Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us money per month for bills, and since we don't believe in showing ads to our users, we try to make the money back through forum registrations.
 
  • Post
  • Reply
sb hermit
Dec 13, 2016





mystes posted:

Excuse me while I buy the rights to old IOT thermostats so I can sell extended service as a subscription for $20/month

"We have been trying to contact you about your thermostat's extended support plan."

Adbot
ADBOT LOVES YOU

sb hermit
Dec 13, 2016





Hed posted:

I also vote QUIC because Iím going to have to build something involving it soon and I need to understand QUIC guts better.

sb hermit
Dec 13, 2016





If I were a person that only watches porn, then I could see no other conceivable reason to convert and remaster video streams except for porn.

The reality is that I only watch anime.

sb hermit
Dec 13, 2016





Hed posted:

interesting. Iím pretty familiar with the Secure Enclave on the Apple side but I need to check out how Windows is doing it and the whole hello thing. also curious what this does for Yubikeys used as a simple FIDO/2 token.

Yubikeys would still be useful as an alternative to carrying around an entire smartphone. Like as an emergency "break glass" second factor or login token.

Yubikeys can also be used as a mechanism to encrypt FDE passwords, or at other times when it's not really feasible to connect to a computer to fetch the password.

sb hermit
Dec 13, 2016





tired: using a bash script and awk to comb through git repositories for ssh keys and api tokens
wired: using an AI to comb through twitch live and archive streams of people programming and automatically guessing passwords based on typing heuristics and totp qr code screenshots

sb hermit
Dec 13, 2016





dang man, all my health insurance gives me is a free $10K in life insurance

or was that my credit union?

sb hermit
Dec 13, 2016





I find that older businesses that should have tighter security are usually the ones that have the most conservative and outdated security models and controls.

  • Logging into the us treasury website uses a virtual keyboard (if javascript is detected) even though it precludes the ability to use a password manager
  • My credit union still uses password expiration, even though it's known to make things more insecure
  • My bank requires 2fa to be done only through SMS, even though there are constant examples of how that is among the least secure 2fa mechanisms (due to sim swapping, sim duplication, or just sms forwarding)
  • All of this "death of password" stuff is nice, but it won't make a difference if these places don't implement fido2 or a near equivalent.
  • And I still encounter the occasional website that doesn't allow you to paste your password.

At least, in the wider sense, password expiration is going away. I hope password complexity goes with it. I think account security should just require a six character password minimum that isn't your username, and a second factor.

sb hermit
Dec 13, 2016





CMYK BLYAT! posted:

still higher than when i sold off my options in april 2020 lol

look, i was correct on tech stocks and the economy in general taking a dive, just like 2 years early

i wish i were a fly on the wall privy to these security discussions but i don't know why im expecting vigorous debate or w/e. most of my brain tells me "no, it's exactly like what you saw recently": there's a mid-50s management person who is driven to show that THEY ARE EXPERIENCED AND KNOW THINGS, so they take personal control over dictating what the contractors implement, so they recommend the state of the art in password security circa 1992 without consulting anyone with actual domain knowledge, and don't bother changing this when subordinates inform them it's outdated af because THERE ARE MORE IMPORTANT THINGS TO DO, LIKE ADDING MORE OUTDATED poo poo TO THE DESIGN. the idiot idealist parts of my brain continue to shout that this can't be the case.

anyway, i am thankful my small CU is inexplicably way ahead of the curve on this; ask me why the passwords to our very needfully highly secure support ticket portal requires 4 classes of characters in passwords that expire monthly

The hilarious thing is that NIST, who gathers and verifies and disseminates standards, specifically changed the standard so that arbitrary password expiration (including periodic expiration) is not recommended. Password expiration should instead be done only when there is evidence of compromise (such as malicious activity or if someone steals the hash). They also specifically say that password complexity is not recommended and a blacklist of common passwords is a better alternative.

They also recommend that users be able to paste passwords in order to use password managers.

sb hermit
Dec 13, 2016





https://pages.nist.gov/800-63-FAQ/

Here's a faq with more info. I like to forward this information to people so that they know that their security theater policies are actively harming user security.

sb hermit
Dec 13, 2016





Funny enough, I use keepass because it doesn't integrate with my browser. That way, I know how to backup, migrate, and test my password databases.

Also, if there's some insane 0day that completely breaks firefox and chrome and forwards all passwords to a website using a watering hole attack, I'll still be ok because keepass would be in a completely separate process.

sb hermit
Dec 13, 2016





Penisface posted:

cant take nist advice, its the us which means its basically cia and the recommendations are in some clever way actually weakening your security

this is a tinfoil hat take but i am sure people think like this in countries other than the us

otoh did the same org not recommend those weakened ecc curves?

