Our new Indie Games subforum is now open for business in G&T. Go and check it out, you might land a code for a free game. If you're developing an indie game and want to post about it, follow these directions. If you don't, he'll break your legs! Hahaha! Seriously though.
Our rules have been updated and given their own forum. Go and look at them! They are nice, and there may be new ones that you didn't know about! Hooray for rules! Hooray for The System! Hooray for Conforming!

[Shields Up] Computer Security Thread

13839404143

Posts

  • TetraNitroCubaneTetraNitroCubane Registered User regular
    edited February 24
    So a security bug in the Cloudflare hosting system may have compromised loads of sensitive information from a LOT of relevant websites. This includes Reddit, Discord, and even our very own Penny Arcade forums.

    It is highly recommended that you change your passwords for all afflicted sites.

    TetraNitroCubane on
    VuIBhrs.png
  • OrcaOrca Registered User regular
    That's suboptimal.

    evilthecat wrote: »
    "Bioware I want to suck on your teets of gamingness".

    The 2012 issue of Fornax. | Steam and Origin: Espressosaurus
    TetraNitroCubaneLostNinjaShadowfireNightslyr
  • TetraNitroCubaneTetraNitroCubane Registered User regular
    edited February 24
    Apparently a very small percentage of all data being transferred through Cloudflare became public via this vulnerability, but it has the potential to impact ALL data traveling through Cloudflare during the duration in question. AND that data may be cached and visible via google currently.

    Passwords, SSL certs, even two-factor authentication secrets could be compromised and visible via plaintext on randomly cached websites.

    Here's a list of impacted sites that is currently evolving.

    Bonus note: This was all caused by a single-character coding bug, apparently.

    TetraNitroCubane on
    VuIBhrs.png
  • TetraNitroCubaneTetraNitroCubane Registered User regular
    Oh, and just to heap some gasoline onto the fire: SHA-1 is now officially broken, joining the ranks of MD5.
    Despite more than a decade of warnings about the lack of security of SHA1, the watershed moment comes as the hash function remains widely used.

    Not a good time for internet security right now, to say the least.

    VuIBhrs.png
    EntaruNightslyr
  • OrcaOrca Registered User regular
    And this is why IoT remains dead to me.

    Security is hard and all it takes is a one fuckup anywhere in the chain to compromise things. Do I really need my pacemaker to be able to sync with my phone, or internet-enabled doorlocks? Aside from the software development cycle level of obsolescence. A furnace can easily last 20 years or more--give me the dead simple thermostat to control it and call it a day. Yeah, it would be nice to have remote start and the rest of it, but I don't want someone to be able to infiltrate my network because my 20 year old unpatched thermostat has a bloody vulnerability!

    evilthecat wrote: »
    "Bioware I want to suck on your teets of gamingness".

    The 2012 issue of Fornax. | Steam and Origin: Espressosaurus
    TetraNitroCubaneSynthesisBolthornFencingsaxamnesiasoftjmcdonaldVoodooVNightslyrCaptain MarcusDoctorArchDrake
  • MugsleyMugsley Registered User regular
    I, for one, want my furnace to shut off and my doors to unlock when my pacemaker has to kick in. This way my body is preserved and the help doesn't have to bust the door down.

  • EntaruEntaru Registered User regular
    I am between wanting to tell IoT to go to hell and realizing that with my wife's current health status anything I can do to make life easier for her is a thing I am going to do even with the associated risks.

    Mostly just huntin' monsters.
    XBL:Phenyhelm - 3DS:Phenyhelm
  • a5ehrena5ehren AtlantaRegistered User regular
    edited February 24
    Oh, and just to heap some gasoline onto the fire: SHA-1 is now officially broken, joining the ranks of MD5.
    Despite more than a decade of warnings about the lack of security of SHA1, the watershed moment comes as the hash function remains widely used.

    Not a good time for internet security right now, to say the least.

    Someone used the SHA-1 collision to hose the WebKit SVN repo. So that's fun.

