As was foretold, we've added advertisements to the forums! If you have questions, or if you encounter any bugs, please visit this thread: https://forums.penny-arcade.com/discussion/240191/forum-advertisement-faq-and-reports-thread/

[Computer Security Thread] Twitch compromised. Like, the whole thing.

17172737476

Posts

  • Zilla360Zilla360 21st Century. |She/Her| Trans* Woman In Aviators Firing A Bazooka. ⚛️Registered User regular
    Thawmus wrote: »
    TelMarine wrote: »
    I had forgotten I created a Twitch account (since I almost never use it). Changed my password, which was simple thanks to having a password manager.

    I personally use KeePass2 / Keepass XC (depending on the OS). You will have to sync the database yourself, but there are plugins for it to work with browsers, etc. Someone wrote a plugin for Keepass that allows you to use a yubikey as a 2-factor authentication mechanism for your master password, which I have added, if you want that extra layer of security. It's too bad more places don't support yubikey. Some banks started supporting it, but their implementation sucks since you can bypass it and downgrade to SMS two factor.

    I think these companies want you to use SMS 2-factor to obtain more information about you. If you read the fine print, it says they can use your number for other reasons (like marketing) so they can fuck off with that. Give the option to use an authenticator app or yubikey.

    Yeah I use Keepass XC on my workstations, keepass2android on my phone, and then I have the database synced via cloud services, a gigantic goddamn master password, and a key file that I have on my phone and 3 flash drives. You need both the key file and the password to access the database, but goddamn do I love not typing in passwords and shit anymore for websites I visit 2 times a year.
    I do all of that, but in my head.

    NH844lc.png | PSN | GACSALB.jpg My Blog |🏳️‍⚧️♥️
  • nexuscrawlernexuscrawler Registered User regular
    Yeah I'm a OnePassword devotee.

  • OrcaOrca Registered User regular
    I'm a happy user of Keepass. I use Strongbox on iOS, which is a KeePass client.

  • CarpyCarpy Registered User regular
    Just make sure you close you close your password manager when not using it.


    Opsec fails:
    - the admin's password manager was open in the browser window

    - the password manager had the password for the ESXi admin account in it

    - two weeks earlier, someone had legitimately enabled the ESXi shell in order to do some maintenance and left it on.

    Thread is documenting a ransomware breach where the attackers turned low privilege access directly into esxi access because someone left their password manager open in the browser.

    ThawmusTetraNitroCubaneShadowfireBlackDragon480
  • NaphtaliNaphtali Null Registered User regular
    Yeah I'm a OnePassword devotee.

    I wouldn't say I'm at devotee level, but I pay for a standalone license (for one PC, my primary home one) and then sync my keychain to my phone via dropbox, and can access it from there using their free app. Any other PCs that I need to sign into things with I have to type in the passwords, but I don't feel like doing the subscription thing nor do I want to link the password manager to the browser.

    B.net: Naphtali#1830 | Steam | Nintendo ID: Naphtali | PSN: EI-Naphtali | Wish List
  • MugsleyMugsley Registered User regular
    I'm slowly integrating Bitwarden for personal browsing. I wish I could have a manager for work. But alas, the fed won't approve pw managers. I have no idea why.

  • MugsleyMugsley Registered User regular
    Also the MTG community pulled out streamer payout data. I wish the FF community would do that. Or the WoW community.

  • JaysonFourJaysonFour Classy Monster Kitteh Registered User regular
    Twitch decided to deactivate all issued streamer keys and reissue them, to prevent shenanigans.

    Though apparently the shitheadery has begun over on Twitch, as a number of background images on the pages of popular video games on Twitch were replaced with creepy zoomed-in photos of Jeff Bezos for a few hours this morning.

