• 1 Votes
    23 Posts
    3k Views
    scottalanmiller

    @Mike-Davis said in ubnt guest wireless or separate VLAN?:

    My understanding of how Ubiquiti handles guest mode is that it drops packets destined for internal networks. What I don't know is, like I think some others were getting at, what if the user tries to go to another local subnet outside the subnet they're on. I guess I'll just keep the VLAN thing.

    My understanding is that it totally drops those packets too. In some ways, that makes it more secure than a VLAN because just hijacking a physical switch is not enough to grab the packets.

  • Security Breach on the Ubuntu Forums

    News
    12
    2 Votes
    12 Posts
    2k Views
    dafyre

    @Minion-Queen said in Security Breach on the Ubuntu Forums:

    Our Plan:

    Let you all know immediately. Honesty and transparency are something we have tried to really keep, well.... transparent here on ML.

    FTFY.

  • EFF PrivacyBadger

    News
    14
    3 Votes
    14 Posts
    3k Views
    Nic

    @Ambarishrh said in EFF PrivacyBadger:

    I use the combination of both, and it works really well. Plus https://unchecky.com/

    exactly what I use as well. PrivacyBadger will break some sites but you can turn it off selectively.

  • 0 Votes
    9 Posts
    3k Views
    stacksofplates

    @gjacobse said in KeepassX & Cloud Storage:

    @johnhooks said in KeepassX & Cloud Storage:

    I keep my KeepassX database in DropBox, but my actual key file is not there.

    I've not used a key file, only a 'decently long complex' password.

    I do both just because I'm paranoid. My password is only 15 characters, but with the key file I think it helps. That way even if someone gets my database they can hammer the database with passwords all they want but it won't matter.

  • 4 Votes
    3 Posts
    825 Views
    DustinB3403

    The acronym SOS (Secure Open Source) really isn't the best one is it?

    Save Our Souls.... many people who haven't the slightest clue might immediately think that open source is dangerous and that auditing is required because of "how insecure it must be".

    I'm totally for it but I'm curious as to why they couldn't come up with a better name / acronym.

  • 2 Votes
    29 Posts
    6k Views
    stacksofplates

    So I guess I should have specified in the other thread. I use KeePassx and it's updated through yum. And the Android version of Keepass2Android (the one I use) isn't maintained by the same people.

  • An eggplant could hijack bloatware

    IT Discussion
    25
    3 Votes
    25 Posts
    5k Views
    Dashrender

    @scottalanmiller said in An eggplant could hijack bloatware:

    @nadnerB that's shocking that Lenovo would want people to remove it.

    I tend to agree - I'm surprised they care enough to tell people.

  • Why Faxing is Less Secure Than Email

    IT Discussion
    68
    5 Votes
    68 Posts
    24k Views
    JaredBusch

    @Jason said in Why Faxing is Less Secure Than Email:

    @scottalanmiller said in Why Faxing is Less Secure Than Email:

    @BRRABill said in Why Faxing is Less Secure Than Email:

    @Dashrender said

    Tapping a phone line once it reaches a neighborhood hub is anything but trivial, I'm guessing. But the main point that I want to point out here is that tapping a phone line requires physical access to something, somewhere in the path, to make it happen. This requirement makes the cost significantly higher than trying to get access to, say, email through the previously mentioned malware attack.

    Pretty easy to get access to phone lines if you are in any sort of business complex.

    Even if you are not. In rural areas it is especially easy to tap lines. There is even equipment that allows you to tap the lines without climbing the poles, you can do it, touchless, from the ground!

    Our building here is in a rural area, but because we are the biggest company around, Verizon brought the whole trunk of lines, multiplexed, into our building in case we needed all of them. There are restaurants, stores, and urgent medical care centers all around us. All of their analog lines, both phone and fax, come into our building and we could listen in from the NID.

    Having worked as an alarm installer for 7+ years I too know how common this is.

    I wander into the phone room and start clipping on to various pairs looking for the # I am supposed to use and end up finding all kinds of things that are not part of the company I am there working for.

  • 3 Votes
    8 Posts
    2k Views
    stacksofplates

    @DustinB3403 said in Using Google Authenticator to Set Up Two Factor Authentication for Linux:

    This doesn't seem like a bad thing at all, especially if you're doing this on your own personal systems. Doing this in an organization seems like a crazy step to implement.

    Also, what happens if your phone dies? How do you update the authentication device?

    There is a hidden file in the root account with the one time use codes and the key for the app. Local console access doesn't require 2FA, only SSH.

    If you set it up in PAM correctly that is, I didn't read through this guide. I did one a while ago on here with steps for everything, and doing it that way only requires 2FA codes with SSH, not local console access.

  • 1 Votes
    8 Posts
    2k Views
    jospoortvliet

    Hmmm, if he cares so much about security he should disable the Universe repository, it's full of security holes. Essentially, installing anything from there is an exercise in installing a backdoor.

    Of course, there's not much choice; you want that software to be available. Tough choice 😉

  • Lets Encrypt Exits Beta

    News
    1
    3 Votes
    1 Posts
    791 Views
    No one has replied
  • 2 Votes
    2 Posts
    967 Views
    mlnews

    From the Badlock page:

    What can attackers gain?

    The security vulnerabilities can be mostly categorised as man-in-the-middle or denial of service attacks.

    Man-in-the-middle (MITM) attacks:
    There are several MITM attacks that can be performed against a variety of protocols used by Samba. These would permit execution of arbitrary Samba network calls using the context of the intercepted user.

    Impact examples of intercepting administrator network traffic:
    Samba AD server - view or modify secrets within an AD database, including user password hashes, or shut down critical services.
    standard Samba server - modify user permissions on files or directories.

    Denial-of-Service (DoS) attacks:
    Samba services are vulnerable to a denial of service from an attacker with remote network connectivity to the Samba service.

    Who is affected?

    Affected versions of Samba are:

    3.6.x,
    4.0.x,
    4.1.x,
    4.2.0-4.2.9,
    4.3.0-4.3.6,
    4.4.0
    Earlier versions have not been assessed.

    How can I fix my systems?

    Please apply the patches provided by the Samba Team and SerNet for EnterpriseSAMBA / SAMBA+ immediately.

    Patched versions are (both the interim and final security release have the patches):

    4.2.10 / 4.2.11,
    4.3.7 / 4.3.8,
    4.4.1 / 4.4.2.
    With the release of Samba 4.4.0 on March 22nd the 4.1 release branch has been marked DISCONTINUED (see Samba Release Planning). Please be aware that Samba 4.1 and below are therefore out of support, even for security fixes. There will be no official security releases for Samba 4.1 and below published by the Samba Team or SerNet (for EnterpriseSAMBA). We strongly advise users to upgrade to a supported release.

    Some vendors may choose to ship 4.4.1, 4.3.7, and 4.2.10 versions and add regression patches on top of them, due to wide scale and complexity of this release. Some may also just backport the patches to older releases. Please contact your Samba supplier for details.

    What further improvements after patching are suggested?

    Mitigations for man-in-the-middle (MITM) attacks:
    Network protections that could be used against MITM attacks include DHCP snooping, ARP Inspection and 802.1x.

    It is recommended that administrators set these additional options, if compatible with their network environment:

    server signing = mandatory
    ntlm auth = no

    Without server signing = mandatory, Man in the Middle attacks are still possible against our file server and classic/NT4-like/Samba3 Domain controller. (It is now enforced on Samba's AD DC.) Note that this has heavy impact on the file server performance, so you need to decide between performance and security. These man-in-the-middle attacks on SMB file servers have been well known for decades.

    Without 'ntlm auth = no', there may still be clients not using NTLMv2, and these observed passwords may be brute-forced easily using cloud-computing resources or rainbow tables.

    Mitigations for denial-of-service (DoS) attack:
    Apply firewall rules on the server to permit connectivity only from trusted addresses.

    Will encryption protect against these attacks?

    The SMB protocol, by default, only encrypts credentials and commands while files are transferred in plaintext. It is recommended that in security / privacy sensitive scenarios encryption is used to protect all communications.

    Samba added encryption in version 3.2 in 2008, but only for Samba clients. Microsoft added SMB encryption support to SMB 3.0 in Windows 8 and Windows Server 2012. However, both of these types of encryption only protect communications, such as file transfers, after SMB negotiation and commands have been completed. It is this phase that contains the fixed vulnerabilities.

    Samba/SMB encryption is good practice but is not sufficient for protection against these vulnerabilities. Network-level encryption, such as IPSec, is required for full protection as a workaround.

    How bad is Badlock?

    The severity of Badlock according to the Common Vulnerability Scoring System (CVSS):

    CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
    Base: 7.1 (High); Temporal: 6.4 (Medium)

    Is this vulnerability exploited currently?

    It may be possible since we already have several PoC (none of them will be released in the near future).

    What does "Badlock" stand for?

    "Badlock" was meant to be a rather generic name and does not point to any specifics.

    Yet Another Bug With A Logo?

    What branded bugs are able to achieve is best said with one word: Awareness. Furthermore names for bugs can serve as unique identifiers, other than different CVE/MS bug IDs.

    It is a thin line between drawing attention to a severe vulnerability that should be taken seriously and overhyping it. This process didn't start with the branding - it started a while ago with everyone working on fixes. The main goal of this announcement was to give a heads up. Vendors and distributors of Samba are being informed before a security fix is released in any case. This is part of any Samba security release process.

    Who found the Badlock Bug?

    Badlock was discovered by Stefan Metzmacher. He's a member of the international Samba Core Team and works at SerNet on Samba. He reported the bug to Microsoft and has been working closely with them to fix the problem.
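
    To check a server's own smb.conf for the two post-patch settings the advisory recommends, here is an added example in Python (not from the Badlock page or the Samba project). The two sample configurations are constructed, and the parser follows Samba's rule that parameter names are case-insensitive and ignore whitespace.

```python
import re

# Constructed sample smb.conf [global] sections (not taken from the Badlock
# page): the first leaves both parameters at Samba's defaults, the second
# sets the two values the advisory recommends.
WEAK_CONF = """
[global]
    workgroup = EXAMPLE
    server role = standalone server
    # server signing defaults to 'default' (auto) and ntlm auth to 'yes'
"""

HARDENED_CONF = """
[global]
    workgroup = EXAMPLE
    server role = standalone server
    Server Signing = mandatory
    ntlm  auth = no
"""

def _normalize(name):
    """Samba matches parameter names case-insensitively and ignores spaces."""
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return the [global] section as {normalized name: lower-cased value}."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # smb.conf comments are whole lines
            continue
        if line.startswith("["):             # section header
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            name, value = line.split("=", 1)
            params[_normalize(name)] = value.strip().lower()
    return params

# Values that disable NTLMv1: 'no' in the advisory's Samba versions; Samba 4.7+
# spells the same setting 'ntlmv2-only' and also accepts 'disabled'.
NTLMV1_OFF = {"no", "false", "0", "ntlmv2-only", "disabled"}

def badlock_findings(text):
    """List the advisory's post-patch settings that this config does not apply."""
    p = parse_global(text)
    findings = []
    if p.get("serversigning") != "mandatory":
        findings.append("server signing != mandatory: SMB MITM remains possible")
    if p.get("ntlmauth", "yes") not in NTLMV1_OFF:
        findings.append("ntlm auth != no: NTLMv1 responses can be cracked offline")
    return findings
```

    Run `badlock_findings(open("/etc/samba/smb.conf").read())` on a real host; an empty list means both settings are in place, though the performance trade-off of mandatory signing noted above still applies.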

  • 4 Votes
    29 Posts
    5k Views
    scottalanmiller

    @tonyshowoff said:

    @scottalanmiller said:

    @tonyshowoff said:

    @Dashrender said:

    @scottalanmiller said:

    @Dashrender said:

    Frankly, I'm frustrated that ICANN allows so many registrars and SSL cert providers. There are over 1400 CAs trusted by Windows in 2010.

    Any one of those CAs can be compromised and their root cert used to sign fake certs for any site on the internet, instantly having Windows trust those certs.

    The whole security model on the internet is just broken. We don't have secure DNS or reliable Certificate Pinning.

    It would be a monopoly if they didn't make it basically open. Or monopoly-ish. Not an open market.

    Frankly, in this case, a monopoly, like you want for healthcare, seems like the better play. The fees should either be free or extremely low, only enough to handle the costs of administration and hardware required.

    Universal coverage does not imply monopolistic treatment. Further, most countries with universal health coverage also have private systems too.

    Like Panama... good healthcare for free or suckers can pay for private American healthcare from Johns Hopkins.

    Or Bosnia, the only place I know of where the "free" is way worse than private to an insane degree, and that's because of a war so at least that's an excuse.

    Johns Hopkins is the hospital that thought that nut job who thinks the pyramids were grain stores and all kinds of whacky things led their surgical department. You'd have to be insane to get treated at a hospital letting crazies like that even work there let alone run departments.

    (Working there as a janitor would be okay, just not in healthcare portions of the business.)

    That's the kind of hospital that removes your spleen because "if God wanted you to have it, he'd not have made it make you sick." Those people scare me.

  • 4 Votes
    2 Posts
    1k Views
    Dashrender

    Do they support booting from UEFI yet?

  • 0 Votes
    7 Posts
    2k Views
    scottalanmiller

    @coliver said:

    Do VPN connections get created/torn down with every communication? Or are they persistent until the device disconnects?

    Normally neither. They are normally persistent until a certain amount of time, then they tear down when idle. Might be hours or days. That way they don't remain absolutely forever, but normally a very long time.