Little Pig, Little Pig! Let Me Admin! (Security Thread)

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby sei » Tue Oct 07, 2014 8:54 pm

Thad wrote:
Nate Hoffelder wrote:Adobe is gathering data on
Adobe isn’t just tracking what users are doing in DE4


For the uninitiated like me, DE refers to Digital Editions.

Postby Brantly B. » Tue Oct 07, 2014 9:42 pm

What's great is that Microsoft is fine-tuning their operating system based exclusively on data collected from whatever odd demographic would regularly use a pre-alpha build of Windows. That data seems worse than junk.

Honestly, with this nationwide addiction to unfiltered data collection, I'm surprised there aren't more coordinated poison pill types of data attacks. Make Google think the general public is really into ecchi anime, for example, or make the NSA conclude that Obama must be an actual terrorist, or fool Microsoft into tuning their OS for Dvorak keyboards. Modern day data wizards with the power of Anonymous at their backs ought to be able to pull it off.

Postby sei » Tue Oct 07, 2014 9:47 pm

"Our findings show that users love manually editing the registry!"

Postby Thad » Wed Oct 08, 2014 5:09 pm

Adobe responds, denies the part about collecting information on any book besides the one the end user is currently reading, confirms pretty much everything else, says encryption is something they've totally been meaning to get around to.

Postby Mothra » Wed Oct 08, 2014 6:31 pm

If memory serves, isn't Acrobat's ability to run any command it needs on your computer one of the single biggest computer security issues in history?

Wonder how long they've been "getting around to it."

Postby Brantly B. » Wed Oct 29, 2014 12:48 pm

So now there's a vulnerability in SSLv3 itself, not just a particular implementation of it. Real nice.

Postby Mongrel » Mon Nov 17, 2014 3:50 pm

James Mickens, a Microsoft security researcher, talks about some of the silly social paradigms ruling the current security community.

This is well done and on point, but the real reason you need to read this is because holy fuck is this guy ever funny. The article is a scream.

Sometimes, when I check my work email, I’ll find a message that says “Talk Announcement: Vertex-based Elliptic Cryptography on N-way Bojangle Spaces.” I’ll look at the abstract for the talk, and it will say something like this: “It is well-known that five-way secret sharing has been illegal since the Protestant Reformation [Luther1517]. However, using recent advances in polynomial-time Bojangle projections, we demonstrate how a set of peers who are frenemies can exchange up to five snide remarks that are robust to Bojangle-chosen plaintext attacks.” I feel like these emails start in the middle of a tragic but unlikely-to-be-interesting opera.


Researchers who work on problems like these remind me of my friends who train for triathlons. When I encounter such a friend, I say, “In the normal universe, when are you ever going to be chased by someone into a lake, and then onto a bike, and then onto a road where you can’t drive a car, but you can run in a wetsuit? Will that ever happen? If so, instead of training for such an event, perhaps a better activity is to discover why a madman is forcing people to swim, then bike, and then run.” My friend will generally reply, “Triathlons are good exercise,” and I’ll say, “That’s true, assuming that you’ve made a series of bad life decisions that result in you being hunted by an amphibious Ronald McDonald.” My friend will say, “How do you know that it’s Ronald McDonald who’s chasing me?”, and I’ll say “OPEN YOUR EYES WHO ELSE COULD IT BE?”, and then my friend will stop talking to me about triathlons, and I will be okay with this outcome.

Postby Mothra » Wed Nov 19, 2014 12:37 pm

The USA Freedom Act, a measure designed to "rein in the dragnet collection of data by the National Security Agency (NSA) and other government agencies [and] increase transparency of the Foreign Intelligence Surveillance Court," fails in the Senate due to Republican obstructionism. It was their own bill. Ted motherfucking Cruz was for this.

After a 58-42 vote, the measure had the support of the majority – but it didn't get the 60 votes necessary to break a Republican filibuster. It was something of an odd end for a bill that had been approved by the Republican-controlled House back in May.

The USA Freedom Act sought to amend the Foreign Intelligence Surveillance Act of 1978, to "rein in the dragnet collection of data by the National Security Agency (NSA) and other government agencies, increase transparency of the Foreign Intelligence Surveillance Court," as its chief House sponsor, Rep. Jim Sensenbrenner, R-Wis., says in a summary on his website.

Oddly, one of the votes against was Rand Paul. His justification was that it extended the Patriot Act's provision that allowed the NSA to search cell phone records:

Huffington Post wrote: Paul said he voted against the bill because it would have extended the Patriot Act provision that allows the NSA to search Americans’ phone records. He has consistently opposed the Patriot Act, passed in the wake of the Sept. 11, 2001, terrorist attacks.

Leahy’s bill extended the provision’s expiration to June 2017 -- as a compromise, in order to change the law to stop the NSA from holding onto phone records. Under Leahy’s bill, that duty would have been handed off to phone companies. The companies' records could only have been searched with a surveillance court's order.

Postby Thad » Wed Nov 19, 2014 12:51 pm

Politico wrote: Paul said immediately after the vote that he “felt bad” about his vote against the motion.

“They probably needed my vote,” he said, opposing Leahy’s bill because it would extend the sunset provisions for the laws authorizing surveillance. “It’s hard for me to vote for something I object to so much.”


PROBABLY?

You stupid bastard, it was TWO VOTES short of cloture.

I'm as opposed to extending PATRIOT as anybody. But either Paul knows as well as I do that the inevitable result of this is that PATRIOT's going to be extended anyway in another bill AND the warrantless surveillance program is going to continue unabated because this bill didn't pass, OR Paul is even stupider than I previously thought.

Postby Mongrel » Wed Nov 19, 2014 1:01 pm

Bets on how many bad "So this is how Freedom dies." memes we'll see out of this? :whoops:

Postby Thad » Fri Dec 05, 2014 1:16 am


Postby Thad » Wed Dec 17, 2014 1:39 am

Ars Technica briefly compromised; attackers probably got user database containing username/E-Mail/hashed password combinations.

If you're exercising good password hygiene -- unique, pseudorandomly-generated -- you're probably fine; it's a good idea to change your password on principle, but odds are against it being recovered by brute force. It's worth reading the promoted comments by epixoip (Jeremi Gosney), who notes of the PHPass hashing algorithm Ars uses:

epixoip wrote:To see just how solid PHPass is, let's look back at another famous breach which used PHPass: Forbes. Back in February, Forbes had 1,071,961 password hashes dumped by SEA. Out of those 1,071,961 password hashes, 1,071,734 were hashed using PHPass.

Now as the keen Ars reader will recall, normally us professional password crackers can get a public dump 85-95% cracked within a rather short period of time. And indeed, the 227 passwords that weren't hashed with PHPass were 100% cracked in just a few short minutes. But after 10 months, we currently only have the Forbes PHPass hashes 16.19% cracked. Yes, you read that correctly. We've only managed to crack 173,548 -- or 16.19% -- of the Forbes passwords, and most of those were Top 20K passwords.

Postby Mongrel » Sat Dec 20, 2014 4:29 pm

I'm going to separate this out from the overall "The Interview" discussion, because it relates specifically to absolutely boneheaded security practices.

Nextweb: New Sony Pictures leak appears to contain lists of passwords in plain text, security certificates

Reportedly found in a folder called “Password,” a huge list of Excel files (many of which are unprotected) contained scores of what appear to be passwords for almost every system imaginable, from phones to AMEX logins and more.


a folder called “Password,”



Postby Brantly B. » Sat Dec 20, 2014 4:59 pm

Now to be fair...

...

...

Nope, I've got absolutely nothing to play Devil's Advocate with.

Postby Thad » Sat Dec 20, 2014 5:20 pm

So if this is true, basically nobody should listen to what Mandiant says about anything, ever.

Postby Brantly B. » Sat Dec 20, 2014 7:38 pm

In case you still haven't figured it out already:

In some ways, Mandia’s argument reflects the current wisdom in the security industry that, “There are two types of companies: Those that have been breached, and those that don’t know yet that they’ve been breached.” Yet, even for security professionals that accept that mantra, it does not mean that a successful compromise needs to lead to a significant breach, Levine told Ars.


There's a very significant difference between access and security, and anybody who conflates the two has already fucked up.

Postby Thad » Sat Dec 20, 2014 8:12 pm

Adding:

Mongrel wrote:
a folder called “Password,”


This isn't really the problem; UNIX-style systems traditionally store the entire userbase's passwords in the obvious and standardized location /etc/passwd.

The difference is that the passwords in /etc/passwd are salted and hashed.

The problem isn't that there's a big neon sign with an arrow that says "PASSWORDS STORED HERE." The problem is that the passwords are in cleartext.

There are a couple of precepts to keep in mind here.

One: Passwords stored in cleartext should be considered equivalent to not having any passwords at all.

Two: Nobody, not even people given root access, should have access to anyone else's passwords but their own.

(There are a couple of caveats to these rules of thumb, which mostly boil down to situations that require physical access. When I was working for a medical nonprofit -- which, due to HIPAA, had the strongest security regs of any place I've ever worked -- every laptop we shipped out to employees had a unique boot password. Given that (1) boot passwords can't be reset remotely, (2) a master list of boot passwords is not useful unless an attacker has physical access to at least one of the laptops on it, and (3) a boot password is merely a first line of defense and still won't decrypt the hard drive or allow you to log in, it is perfectly reasonable for the IT department to have a master list of everybody's boot passwords. That is not, however, the same thing as having a central listing of multiple different users' passwords. That shouldn't exist. There's a reason that, in a typical "forgot my password" situation, your password cannot be recovered, only reset.)
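Thad's salting-and-hashing point, as an added example that is not code from the thread or from any system it discusses: a minimal credential store built on PBKDF2 from Python's standard library, with constructed sample users and an assumed iteration count. It shows why a dumped copy of the store exposes no passwords, why two users with the same password get different records, and why "forgot my password" can only reset.

```python
# Added example, not code from the thread: a password store that keeps
# salted, iterated hashes instead of the cleartext the leaked "Password"
# folder held. Standard library only; usernames and passwords are constructed.
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; raise it as hardware gets faster

def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$iters$salt_hex$hash_hex' for storage."""
    if not salt:
        salt = os.urandom(16)  # per-user salt: same password, different record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-derive from the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)

def add_user(store: dict, username: str, password: str) -> None:
    store[username] = hash_password(password)

def check_login(store: dict, username: str, password: str) -> bool:
    stored = store.get(username)
    return stored is not None and verify_password(password, stored)

def reset_password(store: dict, username: str, new_password: str) -> None:
    # The only "forgot my password" operation possible: nothing can be recovered,
    # not even by whoever has root on the box holding this store.
    store[username] = hash_password(new_password)

def demo() -> dict:
    store = {}  # what an admin, or an attacker who dumps the file, gets to see
    add_user(store, "alice", "correct horse")
    add_user(store, "bob", "correct horse")  # same password as alice
    return {
        "alice_ok": check_login(store, "alice", "correct horse"),
        "alice_wrong": check_login(store, "alice", "Correct horse"),
        "same_pw_same_record": store["alice"] == store["bob"],
        "plaintext_in_store": any("correct horse" in v for v in store.values()),
    }
```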

Postby Grath » Sun Dec 21, 2014 1:11 am

Mongrel wrote: I'm going to separate this out from the overall "The Interview" discussion, because it relates specifically to absolutely boneheaded security practices.

Nextweb: New Sony Pictures leak appears to contain lists of passwords in plain text, security certificates

Reportedly found in a folder called “Password,” a huge list of Excel files (many of which are unprotected) contained scores of what appear to be passwords for almost every system imaginable, from phones to AMEX logins and more.


a folder called “Password,”



Surprisingly relevant VGCats! He must've updated recentl- oh wait, no, it's just from the LAST time Sony got massively hacked.


Postby Mongrel » Mon Dec 22, 2014 1:00 pm

This is completely off topic, but I wanted to mention that through these emails we learned that George Clooney is apparently the only person working with or for Sony who understands information security.


Pffflolol
