idiot and you'll never get a virus" (doesn't particularly matter to the end user whether it's old or not) by-line is all good and well, except even the pretentious asshats who feel the need to say it all the time know it's not true. There's plenty of examples in this very thread that disprove that idea. For casual users (and even to a certain extent power users), a combination of not being a dipshit and using an AV is by far the optimal solution. Neither will work perfectly on their own. The unfortunate reality is that the crappy advice/attitude mentioned in your post (and found smeared well over the internet by presumptuous power users) can have a negative impact on people's lives. If someone is asking if they should have an AV or not, the unequivocal answer is "yes," because if they're not educated enough to know the answer, they need it. I realize you don't quite stand behind the point you're bringing up ("the people who say"), but I believe wholeheartedly that it's worth disproving those people's arguments.

E: And also, no, to your first sentence. There's plenty of people (mostly uninitiated neophytes) who read threads like this and their takeaway is that security doesn't work and isn't worth having. It's not a smart opinion, but it's demonstrably extant and encouraged by the continuous poo poo talking all AVs (deserved, admittedly) take.

EE: It's also worth noting that "Antivirus's are terrible" and "you should have an antivirus" are not mutually exclusive statements. They're both true.


Rathlord posted:

Some security is always better than no security. While you're right that security theater doesn't help anyone, really, your answer to someone asking you "Should I install an antivirus" is still always "yes." Again, unequivocally. Sure, always try to educate people. Yes, absolutely inform them that AV's aren't panaceas. But for sake of all that's good and holy please don't tell casual users not to use an AV unless you're going to sit down and teach them cyber (lol) security and ensure that they've learned it well enough to rely on that information (and update it) for the rest of their lives. Spoiler: most of the general population isn't going to do this. They should use AVs. Your weird strawman assuming that you can either tell people to never use AVs or tell them that all AVs are magical cure-alls doesn't add to this conversation.

The tl;dr here is that you're a bad person if you're telling casual users AVs are pointless or not to use them. Don't.

e: And yes, if you can prove that for a certain user having an AV is less secure than not having one at all, don't have one. But that's generally the case for power users, NOT casual users. Security is 100% proportional to the literacy of the person behind the keyboard. Optimal security varies depending on the user.


Rathlord posted:

And you honestly believe that the holes AV's have are more of a risk for a casual user than leaving them open to years worth of malware that not having the AV would leave them vulnerable to? I'd venture a guess that if you're being honest, you don't. Let's not pretend this is some perfect world where we can educate every user. 95% of people with computers do not and will not learn. You're using fringe (if major) issues with AV's to justify leaving end users open to exponentially more vulnerabilities.


Rathlord posted:

There's an exception to everything in computer security. Glad you see my overall point, though.

:allears:

he got mad and ran off at least

Lain Iwakura

Kaal posted:

Ah, now the explanation for the sudden change of pace in this thread becomes clear. I'm not going to recommend that the average user just teach themselves to be safer (because lol) and I'm not going to tell them to install fourteen different "community-supported" GitHub projects with half-baked GUIs either. I don't care if Snowden and Assange think that NSA could hack Symantec, that doesn't affect the average user. Most people don't need to encrypt all of their data and disable their radio antennae - they need to stop saving all three of their passwords on their phone's notepad. Debating about the merits of paying for AV or using a free-version versus using the onboard AV is one thing - that's always a worthwhile discussion, and the balance changes (slightly) every few years - arguing that all anti-virus programs are bad is another.

lolwhat

Lain Iwakura

Kaal posted:

The idea that the average user needs to deal with "zero-days" is complete nonsense. That thread is useful for the bored computer tech who wants to lock down their Steam games and Google photos tighter than Fort Knox and seriously discusses things like "state-level adversaries", and is willing to deal with all the inconvenience that goes with that, but realistically that just isn't that practical. For most people, it's a lot more useful to have software that will react when they ignore five different safety complaints by their un-updated browser/OS as they strive to click a link posted by their niece's "hacked" Facebook account.

