Lockdownyourlife, to infosec

I don't want to hear about your bots, builds, or bytes.

I want to hear about your cats, gin (or non-alcoholic libations), and hobby unrelated to computers.

Also what are you doing when you leave tech?

simplenomad, to infosec
@simplenomad@rigor-mortis.nmrc.org avatar

Genuinely curious as most of my followers are #infosec and somewhat logically minded (just somewhat) - how many of you have #solar panels, batteries, an #EV, or even gas/diesel generators at home? Or more than one? Curious.

endareth, to infosec
@endareth@disobey.net avatar

Is anyone else just a little concerned that the rush towards copyable #passkeys (as against hardware bound such as a #YubiKey) is still a single factor #InfoSec risk? I’m quite happy having a #passkey instead of a password as one factor, so long as I can still add MFA to it, but I’m concerned that this isn’t going to be implemented in most cases.

Haste, to infosec
@Haste@mastodon.social avatar

Today I learned about "side channel attacks", in which identity of a user can be inferred by whether or not they have permission to view an embedded object on a page.

#infosec #tech #news

https://www.wired.com/story/web-deanonymization-side-channel-attack-njit/

cazabon, to security

1/13 So, this week I discovered my first in a public system.

In the past I've found in , problems with , with bureaucratic processes, some of which were significant, but they all pale in comparison to this one.

It starts with a of .

mattburgess, to tech

NEW: WhatsApp will soon make it possible to chat with people who use other messaging apps. It's revealed some more details on how that will work.

— Apps will need to sign an agreement with Meta, then connect to its servers.
— Meta wants people to use the Signal Protocol, but also says other encryption protocols can be used if they can meet WhatsApp's standards
— WhatsApp has been testing with Matrix in recent months, although nothing is agreed yet. Swiss app Threema says it won't become interoperable

https://www.wired.com/story/whatsapp-interoperability-messaging/ #tech #whatsapp #dma #infosec #news #technology

juliewebgirl, to infosec
@juliewebgirl@mstdn.social avatar

WAIT! WTF??

When did it become law to require #2FA if customer info is on a server??

Alternately, what companies are making that shit up so that they can force 2FA??

And stop this madness convincing people to use 2FA when they don't even know what it's called or how it actually works other than "they send a code to your phone"!!

HEADDESK
HEADDESK
HEADDESK

#infosec @elfin

Morishima, to security
@Morishima@ieji.de avatar
kuketzblog, to microsoft German
@kuketzblog@social.tchncs.de avatar

It really still exists!

"iX-Workshop: Microsoft 365 sicher und datenschutzfreundlich konfigurieren" (iX workshop: configuring Microsoft 365 securely and in a privacy-friendly way)

Privacy-friendly, whatever that may mean for MS365. And secure? As long as Microsoft doesn't lose the front-door key again... 😁

The name of the workshop urgently needs rethinking.

MsDropbear42, to infosec

I created this account on 6/6/23, intending it to be my replacement for my current/active one https://kolektiva.social/@MsDropbear. However back then, after doing all my et al, i halted my changeover & placed this https://infosec.exchange/@MsDropbear42 on-hold. That was coz i was disappointed, indeed frustrated, that several of my desired , each of which work fine in , seemed to work only partially or not at all in . Huh?

Every now & then i've logged back into this account to check if they're better, & no they're not. That's a bugger, coz the infosec.exchange Instance seems to have several nice GUI enhancements over other Instances' websites' , which would be good to use.

So, a bit of a ; make infosec.exchange my new full-time daily home & accept the effective loss of those Follows, or stick with the fully-available Follows but slightly less sophisticated UI of kolektiva.social. Hmmm.

Tonight whilst doing this latest round of testing & head-scratching, i did at least finally ascertain, afaict, exactly why those particular account-Follows aren't working well here. At least one of them is from the domain @bird.makeup, which only tonight i realised, per https://infosec.exchange/about - Moderated servers, is listed! Ah.
⬇️
bird.makeup
Limited
Reason not available

So then i checked each of the troublesome Follows, & voila, they're all on that domain. Gaaaah. 🤦‍♀️​Weirdly though, two other Follows, also on that domain, seem to be working ok here, so that's another huh? 🤷‍♀️​

https://bird.makeup/users/lenoretaylor
https://bird.makeup/users/rachelrwithers
https://bird.makeup/users/annabelcrabb
https://bird.makeup/users/crikey_news

I'd be sad to lose all four, but the one i most wish to have still, if i had to pick, is the Crikey one. Doing a search in infosec.exchange yielded a possible alternative, which uses a different domain, not included in the Moderated servers list; @crikey_news. So now it's another little waiting game; dunno how long it'll take for my Follow request to be approved [or not], & then... does it actually feed the Crikey posts into my Home timeline with the same alacrity as now in kolektiva.social? If yes, then i'll make infosec.exchange my new daily Instance. If no... then... 🤯

Stark9837, (edited ) to Youtube
@Stark9837@techhub.social avatar

"Why We Left The Cloud"

Recently watched this video by #ThePrimeTime on #Youtube, and his hot-take 🔥 was that they were using #Ruby, and half of their pain was caused by this.

I have no experience with Ruby at all and most probably won't even recognize it if I were to read it.

If Ruby is such a bottleneck and inefficient, why did #Mastodon :mastodon: use Ruby for its implementation?

I know Ruby is often praised for servers and backends, especially APIs, but we have many solutions for this in #Python :python: , which I wouldn't recommend, but #Go :golang: and #Rust.

Does anyone have opinions or sources for this statement?

Video: https://youtube.com/watch?v=6h4oiPwtwDk&feature=share

Original article: https://world.hey.com/dhh/why-we-re-leaving-the-cloud-654b47e0

#programming #tech #infosec

chiefgyk3d, to email
@chiefgyk3d@social.chiefgyk3d.com avatar

I'm sad, I would really love to go back to hosting my own server again but it's not feasible anymore after running my own for almost a decade thanks to @MailInABox by @josh as it's like a full time job managing deliverability and such. Plus with email security these days you pretty much need an email security gateway and most proper security products only work with Google or Microsoft. Plus to get guaranteed delivery I needed to setup and pay for dedicated relays.

timbray, to infosec
@timbray@cosocial.ca avatar

I see a graphic like this and instantly think “So… iCloud Keychain is now the #1 UltraMax Priority Target for every criminal hacker and national intelligence agency in the world.”

Apple isn’t stupid, but is it smart to bet on them against all of those adversaries? Not a rhetorical question.

(Source of the graphic: https://www.pcmag.com/how-to/no-more-passwords-how-to-set-up-apples-passkeys-for-easy-sign-ins)

rysiek, to telegram
@rysiek@mstdn.social avatar

Here we go again:

Telegram’s peer-to-peer SMS login service is a privacy nightmare
https://techcrunch.com/2024/03/25/telegrams-peer-to-peer-sms-login-service-is-a-privacy-nightmare/

sigh

Stop using . Seriously.

Telegram uses confusing language to pretend it is end-to-end encrypted by default. It is not — you have to enable that separately for each chat, and it only works for one-on-ones, not groups.

Telegram's protocol design is sus af (that's a technical term), and that's putting real people in real danger:
https://www.pwnallthethings.com/p/russia-is-spying-on-telegram-chats

WhyNotZoidberg, (edited ) to microsoft
@WhyNotZoidberg@topspicy.social avatar

Having an AI ("Windows Recall" is enabled by default) that tracks every move you do on your computer and of course has no filter (Microsoft's own FAQ clearly states it will remember every password you type) is idiotic. But Tech bros are frothing at the mouth for anything AI so here we are.

#Microsoft #AI #InfoSec #Security #WIndows #Windows11 #Linux

imwiththecats, to infosec
@imwiththecats@mastodon.social avatar

Small rant. I’m trying to sell my stuff online. I was immediately permabanned by #eBay and #Poshmark, most likely due to my active #mullvad VPN connection and associated IP.

I’m glad I signed up for Mercari from my mobile, sans VPN.

I’m probably going to be exploring some VPN alternatives. Why is it so hard to have #privacy AND #trust? #infosec @mullvadnet

RTP, to news
@RTP@fosstodon.org avatar
Rairii, to infosec

so, it's been almost a month since the patch released (exactly a month would be friday)

Introducing bitpixie (CVE-2023-21563), a 17 year old bug (introduced in 5231.2 from october 2005 at the latest) leading to bitlocker (with TPM) bypass and key dumping

When booting from network via PXE, there's a special type of boot entry allowed called "PXE soft reboot".

This just loads the given PE from the remote PXE server, and does BS->LoadImage and BS->StartImage on it.

...except when BS->StartImage is called, derived BitLocker keys are still in memory!

When Secure Boot is disabled, you can just load any payload you want, of course.

When Secure Boot is enabled, things are slightly more complicated.

Luckily, there's a way for a physically present user to bypass Secure Boot: if you go into advanced options menu and choose "disable driver signature enforcement", win8+ winload will load a selfsigned mcupdate*.dll, and call its entrypoint before ExitBootServices.

When loading bootmgfw again, winload won't know of the older BitLocker keytable, and will enable access to the advanced boot options menu.

You need to set up enough of a Windows image so winload can reach the code path to load and execute mcupdate*.dll.

I used windows 8.1 RTM (9600.16384) for this, the files required from its boot.wim are:

Windows\apppatch\drvmain.sdb
Windows\Boot directory
Windows\fonts\vgaoem.fon
Windows\Inf directory
and in Windows\system32:
Boot, config, drivers directories
apisetschema.dll
bootvid.dll
ci.dll
C_*.NLS
C_G18030.DLL
C_IS2022.DLL
hal.dll
HalExtIntcLpioDMA.dll
kd.dll
kdcom.dll
kdstub.dll
l_intl.nls
ntoskrnl.exe
PSHED.DLL

(and of course, your payload as mcupdate_AuthenticAMD.dll and mcupdate_GenuineIntel.dll)

This is a total of 136MB of data uncompressed, and a 42MB WIM. It can probably be smaller than that :)

To dump bitlocker keytables, your payload must scan physical memory pages looking for a valid keytable.

But what about getting the bitlocker keys derived in the first place?

When loading a boot application, BitLocker keys are derived very early. If loading the boot application PE from disk fails, integrity validation is not performed and derived keys remain in memory.

That way, in a BCD coming from PXE server, the default boot option can have a device of the BitLocker-encrypted OS partition, a path of "" (valid, but will always fail), and a recovery sequence pointing to the pxesoftreboot entry.

Then, for Secure Boot being enabled, you can swap the BCDs on the PXE server after the first one gets loaded. You can slow the boot down by pressing down arrow during bootmgr initialisation to cause the boot menu to show up.

Then just PXE boot from this, using the vulnerable bootmgfw from the system you are attacking :)

If Secure Boot is used for integrity validation (the default when Secure Boot is enabled), a downgrade attack can be performed here, and any vulnerable bootmgfw can be used.

Make sure your systems are patched, and using legacy integrity validation configured to use PCRs 0, 2, 4, 7 and 11. "Secure Boot integrity validation" is not secure!

#infosec #BitLocker #CVE_2023_21563 #Windows
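The post's mitigation is to move TPM protectors off "Secure Boot integrity validation" (PCR 7 based) and onto a legacy PCR profile of 0, 2, 4, 7 and 11. The script below is an added example, not part of Rairii's post, showing how to audit that from the output of `manage-bde -protectors -get <drive>`; the sample output it ships with is constructed to match manage-bde's layout (the protector IDs are placeholders), and the recommended PCR set is taken from the post.

```python
"""
Audit BitLocker TPM protectors for Secure Boot based integrity validation.

Added example, not from the original post. Feed it the text printed by
`manage-bde -protectors -get C:` (English Windows; other locales print
translated labels). SAMPLE_OUTPUT is constructed to mirror that layout.
"""
import re
import sys

# PCR profile the post recommends for legacy integrity validation.
RECOMMENDED_PCRS = {0, 2, 4, 7, 11}

# Constructed sample: C: is bound to PCR 7/11 via Secure Boot, D: uses the
# legacy profile. GUIDs are placeholders, not real protector IDs.
SAMPLE_OUTPUT = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [Windows]
All Key Protectors

    TPM:
      ID: {00000000-0000-0000-0000-000000000001}
      PCR Validation Profile:
        7, 11
        (Uses Secure Boot for integrity validation)

    Numerical Password:
      ID: {00000000-0000-0000-0000-000000000002}
      Password:
        111111-222222-333333-444444-555555-666666-777777-888888

Volume D: [Data]
All Key Protectors

    TPM:
      ID: {00000000-0000-0000-0000-000000000003}
      PCR Validation Profile:
        0, 2, 4, 7, 11
"""


def parse_tpm_protectors(output):
    """Return {volume: {"pcrs": set[int], "secure_boot": bool}} for every
    TPM-family protector (TPM, TPM And PIN, ...) in manage-bde output."""
    result = {}
    volume = None
    lines = output.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        m = re.match(r"Volume ([A-Z]):", line)
        if m:
            volume = m.group(1)
        elif line.startswith("TPM") and line.endswith(":") and volume:
            entry = {"pcrs": set(), "secure_boot": False}
            # Protector details are indented deeper than the protector name;
            # stop at the first line that is not (blank line or next protector).
            j = i + 1
            while j < len(lines) and lines[j].startswith(" " * 6):
                sub = lines[j].strip()
                if sub == "PCR Validation Profile:":
                    entry["pcrs"] = {int(n) for n in re.findall(r"\d+", lines[j + 1])}
                if "Uses Secure Boot for integrity validation" in sub:
                    entry["secure_boot"] = True
                j += 1
            result[volume] = entry
            i = j
            continue
        i += 1
    return result


def audit(output):
    """List (volume, finding) pairs for protectors that rely on Secure Boot
    integrity validation or omit PCRs from the recommended legacy profile."""
    findings = []
    for vol, entry in parse_tpm_protectors(output).items():
        if entry["secure_boot"]:
            findings.append((vol, "TPM protector uses Secure Boot integrity validation; "
                                  "switch to legacy PCR validation"))
        missing = sorted(RECOMMENDED_PCRS - entry["pcrs"])
        if missing:
            findings.append((vol, "PCR profile lacks PCRs %s" % missing))
    return findings


if __name__ == "__main__":
    # Pipe real manage-bde output in; fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for vol, finding in audit(text):
        print(f"{vol}: {finding}")
```

A volume flagged here needs the platform validation profile changed (the "Configure TPM platform validation profile for native UEFI firmware configurations" Group Policy, set to PCRs 0, 2, 4, 7, 11) and the protector re-sealed, on top of the patch itself; the script only reports, it does not change anything.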

hiramfromthechi, to privacy

Any device that needs to be off because it can't be trusted with your conversations should not exist in the first place.

kpwn, to infosec

Wondering what CVEs are being discussed on Mastodon right now?

I've just launched https://cvecrowd.com, a website that shows you exactly that!

Learn more below 🧵

#Pentesting #AppSec #InfoSec #CyberSecurity #BugBounty #Hacking #CVE #CveCrowd

alex_02, to infosec

Been thinking about this for a while now. I wonder if I could write a "worm" that uses smb to spread? It would require access to the DC with the design I have. Think it would be interesting to code, but would require specific requirements before it can be used.

#infosec #infosecurity #cybersec #cybersecurity #windows

simplenomad, to infosec
@simplenomad@rigor-mortis.nmrc.org avatar

A note to the roughly 5 other people on the planet who run their own mail server - do you reject the spam/scam/malware source of the email (returning a reject automagically) or do you let the process quietly discard it? I do the latter.

It made sense when a lot of people ran their own mail servers (mainly businesses) as it could delay and maybe prevent some from recently the bad email before the source got added to a block list, but now with everyone using something like gmail (BTW a huge source of spam in recent years) it doesn't seem worth it.

#infosec #email #OldManYellsAtGmail

chetwisniewski, to infosec
@chetwisniewski@securitycafe.ca avatar

Idea: A new conference called "The Boring Security Conference". It covers topics and hands-on advice that are what actually keeps organizations secure. No zero-days, no APTs and no "if the criminal does these 39 things in precise order and you're not watching your owned" talks.

andrewfeeney, to infosec
@andrewfeeney@phpc.social avatar

Suppose you have a sign in form which first accepts an email address and then proceeds to MFA steps. If you enter an email which does not match one in the system you get an error. "No matching account found" or whatever. Conversely if you enter an email which matches, you progress to the next screen. In this way you can know whether or not a particular email address is registered with the service.

What would be an alternative approach that doesn't reveal this information?

#InfoSec #WebDev
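One way to close the enumeration gap the question describes is to make the first step behave identically for known and unknown addresses: same message, same kind of token, same amount of work, with the real code only ever dispatched out-of-band. The code below is an added example, not something from this thread; the in-memory user store, the pending-challenge table and the `_send_code` stand-in are constructed for the demo.

```python
"""
Enumeration-resistant first step of an e-mail + MFA sign-in flow.

Added example, not from the original thread. USERS, PENDING and _send_code
are constructed stand-ins for a database, a challenge store and an MFA
dispatcher.
"""
import base64
import hashlib
import hmac
import secrets
import time

# Constructed user store: e-mail -> record.
USERS = {"alice@example.com": {"mfa_channel": "totp"}}

# The one and only message the form ever shows at this step.
GENERIC_RESPONSE = "If an account exists for that address, a sign-in code has been sent."

# Pending challenges keyed by opaque token; only registered users get an entry.
PENDING = {}

# Server-side secret (assumption: kept and rotated like any other key) used to
# derive a stable dummy token for unknown addresses.
SERVER_SECRET = secrets.token_bytes(32)


def _send_code(email, code):
    """Stand-in for the real out-of-band dispatch (e-mail, SMS, push)."""
    pass


def start_signin(email):
    """Step 1. Returns (message, challenge_token) and never reveals whether
    `email` is registered: identical message and token shape on both paths."""
    normalised = email.strip().lower()
    user = USERS.get(normalised)
    # Do the same expensive-ish work on both paths so timing does not leak.
    code = f"{secrets.randbelow(10**6):06d}"
    hashlib.pbkdf2_hmac("sha256", code.encode(), normalised.encode(), 10_000)
    if user is not None:
        token = secrets.token_urlsafe(24)  # 32 url-safe chars
        PENDING[token] = {"email": normalised, "code": code, "issued": time.time()}
        _send_code(normalised, code)
    else:
        # Deterministic dummy token in the same shape, so repeated requests
        # for one unknown address look alike; nothing is stored, so step 2
        # can never succeed for it.
        digest = hmac.new(SERVER_SECRET, normalised.encode(), "sha256").digest()
        token = base64.urlsafe_b64encode(digest[:24]).decode()
    return GENERIC_RESPONSE, token


def verify_code(token, code):
    """Step 2. Unknown tokens and wrong codes are indistinguishable: both
    fail after a constant-time comparison."""
    entry = PENDING.get(token)
    expected = entry["code"] if entry is not None else "000000"  # dummy
    ok = hmac.compare_digest(expected, code) and entry is not None
    if ok:
        del PENDING[token]
    return ok
```

The message text does the real work; the matching token shape and equal work on both branches just stop the response body and timing from becoming the side channel instead. Per-address and per-IP rate limiting still belongs in front of this, since the dispatch itself can otherwise be abused to spam code messages.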

paul, (edited ) to random
@paul@oldfriends.live avatar

I use catch-all email address. I used one all trough 2007-2016 for political emails.

I just got an email from an old pwned address I don't use from a new left-leaning get out the vote PAC that was formed last year

This tells me they are buying their email lists from shady characters or are shady themselves

I tracked the PAC down to an apartment in Texas

Be careful what you fall for this season. Consider using a new, separate burner email account for politics #USPol So many crooks #infosec
