
[Computer Security Thread] CVEs, or "Crap! Vulnerabilities! Eughhhhh..."


Posts

  • Mugsley (Delaware) Registered User regular
    To be clear, I have a Mech Eng degree and I'm looking into stuff like this because I have an affinity for technology and I'm debating on whether I'd like it as a change of pace (or just to pad my knowledge base). I work in a particular portion of the Fed that enjoys disassembling things, and cybersecurity is increasingly becoming its own department/focus in our organization.

    I'm also looking into stuff like a Public Administration degree because I think it would help a lot if I decide to move into a management track (similar with cyber, since that will be an aspect of pretty much any work I do going forward).

    Getting a MS in "more Engineering" doesn't interest me and I don't see it as a value-add because I'm not performing research or focusing heavily on a particular process (e.g. welding).

  • Darkewolfe Registered User regular
    Most of the fed jobs in "cyber security" are policy jobs. They're about running down a checklist on something you don't entirely understand and marking compliance or not. Classic auditing.

    I juxtapose this against actual IT tradespeople who either do or don't do their jobs securely.

    What is this I don't even.
  • TetraNitroCubane, The Djinnerator (At the bottom of a bottle) Registered User regular
    So my bank, for all I begrudge them, has a pretty keen feature associated with their credit cards. There's a section of their website that allows you to generate temporary credit card numbers that are linked to your primary credit card account. These numbers are only valid for use at a single vendor, after which they no longer function. They can also have spending limits and expiration dates set on them. It is a feature that I use extensively for every online purchase I make, because if someone breaches that vendor, then the card number on record for me is useless.

    Turns out that part of my bank's website uses Flash.

    With Flash set to be completely retired, my bank's solution to this problem is simple: They're killing that service.

    Does anyone know of anything similar that can be used to generate temporary credit card numbers? I've heard of Privacy dot com, but I have NO interest in using that service, as they require you to provide credentials to your bank's website, and they link to your debit card, rather than credit card.

  • doomybear (Hi People) Registered User regular
    I haven't done it myself (yet), but I have heard of people using reloadable cards for that kind of thing.

    what a happy day it is
  • Cantido Registered User regular
    edited September 2019
    Funny enough my work is making me take SANS Sec401, and I'm learning why I was able to shelve McAfee in favor of Windows Security Essentials. Microsoft is not fucking around with security updates. And the reason it's free for household use is the Bullshit Money they make off the enterprise versions.

    I'm going to learn Active Directory, as well as Powershell.

    (Cryptography made my head spin.)

    3DS Friendcode 5413-1311-3767
  • LD50 Registered User regular
    Yeah, the so-called 'security essentials' is the av now.

  • Radiation Registered User regular
    Mugsley wrote: »
    I am lowkey looking into cybersecurity programs. I heard on a podcast earlier this morning that Tulsa U and Idaho State have some of the better programs. I'm interested in online programs (and there's a reasonable chance I can get work to pay for tuition and some materials) so I'm not sure which universities offer that.

    I'm a decently-skilled user, but I'd like a program that starts with some basics and goes from there (so maybe some CompSci courses involved as well?).

    Thoughts?

    I know I'm a bit late to the party.
    @Mugsley might be worth looking at WGU which has certs that are the finals sort of? Super online friendly, and I've found it pretty great so far.

    PSN: jfrofl
  • TetraNitroCubane, The Djinnerator (At the bottom of a bottle) Registered User regular
    edited September 2019
    Welp. WELP.
    Hackers are actively exploiting a critical weakness found in most mobile phones to surreptitiously track the location of users and possibly carry out other nefarious actions, researchers warned on Thursday.

    The so-called Simjacker exploits work across a wide range of mobile devices, regardless of the hardware or software they rely on, researchers with telecom security firm AdaptiveMobile Security said in a post. The attacks work by exploiting an interface intended to be used solely by cell carriers so they can communicate directly with the SIM cards inside subscribers’ phones. The carriers can use the interface to provide specialized services such as using the data stored on the SIM to provide account balances.

    Simjacker abuses the interface by sending commands that track the location and obtain the IMEI identification code of phones. They might also cause phones to make calls, send text messages, or perform a range of other commands.

    Dan Guido, a mobile security expert and the CEO of security firm Trail of Bits, told Ars the threat looked “pretty fucking bad.” He added: “This attack is platform-agnostic, affects nearly every phone, and there is little anyone except your cell carrier can do about it.

    Looks like just about everyone is at risk, and no one's going to get any relief from this until their mobile carrier fixes things on their end. And most mobile carriers are insisting they're not impacted, despite the fact that such a claim is dubious.

    Notably the location tracking has me much less worried than the theft of the IMEI code. That is much more significant and able to do nefarious things.

  • VoodooV Registered User regular
    edited October 2019
    Can anyone tell me what the security significance of restricting the ability to do a right click in Windows is? One of our customers called in to ask that that restriction be relaxed and our security team is pushing back; the only justification they're giving is that they don't need it to do their job. But then they have another access group for higher-ups that, of course, doesn't have any restrictions like that. If the lower tier employee doesn't need it to do their job, doesn't the same apply for the higher tier employee? If it's truly a security thing and we don't need it, shouldn't everyone have right click disabled and we all follow the same standard?

  • Mr_Rose (83 Blue Ridge Protects the Holy) Registered User regular
    The only thing I can think of that might be a security issue is the “run as” function but a. you can kill that specifically with group policy and b. you can kinda-sorta do the same thing with shortcut properties which you don’t actually need right-click to access. Hell, the Windows 10 1903 update gives the run as admin function as a hover-menu option in the start menu search results.

    ...because dragons are AWESOME! That's why.
    Nintendo Network ID: AzraelRose
    DropBox invite link - get 500MB extra free.
  • Inquisitor77, 2 x Penny Arcade Fight Club Champion (A fixed point in space and time) Registered User regular
    edited October 2019
    VoodooV wrote: »
    Can anyone tell me what the security significance of restricting the ability to do a right click in Windows is? One of our customers called in to ask that that restriction be relaxed and our security team is pushing back; the only justification they're giving is that they don't need it to do their job. But then they have another access group for higher-ups that, of course, doesn't have any restrictions like that. If the lower tier employee doesn't need it to do their job, doesn't the same apply for the higher tier employee? If it's truly a security thing and we don't need it, shouldn't everyone have right click disabled and we all follow the same standard?

    Sounds like you have a shitty IT department.

  • Mr_Rose (83 Blue Ridge Protects the Holy) Registered User regular
    Yeah, it’s kinda like hiding the C: drive in File Explorer; mostly it just inconveniences people that don’t know how to get around it, and they aren’t the people you need to watch in the first place.

    ...because dragons are AWESOME! That's why.
    Nintendo Network ID: AzraelRose
    DropBox invite link - get 500MB extra free.
  • VoodooV Registered User regular
    There is security, and there is just being a dick. This is just being a dick. It's the kind of policy you just throw in to let everyone know you have power and they don't. Even if it was to block the run as functionality, I don't get that either, since you have to actually know some admin credentials for it to succeed. If it was a single use kiosk type of situation where it literally only needed to do one thing, I might get it, but no, people use these things on a daily basis.

  • V1m Registered User regular
    VoodooV wrote: »
    There is security, and there is just being a dick. This is just being a dick. It's the kind of policy you just throw in to let everyone know you have power and they don't. Even if it was to block the run as functionality, I don't get that either, since you have to actually know some admin credentials for it to succeed. If it was a single use kiosk type of situation where it literally only needed to do one thing, I might get it, but no, people use these things on a daily basis.

    It does kind of have the feel of something that was put in place as a temporary fix for some issue, and was then never lifted because "screw it, changing this back wouldn't make our lives easier"

  • Inquisitor77, 2 x Penny Arcade Fight Club Champion (A fixed point in space and time) Registered User regular
    See also: low-minimum length, forced-complexity passwords that have to be changed every two weeks

  • Mugsley (Delaware) Registered User regular
    How deep does this go? I couldn't imagine losing right click for pretty much anything in Office that I can do quickly

  • V1m Registered User regular
    See also: low-minimum length, forced-complexity passwords that have to be changed every two weeks

    I have 8 of those for my job. 8! All with different complexity rules! And most with different renewal cycles!

    4 of them are for systems that I can only get to enter by logging in via one of the others first.

    Single sign-on? What's that? Well it's a thing that gets used on some of the systems I have to interact with, but not others. Because the project teams don't talk to each other and some of them just don't know how to goddamn use fancy shit like that, so tough luck, that's another PW and ID I have to email myself and keep in an email subfolder called "registrations".

    No of course I don't just use the same short password for all of them with a number sequence on the end how dare you

  • LD50 Registered User regular
    VoodooV wrote: »
    Can anyone tell me what the security significance of restricting the ability to do a right click in Windows is? One of our customers called in to ask that that restriction be relaxed and our security team is pushing back; the only justification they're giving is that they don't need it to do their job. But then they have another access group for higher-ups that, of course, doesn't have any restrictions like that. If the lower tier employee doesn't need it to do their job, doesn't the same apply for the higher tier employee? If it's truly a security thing and we don't need it, shouldn't everyone have right click disabled and we all follow the same standard?

    What?

  • Cantido Registered User regular
    edited October 2019
    I got the career change I've been dreaming of since 2015, and heading to a cyber warfare school in November!

    I'm getting ready for it now, learning baby stuff like Windows and Linux command line, and manually understanding a raw hex packet before letting *chef's kiss* Wireshark translate it for me <3

    EDIT - Yes, I'm aware this is the baby stuff. I'm surrounded by far more advanced tools that I'm not allowed to touch until I graduate.

    3DS Friendcode 5413-1311-3767
  • Jazz Registered User regular
    Got this in my email this morning.
    Dear Zynga Player,

    We recently discovered that, on or about 31 August 2019, outside hackers may have illegally accessed certain player account information. Our current understanding is that no financial information was accessed. However, we understand that account information for certain players of Zynga games may have been accessed. You are receiving this notice because the information that was accessed may have included your Zynga username, Zynga password, name, email address, phone number, photograph, social media ID, date of birth, or location. As a precaution, where passwords may have been accessed, we have taken steps to protect these users’ accounts from invalid logins.

    Upon discovery of the potential access, an investigation was immediately commenced, leading third-party forensics firms were retained to assist, and we notified law enforcement and regulatory authorities in accordance with law. Zynga has also taken steps to further enhance the security of its systems that contain personal information.

    Additional information is available on our Player Support page here. If you have questions or would like additional information, please contact us by email by filling out the following form.

    The security of our player data is extremely important to us. We have worked hard to address this matter and remain committed to supporting our community.

    Sincerely,

    Team Zynga

    Bolding is mine.

    *sigh*

  • VoodooV Registered User regular
    Got approval to turn off the right click restriction for our customer today (bon appétit, hackers! lol). They made the customer leadership put in writing that they understand this is a non-standard configuration and that they accept the risk of lowered security blah blah blah.

    Almost every one of the new customers I've set up have complained about it so hopefully this is just the first of many. It's frustrating because I feel like I'm fighting against my own team. But Jesus Christ, it's a goddamned right click. Let it go.

  • Carpy Registered User regular
    VoodooV wrote: »
    Got approval to turn off the right click restriction for our customer today (bon appétit, hackers! lol). They made the customer leadership put in writing that they understand this is a non-standard configuration and that they accept the risk of lowered security blah blah blah.

    Almost every one of the new customers I've set up have complained about it so hopefully this is just the first of many. It's frustrating because I feel like I'm fighting against my own team. But Jesus Christ, it's a goddamned right click. Let it go.

    We all know this is petty bullshit but as a thought experiment I'm trying to imagine the process that would get someone to the point where they believe turning off the right menu would increase security.

    1. The most obvious is that they have zero understanding of how a breach works and don't know that an attacker is living at the command line. Points against this are someone knowing enough to implement "you can't use right click" but not knowing about cmd or PowerShell.

    2. The environment uses VMs and security doesn't know that you can use the hypervisor to turn off copy paste between guest/host so they brute force it

    3. There's some installed program that provides a context-based right click option, like 7-Zip's hash generation, that they can't figure out how to disable

    Those are all bad options and whoever made that edict is petty and dumb

  • dporowski Registered User regular
    Carpy wrote: »
    VoodooV wrote: »
    Got approval to turn off the right click restriction for our customer today (bon appétit, hackers! lol). They made the customer leadership put in writing that they understand this is a non-standard configuration and that they accept the risk of lowered security blah blah blah.

    Almost every one of the new customers I've set up have complained about it so hopefully this is just the first of many. It's frustrating because I feel like I'm fighting against my own team. But Jesus Christ, it's a goddamned right click. Let it go.

    We all know this is petty bullshit but as a thought experiment I'm trying to imagine the process that would get someone to the point where they believe turning off the right menu would increase security.

    1. The most obvious is that they have zero understanding of how a breach works and don't know that an attacker is living at the command line. Points against this are someone knowing enough to implement "you can't use right click" but not knowing about cmd or PowerShell.

    2. The environment uses VMs and security doesn't know that you can use the hypervisor to turn off copy paste between guest/host so they brute force it

    3. There's some installed program that provides a context-based right click option, like 7-Zip's hash generation, that they can't figure out how to disable

    Those are all bad options and whoever made that edict is petty and dumb

    Alternately:

    - Wallpaper is corporate-set
    - Someone was browsing something they shouldn't
    - Someone right-clicked and "set as wallpaper"
    - Oh shit.
    - BURN DOWN EVERYTHING THIS MUST NEVER HAPPEN AGAIN

  • LD50 Registered User regular
    You can restrict wallpapers by group policy.

  • VoodooV Registered User regular
    The security team makes the "need and least privilege" arguments, which, while draconian and dickish, I at least get since I implemented CIS benchmarks in my previous job. Those things had 300+ settings, but not one of them restricted right click or control panel access.

    But when I speak to my fellow coworkers on my own team about it, they seem to have the "protecting users from themselves" mentality, which I do not hold to. They seem to think letting them do things like doing a right click and being able to get into the control panel will cause a massive increase in support calls from users who can't help but mess around. Which, ok, I get that. In my old job, sure, I had the occasional illiterate user who thought it was a great idea to change theme colors to some extremely obnoxious level or something like that, but that crap never bothered me, and usually they did it once, got burned, learned their lesson and never did it again. I just considered it a teachable moment for the users which, in the long term, reduced calls.

  • SiliconStew Registered User regular
    The single biggest thing to "protect users from themselves" is just to make sure their accounts are standard users and they don't have local admin. In my opinion, blocking right-click is really only appropriate for a single-app kiosk. I suspect the people pushing for it are still stuck in a Win95 security mentality where that was a popular "security" recommendation back then due to a lack of proper security controls.

    Just remember that half the people you meet are below average intelligence.
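    Both of the points made above, that wallpaper changes can be restricted by group policy and that the real "protect users from themselves" control is keeping accounts as standard users without local admin, come down to settings that can be audited rather than argued about. The script below is an added example and is not code from any poster in this thread. It reads the current user's documented Explorer and ActiveDesktop policy values (including NoViewContextMenu, the value behind the right-click restriction under discussion) and reports whether the session holds local-admin rights and who is in the local Administrators group. The idea that all of those policy rows should read False on an ordinary workstation is my assumed baseline, not something the thread states.

```powershell
# Added example (not from this thread): audit the user-lockdown policies
# discussed above and the local-admin state of the current session.
# Registry paths and value names are the documented Windows policy values;
# the "desired" state (every policy not applied) is an assumed baseline.

$policies = @(
    @{ Name = 'NoViewContextMenu';   Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Meaning = 'File Explorer right-click context menu removed' }
    @{ Name = 'NoControlPanel';      Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Meaning = 'Control Panel and Settings blocked' }
    @{ Name = 'NoDrives';            Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Meaning = 'drives hidden in File Explorer (bitmask, non-zero = active)' }
    @{ Name = 'NoChangingWallPaper'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Meaning = 'wallpaper change blocked' }
)

function Get-PolicyState {
    param([hashtable]$Policy)
    # A missing key or value means the policy is "Not Configured", i.e. not applied.
    $item = Get-ItemProperty -Path $Policy.Path -Name $Policy.Name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Policy  = $Policy.Name
        Applied = if ($null -eq $item) { $false } else { [bool]$item.($Policy.Name) }
        Meaning = $Policy.Meaning
    }
}

function Test-SessionIsAdmin {
    # True only when the current token is elevated. Under UAC, a member of
    # Administrators running a non-elevated session still returns $false here.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminMembers {
    # Who actually holds local admin on this machine: the control that matters
    # far more than any cosmetic lockdown.
    Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
}

$policies | ForEach-Object { Get-PolicyState -Policy $_ } | Format-Table -AutoSize
"Local Administrators group: $((Get-LocalAdminMembers) -join ', ')"
"Current session running as admin: $(Test-SessionIsAdmin)"
```

    Run it in the affected user's session, since it inspects that user's HKCU hive. A row showing Applied = True corresponds to a group policy setting, and that is where the change belongs, not in a hand-edited registry; a non-empty Administrators list full of ordinary user accounts is the finding worth escalating.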
  • Thawmus (+Jackface) Registered User regular
    How do you expect users to accomplish anything in their productivity software if right-click context menus aren't available?

    Twitch: Thawmus83
  • Inquisitor Registered User regular
    edited October 2019
    All the logins at my work grant admin privileges and use the same password that everyone knows.

    I have been trying to explain why this is a bad idea but no one is taking action on it yet.

  • dporowski Registered User regular
    edited October 2019
    LD50 wrote: »
    You can restrict wallpapers by group policy.

    You assume someone knows that, knows how to do that, and can say no to "Right click did the thing, so we must destroy right click!" You can see right click being disabled. You can't see a group policy. Clearly the thing one can see is more effective than the thing one can't.

  • Inquisitor77, 2 x Penny Arcade Fight Club Champion (A fixed point in space and time) Registered User regular
    Inquisitor wrote: »
    All the logins at my work grant admin privileges and use the same password that everyone knows.

    I have been trying to explain why this is a bad idea but no one is taking action on it yet.

    Yes but can they right click?

  • Orca (Also known as Espressosaurus Wrex) Registered User regular
    *sits here with admin access on his work machines and looks confusedly at this "local user" crap*

  • LD50 Registered User regular
    Orca wrote: »
    *sits here with admin access on his work machines and looks confusedly at this "local user" crap*

    To be fair, you really shouldn't be logging in as a local admin on your own workstation. Not that you shouldn't have that access, but it shouldn't be what you're using by default.

  • Inquisitor Registered User regular
    edited October 2019
    Inquisitor wrote: »
    All the logins at my work grant admin privileges and use the same password that everyone knows.

    I have been trying to explain why this is a bad idea but no one is taking action on it yet.

    It would also seem that everyone uses the same login and password for our AWS bucket. I didn’t want to click around and find out but at a glance it looks like I could hop in and spool up any service I wanted and that the owners card was on file.

    I plan to bring this up to management tomorrow. Yikes.

  • TetraNitroCubane, The Djinnerator (At the bottom of a bottle) Registered User regular
    This is about a week-old story by now, but it's really starting to come out of the woodwork a lot more in the last few days.

    The short story is that heavily advertised and high-volume YouTube sponsor NordVPN were hacked in March of 2018.
    NordVPN, a virtual private network provider that promises to “protect your privacy online,” has confirmed it was hacked.

    The admission comes following rumors that the company had been breached. It first emerged that NordVPN had an expired internal private key exposed, potentially allowing anyone to spin out their own servers imitating NordVPN.

    There have been plenty of arguments about whether or not this constitutes a serious breach. Well, I should say that Nord have claimed it is not - because the compromised server key would only allow a malicious actor to set up a spoofed VPN server, and users would have to point themselves toward that server before being at risk. But others aren't so keen to downplay the damage.
    A senior security researcher we spoke to who reviewed the statement and other evidence of the breach, but asked not to be named as they work for a company that requires authorization to speak to the press, called these findings “troubling.”

    “While this is unconfirmed and we await further forensic evidence, this is an indication of a full remote compromise of this provider’s systems,” the security researcher said. “That should be deeply concerning to anyone who uses or promotes these particular services.”

    NordVPN said “no other server on our network has been affected.”

    But the security researcher warned that NordVPN was ignoring the larger issue of the attacker’s possible access across the network. “Your car was just stolen and taken on a joy ride and you’re quibbling about which buttons were pushed on the radio?” the researcher said.

    Realistically, the issue of the damage caused is secondary at this point. The primary issue, which every single company seems to overlook, is that this happened in MARCH OF 2018 and it's only now coming out. And it's only coming out because someone went public with evidence it happened!

  • bowen (How you doin'?) Registered User regular
    edited October 2019
    MITM attacks like that are deceptively hard to pull off. Nord VPN is more right, you'd need to be part of their list of VPNs to even have people end up on it, just saying "hey I'm a Nord VPN server!" isn't enough, it's not bittorrent/tor where they're all peer to peer.

    That being said, you shouldn't use a VPN to do sensitive data transfer, because the person in the middle absolutely can look at it, and many of them are run in places with less protections than you have with your ISP. That isn't to say VPNs are bad and we shouldn't be using them, but the transparency about what they do with your data of a great many of them leaves a lot to be desired.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • TetraNitroCubane, The Djinnerator (At the bottom of a bottle) Registered User regular
    edited October 2019
    I think the issue is that, while Nord is absolutely right about the MITM being hard to pull off, that's a disingenuous assessment of the limits of the damage caused by this compromise. Particularly given the nature of the intrusion, and the duration for which it lasted.

    The damage is likely far greater than a potential MITM, given that someone had unfettered access to their server for months.

    Also, completely agreed on "Don't use VPN for sensitive data transfer".

  • bowen (How you doin'?) Registered User regular
    edited October 2019
    Hm, the difficulty in making a spy vpn like that with Nord's certificates would be astronomical. I imagine the damage is in the ballpark of 0. Unless I'm seriously misunderstanding what exactly was compromised here other than "a certificate expired" and "maybe the hackers got some customer information".

    The bigger problem is it wasn't even them that compromised the system as far as I can tell. Maybe I'm wrong though!

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • a5ehren (Atlanta) Registered User regular
    edited October 2019
    It's bad in a general sense that a VPN provider that was widely billed as one of the "good ones" had a security lapse that made this kind of thing possible, even if there was no actual impact.

    It's like if your AV accidentally shipped an update in 2019 that didn't detect Stuxnet. Not a big immediate problem if you're not an Iranian nuclear scientist, but it raises some questions about their process.

  • bowen (How you doin'?) Registered User regular
    Also fair. But it looks like they were compromised by the 3rd party colocation not doing what they were supposed to. How do you even fix that other than DIY and owning your own datacenters in all these countries just to make sure? Even then, some irate employee could cut corners and that could go undetected.

    I'm just not sure anything could have been done that they weren't already doing to the best of their abilities, this is a problem with business on a larger scale more than anything dangerous or compromising actually happening.

    Your Stuxnet example would maybe make more sense if the AV accidentally shipped an update that had a bug that was present in the compiler they used to build the antivirus that allowed someone to buffer overflow and take control of the machine on full moons.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Inquisitor77, 2 x Penny Arcade Fight Club Champion (A fixed point in space and time) Registered User regular
    It sounds like they're doing a bunch of things in that vein, such as "buying" and "owning" the hardware in those datacenters, but in some cases that's a distinction without much of a difference.
