
[Computer Security Thread] CVEs, or "Crap! Vulnerabilities! Eughhhhh..."


Posts

  • Jazz Registered User regular
    Guess what?

    Just kidding! The rapidly deployed patch apparently doesn't fix a damn thing!
    An emergency patch Microsoft issued on Tuesday fails to fully fix a critical security vulnerability in all supported versions of Windows that allows attackers to take control of infected systems and run code of their choice, researchers said.

    The threat, colloquially known as PrintNightmare, stems from bugs in the Windows print spooler, which provides printing functionality inside local networks. Proof-of-concept exploit code was publicly released and then pulled back, but not before others had copied it. Researchers track the vulnerability as CVE-2021-34527.

    It is HIGHLY recommended that anyone running a Windows operating system go into Services and disable the print spooler until this is properly fixed.

    And apparently it was fixed again, and the fix didn't fix it again.

    Really dumb question: can I still print stuff without using the print spooler? I'm just a home user with one daily-driver PC, a smartphone and a wireless Canon printer/scanner/etc (which I can run wired if need be but it's far from ideal since it's in another room). Not like I need to often, but it'd be good to know.

  • Mugsley Delaware Registered User regular
    Someone answer Jazz 's question but also mine:

    I can't find any recent info. Has GOG Galaxy 2.0 local privilege escalation vulnerability been patched yet? I can't seem to find any info on it since about Aug 2020.

  • Carpy Registered User regular
    Cybercom is warning about an ongoing mass attack against Confluence. CVE-2021-26084 PoC was released on the 31st. Rapid7 blog on the attack.

    Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already— this cannot wait until after the weekend.

  • Incenjucar VChatter Seattle, WA Registered User regular
    Carpy wrote: »
    Cybercom is warning about an ongoing mass attack against Confluence. CVE-2021-26084 PoC was released on the 31st. Rapid7 blog on the attack.

    Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already— this cannot wait until after the weekend.

    Well that's a yikes. That's a very much yikes.

  • Carpy Registered User regular
    Holiday weekend in the States too. Tuesday could be real ugly.

  • DisruptedCapitalist I swear! Registered User regular
    Top content on that tweet:

    "can you explain to the Marketing Director how this makes us money please"

    And this is why 90 percent of the attacks will succeed this weekend.

    "Simple, real stupidity beats artificial intelligence every time." -Mustrum Ridcully in Terry Pratchett's Hogfather p. 142 (HarperPrism 1996)
  • TetraNitroCubane The Djinnerator At the bottom of a bottle Registered User regular
    Security is every company's lowest priority, until it is their highest priority.

  • BlackDragon480 Bluster Kerfuffle Master of Windy Import Registered User regular
    Security is every company's lowest priority, until it is their highest priority.

    I'm reminded of a quote from the landmark film Showdown In Little Tokyo:

    "Roughly translated: 'Out of the frying pan and boned up the ass with a red hot poker'"

    No matter where you go...there you are.
    ~ Buckaroo Banzai
  • TetraNitroCubane The Djinnerator At the bottom of a bottle Registered User regular
    edited September 2021
    I think this should probably be filed under "schadenfreude" rather than "security news", but....

    In an ongoing story Anonymous has dumped the entirety of webhosting provider and far-right-shithead-haven Epik.
    Entities using the name and iconography of Anonymous (EUTNAIOA) claim to have leaked server disk images extracted from Epik – the controversial US outfit that has provided services to far-right orgs such as the Oath Keepers and Gab, provided a home to social-network-for-internet-outcasts Parler, and hosted hate-hole 8chan.

    Epik made a virtue of providing such services. In a blog post defending its decision to operate Gab’s domain name after GoDaddy declined to do so, Epik CEO Rob Monster argued it was a free speech issue, and said deplatforming companies is both censorship and a violation of inalienable rights.

    EUTNAIOA earlier leaked 180GB of data it said it siphoned from Epik servers, plenty of it detailing the activities of far-right groups such as The Proud Boys and the ridiculous QAnon mob. This included personally identifiable information, domain ownership records, account credentials and SSH keys, internal Git repos, payment histories, and more.
    We're told the dump is a 70GB archive of files and “several bootable disk images of assorted systems” that represent Epik's server infrastructure. Journalist Steve Monacelli, who broke the news of the first data release, said the latest leak expands to 300GB.

    "This leak appears to be fully bootable disk images of Epik servers, including a wide range of passwords and API tokens," he added.

    Apparently names, addresses, credit card information, and other sensitive and identifiable data were all stored on the server... in plaintext!

    What's the technical term for this situation? Oh yeah.

    Whomp whomp.

  • DisruptedCapitalist I swear! Registered User regular
    edited October 2021
    So how can one look at that data? I'm wondering if any of my neighbors are in there and whether I should be worried about their murderous plans.

    "Simple, real stupidity beats artificial intelligence every time." -Mustrum Ridcully in Terry Pratchett's Hogfather p. 142 (HarperPrism 1996)
  • TelMarine Registered User regular
    I think this should probably be filed under "schadenfreude" rather than "security news", but....

    In an ongoing story Anonymous has dumped the entirety of webhosting provider and far-right-shithead-haven Epik.
    Entities using the name and iconography of Anonymous (EUTNAIOA) claim to have leaked server disk images extracted from Epik – the controversial US outfit that has provided services to far-right orgs such as the Oath Keepers and Gab, provided a home to social-network-for-internet-outcasts Parler, and hosted hate-hole 8chan.

    Epik made a virtue of providing such services. In a blog post defending its decision to operate Gab’s domain name after GoDaddy declined to do so, Epik CEO Rob Monster argued it was a free speech issue, and said deplatforming companies is both censorship and a violation of inalienable rights.

    EUTNAIOA earlier leaked 180GB of data it said it siphoned from Epik servers, plenty of it detailing the activities of far-right groups such as The Proud Boys and the ridiculous QAnon mob. This included personally identifiable information, domain ownership records, account credentials and SSH keys, internal Git repos, payment histories, and more.
    We're told the dump is a 70GB archive of files and “several bootable disk images of assorted systems” that represent Epik's server infrastructure. Journalist Steve Monacelli, who broke the news of the first data release, said the latest leak expands to 300GB.

    "This leak appears to be fully bootable disk images of Epik servers, including a wide range of passwords and API tokens," he added.

    Apparently names, addresses, credit card information, and other sensitive and identifiable data were all stored on the server... in plaintext!

    What's the technical term for this situation? Oh yeah.

    Whomp whomp.

    I'm not gonna take the "it's okay if it happens to them because I disagree with them" route. No excuse for keeping all information in plaintext though. Every time I have to create an account somewhere, I'm thinking, this will eventually leak and probably not be secured well, ugh.

    3ds: 4983-4935-4575
  • kime Queen of Blades Registered User regular
    Nazis are not just "someone you disagree with"

    Battle.net ID: kime#1822
    3DS Friend Code: 3110-5393-4113
    Steam profile
  • TetraNitroCubane The Djinnerator At the bottom of a bottle Registered User regular
    edited October 2021
    They're crypto-fascists who decided to roll their own crypto (in this case - none).

    You know. Morons.

    To be fair, though, I have the same worry about any time I have to make a new account. Client security doesn't matter for shit if the server itself isn't secured, and more and more these days we're finding that the server is never secured.

  • V1m Registered User regular
    TelMarine wrote: »
    I think this should probably be filed under "schadenfreude" rather than "security news", but....

    In an ongoing story Anonymous has dumped the entirety of webhosting provider and far-right-shithead-haven Epik.
    Entities using the name and iconography of Anonymous (EUTNAIOA) claim to have leaked server disk images extracted from Epik – the controversial US outfit that has provided services to far-right orgs such as the Oath Keepers and Gab, provided a home to social-network-for-internet-outcasts Parler, and hosted hate-hole 8chan.

    Epik made a virtue of providing such services. In a blog post defending its decision to operate Gab’s domain name after GoDaddy declined to do so, Epik CEO Rob Monster argued it was a free speech issue, and said deplatforming companies is both censorship and a violation of inalienable rights.

    EUTNAIOA earlier leaked 180GB of data it said it siphoned from Epik servers, plenty of it detailing the activities of far-right groups such as The Proud Boys and the ridiculous QAnon mob. This included personally identifiable information, domain ownership records, account credentials and SSH keys, internal Git repos, payment histories, and more.
    We're told the dump is a 70GB archive of files and “several bootable disk images of assorted systems” that represent Epik's server infrastructure. Journalist Steve Monacelli, who broke the news of the first data release, said the latest leak expands to 300GB.

    "This leak appears to be fully bootable disk images of Epik servers, including a wide range of passwords and API tokens," he added.

    Apparently names, addresses, credit card information, and other sensitive and identifiable data were all stored on the server... in plaintext!

    What's the technical term for this situation? Oh yeah.

    Whomp whomp.

    I'm not gonna take the "it's okay if it happens to them because I disagree with them" route. No excuse for keeping all information in plaintext though. Every time I have to create an account somewhere, I'm thinking, this will eventually leak and probably not be secured well, ugh.

    I'm going to take the "It's OK if it happens to them because they're actively and violently hostile to every value I hold dear" route though. These aren't people who like cherry pie more than apple pie or think that Big Bang Theory is better than the IT Crowd. These are people who actively want to exterminate or reduce to sub-humanity a large fraction of the population.

    This has happened because they're determined to believe that people who enable their hateful beliefs are the most bestest. I hope this is the least that happens to them as a result of their credulous determination to be "owning the libs".

  • NEO|Phyte They follow the stars, bound together. Strands in a braid till the end. Registered User regular
    Just had an odd email turn up in my inbox. I have no clue who the sender is; they sent it to a bunch of emails, and the body of the email is a bunch of capitalized letters with hyphens between them at irregular intervals. I have no clue what the formatting of it indicates. There's also an attached HTML file whose file name was truncated by my phone, but with something about Elon Musk. I am absolutely not stupid enough to try and open that attached file. Any idea what I'm looking at?

    It was that somehow, from within the derelict-horror, they had learned a way to see inside an ugly, broken thing... And take away its pain.
    Warframe/Steam: NFyt
  • BahamutZERO Registered User regular
    spam, virus probably

  • JaysonFour Classy Monster Kitteh Registered User regular
    Hearing that Twitch- the entire freaking site, passwords, internals, everything- has been hacked and leaked.

    https://www.videogameschronicle.com/news/the-entirety-of-twitch-has-reportedly-been-leaked/

    Looks pretty legitimate to me. Time to change passwords and set up 2FA.

    I can has cheezburger, yes?
  • TetraNitroCubane The Djinnerator At the bottom of a bottle Registered User regular
    Seeing this echoed and confirmed from more than one source. The extent of the breach looks comprehensive.

    Be sure to change the following:
    • Your password
    • Your stream key
    • Any password that might be similar on an associated account (i.e. email or twitter, etc)
    • Banking info associated with the account (i.e. credit card information used to make payments)
    • Anything else that you can change that was associated with your account

    Unfortunately, Twitch recently made a push for phone verification, and requires you to use SMS to establish 2FA before you can fall back onto an authenticator app. Which means a LOT of people's phone numbers just got compromised.

    Stay safe everyone. This thing's huge.

  • Tomanta Registered User regular
    edited October 2021
    The fact that the breach also includes complete source code not just for Twitch but also other things, and how much streamers get paid, really makes the scope of this huge. But hey, we'll get free credit monitoring and Twitch / Amazon will still make billions.

  • Six Caches Tweets in the mainframe cyberhex Registered User regular
    Don’t use similar passwords. Use a password manager.

    Your daily/weekly/monthly/yearly reminder.

    can you feel the struggle within?
  • DisruptedCapitalist I swear! Registered User regular
    Tomanta wrote: »
    The fact that the breach also includes complete source code not just for Twitch but also other things, and how much streamers get paid, really makes the scope of this huge. But hey, we'll get free credit monitoring and Twitch / Amazon will still make billions.

    And the lawsuits and fines will probably amount to millions. Cost of doing business!

    "Simple, real stupidity beats artificial intelligence every time." -Mustrum Ridcully in Terry Pratchett's Hogfather p. 142 (HarperPrism 1996)
  • TetraNitroCubane The Djinnerator At the bottom of a bottle Registered User regular
    Also, don't use SMS for 2FA if you can help it.

  • Six Caches Tweets in the mainframe cyberhex Registered User regular
    Also, don't use SMS for 2FA if you can help it.

    Also use 2FA.

    can you feel the struggle within?
  • LostNinja Registered User regular
    edited October 2021
    Is there any risk to our Amazon account info with this if it’s linked but a different password?

    Twitch didn’t have my phone number that I know of, but Amazon does.

  • TetraNitroCubane The Djinnerator At the bottom of a bottle Registered User regular
    The extent of the breach isn't fully understood at this point, but it's limited to data stored on Twitch.

    The linking of your Amazon account to your Twitch account shouldn't expose your Amazon information, from what I can gather.

  • TetraNitroCubane The Djinnerator At the bottom of a bottle Registered User regular
    Oh hey, the hits just keep on coming lately.

    It was revealed yesterday that Syniverse, perhaps the most major router of SMS text messages, has been compromised since 2016.
    Syniverse, a company that routes hundreds of billions of text messages every year for hundreds of carriers including Verizon, T-Mobile, and AT&T, revealed to government regulators that a hacker gained unauthorized access to its databases for five years. Syniverse and carriers have not said whether the hacker had access to customers' text messages.

    A filing with the Securities and Exchange Commission last week said that "in May 2021, Syniverse became aware of unauthorized access to its operational and information technology systems by an unknown individual or organization. Promptly upon Syniverse's detection of the unauthorized access, Syniverse launched an internal investigation, notified law enforcement, commenced remedial actions and engaged the services of specialized legal counsel and other incident response professionals."

    Syniverse said that its "investigation revealed that the unauthorized access began in May 2016" and "that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer ('EDT') environment was compromised for approximately 235 of its customers."

  • JaysonFour Classy Monster Kitteh Registered User regular
    edited October 2021
    I'm also hearing that passwords and other account-identifying information weren't apparently part of the leaked info- apparently the person who did the leaking went ahead and stripped all that stuff out before releasing the torrent on 4chan, so it might not be as uber-terrible as it could have been.

    The list is purportedly:

    - The entirety of Twitch’s source code with comment history “going back to its early beginnings”
    - Creator payout reports from 2019
    - Mobile, desktop and console Twitch clients
    - Proprietary SDKs and internal AWS services used by Twitch
    - “Every other property that Twitch owns” including IGDB and CurseForge
    - An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
    - Twitch internal ‘red teaming’ tools (designed to improve security by having staff pretend to be hackers)

    But still, Twitch still got hacked, so changing all your stuff and activating 2FA on an encryption app is still the best thing to do.

    I can has cheezburger, yes?
  • TetraNitroCubane The Djinnerator At the bottom of a bottle Registered User regular
    edited October 2021
    Ostensibly the hacker has the passwords, even if they decided not to leak them. That's the kind of thing that you sell, rather than leak to 4chan.

    That being said, those passwords should be salted AND hashed - effectively encrypted. I would hope Twitch uses fairly strong encryption.

    I swear to god if we find out they use MD5...

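    As an added illustration of the salting-and-hashing point in the post above (this is example code written for this thread, not anything from the original post or from Twitch), the Python snippet below contrasts the dreaded unsalted MD5 scheme with a per-user salt plus a deliberately slow key-derivation function, and shows the constant-time check a login path should use. The two users and their passwords are constructed sample data; PBKDF2-HMAC-SHA256 is used only because it ships in the standard library, and scrypt or argon2id would be the preferred choice where available.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample input: two different users who happen to pick the same password.
USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
}


def md5_unsalted(password: str) -> str:
    """The scheme the thread hopes Twitch does not use: fast and unsalted.

    Equal passwords give equal digests, so a leaked table can be attacked
    with one precomputed lookup covering every user at once.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow hash. Returns (salt, digest) so both can be stored per user.

    A fresh 16-byte random salt means two users with the same password get
    different stored values, and each guess must be recomputed per user.
    600k PBKDF2 iterations is a stdlib-only stand-in for scrypt/argon2id.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time (no timing leak)."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    """Run both schemes over the sample users and report what a defender cares about."""
    md5 = {user: md5_unsalted(pw) for user, pw in USERS.items()}
    salted = {user: hash_password(pw) for user, pw in USERS.items()}
    alice_salt, alice_digest = salted["alice"]
    return {
        # Unsalted MD5: identical passwords are visibly identical in the leak.
        "md5_collides": md5["alice"] == md5["bob"],
        # Salted KDF: the same password is indistinguishable across users.
        "salted_differs": salted["alice"][1] != salted["bob"][1],
        # The login path still accepts the right password and rejects a wrong one.
        "verify_ok": verify_password(USERS["alice"], alice_salt, alice_digest),
        "verify_wrong": verify_password("hunter2", alice_salt, alice_digest),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    The salt is not a secret and is stored next to the digest; its job is to make precomputed tables useless and force per-user work, while the iteration count is what makes each guess expensive.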
  • Drovek Registered User regular
    The extent of the breach isn't fully understood at this point, but it's limited to data stored on Twitch.

    The linking of your Amazon account to your Twitch account shouldn't expose your Amazon information, from what I can gather.

    If things are done properly, at most it would be an auth token that * may * grant some API based access, though if you're lucky it's on an Allow-List based API.

  • Xeinos Registered User regular
    So, I don't know anything about password managers. What's worth my time, how hard is the process of migrating everything, can info be shared between a PC and Android?

    Sorry for the very broad question, I just figured it was about time to start on them.

  • Six Caches Tweets in the mainframe cyberhex Registered User regular
    edited October 2021
    Xeinos wrote: »
    So, I don't know anything about password managers. What's worth my time, how hard is the process of migrating everything, can info be shared between a PC and Android?

    Sorry for the very broad question, I just figured it was about time to start on them.

    I use LastPass. There are a few good ones. Most have browser plugins and mobile apps to make it easy to use all your devices. Many have tools to easily migrate your current browser store in, like if you use Chrome to store all your passwords. Then it’s a matter of changing them all, ideally to something unique, long, and random. I have no idea what any of my passwords are except for my master password to LastPass and one or two more that I keep easy to remember for a very specific reason. For instance, my Peloton password is long and unique but easy to remember so I’m not typing gibberish into a Peloton I’m using at a hotel.

    The process of changing them all can take a while. Lastpass has a tool that will analyze your vault and let you know how many are weak or identical to others so you know which ones to change. It took me a few hours to get set up. Now I just let the browser plug-in auto fill or the biometric on my device (faceid for me) to authenticate and fill in the password. It’s way easier, more convenient, and secure.

    Edit: Also, to handle an objection that sometimes comes up, “What if my LastPass gets hacked?” LastPass doesn’t have my passwords. It has an encrypted vault that gets synced to different devices. You’d need to authenticate on that device to get access to the vault, and if you can authenticate to the device, then you’d already have access to a similar, far less secure vault if I were saving my passwords in Chrome or something. It’s a much better and easier to use system. All my devices require biometric ID, be it a fingerprint or a face.

    can you feel the struggle within?
  • tsmvengy Registered User regular
    Xeinos wrote: »
    So, I don't know anything about password managers. What's worth my time, how hard is the process of migrating everything, can info be shared between a PC and Android?

    Sorry for the very broad question, I just figured it was about time to start on them.

    I use BitWarden, it has browser plugins and phone apps. I switched because LastPass was making users pay to use more than one device (e.g. a PC and a phone).

  • Nosf Registered User regular
    I've heard good things about bitwarden. I use a local keepass file that I should move or at least copy to onedrive, which I have tied to MFA.

  • LD50 Registered User regular
    If you want to have local-storage-only password management, use KeePass; otherwise I like Bitwarden.

    I use keepass at work because we can't have our creds stored with a 3rd party, I use bitwarden at home for the convenience.

  • TelMarine Registered User regular
    I had forgotten I created a Twitch account (since I almost never use it). Changed my password, which was simple thanks to having a password manager.

    I personally use KeePass2 / Keepass XC (depending on the OS). You will have to sync the database yourself, but there are plugins for it to work with browsers, etc. Someone wrote a plugin for Keepass that allows you to use a yubikey as a 2-factor authentication mechanism for your master password, which I have added, if you want that extra layer of security. It's too bad more places don't support yubikey. Some banks started supporting it, but their implementation sucks since you can bypass it and downgrade to SMS two factor.

    I think these companies want you to use SMS 2-factor to obtain more information about you. If you read the fine print, it says they can use your number for other reasons (like marketing) so they can fuck off with that. Give the option to use an authenticator app or yubikey.

    3ds: 4983-4935-4575
  • Zilla360 21st Century. |She/Her| Trans* Woman In Aviators Firing A Bazooka. ⚛️ Registered User regular
    The mind is the last and final battlefield.

  • Mr_Rose 83 Blue Ridge Protects the Holy Registered User regular
    A mind is a terrible thing to waste. Eight hundred million minds is a statistic(al goldmine)…

    ...because dragons are AWESOME! That's why.
    Nintendo Network ID: AzraelRose
    DropBox invite link - get 500MB extra free.
  • TelMarine Registered User regular
    There's a random person on Twitter with a redacted screenshot purporting to show that the Twitch source code has a ton of hardcoded secrets/passwords. If that's true, see, secrets management sucks...

    3ds: 4983-4935-4575
  • Xeinos Registered User regular
    Much appreciated folks! I'll get on looking all these up, and making some decisions!

  • Thawmus +Jackface Registered User regular
    TelMarine wrote: »
    I had forgotten I created a Twitch account (since I almost never use it). Changed my password, which was simple thanks to having a password manager.

    I personally use KeePass2 / Keepass XC (depending on the OS). You will have to sync the database yourself, but there are plugins for it to work with browsers, etc. Someone wrote a plugin for Keepass that allows you to use a yubikey as a 2-factor authentication mechanism for your master password, which I have added, if you want that extra layer of security. It's too bad more places don't support yubikey. Some banks started supporting it, but their implementation sucks since you can bypass it and downgrade to SMS two factor.

    I think these companies want you to use SMS 2-factor to obtain more information about you. If you read the fine print, it says they can use your number for other reasons (like marketing) so they can fuck off with that. Give the option to use an authenticator app or yubikey.

    Yeah I use Keepass XC on my workstations, keepass2android on my phone, and then I have the database synced via cloud services, a gigantic goddamn master password, and a key file that I have on my phone and 3 flash drives. You need both the key file and the password to access the database, but goddamn do I love not typing in passwords and shit anymore for websites I visit 2 times a year.

    Twitch: Thawmus83