
[Computer Security Thread] CVEs, or "Crap! Vulnerabilities! Eughhhhh..."


Posts

  • Jragghen (Registered User regular)
    My weird-ass favorite extension for firefox is easyGestures.

    Middle mouse button becomes a wheel, you move in the direction and select. It's gestures for people like me who are too lazy to learn gestures.

  • Bobble (Registered User regular)
    So I've received a few emails from a website called Hash Nest saying my login has failed from too many attempts. I don't have an account there so I'm guessing some other website where I have an account was breached and these guys are trying to brute force to get my (and a few thousand other people's) bitcoins or some shit? I use unique passwords but should I be concerned about anything else?

  • BahamutZERO (Registered User regular)
    if you don't have an account there it's probably a phishing scam email

  • Eat it You Nasty Pig. (tell homeland security 'we are the bomb', Registered User regular)
    Yeah if you don’t actually have an account, someone trying to use your email address wouldn’t generate a message saying your login failed

    it was the smallest on the list but
    Pluto was a planet and I'll never forget
  • 3lwap0 (Registered User regular)
    Bobble wrote: »
    So I've received a few emails from a website called Hash Nest saying my login has failed from too many attempts. I don't have an account there so I'm guessing some other website where I have an account was breached and these guys are trying to brute force to get my (and a few thousand other people's) bitcoins or some shit? I use unique passwords but should I be concerned about anything else?

    It's not an uncommon tactic. Don't click any links from the e-mail threat itself, instead, open a new browser window and manually search for what they're trying to send you to. Alternately, copy the link in the e-mail and do a bit of open source intelligence research on it for validity. Websites like: https://www.talosintelligence.com/reputation_center - that ties into Cisco's web based reputation system. Might be of some help.

  • altid (Registered User regular)
    edited June 2019
    One for you guys: WinErx03

    It's a malicious popup/tab with the usual dire warnings about "you must do this or else!". I had it once, reset windows 10 (without erasing user data) and have got it again afterwards without actively doing anything at the time. I'd suspect a malicious ad perhaps? Triggering on automatic ad refresh? Or at least that's what I'd hope.

    I'm getting paranoid about having something more malicious lurking and triggering it though. I've used Malwarebytes and it registered nothing. Any other suggestions or thoughts?

    Edit: Seems one of the sites I browse regularly has ad issues that match this pretty closely. Back to running firefox + noscript/adblock there then.

  • Shadowfire (Vermont, in the middle of nowhere, Registered User regular)
    Yeah, that's just an ad. Close the browser, maybe clear settings, start over. No need to refresh Windows.

    WiiU: Windrunner ; Guild Wars 2: Shadowfire.3940 ; PSN: Bradcopter
  • Inquisitor77 (2 x Penny Arcade Fight Club Champion, A fixed point in space and time, Registered User regular)
    altid wrote: »
    One for you guys: WinErx03

    It's a malicious popup/tab with the usual dire warnings about "you must do this or else!". I had it once, reset windows 10 (without erasing user data) and have got it again afterwards without actively doing anything at the time. I'd suspect a malicious ad perhaps? Triggering on automatic ad refresh? Or at least that's what I'd hope.

    I'm getting paranoid about having something more malicious lurking and triggering it though. I've used Malwarebytes and it registered nothing. Any other suggestions or thoughts?

    Edit: Seems one of the sites I browse regularly has ad issues that match this pretty closely. Back to running firefox + noscript/adblock there then.

    Here's a post where I give a list of good extensions to add to Firefox: https://forums.penny-arcade.com/discussion/comment/41292034/#Comment_41292034

    I wouldn't recommend NoScript unless you know what you're doing. And AdBlock has been captured by advertisers for years.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle, Registered User regular)
    edited June 2019
    altid wrote: »
    One for you guys: WinErx03

    It's a malicious popup/tab with the usual dire warnings about "you must do this or else!". I had it once, reset windows 10 (without erasing user data) and have got it again afterwards without actively doing anything at the time. I'd suspect a malicious ad perhaps? Triggering on automatic ad refresh? Or at least that's what I'd hope.

    I'm getting paranoid about having something more malicious lurking and triggering it though. I've used Malwarebytes and it registered nothing. Any other suggestions or thoughts?

    Edit: Seems one of the sites I browse regularly has ad issues that match this pretty closely. Back to running firefox + noscript/adblock there then.

    Here's a post where I give a list of good extensions to add to Firefox: https://forums.penny-arcade.com/discussion/comment/41292034/#Comment_41292034

    I wouldn't recommend NoScript unless you know what you're doing. And AdBlock has been captured by advertisers for years.

    I still bristle about how skeevy this is, but it's 100% true.

    uBlock Origin is the adblocker of choice these days. Not to be confused with uBlock, which has its own sketchy issues.

  • altid (Registered User regular)
    edited June 2019
    Yeah running noscript + ublock origin. I'd run noscript + adblock for years but drifted back into just browsing 'normally' with edge because I got fed up with half the internet being a puzzle of "which javascript makes this work?". If that's the way it has to be these days though, I guess I have little choice.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle, Registered User regular)
    edited July 2019
    Question regarding browser virtualization and sandboxing:

    I've been relying on Sandboxie for years now. It's a pretty lightweight way to keep whatever browser I want to use isolated from my system, while still allowing me the ability to save files and migrate them selectively outside of the sandbox. While it was in its prime, it was pretty fantastic.

    Sandboxie is having... issues, lately. Primarily, they were purchased by Sophos a while back, and it's clear that Sophos has zero interest in maintaining the software at all. There have been license issues, lack of tech support, and generally slow responses. This morning Sandboxie started throwing some concerning errors at me, and I figure it's time to retire it.

    Does anyone have a suggestion for an alternative browser isolation solution? I realize it sounds excessive, but it's really the best option to avoid drive-bys and other undisclosed vulnerabilities - Even if the browser gets hit hard, it's still isolated. I'm hoping I can avoid having to browse in a virtual machine, but it looks more and more like that might have to be the option.

  • a5ehren (Atlanta, Registered User regular)
    I'm not familiar with that space, but if you have a modern (2015+) CPU with various Virtualization extensions, something like a Docker container with your browser of choice and nothing else might work.

    You lose the automated neatness of a Sandboxie-ish thing, but Docker is going to be well-supported on the app and OS side for the foreseeable future due to its enterprise penetration...

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle, Registered User regular)
    edited July 2019
    Here's a bit of an odd one, and hopefully cause for good discussion (I'd recommend going over it all before taking action, too).

    So recently German security research firm CERT-Bund disclosed what they considered to be a critical security flaw in VLC. By playing a specifically crafted MKV file, it is apparently possible for a remote attacker to take control of your machine via buffer over-read.

    The vulnerability was classified as CVE-2019-13615 by the NIST, and given the rating of 9.8 - CRITICAL (that's out of a potential 10, with 10 being the highest critical vulnerability).

    News outlets have caught wind of this, publishing a number of different articles on the vulnerability. Perhaps none so attention grabbing as Gizmodo's article with the headline "You Might Want to Uninstall VLC. Immediately."

    So seems bad, right?

    Well, if you actually check the bug tracker on VLC's page (referenced in the aforementioned articles), you can see that apparently VLC doesn't think so. They just up and can't reproduce the issue whatsoever, as is evidenced by the latest update on this bug:
    Changed 8 hours ago by Jean-Baptiste Kempf

    Sorry, but this bug is not reproducible and does not crash VLC at all.

    VLC then proceeds to take their beef to Twitter, because this is 2019 and of course they did:

    So what's actually going on? Hard to say at this point if a vulnerability exists that the VLC devs can't reproduce, or if the researchers in question missed the mark. But still, Gizmodo throwing around a headline like that feels scaremongering at BEST.

    And that's the bigger issue I've been struck by this afternoon, is that regardless of the veracity of this flaw, I've seen this article boosted and echoed across the social media space tremendously. And most folks are taking that headline at face value and screaming about how everyone needs to uninstall VLC RIGHT NOW.

    Social media is sure good for rapid response, but boy howdy can it also amplify FUD.

  • bowen (How you doin'?, Registered User regular)
    Apparently VLC annoys a lot of media player companies a hell of a lot because the dude who owns and operates the project absolutely refuses to play ball with adware and other bullshit.

    It would not surprise me if this is a targeted thing to discredit VLC at all, not that it'd matter, even if VLC was vulnerable literally every other media player is hot garbage.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Synthesis (Honda Today!, Registered User regular)
    I like Media Player Classic.

    But admittedly, I also use the actual, Windows-bundled WMP back when it was relevant.

  • Mugsley (Delaware, Registered User regular)
    It's also Gawker (I'm pretty sure), but Dave Murphy wrote an article about the situation on Lifehacker. Normally, Lifehacker's articles should be taken with a grain of salt, but Murphy is a pretty good tech journalist who isn't quick to hyperbole (I'm paraphrasing, but the title of his article is "Maybe Don't Uninstall VLC Media Player").

    I don't really have a stance either way because I don't use the platform, but it certainly sounds a bit like scaremongering to me.

  • LD50 (Registered User regular)
    Well, IMO, the vulnerability shouldn't be rated so high as even if it is vulnerable it's not like VLC is going to automatically download and execute a bad MKV.

  • Thawmus (+Jackface, Registered User regular)
    The NIST seriously sucks. They provide a good service but VLC is right to bitch about this. They do nothing to work with developers to determine if they're all washed up or not, yet the information they provide can stimulate drastic changes around the world. They're also heavily resistant to withdrawing recommendations or scores. I've had lengthy discussions with the NIST before that made me want to pull my hair out, because they'd acknowledge their scores were too sharp, but they refused to understand how that was fucking people.

    Like, this is just VLC, but the NIST does this with Apache and other tremendously important, used-the-world-over software all the time. I've had to rebuild a web server from the ground up with an awkward configuration for 3 months, simply because Apache didn't think something was a big enough deal to fix, had ample proof that they were right, and the NIST still scored it severe. That fucks over a lot of guys in the middle of that mess, especially if your PCI compliance provider just looks at NIST scores and doesn't take anything into context (it should be noted that this is pretty usual!).

    Twitch: Thawmus83
  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle, Registered User regular)
    edited July 2019
    Agreed. It's not as if the flaw can be exploited remotely without user intervention. Very specific user intervention.

    There's been an update on this situation. The long and short of it is this: The researcher who found this flaw was using Ubuntu version 18.04, which happened to have had an outdated version of some libraries installed despite being the current Ubuntu version. One of those libraries, libebml, had a critical flaw in it - which was patched 16 months ago.

    For some reason, this researcher claimed the flaw was operative on Windows, Linux, and Unix. It was taken up by NIST and classified as a 9.8 based exclusively on the fact that it was a buffer overrun. This was done without verification.

    Once the flaw was published (incorrectly), news media grabbed it and ran with it. And blew it out of proportion even if the reported flaw WAS accurate.

    VLC weighs in here (spoilering the thread for long and huge):

    So, yeah.

    Bottom line: There is no flaw and no one needs to uninstall VLC right now. But boy howdy did this get amplified something fierce.

  • Mr_Rose (83 Blue Ridge Protects the Holy, Registered User regular)
    I just installed VLC on a clients PC. I am happy with this.

    ...because dragons are AWESOME! That's why.
    Nintendo Network ID: AzraelRose
    DropBox invite link - get 500MB extra free.
  • Thawmus (+Jackface, Registered User regular)
    edited July 2019
    Slight quibble: 18.04 is technically the current version of Ubuntu. The non-LTS releases are not recommended for production use. If there are old libraries on 18.04 (this seems to be happening more and more, which is frustrating), that needs to be corrected. Ubuntu's upstream has been terrible for years now.

    Twitch: Thawmus83
  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle, Registered User regular)
    Thawmus wrote: »
    Slight quibble: 18.04 is technically the current version of Ubuntu. The non-LTS releases are not recommended for production use. If there are old libraries on 18.04 (this seems to be happening more and more, which is frustrating), that needs to be corrected. Ubuntu's upstream has been terrible for years now.

    Thank you for the clarification, edit made. I was unaware of this.

    That being said, I still have zero idea of why an old, known vulnerability in an unrelated library was classified as a VLC critical flaw - and then said to be active on Windows.

  • Fireflash (Montreal, QC, Registered User regular)
    I'm usually good at ignoring email scams but I just noticed in my spam folder multiple similar emails claiming they have all my personal info and passwords. They all ask me to send them bitcoin or else, and all of them tell me to deposit in the same bitcoin wallet.

    I would just ignore it but in the title they do show an old password I've used a long time ago for my email address and other stuff. I'm using completely different passwords now but still, how do they know one of my older passwords?? 0_O

    PSN: PatParadize
    Battle.net: Fireflash#1425
    Steam Friend code: 45386507
  • LD50 (Registered User regular)
    Your data was stolen in one of the various high profile hacks that have happened over the years (such as yahoo). They use the passwords that were stolen to scare people into giving them money.

  • BahamutZERO (Registered User regular)
    edited August 2019
    Yeah there's huge databases of email addresses and old passwords floating around the internet from various past breaches, people set up scripts to trawl through these databases and send emails to the addresses in the lists along with their associated password to try to spook people into sending them ransom money. As long as you have changed your email password these are entirely empty threats.

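
Two things a practitioner would want to do with a mail like Fireflash's, as an added example that is not from the thread: confirm it is the templated breach-dump scam (a known old password plus a Bitcoin address in the same message) and check whether that password is in a public breach corpus without ever sending the password anywhere. The second part uses the k-anonymity scheme of the Pwned Passwords range API: only the first five hex characters of the SHA-1 are sent, the service returns every matching suffix with a count, and the comparison happens locally. The mail text, the password list, the Bitcoin address and the API response body below are all constructed (the address has no valid checksum); the response format `SUFFIX:COUNT` per line is the real one.

```python
import hashlib
import re

# Legacy (1.../3...) and bech32 (bc1...) address shapes; no checksum validation.
BTC_ADDR = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")


def pwned_range_query(password):
    """Split SHA-1(password) into the 5-hex-char prefix that goes to the range
    API and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix, response_text):
    """Parse a range-API body ('SUFFIX:COUNT' per line) and return the count
    for our suffix, or 0 when the password is not in the corpus."""
    for line in response_text.splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix:
            return int(count)
    return 0


def triage_extortion_mail(subject, body, old_passwords):
    """Which of the user's retired passwords appear verbatim, and which
    Bitcoin addresses are demanded. Both together is the breach-dump template."""
    text = subject + "\n" + body
    leaked = [p for p in old_passwords if p in text]
    addresses = sorted(set(BTC_ADDR.findall(text)))
    return {
        "leaked_passwords": leaked,
        "btc_addresses": addresses,
        "is_template_scam": bool(leaked and addresses),
    }


# Constructed range-API response for prefix 5BAA6; the second line is the
# suffix of SHA-1("password") with a made-up count.
SAMPLE_RANGE_RESPONSE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
    "1F2B4C0E5E9B2C2F5E8A9C1D0E2F3A4B5C6:2\n"
)

# Constructed mail in the style described above.
SAMPLE_SUBJECT = "Tr0ub4dor&3 is your password"
SAMPLE_BODY = (
    "I have your webcam footage. Send 0.2 BTC to 1Fz9YKQvvjkyC9D2ELHiYK2Bx1dQ9vq7mQ "
    "within 48 hours or it goes to everyone in your contacts."
)
SAMPLE_OLD_PASSWORDS = ["Tr0ub4dor&3", "correcthorsebatterystaple"]

if __name__ == "__main__":
    print(triage_extortion_mail(SAMPLE_SUBJECT, SAMPLE_BODY, SAMPLE_OLD_PASSWORDS))
    prefix, suffix = pwned_range_query("password")
    print(prefix, count_in_range_response(suffix, SAMPLE_RANGE_RESPONSE))
```

In a real check the response body would come from `GET https://api.pwnedpasswords.com/range/<prefix>`; the point of the split is that the request leaks at most a 20-bit prefix, so the service (or anyone watching the wire) cannot recover the password from it. A non-zero count for the password in the mail subject is simply confirmation of what LD50 and BahamutZERO say above: it came out of a dump, not out of your machine.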
  • Campy (Registered User regular)
    So I got an email, seemingly from gamestop.com saying that my password has changed. I used to have the same password for my "low end" accounts, so it's not that surprising; other than the fact that I don't actually recall having a gamestop account...

    Tried to go to their website (direct, not from the email links) to see about verifying this fact and I'm getting a 403 access denied on the homepage. Anyone else seeing this?

  • Shadowfire (Vermont, in the middle of nowhere, Registered User regular)
    At least the mobile site is running. Still having issues @Campy ?

    WiiU: Windrunner ; Guild Wars 2: Shadowfire.3940 ; PSN: Bradcopter
  • Campy (Registered User regular)
    edited August 2019
    Yeah, I'm getting the 403 on mobile and my home wifi. Maybe it's a GDPR thing?

  • BahamutZERO (Registered User regular)
    gamestop's website totally sucks so it could just be actually down. It's working for me right now FWIW.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle, Registered User regular)
    Everyone, start your update engines. Four new wormable exploits have been disclosed across almost all modern versions of Windows
    Similar to the so-called BlueKeep vulnerability Microsoft patched in May, the four bugs the company patched on Tuesday reside in Remote Desktop Services (RDS), which allow a user to take control of a remote computer or virtual machine over a network connection. The bugs—indexed as CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, and CVE-2019-1226—make it possible for unauthenticated attackers to execute malicious code by sending a specially crafted message when a protection known as Network Level Authentication is turned off, as is often done in large organizations.

    In such networks, it’s possible for exploits to ricochet from computer to computer. Leaving NLA on makes it harder for attacks to spread, since attackers must first have network credentials. The growing use of hacking tools such as Mimikatz, however, often enables attackers to surreptitiously obtain the needed credentials.

    As it is shockingly familiar, given the BlueKeep vulnerability, researchers have taken to calling this collection of exploitable issues the DejaBlue vulnerabilities.

    Patches should be forthcoming soon, if you have not already received them (I had some waiting for me when I got home this evening).

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle, Registered User regular)
    And in "excuse me, what" news, turns out that Bluetooth isn't secure! Not just one Bluetooth device. Just... Bluetooth in general.
    The specification of Bluetooth includes an encryption key negotiation protocol that allows to negotiate encryption keys with 1 Byte of entropy without protecting the integrity of the negotiation process. A remote attacker can manipulate the entropy negotiation to let any standard compliant Bluetooth device negotiate encryption keys with 1 byte of entropy and then brute force the low entropy keys in real time.

    ...

    The KNOB attack is possible due to flaws in the Bluetooth specification. As such, any standard-compliant Bluetooth device can be expected to be vulnerable. We conducted KNOB attacks on more than 17 unique Bluetooth chips (by attacking 24 different devices). At the time of writing, we were able to test chips from Broadcom, Qualcomm, Apple, Intel, and Chicony manufacturers. All devices that we tested were vulnerable to the KNOB attack.

    And yes, it's called the Key Negotiation of Bluetooth Attack. Or KNOB Attack. Knockin' it out of the park on naming these vulnerabilities.
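
To make the quoted paragraph concrete, here is a model of the KNOB attack in Python. It is an added example, not code from the thread or from the KNOB researchers, and it deliberately simplifies: the link-layer cipher is a toy HMAC-SHA256 keystream standing in for the real Bluetooth cipher, and the entropy reduction is modelled as "keep the first N bytes of the link key and zero the rest" rather than the specification's polynomial reduction. What it does reproduce faithfully is the structure of the flaw: the two sides negotiate a key-entropy value with no integrity protection and accept anything down to the spec minimum of 1 byte, so a man-in-the-middle who rewrites both proposals leaves a session key with 256 possible values, which is recovered by trying all of them against a few bytes of predictable plaintext. The link key, nonce and frame bytes are constructed.

```python
import hashlib
import hmac

KEY_LEN = 16  # a Bluetooth link key is 128 bits


def toy_keystream(key, nonce, length):
    """Toy stream cipher (HMAC-SHA256 in counter mode). Stand-in only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key, nonce, data):
    """Encrypt or decrypt (same operation for a stream cipher)."""
    return bytes(a ^ b for a, b in zip(data, toy_keystream(key, nonce, len(data))))


def shrink_key(link_key, entropy_bytes):
    """Model of the entropy-reduction step: only `entropy_bytes` bytes of the
    link key survive into the session key, the rest is fixed. (Simplification
    of the real g1/g2 polynomial reduction; the key space is what matters.)"""
    assert 1 <= entropy_bytes <= KEY_LEN
    return link_key[:entropy_bytes] + b"\x00" * (KEY_LEN - entropy_bytes)


def negotiate_entropy(master_max, slave_max, mitm=None):
    """Two-message negotiation with no integrity protection. Each side only
    checks the proposal is >= the spec minimum (1), so an attacker who edits
    both messages in flight drives the result down to `mitm`."""
    proposal = master_max if mitm is None else min(master_max, mitm)
    reply = min(proposal, slave_max)
    return reply if mitm is None else min(reply, mitm)


def brute_force_session_key(nonce, ciphertext, known_plaintext, entropy_bytes):
    """Try every session key with `entropy_bytes` bytes of entropy until the
    known plaintext prefix decrypts correctly. Returns (key, tries)."""
    tries = 0
    for n in range(256 ** entropy_bytes):
        candidate = shrink_key(n.to_bytes(entropy_bytes, "big") + bytes(KEY_LEN - entropy_bytes), entropy_bytes)
        tries += 1
        if xor_crypt(candidate, nonce, ciphertext[: len(known_plaintext)]) == known_plaintext:
            return candidate, tries
    return None, tries


def demo():
    link_key = bytes.fromhex("a7e3b91c4d5f60718293a4b5c6d7e8f9")  # constructed
    nonce = b"\x00" * 8                                           # constructed
    frame = b"\x02\x00\x00\x0c\x00hello-over-bt"                  # constructed; header bytes are predictable
    honest = negotiate_entropy(16, 16)
    attacked = negotiate_entropy(16, 16, mitm=1)
    session_key = shrink_key(link_key, attacked)
    ciphertext = xor_crypt(session_key, nonce, frame)
    # The attacker knows the first 5 header bytes and nothing else.
    recovered, tries = brute_force_session_key(nonce, ciphertext, frame[:5], attacked)
    return {
        "honest_entropy": honest,
        "attacked_entropy": attacked,
        "recovered": recovered == session_key,
        "tries": tries,
        "plaintext": xor_crypt(recovered, nonce, ciphertext) if recovered else None,
    }


if __name__ == "__main__":
    print(demo())
```

With 16 bytes of entropy the same loop would need 2^128 tries; with 1 byte it finishes in at most 256, which is why the real attack runs "in real time". The fix the quoted text implies is the obvious one: authenticate the negotiation and refuse any proposal below a sane minimum.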

  • BahamutZERO (Registered User regular)
    computer security is feeling rather blue these last few days, eh?

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle, Registered User regular)
    In less Blue tinted news (though it might make you blue to read this), security research firm Eclypsium has disclosed that drivers from over 20 different hardware vendors are insecure and can be exploited
    Other research has revealed vulnerabilities in individual hardware vendor drivers (e.g. ASUS, ASRock, GIGABYTE) that allowed applications with user privileges to read and write with the privileges of kernel. This is obviously a serious escalation of privileges, and we wanted to know if these sorts of vulnerabilities were isolated incidents or examples of a more widespread problem... There are multiple examples of attacks in the wild that take advantage of this class of vulnerable drivers. For example, the Slingshot APT campaign installs a kernel rootkit by exploiting drivers with read/write MSR capabilities in order to bypass driver signing enforcement. And the recent LoJax malware abused similar driver functionality to install malicious implants within the firmware of a victim device and persist even across a complete reinstallation of the operating system.

    Our analysis found that the problem of insecure drivers is widespread, affecting more than 40 drivers from at least 20 different vendors – including every major BIOS vendor, as well as hardware vendors like ASUS, Toshiba, NVIDIA, and Huawei. However, the widespread nature of these vulnerabilities highlights a more fundamental issue – all the vulnerable drivers we discovered have been certified by Microsoft. Since the presence of a vulnerable driver on a device can provide a user (or attacker) with improperly elevated privileges, we have engaged Microsoft to support solutions to better protect against this class of vulnerabilities, such as blacklisting known bad drivers.

    No known mitigation has been yet communicated, and this problem appears fairly widespread.

  • Ear3nd1l (Eärendil the Mariner, father of Elrond, Registered User regular)
    edited August 2019
    OK, I have a really weird problem. I was one of the first people to sign up for gmail back in the day, so my email address is my first name and last name, no numbers or anything else. I have always used it with a dot between them, although that doesn't really matter. Here's the strange part. Sometime around 2011, I started getting emails addressed to me, but without the dot. I didn't think much of it until they started getting more frequent and for things I never signed up for. This has gone on for eight years now. Recently, I've been getting email verification messages ("You've signed up for our service, click here to verify your account"). The problem is that many of them are for porn. I'm not sure how you guys feel about porn, but it's not really my thing. And I certainly don't want to be getting emails for it.

    I have always kind of figured that someone sold my email address to a mailing list, but I can't figure out how it ended up without the dot. I have never used it that way, and I didn't know Gmail ignored dots, plusses, etc in email addresses until after this started. I would think that if someone sold my email address, I would be inundated with emails, but it's usually only 2-3 a month.

    Does anyone have any idea what could have happened?

  • Shadowfire (Vermont, in the middle of nowhere, Registered User regular)
    You might have typed your email address into a site a while ago and missed the period. Then that site sold your email address, and snowball on to a hundred companies having it.

    WiiU: Windrunner ; Guild Wars 2: Shadowfire.3940 ; PSN: Bradcopter
  • LD50 (Registered User regular)
    Also, because your email address is your name, it is very possible someone with the same name is making some dumb mistakes re. their own email address.
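
The mechanism behind both explanations above is that Gmail treats every dot placement in the local part, any `+tag` suffix, and the `googlemail.com` alias as the same mailbox, so an address that is "wrong" for a signup form is still "right" for delivery. As an added example (not from the thread), here is that canonicalisation in Python, which is the check a signup or abuse system should run before deciding whether two addresses belong to one person. The sample addresses are constructed; the rule set is Gmail's and is not applied to other domains.

```python
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_gmail(address):
    """Collapse a Gmail address to the form Gmail actually routes on:
    lower-case, dots in the local part removed, +tag dropped,
    googlemail.com folded into gmail.com. Other domains are only lower-cased."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep:
        raise ValueError(f"not an e-mail address: {address!r}")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def same_mailbox(a, b):
    return canonical_gmail(a) == canonical_gmail(b)


def dot_variant_count(local_part):
    """How many distinct dotted spellings deliver to one Gmail local part:
    one optional dot in each of the len-1 gaps between characters."""
    bare = local_part.replace(".", "")
    return 2 ** (len(bare) - 1) if len(bare) > 1 else 1


def find_duplicates(addresses):
    """Group a signup list by canonical mailbox; useful for spotting one
    person (or one bot) registering many 'different' Gmail addresses."""
    groups = {}
    for addr in addresses:
        groups.setdefault(canonical_gmail(addr), []).append(addr)
    return {k: v for k, v in groups.items() if len(v) > 1}


# Constructed signup list.
SAMPLE_SIGNUPS = [
    "first.last@gmail.com",
    "firstlast@googlemail.com",
    "First.Last+newsletter@gmail.com",
    "first.last@example.com",
    "firstlast@example.com",
]

if __name__ == "__main__":
    print(find_duplicates(SAMPLE_SIGNUPS))
    print(dot_variant_count("firstlast"))
```

Note the asymmetry in the last two sample entries: at `example.com` the dotted and undotted spellings are, as far as anyone can tell, two different mailboxes, so a tool must not normalise them. Only the provider's own rules make the collapse valid.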

  • Ear3nd1l (Eärendil the Mariner, father of Elrond, Registered User regular)
    Y'all are probably right and I'm just being paranoid. Thanks.

  • LD50 (Registered User regular)
    Ear3nd1l wrote: »
    Y'all are probably right and I'm just being paranoid. Thanks.

    I would only start worrying if you started getting similar emails from sites you do use.

  • Ear3nd1l (Eärendil the Mariner, father of Elrond, Registered User regular)
    Good point.

  • Cirira (Iowa, Registered User regular)
    I get similar things with my gmail account and my name is not that common. Apparently there is a Doctor named Carl somewhere with my last name that has a large amount of his email that comes to my mailbox instead because he apparently doesn't know what his email address is. I just have a rule now that sends anything for Carl to junk.

    I've seen his credit card statements, gotten his tickets and vouchers for flights and cruises, gotten his renewal notifications for his licensing, and am on his church mailing list that I'm aware of.