    I get the feeling we’re going to see a lot more of this shit for a good long while, and I only hope this is as bad as it’s going to get (though let’s face it, the 4channers will always live down to their reps, so this is just the tip of the shitberg).

    steam_sig.png
    I can has cheezburger, yes?
    Thawmus
  • TetraNitroCubaneTetraNitroCubane The Djinnerator At the bottom of a bottleRegistered User regular
    The rumor is that a lot of passwords were hard-coded into the Twitch sourcecode, so there's likely a world of hurt on the horizon.

    Like, replacing thumbnails is going to be benign, compared to when someone figures out a way to deliver a drive-by attack from actual, factual twitch.

    VuIBhrs.png
    autono-wally, erotibot300Zilla360
  • autono-wally, erotibot300autono-wally, erotibot300 love machine Registered User regular
    The rumor is that a lot of passwords were hard-coded into the Twitch sourcecode, so there's likely a world of hurt on the horizon.

    Like, replacing thumbnails is going to be benign, compared to when someone figures out a way to deliver a drive-by attack from actual, factual twitch.

    Oh God this is amazing. Amazingly bad

    kFJhXwE.jpgkFJhXwE.jpg
    TetraNitroCubanekimeOrcaShadowfireZilla360furlionschuss
  • bowenbowen How you doin'? Registered User regular
    The rumor is that a lot of passwords were hard-coded into the Twitch sourcecode, so there's likely a world of hurt on the horizon.

    Like, replacing thumbnails is going to be benign, compared to when someone figures out a way to deliver a drive-by attack from actual, factual twitch.

    Oh God this is amazing. Amazingly bad

    it's wild how insecure 90% of websites actually are

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
    TetraNitroCubanezagdrobThawmusShadowfireZilla360schuss
  • TetraNitroCubaneTetraNitroCubane The Djinnerator At the bottom of a bottleRegistered User regular
    bowen wrote: »
    The rumor is that a lot of passwords were hard-coded into the Twitch sourcecode, so there's likely a world of hurt on the horizon.

    Like, replacing thumbnails is going to be benign, compared to when someone figures out a way to deliver a drive-by attack from actual, factual twitch.

    Oh God this is amazing. Amazingly bad

    it's wild how insecure 90% of websites actually are

    A shockingly high number of large, very integral websites apparently have opted for the "security through obscurity" method.

    Which doesn't hold up too well when the entirety of your source code gets dumped and leaked.

    VuIBhrs.png
    DrovekbowenZilla360
  • JaysonFourJaysonFour Classy Monster Kitteh Registered User regular
    I’m pretty much staying away from Twitch forever, I suppose, then. Because with the source code out, the only way this is ever going to end is that they’re going to have to nuke the entire site from orbit- source code, libraries, graphics, clients, associated sites, everything- and just rebuild it all from scratch with a new source code and everything. You might as well treat Twitch like a computer that was compromised- yeah, it might look like it's still working, but who knows if you missed anything?

    steam_sig.png
    I can has cheezburger, yes?
  • bowenbowen How you doin'? Registered User regular
    bowen wrote: »
    The rumor is that a lot of passwords were hard-coded into the Twitch sourcecode, so there's likely a world of hurt on the horizon.

    Like, replacing thumbnails is going to be benign, compared to when someone figures out a way to deliver a drive-by attack from actual, factual twitch.

    Oh God this is amazing. Amazingly bad

    it's wild how insecure 90% of websites actually are

    A shockingly high number of large, very integral websites apparently have opted for the "security through obscurity" method.

    Which doesn't hold up too well when the entirety of your source code gets dumped and leaked.

    Every time security through obscurity comes up I always remember that dude that railed on me for using mysql in our software because it was open source and thusly less secure than mssql.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
    LD50Zilla360ThawmusMvrck
  • BahamutZEROBahamutZERO Registered User regular
    on the bright side, due to twitch's code's new lack of obscurity, they're going to have all their security problems in their code pointed out to them really quickly! how helpful!