    Edit: Apparently it was one of the devs uploading the files to create a testcase for WebKit that busted the repo. But hopefully Apache fixes SVN soon.

    a5ehren on
  • TetraNitroCubaneTetraNitroCubane Registered User regular
    Do you ever feel like maybe two-factor authentication just isn't enough?

    VuIBhrs.png
    PMAversDizzen
  • Mr_RoseMr_Rose 83 Blue Ridge Protects the Holy Registered User regular
    So how does the dermatologist confirm he's their dermatologist and just some random weirdo? Authentication has to go both ways for trust to be established properly dammit!

    ...because dragons are AWESOME! That's why.
    Nintendo Network ID: AzraelRose
    DropBox invite link - get 500MB extra free.
    TetraNitroCubane
  • MugsleyMugsley Registered User regular
    Welp. I went and updated my passwords for Patreon (which I don't use anymore), Betterment, and Uber. I still need to do Curse, even though I don't use my login anymore. Are there other financial sites that had a potential leak, that I should handle as a course of due diligence? I'm trying to not scrub the entire list.

  • VoodooVVoodooV Registered User regular
    Anyone have any insights into inactivity timeouts? Our Dollar Store Lex Luthor governor just implemented a stupid screensaver (designed by his corporate buddies, oh and requires flash player btw) with a 5 minute inactivity timeout. They cited "security best practices" but the two benchmarks I know of only require 15 and there was much gnashing of teeth when I implemented that when it used to be 20. Is anyone aware of any standards that require 5 or are they talking out of their ass as usual and wasting taxpayer dollars and fucking with worker productivity and somehow claiming this is more efficient.

  • LostNinjaLostNinja Registered User regular
    I always thought 10 minutes was the general best practice. 5 seems like it would be interfereing with people who are actually still at their desk working and just using whatever is on the screen as reference.

    A screensaver (that requires flash?!?) also seems pointlessly wasteful as opposed to just putting the computer to sleep.

    camo_sig2.png
    XBox Live: LostNinja05
    TofystedethBahamutZERO
  • DizzenDizzen Registered User regular
    edited March 26
    I don't know anything about the best practices and such, but hopefully the screensaver has the flash menu turned off, or
    that could become a more substantial security issue
    .

    Dizzen on
    Dichotomy wrote: »
    it'd be like Jurassic Park, but with bananas
  • Mr_RoseMr_Rose 83 Blue Ridge Protects the Holy Registered User regular
    Security best practice is training people to lock their workstations when not at their desks, and disciplining them for failing to do so. Or possibly fitting their seats with a dead-man switch that activates the screen lock when they get up. Let HR figure out the cost differential between those.

    Screen savers are obsolete; they are resource parasites that should have gone extinct when the CRT did but managed to change hosts.

    ...because dragons are AWESOME! That's why.
    Nintendo Network ID: AzraelRose
    DropBox invite link - get 500MB extra free.
    ShadowfireTetraNitroCubaneVoodooVTofystedethBahamutZERO
  • ShadowfireShadowfire Vermont, in the middle of nowhereRegistered User regular
    LostNinja wrote: »
    I always thought 10 minutes was the general best practice. 5 seems like it would be interfereing with people who are actually still at their desk working and just using whatever is on the screen as reference.

    A screensaver (that requires flash?!?) also seems pointlessly wasteful as opposed to just putting the computer to sleep.

    Also, Flash itself is a security risk.

    steam_sig.png
    WiiU: Windrunner ; Guild Wars 2: Shadowfire.3940 ; PSN: Bradcopter
    LostNinjaTetraNitroCubaneamnesiasoftDizzenVoodooVDrake
  • MugsleyMugsley Registered User regular
    So, I know it still has to get through the House, but I'm slightly concerned by this "ISP data" thing. What VPNs are you guys using and how difficult are they to set up?

    Also, is there a way to set one up at the router level so I don't have to fix every device? (I know that what I'm trying to say here is using the wrong terminology)

  • LD50LD50 Registered User regular
    Mugsley wrote: »
    So, I know it still has to get through the House, but I'm slightly concerned by this "ISP data" thing. What VPNs are you guys using and how difficult are they to set up?

