Login

Recent searches

No recent searches

Search options

Not available on photog.social.
photog.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A place for your photos and banter. Photog first is our motto Please refer to the site rules before posting.

Administered by:

Server stats:

267
active users

photog.social: AboutProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.8

#securityfail

0 posts0 participants0 posts today
Replied in thread
Public
Quinn Comendant 🐧

@Edent If you call Bank of America, they will verify you using a code sent by SMS that contains, “DO NOT share this Sign In code.”

I’ll confirm with the agent that they’re asking for the one that says under no circumstances am I to share with anyone, and they reply cheerfully, “yeah that’s the one.” 🤦‍♂️

A screenshot of a SMS continuing the text: “BofA: DO NOT share this Sign In code. We will NEVER call you or text you for it. Code 437885. Reply HELP if you didn't request it.”
#bank#security#SecurityFail
Replied in thread
Public
Claudius Link

Some more context to my rant about the shortcomings of #Entra ID #Password Protection,

1. The risk is greatly reduced if you use #MFA

BUT while I'm not sure if #Microsoft enforces MFA they enforce the weak password rules.

And a recent event caused me to reevaluate my assumption on how well know #2FA/MFA really is:

I gave #cybersecurity talk to non-IT people (still technical so) and closed it with a set of recommendation. One was to enable Second Factor Authentication wherever possible. Which lead to the question from one participant "What is Second Factor Authentication"

That was quite a 😵​ moment. I had the wrong assumptions. How can I assume that MFA reduces a risk if many people don't know about it.

#Fail#SecurityFail
Replied in thread
Public
Claudius Link

One more thing

Another shortcoming of #Microsoft #Entra ID #Password Protection, I can't wrap.

They recommend to not mandate regular password changes (good) BUT they check the password against known bad passwords ONLY when changing it!

So to detect weak passwords I have to enforce a password change which is (rightfully) not recommended 🤡

You could simply do this on entry. Every time (or once a day) the user enters the password it is checked if it isn't well known and complies to the current rules.

#Cybersecurity#Fail#SecurityFail
Replied in thread
Public
Claudius Link

Sleeping over it I noticed another issue with #Microsoft #Entra ID #Password

Regarding the Global banned password list the write "The contents of the global banned password list aren't based on any external data source, but on the results of Microsoft Entra security telemetry and analysis."
(learn.microsoft.com/en-us/entr)

Now I have more questions:

WHY are passwords part of the security telemetry data?

The only case where I see this as ok, would be in a honeypot.

And what kind of data would be in the security telemetry data? Usually it's failed attempts, so you risk overestimating passwords attacks which fail (anyway). Again, this would only be OK with honeypots.

But if you are getting your data solely from honeypots, I fear you're getting a pre-selected type of data. Namely opportunistic, random attacks not targeted attacks.

While I think it's valuable to protect against these kind ob attacks, I really would like passwords to withstand even targeted attacks, even from the inside.
E.g when the attackers are in the Lateral Movement or Privilege Escalation. Especially if the attackers can start to crack hashes.

For this Microsoft Entra ID Password Protection seems completely useless there.

learn.microsoft.comPassword protection in Microsoft Entra ID - Microsoft Entra IDLearn how to dynamically ban weak passwords from your environment with Microsoft Entra Password Protection
#Cybersecurity#Fail#SecurityFail
Continued thread
Public *
Claudius Link

And the Custom banned password list of #Microsoft #Entra ID #Password Protection just continues the joke.

First, it can only contain 1000 entries. And yes, I really don't want to manage a big custom list.

And it gets even worse. The list is intended to contain company specific banned words like brand or product names, company-specific internal terms as well as abbreviations. Entries must be at least 4 characters.

WTF, half the companies I worked for had 3 letter names. And there are many other BWM, KIA, SAP, IBM, GM, BBC, NBA, NFL, UPS, DHL, ...

And don't get me started on acronyms. #TLA (Three-Letter-Acronym) is a term for a reason.

This means, taking my current company as an example, that SMA12 would be an accepted password (if it would be for the length) because 'SMA' 3 points + '12' 2 points is 5 points).

To reach the necessary length you could simply combine it. E.g. 'SMASolar1' would be an accepted password even if 'Solar' was a banned word.

And I CAN'T do ANYTHING!!!

Or at least not anything sensible. If I start to put combinations of 'SMA*' in the custom banned pw list, I'm back at an inadequate big list I have to manage myself 🤮​.

And even then SMASolar1234 stays valid 🤬
#Cybersecurity #Fail #SecurityFail

Call for #Help: I would be very happy if someone can show me that I'm wrong. The state of Microsoft Entra ID Password Protection is a MUCH bigger pain than that I would have been wrong 😜​.

Public *
Claudius Link

I'm not sure if I get something wrong, but I think #Microsoft #Entra ID #Password Protection is complete rubbish. E.g. when ban weak passwords with the ominous 5 points rule the results seem to be completely arbitrary.

Microsoft speaks of including commonly used weak or compromised passwords in their Global banned password list. But the list isn't based on any external data source, so leaked passwords not leaked by Microsoft are not included 🤡​.

This leads to:
Known leaked passwords are accepted. Location name plus year is accepted. Dictionary word plus year is accepted!!!

Not sure if this applies only to German dictionary words.

It gets even worse. Reading the documentation, I found "Characters not allowed: Unicode characters" WTF

Coming back to the weird point system. A banned password is not really banned, it gives you "only" 1 point (and you need five).

This leads to the question how many points do none-banned words give?

If you think it can't get worse, you're wrong! It looks like each character of a none-banned word gives one point. Meaning "password1234" is an accepted password. (1 point for password and 4 for each digit)

And you can't do anything against it.

#Cybersecurity#Fail#SecurityFail
Public
FiXato

I really should've put a few cable ties or something through the whole of that key before letting #BeardGrabber play with this #padlock. 🤦‍♂️😅😖

(It's also why I prefer #locks that need the key to be inserted to actually lock them...)

Tried cutting a copy out of a tin can, but all I got out of that was a small cut. The metal probably was not thick and sturdy enough, or it might also have needed the raised edge on the side. Guess I could look up #lockpicking instructions for a #MasterLock no.130.

Fortunately I should still have some other locks in a storage box, and am not in urgent need for one. :) Might find a spare key too, if I look for it; else I can always cut or file through the key. :)

#parenting #securityFail #dadsOfMastodon

toot.cat/media/MhbJWbyUBX44BiF

A Master No. 130 padlock, locked with the lock through the key's keyhole.
Public
Crazypedia :cyber_heart:

From the tales of the solution is worse than the problem:
Business partner loses control of an email account; it emails all their contacts a malicious attachment. 1 hour later, that same account sends out an email , and puts Every. Single. Recipient in the 'TO' field warning them not to open the previous message.
Guess everyone knows all their business partners and customers now 😡🤦‍♂️
#infosec #netsec #SecurityFail #sysadmin

SearchLive feeds
About