
[Computer Security Thread] CVEs, or "Crap! Vulnerabilities! Eughhhhh..."


Posts

  • Mugsley (Delaware) Registered User regular
    Sounds like @Karl has some explaining to do

    >.>

  • Banzai5150 Registered User regular
    Gmail email doesn’t care if there is a dot or not. bob.smith@gmail is the same as bobsmith@gmail

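The defensive use of that behaviour, as an added example that is not from the thread: canonicalise addresses at signup so that bob.smith@ and bobsmith@ (plus the googlemail.com alias and "+tag" suffixes, which Gmail also folds into one mailbox) are recognised as the same account. The sample addresses are constructed, and the folding is applied only to consumer Gmail domains, since other providers may treat dots and case in the local part as significant.

```python
# Constructed sample registrations, not taken from the forum thread.
SAMPLE_SIGNUPS = [
    "bob.smith@gmail.com",
    "BobSmith@googlemail.com",
    "b.o.b.smith+newsletter@gmail.com",
    "bob.smith@example.org",
    "bobsmith@example.org",
]

# Consumer Gmail domains where dots and "+tags" in the local part are ignored.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return a canonical form of an address for duplicate detection.

    Gmail ignores dots in the local part, delivers anything after '+' to
    the same mailbox, and treats googlemail.com as an alias of gmail.com.
    For any other domain only the domain is lowercased, because the
    receiving server decides whether dots and case matter in the local part.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_duplicate_signups(addresses):
    """Group addresses by canonical mailbox; return only groups with >1 entry."""
    groups = {}
    for addr in addresses:
        groups.setdefault(canonical_mailbox(addr), []).append(addr)
    return {mailbox: addrs for mailbox, addrs in groups.items() if len(addrs) > 1}


if __name__ == "__main__":
    for mailbox, addrs in find_duplicate_signups(SAMPLE_SIGNUPS).items():
        print(f"{mailbox}: {addrs}")
```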
  • altid Registered User regular
    As someone with the same problem, it's frustrating the amount of places that don't go to the effort of verifying the damned email address people are registering with. A simple click this email link before we'll let you do anything (ps click here if this is some idiot entering the wrong email address) is all it takes.

  • Mugsley (Delaware) Registered User regular
    I'm not sure how often I'd use it, but I'm becoming more interested in VPNs. Which ones do you guys use and what kind of costs are you paying? Last I checked, PIA and Nord seemed to be the top 2.

  • Jazz Registered User regular
    Mugsley wrote: »
    I'm not sure how often I'd use it, but I'm becoming more interested in VPNs. Which ones do you guys use and what kind of costs are you paying? Last I checked, PIA and Nord seemed to be the top 2.

    I'm using Windscribe, for which I got a lifetime sub in a special offer. We'll see if I get that long out of it in due course, I guess, but so far I'm very happy with it.

  • Jebus314 Registered User regular
    I use PIA. It's been pretty reliable for me. I had some issues with their app that they made (which tried to include settings to prevent any internet connections except over the VPN), but using OpenVPN has been pretty solid. And the app was fairly good, but something like 10% of the time I would struggle to get a connection.

    I think I pay something like $50/yr but I would have to check.

    I mostly use it for when I am on public or guest wifi and I want to check something like my bank account.

    That being said, I think it is easier and easier these days to get something like an OpenVPN server set up on your at-home router, and just VPN to your home internet, with the added benefit of being able to access your networked content (photos, movies, etc). Maybe someday I will do that.

    "The world is a mess, and I just need to rule it" - Dr Horrible
  • Cantido Registered User regular
    edited August 2019
    Is there a guide to getting McAfee gamer friendly?

    The list of programs (for firewall options) is unsorted and has duplicates. It's obnoxious. But even when I find it I don't know what to adjust.

    3DS Friendcode 5413-1311-3767
  • Shadowfire (Vermont, in the middle of nowhere) Registered User regular
    Cantido wrote: »
    Is there a guide to getting McAfee gamer friendly?

    The list of programs (for firewall options) is unsorted and has duplicates. It's obnoxious. But even when I find it I don't know what to adjust.

    I find the McAfee uninstall tool works wonders to get rid of that burden on system resources.

    WiiU: Windrunner ; Guild Wars 2: Shadowfire.3940 ; PSN: Bradcopter
  • Cantido Registered User regular
    Shadowfire wrote: »
    Cantido wrote: »
    Is there a guide to getting McAfee gamer friendly?

    The list of programs (for firewall options) is unsorted and has duplicates. It's obnoxious. But even when I find it I don't know what to adjust.

    I find the McAfee uninstall tool works wonders to get rid of that burden on system resources.

    I guess I might as well invest in a change. My free two years via the government are up.

    I do like having one plan for all my devices.

    3DS Friendcode 5413-1311-3767
  • a5ehren (Atlanta) Registered User regular
    edited August 2019
    If you're on Windows 10, there is almost no reason to not just use Defender. The biggest problem it has right now is that the heuristics are a bit too aggressive, so it has a fairly high false-positive rate.

    If you really want to pay for something, Kaspersky or Bitdefender are probably the best.

  • Shadowfire (Vermont, in the middle of nowhere) Registered User regular
    a5ehren wrote: »
    If you're on Windows 10, there is almost no reason to not just use Defender. The biggest problem it has right now is that the heuristics are a bit too aggressive, so it has a fairly high false-positive rate.

    If you really want to pay for something, Kaspersky or Bitdefender are probably the best.

    Yeah, Defender is fine for the most part. Antivirus programs are kind of snake oil these days.

    WiiU: Windrunner ; Guild Wars 2: Shadowfire.3940 ; PSN: Bradcopter
  • Synthesis (Honda Today!) Registered User regular
    If you really do want to buy something, didn't buying a year of Kaspersky put it on all your devices? It did when I was using a subscription.

  • Shadowfire (Vermont, in the middle of nowhere) Registered User regular
    Synthesis wrote: »
    If you really do want to buy something, didn't buying a year of Kaspersky put it on all your devices? It did when I was using a subscription.

    Usually it's for 3 or 5 devices.

    WiiU: Windrunner ; Guild Wars 2: Shadowfire.3940 ; PSN: Bradcopter
  • Synthesis (Honda Today!) Registered User regular
    That's true. I simply don't have more than five things I could install Kaspersky on. Or any antivirus client.

  • Mugsley (Delaware) Registered User regular
    Are we trusting Kaspersky again?

  • LD50 Registered User regular
    Depends. Do you trust Russia?

  • Synthesis (Honda Today!) Registered User regular
    edited August 2019
    These don't actually sound like questions.

  • Jebus314 Registered User regular
    edited August 2019
    Synthesis wrote: »
    These don't actually sound like questions.?

    Fixed that for you?

    "The world is a mess, and I just need to rule it" - Dr Horrible
  • Synthesis (Honda Today!) Registered User regular
    edited August 2019
    Jebus314 wrote: »
    Synthesis wrote: »
    These don't actually sound like questions.?

    Fixed that for you.?

    One good favor....Though mostly I'm annoyed that you've reminded me how poor my vision is that I can't easily see the point of the period.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    This is your periodic reminder that SMS is not secure (and neither is your phone number in general).
    Jack Dorsey’s ongoing mission to increase the civility of public discourse suffered a setback Friday, when an anonymous hacker took over his Twitter account for 20 minutes and retweeted @taytaylov3r’s claim that “nazi germany did nothing wrong.”

    ...

    Some of the influencers who got hit in the last two weeks have blamed so-called SIM swap attacks, with a particular focus on AT&T. In a SIM swap, a hacker either convinces or bribes a carrier employee to switch the number associated with a SIM card to another device, at which point they can intercept any two-factor authentication codes sent by text message. (It’s hard to stop a determined SIM swapper, but at the very least you should switch from SMS two-factor to an authenticator app). AT&T did not immediately respond to an inquiry from WIRED about the spate of hacks this month, or whether the @jack incident was related.

    Twitter confirmed that it was a SIM issue in a tweet Friday evening.

    I seriously hate that SIM-jacking is so easy. It's almost impossible to prevent.

  • DisruptedCapitalist (I swear!) Registered User regular
    I don't even know how to avoid SMS 2fa. Seems like it's required most places.

    "Simple, real stupidity beats artificial intelligence every time." -Mustrum Ridcully in Terry Pratchett's Hogfather p. 142 (HarperPrism 1996)
  • Jebus314 Registered User regular
    The whole point is that it's the 2nd factor though, right? It still ups the level of effort required to hack an individual since they have to get your password, and then also hijack your SIM. I don't really understand why the blame is on the SIM hacking, since Jack should presumably still have had his password.

    Although I think I read somewhere that he actually had his twitter account linked to some less secure account type somehow. So I think there is more going on here than the regular 2FA attack.

    "The world is a mess, and I just need to rule it" - Dr Horrible
  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    My bank gives you two options:

    1.) Use SMS 2FA

    2.) Don't use 2FA

    It continues to make my blood boil.

  • Jazz Registered User regular
    Jebus314 wrote: »
    The whole point is that it's the 2nd factor though, right? It still ups the level of effort required to hack an individual since they have to get your password, and then also hijack your SIM. I don't really understand why the blame is on the SIM hacking, since Jack should presumably still have had his password.

    Although I think I read somewhere that he actually had his twitter account linked to some less secure account type somehow. So I think there is more going on here than the regular 2FA attack.

    You can fire off an SMS and it comes up as a tweet. Simple. Password not required. The hacker won't have had control of the Twitter account, but could tweet as if they were Jack.

    As I understand it, anyway. Before I had a smartphone and data plan, I used Twitter over SMS/MMS, once upon a time (one country and at least two phone numbers ago). So I assume the same option is in effect. I could be wrong on that point, though - this was many, many years ago when Twitter was quite new and not at all what it is now.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    It's also notable that some services allow you to reset your password by using your 2FA device. As in, instead of sending a reset email to your email account, they just authorize a password reset after verifying you have 2FA access.

    Which completely defeats the purpose of 2FA.

  • DisruptedCapitalist (I swear!) Registered User regular
    It's also notable that some services allow you to reset your password by using your 2FA device. As in, instead of sending a reset email to your email account, they just authorize a password reset after verifying you have 2FA access.

    Which completely defeats the purpose of 2FA.

    Yes, actually this is what I was thinking of. And you can't even opt out of it.

    "Simple, real stupidity beats artificial intelligence every time." -Mustrum Ridcully in Terry Pratchett's Hogfather p. 142 (HarperPrism 1996)
  • Thawmus (+Jackface) Registered User regular
    This is your periodic reminder that SMS is not secure (and neither is your phone number in general).
    Jack Dorsey’s ongoing mission to increase the civility of public discourse suffered a setback Friday, when an anonymous hacker took over his Twitter account for 20 minutes and retweeted @taytaylov3r’s claim that “nazi germany did nothing wrong.”

    ...

    Some of the influencers who got hit in the last two weeks have blamed so-called SIM swap attacks, with a particular focus on AT&T. In a SIM swap, a hacker either convinces or bribes a carrier employee to switch the number associated with a SIM card to another device, at which point they can intercept any two-factor authentication codes sent by text message. (It’s hard to stop a determined SIM swapper, but at the very least you should switch from SMS two-factor to an authenticator app). AT&T did not immediately respond to an inquiry from WIRED about the spate of hacks this month, or whether the @jack incident was related.

    Twitter confirmed that it was a SIM issue in a tweet Friday evening.

    I seriously hate that SIM-jacking is so easy. It's almost impossible to prevent.

    This is a re-run, but Reply All did a great episode that touched on this quite a bit: https://gimletmedia.com/shows/reply-all/49ho5a/130-the-snapchat-thief

    Twitch: Thawmus83
  • Mugsley (Delaware) Registered User regular
    FWIW, I've even dropped Chrome on my Android phone (for Kiwi; for now). Firefox best browser boi.

  • Mugsley (Delaware) Registered User regular
    I am lowkey looking into cybersecurity programs. I heard on a podcast earlier this morning that Tulsa U and Idaho State have some of the better programs. I'm interested in online programs (and there's a reasonable chance I can get work to pay for tuition and some materials) so I'm not sure which universities offer that.

    I'm a decently-skilled user, but I'd like a program that starts with some basics and goes from there (so maybe some CompSci courses involved as well?).

    Thoughts?

  • DisruptedCapitalist (I swear!) Registered User regular
    I've spoken with local guys about it (Boston area) and they recommend getting certifications like an Ethical Hacker certificate or a CISSP. I kept thinking I was going in that direction, but I ended up more towards education these days so I can't say what getting a degree is like. You might want to check with @Bucketman who has nearly completed a degree in Infosec.

    "Simple, real stupidity beats artificial intelligence every time." -Mustrum Ridcully in Terry Pratchett's Hogfather p. 142 (HarperPrism 1996)
  • Bucketman (Call me Skragg) Registered User regular
    Yes hello. I'm in my last two semesters.

    I have seen CEH certs on a ton of jobs but people on Reddit and where I work have told me it's worthless, but if it gets you the job.... CISSP is a little harder; it requires having, or promising to get, a certain amount of experience in a certain time frame. Personally I'm doing my CompTIA Security+ this year and getting a CCNA (probably the Cyber Ops because why not) so I have a security and a networking related cert, then maybe getting a CEH.

    School has been a mixed bag. Even at a master's level, I think half my courses have been on theory and policy, and the other half have taught me how to, like, do things. I would recommend making sure you have a good background in networking basics. I've already been stumped in interviews by questions that seem basic to me, but which I never actually learned, or I did and then never used in anything for 3 years so I promptly forgot.

    Reddit has a sub for netsecstudents and one for system admins that I tend to get some good advice on, and that has lots of people talking about great topics.

    Other than that, I will say Professor Messer is your friend and offers free learning videos on IT and Security certs.

  • Darkewolfe Registered User regular
    When I hire people, I mentally take points off for having a degree in "cyber security" for what little it's worth. You can still get a job based on an interview, but if someone studied "cyber security" rather than, say, computer science with a focus on secure network design, I generally think they just tried to grab a fast track degree.

    I'd rate a cyber security degree at the same level as a business administration degree.

    What is this I don't even.
  • Cirira (Iowa) Registered User regular
    Bucketman wrote: »
    Yes hello. I'm in my last two semesters.

    I have seen CEH certs on a ton of jobs but people on Reddit and where I work have told me it's worthless, but if it gets you the job.... CISSP is a little harder; it requires having, or promising to get, a certain amount of experience in a certain time frame. Personally I'm doing my CompTIA Security+ this year and getting a CCNA (probably the Cyber Ops because why not) so I have a security and a networking related cert, then maybe getting a CEH.

    School has been a mixed bag. Even at a master's level, I think half my courses have been on theory and policy, and the other half have taught me how to, like, do things. I would recommend making sure you have a good background in networking basics. I've already been stumped in interviews by questions that seem basic to me, but which I never actually learned, or I did and then never used in anything for 3 years so I promptly forgot.

    Reddit has a sub for netsecstudents and one for system admins that I tend to get some good advice on, and that has lots of people talking about great topics.

    Other than that, I will say Professor Messer is your friend and offers free learning videos on IT and Security certs.

    Just an FYI, I was just reading that the CCNA tests (with the exception of Cyber Ops I think) are all changing come next year. If you intend to get one of their certs you may want to either do it first, or wait for the new test.

    I'm studying for my Security+ as well and found that information while researching.

  • Bucketman (Call me Skragg) Registered User regular
    Darkewolfe wrote: »
    When I hire people, I mentally take points off for having a degree in "cyber security" for what little it's worth. You can still get a job based on an interview, but if someone studied "cyber security" rather than, say, computer science with a focus on secure network design, I generally think they just tried to grab a fast track degree.

    I'd rate a cyber security degree at the same level as a business administration degree.

    Well it probably depends on the University. For my school they have a computer science undergrad but for grad it splits, they have IT, programming, engineering and cyber security masters programs. They all overlap a bit in the beginning and then get more focused.

    Also, if that's how you treat people applying for jobs, judging them and "taking points off" based on some weird bias you have with their degree, then Fuck off. You're part of the problem with hiring into the workforce in general.

    Like what makes any degree better than any other in this instance?

  • Darkewolfe Registered User regular
    edited September 2019
    As the owner of an English degree, it is totally appropriate to assess someone based on their resume and interview them accordingly to see if they can back up their claim that they can do the job. Every interview I've ever had has started with, "why does the owner of an arts degree think they can do this job?" Totally valid.

    Similarly, a cyber security degree is about policy not engineering technical work.

    When that's not the case, the interviewee has the knowledge to bust through anyway.

    What is this I don't even.
  • Bucketman (Call me Skragg) Registered User regular
    For me it's been a mix of both. An issue I think would be that it's kind of nebulous; there is no "This is what you learn in this degree track" that is relevant across all learning institutes. And while yes, you might need to ask about experience or technical questions, and I will admit I've failed those in the past personally, saying "That degree is useless no matter what and I prejudge and assume they can't do a job if they have it" is a REAL shit way to do hiring and pre-screening.

    Also I am taking this a little personally because you're basically saying the thing I spent 4 years of my life and several thousand dollars on is a negative for getting work in the field it was designed for.

  • Darkewolfe Registered User regular
    edited September 2019
    Please don't consider it a personal attack. I just saw a conversation topic where I had something to say. No degree is wasted, I just find degrees pretty interchangeable except for very hard engineering degrees. I didn't mean for it to come in after your personal experience.

    Edit: And when you're running a team of admins and have to do like 20 interviews a week and go through a hundred resumes a week sometimes you definitely do start to see trends in what people are like based on what their resume says.

    What is this I don't even.
  • Cirira (Iowa) Registered User regular
    Darkewolfe wrote: »
    Please don't consider it a personal attack. I just saw a conversation topic where I had something to say. No degree is wasted, I just find degrees pretty interchangeable except for very hard engineering degrees. I didn't mean for it to come in after your personal experience.

    Edit: And when you're running a team of admins and have to do like 20 interviews a week and go through a hundred resumes a week sometimes you definitely do start to see trends in what people are like based on what their resume says.

    Since you do hiring Dark would you rather see someone WITHOUT a Bachelor's degree, or a fast tracked degree? I'm about to finish my Bachelor's in Information Systems Management. It's been relatively fast tracked (I had an Associate and the Bachelor has taken me about a year and a quarter). I've got several years of experience in IT and have often been overlooked for jobs I am clearly qualified for due to a lack of a BS. I'm curious what your take on it is.

  • Darkewolfe Registered User regular
    If it's a hard HR requirement, which they can be for contract work, then that's that.

    I pretty much ignored degrees or treated them as similar to an entry level job. My interviews focus around skill-based role-playing (not knowledge stumpers). I think most advanced hiring companies are the same, as it's less biased to certain backgrounds and also harder to BS through.

    What is this I don't even.