    BahamutZERO.gif
    autono-wally, erotibot300Zilla360Shadowfirewebguy20furlionschussThawmusboogedybooMechMantis
  • JaysonFourJaysonFour Classy Monster Kitteh Registered User regular
    Something else to think about- I'm fairly certain that Twitch also owns a site by the name of Curseforge, which used to be just plain Curse- the place where everybody and their dog got mods for stuff like WoW and many other games- they had an app and everything that let you download in mods right to your game, took care of setup and everything.

    The thought of the shenanigans that assholes could get up to with the sourcecode to that site, too, is just plain fucking scary- I mean, we're talking pushing malware as a mod update and getting it automatically downloaded once someone figures out how... and I think that's only a matter of time because I think the sourcecode to that was leaked too...?

    steam_sig.png
    I can has cheezburger, yes?
  • MugsleyMugsley Registered User regular
    There were already people pushing malware through WoW mods on Curseforge in 2015

    NaphtaliThawmus
  • Banzai5150Banzai5150 Registered User regular
    Orca wrote: »
    I'm a happy user of Keepass. I use Strongbox on iOS, which is a KeePass client.

    Thank you for this tidbit of info. I was just coming to ask about Keepass as I've used it forever and when I switched to iThings I had used a keepass app that no longer works and wanted to know if I should move to another app. This was easy to download and setup and I switched from DropBox as my cloud method to iCloud just for giggles. Is there any reason to get the paid Pro version of Strongbox?

  • OrcaOrca Registered User regular
    The paid pro version makes your life much easier since it allows you to unlock the key store with your fingerprint (and presumably Face ID), and offers integration with cloud services (historically a pain in the ass on iOS).

    You can use it without the paid perks and it works like your classic Keepass clients that need a password and you need to manually manage the key store between your phone and PC.

    Banzai5150
  • LD50LD50 Registered User regular
    JaysonFour wrote: »
    Something else to think about- I'm fairly certain that Twitch also owns a site by the name of Curseforge, which used to be just plain Curse- the place where everybody and their dog got mods for stuff like WoW and many other games- they had an app and everything that let you download in mods right to your game, took care of setup and everything.

    The thought of the shenanigans that assholes could get up to with the sourcecode to that site, too, is just plain fucking scary- I mean, we're talking pushing malware as a mod update and getting it automatically downloaded once someone figures out how... and I think that's only a matter of time because I think the sourcecode to that was leaked too...?

    Curse was sold to overwolf last year.

    Thawmus
  • bowenbowen How you doin'? Registered User regular
    LD50 wrote: »
    JaysonFour wrote: »
    Something else to think about- I'm fairly certain that Twitch also owns a site by the name of Curseforge, which used to be just plain Curse- the place where everybody and their dog got mods for stuff like WoW and many other games- they had an app and everything that let you download in mods right to your game, took care of setup and everything.

    The thought of the shenanigans that assholes could get up to with the sourcecode to that site, too, is just plain fucking scary- I mean, we're talking pushing malware as a mod update and getting it automatically downloaded once someone figures out how... and I think that's only a matter of time because I think the sourcecode to that was leaked too...?

    Curse was sold to overwolf last year.

    Overwolf, aka how to push malware to users and claim it's a service.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
    ThawmusLD50Phoenix-D
  • LD50LD50 Registered User regular
    bowen wrote: »
    LD50 wrote: »
    JaysonFour wrote: »
    Something else to think about- I'm fairly certain that Twitch also owns a site by the name of Curseforge, which used to be just plain Curse- the place where everybody and their dog got mods for stuff like WoW and many other games- they had an app and everything that let you download in mods right to your game, took care of setup and everything.

    The thought of the shenanigans that assholes could get up to with the sourcecode to that site, too, is just plain fucking scary- I mean, we're talking pushing malware as a mod update and getting it automatically downloaded once someone figures out how... and I think that's only a matter of time because I think the sourcecode to that was leaked too...?

    Curse was sold to overwolf last year.

    Overwolf, aka how to push malware to users and claim it's a service.