    Also, is there a way to set one up at the router level so I don't have to fix every device? (I know that what I'm trying to say here is using the wrong terminology)

    One easy thing you can do is use this: https://chrome.google.com/webstore/detail/https-everywhere/gcbommkclmclpchllfjekcdonpmejbdp?hl=en

    Encrypting as much of your traffic as you can will prevent anyone (including your ISP) from knowing anything more than the domains you visit on encrypted sites (IE they don't actually see the subdomains you're requesting).

  • FeralFeral That's what I do. I drink, and I know things. Location: ByakkoyaRegistered User regular
    VoodooV wrote: »
    Anyone have any insights into inactivity timeouts? Our Dollar Store Lex Luthor governor just implemented a stupid screensaver (designed by his corporate buddies, oh and requires flash player btw) with a 5 minute inactivity timeout. They cited "security best practices" but the two benchmarks I know of only require 15 and there was much gnashing of teeth when I implemented that when it used to be 20. Is anyone aware of any standards that require 5 or are they talking out of their ass as usual and wasting taxpayer dollars and fucking with worker productivity and somehow claiming this is more efficient.

    I've seen recommendations ranging from 10 minutes to 30 minutes for desktop computers, and 5 to 10 minutes for mobile devices. We use 15 minutes and that satisfies our security auditors.

    Also, inactivity locks and screensavers are really different things, even though Microsoft puts the settings in the same place in Windows. So that's another way this whole shit sandwich is stupid. If all they wanted to do was enforce an inactivity lock, they could have done so through the native settings of whatever OS they need to secure. There's no reason to buy a Flash(WTF)-based screensaver for that.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.
    the "no true scotch man" fallacy.
  • FeralFeral That's what I do. I drink, and I know things. Location: ByakkoyaRegistered User regular
    Mugsley wrote: »
    So, I know it still has to get through the House, but I'm slightly concerned by this "ISP data" thing. What VPNs are you guys using and how difficult are they to set up?

    Also, is there a way to set one up at the router level so I don't have to fix every device? (I know that what I'm trying to say here is using the wrong terminology)

    Any of these VPN services are fine: http://www.pcmag.com/article2/0,2817,2403388,00.asp

    Regarding your home router, just look for a router that can be a VPN client. All Asus routers have this feature out of the box.

    Other routers you might need to flash with custom firmware like DD-WRT, but that's a can of worms in and of itself.

    Keep in mind that pushing all of your traffic all of the time through a VPN may have unforeseen side effects. For example, it might impact your latency for online gaming, or one of your streaming media services (Netflix, Hulu, etc) may decide that it doesn't like your VPN service and just block your login.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.
    the "no true scotch man" fallacy.
  • LD50LD50 Registered User regular
    Also, by going with a VPN you're just trusting someone else not to sell your data.

    TetraNitroCubaneEntarua5ehrenShadowfireTofystedeth
  • MugsleyMugsley Registered User regular
    Yeah, I have a friend who's been huge (YUUUGE) on this whole VPN/Privacy discussion. He talks about using Signal a lot for SMS/MMS and has ramped up the VPN discussion. I haven't jumped, yet, but I thought it would be worth the cursory research now, whlie we wait for things to fall out.

  • FeralFeral That's what I do. I drink, and I know things. Location: ByakkoyaRegistered User regular
    I'm a huge fan of Signal.

    Besides the encryption features (which are great) it is also one of the least-bullshit messaging apps I've used.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.
    the "no true scotch man" fallacy.
  • VoodooVVoodooV Registered User regular
    edited March 28
    Feral wrote: »
    VoodooV wrote: »
    Anyone have any insights into inactivity timeouts? Our Dollar Store Lex Luthor governor just implemented a stupid screensaver (designed by his corporate buddies, oh and requires flash player btw) with a 5 minute inactivity timeout. They cited "security best practices" but the two benchmarks I know of only require 15 and there was much gnashing of teeth when I implemented that when it used to be 20. Is anyone aware of any standards that require 5 or are they talking out of their ass as usual and wasting taxpayer dollars and fucking with worker productivity and somehow claiming this is more efficient.

