Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Grath » Fri Feb 24, 2017 1:12 am

A major vulnerability in the Cloudflare proxying provider used by all sites using Cloudflare left all traffic vulnerable to hacking and leakage, going back for multiple months. Details: https://bugs.chromium.org/p/project-zer ... il?id=1139

List of affected sites: https://github.com/pirate/sites-using-cloudflare

It is recommended you change your password for any site on that list.

Postby Kayma » Fri Feb 24, 2017 6:41 pm

It's a banner month for circumventing basic security practices.

Exhibit B: Google has crafted a practical attack on SHA-1. A nice big "I told you so" to the hardline approach they've taken to shaming-out SHA-1 TLS certificates for the last several years.

Postby Mazian » Fri Feb 24, 2017 7:08 pm

Kayma wrote: It's a banner month for circumventing basic security practices.

Exhibit B: Google has crafted a practical attack on SHA-1. A nice big "I told you so" to the hardline approach they've taken to shaming-out SHA-1 TLS certificates for the last several years.


Exhibit B-and-a-half: Turns out that SVN deduplication relies on SHA-1, and uploading a pair of files with matching hashes irretrievably corrupts the entire repository. Deduplication is enabled by default.

It's an interesting (and terrible!) failure mode, since most prior thoughts about the effect of hash collisions in VCSes were only looking at avoiding doctored files, not how to break the backend itself. Git uses SHA-1 dedup too, and a few years ago, someone discovered similar repo failure modes by testing a deliberately shortened hash.
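The dedup failure mode discussed in the post above, as an added toy example that is not part of the thread and is not SVN's or Git's code: a hypothetical content-addressed store keyed on SHA-1 truncated to two bytes (so that a collision can be constructed on the spot), first trusting the hash alone and then confirming a hit byte-for-byte. All class and function names are made up for the illustration, and the colliding inputs are constructed by the code itself.

```python
import hashlib
import itertools

def short_sha1(data, nbytes=2):
    """SHA-1 cut down to nbytes, standing in for a full-length collision."""
    return hashlib.sha1(data).digest()[:nbytes]

class CollisionError(Exception):
    """Two different contents mapped to the same dedup key."""

class NaiveStore:
    """Dedup by hash alone: a key hit is assumed to mean identical content."""
    def __init__(self):
        self.blobs = {}
    def put(self, data):
        key = short_sha1(data)
        self.blobs.setdefault(key, data)  # a colliding second blob is dropped
        return key
    def get(self, key):
        return self.blobs[key]

class CheckedStore(NaiveStore):
    """Same dedup, but a key hit is confirmed byte-for-byte before reuse."""
    def put(self, data):
        key = short_sha1(data)
        if self.blobs.setdefault(key, data) != data:
            raise CollisionError(key.hex())
        return key

def find_collision():
    """Constructed input: two different byte strings with equal short hash."""
    seen = {}
    for i in itertools.count():
        data = b"file-%d" % i
        key = short_sha1(data)
        if key in seen:
            return seen[key], data
        seen[key] = data

def demo():
    """Returns (naive store handed back wrong bytes?, checked store caught it?)."""
    a, b = find_collision()
    naive, checked = NaiveStore(), CheckedStore()
    naive.put(a)
    corrupted = naive.get(naive.put(b)) != b  # b reads back as a
    checked.put(a)
    try:
        checked.put(b)
    except CollisionError:
        return corrupted, True
    return corrupted, False
```

The naive store never reports an error: the second file simply reads back as the first, which is why the problem surfaces later as backend corruption rather than as a rejected upload.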

Postby Mongrel » Sat Mar 25, 2017 1:38 am

Image

Postby Thad » Sat Mar 25, 2017 12:23 pm

Still has to pass the House, and if it passes the House it doesn't take effect until December 4, but as far as I know that doesn't mean they won't be able to sell your browsing history from today after December 4.

(Well, not yours specifically. But ours.)

There's a followup article at Ars: How ISPs can sell your Web history—and how to stop them

And here's a thing I wrote in the comments section:

I wrote: I've been looking for a good solution to be able to use a VPN but still be able to access Netflix, Hulu, and other sites that block shared IPs.

One possibility is to subscribe to a VPN with a dedicated IP. The downside is that you lose the anonymity that comes with a shared IP. Your ISP can't track your activity, but you're leaving a trail everywhere you go that all points back to the same IP address, much as if you weren't using a VPN at all.

Another possibility is to set up a whitelist so that certain IPs go straight through, circumventing the VPN. I'm running pfSense on my router and I found a thread on that subject: Netflix vpn block -> how to "fix"? (The thread is focused on Sweden, so I'm not sure the same IP whitelist would work in the US, but the principle is the same.)

The downside to that isn't just that it requires a certain amount of technical expertise (this is Ars, after all; adding some rules to a router configuration shouldn't be much trouble for anyone reading this), it's that it's clumsy and tedious. It requires keeping track of a whole raft of IP addresses (not just domains!) associated with the sites you want to use, and of course those can change at any time.

And of course it means your ISP still has access to data about how much time you spend watching Netflix.

There is the possibility of doing both: having both a static-IP VPN and a shared-IP VPN, and using router rules to pass some IPs through the shared-IP VPN and others through the static-IP one. That's really overkill, though -- unless anybody knows of a VPN where you can sign up for both without having to pay double?


Sadly, no responses or recommendations.

I'm already subscribed to Private Internet Access (a shared-IP VPN) but I don't relish the idea of fucking around with pfSense router rules, and then having to do it again every time Netflix or Hulu changes an IP. I could sign up for a dedicated-IP VPN since I think that's probably good enough for my purposes, but I'm not sure how much of a performance hit videos would take if I routed them through a VPN, in which case whitelisting them would be the better route regardless of what type of VPN I'm using.

Though, come to think of it, there have been times I've forgotten to turn PIA off and loaded up Netflix and it didn't get blocked (I must have been assigned an IP that Netflix hadn't noticed was shared yet), and I think video was fine.

Postby Mongrel » Sat Mar 25, 2017 12:58 pm

Pirates, as always, are unaffected.


Postby Thad » Sun Apr 02, 2017 6:41 pm

Thad wrote: I'm already subscribed to Private Internet Access (a shared-IP VPN) but I don't relish the idea of fucking around with pfSense router rules,


Relish or no, this is what I spent this morning doing. I'll say one thing for it: it was less frustrating than doing taxes.

Thad wrote: and then having to do it again every time Netflix or Hulu changes an IP.


Incidentally, this is probably not going to be an issue. Hulu doesn't appear to change its required subdomains very often, so hopefully I won't need to change them in the future, and for Netflix there are actually a couple of automatically-updated lists that you can set pfBlockerNG up to use.

Anyway, don't know if anybody else here is using pfSense, but I put together a link roundup of the pages that told me how to do it.

Postby Thad » Mon Apr 03, 2017 4:02 pm

...oh my God, the Senate resolution allowing your ISP to sell your browsing data is SJR #34.

Postby sei » Tue Apr 04, 2017 5:58 am

[drawing of a draft taking lady liberty from behind]
Image

Postby Thad » Tue May 16, 2017 10:31 am

Charlie Stross summarizes WannaCry, framing it as a novel pitch rejected for being too implausible.

Seriously, this shit's fucking crazy. NSA finds a Windows zero-day, doesn't disclose it (because it doesn't want it fixed); names it after a Sega CD game*; it gets compromised by somebody (Russians?) and put up on Wikileaks; somebody else (North Koreans?) uses it to create a ransomware worm, which leads to massive global problems until a vacationing security researcher happens to notice a domain name in the code, registers it, and discovers that registering that domain triggers a kill switch that makes the worm go dormant.

* I think; unless there's some other possible source for "Eternal Blue" I'm missing. I know there were a bunch of nerd culture references in their malware names; the TV-spying program was called Weeping Angel.

Postby Mongrel » Fri Aug 04, 2017 11:50 am

G & M: WannaCry hero arrested in US on charges of authoring malware several years ago

This could also go in the "politicians don't understand computers thread" because the charges appear to be flimsy in the extreme and not well thought out at all.

Postby Mongrel » Wed Aug 09, 2017 1:48 pm

Image

Postby Mongrel » Tue Oct 17, 2017 2:27 pm



Uh, this appears to be a real thing and not actually crazy hyperbole.

Postby Thad » Mon Oct 23, 2017 10:43 am

Eeyup.

MS has issued a patch. The latest news I'm seeing from Apple and Google is a few days old and says they haven't fixed it yet. Not sure about any individual Linux distros.

But keep in mind the sheer number of devices out there that will never receive patches.

Basically, always treat wifi like it's unencrypted. Always treat e-mail like it's unencrypted.

Banking sites and other sites that are designed to handle sensitive information should be using HTTPS, meaning you've got in-browser encryption, so even if your wifi's encryption is no good, your data will still be encrypted. (It's a good idea to use HTTPS Everywhere so that you can use encryption on every site that supports it.) But your devices are most likely using unencrypted DNS, so that means third parties can snoop on what domains you're visiting even if they can't see what you're doing there.

In other very serious security news, RSA v1.02.013 is fucked (not literally); there's a vulnerability in the prime generation algorithm that allows an attacker to deduce a private key from a public one.

All told, the researchers estimate that Infineon's faulty library may have generated tens of millions of RSA keys in the five or so years it has been commercially available. A good many of them are practically factorizable, but even those that are not are considerably more vulnerable to factorization than federal standards and common-sense security guidelines dictate. RSA keys generated with OpenSSL, PGP-compliant programs, or similar computer programs aren't affected. People who have relied on smartcards or embedded devices for cryptographic functions should test their RSA keys using the researchers' fingerprinting tool. In the event the keys test positive, people should revoke them as soon as possible and generate new ones. Keys using Elliptic Curve Cryptography and other non-RSA methods aren't affected.
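An added example (not the researchers' tool and not from the thread) of how a fingerprint test of the kind mentioned in the quoted passage can work. It relies on the publicly described structure of the affected primes, p = k*M + (65537^a mod M) with M a product of small primes, which forces the modulus to be a power of 65537 modulo every one of those small primes. Assumptions: the odd primes up to 167 as the test set, and sample keys that are constructed inside the code.

```python
import math
import random

GEN = 65537
# Assumption: test against the odd primes up to 167.
SMALL_PRIMES = [r for r in range(3, 168, 2) if all(r % d for d in range(3, r, 2))]
M = math.prod(SMALL_PRIMES)

def subgroup(r):
    """All powers of GEN modulo the small prime r."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * GEN % r
    return seen

ALLOWED = {r: subgroup(r) for r in SMALL_PRIMES}

def has_fingerprint(n):
    """True if n mod r is a power of 65537 for every small prime r."""
    return all(n % r in ALLOWED[r] for r in SMALL_PRIMES)

def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin, used only to construct the sample key below."""
    if n < 5 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        squares = [pow(x, 2**i, n) for i in range(s)]
        if x != 1 and n - 1 not in squares:
            return False
    return True

def structured_prime(rng):
    """Constructed sample: a prime of the form k*M + (65537^a mod M)."""
    while True:
        p = rng.getrandbits(37) * M + pow(GEN, rng.getrandbits(62), M)
        if is_probable_prime(p, rng):
            return p

def sample_moduli(seed=1):
    """Constructed inputs: one structured modulus, one ordinary one."""
    rng = random.Random(seed)
    flawed = structured_prime(rng) * structured_prime(rng)
    ordinary = (2**127 - 1) * (2**89 - 1)  # product of two Mersenne primes
    return flawed, ordinary
```

A positive result only says the modulus has the telltale structure; as the quoted passage says, the response is to revoke the key and generate a new one.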

Postby IGNORE ME » Mon Oct 23, 2017 12:44 pm

Better yet, treat any sort of encryption as a suggestion.

Postby Thad » Tue Nov 21, 2017 4:36 pm

Have we talked about IME yet?

If you've bought an Intel processor in the last few years, it has a coprocessor called Intel Management Engine. IME's firmware runs a complete proprietary OS based on MINIX; it has network support and runs at a lower level than your OS. The security implications are serious, and, predictably, there are serious vulnerabilities.

There are steps for disabling some of IME's components (look for "Active Management" or "AMT" in your EFI settings), and some vendors (Google, Purism) ship hardware with modified firmwares that disable IME entirely. But there doesn't seem to be a good general-purpose tool for users to disable it.

And there's not really any good alternative. AMD and ARM chips don't use IME, but they've got similar coprocessors with similar proprietary firmware and similar vulnerabilities. POWER and SPARC don't, but they're not practical solutions for consumer PCs (the Talos II is about as entry-level as POWER gets, and it's $2400 for just a motherboard and processor).

Basically, I'm hoping RISC-V turns into a decent option at some point in the next few years, but in the meantime, hopefully Coreboot or somebody releases a good general-purpose tool for disabling IME.

(Then we'll just have to worry about the proprietary firmware on our GPUs!)

Postby Thad » Tue Nov 21, 2017 7:42 pm

By the way, if you're not using NoScript or similar, websites -- even seemingly reputable ones! -- are probably using your processor to mine cryptocurrency or logging your keystrokes.

Postby Grath » Tue Nov 28, 2017 4:48 pm


Apparently all you need to get root on MacOS High Sierra is "log in with username root and no password".

Postby IGNORE ME » Tue Nov 28, 2017 5:22 pm

Yep, confirmed on a company machine.

(It's from an elevation prompt, though, not a login, so you can't wander over and access somebody's locked computer. Well, we can't on our LDAP anyway.)
