Discussion in 'Business & Enterprise Computing' started by Gunna, Nov 18, 2019.
Oof, that's some good info thanks Wazza
This is glorious! https://signal.org/blog/cellebrite-vulnerabilities/
Signal got hold of a Cellebrite device, reverse engineered it, found some vulnerabilities that render it completely unreliable as evidence for any and all scans done on phones, and now ships the exploits to all users of Signal.
I love this after reading the article:
If this isn't a big F-you, I don't know what is.
I both love and hate the idea.
I don't want unknown exploit code sitting around on my phone.
Meh, if it's contained in a .txt file, does nothing, and nothing can interact with it as it is located in the app storage location, then it's harmless.
I thought most ISPs blocked IPv6.
Um, not sure where you've been, bud, but IPv6 is everywhere on the public internet. Your phone is likely on IPv6 right now. Enterprises haven't bought in, but the standard NBN install is dual stack and most consumer devices will just grab it and go.
Another supply chain compromise - Passwordstate updates between 20th-22nd April were under the control of an attacker, and passwords stored in Passwordstate are likely to have been compromised.
I'm a fan - I think honeypots and anything that wastes the time of someone trying to compromise you is great, and this would only ever do something if a Cellebrite device was used to get all of your private info from your phone.
Oh man, imagine working somewhere using that product and the chaos next week.
Doesn't seem like it will have a huge impact IMO - upgrades are triggered manually which will significantly lower the number of people caught up in it, and the attack was discovered and shut down within 28 hours. Also seems that researchers found the C&C servers quickly and they've been shut down too. Someone on r/sysadmin confirmed they were hit, had multiple outbound calls to the C&C server but run MFA on everything and haven't had any MFA notifications (though of course you wouldn't get notifications for MFA where you have a token/MFA app etc, only those that email/sms).
I run it and am not too concerned - we didn't upgrade during that timeframe, the vast majority of passwords kept in Passwordstate require you to be on our network to access the resource (and no one has detected it dropping reverse shells), and wherever possible we use MFA.
Microsoft's authenticator notifies you via the app when a request is needed. And you don't even need to copy the number across, just accepting the notification is enough.
I would assume others do the same - in an attempt to make things more convenient for end users.
If enabled and configured etc., but yes. Duo also offers similar.
Yup, Google has the same thing. Tap yes/no on phone to let your PC log in.
More prone to risk than HOTP, but it has a much better user acceptance factor.
Can also be configured horribly; work changed things. So now:
Notification on phone, can't just accept that.
Have to unlock phone (PIN/biometric).
Then get prompted again for your unlock PIN/biometric. WTF. I literally just unlocked the phone 0.5s ago.
New security guy.
This is fine. The authenticator has no awareness (by design) of whether or not the phone has been unlocked and for people who leave phones unlocked (or with poor unlock practices for convenience) this is a good thing.
Did your fingertip get tired?
That'd make sense, if policy enforcing lock screens wasn't a thing.
My finger is largely fine, assuming I didn't bash it or cut it on the weekend doing non-IT stuff.
I'm more annoyed by the waste of time.
I mean you're assuming every user with an authenticator has it on a managed phone, which may not be the case at all.
Specific to Google, you can enforce the "tap yes to continue" authenticator on a managed device.
HOTP/SMS you can't control, of course.