
Small-Scale Question Sunday for February 26, 2023

Do you have a dumb question that you're kind of embarrassed to ask in the main thread? Is there something you're just not sure about?

This is your opportunity to ask questions. No question too simple or too silly.

Culture war topics are accepted, and proposals for a better intro post are appreciated.


I am not sure how feasible this is, but I checked some emails of people I know using https://haveibeenpwned.com/ and it tells you which data breach the email/password combination was found in. So isn't all that remains to acquire the breached data, hoping they don't use 2FA? Or am I missing something?

Depends on the data breach. I've been pwned on gravatar, for example, but that meant that it only linked my gravatar to my e-mail. Even if a breach includes password information, it's been long considered a best practice to hash stored password data, and while some hashes are effectively broken (MD5), others are expensive enough to break that uncommon passwords have not yet been broken.

And some more important sites will block even correct passwords if the login is coming from a strange enough location (usually banks, some e-mail providers). And some people will change (or be forced to change) their passwords.

That said, it's usually a good practice to change passwords after a breach rather than praying.

Anyways, back on the topic of infosec/osint, what are your favorite tools that you totally use for security reasons? I am interested in knowing any clever techniques you have heard being used, or used yourself, for/against all things infosec.
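The hashing point above (unsalted MD5 versus an expensive hash) as an added example, not code from anyone in the thread. The three users and their passwords are constructed; the scrypt parameters are illustrative choices, not a recommendation from the page.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two of them picked the same weak password.
CONSTRUCTED_USERS = {
    "alice": "hunter2",
    "bob": "hunter2",
    "carol": "correct horse battery staple",
}


def md5_store(password):
    """Legacy unsalted MD5: fast, and identical passwords give identical hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def scrypt_store(password, salt=b""):
    """Salted, memory-hard scrypt: every guess costs real CPU time and RAM."""
    salt = salt or os.urandom(16)
    n, r, p = 2 ** 14, 8, 1  # illustrative cost parameters (assumption)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def scrypt_verify(password, stored):
    """Recompute with the stored salt and parameters; constant-time compare."""
    _, n, r, p, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def leak_md5(users):
    """What a breached MD5 table looks like."""
    return {user: md5_store(pw) for user, pw in users.items()}


def leak_scrypt(users):
    """What a breached salted-scrypt table looks like."""
    return {user: scrypt_store(pw) for user, pw in users.items()}


def duplicate_hashes(table):
    """Users whose stored value collides: cracking one entry reveals all of them."""
    return len(table) - len(set(table.values()))


if __name__ == "__main__":
    print("MD5 collisions:", duplicate_hashes(leak_md5(CONSTRUCTED_USERS)))      # 1
    print("scrypt collisions:", duplicate_hashes(leak_scrypt(CONSTRUCTED_USERS)))  # 0
```

With salts, even a reused password has to be attacked once per account, and each attempt pays the scrypt cost, which is why an uncommon password in a breach like this is not immediately usable.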

Answering the explicit question:

Absolutely most vital: KeePass is an offline locally-stored password manager. People find cloud options like 1Password and LastPass more attractive because they're a little more convenient across multiple devices, but there's a reason that they have long incident reports. KeePass can't protect you from a pwned host computer, but it reduces your threat model to that. More importantly, it makes it possible to avoid or reduce password reuse across multiple sites.

Some non-SMS 2FA. I like Authy, but they're a dime a dozen. Not every site supports this, and even on sites that do, it's sometimes too obnoxious to be worth the effort, but for banks and e-mail you really should default to having it on. Do make sure to save your emergency tokens, however; in addition to the risk of losing a cell phone, time desyncs can cause Problems.

(Open)SSH. Yes, you could do a self-hosted VPN of some kind if absolutely necessary, but it's obnoxious. SSH can quickly get ports on one machine to ports on another machine, where and when you need them, whether that's to redirect your web browser requests or something more esoteric.

Some web-scraping tools. I use a home-mixed C# abomination, some fossils just use wget, some madmen use javascript. Being able to bulk pull files down from the web and parse them locally has a ton of applications, and is really something you need to understand. More advanced options exist -- SpiderFoot seems pretty popular for specifically OSINT work -- but ultimately it's just an extrapolation of existing tools.

Related, Inspection Mode for your web browser of choice. This is pretty useful for anything from bypassing paywalls to finding the underlying sources for specific media to tracing javascript. The UIs are universally bad, but you still should learn them.

The implicit one:

SHODAN or MassScan. It's so damned hard to lock down this stuff that a surprising number of places are vulnerable across a wide range of matters. You can use nmap if you're going after one or two targets, but as either black or white hat, you absolutely need to understand that these are running everywhere all the time.

Remote Access Tools. This is an ugly one because they're absolutely vital to even small-scale IT management and support. TeamViewer's an easy and relatively legit one, but SplashTop, LogMeIn, yada yada are all valid mainstream services focused on it; Guacamole and the various VNC descendants are more self-hosted options. For Virtue of Silence reasons I'm not gonna list the scuzzy ones. But they're also core to a lot of really scummy stuff, ranging from tech support scams to outright owning someone's home machine.

People find cloud options like 1Password and LastPass more attractive because they're a little more convenient across multiple devices, but there's a reason that they have long incident reports.

It's unfair to lump 1Password and LastPass together, 1Password's security record is much better.

There are key differences that make 1Password much more secure.

Yeah, of the two I've been more impressed by 1Password's model and record. If your use case makes online a requirement, it's probably better than self-hosted file transfer, if you trust 1Password.

Passwords are hard. Pwned host computer is game over for almost everyone, barring some Qubes-type VM segregation setup. The passwords need to be entered in plaintext somehow. You can limit the extent of a breach by keeping your entire password db on an offline machine and lazily QR code'ing it across to the live machine whenever it needs a refresh. Password db encrypted with a gpg smartcard is also pretty good (though not as good as the offline setup, unless you need to tap per decryption like with a Yubikey, in which case I'd rate it as only slightly inferior).

I think you forgot the most important tip however: the more secure your setup, the higher the risk of you locking yourself out of your accounts/backups/encrypted storage. Find a way to dump your secrets in plaintext that fits your threat model (all of them, including TOTP secrets, i.e., what generates your 2FA codes). This might be a box in your apartment with a backup at your office, or a safety deposit box, for instance. On the other end of the paranoid spectrum, an engraved titanium plate inside a waterproof container encased inside a block of concrete dumped in the middle of a remote lake works as well.
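The two TOTP points in this thread, that a saved secret regenerates your 2FA codes and that a clock desync makes codes fail, as an added example that is not code from any poster. The secret is the RFC 6238 reference seed (base32-encoded the way authenticator exports look); the server-side `verify` window is an assumption for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed backup: the RFC 6238 reference seed, as an app would export it.
BACKUP_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
STEP = 30  # seconds per TOTP code


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, at // STEP, digits)


def verify(secret_b32, code, at, drift_steps=1):
    """Server-style check: accept the code for the current step and
    drift_steps neighbours. A clock further off than that fails."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + k * STEP), code)
        for k in range(-drift_steps, drift_steps + 1)
    )


if __name__ == "__main__":
    # Regenerating the code from the plaintext backup is all a "restore" is.
    now = int(time.time())
    print("current code from backup:", totp(BACKUP_SECRET_B32, now))
    # A phone whose clock is two steps fast produces a code the server rejects.
    fast = totp(BACKUP_SECRET_B32, now + 2 * STEP)
    print("accepted with 60s skew:", verify(BACKUP_SECRET_B32, fast, now))
```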