    I didn't even realize that overwolf still existed until the only useful part of the twitch app was sold to them. I then quickly found workarounds for managing minecraft modpacks hosted on curseforge.

    bowenThawmus
  • JaysonFourJaysonFour Classy Monster Kitteh Registered User regular
    Wait, Overwolf is malware? I scanned it multiple times and Kaspersky didn’t find anything…

    steam_sig.png
    I can has cheezburger, yes?
  • ShadowfireShadowfire Vermont, in the middle of nowhereRegistered User regular
    JaysonFour wrote: »
    Wait, Overwolf is malware? I scanned it multiple times and Kaspersky didn’t find anything…

    No it's not. At some point in the past one of the mods it added to their repository served some bad ads. That's the closest thing to malware I can find in their history. The general consensus seems to be that it's kinda crap but it's not dangerous.

    WiiU: Windrunner ; Guild Wars 2: Shadowfire.3940 ; PSN: Bradcopter
  • BlackDragon480BlackDragon480 Bluster Kerfuffle Master of Windy ImportRegistered User regular
    Carpy wrote: »
    Just make sure you close you close your password manager when not using it.


    Opsec fails:
    - the admin's password manager was open in the browser window

    - the password manager had the password for the ESXi admin account in it

    - two weeks earlier, someone had legitimately enabled the ESXi shell in order to do some maintenance and left it on.

    Thread is documenting a ransomware breach where the attackers turned low privilege access directly into esxi access because someone left their password manager open in the browser.

    Isn't that how Joey and Lucy hacked the Gibson?

    First they came for the Muslims and we said...NOT TODAY MOTHERFUCKERS!
  • JazzJazz Registered User regular
    Carpy wrote: »
    Just make sure you close you close your password manager when not using it.


    Opsec fails:
    - the admin's password manager was open in the browser window

    - the password manager had the password for the ESXi admin account in it

    - two weeks earlier, someone had legitimately enabled the ESXi shell in order to do some maintenance and left it on.

    Thread is documenting a ransomware breach where the attackers turned low privilege access directly into esxi access because someone left their password manager open in the browser.

    Isn't that how Joey and Lucy hacked the Gibson?

    Poor phorgotten Phreak.

  • nexuscrawlernexuscrawler Registered User regular
    bowen wrote: »
    bowen wrote: »
    The rumor is that a lot of passwords were hard-coded into the Twitch sourcecode, so there's likely a world of hurt on the horizon.

    Like, replacing thumbnails is going to be benign, compared to when someone figures out a way to deliver a drive-by attack from actual, factual twitch.

    Oh God this is amazing. Amazingly bad

    it's wild how insecure 90% of websites actually are

    A shockingly high number of large, very integral websites apparently have opted for the "security through obscurity" method.

    Which doesn't hold up too well when the entirety of your source code gets dumped and leaked.

    Every time security through obscurity comes up I always remember that dude that railed on me for using mysql in our software because it was open source and thusly less secure than mssql.

    Its like my dude there's literally dozens of automated tools that will find any known vulnerability in your server in minutes.

    bowenBlackDragon480V1m
  • DisruptedCapitalistDisruptedCapitalist screaming Registered User regular
    Carpy wrote: »
    Just make sure you close you close your password manager when not using it.


    Opsec fails:
    - the admin's password manager was open in the browser window

    - the password manager had the password for the ESXi admin account in it

    - two weeks earlier, someone had legitimately enabled the ESXi shell in order to do some maintenance and left it on.

    Thread is documenting a ransomware breach where the attackers turned low privilege access directly into esxi access because someone left their password manager open in the browser.

    I don't quite get how the attackers had access to the password manager in the browser in the first place? Wouldn't you need physical access to the computer running the browser? Was this person accessing their Teamviewer account in a public library or something? Or alternatively, did they already hack into that users computer with a key logger or something?



  • nexuscrawlernexuscrawler Registered User regular
    I always have my OnePass lock itself after like 10 minutes

  • CarpyCarpy Registered User regular
    Carpy wrote: »
    Just make sure you close you close your password manager when not using it.


