* Posts by aphiatri

8 publicly visible posts • joined 30 Jan 2021

You can hijack Google Cloud VMs using DHCP floods, says this guy, once the stars are aligned and...


Setting authentication information over unauthenticated channels?!

Who thought it would be a good idea to configure credentials over an unauthenticated connection on a shared network?

Why don't they just pass them through the hypervisor instead, simply communicating over an emulated serial connection or an additional network containing just the VM and the hypervisor/metadata server?

Or they could simply change the necessary files on the template disk before booting it.

So many ways of doing this securely but instead they chose an unencrypted, unauthenticated communications channel, giving everyone on the same subnet root access to all other machines...

Indonesia’s national health insurance scheme leaks at least a million citizens' records


Re: Every time I see a report like this

While the customer/doctor/patient facing side of the application often (but not always) has rate limits, they don't work so well for the system administrator side of the application. You'll want to be able to back up the database in minutes or hours rather than months and you also need access to all data and not just "your own".

There are a lot of potential attack scenarios but most of them end with the attacker using the system administrator side of the application giving them unrestricted access to everything.

In quite a lot of cases the attacker will also attack the operating system rather than the application and end up with full access to the file system, where they can simply copy the raw files and bypass the database entirely.

Finally unless there are sophisticated, monitored security systems detecting irregular access patterns the attacker might have been (ab)using the system for months before being detected, giving them enough time to bypass rate limits.
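The last paragraph of the post above distinguishes a per-request rate limit from detection of "irregular access patterns" built up over months. The following is an added example (not code from the comment author or from the insurance scheme's systems) that runs both views over a constructed audit log: a clerk who reads records in short bursts, and a slow actor who never exceeds one read per minute but touches 720 distinct records in a day. The log format, actor names, record ids and thresholds are all assumptions made for the example.

```python
"""Per-minute rate check versus cumulative distinct-record count.

The application's rate limiter only sees the first view; a slow bulk
read is only visible in the second. Log format, actors, record ids
and thresholds are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed audit lines: '<ISO timestamp> actor=<user> record=<id>'."""
    lines = []
    t0 = datetime(2021, 5, 1, 8, 0, 0)
    # "clerk": eight bursts of five reads, one burst per calendar minute.
    rec = 0
    for minute in range(8):
        for k in range(5):
            ts = t0 + timedelta(minutes=minute, seconds=10 * k)
            rec += 1
            lines.append(f"{ts.isoformat()} actor=clerk record=P{rec:06d}")
    # "slow": one read every two minutes for 24 hours, 720 distinct records.
    for i in range(720):
        ts = t0 + timedelta(minutes=2 * i)
        lines.append(f"{ts.isoformat()} actor=slow record=P{100000 + i:06d}")
    return lines


SAMPLE_LOG = build_sample_log()


def parse_line(line):
    """Return (timestamp, actor, record_id) for one constructed log line."""
    ts, actor_kv, record_kv = line.split()
    return (datetime.fromisoformat(ts),
            actor_kv.split("=", 1)[1],
            record_kv.split("=", 1)[1])


def peak_per_minute(events):
    """Highest number of reads by each actor within any single calendar minute.

    This is roughly what a request rate limiter enforces.
    """
    counts = defaultdict(int)
    for ts, actor, _ in events:
        counts[(actor, ts.replace(second=0, microsecond=0))] += 1
    peaks = defaultdict(int)
    for (actor, _), n in counts.items():
        peaks[actor] = max(peaks[actor], n)
    return dict(peaks)


def distinct_records_in_window(events, window=timedelta(hours=24)):
    """Largest number of distinct record ids each actor touched inside any
    sliding window of the given length (quadratic, fine for small logs)."""
    by_actor = defaultdict(list)
    for ts, actor, rec in events:
        by_actor[actor].append((ts, rec))
    result = {}
    for actor, evs in by_actor.items():
        evs.sort()
        best = 0
        for i, (start, _) in enumerate(evs):
            seen = set()
            for ts, rec in evs[i:]:
                if ts - start > window:
                    break
                seen.add(rec)
            best = max(best, len(seen))
        result[actor] = best
    return result


def flag_actors(lines, per_minute_limit=10, window_budget=200,
                window=timedelta(hours=24)):
    """Evaluate both checks for every actor in the log.

    per_minute_limit models the application's rate limiter; window_budget
    is an assumed ceiling on distinct records one person legitimately
    needs in a day.
    """
    events = [parse_line(line) for line in lines]
    peaks = peak_per_minute(events)
    cumulative = distinct_records_in_window(events, window)
    return {
        actor: {
            "rate_limit_hit": peaks[actor] > per_minute_limit,
            "slow_bulk_read": cumulative[actor] > window_budget,
        }
        for actor in peaks
    }


if __name__ == "__main__":
    for actor, verdict in flag_actors(SAMPLE_LOG).items():
        print(actor, verdict)
```

With these thresholds neither actor ever trips the rate limiter, and only the cumulative check flags the slow actor; the point is that the second check needs audit data retained and correlated over a long window, which is exactly what the post says is usually missing.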

Stealthy Linux backdoor malware spotted after three years of minding your business


Re: Disguising it as Systemd is cunning

The read-only medium for tripwire does not help you much if you can't trust that the (potentially compromised) system will actually execute the real tripwire ...

A simple bash alias could redirect your call to tripwire to a program that simply repeats the last report (or makes other arbitrary changes to the output).

Setting up a system like tripwire effectively would mean powering down the VM, mounting the disk in a different OS and then inspecting it from there.

Of course the question remains how you'd verify that a given change was legitimate or malicious.

Any OS update will legitimately change more binaries on the system than you'll want to manually verify, and if you just wave them all through in tripwire then that's the perfect time to persist malware to the disk.

Tripwires (physical or virtual) only work when the attacker does not expect or find them. Otherwise it's not a lot of work to simply step over or bypass them.
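The post above argues that an integrity check is only trustworthy when it runs from a different OS against the powered-off VM's disk. As an added example (not the comment author's code and not Tripwire itself), here is the core of such an offline check in Python: build a manifest of SHA-256 digests and modes under a mount point, then diff a later manifest against it. The mount point, file names and the simulated tampering are constructed inside a temporary directory so the block runs stand-alone; in practice the root would be something like a read-only mount of the suspect disk image from a rescue system.

```python
"""Offline integrity manifest: hash every regular file under a mount point
and diff against a saved baseline. Constructed example; the temporary
directory stands in for a read-only mount of the suspect VM's disk."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map relative path -> (sha256 hex digest, permission bits).

    Symlinks are skipped so a link pointing outside the mount can't make
    the checker read the rescue system's own files.
    """
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*")
                       if p.is_file() and not p.is_symlink()):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        mode = path.lstat().st_mode & 0o7777
        manifest[path.relative_to(root).as_posix()] = (h.hexdigest(), mode)
    return manifest


def compare(baseline, current):
    """Return added, removed and changed paths between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Simulate a baseline, a tampered binary and a dropped-in file.

    All paths and contents are constructed for the example.
    """
    with tempfile.TemporaryDirectory() as mount:
        root = Path(mount)
        (root / "usr/bin").mkdir(parents=True)
        (root / "usr/bin/ls").write_bytes(b"ELF original ls")
        (root / "usr/bin/ps").write_bytes(b"ELF original ps")
        (root / "etc/cron.d").mkdir(parents=True)
        (root / "etc/hosts").write_text("127.0.0.1 localhost\n")

        baseline = build_manifest(root)  # would be stored off-host

        # Simulated tampering: replaced binary plus a new persistence file.
        (root / "usr/bin/ps").write_bytes(b"ELF trojaned ps")
        (root / "etc/cron.d/backdoor").write_text("* * * * * root /tmp/x\n")

        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

The diff is only meaningful if the baseline was stored somewhere the guest could not reach, and the reviewer still has to decide which changed paths a package update explains and which it does not.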

This scumbag stole and traded victims' nude pics and vids after guessing their passwords, security answers


Re: Computer++ sentence

If you put them on a scanner ...


Re: "Security" questions....

Another problem is that a large portion of the attacks come from people who know the victim anyway (disgruntled ex, pranking friends, employees, horny students, ...).

Even if you don't share anything on the internet, these people will often already know the answers to many of these questions or can simply ask without raising too much suspicion.

Most of the answers are also easily guessed (especially with some knowledge of the victim).

There are only about 700 birthdays in a two-year period, most pet names will be from a set of a few dozen and the top-ten lists for a few years likely cover favorite shows, books and movies for lots of people...


Re: It isn't a excuse, but

I'd guess that they didn't transmit the photos by email but rather connected their email address to the services where they did send them (Snapchat, Messengers, ...) and the attacker simply used access to their email address to reset the associated passwords.

Or perhaps the attacker gained access to their iCloud or Google Account where their phones synchronize and/or backup every picture they take automatically...

Your email account(s) provide access to almost all of your other online accounts through password reset features and conveniently your stored emails typically reveal where those other accounts are as well.

Severe bug in Libgcrypt – used by GPG and others – is a whole heap of trouble, prompts patch scramble


Re: Don't ban C, but lets fund them to rewrite this in Rust...

A Rust library for parts of gpg already exists. It's called sequoia-pgp and while it does not replace gpg, it implements quite a few of the important features in a compatible way.

It should be possible to write a wrapper for it that emulates gpg usage sufficiently to replace it for most cases. Of course extending sequoia and writing a wrapper might be more work than your suggested solution.

Link: https://sequoia-pgp.org/


Re: systemd and DNSSEC ?

There is nothing preventing you from using DNSSEC on your clients as well.

And besides split-horizon DNS, captive portals and other manipulation of DNS lookups, everything should work just fine.

You'll only get problems with the above when using DNSSEC signed domains, which is unavoidable and the whole point of DNSSEC.

Also, DNSSEC is not a server-to-server protocol (or even a protocol) at all. It's a standard for signing DNS records. The domain owner and the owners of all DNS levels above them will sign their respective records and publish the signatures in DNS. Any DNS resolver can verify these signatures or simply pass the associated queries along for someone else to verify them.