A Smart Card Reader With Hacked Drivers
ฝัง
- เผยแพร่เมื่อ 24 พ.ค. 2022
- an IT employee for a large government contractor purchased a smart card reader. Good thing he scanned the downloadable drivers with antivirus because they came with malware.
₿💰💵💲Help Support the Channel by Donating Crypto💲💵💰₿
Monero
45F2bNHVcRzXVBsvZ5giyvKGAgm6LFhMsjUUVPTEtdgJJ5SNyxzSNUmFSBR5qCCWLpjiUjYMkmZoX9b3cChNjvxR7kvh436
Bitcoin
3MMKHXPQrGHEsmdHaAGD59FWhKFGeUsAxV
Ethereum
0xeA4DA3F9BAb091Eb86921CA6E41712438f4E5079
Litecoin
MBfrxLJMuw26hbVi2MjCVDFkkExz8rYvUF
Dash
Xh9PXPEy5RoLJgFDGYCDjrbXdjshMaYerz
Zcash
t1aWtU5SBpxuUWBSwDKy4gTkT2T1ZwtFvrr
Chainlink
0x0f7f21D267d2C9dbae17fd8c20012eFEA3678F14
Bitcoin Cash
qz2st00dtu9e79zrq5wshsgaxsjw299n7c69th8ryp
Etherum Classic
0xeA641e59913960f578ad39A6B4d02051A5556BfC
USD Coin
0x0B045f743A693b225630862a3464B52fefE79FdB
Subscribe to my TH-cam channel goo.gl/9U10Wz
and be sure to click that notification bell so you know when new videos are released. - วิทยาศาสตร์และเทคโนโลยี
![[TH] 2024 PMSL SEA W1D1 | Summer | เริ่มโดดแรก ระเบิดความมันส์](http://i.ytimg.com/vi/fnPAjQmWzWE/mqdefault.jpg)
Mental Outlaw is the ultimate advocate for the Amish community.
Big doinks
Yes sir.
Haaaa
Amish cybersecurity and opsec is next level
Don't need operational security when you don't have an operation at all
the more I I learn about electronics the more I understand why most IT experience people tend to use as least amount of technology in their personal lives
👆
There are two types of people into technology: those who install smart appliances everywhere, and those who refuse to touch any smart appliances.
@@voidimperial1179 Its all marketing to the general dumbed down masses. Also trendy to the normies.
um, no?
@@stevefan8283 Actually yes. Imagine if someone compromised your smart devices. Guess your thermostat is getting turned way down then.
Important things like this should be provided directly and ideally manufactured in the country using them. It’s silly to think our government and their contractors do stuff like this to save time and money when they could just hire a few more people to audit things as well as work with a local manufacturer
Government laptops already have CAC readers in the laptop.
They actually do verify the equipment they use on a grander scale. A lot of office equipment like these are, as others have mentioned, built in & provided where you work. At home on your own system(s) can be a different story.
@Johnny depp I'm starting to think some of these were authentic accounts at one point
@@silence___ probably people who clicked on the phishing emails
@Johnny depp finally a spam bot is here
It's crazy how well social engineering and just standing around with boxes works
👆👆👆.
@@whats5471 bro why are you trying that scam on a cyber security channel 🗿
@@boobgoogler They really hit this channel harder than usual. I have no idea why.
@@boobgoogler idiot here, what is the scam? lmao
@@oceanbytez847 it's kinda self explanatory
Quite common in Brazil. They swap the reader thing, usually from a gas station, with a hacked one. Then wait for the harvest.
Got mine stolen once. 3 purchases at 1am. I was awake at the time, my bank sms me all purchases made over R$50, so I knew immediatelly, called my bank, cancelled the transactions and cancelled the card in like 20 minutes.
👆👆👆.....
@Rare one got DAMN it's finally here no way
I don't think he's talking about the same thing...
Dude.
They're both bot accounts 🤣
@@epicat0r I was replying to OP
speaking of malware, youtube has been serving ads of "free games" websites, witch serves malicious fake installers, double packed MSI installer with a small c++ program (and some accompanying 7z archive with a password i couldn't find any ware) that fucks with your DNS config and bricks your internet connection, reminiscent of most of the malware you'd find on TPB back in the day
TH-cam used to advertise drugs selling onion marketplaces in Russia lol
@@burn_out 👆👆👆..
they are all the same installer just downloaded under a different name
how would you know if you have this?
@@Liamfr34k Your internet wouldn't be working
Great timing. Pulled a fake keypad off my local ATM two days ago. Sneaky bastards
👆👆👆.
Ah yes, Amazon special Chinesium smartcard reader for DoD CAC authentication. What could possibly go wrong?
China bad upvotes to the left
@Johnny depp shut up bot
I’m dying 😭🤣
👆👆👆...
@@whats5471 shut up bot
This reminds me of the Despicable Me meme:
"First, identify smart card reader used by military.
Second, get access to vendor's website where drivers are hosted.
Third, infect it with well-known malware that's being detected by most antivirus software."
Yeah talk about getting a shot at fuckin Smaug's scale gap, and announcing it to him.
Thats what he just did.
Its patched now.
What a waste of a good vulnerability.
The dude should have waited, got some dudes together, some funding to make it a very professional stealth rat, or even an evolving botnet. But with stealth.
Something that is well worth it considering its a military grade backdoor.
But instead they give it a script off the streets and just completely waste it.
...just classless.
@@fluffypinkpandas I mean, is the point here not to expose the vulnerability? As opposed to like. Become a felon?
