Post AV1T0FszTFTPxDB5P6 by mjg59@nondeterministic.computer
Post #AV1T0FszTFTPxDB5P6 by mjg59@nondeterministic.computer
2023-04-25T21:15:57Z
1 like, 1 repeat
If people are recommending that you rotate your credentials somewhere, it's legitimate to ask what's changed between when your creds were nominally compromised and now that would avoid them just immediately being compromised again
Post #AV1TA3wuhpsHpRgnvk by mjg59@nondeterministic.computer
2023-04-25T21:16:31Z
0 likes, 0 repeats
If the thing that was causing your credentials to be compromised has already been fixed, what's the issue with disclosure? And if it hasn't, what's the benefit in rotating?
Post #AV1TLEenEe9GDvXcOm by sid77@infosec.exchange
2023-04-25T21:17:44Z
0 likes, 0 repeats
@mjg59 Bug fixes and performance improvements.
Post #AV1U7Y9A4l16ZPmf2m by tenet@defcon.social
2023-04-25T21:28:40Z
0 likes, 0 repeats
@mjg59 There’s zero guarantee that the threat is readily replicable. It could be a form of botnet using zombie sessionIDs or spoofed logins or some shit. I’ve already talked to a couple of people that had unknown devices on their accounts. Clearing everything out allows for easier monitoring, especially if you have a home full of Echo shit like my sister and brother in law.
Post #AV1UXHN946vK4faqmW by mansr@society.oftrolls.com
2023-04-25T21:34:45Z
0 likes, 0 repeats
@mjg59 Smells like someone desperate for attention.
Post #AV1UnRbembu0Rq5aVs by FishermansEnemy@infosec.exchange
2023-04-25T21:37:38Z
0 likes, 0 repeats
@mjg59 @mansr glad it wasn’t just me thinking that.
Post #AV1UrF7L9tsYs9ii1Y by witewulf@mastodonapp.uk
2023-04-25T21:38:20Z
0 likes, 0 repeats
@mansr @mjg59 I asked for more details and was told no due to ethical disclosure. I’m very cynical, however…particularly as giving a journalist a “scoop” was also mentioned 😒
Post #AV1UzEN3olZesFskka by Natanael_L@mastodon.social
2023-04-25T21:38:28Z
0 likes, 0 repeats
@mjg59 leak of old hashes?
Post #AV1W57Pkh9dozSVpnk by mansr@society.oftrolls.com
2023-04-25T21:52:04Z
0 likes, 0 repeats
@FishermansEnemy @mjg59 Seems all too common in the field. Someone finds a genuine, yet limited, problem and hypes it up beyond all reason while keeping the details secret. It's a shame, because if there ever is a real issue, I'll be disinclined to believe it. Crying wolf and all that.
Post #AV1XNTvZpVJbyrib56 by SpaceLifeForm@infosec.exchange
2023-04-25T22:04:46Z
0 likes, 0 repeats
@mjg59 Exactly the correct question. If you have a long complex password, and the hash has not been exfiltrated, then you should be fine. When a site says you need to change your password, you know they were hacked or they suspect they may have been hacked. So, change the password, and avoid.

It is like any org that says you need to change your password every X days. You know they do not even trust their own network. It is Security Theatre. And, most likely, there is some MS involved.
Post #AV1XZM8ScuwJHxPHLU by gofish@infosec.exchange
2023-04-25T22:07:21Z
0 likes, 0 repeats
@mjg59 What about if someone is asking you to sign-out of all devices before rolling your password? Does that make a difference to your statement?
Post #AV1XvJyHM04Uwn7NZI by mjg59@nondeterministic.computer
2023-04-25T22:11:21Z
0 likes, 0 repeats
@gofish If you're then logging back into those devices, not really (unless you're then also advising people not to change their passwords again without logging out of those devices again)
Post #AV1YtCUYI7Ub7olZE8 by pH_0x05@infosec.exchange
2023-04-25T22:19:12Z
0 likes, 0 repeats
@mjg59 someone put their auth key secrets s3 bucket to worldwide read permissions didn’t they? Or an “intern” published them on GitHub thinking it’s public keys? /s
Post #AV1c0DNDi9D3kWNBjc by marcorobotics@mastodon.social
2023-04-25T22:56:52Z
0 likes, 0 repeats
@mjg59 "what's changed" usually is that the open S3 bucket where passwords were exposed in plain sight has been deleted 😂 🤣 😂
Post #AV1cYWG00cGAA4LxHU by mjg59@nondeterministic.computer
2023-04-25T23:02:49Z
0 likes, 0 repeats
@marcorobotics then why not disclose?
Post #AV1dsMhlKjLkHWMm0G by checlarke@infosec.exchange
2023-04-25T23:17:54Z
0 likes, 0 repeats
@mjg59 Based on other comments I would guess that *maybe* it's related to a potential for credential leak from old devices no longer in your possession, but that's pure 100% guess. In my case it was low effort and good hygiene to ensure only active devices are connected, but if it was more than that I would certainly be asking a lot more questions. Will be curious to see if anything comes of it.
Post #AV1eKhzvlArSQfNakq by rivetgeek@dice.camp
2023-04-25T23:22:59Z
0 likes, 0 repeats
@mjg59 Sign out of all of your devices and change your password every day.
Post #AV1fAgJ9HwgqFJ9R2G by Ve3ldj@universeodon.com
2023-04-25T23:32:25Z
0 likes, 0 repeats
@mjg59 that was my first thought. Let’s let it all shake out first. Don’t dry off before you’re out of the pool, eh?
Post #AV1i0wYaJuGPbkQ4HY by kuba@ruby.social
2023-04-26T00:04:11Z
0 likes, 0 repeats
@mjg59 I would expect something like "we used to use security by obscurity, but after the report we changed, but we did not invalidate old tokens for the sake of convenience" (just a guess)
Post #AV1wpzEDXu5K1K7syu by stepheng@mastodon.online
2023-04-26T02:50:11Z
0 likes, 0 repeats
@mjg59 I've asked vendors this question many times. Only once did I get an actual answer, and it turns out they were forthcoming only because they thought from my investigative nature that I was looking to sue 🙃
Post #AV1zFel0TmjTy3paq0 by gnomon@mastodon.social
2023-04-26T03:17:23Z
0 likes, 0 repeats
@mjg59 in my professional experience "deploying firmware updates to devices with occasional connectivity on residential internet lines" can often take up the bulk of the responsible disclosure period, though I think you've had more experience there than me. And it's usually so difficult to convince users to rotate their creds in a system lacking a mechanism to force it that trying to get that message out early also seems like a reasonable angle.
Post #AV22aIuZCF2u9qq8US by gofish@infosec.exchange
2023-04-26T03:54:50Z
0 likes, 0 repeats
@mjg59 Agreed. I'm guessing it's those devices you're not going to log back into that are of concern. Time will tell.
Post #AV2Gcb8jnDHSd8SLpI by ian_mclaughlin@mastodon.social
2023-04-26T06:31:49Z
0 likes, 0 repeats
@mjg59 sessionIds for never-expiring sessions?
Post #AV2HtAvkalkWDhqlzE by revk@toot.me.uk
2023-04-26T06:46:23Z
0 likes, 0 repeats
@mjg59 Well yes. I can think of a third option though. What if the vulnerability is in the “update password” process, and so getting everyone to do so gets way more accounts compromised. Obviously not saying that is the case here, but it is a third option…
Post #AV2Inzznv3ISoTqFv6 by danieldurrans@mastodon.me.uk
2023-04-26T06:56:44Z
0 likes, 0 repeats
@mjg59 The part of the instructions that smelled strange to me was the "delete and reset 2FA auth tokens", implying that those tokens had become compromised on Amazon's side. But then it went on to talk about Fido/YubiKey - except I don't think I have ever seen an option in Amazon to auth using hardware keys?
Post #AV2NZhlXOvcvzSAk52 by ben@mastodon.bentasker.co.uk
2023-04-26T07:50:04Z
0 likes, 0 repeats
@mjg59 Assuming we're talking about the same thing - my reading was that the bit that really mattered was the "log everything out now" step. Killing all the old sessions doesn't stop your new sessions being jacked, but it does reduce the number of sessions you have that could be.

I had 331 "apps" signed into my account - that's quite a surface if someone were to try and BF session IDs, so I may be better off even though the issue itself isn't fixed
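The mechanics behind the "log everything out" step that this reply and the earlier sign-out-before-rotating question turn on, as an added example that is not code from the thread or from any vendor discussed in it: a hypothetical server-side session store binds each session to the account's credential "generation" at issue time. Both an explicit sign-out-everywhere and a password change bump that generation, so every pre-existing session fails validation at once, while a device that logs back in afterwards gets a fresh, valid session. All names, the account, the passwords and the five "apps" are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    generation: int = 0  # bumped on password change or sign-out-everywhere


@dataclass
class Session:
    account: str
    generation: int  # account generation when this session was issued
    issued_at: float


class SessionStore:
    """Hypothetical in-memory session store (constructed for this example)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Salted PBKDF2; iteration count kept low only to keep the demo fast.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def create_account(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, self._hash(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        acct = self.accounts.get(username)
        if acct is None:
            return None
        if not hmac.compare_digest(acct.password_hash, self._hash(password, acct.salt)):
            return None
        sid = secrets.token_urlsafe(32)  # 256-bit random session id
        self.sessions[sid] = Session(username, acct.generation, time.time())
        return sid

    def validate(self, sid: Optional[str]) -> Optional[str]:
        """Return the account name for a live session, or None if stale/unknown."""
        sess = self.sessions.get(sid) if sid else None
        if sess is None:
            return None
        acct = self.accounts[sess.account]
        if sess.generation != acct.generation:
            del self.sessions[sid]  # revoked by rotation or sign-out-everywhere
            return None
        return sess.account

    def sign_out_everywhere(self, username: str) -> None:
        self.accounts[username].generation += 1

    def change_password(self, username: str, new_password: str) -> None:
        acct = self.accounts[username]
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = self._hash(new_password, acct.salt)
        acct.generation += 1  # a rotation implies revoking every older session

    def live_session_count(self, username: str) -> int:
        gen = self.accounts[username].generation
        return sum(1 for s in self.sessions.values()
                   if s.account == username and s.generation == gen)


def demo() -> dict:
    """Constructed scenario: five devices hold sessions, then the password is rotated."""
    store = SessionStore()
    store.create_account("alice", "correct horse battery staple")
    sids: List[Optional[str]] = [
        store.login("alice", "correct horse battery staple") for _ in range(5)
    ]
    before = store.live_session_count("alice")
    store.change_password("alice", "rotated passphrase 2023")
    after_rotation = store.live_session_count("alice")
    old_valid = store.validate(sids[0]) is not None
    old_password_login = store.login("alice", "correct horse battery staple")
    new_sid = store.login("alice", "rotated passphrase 2023")  # device logs back in
    new_valid = store.validate(new_sid) is not None
    return {
        "before": before,
        "after_rotation": after_rotation,
        "old_valid": old_valid,
        "old_password_login": old_password_login,
        "new_valid": new_valid,
        "after_login": store.live_session_count("alice"),
    }


if __name__ == "__main__":
    print(demo())
```

The generation counter is what makes "sign out of all devices, then change your password" and "change your password" equivalent in effect here; the only thing either step changes is how many sessions exist to be attacked, which is exactly the reply's point that a freshly minted session is no safer than the old ones if the underlying leak is still open.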
Post #AV2jOQjcZyaOyZIxWq by sanctionedanya@toots.matapacos.dog
2023-04-26T11:54:14Z
0 likes, 0 repeats
@mjg59 Assuming it's the post I think it's about, I also immensely dislike how it's structured and worded; he presents believing what *should* be a statement of fact as if it's a test of faith in him. I took the opportunity to change my password (this was overdue for other good-practice security reasons), but I take a dim view of it and erred on the side of not sharing it with anyone.
Post #AV3FAjlWDxqOTehsuG by DXS@infosec.exchange
2023-04-26T17:50:06Z
0 likes, 0 repeats
@mjg59 If there is a problem that is so bad that one needs to obtain new 2FA credentials, could one actually be better off temporarily getting a new 1FA password?
Post #AV3aRRYLHzfJx7LpVA by ick@infosec.exchange
2023-04-26T21:47:50Z
0 likes, 0 repeats
@mjg59 that guy seems oddly obtuse/abrasive towards anyone asking for clarity in follow up questions. Even if he’s got something legitimate and significant, the way it’s being communicated is just bizarre to say the least. If someone makes a claim that the sky is falling, questions like these seem perfectly reasonable and expected. If you can’t/rather not answer the questions due to <reasons>, there’s better ways of handling it.
Post #AV3jJSI7YjuJVt1t7g by mjg59@nondeterministic.computer
2023-04-26T23:28:02Z
0 likes, 0 repeats
@spiralmind @funbreaker publicly asserting that a vulnerability exists before it's remediated is absolutely not what responsible disclosure generally means
Post #AV42urIHSfeotveXlg by pjaol@fosstodon.org
2023-04-27T03:07:44Z
0 likes, 0 repeats
@mjg59 ahhh the LastPass method
Post #AV54Cyv88fMgsZzRdQ by clemenceau@infosec.exchange
2023-04-27T14:58:32Z
0 likes, 0 repeats
@mansr @mjg59 no. You have to *actually* realise that he has a clue. Also, it's been a scary day.
Post #AV54KVuvr7gpFCUNf6 by mansr@society.oftrolls.com
2023-04-27T14:59:57Z
0 likes, 0 repeats
@clemenceau @mjg59 Well, he's not making that very easy nor, dare I say, desirable.
Post #AV54cjFt0KHbp7yYZE by clemenceau@infosec.exchange
2023-04-27T15:03:14Z
0 likes, 0 repeats
@mansr @mjg59 ikr? He said to look him up if I don't believe him, which I did, and... doesn't seem like someone who would have a "scoop" on Amazon's world-ending security issue. I mean, he *can* be right, but like you said, he's not making it easy to believe him