UAC Security Issue when Running Batch Files

I was having trouble pushing a batch file to a local user's machine, when it ran just fine on another person's. It turns out I was having the file run as the currently logged-in user.

So the problem is that the user is able to run any batch files without being prompted by UAC; they have the highest level of UAC set and they are a local Administrator. Other users with the same level of access and UAC do get prompted when attempting to run any batch files.

Is there something I am missing here? Any ideas would be great!

Thanks! Eatery of Ramen

Isn't it a security gap if the TLD hostname doesn't send the Strict-Transport-Security header?

If you connect to https://google.com (without www.) you get an HTTP 301 redirect to https://www.google.com/. Then if you connect to https://www.google.com/ the response includes the Strict-Transport-Security header.

I contend this is a (small) security gap, because the Strict-Transport-Security attribute never gets set for the top-level hostname, google.com. This means that no matter how many times the user has connected to google.com or www.google.com, if an attacker manages to send them to http://google.com/, and the attacker is a man-in-the-middle who can redirect google.com to a site the attacker controls, they can eavesdrop on the connection. (Also, Google's entry on the HSTS preload list only applies to www.google.com, not google.com.)

However, Google is rejecting all reports of “security holes” regarding HSTS: https://sites.google.com/site/bughunteruniversity/nonvuln/lack-of-hsts with the statement “Migrating all the domains to HTTPS, and deprecating all clients that can only talk over plaintext HTTP takes time.”

I contend these objections make no sense. If a client only speaks http, then the way to continue supporting that client is to continue serving http. But if you serve the STS header over https connections, you're telling the client, "Hey client, since you obviously speak https, this host promises it will always serve you https in the future and you should always make https requests to me." The only valid reason not to serve the STS header would be if you think the hostname might some day not support https any more, which is hopefully not the case for google.com!

Perhaps there are subdomains of google.com that don’t support https. But then google.com can just serve the STS header without the “includeSubDomains” attribute, so it won’t be applied to subdomains.

So I maintain that:

  1) Not serving the STS header for the hostname google.com is a security gap. While it's a small gap, there is no offsetting legitimate reason not to serve the header.
  2) It is not a valid objection that they "want to keep supporting clients that only talk over plaintext HTTP".
  3) It is not a valid objection that they have not migrated other subdomains to https yet.

Am I missing something?
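The following script is an added example, not part of the original question, that checks the situation the question describes: it walks a redirect chain of HTTPS responses and reports every hostname that never receives a usable HSTS policy, counting a host as covered if a parent domain in the chain sends `includeSubDomains`. The responses in `CHAIN` are constructed by hand to mirror the google.com to www.google.com redirect described above; a real check would feed it live responses instead.

```python
"""Find hostnames in an HTTPS redirect chain that never receive an HSTS policy.

Added example (not from the original post). The responses in CHAIN are
constructed to mirror the chain the question describes.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse


@dataclass
class Response:
    url: str
    status: int
    headers: dict = field(default_factory=dict)


def parse_hsts(value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security header value into its directives.

    Returns None when the header is absent or carries no valid max-age, because
    browsers ignore a policy without max-age (RFC 6797, section 6.1).
    """
    if not value:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def hsts_gaps(chain) -> list:
    """Return hostnames in the chain that are never covered by an HSTS policy.

    A host is covered if an HTTPS response from that host sends the header with
    max-age > 0, or if a parent domain in the chain sends includeSubDomains.
    """
    covered = set()          # exact hostnames with a policy
    covered_suffixes = set() # ".parent" markers from includeSubDomains
    hosts = []
    for resp in chain:
        parsed = urlparse(resp.url)
        hosts.append(parsed.hostname)
        if parsed.scheme != "https":
            continue  # HSTS sent over plain http is ignored by browsers
        hdr = {k.lower(): v for k, v in resp.headers.items()}
        policy = parse_hsts(hdr.get("strict-transport-security", ""))
        if policy and policy["max_age"] > 0:
            covered.add(parsed.hostname)
            if policy["include_subdomains"]:
                covered_suffixes.add("." + parsed.hostname)
    gaps = []
    for host in hosts:
        if host in covered or any(host.endswith(s) for s in covered_suffixes):
            continue
        if host not in gaps:
            gaps.append(host)
    return gaps


# Constructed responses mirroring the chain described in the question.
CHAIN = [
    Response("https://google.com/", 301, {"Location": "https://www.google.com/"}),
    Response("https://www.google.com/", 200,
             {"Strict-Transport-Security": "max-age=31536000"}),
]

if __name__ == "__main__":
    print("hosts without an HSTS policy:", hsts_gaps(CHAIN))
```

With the constructed chain the only uncovered host is google.com, which is exactly the gap the question points at; adding a policy to the 301 response from google.com, with or without `includeSubDomains`, empties the list.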

Security Measures Categorization

I'm doing research on Information Security Measures. Considering that the topic is very wide, I would like to organize into macro categories the security measures that can be adopted by an enterprise to reduce the risk of attack.

Here is an example:

  • Macro Category 1: Vulnerability Assessment
  • Macro Category 2: Patching
  • Macro Category 3: Firewall & IPS

Is there any list of security measures or any categorization like this?

Is having multiple correct passwords for a single username a security problem?

This question occurred to me when using online banking. My wife and I have a joint account. The username to log in to internet banking is just our account number, so it is the same for both of us. Nevertheless the bank supplied us with 2 distinct passwords.

If the passwords were only given out by the bank and we would log into the same account, this would probably be fine.

But first, the bank actually forces us to each choose our own new password. In theory I could choose the same password as my wife and then the system would tell me "you can't use this password because it is already taken" or something like that, so I would have guessed my wife's password. Security-wise this seems very shady.

Secondly, although we access the same money in the bank account, we don't have the exact same user account in the bank, as for some actions the identity of the user is needed (for example "please send a new credit card": should it be for me or for my wife?). The situation where one username combined with one password accesses one user account, and the same username with another password accesses a different user account, looks to me like a severe breach of security.

Is this actually fine or is the bank using some very sloppy and potentially unsafe programming for their joint accounts?
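To make the two designs concrete, here is an added example (not code from the question or from any bank) that models both: design A is the scheme the question describes, where one username (the account number) is shared and the password alone decides which holder is logged in; design B gives each holder their own username and credential and records joint-account membership separately. The account number, names, passwords and the 12-character minimum in `can_set_password_b` are constructed for the illustration; hashing uses PBKDF2 with a per-credential salt and constant-time comparison.

```python
"""Two ways to model a joint account (added example, not from the original post).

Design A: one shared username, several passwords, password selects the person.
Design B: one credential per person, joint-account membership stored separately.
All account numbers, names and passwords below are constructed.
"""
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 rounds; kept low so the example runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _make_credential(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


def _matches(cred: dict, password: str) -> bool:
    return hmac.compare_digest(cred["hash"], _hash(password, cred["salt"]))


# ---- Design A: shared username, the password decides who you are ----
# account number -> list of (person, credential)
ACCOUNTS_A = {
    "12345678": [("alice", _make_credential("correct horse")),
                 ("bob", _make_credential("battery staple"))],
}


def login_a(account_no: str, password: str):
    """Return the person selected by (shared username, password), or None."""
    for person, cred in ACCOUNTS_A.get(account_no, []):
        if _matches(cred, password):
            return person
    return None


def can_set_password_a(account_no: str, person: str, new_password: str) -> bool:
    """Design A has to refuse a password the other holder already uses, or the
    two people become indistinguishable at login.  The refusal itself is the
    weakness the question describes: the answer tells the caller whether the
    other holder's password equals new_password."""
    for other, cred in ACCOUNTS_A.get(account_no, []):
        if other != person and _matches(cred, new_password):
            return False
    return True


# ---- Design B: per-person credentials, membership links them to the account ----
USERS_B = {
    "alice": _make_credential("correct horse"),
    "bob": _make_credential("battery staple"),
}
MEMBERSHIP_B = {"12345678": {"alice", "bob"}}


def login_b(username: str, password: str):
    """Identity comes from the username; the password only proves it."""
    cred = USERS_B.get(username)
    return username if cred and _matches(cred, password) else None


def can_set_password_b(username: str, new_password: str) -> bool:
    """No cross-user comparison is needed, so two holders may even pick the
    same password without colliding or learning anything about each other."""
    return username in USERS_B and len(new_password) >= 12  # constructed policy


def accounts_for(username: str) -> list:
    """Joint accounts the user may operate, resolved after authentication."""
    return sorted(acct for acct, members in MEMBERSHIP_B.items()
                  if username in members)
```

The point of the contrast is in the two `can_set_password_*` functions: design A cannot avoid comparing a new password against the other holder's, while design B never needs to, because the username, not the password, carries the identity and the shared account is just a membership relation.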

How to ensure Windows 10 is safe from critical security hole reported by NSA on 2020-01-14?

All over the news today (2020-01-14) is the story that the NSA and Microsoft have reported a critical security vulnerability in Windows 10.

But I haven’t been able to find clear instructions about how to ensure that Windows Update has worked properly.

When I click the Start button and then type "winver" and click "Run command", I see that I have Windows 10 Version 1803 (OS Build 17134.191).

When I go to Windows > Settings > "Update & Security" > "See what's new in the latest update", it bounces me to https://support.microsoft.com/en-us/help/4043948/windows-10-whats-new-in-recent-updates, which doesn't seem to mention security at all.

The Windows Update feature itself seems flaky, confusing, and unreliable.

I’m the most tech-savvy in my large extended family, and I generally try to help others (especially older generations) keep their systems working well, but right now I’m struggling to find a set of steps I can walk them through to confirm that their systems are no longer vulnerable.
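One step that can be scripted for the relatives described above is comparing the build shown by winver against the minimum fixed build for that Windows version. The script below is an added example, not from the question or from Microsoft: it parses the winver text quoted above and does a numeric, per-version comparison. The `REQUIRED_MINIMUM` table is a placeholder; the real fixed build for each version must be taken from Microsoft's advisory or release notes, which the question does not quote.

```python
"""Check a winver build string against a per-version minimum (added example).

REQUIRED_MINIMUM below holds placeholder values only; the fixed build for a
given advisory must come from Microsoft's release notes.
"""
import re

WINVER_RE = re.compile(r"Version\s+(\d{4})\s+\(OS Build\s+(\d+)\.(\d+)\)")


def parse_winver(text: str) -> tuple:
    """Return (version, build, ubr) from text such as
    'Windows 10 Version 1803 (OS Build 17134.191)'.

    The part after the dot is the update build revision (UBR), which is the
    number that advances with each cumulative update."""
    m = WINVER_RE.search(text)
    if not m:
        raise ValueError("unrecognised winver text: %r" % text)
    return m.group(1), int(m.group(2)), int(m.group(3))


def is_patched(text: str, required: dict) -> bool:
    """True when the build in text meets the minimum for its version.

    The comparison is numeric on purpose: compared as strings, '17134.191'
    sorts after '17134.1000' even though UBR 1000 is the newer update.
    A version absent from the table cannot be confirmed and yields False."""
    version, build, ubr = parse_winver(text)
    minimum = required.get(version)
    if minimum is None:
        return False
    return (build, ubr) >= minimum


# Placeholder table (constructed): version -> (build, minimum UBR).
REQUIRED_MINIMUM = {"1803": (17134, 1000)}

if __name__ == "__main__":
    sample = "Windows 10 Version 1803 (OS Build 17134.191)"  # from the question
    print(sample, "-> patched:", is_patched(sample, REQUIRED_MINIMUM))
```

A version that is no longer listed in the table (because it is out of support) is deliberately reported as not confirmed rather than as patched, which is the safer answer when walking someone through the check.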

Any security standards applicable to empty S3 buckets?

My employer has a lot of S3 buckets which are no longer used or are just sitting there empty. Cleaning them up would obviously reduce the attack surface and be less to monitor and secure, but that doesn’t seem to be a motivator. Is there anything in the CIS or NIST standards I can cite as a basis for doing a cleanup of these artifacts?

Do 4k IP security cameras with uncompressed 4k video output exist? [closed]

Are there any companies selling IP security cameras that produce uncompressed 4k RAW video output (to an NVR, or even to a local SD card)? Almost all popular brands compress using H.265 (HEVC), which works great for many reasons (network bandwidth, storage, playback, remote streaming, on and on).

However, my local network resources are not limited in bandwidth, storage, or processing power, and I'd really love to find a camera that, at the least, saves a lossless 4k version of the video output, maybe to an internal SD card, in case of a later investigation requiring a higher resolution/quality version. I've been searching around for about a week now, in various subs here and other places like Security on StackExchange, Discord, forums, etc.

For those that are more list-oriented, I’m looking for something with the following traits:

Required:

  • 4k video output, minimum 8 MP uncompressed @ ~32 Mbps bitrate (at least to internal SD card)

Preferred:

  • Wired RJ45/Ethernet connection, with PoE.
  • Compatibility with Home Assistant / Blue Iris software
  • Supports ONVIF protocol.
  • Decent viewing angle, but definitely not wide (e.g. not > 180 deg, etc).

I really haven't found anything out there that meets these criteria, so any suggestions are appreciated.

Security in web sockets

Scope: penetration testing of web server with critical information in it (user management)

I had an argument with my colleague about security in WebSockets and I got stuck with him on one topic, which is the following:

Is it secure to let any inbound connection into the WebSocket without filtering the source of the connection?

Let me explain my opinion on that:
Only an authorized user (by a certain cookie which is on the server already) can connect to the web sockets gateway (WSG) via server S; then the handshake (101) happens, and the communication starts.

His opinion is that every user, no matter whether he has the cookie or not, can query the WSG.

Now, from my point of view, if we allow any connection attempts to the WSG, it may result in:

  • unrestricted flooding
  • scans
  • exploitation of a possible vulnerability of the server to extract sensitive data

What do you think?
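As an added example (not code from the question or from either side of the argument), the handler below implements the first position: the session cookie and the Origin are checked on the HTTP upgrade request, and only a request that passes both gets the 101 Switching Protocols reply; anything else is refused before any socket traffic is accepted. The cookie name, the session store, the allowed origin and the request bytes in the usage are constructed for the illustration; the `Sec-WebSocket-Accept` computation follows RFC 6455.

```python
"""Authorise a WebSocket upgrade at the handshake, before replying 101.

Added example, not from the original post.  SESSION_COOKIE, SESSIONS and
ALLOWED_ORIGINS are constructed stand-ins for a real session store and
origin policy.
"""
import base64
import hashlib
from http.cookies import SimpleCookie

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed by RFC 6455
SESSION_COOKIE = "sessionid"                         # constructed cookie name
ALLOWED_ORIGINS = {"https://app.example.test"}       # constructed origin policy
SESSIONS = {"s3cr3t-session-token": "alice"}         # constructed session store


def parse_request(raw: bytes) -> tuple:
    """Split an HTTP/1.1 request head into (method, target, headers).

    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(sha1(client key + GUID)), per RFC 6455."""
    digest = hashlib.sha1((client_key + WS_GUID).encode()).digest()
    return base64.b64encode(digest).decode()


def authorise(headers: dict):
    """Return the user bound to a valid session cookie, else None."""
    cookie = SimpleCookie()
    cookie.load(headers.get("cookie", ""))
    morsel = cookie.get(SESSION_COOKIE)
    return SESSIONS.get(morsel.value) if morsel else None


def handshake(raw: bytes) -> tuple:
    """Return (status, response_bytes, user).  Only status 101 opens the socket;
    every refusal happens before any WebSocket frame is read."""
    method, _target, h = parse_request(raw)
    if (method != "GET" or h.get("upgrade", "").lower() != "websocket"
            or "sec-websocket-key" not in h):
        return 400, b"HTTP/1.1 400 Bad Request\r\n\r\n", None
    if h.get("origin") not in ALLOWED_ORIGINS:
        return 403, b"HTTP/1.1 403 Forbidden\r\n\r\n", None   # cross-site page
    user = authorise(h)
    if user is None:
        return 401, b"HTTP/1.1 401 Unauthorized\r\n\r\n", None  # no valid session
    resp = ("HTTP/1.1 101 Switching Protocols\r\n"
            "Upgrade: websocket\r\nConnection: Upgrade\r\n"
            f"Sec-WebSocket-Accept: {accept_key(h['sec-websocket-key'])}\r\n\r\n")
    return 101, resp.encode(), user


# Constructed upgrade request; the key is the sample key from RFC 6455.
SAMPLE_REQUEST = (
    b"GET /ws HTTP/1.1\r\nHost: app.example.test\r\n"
    b"Upgrade: websocket\r\nConnection: Upgrade\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Version: 13\r\n"
    b"Origin: https://app.example.test\r\n"
    b"Cookie: sessionid=s3cr3t-session-token\r\n\r\n"
)

if __name__ == "__main__":
    status, _, user = handshake(SAMPLE_REQUEST)
    print(status, user)
```

The Origin check matters alongside the cookie: a browser attaches the session cookie to a WebSocket handshake started from any site, so a cookie alone does not prove the connection came from your own pages. Flooding of the handshake endpoint itself is not addressed here; that belongs to rate limiting in front of the gateway.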