r000t @r000t@infosec.exchange

@fluffy @angristan @rotawerx
More to the point, if someone needs to be pre-emptively shielded from all negativity, they may wish to put the computer away.

Nick Jr., Noggin, and Sprout are still broadcasting for their convenience.

"A 2FA bypass is not a bug because you'd need to know the username and password to use it"

uhhhhh folks what do you think 2FA is for?

Riot Games 2FA implementation is inherently broken: The same code can be used multiple times.

The code is also emailed to you, and email is known to be an insecure channel. You do not have the option to use your own TOTP application to generate login codes.

Riot Games responded to a report saying that the system is "working as intended"

Lesson? Phish Riot accounts. They will do nothing to stop you.

Also, HackerOne is an absolute fucking joke.

If the infosec community can thank cryptocurrencies for one thing, it's that 0days get exposed much quicker (universal profit motive vs. targeting a specific firm), and with potentially less damage than a breach that exfiltrates data.

Also, patch your shit. Also, stop paying for virtualization.

Happy Friday everyone!

As a reminder, anticheat "drivers" that run in kernel mode are a spectacularly bad idea, and *every* MDM/BYOD policy I roll out blocks the most popular ones.

Now, they did exactly one thing right:

They don't ask permission to send the code when you log in. They just send it.

Asking things like "Where would you like us to send the code?" or "Is it alright if we send you the code?" gives an attacker a chance to back out before the notification alerts the account owner to the potential breach.

Your auth systems should make attackers noisy. We like noisy attackers.

Riot Games deployed multifactor auth in basically the worst way they could:

1) *only* email 2FA is supported, no TOTP
2) The code is shown in the subject line, making it trivial to steal from streamers, or participants in a video call, or anybody who can wake up a target's phone (no unlock needed)
3) Enrolling your account forwards you through an absolute fuckton of redirects to unrelated domains, including sites for Riot's other games, and their eSpOrTs site.

Abysmal failure.

This should be really fun to watch.

Lesson learned: "The cloud" is an infinitely large (and expanding) attack surface.

Do not purchase "cloud" manageable enterprise equipment. Limit it to an internal management network, and always use TLS, even on internal networks.

Hey, Your IT Guy here,

Don't do this. Not only will your changes be reverted in under an hour, but it will take less time than that to attribute it to you. You will catch federal charges.

There's far better ways to be a saboteur than being an rm monkey.

Patch now. Like right now. This one looks pretty easy to exploit, and it's present on default Debian, Ubuntu, and CentOS/RHEL installs.

https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034

Hot take: "public wifi is bad, you *will* get owned if you use it" is outdated advice, especially given that TLS is now considered mandatory, not just "standard"

The VPNs being sold with this outdated advice are statistically more likely to be a security threat than your coffeeshop's wifi

Selling educational materials for educational purposes only is still legal. Just saiyan.

Alternatively, giving away cyberattack tools is based and GNUpilled

Twitch pwnt. 120+GB of data leaked.

YOUR
INTERNAL
SERVICES
STILL
NEED
TLS

YOUR
LAN
SHOULD
BE
ASSUMED
TO
BE
HOSTILE