
[Computer Security Thread] CVEs, or "Crap! Vulnerabilities! Eughhhhh..."


Posts

  • Orca (Also known as Espressosaurus Wrex) Registered User regular
    Welp, I've been safe for in excess of 10 years, but AT&T just fired off an email saying that I've been detected connecting to an IRC server associated with botnets. Joy. And all my scans thus far have come up naught, so I don't even know which one of my 4 computers it is.

    Or if it's just AT&T being pissy because I use Efnet.

    All the info they gave was a single time. No server(s) connected to, no ports, nothing that might at least narrow down which possible nasties it might be...or if it's just a false alarm.

    I really don't want to have to reload 4 machines. -_-

  • Orca (Also known as Espressosaurus Wrex) Registered User regular
    edited September 2011
    edit: double post hooo!

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    Orca wrote:
    Welp, I've been safe for in excess of 10 years, but AT&T just fired off an email saying that I've been detected connecting to an IRC server associated with botnets. Joy. And all my scans thus far have come up naught, so I don't even know which one of my 4 computers it is.

    Or if it's just AT&T being pissy because I use Efnet.

    All the info they gave was a single time. No server(s) connected to, no ports, nothing that might at least narrow down which possible nasties it might be...or if it's just a false alarm.

    I really don't want to have to reload 4 machines. -_-

    Ooof. That's a royal pain. What've you been using to scan, if I can ask? I'd do sweeps with TDSSKiller and Hitman Pro to begin with, and think about using a Linux LiveCD or other Rescue CD as well to scan each machine in turn. Otherwise, you might get away with monitoring your router to see if there's any traffic heading toward IRC servers you're unfamiliar with? I don't know the specifics of how to do that, but I know it's possible. I'd assume that running a netstat check on each machine would be fruitless in the event of an actual infection, as the nasty would probably mask open ports. The final thing to do might be to call up AT&T and get more information, like the IP address of the IRC network they're worried about. Then you could see if it is just them getting pissy about connecting to EFNet. But in all honesty, reformatting and reloading four computers might be an easier task than dealing with AT&T tech support.

    That's a really awful way to tell someone they're infected, too. IRC traffic is very ambiguous, and not at all a definitive indicator, if you're someone who frequents IRC. Methinks maybe someone at AT&T has been watching too much CSI.

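One way to do the router-side check described above, as an added example and not code from the thread: parse connection-log lines, keep only the IRC ports, and group connections to unfamiliar IRC servers by internal host so the scanning can start with that machine instead of all four. The log line format, the IRC port list and the "familiar" EFNet-server address are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of router connection-log lines (not real traffic):
# timestamp, internal source, external destination, protocol.
SAMPLE_LOG = """\
2011-09-14T20:15:02 192.168.1.10:51234 -> 203.0.113.5:6667 tcp
2011-09-14T20:15:09 192.168.1.10:51240 -> 203.0.113.5:6667 tcp
2011-09-14T20:16:31 192.168.1.12:49152 -> 198.51.100.77:6667 tcp
2011-09-14T20:16:40 192.168.1.12:49153 -> 198.51.100.77:6667 tcp
2011-09-14T20:17:02 192.168.1.13:50001 -> 203.0.113.80:443 tcp
2011-09-14T20:18:15 192.168.1.12:49154 -> 198.51.100.77:6667 tcp
2011-09-14T20:19:47 192.168.1.11:53344 -> 203.0.113.9:6697 tcp
"""

# Ports IRC commonly uses (plain and TLS). Assumed list; extend as needed.
IRC_PORTS = {6667, 6697}

# Destinations the household recognises (constructed placeholder address
# standing in for the usual EFNet server). Anything else on an IRC port
# is treated as "unfamiliar".
FAMILIAR_IRC_HOSTS = {"203.0.113.5"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"]}


def irc_connections(log_text):
    """Return only the TCP connections to IRC ports, parsed."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] in IRC_PORTS:
            out.append(rec)
    return out


def unfamiliar_irc_by_host(log_text, familiar=FAMILIAR_IRC_HOSTS):
    """Map internal host -> {unfamiliar IRC destination: connection count}.
    Hosts that only talk to familiar servers are left out, so the result
    points at the machine(s) worth scanning first."""
    per_host = defaultdict(lambda: defaultdict(int))
    for rec in irc_connections(log_text):
        if rec["dst"] not in familiar:
            per_host[rec["src"]][rec["dst"]] += 1
    return {h: dict(d) for h, d in per_host.items()}


if __name__ == "__main__":
    for host, dests in unfamiliar_irc_by_host(SAMPLE_LOG).items():
        for dst, n in dests.items():
            print(f"{host} -> {dst}: {n} connection(s) to an unfamiliar IRC server")
```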
  • Orca (Also known as Espressosaurus Wrex) Registered User regular
    I've used MSE and MalwareBytes so far, so Hitman et al. I'll have to do next.

    And I already tried to get info from them. It took about an hour before they finally came out and said more or less "I have no further info for you". Great! You useless sods. :P

  • Xeddicus Registered User regular
    AT&T can't even set DSL speeds correctly, I'd ignore that if you haven't found anything.

  • Dark Shroud Registered User regular
    edited September 2011
    I've had something poisoning my DNS. I've used MSE, Spybot, Super AntiSpyware, & MalwareBytes.

    Edit: Well Hitman found a rootkit.

  • Xeddicus Registered User regular
    edited September 2011
    Give TDSSkiller a shot, but it's format time I'd say.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    edited September 2011
    Had a bit of a heart-stopper this morning when logging out of GMail started to redirect me to a "blocked content" page. Thought for sure I'd been hijacked, until I remembered that I specifically blocked all non-HTTPS versions of GMail quite some time ago, to encourage me to only use HTTPS. I guess they've recently changed things so that logging out spits you to http ://www.google.com/mail/help/somethingorother, rather than the secure login page like it used to.

    The reason I mention it is that before I realized what had happened, I gave myself a quick once-over with Hitman and TDSSKiller. TDSSKiller looks to have gotten a nice little upgrade recently, including some new scanning methods. So everyone be sure to use the additional scanning options when searching for the nasties.

    Also, Shroud, if you've been hit with a rootkit I fear the malware apocalypse is upon us. You're one of the most security-minded people I've interacted with on the forums, so that gives me serious pause for thought. I'd echo Xeddicus, though. Drop a train on 'em - Reformat for sure. Also, be sure to reset your router firmware if you saw DNS poisoning - TDL4 tries its hardest to worm into routers these days.

  • Orca (Also known as Espressosaurus Wrex) Registered User regular
    Well, a few days later (now that I've had the time to sit down and run some scans) and I've turned up zilch. I guess I should just chalk this one up to a false positive of some sort. Or a nontrivial threat that the usual parade of software can't detect.

    But I'm still worried. :|

    And I wish AT&T would provide enough information to actually diagnose a threat if they're going to pull this bullshit, because the amount of info they gave me was virtually useless.

  • Muppetman Registered User regular
    I'm looking for some advice with regards to password managers. I need something I can access from multiple PCs and iPhone/iPad support would be good. Even though I do know better I probably only have 5 or 6 passwords for everything I do so am looking for some general advice. I was thinking some sort of encrypted document in DropBox but am clueless. Any help appreciated.

  • Orca (Also known as Espressosaurus Wrex) Registered User regular
    KeePass I believe has an android version; there may be an iOS version as well. Synchronization is probably a good idea for backups, but might be less so for security (if you get rooted and your master password is stolen...).

    What's the state of cellphone security these days? Other than the obvious problem of losing the blasted things.

  • Tef Registered User regular
    edited October 2011
    There was a thread in this subforum not that long ago about password managers and I picked up LastPass as per quite a few peoples' recommendations.

    I paid for a year's premium service (I can't remember how much it was, but it certainly wasn't more than $20) and I couldn't be happier with it. The premium service is required for the LastPass app, which works a treat on Android (dunno about Mango though) and iOS.

    I use LastPass to generate all my passwords now and it autofills all my details for me. Honestly I don't think I could go back to not using a password manager now

    Holy cow, LastPass should pay me a wage :roll:

  • RBach Registered User regular
    I'm seconding Lastpass. It's fantastic (and available on basically everything).

  • Dratatoo Registered User regular
    Are the TDL Versions also infecting the MBR of other drives? How about SSDs?

  • Fuu Registered User regular
    edited October 2011
    Alright, so it is the end of an era. I've been using TDSS killer for all my rootkit destruction needs, but I have a new master now.

    http://security.symantec.com/nbrt/npe.aspx?

    Norton Power Eraser.
    In the last year Symantec has pulled their heads out of their asses. I've gotten a chance to mess around with Norton 2012 and it is silly good. A buddy of mine installed it on his test box and threw in his flash drive from hell (lots of nasty malware in one quick installation), and it blocked everything. Pretty neat!

    On the topic of NPE, I'd been struggling with a unit for the past few days and TDSSkiller kept coming back clean, NPE knocked the infection out first scan.

  • Orca (Also known as Espressosaurus Wrex) Registered User regular
    Norton not sucking complete ass?

    I thought I was on drugs when I saw the flying pigs...

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    Believe it or not, Norton's been turning it around since they released Norton 360. They've consistently been gaining ground in most comparative antivirus tests, and they've done a considerable amount of work to reduce bloat. Of course, no one wants to touch their software regardless of that fact. Bring up Norton on a place like Reddit or even Wilders, and you'll get laughed off the internet. Their reputation is stuck in 2000 still.

    I'm not familiar with Power Eraser, but that's certainly a fantastic tip. Thanks for the testimonial, Fuu. If I could edit the OP to add that to the tools link, I would. We're always better off with another tool to help us with analysis.

  • Ayulin Registered User regular
    Thirding Lastpass. If you have a .edu email account, you can get six months premium service free. Works with international accounts too (i.e. .edu.<country> - my uni email is like that and I was able to get in.)

  • Orca (Also known as Espressosaurus Wrex) Registered User regular
    Oh, nice. Does LastPass let you pull your passwords out? I've already attached a shedload of email addresses to sneakemail; I'm not sure I'm comfortable handing my passwords as well out to something I don't have full control over.

  • Ayulin Registered User regular
    Orca wrote:
    Oh, nice. Does LastPass let you pull your passwords out? I've already attached a shedload of email addresses to sneakemail; I'm not sure I'm comfortable handing my passwords as well out to something I don't have full control over.

    You can delete stored passwords, if that's what you mean. You can also open a site's page in the "vault" and view the stored password (if that's what you mean :P)

  • Orca (Also known as Espressosaurus Wrex) Registered User regular
    The latter is kind of what I meant. :]

  • Muppetman Registered User regular
    Thanks for the advice. As far as I can see the only difference between paid and free is the use on your phone? It looks cool, my only real concern is what if they are hacked or go bust...

  • stigweard Registered User regular
    Last Pass was hacked already this year. They never did divulge exactly how much was lost though they hinted at losing email addresses and master passwords. They supposedly updated their servers and increased the security, but once is too many times for a breach.

  • RBach Registered User regular
    No, all anyone maybe got was the encrypted data on Lastpass' servers, and that information is useless without the master passwords. And the Lastpass folks didn't even think the information got out, they just couldn't explain why there was suddenly a lot of outbound traffic one day and decided to err on the side of caution and warn people to change their passwords.

  • stigweard Registered User regular
    edited October 2011
    RBach wrote:
    No, all anyone maybe got was the encrypted data on Lastpass' servers, and that information is useless without the master passwords. And the Lastpass folks didn't even think the information got out, they just couldn't explain why there was suddenly a lot of outbound traffic one day and decided to err on the side of caution and warn people to change their passwords.

    I only followed the first day when they were being alarmists and paranoid about it. From what I remember they were saying that the master passwords might have been taken but looking back at the news they said they theoretically could be found with the information taken. The CEO apparently ran damage control the next day but it doesn't matter, at best they told the truth and at worst it was spin control to prevent losing customers in droves. Storing all your passwords on a third party site is a bad idea anyway. I don't agree with using any service that can provide a single point of failure outside of my control.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    stigweard wrote:
    RBach wrote:
    No, all anyone maybe got was the encrypted data on Lastpass' servers, and that information is useless without the master passwords. And the Lastpass folks didn't even think the information got out, they just couldn't explain why there was suddenly a lot of outbound traffic one day and decided to err on the side of caution and warn people to change their passwords.

    I only followed the first day when they were being alarmists and paranoid about it. From what I remember they were saying that the master passwords might have been taken but looking back at the news they said they theoretically could be found with the information taken. The CEO apparently ran damage control the next day but it doesn't matter, at best they told the truth and at worst it was spin control to prevent losing customers in droves. Storing all your passwords on a third party site is a bad idea anyway. I don't agree with using any service that can provide a single point of failure outside of my control.

    They basically admitted to taking the most extreme measures possible given the situation, and I don't blame them one bit. It was all going on during the Hack-a-palloza fest right around the great PSN breach, and their quick and honest response was in stark contrast to Sony's handling of their own debacle. I can only imagine they wanted to avoid any potential pitfalls.

    I'll admit I have the same feelings about password managers that make me a little distrustful of them. They're a single point of vulnerability. Then again, my head is full of so many passwords currently that it's only a matter of time before I completely lose my mind.

  • Dark Shroud Registered User regular
    Yeah I finally started using Last Pass because I just had too many 20+ char passwords to remember.

  • Gigazombie Cybermage Registered User, __BANNED USERS regular
    Why not just get a thumb drive and put your passwords in a text file or something in it? Just guard that puppy with your life.

  • Orca (Also known as Espressosaurus Wrex) Registered User regular
    Unencrypted? Are you nuts?

  • Xeddicus Registered User regular
    edited October 2011
    Orca wrote:
    Unencrypted? Are you nuts?

    People write them down in notebooks unencrypted, so really a thumb drive would be a step up!

  • Gigazombie Cybermage Registered User, __BANNED USERS regular
    *Shrugs* I keep all of mine in my head. Keeping it in a thumb drive should be okay as long as you use common sense with it.

  • Orca (Also known as Espressosaurus Wrex) Registered User regular
    Xeddicus wrote:
    Orca wrote:
    Unencrypted? Are you nuts?

    People write them down in notebooks unencrypted, so really a thumb drive would be a step up!

    These days I'd trust a notebook more than unencrypted files on a thumb drive that's getting plugged into unsanitized computers. :P

  • AnteCantelope Registered User regular
    I use the name of the site and a salt, and run them through a memorable algorithm. Gives me a unique password for each site, don't need lastpass or whatever, and all my passwords look like f8w04nc7gakd. I use a different algorithm for different passwords, like my bank one has a unique algorithm too. Works pretty well for me so far.

  • Dark Shroud Registered User regular
    AnteCantelope wrote:
    I use the name of the site and a salt, and run them through a memorable algorithm. Gives me a unique password for each site, don't need lastpass or whatever, and all my passwords look like f8w04nc7gakd. I use a different algorithm for different passwords, like my bank one has a unique algorithm too. Works pretty well for me so far.

    I've been doing this for years. After all the breaches this year I had 30+ passwords to change so I got irritated and just went with Last Pass.
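What the site-name-plus-salt scheme discussed above looks like in code, as an added example and not either poster's actual algorithm: the memorised secret keys an HMAC-SHA256 over the site name (the HMAC choice is an assumption), the digest is encoded in base-36 to get the f8w04nc7gakd look, and a per-site rotation counter lets one breached site be rotated without changing the others, which is the chore of changing 30+ passwords that pushed Dark Shroud to a manager. The master secret remains the single point of failure: if it leaks, every derived password is exposed.

```python
import hashlib
import hmac
import string

# Base-36 output alphabet: digits plus lowercase, matching the look of "f8w04nc7gakd".
ALPHABET = string.digits + string.ascii_lowercase


def site_password(master_secret: str, site: str, counter: int = 0, length: int = 12) -> str:
    """Derive a per-site password from a memorised master secret (the 'salt'
    in the poster's description) plus the site name.

    counter is the rotation number for that site: bump it after a breach there
    and only that site's password changes. Assumed construction: HMAC-SHA256,
    not the memorable algorithm the poster actually uses."""
    # Normalise the site name so "Example.com " and "example.com" derive the same password.
    site = site.strip().lower()
    msg = f"{site}\x00{counter}".encode()
    digest = hmac.new(master_secret.encode(), msg, hashlib.sha256).digest()
    # Treat the 256-bit digest as an integer and peel off base-36 digits.
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)


if __name__ == "__main__":
    # Constructed demo values; a real master secret would never be written into code.
    for site in ("example.com", "example.org"):
        print(site, site_password("correct horse battery", site))
    print("example.com rotated once:", site_password("correct horse battery", "example.com", counter=1))
```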

  • Muppetman Registered User regular
    Thanks for all the input. I've decided to go with LastPass which seems a good compromise between security and ease of use.

  • grouch993 (Both a man and a number) Registered User regular
    Keylogging bug infects predator drones

    Saw this one while catching up on news. Wonder if it is a bios, chipset, trojan mouse style infection.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    edited October 2011
    grouch993 wrote:
    Keylogging bug infects predator drones

    Saw this one while catching up on news. Wonder if it is a bios, chipset, trojan mouse style infection.
    “We keep wiping it off, and it keeps coming back,” a source familiar with the network infection told Wired. “We think it’s benign. But we just don’t know.”

    WHAT.

    Look, guys. If the computer controlling your deadly predator drone has a trojan on it, the payload it delivers is secondary because you shouldn't ever allow the thing it's controlling off the ground once you discover this fact. How'd it get infected in the first place? Because there's your more serious problem. Additionally, full stop. Abort. Eject. Bail out. Go no further. Don't shrug and say "It's probably harmless!".

    The fact that it's not known how it got there in the first place is evidence enough that they don't know exactly what it's doing. Infections like this don't always operate out in the open, and if it keeps 'coming back', then chances are it has a little more control over the afflicted system than just keylogging.

    This is probably just a case of the reporting being amped up a bit, and I'm overreacting. But even so, what the hell. Do military types plug any random USB stick they find into sensitive machines, like the FBI used to?

  • Mr_Rose (83 Blue Ridge Protects the Holy) Registered User regular
    edited October 2011
    Yes. Yes they do. I recall they did a study with a bunch of USB keys with a specific "phone home" type payload left in the parks and restaurants around govt. installations and found that something like 80% got plugged into machines with sensitive info within hours.

  • Orca (Also known as Espressosaurus Wrex) Registered User regular
    It gets worse: http://www.wired.com/dangerroom/2011/10/drone-virus-kept-quiet/
    Officials at Creech Air Force Base in Nevada knew for two weeks about a virus infecting the drone “cockpits” there. But they kept the information about the infection to themselves — leaving the unit that’s supposed to serve as the Air Force’s cybersecurity specialists in the dark. The network defenders at the 24th Air Force learned of the virus by reading about it in Danger Room.
    “Nothing was ever reported anywhere. They just didn’t think it was important enough,” says a second source involved with operating the Air Force’s networks. “The incentive to share weaknesses is just not there.”

    Not even when that weakness hits the robotic weapons that have become the lynchpin for American military operations around the planet.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    Orca wrote:
    It gets worse: http://www.wired.com/dangerroom/2011/10/drone-virus-kept-quiet/
    Officials at Creech Air Force Base in Nevada knew for two weeks about a virus infecting the drone “cockpits” there. But they kept the information about the infection to themselves — leaving the unit that’s supposed to serve as the Air Force’s cybersecurity specialists in the dark. The network defenders at the 24th Air Force learned of the virus by reading about it in Danger Room.
    “Nothing was ever reported anywhere. They just didn’t think it was important enough,” says a second source involved with operating the Air Force’s networks. “The incentive to share weaknesses is just not there.”

    Not even when that weakness hits the robotic weapons that have become the lynchpin for American military operations around the planet.

    I just facepalmed so hard I think I cleared my sinuses. Crimany. What's the logic here? That the infection can't phone home, and so it's harmless? That still seems like an exceptionally bad way to approach the problem. Particularly when the infection is so serious that it can't be cleaned off and they don't know where it's coming from. Yeeeesh.

    In other news, heads up for all PSN users, via the Official Playstation Blog:
    We want to let you know that we have detected attempts on Sony Entertainment Network, PlayStation Network and Sony Online Entertainment (“Networks”) services to test a massive set of sign-in IDs and passwords against our network database. These attempts appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or other sources. In this case, given that the data tested against our network consisted of sign-in ID-password pairs, and that the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from our Networks. We have taken steps to mitigate the activity.

    The update goes on to claim that only a small fraction of users were afflicted, and that CC information is safe. Anyone who was compromised will receive an email and be forced to reset their password. SOE users are similarly going to be notified / reset in the event they were compromised.

    I don't quite understand the reasoning behind this argument, though: "Given that the data tested against our network consisted of sign-in ID-password pairs, and that the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from our Networks." Sounds to me like someone just finally got a hold of the PSN leak from last year, and tried to use the info directly. Everyone was forced to change their passwords, so the only people who'd get hit with this would be those who used the same one after the reset.

    More info as it develops, though this sounds like a very minor incident.

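The reasoning in Sony's notice (many ID/password pairs tried, the overwhelming majority failing) is exactly the signal a defender can alert on, and it is also why a replayed list from another breach only hits accounts whose owners reused the password. Below is an added example, not code from the thread or from Sony, of that detection run over constructed auth-log lines: a source that tries many distinct IDs with a low hit rate is flagged as credential stuffing and the few IDs that succeeded are listed for a forced reset, while a user fumbling their own password (one ID, a few retries) is not flagged. The log format and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed auth-log sample (not real PSN data). One line per sign-in attempt:
# timestamp, client IP, sign-in ID, result.
SAMPLE_AUTH_LOG = """\
2011-10-11T03:00:01 203.0.113.42 user1001 FAIL
2011-10-11T03:00:01 203.0.113.42 user1002 FAIL
2011-10-11T03:00:02 203.0.113.42 user1003 OK
2011-10-11T03:00:02 203.0.113.42 user1004 FAIL
2011-10-11T03:00:02 203.0.113.42 user1005 FAIL
2011-10-11T03:00:03 203.0.113.42 user1006 FAIL
2011-10-11T03:00:03 203.0.113.42 user1007 FAIL
2011-10-11T03:00:04 203.0.113.42 user1008 FAIL
2011-10-11T03:00:04 203.0.113.42 user1009 FAIL
2011-10-11T03:00:05 203.0.113.42 user1010 FAIL
2011-10-11T03:01:10 198.51.100.7 alice FAIL
2011-10-11T03:01:15 198.51.100.7 alice FAIL
2011-10-11T03:01:22 198.51.100.7 alice OK
2011-10-11T03:02:00 198.51.100.9 bob OK
"""

LINE_RE = re.compile(r"^(\S+)\s+([\d.]+)\s+(\S+)\s+(OK|FAIL)$")


def parse_auth_log(text):
    """Return a list of (timestamp, ip, user, succeeded) tuples; skips bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            events.append((ts, ip, user, result == "OK"))
    return events


def per_source_stats(events):
    """Aggregate per client IP: attempt count, set of distinct IDs tried, successes."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": 0})
    for _ts, ip, user, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        s["successes"] += int(ok)
    return stats


def credential_stuffing_sources(events, min_attempts=10, min_distinct=8, max_success_rate=0.2):
    """Flag sources that try many *different* IDs with a low hit rate.
    Returns {ip: {"attempts", "distinct_users", "success_rate", "hits"}} where
    "hits" are the IDs that did match and should be forced through a reset."""
    flagged = {}
    for ip, s in per_source_stats(events).items():
        rate = s["successes"] / s["attempts"]
        if (s["attempts"] >= min_attempts and len(s["users"]) >= min_distinct
                and rate <= max_success_rate):
            hits = sorted(u for _t, i, u, ok in events if i == ip and ok)
            flagged[ip] = {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                           "success_rate": rate, "hits": hits}
    return flagged


if __name__ == "__main__":
    for ip, info in credential_stuffing_sources(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {info['attempts']} attempts, {info['distinct_users']} IDs, "
              f"{info['success_rate']:.0%} hit rate; force reset for {info['hits']}")
```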