For once, please, can we as an #InfoSec community please NOT be total knobs when it comes to Cybersecurity Awareness Month?
People work hard to produce these programs, tips, and other events.
If our users see security practitioners not taking it seriously and crapping on it, WTF kind of message do you think that sends to end users … AND THEN users get made fun of. 🤦♀️
So, this October, be a part of the solution and not the problem.
Very interesting info on modern password cracking using PassGAN (https://arxiv.org/abs/1709.00440).
I can't vouch for this but also have no reason to doubt it.
@tdp_org @SnorriSturluson "...a cheap 8 TB hard drive can store roughly 10^12 password guesses. As such, password generation can be treated as an offline process."
That answers that, just generate a huge database of guesses in advance.
Those numbers suggest the average guess is only 8 characters long. Given how bad most passwords in the training set are, that's depressingly plausible.
Most keyboards can't make more than 10^16 unique combos of 8 characters, so 10^12 guesses is a good start.
@tdp_org @SnorriSturluson "In particular, when we used 7 · 10^9 passwords from PassGAN, we were able to match 51% (320,365) of passwords from the “new” RockYou dataset, and 73% (5,262,427) additional passwords from the “new” LinkedIn dataset."
That's kind of terrifying. 10^5 seconds is only about a day's worth so any password cracker that pumps out 70,000 attempts per second will blast through that set in a day.
Password waste is a huge problem in the United States. We have enough passwords to feed the hungry, but corporations would rather throw away the unsold passwords at the end of the day than let people use them.
For #infosec folks out there, what’s your routine/strategy for “staying current” in the field? I’ve written about my daily reading routine here for anyone interested.
@shellsharks To help address this, I created a curated RSS feed of high-quality sources at https://intel.taggartinstitute.org. You can either read it straight, or subscribe to the main feed, or any of the sub categories!
I've heard from a lot of folks it becomes their first stop during their routine.
@mttaggart I love what you’ve done with it. Even considered trying to do something similar since I’ve put so much effort in over the years compiling this list - https://shellsharks.com/infosec-blogs. Would definitely recommend this to others looking to pump up their regular infosec news-intake routine though.
"Mike #Johnson and His Son Monitoring Each Other’s Porn Intake Is Worse Than You Think"
“A US Congressman is allowing a 3rd Party tech company to scan ALL of his electronic devices daily and then uploading reports to his son about what he’s watching or not watching, who else is accessing that data”
Just fixed my @Efani dashboard issues, support was great. So now that I have access to my dashboard some notes for #Efani
TOTP Code generation shouldn't just be QR, you should also allow the string of text to be manually input. I had to use zbarimg to convert the QR code to text to input into my @yubico security key and vault for TOTP generation.
You should also add FIDO/WebAuthn support. TOTP has a single seed, so if stolen they have access. #infosec #Cybersecurity #SIMSwap #cellphone
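The point in the post above is that a TOTP provisioning QR code is nothing but a short text string (an otpauth:// URI carrying a base32 seed), so a site can offer that text directly. The following is an added example, not code from Efani, Yubico or the poster; the URI, the "Efani" issuer and the account label are constructed placeholders, and the seed is the public RFC 6238 test-vector key rather than anyone's real secret. It parses such a URI the way a decoder like zbarimg would hand it back, then computes the RFC 6238 code from it, which also illustrates the second point: whoever holds that one seed computes exactly the same codes.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed provisioning URI of the kind a TOTP QR code encodes. "Efani" and the
# account label are placeholders; the secret is the RFC 6238 test-vector key
# ("12345678901234567890" in base32), not anyone's real seed.
EXAMPLE_URI = (
    "otpauth://totp/Efani:user%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Efani&digits=8&period=30"
)


def parse_otpauth(uri: str) -> dict:
    """Pull the provisioning fields out of an otpauth://totp/ URI.

    This is the text a QR decoder hands back; a site that shows the secret as
    text instead of only as a QR image is simply offering this string directly.
    """
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    query = parse_qs(parts.query)
    if "secret" not in query:
        raise ValueError("otpauth URI has no secret parameter")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": query["secret"][0],
        "issuer": query.get("issuer", [""])[0],
        "algorithm": query.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


def totp(secret_b32: str, unix_time: int, digits: int = 6, period: int = 30,
         algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HMAC over the time-step counter, then dynamic truncation."""
    padded = secret_b32.upper().replace(" ", "")
    padded += "=" * (-len(padded) % 8)  # tolerate secrets displayed without '=' padding
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // period)
    digest = hmac.new(key, counter, getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def code_from_uri(uri: str, unix_time: int) -> str:
    """What any device holding the seed computes: the seed alone determines the code."""
    f = parse_otpauth(uri)
    return totp(f["secret"], unix_time, f["digits"], f["period"], f["algorithm"])


if __name__ == "__main__":
    fields = parse_otpauth(EXAMPLE_URI)
    print("seed that the QR image carried as plain text:", fields["secret"])
    print("code at T=59 (RFC 6238 vector):", code_from_uri(EXAMPLE_URI, 59))
```

Because the code depends only on the seed and the clock, a hardware key, a password vault and a phone app enrolled from the same URI all agree, which is exactly why a copied seed is as good as the original and why a FIDO/WebAuthn credential, whose private key never leaves the authenticator, is the stronger option the post asks for.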
Genuinely curious about this. I have heard from a few people that Summer Camp 2023 wasn't that good. Like, at all. Many people are talking about going next year, skipping the cons, and just having dinner with friends, or skipping Vegas entirely. Do others feel this way? Is this bitterness over a lack of an electronic badge, long lines, and overcrowded events in general? Or is this just old school hackers bitching? Inquiring minds want to know.
@geekgrrl I was always more of a HallwayCon person myself. Or just attend something that wasn’t “popular” just to meet interesting people irregardless of event “topic”. For example after QueerCon became a “legit” gathering instead of an Alexis Park pool orgy, I’d attend that despite being straight. Great interesting people, not a huge crowd.
@simplenomad
For me it was to the positive side of the centerline in the graph of all the summercamps I've attended, but not by a whole bunch. Definitely within one standard deviation of the mean.
That said, it wasn't bad. Yeah, it's crowded, but the Forum is easier to move in than the collection of hotels from prior years, and there's fewer goons having to bellow to keep things moving. Some villages were overcrowded, but others weren't. I never really found the simultaneously not completely deafening but still populated with my friends bar to gather at (like the lobby bar at Caesars before or the circular one at Paris).
BsidesLV was great though.
I am planning on going to Defcon next year, and plotting how to get the right balance of time with friends, meeting new friends, attending talks without having to sprint and stand in line, and some targeted village activities. Definitely attending BsidesLV again.
Are there any interesting #redteam or offensive security reports on cracking #guix or #nixos? I've always been curious what kind of challenges it would present in practice/how much difficulty the immutable store and containerization of packages would really pose, or if there are minor faults throughout the codebase they can easily be tracked down and exploit for professionals. But haven't found any good posts on the matter.
@twomikecharlie well, packages in the store are containerized and usually more or less ignorant of one another, or the greater filesystem and they are individually privileged without ambient authority. We run OS services in containers as well.
From everything I've read about the subject, container breakout seems hard.
@rml Could you specify what you mean by containerized? You obviously do not think of what people usually describe with the term (namespaces, cgroups, ...). NixOS is not an immutable container-based OS like, for example, Fedora Silverblue or Subgraph.
Service NSW says starting tomorrow it will scan the "Dark Web" for the email/password combination people use to log in and alert users if it finds that the credentials have leaked. I wonder what service provider it is using for this. #infosec #Australia
@dreadpir8robots @endareth @jkirk It seems that's more of a rhetorical device against password reuse/global ownership mentality. "I'm afraid of anyone knowing 'my' password."
With the lookup tool, you're not sharing passwords with any third party (inspect the network traffic, the input stays client-side), it's not associated with a username, and there's no way for it to know if the provided password is actually in use.
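The reply above claims three properties of the lookup tool: the password never leaves the client, it is not tied to a username, and the service cannot tell whether the password is in use. Below is an added example, not the tool's own code, showing one design that has all three properties: a hash-prefix range query of the kind popularised by Have I Been Pwned's Pwned Passwords API. Whether the tool in the post works exactly this way is an assumption; the breached-password corpus, the 5-character prefix length and the function names are all constructed for the example.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-in for the service's breach corpus. A real service holds
# hundreds of millions of entries; these five are made up for the example.
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "correct horse battery staple"]

PREFIX_LEN = 5  # hex characters that cross the wire; 16**5 buckets of many hashes each


def sha1_hex(password: str) -> str:
    """Hash exactly as the client does before anything is sent."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_server_index(corpus) -> Dict[str, List[str]]:
    """Server side: bucket breached hashes by prefix. No usernames, no plaintexts."""
    index: Dict[str, List[str]] = {}
    for pw in corpus:
        h = sha1_hex(pw)
        index.setdefault(h[:PREFIX_LEN], []).append(h[PREFIX_LEN:])
    return index


def server_range_query(index: Dict[str, List[str]], prefix: str) -> List[str]:
    """Everything the server ever sees is this prefix; it answers with the whole bucket.

    It learns neither the full hash nor the password, and cannot tell whether the
    client's password was among the suffixes it returned.
    """
    if len(prefix) != PREFIX_LEN:
        raise ValueError(f"prefix must be exactly {PREFIX_LEN} hex characters")
    return sorted(index.get(prefix.upper(), []))


def client_check(password: str, index: Dict[str, List[str]]) -> Tuple[bool, str, int]:
    """Client side: hash locally, send only the prefix, compare suffixes locally.

    Returns (found_in_breach, prefix_sent, number_of_candidates_returned).
    """
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    candidates = server_range_query(index, prefix)  # the only network round trip
    return suffix in candidates, prefix, len(candidates)


if __name__ == "__main__":
    idx = build_server_index(BREACHED_PASSWORDS)
    for candidate in ("password", "some-long-unique-passphrase-1234"):
        found, sent, n = client_check(candidate, idx)
        print(f"{candidate!r}: leaked={found}, server saw only {sent!r}, got {n} suffix(es) back")
```

If you inspect the network traffic of a tool built this way, the request carries five hex characters and nothing else, which is what the reply above means by "the input stays client-side".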
I may have found the ideal cell provider, and they actually have a nice cybersecurity posture, and you probably haven't heard of them either. I'll have details soon #infosec #cybersecurity
One of my favorite things about working with #Yubico as an affiliate and brand ambassador. Whenever I need keys for projects they oblige! #infosec #cybersecurity #yubikey
@hypernova yup, ANY YubiKey will work; they all work exactly the same, no more or less capability. The only difference is the way you interface: NFC, USB-A, USB-C, or Lightning. It’s why I have so many, as some devices don’t have USB-C yet.
Hi #InfoSec fediverse: Can you recommend "hacker type" people, who still actively post here?
Doesn't have to be particularly infosec related, I simply want my timeline to be filled with more technical/interesting/clever/creative hacker mindset stuff.
Dear #infosec community. How come we use Mastodon and not Nostr? I find it a little odd because, technically speaking, Nostr is way more interesting, don't you agree? User experience is great on Mastodon (talking elk.zone) though - and the crowd is better (in my bubble anyway). What's your take on Mastodon v Nostr? Genuinely interested in your opinions
You know you will be asked about #InfoSec topics in the news during your #Thanksgiving observance. Why not have some fun with it? See if you get a bingo talking to family and friends. 🦃🍽️
The questions I want answered for any cloud-based password manager:
· Is its encryption approach sane?
· Does the server have access to any plaintext data?
· Can the server manipulate the data?
· Are users being aided in creating safe credentials?
· Do encryption keys or their components ever leave user’s computer?
· Are there encryption backdoors meant to aid account recovery for example?
· Is the client-side software safe from web-based attacks?
· Are there precautions in place to avoid filling in passwords on the wrong websites?
· Are there precautions in place to avoid filling in passwords on compromised websites without user’s knowledge?
· …
The questions media coverage tends to focus on:
· Are there plain text passwords in memory that someone with administrator privileges on user’s machine could read out?
@WPalant Interesting, thanks. I do use sync (and a master password) with 2FA.
What do you mean by “entering the password for your Firefox account (which also happens to be your Firefox Sync encryption secret)”? I rarely need my account password, and it's not my master password.
@fnxweb The local master password is irrelevant for sync. The encryption key for sync is derived from your Firefox account’s password. And even if you never use your Firefox account, setting up sync requires you to enter that password into a web page at least once (it is displayed within the browser’s user interface).
@joshbressers @kurtseifried I just listened to the latest episode of the Open Source Security podcast. Rather entertaining listening to you two go back and forth. I was rather intrigued with the notion that it really isn't "supply chain" in the traditional sense - particularly in this cut-and-paste-from-stackoverflow world. Also interesting since a library or package might be listed as a component but either the vuln part of that component is never called or even never used. Interesting to think about (and we're still just talking about security, skipping the whole privacy elements aka "features" in this altogether).
@kurtseifried @joshbressers @simplenomad Cloud services could be well, anything really. Other than possibly making the management of the service someone else's job, it's only as static or reliable as someone is interested in keeping it.
(IoT cruft that depends on a vendor's whims for functionality are particularly bad; they may disappear at any time, and may not be maintained before then either.)
"The theft of a signing key continues to raise questions that Microsoft is not answering. What affected companies can do themselves now."
I can only support the call by @ju916! Ask, or rather flood, Microsoft with questions until meaningful answers finally arrive. heise offers suitable questions/templates that you can simply copy for your inquiry. 👇
@kuketzblog @ju916 Hello, are only companies/users affected who log in directly with MS? Or also those who connect to the #MS365 cloud services via a gatekeeper service/authentication company (such as Okta, ADFS)? The gatekeeper services also use OpenID techniques to register with #Microsoft, don't they? #cloud
When I look at how lousily MS answers normal support questions, I see nothing but gloom once things also get embarrassing for those gentlemen.
Recently had a Teams <-> Exchange Online problem. For two months they question you to death, escalate the ticket again and again, and still have no solution. Not even reasonable suggestions. Until we finally stumbled upon the cause ourselves.
Yikes, I just got what appears to be a signed email from Paypal that was also a phishing email. Curious if any #infosec people know how this could happen?
@williamgunn Well, that rules that out, I guess. To be honest I would have been surprised otherwise. Then my guess is also along the lines of someone somehow abusing the invoicing functionality.
@jkirk @livinginsyn @chetwisniewski Bug on Microsoft's web site. The metadata used to generate the link preview contains <meta property="og:url" content="www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023"/>, which (lacking the https:// prefix) is a relative URL that resolves to https://www.microsoft.com/en-us/security/security-insider/www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023 (observe the repeated www.microsoft.com in the middle), which is 404.
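The doubled-path URL in the post above is exactly what RFC 3986 relative-reference resolution produces when a link-preview fetcher treats a scheme-less og:url as a path relative to the page. The following is an added example, not Microsoft's or any preview service's code: it reproduces the resolution with Python's urljoin using the meta tag quoted in the post, and adds a small lint for the og:url field. The page URL used as the base is an assumption (the post only shows the resulting 404 URL; this base is the one whose path yields that duplication), and the "fixed" meta tag is constructed to show the corrected form.

```python
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urljoin, urlsplit

# Assumed page URL against which the preview fetcher resolves the og:url reference.
PAGE_URL = ("https://www.microsoft.com/en-us/security/security-insider/"
            "microsoft-digital-defense-report-2023")

# The <meta> tag quoted in the post, and a constructed corrected version.
BUGGY_META = ('<meta property="og:url" content="www.microsoft.com/en-us/security/'
              'security-insider/microsoft-digital-defense-report-2023"/>')
FIXED_META = ('<meta property="og:url" content="https://www.microsoft.com/en-us/security/'
              'security-insider/microsoft-digital-defense-report-2023"/>')


class OgParser(HTMLParser):
    """Collect og:* properties from <meta> tags (handles the self-closing form too)."""

    def __init__(self) -> None:
        super().__init__()
        self.og: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        prop = a.get("property") or ""
        if prop.startswith("og:") and a.get("content") is not None:
            self.og[prop] = a["content"]


def extract_og(html: str) -> Dict[str, str]:
    parser = OgParser()
    parser.feed(html)
    return parser.og


def resolve_og_url(html: str, page_url: str) -> str:
    """What a preview fetcher ends up with: the og:url resolved against the page URL.

    A value with no scheme and no host is a relative reference, so the base's last
    path segment is dropped and the whole 'www.microsoft.com/...' string is appended.
    """
    return urljoin(page_url, extract_og(html)["og:url"])


def og_url_problems(html: str) -> List[str]:
    """Lint for publishers: og:url must be an absolute http(s) URL with a host."""
    url = extract_og(html).get("og:url")
    if url is None:
        return ["no og:url meta tag"]
    parts = urlsplit(url)
    problems = []
    if parts.scheme not in ("http", "https"):
        problems.append(f"og:url lacks an http(s) scheme: {url!r}")
    if not parts.netloc:
        problems.append("og:url has no host and will be resolved relative to the page")
    return problems


if __name__ == "__main__":
    print("buggy  ->", resolve_og_url(BUGGY_META, PAGE_URL))
    print("fixed  ->", resolve_og_url(FIXED_META, PAGE_URL))
    print("lint   ->", og_url_problems(BUGGY_META))
```

The lint is the cheap check to put in a publishing pipeline: a scheme-less og:url is not wrong HTML and renders fine in the page, so nothing else will flag it before the preview consumer silently builds a dead link from it.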
So I’m testing my assumptions, but does anyone pirate games or software in general anymore? I mean I know they are out there, the fitgirl repacks etc. etc., but do people still trust the pirates' stuff to not come with new and novel malware?
@meejah Yeah same for myself, personally. I guess I should qualify my assumptions with, do people over a certain age pirate software and games as much as they used to anymore?:)
@PogoWasRight I would love to see mandatory breach disclosures in the US, more in line with what is required by GDPR in Europe. I think it's way overdue. The current "breach notification" regime hasn't worked out well for consumer victims.
@euroinfosec Great! I think we need to identify what we consider the minimum necessary elements or conditions to be disclosed and also what kinds of deceptive language or possibly misleading language need to be flat-out prohibited.
Maybe you can do an OpEd on your site, too, and we can start to get more people publicly speaking up on this issue.
And fwiw, I think the #GDPR and Canadian laws are also too weak in terms of mandating disclosure and transparency. I actually got sued in a Canadian court and had a court order against me for reporting on a breach and disclosing info on it.
It didn't stop me, of course, but still, the presumption should be disclosure and transparency.
(For those who don't know me IRL, my dad always told me I was a "tough cookie." 😂 )
Someone from Bardstown, Kentucky has just been trying to log into my LinkedIn account using credentials leaked from elsewhere, and I'm here chuckling about the little they would stand to gain from this fraudulent access. What's the endgame for compromised LinkedIn accounts? #InfoSec
@hypolite The endgame is almost always #spam. LI accounts frequently have complete copies of their owners' professional address books, a valuable set of mostly high-quality addresses.
Very rarely (all day every day, but only to a tiny percentage of people) they are going after the account owner specifically or hitting contacts of their primary target to impersonate them.