I had forgotten I created a Twitch account (since I almost never use it). Changed my password, which was simple thanks to having a password manager.
I personally use KeePass2 / KeePassXC (depending on the OS). You will have to sync the database yourself, but there are plugins for it to work with browsers, etc. Someone wrote a plugin for KeePass that allows you to use a YubiKey as a 2-factor authentication mechanism for your master password, which I have added, if you want that extra layer of security. It's too bad more places don't support YubiKey. Some banks started supporting it, but their implementation sucks since you can bypass it and downgrade to SMS two factor.
I think these companies want you to use SMS 2-factor to obtain more information about you. If you read the fine print, it says they can use your number for other reasons (like marketing) so they can fuck off with that. Give the option to use an authenticator app or YubiKey.
Yeah I use KeePassXC on my workstations, Keepass2Android on my phone, and then I have the database synced via cloud services, a gigantic goddamn master password, and a key file that I have on my phone and 3 flash drives. You need both the key file and the password to access the database, but goddamn do I love not typing in passwords and shit anymore for websites I visit 2 times a year.
Opsec fails:
- the admin's password manager was open in the browser window
- the password manager had the password for the ESXi admin account in it
- two weeks earlier, someone had legitimately enabled the ESXi shell in order to do some maintenance and left it on.
Thread is documenting a ransomware breach where the attackers turned low-privilege access directly into ESXi access because someone left their password manager open in the browser.
I wouldn't say I'm at devotee level, but I pay for a standalone license (for one PC, my primary home one) and then sync my keychain to my phone via Dropbox, and can access it from there using their free app. Any other PCs that I need to sign into things with I have to type in the passwords, but I don't feel like doing the subscription thing nor do I want to link the password manager to the browser.
I'm slowly integrating Bitwarden for personal browsing. I wish I could have a manager for work. But alas, the fed won't approve pw managers. I have no idea why.
Twitch decided to deactivate all issued streamer keys and reissue them, to prevent shenanigans.
Though apparently the shitheadery has begun over on Twitch, as a number of background images on the pages of popular video games on Twitch were replaced with creepy zoomed-in photos of Jeff Bezos for a few hours this morning.
I get the feeling we’re going to see a lot more of this shit for a good long while, and I only hope this is as bad as it’s going to get (though let’s face it, the 4channers will always live down to their reps, so this is just the tip of the shitberg).
I can has cheezburger, yes?
TetraNitroCubane | The Djinnerator | At the bottom of a bottle | Registered User regular
The rumor is that a lot of passwords were hard-coded into the Twitch sourcecode, so there's likely a world of hurt on the horizon.
Like, replacing thumbnails is going to be benign, compared to when someone figures out a way to deliver a drive-by attack from actual, factual twitch.
I’m pretty much staying away from Twitch forever, I suppose, then. Because with the source code out, the only way this is ever going to end is that they’re going to have to nuke the entire site from orbit- source code, libraries, graphics, clients, associated sites, everything- and just rebuild it all from scratch with a new source code and everything. You might as well treat Twitch like a computer that was compromised- yeah, it might look like it's still working, but who knows if you missed anything?
The rumor is that a lot of passwords were hard-coded into the Twitch sourcecode, so there's likely a world of hurt on the horizon.
Like, replacing thumbnails is going to be benign, compared to when someone figures out a way to deliver a drive-by attack from actual, factual twitch.
Oh God this is amazing. Amazingly bad
it's wild how insecure 90% of websites actually are
A shockingly high number of large, very integral websites apparently have opted for the "security through obscurity" method.
Which doesn't hold up too well when the entirety of your source code gets dumped and leaked.
Every time security through obscurity comes up I always remember that dude that railed on me for using mysql in our software because it was open source and thusly less secure than mssql.
not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
on the bright side, due to twitch's code's new lack of obscurity, they're going to have all their security problems in their code pointed out to them really quickly! how helpful!
Something else to think about- I'm fairly certain that Twitch also owns a site by the name of Curseforge, which used to be just plain Curse- the place where everybody and their dog got mods for stuff like WoW and many other games- they had an app and everything that let you download in mods right to your game, took care of setup and everything.
The thought of the shenanigans that assholes could get up to with the sourcecode to that site, too, is just plain fucking scary- I mean, we're talking pushing malware as a mod update and getting it automatically downloaded once someone figures out how... and I think that's only a matter of time because I think the sourcecode to that was leaked too...?
I'm a happy user of KeePass. I use Strongbox on iOS, which is a KeePass client.
Thank you for this tidbit of info. I was just coming to ask about KeePass as I've used it forever and when I switched to iThings I had used a KeePass app that no longer works and wanted to know if I should move to another app. This was easy to download and set up and I switched from Dropbox as my cloud method to iCloud just for giggles. Is there any reason to get the paid Pro version of Strongbox?
Orca | Also known as Espressosaurus | Wrex | Registered User regular
The paid pro version makes your life much easier since it allows you to unlock the key store with your fingerprint (and presumably Face ID), and offers integration with cloud services (historically a pain in the ass on iOS).
You can use it without the paid perks and it works like your classic KeePass clients that need a password and you need to manually manage the key store between your phone and PC.
Something else to think about- I'm fairly certain that Twitch also owns a site by the name of Curseforge, which used to be just plain Curse- the place where everybody and their dog got mods for stuff like WoW and many other games- they had an app and everything that let you download in mods right to your game, took care of setup and everything.
The thought of the shenanigans that assholes could get up to with the sourcecode to that site, too, is just plain fucking scary- I mean, we're talking pushing malware as a mod update and getting it automatically downloaded once someone figures out how... and I think that's only a matter of time because I think the sourcecode to that was leaked too...?
Curse was sold to overwolf last year.