Yes. That was the insane dual ecc backdoor. Although I have hardly ever seen it used in practice, even when it was part of the standard (and yes, it has already been withdrawn).

https://en.m.wikipedia.org/wiki/Dual_EC_DRBG

It is an incredibly big black eye for NIST, who recommended it based on guidance from NSA. Given that NSA is responsible for other lapses including the accidental release of their EternalBlue exploit (which lead to the WannaCry worm: https://en.m.wikipedia.org/wiki/WannaCry_ransomware_attack), they seem to be more interested in finding and fixing vulnerabilities than hoarding them (see: https://en.m.wikipedia.org/wiki/Ghidra)

You don't have to trust NIST, but a lot of US based organizations have to follow their guidance and they have a lot of good common sense suggestions that are backed by a lot of analysis. If you have to convince someone of something, and NIST already backs that position, then it's not a bad idea to crib their work and save you some time.

One last point. NIST is pretty clear and public about requirements for systems that require high security. This is because they want to encourage use of commercial tech instead of expensive custom built solutions (see: csfc). So it makes little sense to require use of insecure curves or algorithms if other countries would be able to find any flaws.

sb hermit
Dec 13, 2016





I mean, there's little point to thinking that there's a conspiracy afoot when NIST recommends against arbitrary password expiration. A lot of it is just reasonable stuff, although quite exhaustive.

It's the inscrutable stuff, like crypto algorithms, that would rightly tend to attract a more jaundiced eye. Probably why wireguard doesn't use any of the NIST approved algorithms (as far as I know).

But as another poster said before, NIST generally just picks whatever makes sense. It should be pointed out that AES was not initially developed in the states, but in Belgium. Same with the SHA-3 family. If there was a flaw introduced, then surely the original developers would have spoken up.

EDIT: fix misspelling

sb hermit fucked around with this message at 07:22 on May 8, 2022

sb hermit
Dec 13, 2016





Penisface posted:

i guess the real question is: how much are nist a tool of united states foreign policy? and will their quality of service suffer if its needed for us global hegemony? idk

this is probably not so relevant for information security either, so sorry about the derail

Other countries will likely have their own standards, likely written in their own language, so on the surface, the effect is minimal. Businesses will likely only implement the minimum needed to fulfill legal requirements and insurance requirements and whatever will ultimately save enough money to be worth the time to implement.

However, for companies providing services to the US government or are otherwise subject to US laws (like HIPAA), or even companies providing services to US government contractors, may need to implement NIST guidance to be able to sell their wares. For example, if you do any encryption of certain kinds of data, you'll need to provide documentation that your cryptographic modules are FIPS 140-2 certified. It's why Samsung phones and the Ubuntu Linux OS have spent a large amount of time and money to be certified.

But at any rate, the NIST standards are generally gold, and provide exhaustive coverage on a lot of expansive topics that simply aren't available elsewhere. Unless your requirements demand their use, however, nothing stops you (or anyone else) from just ignoring them.

It should be pointed out that weakened standards will be pointed out by researchers and further undermine trust in the organization. Not to mention potential leaks if another backdoored algorithm is shipped. No one wants to buy american products with state mandated back doors and vulnerabilities, so international trust in NIST is key.

sb hermit
Dec 13, 2016





Ulf posted:

it's no surprise that pretty much everyone ignores the NIST curves and key exchange in any popular TLS / QUIC library is using djb's curve25519 or stronger curves like curve448 that copy his work.

And the kicker to all of this is that using just EC for asymmetric crypto is not quantum resistant, so we'll be seeing new algorithms in the next decade that replace all of this. Hopefully it'll be an open process so that, internationally, we won't be seeing any algorithms that give architects any pause before using them. It already sucks balls to have to modify good implementations because they don't work with standards you are contractually obliged to work with.

On the other hand, being able to negotiate algorithms would lead to some seriously overengineered crap like IKEv1.

Just having a default set that everyone accepts would be much better. Preferably with a hardware accelerated symmetric crypto algorithm, hash algorithm, and deterministic random bit generator.

sb hermit
Dec 13, 2016





CommieGIR posted:

Yeah but, ironically, I get why they did it. I disagree with it, but the reality is a lot of people absolutely refuse to install actually Multifactor apps on their phones or might have phones old enough not to be able to do so.

This has been an issue with our stores that my company owns, I think as long as you understand SMS 2FA should not be the standard, but the exception, its fine. We also wrote requirements around no exceptions for people with Admin or Domain Admin when it comes to MFA.

I don't see smartphones as a good mechanism for passwordless logins in high security situations. Heck, for certain areas, having a powered-on smartphone itself would be an auditable event. Much better to have a smartcard or yubikey, paired with a reasonable password, for secure mfa authentication.

And yeah, for better or for worse, sms 2fa is better than no mfa, but not good enough for domain admins or accounts that require reasonable confidentiality.

sb hermit
Dec 13, 2016





Real talk. All the NFC usb stuff that's good for desktops is like $100, maybe $50 for sketchy stuff. Does anyone have a recommendation from a reputable vendor? Or are all the $20 readers only available on aliexpress or something?

