@joshbressers @kurtseifried I just listened to the latest episode of the Open Source Security podcast. Rather entertaining listening to you two go back and forth. I was rather intrigued with the notion that it really isn't "supply chain" in the traditional sense - particularly in this cut-and-paste-from-stackoverflow world. Also interesting since a library or package might be listed as a component but either the vuln part of that component is never called or even never used. Interesting to think about (and we're still just talking about security, skipping the whole privacy elements aka "features" in this altogether).
@kurtseifried @joshbressers @simplenomad Cloud services could be, well, anything really. Other than possibly making the management of the service someone else's job, it's only as static or reliable as someone is interested in keeping it.
(IoT cruft that depends on a vendor's whims for functionality are particularly bad; they may disappear at any time, and may not be maintained before then either.)
The questions I want answered for any cloud-based password manager:
· Is its encryption approach sane?
· Does the server have access to any plaintext data?
· Can the server manipulate the data?
· Are users being aided in creating safe credentials?
· Do encryption keys or their components ever leave the user’s computer?
· Are there encryption backdoors meant to aid account recovery for example?
· Is the client-side software safe from web-based attacks?
· Are there precautions in place to avoid filling in passwords on the wrong websites?
· Are there precautions in place to avoid filling in passwords on compromised websites without the user’s knowledge?
· …
The questions media coverage tends to focus on:
· Are there plain text passwords in memory that someone with administrator privileges on the user’s machine could read out?
@WPalant Interesting, thanks. I do use sync (and a master password) with 2FA.
What do you mean by “entering the password for your Firefox account (which also happens to be your Firefox Sync encryption secret)”? I rarely need my account password, and it's not my master password.
@fnxweb The local master password is irrelevant for sync. The encryption key for sync is derived from your Firefox account’s password. And even if you never use your Firefox account, setting up sync requires you to enter that password into a web page at least once (it is displayed within the browser’s user interface).
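The checklist above (does the server see plaintext, do keys leave the user's computer, can the server manipulate the data) and the remark that a sync key is derived from the account password both come down to one design decision: how the secrets that leave the machine are separated from the key that protects the vault. The following Python is an added illustration of that split, not the code of any real password manager or of Firefox Sync (whose actual derivation is not reproduced here). The PBKDF2 cost, the labels "auth" and "encryption", the HMAC-based stream cipher used so the example needs only the standard library, and the sample salt and vault are all assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Added illustration of key separation for a cloud vault; not any product's
# protocol. The cost parameter and the purpose labels are assumptions.
PBKDF2_ITERATIONS = 600_000  # assumption: a modern cost for PBKDF2-HMAC-SHA256


def stretch_master_password(password: str, salt: bytes) -> bytes:
    """Slow, salted stretching of the master password. Runs on the client only."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def derive_subkey(parent: bytes, label: bytes) -> bytes:
    """HKDF-style expansion: one parent secret, an independent 32-byte child per label.
    Knowing one child (e.g. the auth key) does not reveal the parent or its siblings."""
    return hmac.new(parent, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream cipher for the example: HMAC-SHA256 in counter mode as the keystream."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_vault(enc_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate stream and MAC subkeys; output is nonce||ct||tag."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(derive_subkey(enc_key, b"stream"), nonce, plaintext)
    tag = hmac.new(derive_subkey(enc_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(enc_key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the tag fails (wrong key or tampering)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(derive_subkey(enc_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _keystream_xor(derive_subkey(enc_key, b"stream"), nonce, ct)


def client_login_and_upload(password: str, salt: bytes, vault: bytes) -> Tuple[bytes, bytes]:
    """What leaves the user's machine: the auth key and the ciphertext, never enc_key.
    (A real server would hash auth_key again before storing it.)"""
    stretched = stretch_master_password(password, salt)
    auth_key = derive_subkey(stretched, b"auth")          # sent to the server for login
    enc_key = derive_subkey(stretched, b"encryption")     # stays on the client
    return auth_key, encrypt_vault(enc_key, vault)


def server_can_read_vault(auth_key: bytes, blob: bytes) -> bool:
    """The server's view: it holds only auth_key and blob. Can it decrypt?"""
    return decrypt_vault(auth_key, blob) is not None


def server_tampering_detected(auth_key: bytes, blob: bytes, password: str, salt: bytes) -> bool:
    """Flip one byte of the stored ciphertext and check that the real client refuses it."""
    tampered = bytearray(blob)
    tampered[20] ^= 0x01  # past the 16-byte nonce, inside the ciphertext (or tag)
    enc_key = derive_subkey(stretch_master_password(password, salt), b"encryption")
    return decrypt_vault(enc_key, bytes(tampered)) is None


def roundtrip(password: str, salt: bytes, vault: bytes) -> Optional[bytes]:
    """Legitimate client: re-derive enc_key from the master password and decrypt."""
    _auth_key, blob = client_login_and_upload(password, salt, vault)
    enc_key = derive_subkey(stretch_master_password(password, salt), b"encryption")
    return decrypt_vault(enc_key, blob)


if __name__ == "__main__":
    SALT = b"constructed-per-user-salt"   # constructed sample; real salts are random per user
    VAULT = b"example.com: hunter2\n"     # constructed sample vault content
    PW = "correct horse battery staple"
    auth, blob = client_login_and_upload(PW, SALT, VAULT)
    print("server can read vault:", server_can_read_vault(auth, blob))
    print("tampering detected:   ", server_tampering_detected(auth, blob, PW, SALT))
    print("client roundtrip:     ", roundtrip(PW, SALT, VAULT) == VAULT)
```

The point is the split: the value the server learns at login is derived from the same stretched secret as the vault key but cannot be turned back into it, so a dump of the server's database yields ciphertext and login hashes rather than passwords. The authentication tag answers the "can the server manipulate the data" question: a byte the server flips is rejected by the client instead of being silently accepted. Whether a given product actually works this way is exactly what the checklist is meant to find out, and it is also why a password typed into a web page (as described for setting up sync) matters: at that moment the web page, not just the local client, holds the secret everything is derived from.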
Hi #InfoSec fediverse: Can you recommend "hacker type" people, who still actively post here?
Doesn't have to be particularly infosec related, I simply want my timeline to be filled with more technical/interesting/clever/creative hacker mindset stuff.
"The theft of a signing key continues to raise questions that Microsoft is not answering. What affected companies can do themselves now."
I can only support the call by @ju916! Keep asking Microsoft, flood them with questions, until meaningful answers finally arrive. heise provides corresponding questions/templates that you can simply copy for your own inquiry. 👇
@kuketzblog @ju916 Hello, are only companies/users affected who sign in directly with MS? Or also those who connect to the #MS365 cloud services through a gatekeeper service/authentication provider (such as Okta, ADFS)? The gatekeeper services also use OpenID techniques to register with #Microsoft, don't they? #cloud
When I look at how poorly MS answers ordinary support questions, I see a bleak outlook once things also get embarrassing for the gentlemen.
Recently had a Teams <-> Exchange Online problem. For two months they grill you, keep escalating the ticket again and again, and still have no solution. Not even sensible suggestions. Until we finally stumbled on the cause ourselves.
One of my favorite things about working with #Yubico as an affiliate and brand ambassador. Whenever I need keys for projects they oblige! #infosec #cybersecurity #yubikey
@hypernova yup, ANY YubiKey will work; they all work exactly the same, no more or less capability. The only difference is the way you interface: NFC, USB-A, USB-C, or Lightning. It’s why I have so many, as some devices don’t have USB-C yet
I may have found the ideal cell provider, and they actually have a nice cybersecurity posture, and you probably haven't heard of them either. I'll have details soon #infosec #cybersecurity
Dear #infosec community. How come we use Mastodon and not Nostr? I find it a little odd because, technically speaking, Nostr is way more interesting, don't you agree? User experience is great on Mastodon (talking elk.zone) though - and the crowd is better (in my bubble anyway). What's your take on Mastodon v Nostr? Genuinely interested in your opinions
Someone from Bardstown, Kentucky has just been trying to log into my LinkedIn account using credentials leaked from elsewhere, and I'm here chuckling about the little they would stand to gain from this fraudulent access. What's the endgame for compromised LinkedIn accounts? #InfoSec
@hypolite The endgame is almost always #spam. LI accounts frequently have complete copies of their owners' professional address books, a valuable set of mostly high-quality addresses.
Very rarely (all day every day, but only to a tiny percentage of people) they are going after the account owner specifically or hitting contacts of their primary target to impersonate them.
So I’m testing my assumptions, but does anyone pirate games or software in general anymore? I mean, I know they are out there, the fitgirl repacks etc., but do people still trust the pirated stuff to not come with new and novel malware?
@meejah Yeah, same for myself, personally. I guess I should qualify my assumptions with: do people over a certain age pirate software and games as much as they used to anymore? :)
@PogoWasRight I would love to see mandatory breach disclosures in the US, more in line with what is required by GDPR in Europe. I think it's way overdue. The current "breach notification" regime hasn't worked out well for consumer victims.
@euroinfosec Great! I think we need to identify what we consider the minimum necessary elements or conditions to be disclosed and also what kinds of deceptive language or possibly misleading language need to be flat-out prohibited.
Maybe you can do an OpEd on your site, too, and we can start to get more people publicly speaking up on this issue.
And fwiw, I think the #GDPR and Canadian laws are also too weak in terms of mandating disclosure and transparency. I actually got sued in a Canadian court and had a court order against me for reporting on a breach and disclosing info on it.
It didn't stop me, of course, but still, the presumption should be disclosure and transparency.
(For those who don't know me IRL, my dad always told me I was a "tough cookie." 😂 )
Yikes, I just got what appears to be a signed email from Paypal that was also a phishing email. Curious if any #infosec people know how this could happen?
@williamgunn Well, that rules that out, I guess. To be honest I would have been surprised otherwise. Then my guess is also along the lines of someone somehow abusing the invoicing functionality.
@jkirk @livinginsyn @chetwisniewski Bug on Microsoft's web site. The metadata used to generate the link preview contains <meta property="og:url" content="www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023"/>, which (lacking the https:// prefix) is a relative URL that resolves to https://www.microsoft.com/en-us/security/security-insider/www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023 (observe the repeated www.microsoft.com in the middle), which returns a 404.
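As an added example (not Microsoft's code, nor that of any link-preview service), the Python below reproduces the resolution described in the post with the standard library's urljoin, which implements the same RFC 3986 reference resolution a preview generator applies, and adds a small linter that flags an og:url without a scheme before it ships. The page URL is the one named in the post; the HTML snippet is a constructed sample built around the quoted meta tag, and the parser class and finding texts are my own.

```python
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urljoin, urlsplit

# The page URL is the one named in the post; the HTML is a constructed sample
# built around the og:url tag quoted there.
PAGE_URL = ("https://www.microsoft.com/en-us/security/security-insider/"
            "microsoft-digital-defense-report-2023")

SAMPLE_HTML = """<html><head>
<meta property="og:title" content="Microsoft Digital Defense Report 2023"/>
<meta property="og:url" content="www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023"/>
</head><body></body></html>"""


class OpenGraphParser(HTMLParser):
    """Collects every <meta property="og:..." content="..."> into a dict."""

    def __init__(self) -> None:
        super().__init__()
        self.properties: Dict[str, str] = {}

    def handle_starttag(self, tag: str, attrs) -> None:
        # Self-closing <meta .../> tags also land here via handle_startendtag.
        if tag != "meta":
            return
        attr = {k: (v or "") for k, v in attrs}
        prop = attr.get("property", "")
        if prop.startswith("og:") and "content" in attr:
            self.properties[prop] = attr["content"]


def parse_open_graph(html: str) -> Dict[str, str]:
    parser = OpenGraphParser()
    parser.feed(html)
    return parser.properties


def resolve_like_a_consumer(page_url: str, og_url: str) -> str:
    """RFC 3986 resolution: a scheme-less og:url is merged into the page's path."""
    return urljoin(page_url, og_url)


def check_og_url(page_url: str, og_url: str) -> List[str]:
    """Lint the canonical URL; an empty list means nothing suspicious was found."""
    findings: List[str] = []
    parts = urlsplit(og_url)
    if not parts.scheme:
        findings.append(
            "og:url has no scheme, so consumers treat it as a relative reference "
            f"and resolve it to {urljoin(page_url, og_url)}"
        )
    elif parts.scheme not in ("http", "https"):
        findings.append(f"og:url uses unexpected scheme {parts.scheme!r}")
    elif parts.netloc != urlsplit(page_url).netloc:
        # Worth a look: previews of this page would be attributed to another host.
        findings.append(f"og:url points at a different host: {parts.netloc}")
    return findings


if __name__ == "__main__":
    props = parse_open_graph(SAMPLE_HTML)
    print("og:url as published:", props["og:url"])
    print("resolves to:        ", resolve_like_a_consumer(PAGE_URL, props["og:url"]))
    for finding in check_og_url(PAGE_URL, props["og:url"]):
        print("FINDING:", finding)
```

Run on the sample, the resolved value is exactly the doubled URL quoted in the post: the base path up to its last slash is kept and the bare host name is appended as if it were a path segment. The same check is cheap to run in a publishing pipeline over every page's Open Graph block, since a scheme-less og:url is never what the author meant.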