    Opsec fails:
    - the admin's password manager was open in the browser window

    - the password manager had the password for the ESXi admin account in it

    - two weeks earlier, someone had legitimately enabled the ESXi shell in order to do some maintenance and left it on.

    Thread is documenting a ransomware breach where the attackers turned low privilege access directly into esxi access because someone left their password manager open in the browser.

    I don't quite get how the attackers had access to the password manager in the browser in the first place? Wouldn't you need physical access to the computer running the browser? Was this person accessing their Teamviewer account in a public library or something? Or alternatively, did they already hack into that users computer with a key logger or something?

    Earlier tweet mentions that they got initial access through a non-MFA'd valid TeamViewer account.
    Opsec fail:
    - initial access came via a (legit) TeamViewer account
    -- the account didn't have MFA enabled
    -- they obtained the correct credentials prior to attacking

    So now they're on the admin's computer.

    What's open on the browser? https://t.co/yVpLVuNvjN

  • zagdrobzagdrob Registered User regular
    That reminds me of when I was training my backup / replacement at my last job and gave him the super secret keystore admin password. I didn't want to email it or transmit it in an unsecure fashion so - in accordance with company policy- I read it off verbally to him.

    About ten seconds later my chat pops up and one of our DBAs says 'you know <dude> is on a loud speakerphone in the middle of all our cubes right'?

    ThawmusNaphtaliOrcaSoggybiscuitLostNinjaJazzShadowfireCarpyIanatorInquisitor77Banzai5150MugsleyBlackDragon480MechMantistsmvengyDisruptedCapitalistMvrckfurlionTelMarineV1mFrem
  • bowenbowen How you doin'? Registered User regular
    Shadowfire wrote: »
    JaysonFour wrote: »
    Wait, Overwolf is malware? I scanned it multiple times and Kaspersky didn’t find anything…

    No it's not. At some point in the past one of the mods it added to their repository served some bad ads. That's the closest thing to malware I can find in their history. The general consensus seems to be that it's kinda crap but it's not dangerous.

    It's deeper than that, it's got a pretty sordid history of bloat and shittiness with how it handles mods and the kind of shit it loads/etc. It did get flagged as malware for the longest time though.

    There are better tools to handle mods.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • JaysonFourJaysonFour Classy Monster Kitteh Registered User regular
    bowen wrote: »
    Shadowfire wrote: »
    JaysonFour wrote: »
    Wait, Overwolf is malware? I scanned it multiple times and Kaspersky didn’t find anything…

    No it's not. At some point in the past one of the mods it added to their repository served some bad ads. That's the closest thing to malware I can find in their history. The general consensus seems to be that it's kinda crap but it's not dangerous.

    It's deeper than that, it's got a pretty sordid history of bloat and shittiness with how it handles mods and the kind of shit it loads/etc. It did get flagged as malware for the longest time though.

    There are better tools to handle mods.

    My only problem is that Curseforge and Overwolf are the only ways to get mods easily for a lot of games. I'd love to use another one, but the problem is that they seem to be the only way possible to get hold of certain mods for various MMOs and such. If there's a safer app to get the same mods, I'll not reinstall either of them. But at this point, well, it's like I'd have to at least go on their site to get the mods and check to see if they were updated.

    steam_sig.png
    I can has cheezburger, yes?
  • SixSix Older Than Chanus Registered User regular
    edited October 14
    zagdrob wrote: »
    That reminds me of when I was training my backup / replacement at my last job and gave him the super secret keystore admin password. I didn't want to email it or transmit it in an unsecure fashion so - in accordance with company policy- I read it off verbally to him.

    About ten seconds later my chat pops up and one of our DBAs says 'you know <dude> is on a loud speakerphone in the middle of all our cubes right'?

    Was it “12345678?”

    Six on
    Friend codes are stupid
  • bowenbowen How you doin'? Registered User regular
    edited October 14
    JaysonFour wrote: »
    bowen wrote: »
    Shadowfire wrote: »
    JaysonFour wrote: »
    Wait, Overwolf is malware? I scanned it multiple times and Kaspersky didn’t find anything…

    No it's not. At some point in the past one of the mods it added to their repository served some bad ads. That's the closest thing to malware I can find in their history. The general consensus seems to be that it's kinda crap but it's not dangerous.

