How to harden against credential stealing in EC2 via the http://169.254.169.254 API?

AWS has a feature called Instance Metadata, which on EC2 gives you access to the AWS credentials through HTTP calls:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role> 

The feature itself is intentional, thus technically not a vulnerability. The risk is also stated in the documentation:

If you use services that use instance metadata with IAM roles, ensure that you don’t expose your credentials when the services make HTTP calls on your behalf. The types of services that could expose your credentials include HTTP proxies, HTML/CSS validator services, and XML processors that support XML inclusion.

As long as an application cannot be tricked by an attacker into making such a request and outputting the response, it is certainly a convenient feature. Unfortunately, it is a common source of attacks.

Of course, a server should properly verify all URLs beforehand, but in the spirit of defense in depth, I wonder if it is possible to disable it, or maybe allow it only during startup (before opening any ports).

Questions:

  • Is it technically possible to disable the feature? In other words, how can I ensure that requests to http://169.254.169.254/ are blocked?
  • If it is technically possible, are there any drawbacks in blocking it?
  • Is there a way to still have access to the safe parts of the API, but not to the critical ones? Maybe by whitelisting specific paths? For example, I see the point of allowing /meta-data/spot/instance-action, which tells you whether your EC2 spot instance has been scheduled for termination.

Firefox bug permits stealing encrypted passwords: How is this possible?

It’s my understanding that passwords I save in Firefox’s Password Manager are encrypted and that setting a Master Password encrypts the encryption key used in this process. The Google hit for “Does firefox encrypt saved passwords?” returns this Mozilla Support forum article in which the chosen answer (posted by a moderator) states:

The passwords stored in logins.json are encrypted, but the encryption key is stored in key4.db (previously in key3.db) and without a master password you merely need to place the two files in a Firefox profile folder to see the passwords in the Password Manager.

(Note that logins.json is where FF stores passwords.)

This Information Security question posted by a high rep user assumes the encryption of the passwords, even before a user has set a Master Password, as does this well-received question.

But according to the Sophos Naked Security article, Firefox fixes “master password” security bypass bug, Mozilla released a security fix to resolve an issue where an attacker can copy saved passwords to the clipboard without entering the Master Password:

It was found that locally stored passwords can be copied to the clipboard through the ‘copy password’ context menu item without first entering the master password, allowing for potential theft of stored passwords.

How is this possible if the passwords are encrypted?

Isn’t the Master Password needed to decrypt them before access? I’m very worried now that an attacker who gains access to my logins.json and key4.db files would have all my saved passwords!

How can I handle a player (unintentionally) stealing the spotlight?

Quite recently, I replaced a friend as DM for a D&D game. During that game, I came across something I did not expect: One of the players was just too good.

When I am saying “too good” I am not talking about his character being overpowered, but the player himself having the time of his life roleplaying his bard.

Now I have no problem with someone enjoying roleplaying, quite the contrary; the problem came from the fact that the rest of the party (3 players) weren’t quite on the same level of intensity.

This disparity caused the game to basically devolve into a 1 on 1 with the bard. Usually in that kind of situation I tend to give more attention to the withdrawn players by interacting with them a bit more often. But in this case, whenever I did that, they almost always found a way to give the spotlight back to the bard.

A simple example:

At one point the group witnessed a girl being annoyed by a group of ruffians, so I asked one of the other players (a paladin) what he was going to do. His answer was, word for word:

I think we should let the bard handle this.

This is the kind of answer I got for almost every problem I threw at them.

Another example:

The adventure is heavily puzzle based, with combat encounters being pretty rare. So the DM had prepared a dungeon with a custom-made puzzle for each class.

  • 1 puzzle for the paladin, where the goal was to identify which object among several was wicked.
  • 1 puzzle for the ranger, where the goal was to guide the party through a labyrinth that took the form of a forest.
  • 1 puzzle for the cleric, where the goal was to reconstitute a story from fragments, related to different deities.
  • 1 puzzle for the bard, where the goal was to sing the correct song to a creature to put it to sleep.

Of all these puzzles, only the paladin did his puzzle without asking the bard to do it for him. All the other puzzles were basically done by the bard, on demand from the other players.

So my question would be:

In that kind of situation, how can I prevent a single player from hogging the spotlight, when all other players always refuse to be in the spotlight?

PS:

This problem has also been noted by the usual DM of the group, and he did not find a solution either.

Stealing WiFi password on reconnect [duplicate]

This question already has an answer here:

  • How does WPA2-PSK prevent evil twin password phishing? 2 answers

If I made a clone of a WiFi network I’m trying to access, could I get the WiFi password when someone tries to connect to my network?

I know my phone will automatically try to connect to the network if it’s saved already and set to automatically connect. All of this is assuming I’m closer to the device that will try to connect than the router is.

In short, I’m making a WiFi network with the same name as the one I’m trying to crack on my laptop/phone and then waiting for someone to connect to it. Will this work?

When stealing something do you need to roll stealth and sleight of hand?

Scenario: An arcane trickster casts disguise self as a blind old man.

In a crowded room, his accomplice distracts the target, while the arcane trickster tries to steal his pouch of gold. As a DM, what would you have him roll?

I am trying to solve a minor disagreement between a player (me) and a DM. He felt like I should roll a stealth check followed by a sleight of hand check. I thought I should roll a sleight of hand check with advantage since I had gone to all the trouble to orchestrate the distraction with a party member and disguise myself.

How to handle DM constantly stealing everything from sleeping characters?

In past campaigns, the DM has had a habit of impulsively stealing from our characters while they sleep, without any sort of story reason. And not just regular stealing either: they manage to remove all our items, including worn items such as clothes and armor. All based on beating our listen check minus 10 in one roll. The party finds this entirely bullshit since we can lose everything for no reason, and have very little way to get it back.

We have just started a new 3.5 campaign, all of us level one base races, and the DM has made it very clear we are following the rules to a T. Our characters, however, are being entirely trampled because he is making all the encounters 3 levels higher than our party would be able to handle. After 2 failed encounters, we arrived at a village with about 20 people, all level 1s, and decided to all go to sleep there. After waking up, 2 of us woke up with no armor, no clothes, no starting gear at all. The other 2, who went to sleep outside the village, woke up with all their items missing and being carried away by animals.

We were not drugged, and there was nothing special about the NPCs that would have allowed them to do this. Are there any rules, or anything we can show to the DM, to prove these actions to be impossible and completely unfair?

Protect LUKS encrypted HDD against boot sector key stealing attack

I have an HDD with GPT, a 1 MiB BIOS boot partition and a LUKS encrypted volume group with data. When I boot the computer, GRUB asks for the passphrase.

However, I want to run some untrusted application which MAY have full HDD access. Could it insert some malware into the boot sector to record the passphrase somewhere and then steal it when possible?

If yes, is it possible to protect against it?

Is stealing the HTTP Basic Authentication header possible via CSRF?

Recently I’ve been trying to find a way to steal HTTP Basic Authentication credentials via CSRF. For example, if a site is using basic authentication, is it possible for an attacker to grab the Authorization header with some sort of proxy hidden in an iframe, or to steal it any other way?

I’ve done some research and nothing I can find really proves this is logically possible.

If anyone has a solid answer, whether this is 100% impossible or actually possible, thanks in advance!