Winkle-Daddy
Mar 10, 2007
hell yeah, back to working on infosec software after a year and a half at Oracle getting my rear end kicked working on boring non-infosec trash! I missed poo poo posting with you guys.

Winkle-Daddy
Mar 10, 2007
probably not tbh

Winkle-Daddy
Mar 10, 2007
the intent to crime develops in the gonads

Winkle-Daddy
Mar 10, 2007

geonetix posted:

doesn't every Oracle agreement disallow any posts or comparison about their products? be careful before their army of lawyers take all of lowtax's spine cash

I'd tell you about how they're trying to be hip and cool and cloudy and embrace open source but I'd probably get sued for that too ¯\_(ツ)_/¯

Winkle-Daddy
Mar 10, 2007

D. Ebdrup posted:

So far as I can tell, this also means that firmware runtime attestation is completely impossible, so you cannot know if the firmware that's on the system messes with any future firmware, unless you JTAG the system and push the firmware to it in a way that the firmware runtime cannot know about.

And the best part is, that basically no vendor has a solution for this particular problem if they ever get hit by it - the closest work is described in my last post in the video titled Securing Bare Metal Hardware at Scale, and that was a year ago and I haven't heard much news about it yet.

And since the trust root is apparently in the FGPA, we're truly hosed. :munch:

doesn't sound terrible to fix:

quote:

They discovered that when Cisco’s secure boot detected a breach of trust in a system, it would wait 100 seconds—a pause programmed by Cisco engineers, perhaps to buy enough time to deploy a repair update in case of a malfunction—and then physically kill the power on the device. The researchers realized that by modifying the part of the bitstream that controlled this kill switch, they could override it. The device would then boot normally, even though secure boot accurately detected a breach.

Sounds like this bit of logic just needs to be thought through again...but as they didn't release the specifics yet, it's hard to say ¯\_(ツ)_/¯

e: lmaorf

quote:

They also broke two of their routers during the process of physically manipulating and soldering on the boards to look for the reset pin.

Winkle-Daddy
Mar 10, 2007

Jabor posted:

my read of that is that the code that decides what to do when secure boot can't verify the firmware can itself be modified, so all you need to do is modify it to just boot anyway.

maybe, hard to tell if they have a really novel approach to fpga reverse engineering and if it can be generalized.

Winkle-Daddy
Mar 10, 2007

this post has inspired me to visit a pawn shop on my lunch break, thanks!

Winkle-Daddy
Mar 10, 2007
I'd reinstall from USB to get rid of the hp poo poo and also swap the drive to cover the very unlikely event there is some latent malware on the drive as well as the very likely scenario he will want something bigger and faster as storage is always getting cheaper.

Winkle-Daddy
Mar 10, 2007

Tankakern posted:

what fud is this, "latent malware" if you flatten and reinstall?

You spelled common knowledge wrong? NSA has been installing malware into HD firmware since at least 2001, and did it for 14 years undetected until that whole Kaspersky thing on equation group malware back in '15.

e: I mean, it's really rare, but HDs are cheap, just get a new one and re-install from USB. If your threat model requires you to be any more paranoid, don't buy used, I guess?

e2: a link https://www.kaspersky.com/blog/equation-hdd-malware/7623/

Winkle-Daddy
Mar 10, 2007

Subjunctive posted:

Serious Hardware / Software Crap > YOSPOS > Security Fuckup Megathread v18.2 - of course it was Lenovo

Winkle-Daddy
Mar 10, 2007

graph posted:

is that really better than the current tho

gonna be honest, it isn't.

Winkle-Daddy
Mar 10, 2007

Vomik posted:

if you're worried the nsa installed malware into hard drive firmware then how would you get around it by buying a new hard drive

where do you think the firmware on the HD lives?

quote:

Let’s start with explaining what “hard drive firmware reprogramming” means. A hard drive consists of two important components – a memory medium (magnetic discs for classic HDDs or flash memory chips for SSD) and a microchip, which actually controls reading and writing to the disk, as well as many service procedures, e.g. error detection and correction. These service procedures are numerous and complex, so a chip executes its own sophisticated program and, technically speaking, this is a small computer by itself. The chip’s program is called a firmware and a hard drive vendor may want to update it, thus correcting discovered errors or improving performance.

e: afaict this was not done as a supply chain attack

Winkle-Daddy fucked around with this message at 23:12 on Jun 5, 2019

Winkle-Daddy
Mar 10, 2007

mystes posted:

A flash chip and/or the platter but how does it make the slightest difference with respect to what we're talking about?

because replacing the drive with a totally different one, as well as re-installing the OS, will remove this kind of malware, as described, that you previously called fud?

Winkle-Daddy
Mar 10, 2007

mystes posted:

Oh I see, I misunderstood what you're saying. Yeah if you think your specific single computer was compromised in transit
this was not a supply chain attack

quote:

throw it out and get a new one at a store or whatever if you think that will protect you from the NSA.

you're buying a used computer from somewhere you have zero idea what the user's behavior was and if it made them a target of state surveillance for some reason. 4 years ago NSA could re-write firmware for 12 different “categories” (vendors/variations) according to the article. With the increasing complexity on the hw engineering side, this number must have gone up. knowing what we know, and how cheap drives are, you can call it fud if you want, but I'll spend the hundred bux ¯\_(ツ)_/¯

This does leave me with a couple of questions though...
HD manufacturers gotta go fast and will that lead to the same bad decisions of chip makers (lol speculative execution)?
Is there going to be a temptation by HD manufacturers to basically stick an IoT computer on your HD, I have no idea how close it is to that now?

Cocoa Crispies posted:

how’s a picture of aatrek going to help with that

lmbo

Winkle-Daddy
Mar 10, 2007

god I hope there's a disclosure timeline with receipts.

Winkle-Daddy
Mar 10, 2007

Winkle-Daddy
Mar 10, 2007
^^that's phishing not mitm, good idea though

Winkle-Daddy
Mar 10, 2007

tavis posted:

Bonus... can you pop calc in calc?
In Windows 10, Calculator uses AppContainer isolation, just like Microsoft Edge. However the kernel still forces AppContainer processes to join the ctf session.
code:
ctf> scan
Client 0, Tid 2880 (Flags 0x08, Hwnd 00000B40, Pid 3048, explorer.exe)
Client 1, Tid 8560 (Flags 0x0c, Hwnd 00002170, Pid 8492, SearchUI.exe)
Client 2, Tid 11880 (Flags 0x0c, Hwnd 00002E68, Pid 14776, Calculator.exe)
Client 3, Tid 1692 (Flags 0x0c, Hwnd 0000069C, Pid 15000, MicrosoftEdge.exe)
Client 4, Tid 724 (Flags 0x0c, Hwnd 00001C38, Pid 2752, MicrosoftEdgeCP.exe)
This means you can compromise Calculator, and from there compromise any other CTF client, even non-AppContainer clients like explorer.
On Windows 8 and earlier, compromising calc is as simple as any other CTF client.
So yes, you can pop calc in calc

lmbo

Winkle-Daddy
Mar 10, 2007

CommieGIR posted:

:shrug: Welp. I gotta internalize your criticism, you guys do have some very valid points. Still feels like a gut punch, but peer review often does. I'll roll with it.

I just wanted to say this is a cool and good post and you are a cool and good poster for making it!

Winkle-Daddy
Mar 10, 2007

the article doesn't mention the contract at all. My experience has been that pentesters (especially in the last 5-ish years) are not ones to invent scope. I would be shocked if physical access was not spelled out in the contract the SCA signed, agreed to and failed to read. But I guess we'll have to wait and see.

Winkle-Daddy
Mar 10, 2007
i... think we agree? also, I didn't realize this was tinkersec, he's usually incredibly careful.

Winkle-Daddy
Mar 10, 2007
my p curve is just fine tyvm

:colbert:

Winkle-Daddy
Mar 10, 2007

ewiley posted:

I'm not a developer but is it normal to include credentials inline in PHP?

Yes, this is very normal in PHP and one of the reasons doing a Google dork for download.php?file= will yield so many juicy DB creds (when you edit the url to file=../config.php or w/e). When I was at Yahoo! we had developed an in-house solution to read credentials out of a service at runtime. I haven't used PHP since then so I don't know if they have a better solution, but this isn't unique to you, but it is somewhat unique to PHP!
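As an added illustration of the two problems the post names (a traversable download handler and credentials sitting in a web-served config.php), here is a download handler in its vulnerable and hardened forms. This is example code written for this page, not from the post or any project; it assumes the files to serve live in a downloads/ directory next to the script and that the DB credentials are supplied through environment variables.

```php
<?php
// VULNERABLE: the "file" parameter is glued straight onto the path, so
// ?file=../config.php walks out of downloads/ and serves the config file
// (and whatever inline credentials it holds).
function vulnerable_download_path(string $file): string
{
    return __DIR__ . '/downloads/' . $file;
}

// HARDENED: drop any directory component, allow only an expected filename
// shape, and verify the resolved real path is still inside downloads/.
function safe_download_path(string $file): ?string
{
    $base = realpath(__DIR__ . '/downloads');
    if ($base === false) {
        return null;                       // directory missing: serve nothing
    }
    $name = basename($file);               // strips "../" and any subdirectory
    if (!preg_match('/^[A-Za-z0-9._-]+\.(pdf|zip|png)$/', $name)) {
        return null;                       // reject odd names and extensions
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    // realpath() also follows symlinks, so a link pointing outside $base fails here.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Credentials come from the environment (or a secrets service, as the post
// mentions), not from a config.php that the web root can serve.
function db_settings(): array
{
    $host = getenv('DB_HOST');
    $user = getenv('DB_USER');
    $pass = getenv('DB_PASS');
    if ($host === false || $user === false || $pass === false) {
        throw new RuntimeException('database credentials not provided in environment');
    }
    return ['dsn' => "mysql:host=$host;dbname=app", 'user' => $user, 'pass' => $pass];
}

$path = safe_download_path($_GET['file'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

The vulnerable function is kept only for comparison; the request path at the bottom uses the hardened one, and any config that must exist on disk belongs outside the document root with file permissions limited to the PHP worker.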

Winkle-Daddy
Mar 10, 2007

Partycat posted:

When you're doing k8s and containers, do you trust that infra enough to put your creds and secrets in environment variables? Do you go with file mounts and encrypted vaults or ...? I honestly don't know if a traversal or a variable dump are more likely exploits, but I feel like either of those things means you're in a bad place. I don't really want to go down the slippery slope of having the app pull the cred into memory via an API call behind 7 proxies and 512 bit EC certs

You should use the built in K8s secrets management with a host that isn't a dumpster fire.

Winkle-Daddy
Mar 10, 2007

jre posted:

You shouldn't use the built in for anything important because it's not implemented well

uh...what? It's fine for most use cases.

quote:

Caution: Think carefully before sending your own ssh keys: other users of the cluster may have access to the secret. Use a service account which you want to be accessible to all the users with whom you share the Kubernetes cluster, and can revoke if they are compromised.

Why would you send your own keys? Using a service account for this purpose is best practice so that access can be globally revoked by an operations team.

quote:

Currently, anyone with root on any node can read any secret from the apiserver, by impersonating the kubelet. It is a planned feature to only send secrets to nodes that actually require them, to restrict the impact of a root exploit on a single node.

...which is why you have separate staging secrets...being able to restrict secrets to specific nodes via labels would be v cool tho

But seriously, unless you have a drat good reason not to, I don't see a problem. It's what we used for secret management on the k8s control plane and all things related to it for the K8s provider I used to work for ¯\_(ツ)_/¯

Winkle-Daddy fucked around with this message at 22:40 on Oct 18, 2019

Winkle-Daddy
Mar 10, 2007
like the old infosec joke what's the difference between a VPN and a honeypot? An exploit.

Winkle-Daddy
Mar 10, 2007

Shaggar posted:

I use nordvpn with code lowtaxspine and it works fine for downloading Linux isos.

Winkle-Daddy
Mar 10, 2007

Volmarias posted:

Disable it by default and require admin configuration to enable it?

I think you'll find that might generate calls to support.

Winkle-Daddy
Mar 10, 2007
the worst is when you have to start going to seminars to learn secure coding from places that...don't teach much. "Here, let's exploit winamp with a bitflip in a skin, see how that worked in windbg? good, now, don't code like that!" Hope that was money well spent! It was fun, though, for me, the person not paying to make our software more secure.

Winkle-Daddy
Mar 10, 2007

AARP LARPer posted:

Hi everyone. A few years ago I asked you kind souls for book recommendations about cryptography and a very wise person suggested The Code Book by Simon Singh which rocked and I'm very grateful. There's something about the way that the book was written that really held my interest in a way that few books have. It's weird.

My question: Is there a book written in a similar style/tone about the history of cyberwarfare, or a sort of overview Nation/State activities in the space? Sorry if I'm dropping this in the wrong place and killing the vibe.

I don't know anything about the book you mentioned, unfortunately. But what you're asking for sounds a little bit like @War by Shane Harris. I read it when it first came out and found it to be a really good overview of where we are in terms of a holistic view of "cyber" through the lens of the Military. It was written a little better than most things in this space.

Winkle-Daddy
Mar 10, 2007

guess theo should spend less time bitching about openssl and more time fixing basic openbsd bugs

Winkle-Daddy
Mar 10, 2007

sounds fake and dumb, and their responses to people calling them out make them sound even faker and dumber.

Winkle-Daddy
Mar 10, 2007

chestnut santabag posted:

Bring on the digital security arms race of them exposing one another's exploits to embarrass them.

u should follow tavis on twitter, friend

Winkle-Daddy
Mar 10, 2007
just run keepAss in its own appVM in QubesOS with no network access, obviously

Winkle-Daddy
Mar 10, 2007
"lol time to put a penny in the 'copilot wrote an SQL injection vulnerability' jar"

spotted in work slack tonight

:cheers:

Winkle-Daddy
Mar 10, 2007
happy 10th birthday, Let's Encrypt :toot:

Winkle-Daddy
Mar 10, 2007
yes, I "rely" on winrar to extract my jrpg roms

Winkle-Daddy
Mar 10, 2007

infernal machines posted:

unrevoking certificates for, uh, compatibility's sake

then again, if you break a bunch of random accounting and LoB software with a cert revocation, you are going to have to do something about it

it's not revoked, it's no longer trusted (or was). minor distinction, but as Microsoft did not issue the certificate they cannot revoke it. reversing a revocation would be a much bigger deal and, I have to imagine would violate the BRs of the CA.

Winkle-Daddy
Mar 10, 2007
in case your grafana stopped updating:
https://grafana.com/blog/2023/08/24/grafana-security-update-gpg-signing-key-rotation/

Winkle-Daddy
Mar 10, 2007
lol, lmao even
https://twitter.com/__silent_/status/1698345924840296801