    It's deeper than that, it's got a pretty sordid history of bloat and shittiness with how it handles mods and the kind of shit it loads/etc. It did get flagged as malware for the longest time though.

    There are better tools to handle mods.

    My only problem is that Curseforge and Overwolf are the only ways to get mods easily for a lot of games. I'd love to use another one, but the problem is that they seem to be the only way possible to get hold of certain mods for various MMOs and such. If there's a safer app to get the same mods, I'll not reinstall either of them. But at this point, well, it's like I'd have to at least go on their site to get the mods and check to see if they were updated.

    There are probably a few managers for your mmos, for instance wow/wow-classic has:

    https://wowup.io

    TESO has:

    https://minion.mmoui.com/

    bowen on
    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • JaysonFourJaysonFour Classy Monster Kitteh Registered User regular
    I actually already use Minion for TESO stuff, and I'm likely to configure it to handle WoW (if I ever go back to it).

    It's just that a number of older mods for older games don't seem to have a home anywhere else on the net besides CurseForge... so I'm either going to have to rely on it or to figure out how to install them manually and hope I don't fuck up my install. Which sucks if the program and loader is as bad as everyone says it is, but they have a stranglehold on a lot of the mods for games that the Twitch client used to handle pretty seamlessly.

    steam_sig.png
    I can has cheezburger, yes?
  • ShadowfireShadowfire Vermont, in the middle of nowhereRegistered User regular
    In news that is very sad and terrible for everyone, Sinclair has been hit by ransomware.

    Very sad. Hate to see it. Shucks.

    WiiU: Windrunner ; Guild Wars 2: Shadowfire.3940 ; PSN: Bradcopter
    BlackDragon480DisruptedCapitalistJazzthatassemblyguyfurlionThawmusJaysonFour
  • IncenjucarIncenjucar VChatter Seattle, WARegistered User regular
    Shadowfire wrote: »
    In news that is very sad and terrible for everyone, Sinclair has been hit by ransomware.

    Very sad. Hate to see it. Shucks.

    Fetch me a tiny violin.

    No, tinier!

    BlackDragon480bowennexuscrawlerJazzOrcafurlionJaysonFourFremTamerBill
  • JazzJazz Registered User regular
    Six wrote: »
    zagdrob wrote: »
    That reminds me of when I was training my backup / replacement at my last job and gave him the super secret keystore admin password. I didn't want to email it or transmit it in an unsecure fashion so - in accordance with company policy- I read it off verbally to him.

    About ten seconds later my chat pops up and one of our DBAs says 'you know <dude> is on a loud speakerphone in the middle of all our cubes right'?

    Was it “12345678?”

    That's amazing, I have the same combination on my luggage!

    DisruptedCapitalistTelMarineSixschussBlackDragon480
  • zagdrobzagdrob Registered User regular
    Jazz wrote: »
    Six wrote: »
    zagdrob wrote: »
    That reminds me of when I was training my backup / replacement at my last job and gave him the super secret keystore admin password. I didn't want to email it or transmit it in an unsecure fashion so - in accordance with company policy- I read it off verbally to him.

    About ten seconds later my chat pops up and one of our DBAs says 'you know <dude> is on a loud speakerphone in the middle of all our cubes right'?

    Was it “12345678?”

    That's amazing, I have the same combination on my luggage!

    No it was a Purple3Monkey6Dish9washer12 type of fairly easy to remember but incredibly solid and basically uncrackable password. It was used for the master password file which like three people knew at any time.

    It was actually good and solid security practices until some dumbass decided to take 'I am giving you the crown jewels of our corporate security' without thinking about being on a public speakerphone. I probably should have double checked too, but he was 500 miles away and I assumed better.

Sign In or Register to comment.