I would be very mad if there was just a cheap hp or dell or microsoft thing that everyone uses but I somehow overlook.

EDIT: I'm just talking about something that can read NFC on a yubikey or an NFC tag or something, nothing too complicated.

sb hermit
Dec 13, 2016





Guy Axlerod posted:

If you're after a cheap solution, I'm not sure why you'd use a USB nfc reader for a yubikey. You can just plug it in? Get a USB hub or extension to put it on top of your desk if that's what you're missing and price sensitive.

If you're just after a fun project, then go for it. I think it could be cool to have it built-in under your desk top, or integrated into the keyboard.

I'm asking for suggestions for which usb based nfc reader to buy.

EDIT: I somehow misread this. I'm testing out security solutions and it's easier for users to just use nfc than to try plugging stuff in. I mentioned yubikeys because they're the easiest thing I have on hand to try out.

sb hermit fucked around with this message at 15:53 on May 10, 2022

sb hermit
Dec 13, 2016





Hed posted:

I bought this HID reader a couple months ago and 3M stripped it to the underside of my desk. https://www.amazon.com/gp/aw/d/B079T2FKN1

at $67 itís a slight premium to your sketch tier but works for me. I bought it so I didnít have to go all the way to the USB port on my compy

Midjack posted:

the scl3711 is a fairly competent reader that also works with libnfc if that's something you need. there are a couple of formats it can't handle (don't think it does iclass for example) but it's a good general purpose hf rfid reader.

Sweet! Thank you!

sb hermit
Dec 13, 2016





El Mero Mero posted:

$30-50 is cheap as hell. Alternatively, do people not get security badges issued? You can always make those more expensive and turn them into nfc-enabled cards.

It's probably way more expensive, but maybe it comes from an existing budget line item rather than a new one lol.

the yubikey security key nfc is $25 and at times has been as low as $10 (in a $100 10-pack)

sb hermit
Dec 13, 2016





Beeftweeter posted:

...guys, the CEO says he lost his yubikey and i locked myself out of the AD console. guys?

As long as you have physical access to the computer, you can change anything.

Wait, you were being serious about the AD being Azure?

Seriously, though, this is the time to break out the disaster plans. You ... did ... make disaster plans, right? And you tested them?

sb hermit
Dec 13, 2016






why is there always a dave in an infosec group of sufficient size?

sb hermit
Dec 13, 2016





mystes posted:

What you want is a piv card and reader

I want something that users can just tap. Something on a keychain would be preferable. Or maybe even let users use their phone if they want.

If they have to insert anything then might as well just do usb security keys.

sb hermit
Dec 13, 2016





Volmarias posted:

Ok, but where does this reader live? Are you inserting it into everyone's computers? Will people with laptops have to carry it with them? If users potentially just leave their security key in the device at the end of the day, what's the specific concerns and how do you remediate them? What makes this better than using the device itself for authentication?

It really does seem like you're reinventing smart cards and I think we're all trying to figure out what exactly you're going for here. What makes this better than a security key that lives on a lanyard?

I just asked for cheap nfc readers to test out new mfa scenarios. This is initially for personal use so that I can get a feel for how easy it is to use. If I was pricing something out for a larger userbase, I certainly won't be asking YOSPOS, I would be getting a buyer to do that research.

I know that smartcards exist (I have about a half dozen, I think). I know that security keys exist, and I talk a lot about yubico keys in yospos. I also know that NFCs in phones are getting more prevalent and NFCs in laptops are not uncommon. I'm simply trying to get ahead of the curve. Smartcards are nice but they don't really work well with phones if you have to get an external reader.

The fact of the matter is that I just want to try out NFCs for the desktop. It probably has limitations and whatnot, and I won't know how much they matter in a practical sense until I actually get hands on.

sb hermit
Dec 13, 2016





Beeftweeter posted:

speaking of shorting pins, can't you just (in theory) force the tpm to reset to bypass the rate limiting though?

e: i guess what i'm asking, since i'm also unfamiliar with bitlocker, is basically "is that seriously the only limitation?"

Resetting the TPM will clear its registers, making it unable to provide the correct values needed to unlock the PC. at which point, you'll need a bitlocker recovery key. However, you could potentially setup LUKS or other encryption systems to be less stringent about how much tpm deviation is acceptable.

Dylan16807 posted:

the TPM code is on your motherboard maker

which might be worse

I've seen motherboard bioses that let you disable the onboard TPM so that you can use a different TPM chip.

sb hermit
Dec 13, 2016





I don't bother trying to connect a smartcard to a linux computer unless it's an explicit use case that supports it.