Overwolf, aka how to push malware to users and claim it's a service.
I didn't even realize that overwolf still existed until the only useful part of the twitch app was sold to them. I then quickly found workarounds for managing minecraft modpacks hosted on curseforge.
Wait, Overwolf is malware? I scanned it multiple times and Kaspersky didn’t find anything…
No it's not. At some point in the past one of the mods it added to their repository served some bad ads. That's the closest thing to malware I can find in their history. The general consensus seems to be that it's kinda crap but it's not dangerous.
Opsec fails:
- the admin's password manager was open in the browser window
- the password manager had the password for the ESXi admin account in it
- two weeks earlier, someone had legitimately enabled the ESXi shell in order to do some maintenance and left it on.
Thread is documenting a ransomware breach where the attackers turned low-privilege access directly into ESXi access because someone left their password manager open in the browser.
Isn't that how Joey and Lucy hacked the Gibson?
No matter where you go...there you are. ~ Buckaroo Banzai
The rumor is that a lot of passwords were hard-coded into the Twitch sourcecode, so there's likely a world of hurt on the horizon.
Like, replacing thumbnails is going to be benign, compared to when someone figures out a way to deliver a drive-by attack from actual, factual twitch.
Oh God this is amazing. Amazingly bad
it's wild how insecure 90% of websites actually are
A shockingly high number of large, very integral websites apparently have opted for the "security through obscurity" method.
Which doesn't hold up too well when the entirety of your source code gets dumped and leaked.
Every time security through obscurity comes up I always remember that dude that railed on me for using mysql in our software because it was open source and thusly less secure than mssql.
It's like, my dude, there's literally dozens of automated tools that will find any known vulnerability in your server in minutes.
Opsec fails:
- the admin's password manager was open in the browser window
- the password manager had the password for the ESXi admin account in it
- two weeks earlier, someone had legitimately enabled the ESXi shell in order to do some maintenance and left it on.
Thread is documenting a ransomware breach where the attackers turned low-privilege access directly into ESXi access because someone left their password manager open in the browser.
I don't quite get how the attackers had access to the password manager in the browser in the first place? Wouldn't you need physical access to the computer running the browser? Was this person accessing their TeamViewer account in a public library or something? Or alternatively, did they already hack into that user's computer with a key logger or something?
"Simple, real stupidity beats artificial intelligence every time." -Mustrum Ridcully in Terry Pratchett's Hogfather p. 142 (HarperPrism 1996)
Earlier tweet mentions that they got initial access through a non-MFA'd valid TeamViewer account.
Opsec fail:
- initial access came via a (legit) TeamViewer account
-- the account didn't have MFA enabled
-- they obtained the correct credentials prior to attacking
That reminds me of when I was training my backup / replacement at my last job and gave him the super secret keystore admin password. I didn't want to email it or transmit it in an unsecure fashion so - in accordance with company policy- I read it off verbally to him.
About ten seconds later my chat pops up and one of our DBAs says 'you know <dude> is on a loud speakerphone in the middle of all our cubes right'?
Wait, Overwolf is malware? I scanned it multiple times and Kaspersky didn’t find anything…
No it's not. At some point in the past one of the mods it added to their repository served some bad ads. That's the closest thing to malware I can find in their history. The general consensus seems to be that it's kinda crap but it's not dangerous.
It's deeper than that, it's got a pretty sordid history of bloat and shittiness with how it handles mods and the kind of shit it loads/etc. It did get flagged as malware for the longest time though.
There are better tools to handle mods.
My only problem is that Curseforge and Overwolf are the only ways to get mods easily for a lot of games. I'd love to use another one, but the problem is that they seem to be the only way possible to get hold of certain mods for various MMOs and such. If there's a safer app to get the same mods, I'll not reinstall either of them. But at this point, well, it's like I'd have to at least go on their site to get the mods and check to see if they were updated.
SixCaches Tweets in the mainframe cyberhex | Registered User regular
There are probably a few managers for your mmos, for instance wow/wow-classic has:
I actually already use Minion for TESO stuff, and I'm likely to configure it to handle WoW (if I ever go back to it).
It's just that a number of older mods for older games don't seem to have a home anywhere else on the net besides CurseForge... so I'm either going to have to rely on it or to figure out how to install them manually and hope I don't fuck up my install. Which sucks if the program and loader is as bad as everyone says it is, but they have a stranglehold on a lot of the mods for games that the Twitch client used to handle pretty seamlessly.
Shadowfire | Vermont, in the middle of nowhere | Registered User regular
In news that is very sad and terrible for everyone, Sinclair has been hit by ransomware.
That reminds me of when I was training my backup / replacement at my last job and gave him the super secret keystore admin password. I didn't want to email it or transmit it in an unsecure fashion so - in accordance with company policy- I read it off verbally to him.
About ten seconds later my chat pops up and one of our DBAs says 'you know <dude> is on a loud speakerphone in the middle of all our cubes right'?
Was it “12345678?”
That's amazing, I have the same combination on my luggage!
No it was a Purple3Monkey6Dish9washer12 type of fairly easy to remember but incredibly solid and basically uncrackable password. It was used for the master password file which like three people knew at any time.
It was actually good and solid security practices until some dumbass decided to take 'I am giving you the crown jewels of our corporate security' without thinking about being on a public speakerphone. I probably should have double checked too, but he was 500 miles away and I assumed better.
Isn't that how Joey and Lucy hacked the Gibson?
Poor phorgotten Phreak.
Steam | XBL
There are probably a few managers for your mmos, for instance wow/wow-classic has:
https://wowup.io
TESO has:
https://minion.mmoui.com/
Very sad. Hate to see it. Shucks.
Fetch me a tiny violin.
No, tinier!