    I've seen recommendations ranging from 10 minutes to 30 minutes for desktop computers, and 5 to 10 minutes for mobile devices. We use 15 minutes and that satisfies our security auditors.

    Also, inactivity locks and screensavers are really different things, even though Microsoft puts the settings in the same place in Windows. So that's another way this whole shit sandwich is stupid. If all they wanted to do was enforce an inactivity lock, they could have done so through the native settings of whatever OS they need to secure. There's no reason to buy a Flash(WTF)-based screensaver for that.

    oh yeah, it's a complete shitstorm. The screensaver is just your standard "I want everyone to see my vision and mission statement of regulations are bad mmkay, and misuse the word efficiency when I really mean cheap"

    The timeout came directly from the governor, but instead of someone quietly telling him that a 5 minute inactivity timeout is a bad idea, his chief information officer (head IT/technology officer) made an announcement that claimed it was a best practice (of course, he never cited which best practice) so which leads myself to believing he's talking out his ass and just sucking up to the gov.

    A few months later, Ricketts' office then later dictated that everyone have the same wallpaper, which basically said the same thing as the screensaver, but again, he must have gotten major pushback because a couple weeks later he rescinded that....though we still have to make the wallpaper the default wallpaper, but users are allowed to change it.

    If you've forgotten, our gov is this guy:

    VoodooV on
    Feral
  • MugsleyMugsley Registered User regular
    I haven't even hit play, and that guy is not someone I want to listen to. He looks like a Bond villain.

    ShadowfirefurlionVoodooV3clipseschussTofystedeth
  • TheBlackWindTheBlackWind Registered User regular
    So, my girlfriend followed a bad flash download and picked up some malware on her Mac. Is Malwarebytes on mac as good as it is on PC? I don't really have much experience with Macs and know it's a newer program, but they've always been great for me.

    PAD ID - 328,762,218
  • ShadowfireShadowfire Vermont, in the middle of nowhereRegistered User regular
    Yeah, MBAM on Mac is totally fine.

    steam_sig.png
    WiiU: Windrunner ; Guild Wars 2: Shadowfire.3940 ; PSN: Bradcopter
    TheBlackWind
  • Jebus314Jebus314 Registered User regular
    edited May 7
    Apparently Intel has some bad firmware. Their Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware has had a critical vulnerability that allows root access for the past several years. Intel link that has a download to test if your computer is affected, but supposedly it's mostly business systems? Not really clear on the details, but it seems worth checking out.

    Jebus314 on
    "The world is a mess, and I just need to rule it" - Dr Horrible
    VoodooV
  • MugsleyMugsley Registered User regular
    I saw this floating around a lot, and it feels a bit like alarmist talk. I mean, I understand the vulnerability needs to be handled, but -- similar to stagefright -- the vulnerability has been there for a while and "you" (i.e. average homebody who just heard about it) have been vulnerable for years without even knowing.

    I'm not dismissing it; I've just got issue with people I know who will start saying shit like, "I'm not doing Intel again because who knows what else is vulnerable?" when they go to build a computer. Motherfucker, AMD isn't immune to this, either. And you're only going by what your friends shared on Facebook.

    Feral
  • Jebus314Jebus314 Registered User regular
    Mugsley wrote: »
    I saw this floating around a lot, and it feels a bit like alarmist talk. I mean, I understand the vulnerability needs to be handled, but -- similar to stagefright -- the vulnerability has been there for a while and "you" (i.e. average homebody who just heard about it) have been vulnerable for years without even knowing.

    I'm not dismissing it; I've just got issue with people I know who will start saying shit like, "I'm not doing Intel again because who knows what else is vulnerable?" when they go to build a computer. Motherfucker, AMD isn't immune to this, either. And you're only going by what your friends shared on Facebook.