The usb reader might work, ok, but you still need drivers to communicate with the firmware on the card, and I'm not going to risk bricking a smartcard today if I need to use it to auth tomorrow.

The vendor that sold me my smartcard also sold me the reader and also provides the software to put it all together. It's janky as all hell (and previously required MSIE to work at all) but it's what the job wants and is definitely not some sketch "dod military usb amazon sponsored" gadget.

sb hermit
Dec 13, 2016





Midjack posted:

saicoowned

saicoomed

sb hermit
Dec 13, 2016





nudgenudgetilt posted:

that's true of every os, not just linux. if you're using a card that implements an interface other than those already implemented in opensc (mac or linux) or windows, opensc will have no clue what to do.

fortunately it seems like most cards that actually get used for authentication implement piv or openpgp interfaces and Just Work.

well, yeah, but what kind of vendor sells user-facing authentication solutions that don't work in windows? Or actually supply a linux driver?

I'm just pointing out that this sort of use case instills a bit of artificial requirement for Windows (maybe Mac). Sure, future versions of the authentication solution might work under linux and I look forward to it.
For now, I have to keep a windows laptop patched and raring to go in case I have to use this smartcard.

sb hermit
Dec 13, 2016





are pictures of trees better or worse than pictures of animals on o'reilly books (or pictures of overly enthusiastic millennials on their head start series)

sb hermit
Dec 13, 2016





maybe if they had pictures of trees then I would finally remember the difference between a eucalyptus tree and an oak tree

sb hermit
Dec 13, 2016





Crime on a Dime posted:

oak: acorns
eucalyptus: gumnuts

trap sprung

sb hermit
Dec 13, 2016





dpkg chopra posted:

calculate all the factors of 2, record your brain output, make that your password. now you have true two-factor authentication

I wonder how effective this would be as an actual authentication mechanism. Like, somehow deriving a code with a sufficient bit length with enough entropy by converting brainwaves at a specific point in time or a shifting window when instructed to remember a memory or scent. Or just trying to empty your mind entirely.

sb hermit
Dec 13, 2016





with good hardware randomizers being standard, at least no one is going to bother with emphasizing nonce generation

sb hermit
Dec 13, 2016





nonces are heavily used in IKE. In fact, they can be used to generate cookies.

sb hermit
Dec 13, 2016





ate poo poo on live tv posted:

BGP is actually a poor example in this case because things like BGP Flow-spec can actually be used by people running their ancient mainframe internet access through an EoL Cisco box, they can also implement a number of BCP's such as BGP TTL Security, or anti-spoofing measures. All of those are relatively recent improvements that were designed to be compatible with BGP Speakers that are running on ancient hardware.

Anyway, NANOG is cool.

the bgp speakers of the 3rd tier NANOG

sb hermit
Dec 13, 2016





an ancient company selling paper supplies that was an early adopter of the internet and has an entire class B of the public ipv4.

the network operators trying to justify to iana that they need all that space, but are secretly using it for their own purposes

the c-suite executives trying to find a way to sell off the class B but get thwarted by the network operators

the independent tech journalists trying to find out the real truth behind everything

sb hermit
Dec 13, 2016





The fact that you can run arbitrary commands is enough of an exploit to make it critical.

sb hermit
Dec 13, 2016





run a cryptominer

install malicious browser extensions

perhaps even tap the mic and camera and/or steal keystrokes

force them to watch anime to unlock their files

sb hermit
Dec 13, 2016





the uwu will continue until compliance is satisfactory

sb hermit
Dec 13, 2016





Obviously a lot of it is bad advice, but there's a nugget in there. If you were consulting and fishing for work then it would make sense to just take an hour of time to do a sales pitch and a boilerplate security regime and hit them with contracts for periodic security assessments or priority alerts. Like lifelock but for cyber and for businesses (I have never used lifelock but identity protection in general sounds like a scam)

Lawyers do this all the time. Heck, they'll even buy you a nice dinner and give you free literature if you're the right client and just willing to listen. It's just a business decision.

I also get a crapload of spam e-mails from local tech outsourcing firms (as in, the work is remote but the reps are local) to talk about organizing development teams or free developer time plus coffee. Not worth the time.

Most real businesses would not have the time or the inclination to take up such an offer, especially if it's free. If it was required by regulation or insurance or other sound business decision then maybe.

Adbot
ADBOT LOVES YOU

sb hermit
Dec 13, 2016





User notifications of audit events seems to be pretty standard. I get them all the time while logging into netflix, or gmail, or my bank, or ebay, etc. They just let you in but they also e-mail you about it. That way, if it wasn't you, you can do something about it.

It's part of the "don't force users to change their passwords willy nilly but make sure the access is not weird like from china or russia if they haven't logged in from there before" that modern cybersecurity strategies are adopting since being championed by NIST and etc. Getting users in the loop may be annoying for users but it lowers IT cost and risk if done right.

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply