Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 09-Aug-2024 22:58:21 JST
My own write up is here:

ath0 (scottlink@infosec.exchange)'s status on Saturday, 10-Aug-2024 04:18:41 JST
@ryanc I appreciate the write-up. I reckon what you got a hold of was a DERMS, a Distributed Energy Resource Management System.

Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 10-Aug-2024 18:25:09 JST
@ge0rg I assume some sort of allowlist. The number of legitimate API tokens couldn't have been more than a few hundred.

Ge0rG (ge0rg@chaos.social)'s status on Saturday, 10-Aug-2024 18:25:11 JST
@ryanc Excellent work! You write:
> not only was I no longer able to mint my own API tokens, the legitimate ones I'd initially generated still worked.
Does that mean they kept the old 512-bit-signed tokens valid? How would they accomplish that?

Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 10-Aug-2024 22:16:20 JST
@ge0rg They appeared to be doing something slightly more interesting, but an allowlist is part of what I would have done.
I would have, in fact, migrated the system to one that uses opaque random bearer tokens, but it is difficult to do that in a single day.

Ge0rG (ge0rg@chaos.social)'s status on Saturday, 10-Aug-2024 22:16:23 JST
@ryanc I hope so, even if keeping a server side list of all issued JWTs is _interesting_.
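The thread above discusses two mitigations for a service whose JWT signing key could no longer be trusted: keep a server-side allowlist of the tokens the service itself issued, so that previously issued legitimate tokens keep working while anything minted outside the service is rejected, and, longer term, move to opaque random bearer tokens. The block below is an added example written for this page; it is not code from the write-up, from either poster, or from the affected system. It assumes an HS256 JWT (implemented with the standard library only) and a store that keeps SHA-256 digests of issued tokens rather than the tokens themselves; all keys and tokens are constructed in `demo()`.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Set


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT encoder (assumption: HS256 is the token format in use)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def hs256_signature_valid(token: str, key: bytes) -> bool:
    """Constant-time check that the token's third segment is a valid HMAC over the first two."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url(expected), sig)


class TokenStore:
    """Server-side allowlist: a token is accepted only if this store handed it out.

    Digests are stored instead of tokens so a leaked store does not yield usable credentials.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._issued: Set[str] = set()

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_jwt(self, subject: str) -> str:
        """Legacy path: a signed JWT whose digest is recorded at issuance."""
        token = make_hs256_jwt({"sub": subject, "jti": secrets.token_hex(8)}, self._key)
        self._issued.add(self._digest(token))
        return token

    def issue_opaque(self) -> str:
        """Migration target: a random bearer token with no structure to forge."""
        token = secrets.token_urlsafe(32)
        self._issued.add(self._digest(token))
        return token

    def revoke(self, token: str) -> None:
        self._issued.discard(self._digest(token))

    def is_valid(self, token: str) -> bool:
        """JWTs need a good signature AND allowlist membership; opaque tokens need only the latter."""
        if token.count(".") == 2:
            return hs256_signature_valid(token, self._key) and self._digest(token) in self._issued
        return self._digest(token) in self._issued


def demo() -> dict:
    """Constructed scenario: one legitimately issued JWT, one JWT signed with the same
    key but never issued by the service, one opaque token, then a revocation."""
    key = secrets.token_bytes(32)  # constructed signing key
    store = TokenStore(key)
    legit = store.issue_jwt("alice")
    not_issued = make_hs256_jwt({"sub": "alice"}, key)  # valid signature, never recorded
    opaque = store.issue_opaque()
    results = {
        "legit_accepted": store.is_valid(legit),
        "not_issued_signature_ok": hs256_signature_valid(not_issued, key),
        "not_issued_accepted": store.is_valid(not_issued),
        "opaque_accepted": store.is_valid(opaque),
    }
    store.revoke(legit)
    results["legit_after_revoke"] = store.is_valid(legit)
    return results


if __name__ == "__main__":
    print(demo())
```

The point Ge0rG calls "interesting" shows up in `is_valid`: once the allowlist is the deciding check, the signature on a JWT adds nothing the digest lookup does not already provide, which is why the opaque-token path in `issue_opaque` is the natural end state. The store also gives per-token revocation for free, something a stateless JWT scheme cannot offer without a similar list.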