
[Computer Security Thread] CVEs, or "Crap! Vulnerabilities! Eughhhhh..."


Posts

  • Options
    TetraNitroCubaneTetraNitroCubane The Djinnerator At the bottom of a bottleRegistered User regular
    edited February 2017
    So a security bug in the Cloudflare hosting system may have compromised loads of sensitive information from a LOT of relevant websites. This includes Reddit, Discord, and even our very own Penny Arcade forums.

    It is highly recommended that you change your passwords for all afflicted sites.

    TetraNitroCubane on
  • Options
    OrcaOrca Also known as Espressosaurus WrexRegistered User regular
    That's suboptimal.

  • Options
    TetraNitroCubaneTetraNitroCubane The Djinnerator At the bottom of a bottleRegistered User regular
    edited February 2017
    Apparently a very small percentage of all data being transferred through Cloudflare became public via this vulnerability, but it has the potential to impact ALL data traveling through Cloudflare during the duration in question. AND that data may be cached and visible via google currently.

    Passwords, SSL certs, even two-factor authentication secrets could be compromised and visible via plaintext on randomly cached websites.

    Here's a list of impacted sites that is currently evolving.

    Bonus note: This was all caused by a single-character coding bug, apparently.

    TetraNitroCubane on
  • Options
    TetraNitroCubaneTetraNitroCubane The Djinnerator At the bottom of a bottleRegistered User regular
    Oh, and just to heap some gasoline onto the fire: SHA-1 is now officially broken, joining the ranks of MD5.
    Despite more than a decade of warnings about the lack of security of SHA1, the watershed moment comes as the hash function remains widely used.

    Not a good time for internet security right now, to say the least.

  • Options
    OrcaOrca Also known as Espressosaurus WrexRegistered User regular
    And this is why IoT remains dead to me.

    Security is hard and all it takes is one fuckup anywhere in the chain to compromise things. Do I really need my pacemaker to be able to sync with my phone, or internet-enabled door locks? And that's aside from the software-development-cycle level of obsolescence. A furnace can easily last 20 years or more--give me the dead simple thermostat to control it and call it a day. Yeah, it would be nice to have remote start and the rest of it, but I don't want someone to be able to infiltrate my network because my 20-year-old unpatched thermostat has a bloody vulnerability!

  • Options
    MugsleyMugsley DelawareRegistered User regular
    I, for one, want my furnace to shut off and my doors to unlock when my pacemaker has to kick in. This way my body is preserved and the help doesn't have to bust the door down.

  • Options
    SeidkonaSeidkona Had an upgrade Registered User regular
    I am between wanting to tell IoT to go to hell and realizing that with my wife's current health status anything I can do to make life easier for her is a thing I am going to do even with the associated risks.

    Mostly just huntin' monsters.
    XBL:Phenyhelm - 3DS:Phenyhelm
  • Options
    a5ehrena5ehren AtlantaRegistered User regular
    edited February 2017
    Oh, and just to heap some gasoline onto the fire: SHA-1 is now officially broken, joining the ranks of MD5.
    Despite more than a decade of warnings about the lack of security of SHA1, the watershed moment comes as the hash function remains widely used.

    Not a good time for internet security right now, to say the least.

    Someone used the SHA-1 collision to hose the WebKit SVN repo. So that's fun.

    Edit: Apparently it was one of the devs uploading the files to create a testcase for WebKit that busted the repo. But hopefully Apache fixes SVN soon.

    a5ehren on
  • Options
    TetraNitroCubaneTetraNitroCubane The Djinnerator At the bottom of a bottleRegistered User regular
    Do you ever feel like maybe two-factor authentication just isn't enough?

    https://www.youtube.com/watch?v=R6ynbQcmXfs

  • Options
    Mr_RoseMr_Rose 83 Blue Ridge Protects the Holy Registered User regular
    So how does the dermatologist confirm he's their dermatologist and not just some random weirdo? Authentication has to go both ways for trust to be established properly, dammit!

    ...because dragons are AWESOME! That's why.
    Nintendo Network ID: AzraelRose
    DropBox invite link - get 500MB extra free.
  • Options
    MugsleyMugsley DelawareRegistered User regular
    Welp. I went and updated my passwords for Patreon (which I don't use anymore), Betterment, and Uber. I still need to do Curse, even though I don't use my login anymore. Are there other financial sites that had a potential leak, that I should handle as a course of due diligence? I'm trying to not scrub the entire list.

  • Options
    VoodooVVoodooV Registered User regular
    Anyone have any insights into inactivity timeouts? Our Dollar Store Lex Luthor governor just implemented a stupid screensaver (designed by his corporate buddies, oh and requires flash player btw) with a 5 minute inactivity timeout. They cited "security best practices" but the two benchmarks I know of only require 15 and there was much gnashing of teeth when I implemented that when it used to be 20. Is anyone aware of any standards that require 5 or are they talking out of their ass as usual and wasting taxpayer dollars and fucking with worker productivity and somehow claiming this is more efficient.

  • Options
    LostNinjaLostNinja Registered User regular
    I always thought 10 minutes was the general best practice. 5 seems like it would be interfering with people who are actually still at their desk working and just using whatever is on the screen as reference.

    A screensaver (that requires flash?!?) also seems pointlessly wasteful as opposed to just putting the computer to sleep.

  • Options
    DizzenDizzen Registered User regular
    edited March 2017
    I don't know anything about the best practices and such, but hopefully the screensaver has the flash menu turned off, or that could become a more substantial security issue.

    Dizzen on
  • Options
    Mr_RoseMr_Rose 83 Blue Ridge Protects the Holy Registered User regular
    Security best practice is training people to lock their workstations when not at their desks, and disciplining them for failing to do so. Or possibly fitting their seats with a dead-man switch that activates the screen lock when they get up. Let HR figure out the cost differential between those.

    Screen savers are obsolete; they are resource parasites that should have gone extinct when the CRT did but managed to change hosts.

    ...because dragons are AWESOME! That's why.
    Nintendo Network ID: AzraelRose
    DropBox invite link - get 500MB extra free.
  • Options
    ShadowfireShadowfire Vermont, in the middle of nowhereRegistered User regular
    LostNinja wrote: »
    I always thought 10 minutes was the general best practice. 5 seems like it would be interfering with people who are actually still at their desk working and just using whatever is on the screen as reference.

    A screensaver (that requires flash?!?) also seems pointlessly wasteful as opposed to just putting the computer to sleep.

    Also, Flash itself is a security risk.

    WiiU: Windrunner ; Guild Wars 2: Shadowfire.3940 ; PSN: Bradcopter
  • Options
    MugsleyMugsley DelawareRegistered User regular
    So, I know it still has to get through the House, but I'm slightly concerned by this "ISP data" thing. What VPNs are you guys using and how difficult are they to set up?

    Also, is there a way to set one up at the router level so I don't have to fix every device? (I know that what I'm trying to say here is using the wrong terminology)

  • Options
    LD50LD50 Registered User regular
    Mugsley wrote: »
    So, I know it still has to get through the House, but I'm slightly concerned by this "ISP data" thing. What VPNs are you guys using and how difficult are they to set up?

    Also, is there a way to set one up at the router level so I don't have to fix every device? (I know that what I'm trying to say here is using the wrong terminology)

    One easy thing you can do is use this: https://chrome.google.com/webstore/detail/https-everywhere/gcbommkclmclpchllfjekcdonpmejbdp?hl=en

    Encrypting as much of your traffic as you can will prevent anyone (including your ISP) from knowing anything more than the domains you visit on encrypted sites (i.e. they don't actually see the subdomains you're requesting).

  • Options
    FeralFeral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉRegistered User regular
    VoodooV wrote: »
    Anyone have any insights into inactivity timeouts? Our Dollar Store Lex Luthor governor just implemented a stupid screensaver (designed by his corporate buddies, oh and requires flash player btw) with a 5 minute inactivity timeout. They cited "security best practices" but the two benchmarks I know of only require 15 and there was much gnashing of teeth when I implemented that when it used to be 20. Is anyone aware of any standards that require 5 or are they talking out of their ass as usual and wasting taxpayer dollars and fucking with worker productivity and somehow claiming this is more efficient.

    I've seen recommendations ranging from 10 minutes to 30 minutes for desktop computers, and 5 to 10 minutes for mobile devices. We use 15 minutes and that satisfies our security auditors.

    Also, inactivity locks and screensavers are really different things, even though Microsoft puts the settings in the same place in Windows. So that's another way this whole shit sandwich is stupid. If all they wanted to do was enforce an inactivity lock, they could have done so through the native settings of whatever OS they need to secure. There's no reason to buy a Flash(WTF)-based screensaver for that.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
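    The distinction Feral draws above (an inactivity lock is a policy setting, a screensaver is a per-user cosmetic that only locks if it is marked secure) can be checked from the native Windows settings. This is an added example, not code from the thread; the 900-second limit is an assumption matching the 15 minutes the thread says auditors accept, and the script only reads unless you uncomment the Set- line.

    ```powershell
    # Audit both Windows mechanisms that can lock an idle session, then judge them
    # against one limit. Read-only as written; the Set- line at the end is commented out.
    $LimitSeconds = 900   # assumed limit: 15 minutes, the figure the thread's auditors accept

    # Knob 1: machine-wide inactivity lock (Windows 8 / Server 2012 and later), i.e. the
    # policy "Interactive logon: Machine inactivity limit". Locks regardless of screensaver.
    $policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $inactivity = (Get-ItemProperty -Path $policyKey -Name InactivityTimeoutSecs `
                     -ErrorAction SilentlyContinue).InactivityTimeoutSecs

    # Knob 2: the current user's screensaver. It only protects anything when
    # ScreenSaverIsSecure is 1, otherwise it is just pictures on an unlocked console.
    $deskKey   = 'HKCU:\Control Panel\Desktop'
    $desk      = Get-ItemProperty -Path $deskKey -ErrorAction SilentlyContinue
    $ssActive  = [int]$desk.ScreenSaveActive      # REG_SZ "1"/"0"; missing value -> 0
    $ssTimeout = [int]$desk.ScreenSaveTimeOut     # seconds, stored as REG_SZ
    $ssSecure  = [int]$desk.ScreenSaverIsSecure

    function Test-InactivityLock {
        param([int]$Inactivity, [int]$SsActive, [int]$SsTimeout, [int]$SsSecure, [int]$Limit)
        # The host passes if either mechanism locks the session within the limit.
        $policyOk = ($Inactivity -gt 0) -and ($Inactivity -le $Limit)
        $saverOk  = ($SsActive -eq 1) -and ($SsSecure -eq 1) -and
                    ($SsTimeout -gt 0) -and ($SsTimeout -le $Limit)
        [pscustomobject]@{
            InactivityTimeoutSecs = $Inactivity
            PolicyLockWithinLimit = $policyOk
            ScreensaverLocks      = $saverOk
            Compliant             = ($policyOk -or $saverOk)
        }
    }

    Test-InactivityLock -Inactivity $inactivity -SsActive $ssActive -SsTimeout $ssTimeout `
                        -SsSecure $ssSecure -Limit $LimitSeconds

    # Enforce the lock natively (no third-party screensaver needed); HKLM needs elevation:
    # Set-ItemProperty -Path $policyKey -Name InactivityTimeoutSecs -Value $LimitSeconds -Type DWord
    ```

    A result with ScreensaverLocks true but PolicyLockWithinLimit false means the lock depends on a per-user setting the user can change, which is the situation the inactivity-limit policy exists to remove.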
  • Options
    FeralFeral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉRegistered User regular
    Mugsley wrote: »
    So, I know it still has to get through the House, but I'm slightly concerned by this "ISP data" thing. What VPNs are you guys using and how difficult are they to set up?

    Also, is there a way to set one up at the router level so I don't have to fix every device? (I know that what I'm trying to say here is using the wrong terminology)

    Any of these VPN services are fine: http://www.pcmag.com/article2/0,2817,2403388,00.asp

    Regarding your home router, just look for a router that can be a VPN client. All Asus routers have this feature out of the box.

    Other routers you might need to flash with custom firmware like DD-WRT, but that's a can of worms in and of itself.

    Keep in mind that pushing all of your traffic all of the time through a VPN may have unforeseen side effects. For example, it might impact your latency for online gaming, or one of your streaming media services (Netflix, Hulu, etc) may decide that it doesn't like your VPN service and just block your login.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • Options
    LD50LD50 Registered User regular
    Also, by going with a VPN you're just trusting someone else not to sell your data.

  • Options
    MugsleyMugsley DelawareRegistered User regular
    Yeah, I have a friend who's been huge (YUUUGE) on this whole VPN/Privacy discussion. He talks about using Signal a lot for SMS/MMS and has ramped up the VPN discussion. I haven't jumped, yet, but I thought it would be worth the cursory research now, while we wait for things to fall out.

  • Options
    FeralFeral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉRegistered User regular
    I'm a huge fan of Signal.

    Besides the encryption features (which are great) it is also one of the least-bullshit messaging apps I've used.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • Options
    VoodooVVoodooV Registered User regular
    edited March 2017
    Feral wrote: »
    VoodooV wrote: »
    Anyone have any insights into inactivity timeouts? Our Dollar Store Lex Luthor governor just implemented a stupid screensaver (designed by his corporate buddies, oh and requires flash player btw) with a 5 minute inactivity timeout. They cited "security best practices" but the two benchmarks I know of only require 15 and there was much gnashing of teeth when I implemented that when it used to be 20. Is anyone aware of any standards that require 5 or are they talking out of their ass as usual and wasting taxpayer dollars and fucking with worker productivity and somehow claiming this is more efficient.

    I've seen recommendations ranging from 10 minutes to 30 minutes for desktop computers, and 5 to 10 minutes for mobile devices. We use 15 minutes and that satisfies our security auditors.

    Also, inactivity locks and screensavers are really different things, even though Microsoft puts the settings in the same place in Windows. So that's another way this whole shit sandwich is stupid. If all they wanted to do was enforce an inactivity lock, they could have done so through the native settings of whatever OS they need to secure. There's no reason to buy a Flash(WTF)-based screensaver for that.

    oh yeah, it's a complete shitstorm. The screensaver is just your standard "I want everyone to see my vision and mission statement of regulations are bad mmkay, and misuse the word efficiency when I really mean cheap"

    The timeout came directly from the governor, but instead of someone quietly telling him that a 5 minute inactivity timeout is a bad idea, his chief information officer (head IT/technology officer) made an announcement that claimed it was a best practice (of course, he never cited which best practice), which leads me to believe he's talking out his ass and just sucking up to the gov.

    A few months later, Ricketts' office dictated that everyone have the same wallpaper, which basically said the same thing as the screensaver, but again, he must have gotten major pushback because a couple weeks later he rescinded that....though we still have to make the wallpaper the default wallpaper, users are allowed to change it.

    If you've forgotten, our gov is this guy:

    https://www.youtube.com/watch?v=2_jqALy1Gu8

    VoodooV on
  • Options
    MugsleyMugsley DelawareRegistered User regular
    I haven't even hit play, and that guy is not someone I want to listen to. He looks like a Bond villain.

  • Options
    TheBlackWindTheBlackWind Registered User regular
    So, my girlfriend followed a bad flash download and picked up some malware on her Mac. Is Malwarebytes on mac as good as it is on PC? I don't really have much experience with Macs and know it's a newer program, but they've always been great for me.

    PAD ID - 328,762,218
  • Options
    ShadowfireShadowfire Vermont, in the middle of nowhereRegistered User regular
    Yeah, MBAM on Mac is totally fine.

    WiiU: Windrunner ; Guild Wars 2: Shadowfire.3940 ; PSN: Bradcopter
  • Options
    Jebus314Jebus314 Registered User regular
    edited May 2017
    Apparently Intel has some bad firmware. Their Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware has had a critical vulnerability that allows root access for the past several years. Intel link that has a download to test if your computer is affected, but supposedly it's mostly business systems? Not really clear on the details, but it seems worth checking out.

    Jebus314 on
    "The world is a mess, and I just need to rule it" - Dr Horrible
  • Options
    MugsleyMugsley DelawareRegistered User regular
    I saw this floating around a lot, and it feels a bit like alarmist talk. I mean, I understand the vulnerability needs to be handled, but -- similar to stagefright -- the vulnerability has been there for a while and "you" (i.e. average homebody who just heard about it) have been vulnerable for years without even knowing.

    I'm not dismissing it; I've just got issue with people I know who will start saying shit like, "I'm not doing Intel again because who knows what else is vulnerable?" when they go to build a computer. Motherfucker, AMD isn't immune to this, either. And you're only going by what your friends shared on Facebook.

  • Options
    Jebus314Jebus314 Registered User regular
    Mugsley wrote: »
    I saw this floating around a lot, and it feels a bit like alarmist talk. I mean, I understand the vulnerability needs to be handled, but -- similar to stagefright -- the vulnerability has been there for a while and "you" (i.e. average homebody who just heard about it) have been vulnerable for years without even knowing.

    I'm not dismissing it; I've just got issue with people I know who will start saying shit like, "I'm not doing Intel again because who knows what else is vulnerable?" when they go to build a computer. Motherfucker, AMD isn't immune to this, either. And you're only going by what your friends shared on Facebook.

    I mostly look at it the other way. I'm not a high value target so zero day exploits are unlikely to get used on me. But once that shit is published it will probably get incorporated into a lot of general malware to catch lazy people who don't get patched. So getting the patch quickly after the release is probably a good idea.

    "The world is a mess, and I just need to rule it" - Dr Horrible
  • Options
    DizzenDizzen Registered User regular
    edited May 2017
    Mugsley wrote: »
    I saw this floating around a lot, and it feels a bit like alarmist talk. I mean, I understand the vulnerability needs to be handled, but -- similar to stagefright -- the vulnerability has been there for a while and "you" (i.e. average homebody who just heard about it) have been vulnerable for years without even knowing.

    I'm not dismissing it; I've just got issue with people I know who will start saying shit like, "I'm not doing Intel again because who knows what else is vulnerable?" when they go to build a computer. Motherfucker, AMD isn't immune to this, either. And you're only going by what your friends shared on Facebook.

    Well, AMD is immune to this specific exploit, as they don't use Active Management Technology, because AMT is Intel's proprietary out-of-band solution. I think AMD uses DASH and ASF, which are open standards, so while they could potentially have vulnerabilities, it's not exactly the same set of worries.

    The average homebody hasn't even been vulnerable to this (as it mostly just affects business hardware), but finding out that the vulnerability has been around for awhile makes things worse, not better.

    Alarmist talk would be pointing out that Google security researchers have discovered what they call the worst Windows remote code exec in recent memory, and then telling people that they need to immediately stop using their Windows installs and switch to Linux until the debacle gets resolved.

    Dizzen on
  • Options
    TetraNitroCubaneTetraNitroCubane The Djinnerator At the bottom of a bottleRegistered User regular
    I'd be much less worried about end-user vulnerability here, and much more worried about enterprise and web-facing systems that can be exploited. It doesn't matter if your personal system is impenetrable, if the businesses you trust with your financial and personal information can be cracked wide open on their side.

    Also, has there been any followup word on that "worst remote code exec in recent memory"? They claim it is wormable. I can't remember the last high profile worm we've seen in the wild, except maybe Blaster.

  • Options
    DizzenDizzen Registered User regular
    I'd be much less worried about end-user vulnerability here, and much more worried about enterprise and web-facing systems that can be exploited. It doesn't matter if your personal system is impenetrable, if the businesses you trust with your financial and personal information can be cracked wide open on their side.

    Also, has there been any followup word on that "worst remote code exec in recent memory"? They claim it is wormable. I can't remember the last high profile worm we've seen in the wild, except maybe Blaster.

    Microsoft has a patch out for it, so that's good news, but we probably aren't going to get official word on the details of the vulnerability until after the patch has had time to get fully rolled out.

  • Options
    TetraNitroCubaneTetraNitroCubane The Djinnerator At the bottom of a bottleRegistered User regular
    The Project Zero team says the vulnerability can be leveraged against victims by only sending an email to users -- without the need for the message to be opened or any attachments to be downloaded. An attack leveraging the exploit could also be conducted through malicious website visits or instant messaging.

    ...

    "If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file scanned," Microsoft said.

    So basically, the Windows antimalware engine (Defender, etc.) can be exploited, just by it scanning a payload file. No need for execution by the end user, or opening a suspicious file. I've seen this morning that this can even be leveraged via Tweet. Yeah, that's seriously bad. Seems like the exploit has been patched, but it's worth a discussion at this point for a reason that makes me uncomfortable:

    Antimalware software is, in essence, another vector of attack.

    In this situation, my antimalware setup would be essentially worthless. Sandboxie wouldn't defend against this, because even if my browser is sandboxed, MsMpEng still reaches inside of the sandbox to scan potentially malicious files. Even if those files themselves can't break out of the sandbox, MsMpEng (which is outside of the sandbox and has the highest privileges on the system) is still compromised.

    I still like having a Sandbox environment for browsing, because it defends against drive-by and other malicious things that are everpresent on the web. But in this case, someone running Windows Defender would be compromised, and someone not running it would be safe. I still don't really buy into the theory that "Antimalware software is useless and you shouldn't run it", but if these kinds of attacks become more prevalent (and this is certainly not the first one), I can certainly understand the perspective more.

  • Options
    TetraNitroCubaneTetraNitroCubane The Djinnerator At the bottom of a bottleRegistered User regular
    It's a Ransomware Firestorm out there today. The UK's NHS and Spain's Telefonica have been hit with a nasty worm dubbed "Wcry" (and sometimes "Wanna cry"). Notably this worm is using an exploit in Windows SMB rumored to be part of the NSA's Eternalblue zero-day exploit package (MS17-010).

    The malware is spreading fast, and has impacted NHS services in a startling way. The vulnerability was patched by Microsoft in March, but I think I only just received the update myself in a monthly roll-up this week (!!!). Still unsure which KB needs to be installed to know if a system is safe.

  • Options
    lazegamerlazegamer The magnanimous cyberspaceRegistered User regular
    It's a Ransomware Firestorm out there today. The UK's NHS and Spain's Telefonica have been hit with a nasty worm dubbed "Wcry" (and sometimes "Wanna cry"). Notably this worm is using an exploit in Windows SMB rumored to be part of the NSA's Eternalblue zero-day exploit package (MS17-010).

    The malware is spreading fast, and has impacted NHS services in a startling way. The vulnerability was patched by Microsoft in March, but I think I only just received the update myself in a monthly roll-up this week (!!!). Still unsure which KB needs to be installed to know if a system is safe.

    Refer to https://technet.microsoft.com/en-us/library/security/ms17-010.aspx to find the KB for your version.

    I would download a car.
  • Options
    DonnictonDonnicton Registered User regular
    edited May 2017
    It's a Ransomware Firestorm out there today. The UK's NHS and Spain's Telefonica have been hit with a nasty worm dubbed "Wcry" (and sometimes "Wanna cry"). Notably this worm is using an exploit in Windows SMB rumored to be part of the NSA's Eternalblue zero-day exploit package (MS17-010).

    The malware is spreading fast, and has impacted NHS services in a startling way. The vulnerability was patched by Microsoft in March, but I think I only just received the update myself in a monthly roll-up this week (!!!). Still unsure which KB needs to be installed to know if a system is safe.

    Posting this in this thread too since it's relevant to both.

    Just FYI
    Turns out the current wave of WannaCrypt was stopped by its own shitty coding. This doesn't save those already victimized but it does stop further spread of this version of the malware. This doesn't mean the author can't release an updated version so obviously make sure your shit is patched.

    Microsoft has put up an article listing hardening steps and windows updates you can follow to help prevent infection, including taking the rather significant step of providing support for Windows XP and Server 2003. https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

    Donnicton on
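    The two practical pointers above (lazegamer: find the MS17-010 KB for your Windows version; Donnicton: follow Microsoft's hardening steps) reduce to a few checks an admin can script. This is an added example, not code from the thread or from Microsoft; the KB identifier is a placeholder you replace with the one the MS17-010 bulletin lists for your build, and the remediation lines stay commented until you have confirmed nothing on your network still needs SMBv1.

    ```powershell
    # Audit one Windows host for the WannaCrypt exposure discussed in the thread:
    # MS17-010 patch present, SMBv1 still enabled, TCP 445 listening.
    # Run from an elevated PowerShell 5.x prompt. Read-only as written.
    param(
        # Placeholder: substitute the KB(s) the MS17-010 bulletin gives for this OS build.
        [string[]]$Ms17010Kbs = @('KB_PLACEHOLDER_FROM_MS17-010_BULLETIN')
    )

    $findings = [ordered]@{}

    # 1. Is one of the MS17-010 hotfixes installed? Get-HotFix exposes the ID as HotFixID.
    $installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    $findings['MS17-010 patch present']        = [bool]$installed

    # 2. Is the SMBv1 server protocol still switched on? (Windows 8 / Server 2012 and later)
    $smbCfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($smbCfg) {
        $findings['SMBv1 server protocol enabled'] = $smbCfg.EnableSMB1Protocol
    }

    # 3. Is the SMB1 optional feature installed at all? (client SKUs; on Server use
    #    Get-WindowsFeature FS-SMB1 instead)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature) {
        $findings['SMB1Protocol feature state']    = $feature.State
    }

    # 4. Is anything listening on TCP 445? The worm spreads over SMB, so a host that is
    #    unpatched AND listening AND reachable from untrusted networks is the one to fix first.
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $findings['TCP 445 listening']             = [bool]$listening

    $findings.GetEnumerator() | ForEach-Object { '{0,-35} : {1}' -f $_.Key, $_.Value }

    # Remediation, run deliberately after the audit (both need elevation):
    # Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    ```

    Turning SMBv1 off does not replace the patch: a host with a later SMB version enabled still needs the MS17-010 update applied, so treat "patch present: False" as the finding that matters most.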
  • Options
    NightslyrNightslyr Registered User regular
    Wcry has been patched to no longer fall for the sinkhole:

    Round 2 begins now

  • Options
    ShadowfireShadowfire Vermont, in the middle of nowhereRegistered User regular
    Well shit...

    Hopefully the patching and definition updating everyone did tomorrow will help kill this one.

    WiiU: Windrunner ; Guild Wars 2: Shadowfire.3940 ; PSN: Bradcopter
  • Options
    MugsleyMugsley DelawareRegistered User regular
    edited May 2017
    We kinda saw this coming. I mean, the White Hat community was practically saying, "...is that all you've got?"

    Mugsley on