    I mostly look at it the other way. I'm not a high value target so zero day exploits are unlikely to get used on me. But once that shit is published it will probably get incorporated into a lot of general malware to catch lazy people who don't get patched. So getting the patch quickly after the release is probably a good idea.

    "The world is a mess, and I just need to rule it" - Dr Horrible
  • DizzenDizzen Registered User regular
    edited May 8
    Mugsley wrote: »
    I saw this floating around a lot, and it feels a bit like alarmist talk. I mean, I understand the vulnerability needs to be handled, but -- similar to stagefright -- the vulnerability has been there for a while and "you" (i.e. average homebody who just heard about it) have been vulnerable for years without even knowing.

    I'm not dismissing it; I've just got issue with people I know who will start saying shit like, "I'm not doing Intel again because who knows what else is vulnerable?" when they go to build a computer. Motherfucker, AMD isn't immune to this, either. And you're only going by what your friends shared on Facebook.

    Well, AMD is immune to this specific exploit, as they don't use Active Management Technology, because AMT is Intel's proprietary out-of-band solution. I think AMD uses DASH and ASF, which are open standards, so while they could potentially have vulnerabilities, it's not exactly the same set of worries.

    The average homebody hasn't even been vulnerable to this (as it mostly just affects business hardware), but finding out that the vulnerability has been around for awhile makes things worse, not better.

    Alarmist talk would be pointing out that Google security researchers have discovered what they call the worst Windows remote code exec in recent memory, and then telling people that they need to immediately stop using their Windows installs and switch to Linux until the debacle gets resolved.

    Dizzen on
    Dichotomy wrote: »
    it'd be like Jurassic Park, but with bananas
    Feral
  • TetraNitroCubaneTetraNitroCubane Registered User regular
    I'd be much less worried about end-user vulnerability here, and much more worried about enterprise and web-facing systems that can be exploited. It doesn't matter if your personal system is impenetrable, if the businesses you trust with your financial and personal information can be cracked wide open on their side.

    Also, has there been any followup word on that "worst remote code exex in recent memory"? They claim it is wormable. I can't remember the last high profile worm we've seen in the wild, except maybe Blaster.

    VuIBhrs.png
  • DizzenDizzen Registered User regular
    I'd be much less worried about end-user vulnerability here, and much more worried about enterprise and web-facing systems that can be exploited. It doesn't matter if your personal system is impenetrable, if the businesses you trust with your financial and personal information can be cracked wide open on their side.

    Also, has there been any followup word on that "worst remote code exex in recent memory"? They claim it is wormable. I can't remember the last high profile worm we've seen in the wild, except maybe Blaster.

    Microsoft has a patch out for it, so that's good news, but we probably aren't going to get official word on the details of the vulnerability until after the patch has had time to get fully rolled out.

    Dichotomy wrote: »
    it'd be like Jurassic Park, but with bananas
  • TetraNitroCubaneTetraNitroCubane Registered User regular
    The Project Zero team says the vulnerability can be leveraged against victims by only sending an email to users -- without the need for the message to be opened or any attachments to be downloaded. An attack leveraging the exploit could also be conducted through malicious website visits or instant messaging.

    ...

    "If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file scanned," Microsoft said.

    So basically, the Windows antimalware engine (Defender, etc.) can be exploited, just by it scanning a payload file. No need for execution by the end user, or opening a suspicious file. I've seen this morning that this can even be leveraged via Tweet. Yeah, that's seriously bad. Seems like the exploit has been patched, but it's worth a discussion at this point for a reason that makes me uncomfortable:

    Antimalware software is, in essence, another vector of attack.

    In this situation, my antimalware setup would be essentially worthless. Sandboxie wouldn't defend against this, because even if my browser is sandboxed, MsMpEng still reaches inside of the sandbox to scan potentially malicious files. Even if those files themselves can't break out of the sandbox, MsMpEng (which is outside of the sandbox and has the highest privileges on the system) is still compromised.

