Weird thing I noticed at work the last few days. A lot of our clients who normally use AWS VPNs have been logging in suddenly via Linode VPNs. All of them are Mac users. At first I thought something fishy was up and someone with a Mac was attacking our clients somehow, then I went through login histories and yep, every one of them has been using a Mac for years. I wonder if there was a sale through Apple on Linode services or something.
TetraNitroCubane
edited November 2019
Oh hey, who else was baffled when they got logged out and couldn't log back in without a password reset?
It was because vanilla had a vulnerability! (Edit: There's a forum banner for this now, so this post is highly redundant.)
Some Background
Vanilla stores records of user information in its databases, for display and authentication purposes. The full record is generally not visible to the public and is guarded by various permission checks through Vanilla's controllers and API endpoints.
With Vanilla's APIv2 endpoints additional validation exists to ensure that only certain, predefined fields are returned from any particular endpoint. This is called a Schema.
What happened
A bug in sanitization logic caused the schema not to be applied to 1 APIv2 endpoint. This caused full user records to be output to the browser while quoting comments and discussions. While this data was not visible to the eye, it could be accessed by:
Inspecting the network requests while quoting some user content.
Calling the /api/v2/media/scrape endpoint directly (with permission to view the scraped discussion or comment).
Inspecting the HTML of rich comment or discussion quotes.
Honestly, comparatively speaking it looks like small potatoes. And really, Vanilla responded quite quickly and efficiently, with seriously good levels of detail. That's a rarity these days!
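The advisory above describes an output schema that was skipped on one endpoint, so the full internal record went out with a quote payload. As an added illustration (not Vanilla's code; the record fields, the schema and the two render functions are constructed for this example), here is what an allowlisting output schema does, next to the buggy path that serialises the whole record, plus a check that walks the resulting JSON the way someone inspecting the network tab would:

```python
import json

# Constructed stand-in for a full internal user record. Field names are
# assumptions for illustration, not Vanilla's actual user table.
FULL_USER_RECORD = {
    "userID": 42,
    "name": "example_user",
    "photoUrl": "https://example.invalid/avatar.png",
    "email": "user@example.invalid",
    "password": "$2y$10$constructed-hash-placeholder",
    "lastIPAddress": "203.0.113.7",
    "dateLastActive": "2019-11-01T12:00:00+00:00",
}

# Output schema: the only fields a public endpoint may emit, with their types.
PUBLIC_USER_SCHEMA = {
    "userID": int,
    "name": str,
    "photoUrl": str,
}


def apply_output_schema(record, schema):
    """Return a copy of record restricted to the schema's fields.

    Fields not in the schema are dropped, so a record that grows a new
    sensitive column later cannot leak through this path. A missing or
    mistyped field is an error rather than silently passed through.
    """
    out = {}
    for field, expected_type in schema.items():
        if field not in record:
            raise ValueError(f"missing field: {field}")
        value = record[field]
        if not isinstance(value, expected_type):
            raise TypeError(f"field {field}: expected {expected_type.__name__}")
        out[field] = value
    return out


def render_quote_unsafe(author_record, body):
    """The buggy shape: the whole internal record goes into the payload."""
    return {"insertUser": author_record, "body": body}


def render_quote_safe(author_record, body):
    """The intended shape: the record passes through the output schema first."""
    return {"insertUser": apply_output_schema(author_record, PUBLIC_USER_SCHEMA),
            "body": body}


def leaked_fields(payload, sensitive=("email", "password", "lastIPAddress")):
    """Walk the serialised payload and report sensitive keys found anywhere.

    This is the reviewer's check: serialise exactly what the browser would
    receive, then look for keys that must never appear in a public response.
    """
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in sensitive:
                    found.add(key)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(json.dumps(payload)))
    return sorted(found)


if __name__ == "__main__":
    print("unsafe:", leaked_fields(render_quote_unsafe(FULL_USER_RECORD, "hi")))
    print("safe:  ", leaked_fields(render_quote_safe(FULL_USER_RECORD, "hi")))
```

The point of the schema is that it is an allowlist applied at the output boundary: the controller never has to remember which columns are secret, because anything not named in the schema is dropped before serialisation.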
Orca
Yeah. I was confused until Tube put up the banner, at which point I followed the link and was frankly impressed at the detail of the timeline and how quickly they responded and how up-front they are with how to change the process to avoid such failures in the future. If only everybody would be that detailed.
Dang son. Most Google and Samsung phones have/had a vulnerability which let a rogue app access all photos and stored GPS locations, as well as activate the camera and microphone whenever they wanted and without notifying the user, including when the phone was locked. All remotely. All that was required was to give the rogue app storage permissions.
That seems like pretty much a worst-case scenario for a cell phone.
For a bunch of reasons entirely unrelated to google or apple, you shouldn't trust your phone to be entirely secure. Even in the best-case scenario, cell phones are incredibly complicated pieces of tech with huuuuuuuge attack surfaces. Your best bet is to select apps defensively and keep everything up to date.
TetraNitroCubane
And for the love of $Deity, don't use a mobile banking app. Ever.
Hi, I work at a bank and am in charge of fraud for mobile banking. It's not all that bad; however, do expect we might call you to check on things if you're using 4 different VPNs every time you log in.
It's more that you should never protect your financial accounts with a single factor.
If you are using your mobile device to log into your bank, once your phone is compromised, oops! That's it. It's over.
If you're using your phone as a secondary device to get One Time Codes, and logging in through a different machine, now if either gets compromised you've still got a layer of security.
Also, didn't that unpatchable boot ROM exploit for iOS just hit? Checkmate? Checkm8?
Things might be a little different going forward.
Google's Project Zero has really in-depth write-ups on a group that did the same thing on iPhones for years with different sets of exploit chains. Some of which merely required navigating to an attacker controlled site.
Yeah, that was a pretty fantastic write-up. If I remember correctly, the website-based exploit had to live in active memory, so a restart could flush it out, but people actually restart their phones very rarely.
I think that might be a different one, or if it's the same I missed the in-memory bit in all the RE talk. These went up last month and were about 5 different exploit chains seen in the wild since 2015 that were all used to deliver the same implant.
So I'll probably be re-building my computer (case swap) over the next few weeks, and I figured I'd take the time and update my BIOS. I'm basically on the first release of my motherboard's BIOS, which is from... 2015ish? I haven't ever felt a need to, but I figure I'd do it anyway. My main curiosity is how much I might need to worry about doing a FULL update of it, as it's an Intel (Z170), so the full updates would be patching the Intel exploits found a couple years back. I'd certainly hate to lose much performance, although what I do these days probably wouldn't be too affected honestly.
Just wanted to get some opinions on this kind of thing, and if anyone's seen any major performance hits.
Personally I think there's zero reason to update your bios unless you've bought a cpu that requires it.
That's largely been what I follow: if it's not broken, don't fix it. Although I will say, I built it with an i7-6700, and there were some random thoughts about trying to upgrade to a 7700, but prices are over what a much better CPU would cost, so I'm not sure if that will ever happen. There are a few updates I've seen that update some M.2 and memory support, along with the update for 7th gen CPUs.
I had considered building a completely new computer as well, but I really don't see that happening right now, as much as I'd like a new one.
Are there any issues with the Edge Adblock, or should I go with a Chrome Adblock combo? I’m setting up a new laptop, and I have used Firefox in the past but it just feels dated now.
Inquisitor77
Why does Firefox feel dated? Works just as well as any other browser... I'd recommend using Firefox + uBlock Origin. Alternatively, you can also use Brave + uBlock Origin if you want to use a Chrome-based browser that has working adblocking.
Notice how I don't mention Adblock anywhere. :P
Shadowfire
You shouldn't use Edge as it's sunsetted already. I'd stay away from Chrome due to their changes to adblocking addons. Firefox has been working well for me.
I use Firefox with noscript. It's really illuminating to see how many scripts and where they come from on every website. (Also disappointing to discover a lot of broken webpages that just can't function without Javascript.)
"Simple, real stupidity beats artificial intelligence every time." -Mustrum Ridcully in Terry Pratchett's Hogfather p. 142 (HarperPrism 1996)
Inquisitor77
Bitdefender paid can be found very cheap, for something like $25 a year if you look around. Otherwise Windows Defender works great as a free solution.
Malwarebytes is still trying to become a "full endpoint protection suite" but by-and-large is mostly useful as an on-demand supplemental scanner (i.e. the free functionality).
TetraNitroCubane
"But TetraNitroCubane," you say, "credit card skimmers are nothing new. Particularly at gas stations. And what does this have to do with computer security anyway?"
Correct! But this new vector doesn't even have to be installed on the pump to skim your card. It's actually something far different, and doesn't involve a physical component. Details can be found in Visa's report on the issue (Link goes to a PDF report).
In the first incident, PFD analyzed the compromise of a North American fuel dispenser merchant. The threat actors compromised the merchant via a phishing email sent to an employee. The email contained a malicious link that, when clicked, installed a Remote Access Trojan (RAT) on the merchant network and granted the threat actors network access. The actors then conducted reconnaissance of the corporate network, and obtained and utilized credentials to move laterally into the POS environment. There was also a lack of network segmentation between the Cardholder Data Environment (CDE) and corporate network, which enabled lateral movement. Once the POS environment was successfully accessed, a Random Access Memory (RAM) scraper was deployed on the POS system to harvest payment card data.
Malicious parties have essentially phished gas station employees (unclear what employees, or at what level), and from there have managed to get into the Point Of Sale system (which really should be an isolated network). And because just about every damn gas station (in the US) uses magstripe instead of Chip and PIN for transactions, the data for every credit card that gets swiped is transmitted through the POS system unencrypted. Changes to POS systems to eliminate magstripe readers are being mandated by Visa, but will take until October of 2020 to roll out.
So once again, a case of the greatest modern vulnerability to user data: Companies not giving two shits about your privacy and security.
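The RAM scraper in Visa's description works only because magstripe track data sits in POS memory in the clear. A defender's counterpart is to scan a memory image or a log export of a POS host for that exact condition and confirm that no cleartext track data is present. As an added example (not from Visa's report or any POS vendor), here is such a scanner: it matches the ISO 7813 Track 2 layout, drops hits whose PAN fails the Luhn check to cut false positives, and reports only a masked PAN. The sample buffer is constructed, using the standard Visa test number 4111111111111111 and a deliberately Luhn-invalid neighbour:

```python
import re

# ISO/IEC 7813 Track 2: ';' PAN '=' YYMM service-code discretionary-data '?'
# Digits only, so \d on a bytes pattern is the ASCII digit class.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d{3}[0-9]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation for a primary account number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4; never write a full PAN to a finding."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_track_data(buf: bytes):
    """Return findings for every Luhn-valid Track 2 record in buf.

    Each finding carries the byte offset (to locate the owning process or
    file region), the masked PAN and the expiry. Luhn-invalid matches are
    ignored: they are usually unrelated digit runs, not card data.
    """
    findings = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        findings.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}",  # MM/YY
        })
    return findings


# Constructed sample: a slice of "memory" with one real-looking Track 2
# record (test PAN), one Luhn-invalid decoy, and surrounding noise.
SAMPLE_BUFFER = (
    b"POS_LOG garbage\x00\x01"
    b";4111111111111111=2212101123456?"
    b"\x00more"
    b";4111111111111112=2212101123456?"
    b"end"
)


if __name__ == "__main__":
    for finding in find_cleartext_track_data(SAMPLE_BUFFER):
        print(finding)
```

Run against a real capture, a single hit is already a finding: it means the segmentation and encryption controls that should keep track data out of host memory are not doing their job, regardless of whether a scraper is present yet.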
The functional problem with gas pumps is you need to authorize the card first to activate the pumps to prevent drive offs, but you also don't know how much the transaction will be until it's done pumping. So for a chip card you'd have to leave the card in for the entire duration, which can cause problems for shared card readers and allow physical card theft.
Just remember that half the people you meet are below average intelligence.
I keep waiting for gas pumps to get NFC so that I can use phone payments instead, but it still hasn't happened.
Byrne Dairy here in NY uses them, it's great, I am almost exclusively using them for gas now. I'm not sure if they're phone compatible but it works by waving my wallet at it so there's that.
not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
That's not how it works up here (Canada). It does ask you to enter the cash amount you want to purchase, pre-authorizes for that amount (after you enter your pin), and then gives you your card back before dispensing fuel from the pump. You're only actually charged for the amount you pump. It's a smooth, quick process that only sucks because being outside in winter sucks. :P
The Shell pumps at the service plazas along the FL Turnpike had those NFC things, but it declined the transaction when I waved my phone. Wish I had one of those NFC credit cards.
I hate how over priced Apple stuff is, but I respect their security, even if they have to establish their walled garden to do so.
https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html?m=1
Class: This is pretty sweet!
School: Now that you have the basics of Powershell, we have to teach you WMIC
Class: WTF IS THIS SHIT, I JUST WANNA DIE
You're not wrong, but the growing pains with the X570 chipset almost require regular updates right now.
This is partly the reason I've put off a new build, to allow new stuff time to mature.
Firefox + uBlock Origin + Facebook Container
It feels like a slug compared to chrome.
http://newnations.bandcamp.com
Windows Defender.
If you want something to feel good about that's maybe overzealous but is also great, Malwarebytes continues to be excellent.
sighhhhhhhhhhhhh
time to go to cash only.