General InfoSec discussion

Discussion in 'Business & Enterprise Computing' started by Gunna, Nov 18, 2019.

  1. ir0nhide

    ir0nhide Member

    Joined:
    Oct 24, 2003
    Messages:
    4,568
    Location:
    Adelaide
    Oof, that's some good info thanks Wazza
     
  2. tobes

    tobes Member

    Joined:
    Dec 23, 2001
    Messages:
    4,099
    Location:
    Melbourne
    This is glorious! https://signal.org/blog/cellebrite-vulnerabilities/

    Signal got a hold of a Cellebrite device, reverse engineered it, found some vulnerabilities that render it completely unreliable as evidence for any and all scans done on phones and now ships the exploits to all users of Signal.
     
    elvis, wazza, 3Toed and 2 others like this.
  3. OP
    OP
    Gunna

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    7,844
    Location:
    Brisbane
    I love this after reading the article:

    [Image: upload_2021-4-22_12-44-23.png]

    If this isn't a big F-you I don't know what is
     
    elvis, 3Toed, Daemon and 1 other person like this.
  4. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    15,066
    Location:
    Canberra
    I both love and hate the idea.

    I don't want unknown exploit code sitting around on my phone.
     
  5. OP
    OP
    Gunna

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    7,844
    Location:
    Brisbane
    Meh, if it's contained in a .txt file and does nothing and nothing can interact with it as it is located in the App storage location then it's harmless
     
    scrantic likes this.
  6. oldguy_qld

    oldguy_qld Member

    Joined:
    Feb 9, 2021
    Messages:
    33
    Mandatory?

    I thought most ISPs blocked IPv6
     
  7. wintermute000

    wintermute000 Member

    Joined:
    Jan 23, 2011
    Messages:
    2,540
    Um, not sure where you've been bud but IPv6 is everywhere on the public internet. Your phone is likely IPv6 right now. Enterprises haven't bought in but the standard NBN install is dual stack and most consumer devices will just grab it and go
     
  8. wazza

    wazza Member

    Joined:
    Jun 28, 2001
    Messages:
    3,721
    Location:
    NSW
    Another supply chain compromise - PasswordState updates between 20th-22nd April were under control of an attacker, and passwords stored in PasswordState are likely to have been compromised.
    https://www.bleepingcomputer.com/ne...ssword-manager-hacked-in-supply-chain-attack/

    I'm a fan - think honeypots and anything that wastes the time of someone trying to compromise you is great, and this would only ever do something if a Cellebrite device was used to get all of your private info from your phone.
     
    elvis likes this.
  9. wintermute000

    wintermute000 Member

    Joined:
    Jan 23, 2011
    Messages:
    2,540
    Oh man, imagine working somewhere using that product and the chaos next week
     
  10. wazza

    wazza Member

    Joined:
    Jun 28, 2001
    Messages:
    3,721
    Location:
    NSW
    Doesn't seem like it will have a huge impact IMO - upgrades are triggered manually which will significantly lower the number of people caught up in it, and the attack was discovered and shut down within 28 hours. Also seems that researchers found the C&C servers quickly and they've been shut down too. Someone on r/sysadmin confirmed they were hit, had multiple outbound calls to the C&C server but run MFA on everything and haven't had any MFA notifications (though of course you wouldn't get notifications for MFA where you have a token/MFA app etc, only those that email/sms).

    I run it and am not too concerned - we didn't upgrade during that timeframe, a vast majority of passwords kept in PasswordState require you to be on our network to access the resource (and no one has detected it dropping reverse shells) and wherever possible we use MFA.
     
  11. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    15,066
    Location:
    Canberra
    Microsoft's authenticator notifies you via the app when a request is needed. And you don't even need to copy the number across, just accepting the notification is enough.

    I would assume others do the same - in an attempt to make things more convenient for end users.
     
  12. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    13,428
    Location:
    Brisbane
    If enabled and configured etc. but yes. Duo also offers similar
     
  13. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    44,217
    Location:
    Brisbane
    Yup, Google has the same thing. Tap yes/no on phone to let your PC log in.

    More prone to risk than HOTP, but it has a much better user acceptance factor.
     
  14. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    15,066
    Location:
    Canberra
    Can also be configured horribly, work's changed things. So now:

    - notification on phone, can't just accept that.
    - have to unlock phone (pin/biometric)
    - accept notification
    - then get prompted again for your unlock pin/biometric. wtf. I literally just unlocked the phone 0.5s ago.
     
    stiben likes this.
  15. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    44,217
    Location:
    Brisbane
    /thread
     
  16. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    15,066
    Location:
    Canberra
    new security guy.

    #must_enable_everything
     
  17. ir0nhide

    ir0nhide Member

    Joined:
    Oct 24, 2003
    Messages:
    4,568
    Location:
    Adelaide
    This is fine. The authenticator has no awareness (by design) of whether or not the phone has been unlocked and for people who leave phones unlocked (or with poor unlock practices for convenience) this is a good thing.

    Did your fingertip get tired?
     
  18. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    15,066
    Location:
    Canberra
    that'd make sense, if policy enforcing lock screens wasn't a thing.

    my finger is largely fine, assuming I didn't bash it or cut it on the weekend doing non-IT stuff.
    I'm more annoyed by the waste of time.
     
  19. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    13,428
    Location:
    Brisbane
    I mean you're assuming every user with an authenticator has it on a managed phone, which may not be the case at all.
     
  20. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    44,217
    Location:
    Brisbane
    Specific to Google, you can enforce the "tap yes to continue" authenticator on a managed device.

    HOTP/SMS you can't control, of course.
     