    I still like having a Sandbox environment for browsing, because it defends against drive-by and other malicious things that are everpresent on the web. But in this case, someone running Windows Defender would be compromised, and someone not running it would be safe. I still don't really buy into the theory that "Antimalware software is useless and you shouldn't run it", but if these kinds of attacks become more prevalent (and this is certainly not the first one), I can certainly understand the perspective more.

    VuIBhrs.png
  • TetraNitroCubaneTetraNitroCubane Registered User regular
    It's a Ransomeware Firestorm out there today. The UK's NHS and Spain's Telefonica have been hit with a nasty worm dubbed "Wcry" (and sometimes "Wanna cry"). Notably this worm is using an exploit in Windows SMB rumored to be part of the NSA's Eternalblue zero-day exploit package (MS7-010).

    The malware is spreading fast, and has impacted NHS services in a startling way. The vulnerability was patched by Microsoft in March, but I think I only just received the update myself in a monthly roll-up this week (!!!). Still unsure which KB needs to be installed to know if a system is safe.

    VuIBhrs.png
  • lazegamerlazegamer Registered User regular
    It's a Ransomeware Firestorm out there today. The UK's NHS and Spain's Telefonica have been hit with a nasty worm dubbed "Wcry" (and sometimes "Wanna cry"). Notably this worm is using an exploit in Windows SMB rumored to be part of the NSA's Eternalblue zero-day exploit package (MS7-010).

    The malware is spreading fast, and has impacted NHS services in a startling way. The vulnerability was patched by Microsoft in March, but I think I only just received the update myself in a monthly roll-up this week (!!!). Still unsure which KB needs to be installed to know if a system is safe.

    Refer to https://technet.microsoft.com/en-us/library/security/ms17-010.aspx to find the KB for your version.

    Surprise.
    - Spy
    TetraNitroCubaneVoodooV
  • DonnictonDonnicton Registered User regular
    edited May 13
    It's a Ransomeware Firestorm out there today. The UK's NHS and Spain's Telefonica have been hit with a nasty worm dubbed "Wcry" (and sometimes "Wanna cry"). Notably this worm is using an exploit in Windows SMB rumored to be part of the NSA's Eternalblue zero-day exploit package (MS7-010).

    The malware is spreading fast, and has impacted NHS services in a startling way. The vulnerability was patched by Microsoft in March, but I think I only just received the update myself in a monthly roll-up this week (!!!). Still unsure which KB needs to be installed to know if a system is safe.

    Posting this in this thread too since it's relevant to both.

    Just FYI







    Turns out the current wave of WannaCrypt was stopped by its own shitty coding. This doesn't save those already victimized but it does stop further spread of this version of the malware. This doesn't mean the author can't release an updated version so obviously make sure your shit is patched.

    Microsoft has put up an article listing hardening steps and windows updates you can follow to help prevent infection, including taking the rather significant step of providing support for Windows XP and Server 2003. https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

    Donnicton on
    PSN: Donnicton - Switch FC: SW-6944-1374-2020 - Wii/3DS FC: 1633-4230-5354 - Steam: Donnicton - BNet: Donnicton#11763
    TetraNitroCubaneLostNinjaNightslyrShadowfireTofystedethFeral
  • NightslyrNightslyr Registered User regular
    Wcry has been patched to no longer fall for the sinkhole:

    Round 2 begins now

    PA/PSN/XBL/Nintendo/Origin/Steam names are the same. 3DS Friend Code: 1607-1682-2948
    camo_sig2.png
    Stack Exchange | http://www.mpdevblog.blogspot.com | Q'vehn Tia (FF XIV)
  • ShadowfireShadowfire Vermont, in the middle of nowhereRegistered User regular
    Well shit...

    Hopefully the patching and definition updating everyone did tomorrow will help kill this one.

    steam_sig.png
    WiiU: Windrunner ; Guild Wars 2: Shadowfire.3940 ; PSN: Bradcopter
    TetraNitroCubane
  • MugsleyMugsley Registered User regular
    edited May 15
    We kinda saw this coming. I mean, the White Hat community was practically saying, "...is that all you've got?"

    Mugsley on
    NightslyrFeral
Sign In or Register to comment.