diy solar

No issue. I did it. 20k phantom load and lost all settings and lost AC Couple on 18kpv

There are freely available lists of IPs with the device type on the net, just a result of NMAP scans with fingerprinting turned on. My neighbor had their baby camera hacked until they switched it to an internal-only wifi SSID.

I run 3 SSIDs on my wifi: the one we use in the house, the one I give to visitors when they want to use wifi, and the one for IoT devices. I have the internet of things devices segmented out so they can't see or access my LAN devices.
 
So Gilbert is pointing a finger at "user error". Quite possible, but a chat with the OP would have been nice to see if he was ok with his data being posted and being "ratted out". We have all made mistakes in the past.

BTW my new wireless router has guest and IoT networks, very nice.
 
I think the key would be the access log versus when the user was able to log in and change things. If the changes were made when he was fiddling then I vote user error... if it was while he was on planes, trains, or away from home, that is far less likely.
 
If the system logs IPs obviously that could be confirmed with the OP via PM.

But again this is a common thing with password reuse (not saying that happened as I have no clue about millsan1s "opsec").
 
besides my serial number and station name?
Serial number not a privacy concern to anything or any device other than how inner systems operate and what employees have access to from there.
E.g. certain ISP employees can identify you via device serials,
similar with the IMEI / IMSI numbers of a phone. Anyone with those numbers can uniquely track your device globally, but they need access to the systems in the first place. And with that type of access they could be doing that tracking already regardless.

Anyway, if these were unique keys they'd be randomly generated strings, not anything close to sequential numbers like serials are.
*cough except for social security lmao


If the system logs IPs obviously that could be confirmed with the OP via PM.

But again this is a common thing with password reuse (not saying that happened as I have no clue about millsan1s "opsec").
he already has app / web access on that list so he's using multiple devices to reset his settings. Assuming it's all under the same IP it'd be easier
but yea I agree, a list of all sessions and their IPs is the easiest method to see what is logged in. Sessions list being far superior.
Google, Netflix, Facebook and some other places usually make that available and let you see who currently has an unexpired session key and can log in.

In order to access accounts in many online systems you don't need username or password at all, you just need a valid key. This is why browser addons are dangerous, as they can just steal that. Hence the heavy crackdown on them in the last several years.
 
Lastpass is my friend - a bazillion passwords - not one the same and none less than 12 characters unless the stupid website won't allow complex and longer.
 
Serial number not a privacy concern to anything or any device other than how inner systems operate and what employees have access to from there.
E.g. certain ISP employees can identify you via device serials,
similar with the IMEI / IMSI numbers of a phone. Anyone with those numbers can uniquely track your device globally, but they need access to the systems in the first place. And with that type of access they could be doing that tracking already regardless.

Anyway, if these were unique keys they'd be randomly generated strings, not anything close to sequential numbers like serials are.
*cough except for social security lmao



he already has app / web access on that list so he's using multiple devices to reset his settings. Assuming it's all under the same IP it'd be easier
but yea I agree, a list of all sessions and their IPs is the easiest method to see what is logged in. Sessions list being far superior.
Google, Netflix, Facebook and some other places usually make that available and let you see who currently has an unexpired session key and can log in.

In order to access accounts in many online systems you don't need username or password at all, you just need a valid key. This is why browser addons are dangerous, as they can just steal that. Hence the heavy crackdown on them in the last several years.

Yeah but those session attacks need "physical" (obviously could happen without being physically there) access and in this case it's simply trying to track down whodunnit and an IP would generally be sufficient as most attacks aren't going to originate from legit sources but mostly from datacenter blocks that are known to not care who runs what (I love those, they are my most favorite thing in the world when one of our users does the bad thing).
 
Yeah but those session attacks need "physical" (obviously could happen without being physically there) access and in this case it's simply trying to track down whodunnit and an IP would generally be sufficient as most attacks aren't going to originate from legit sources but mostly from datacenter blocks that are known to not care who runs what (I love those, they are my most favorite thing in the world when one of our users does the bad thing).
What do you mean by physical?
Any compromise of a computer/phone can take the session key from it and log in on their own device.
It's the most common "hack" method today.
The only other one is of course social engineering.. just asking for the info, most people give it out lmao

Lastpass is my friend - a bazillion passwords - not one the same and none less than 12 characters unless the stupid website won't allow complex and longer.
yep password managers are good, I definitely wouldn't trust an online one though
but regardless, when these big sites get compromised, it's nice to not have to change 500 passwords because they all were the same.
It's more likely a bank or website leaks your pass today and hackers try that password on all your other accounts, than it is they "guess" it
"stupid website that won't allow complex and longer"
*cries for the bad banks on 50 year old systems*
 

Ideally these devices would require a button push when setting up devices so only someone with physical access and the original password could add things. Then store a 4096 or similar key for future use.

Then the only way they get accessed is if someone physically has access or your device is hacked.

And if they supported MFA
 
What do you mean by physical?
Any compromise of a computer/phone can take the session key from it and log in on their own device
I understand, the point of it being that those attacks are more sophisticated and you generally look at the low hanging fruit first.

To me, physical access is akin to any malware compromise where someone has gained remote access to the device itself. Outside of the very rare instances where someone literally steals memory modules from the machine to freeze and pick from later, physical and remote access attacks essentially result in the same thing.

But, going back to it, people looking for that are likely not interested in an inverter and would be looking for banking sites or email where they can pivot from.
 
Ideally these devices would require a button push when setting up devices so only someone with physical access and the original password could add things. Then store a 4096 or similar key for future use.

Then the only way they get accessed is if someone physically has access or your device is hacked.

And if they supported MFA
remember, rsa keys aren't secure, use ed25519

It would be an interesting device to press a button to grant access for the next 15 seconds. That'd be pretty cool
 
To me, physical access is akin to any malware compromise where someone has gained remote access to the device itself. Outside of the very rare instances where someone literally steals memory modules from the machine to freeze and pick from later, physical and remote access attacks essentially result in the same thing.
That's remote access, you even said it there.
Physical access is physically being there or having it. There's not much protection, or any at all, for most devices at that point.

Session key exploits are the most common other than email spam scams. These aren't people looking for them, it's a shotgunned-out broadcast hoping literally anything gets on their radar. Those are the low hanging fruit. It's just "hope someone downloads this and bam you are in".

That's why all IPs are scanned for "regular" ports multiple times daily, and when those ports are seen open they will start hitting it with basic requests for "low hanging fruit" like port 80/443 and WordPress default URLs and default logins etc.
 
My wifi router has a button for that.... press the button and for 2 minutes it will accept a connection on the default SSID. Then you can log in and configure it.

People are lazy, plain and simple - security takes time
 
My wifi router has a button for that.... press the button and for 2 minutes it will accept a connection on the default SSID. Then you can log in and configure it.
The regular WPS button?

or actual access to its web interface?
never seen one like that, only things like "disable all wireless access to admin config"
 
That's remote access, you even said it there.
Physical access is physically being there or having it. There's not much protection, or any at all, for most devices at that point.

Session key exploits are the most common other than email spam scams. These aren't people looking for them, it's a shotgunned-out broadcast hoping literally anything gets on their radar. Those are the low hanging fruit. It's just "hope someone downloads this and bam you are in".

That's why all IPs are scanned for "regular" ports multiple times daily, and when those ports are seen open they will start hitting it with basic requests for "low hanging fruit" like port 80/443 and WordPress default URLs and default logins etc.

Besides arguing the fact I don't use words real good that often, I have not seen a single session cookie exported from a user of ours but I have seen hundreds of compromises based on phishing and just simple password re-use.

But, the real point to this was not how it was done but simply looking to see if it was OP logged in from a device he owns or if it was from a remote device he does not own, most easily done by referencing the IP.

Outside of that, this probably isn't the best place to dive further into technobabble.
 
but I have seen hundreds of compromises based on phishing and just simple password re-use.
Yep, like I said, people will just spit that info out to others. Social engineering is pretty sad/funny depending where you're sitting.
But, the real point to this was not how it was done but simply looking to see if it was OP logged in from a device he owns or if it was from a remote device he does not own, most easily done by referencing the IP.
This is where this discussion started. It's most easily done by referencing the session*
If he's NAT'd, he can have thousands of devices behind 1 IP address. If a device is compromised it's easiest to see which specific device it is by session; IP won't help unless the person is accessing from a different location entirely.
And assuming his phone was out of the house, it probably has 20 different IPs every day from different cell towers.

for example:

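As an added illustration of the session-versus-IP point argued above (example code written for this page, not from any poster or vendor), the script below parses a constructed portal access log in an assumed format and shows why grouping by session id attributes a settings change better than grouping by IP: two legitimate sessions share one NAT address, the phone's session roams across three IPs, and the only session from a client type the owner never uses is the one that changed settings.

```python
import re
from collections import defaultdict

# Constructed sample access log in an assumed format (not any real vendor's):
# time, session id, source IP, client type, action.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z sid=a1f3 ip=203.0.113.10 client=android-app action=login
2024-03-01T08:05:40Z sid=a1f3 ip=203.0.113.10 client=android-app action=view
2024-03-01T09:10:02Z sid=b7c9 ip=203.0.113.10 client=windows-chrome action=login
2024-03-01T09:12:30Z sid=b7c9 ip=203.0.113.10 client=windows-chrome action=view
2024-03-01T11:47:55Z sid=e0d2 ip=198.51.100.77 client=linux-curl action=login
2024-03-01T11:48:10Z sid=e0d2 ip=198.51.100.77 client=linux-curl action=change_settings
2024-03-01T14:20:00Z sid=a1f3 ip=192.0.2.200 client=android-app action=view
2024-03-01T14:25:00Z sid=a1f3 ip=192.0.2.201 client=android-app action=view
"""

LINE_RE = re.compile(r"(\S+) sid=(\S+) ip=(\S+) client=(\S+) action=(\S+)")

def parse_log(text):
    """Return (time, sid, ip, client, action) tuples, skipping malformed lines."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]

def sessions(rows):
    """Group events by session id; one session may roam across many IPs."""
    out = defaultdict(lambda: {"ips": set(), "clients": set(), "actions": []})
    for t, sid, ip, client, action in rows:
        out[sid]["ips"].add(ip)
        out[sid]["clients"].add(client)
        out[sid]["actions"].append((t, action))
    return dict(out)

def sessions_per_ip(rows):
    """ip -> session ids; several sessions behind one NAT address is normal."""
    out = defaultdict(set)
    for _, sid, ip, _, _ in rows:
        out[ip].add(sid)
    return dict(out)

def suspicious_sessions(rows, known_clients):
    """Session ids used from a client type the owner does not use."""
    return sorted(s for s, v in sessions(rows).items() if not v["clients"] <= known_clients)

def settings_changes(rows):
    """(time, sid, ip) of every settings change, to line up with the owner's timeline."""
    return [(t, sid, ip) for t, sid, ip, _, a in rows if a == "change_settings"]

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print(suspicious_sessions(rows, {"android-app", "windows-chrome"}), settings_changes(rows))
```

Matching the timestamp of the flagged change against where the owner actually was at that time is the "planes, trains, or away from home" check suggested earlier in the thread.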
 
Just a note: there is a "reverse the CTs" switch on the first page of maintenance. Would this cause your bizarre response?
 
Lastpass is my friend - a bazillion passwords - not one the same and none less than 12 characters unless the stupid website won't allow complex and longer.
You might want to have a look at lastpass's security track record :). There are other choices out there. I used to use lastpass but stopped when logmein bought them. Since then, I realized multiple times that it was likely a wise choice to move on :)
 
You might want to have a look at lastpass's security track record :). There are other choices out there. I used to use lastpass but stopped when logmein bought them. Since then, I realized multiple times that it was likely a wise choice to move on :)

I am aware they got hacked and the encrypted files were stolen. And the logmein thing irritated me. But they still do the crypt and hash on the local devices, so what the hackers got was unusable without the salt and password.

I used a yubikey for a while and a couple of others. My stumbling block when I started was that nobody supported Windows, Mac, Linux, iPhone, and Android except lastpass.
 
remember, rsa keys aren't secure, use ed25519
RSA keys above 2048 bits are still considered secure. I'm pretty sure NIST is recommending > 2048 after the year 2030 though. But claiming a vague statement like "they aren't secure" is a little.. misguided IMO.

*edited* I'm not sure why I said NSA but I meant NIST. edited the post to reflect the correction.
 
RSA keys above 2048 bits are still considered secure. I'm pretty sure the NSA is recommending > 2048 after the year 2030 though. But claiming a vague statement like "they aren't secure" is a little.. misguided IMO.

Meaning their back door will work until then? kinda like the DSA fun a few years back.
 
There are freely available lists of IPs with the device type on the net, just a result of NMAP scans with fingerprinting turned on. My neighbor had their baby camera hacked until they switched it to an internal-only wifi SSID.

I run 3 SSIDs on my wifi: the one we use in the house, the one I give to visitors when they want to use wifi, and the one for IoT devices. I have the internet of things devices segmented out so they can't see or access my LAN devices.
Hi. How can I create a different SSID for my IoT devices?
 
You have to log into your router's web interface and see if it has the ability to set up multiple SSIDs. Most newer routers will support 3~6 different SSIDs. Older ones only have one.

Once in, the process will be different per vendor and probably per model in some cases... Start with the online user manual.
 