:allears:

Lain Iwakura
i'm the sec fuckup. i published my sa password to github :rip:

(yes. this is still me)

Lain Iwakura
:rip:

Lain Iwakura

poo poo

Lain Iwakura

Wheany posted:

that's another advantage of using a password manager. even if you gently caress up, it only affects that one site.

p much

Segmentation Fault posted:

that looks like one of those passwords SA automatically generates for you when you make a new account, I'd assume he didn't use it anywhere else

i can say that this is not the case

Lain Iwakura

anthonypants posted:

where else did you use your sa password

everywhere

Lain Iwakura

akadajet posted:

if you used lastpass it wouldn't be a problem bro

i'll install that. thanks for the advice

Lain Iwakura

Parallel Paraplegic posted:

so wait your password is only 6 characters?

i think you need to step down as thread ruler.

yes. i use a six-character password everywhere

it's kjs500

don't log into my aquatic fish forum account please

Lain Iwakura

akadajet posted:

somebody acting like they trying to save face

p much the honest truth is that it was an old password from god knows when and may have been generated by the forums and has resided in a password manager for at least 6 years. i added the file to the repo by mistake and craisins was chill and told me about it having a password. i went and changed the password before admitting it

:rip:

Lain Iwakura

BiohazrD posted:

lmao osi, i saw that and was going to pm you about it but i just figured it was a hash or something


my train of thought was literally "theres no way, he's not that stupid"

i am :smith:

Lain Iwakura

uncurable mlady posted:

someone ought to change 'P4ssword' to 'kjs500' in the thread title tho

Lain Iwakura

uncurable mlady posted:

today I learned that I'm a more competent security professional than a team at $very_large_financial_institution and it's not even my job

this is the case everywhere. some security professionals publish their passwords on github

yes. i still feel like poo poo :(

Lain Iwakura

Cocoa Crispies posted:

eh, ever have some crook run up a $400 AWS bill mining bitcoins on your behalf?

fortunately not

Lain Iwakura

Subjunctive posted:

yes, let's encrypt makes it trivial to enable SSL, since it automates server config, request generation, signature submission and cert/key installation. it is explicitly about making it too easy to not bother, because laziness/complexity is the big remaining barrier.

this is horrible because shaggar cannot see the forest from the trees here okay?

Lain Iwakura
shaggar should just delete all of his CA trusts tbh

Lain Iwakura
giving godaddy your business is generally a bad idea

like they offered to fund and host canary once and i said no

Lain Iwakura

Shaggar posted:

any reason, or just standard goon hatred?

basically they didn't fit my business model

Lain Iwakura

Lain Iwakura

suffix posted:

lol at exposing anything written in php to the internet

Lain Iwakura
http://www.amazon.com/Dojo-Labs-Inc-DL007/dp/B017VTR1ZE/180-5870193-2671613?ie=UTF8&ref_=cm_sw_r_cp_awd_pGcgxb90MNJST

so is this the cyber equivalent of a pet rock?

Lain Iwakura


quote:

Dojo actually learns. It gets to know devices and finds patterns in their behavior that define their level of security and common vulnerabilities. It’s a sophisticated defense system that utilizes pattern recognition to learn to detect threats. Without even having to look at the data or knowing what’s attacking, Dojo can block them. It listens to patterns, not your data.

quote:

We’re a team of security experts and hackers on a mission to build a security net around the connected home. And we're building products that we actually enjoy having protect us – keeping our devices in check and ensuring we are the ones in control of our privacy.

Lain Iwakura

Segmentation Fault posted:

it's a pet rock AND a firewall! Genius

two things that do nothing merged into one

i wish i came up with this idea aeons ago

Lain Iwakura

shinmai posted:

crosspissing from the pics thread


e: I'm the "allow once" on someone hacking my home alarm system

that is loving gold

Lain Iwakura

flakeloaf posted:

more aesthetically pleasing than a garbage can inside another garbage can, i'll give them that much

sort of amazed that they outright disappeared

Lain Iwakura

Trabisnikof posted:

Atias also told Engadget that it designed the Dojo from scratch so that no legacy security issues from off-the-shelf components will compromise it. But he and the company acknowledge that nothing is completely hacker proof. It's really about setting up the best wall to stop most threats. "There's nothing that's 100 percent secure. It's always effort versus value. This is very high effort for the value of hacking a consumer," Atias said.

Lol legacy

I want to know more

Lain Iwakura
the greys are overly paranoid about whatsapp :allears:

pr0zac posted:

You guys know It takes all of 5 minutes to decompile an iOS app and/or mitm the traffic to check claims of backdooring or logging right? Objective-C doesn't even obfuscate symbols, any idiot can do it.

Like, this isn't something that you have to decide based on your personal biases against a company, you can just go check it for yourself. There's a reason you don't hear any real security professionals saying dumb poo poo like this.

ohgodwhat posted:

It doesn't have to do anything obviously nefarious if the protocol is poo poo and/or improperly or poorly implemented.


poor pr0zac