@@The_Bird_Bird_Harder from a certain point of view, Anakin
@@The_Bird_Bird_Harder Taking note that a door is left unlocked, but not going through it, is not breaking and entering. It is merely being observant. Doing nothing with this piece of information you just gained, because you might need that information later, is similarly not "Conspiracy to commit." You just know about an unlocked door, and you've got no intention to tell anyone. You can't call it negligence either, it isn't the observer's reasonable responsibility.
@@fluffypinkpandas The thing about that is Mental's not a criminal....
Actually government laptops are specced out to have CAC readers in the laptop, so not external reader is required. We also have cac readers within our keyboards, so a government employee should never have to buy a reader.
Not to mention that the ones sold at the exchanges are inspected & verified. Still seems like a possible security issue though.
They do if they want to work from home or use multiple cards in one session.
👆👆👆.
@@ProDCloud can they just multiple keyboards with the card reader? It's not like they have any resale value anyway, nobody would steal that
That’s great at work but if you want to access your pay or anything else from home you have to use a CAC reader
I cannot believe an IT person who works for a big IT company did not know about file signatures. When I download things like drivers from any vendor, I check the digital signature of the EXE and DLL's before executing the installer. In fact, I check this before buying a piece of hardware that requires driver installation. I visit their websites and download the driver file before buying the hardware, and check if the EXE is signed. If it is not, then I buy from a different company.
I also did not expect so-called "smartcards" are just a mere password card, that if someone else read it, it gets compromised. I thought it would send some sort of calculated result so that only the device that has a previously agreed data can verify its authentisitity, like a bank OTP device. If it is just sending the same data whoever the reader is, why is it called "smart" card? It's a dumb card.
@@whats5471 number doesnt work
it only needs to be smarter than the employees, not the malicious party
Hey, I get paid more for being friends with the boss than that
How do you know what the signature was suppose to be if the company didn't tell you?
Could you tell us how you do what you describe in the first paragraph?
An IT employee for a large government contractor bought a smart card reader. This is what happened to his highly sensitive data.
☝️Presenting to the emergency room!
@@EricGranata Presenting to the emer/g/ency room!
@@doooofus that was really cringy
@@kenshinhimura9387 so was your mom
A company I worked for just gave everyone a laptop with a smartcard reader built in. Much finer control for them. We also used RSA keys and a password. I don't think you can get more security for online identification than RSA keys
Anywher that uses smart cards buys computers with card readers built in
RFID can be intercepted from a man in the middle attack! It’s so unsafe
MiTM is not the same as a replay attack
@@radomane what if the MiTM does the replay attack tho
@@JustPlayerDE MiTM is a form of replay attack where the original message was intercepted and the squashed, then the attacker sends a modified request to the target.
It's difficult to design systems that are resistant to MiTM attacks, look up 2 generals problem.
Protecting against replay attacks is fairly simple, if you have an RFID key to your local gym the reader probably has protections against this already.
@@radomane im talking about the Man in the middle, not the MiTM attack.
i will write the text in another way:
what if the man in the middle does the replay attack tho
@@JustPlayerDE Have you invented some new abbreviation where MiTM does not stand for Man-in-the-Middle?
Thats the CAC (common access card), something that pretty much every US military personal will use, along with everyone who works for the DOD. One thing I find weird here is the "drivers" you need are actually DoD certificates, otherwise CAC enabled sites won't load. (Though I'm pretty sure this is just so your local FBI or NSA agent can watch your activity easier) The one positive thing is the DOD has been issuing out laptops that now use VPNs, and already contain a CAC reader built with the certificates you need, and are continuing to improve their OPSEC mostly due to the fact that having people work from home during COVID instead of a secure office has forced them too.
👆👆👆
I was under the impression that the CAC was already on the way out. Maybe that was bad information.
The drivers he’s talking about is of the cac reader itself so it knows how to function. Cac readers do nothing but read the card and send it’s data to your computer.
Dod certs are pretty much just for dod website identification, which you can use without downloading the certs, but you would have to accept that the website is using the cert every time because it’s not standard. Downloading it makes it standard to your computer.
As far as I know you can’t directly load malware on a cert, but unchecked drivers can cause havoc.
You can access DoD websites just fine without importing the root certs, but your browser will throw a certificate error for every page. This is because the DoD is it's own root certificate authority.
You need dod root certificates to access CAC enabled sites, but the drivers for the CAC itself are different. Both of them are a pain in the ass to obtain if you don't have can access set up on a computer already
I work for a publicly run employer in the uk that's one of the largest employers in the country (work it out). Our smart cards for accessing the country wide databases uses an active x control in IE . The config file for this still states " do not change any settings as all settings are the same for windows 95 and NT " , smart cards are not secure !
👆👆👆.
I thought Native bridge + Edge took over from this now. Wouldn't be surprised if it was still common elsewhere in the industry as IE is still used for some legacy applications
@@whynotandy it does , native bridge however is also getting replaced with credential manager , but you have to do a lot of fucking about with IE and group policy for that , go with native bridge and the latest hscic. Native bridge is still supported as of May 22
@@andljoy IE officially retires on the 16th, wonder if everything will be ready in time
Saicoo Card readers, proceed to place a Yuan symbol on the online payments sign and encourage employees from the DoD to use it. It is obviously a Chinese spy tool, lol.
"On-Line purchases"
Anyone who speaks English knows it's "online"
Congrats on 300k. Thanks for spreading the information that actually matters!
I've been in the military for nearly four years now. I'm happy to see that I've never seen any of these kinds of cac readers for sale, especially at the physical stores and gas stations.
>gas station card reader
Less notorious than gas station dock pils
You could use a regular Android phone to “copy” and “paste” the balance of a subway card in Moscow. That’s how I got unlimited rides lol.
👆👆👆
@Winnie the Flu The balance gets stored in the card instead of an ID linked with a DB, so you buy a card reader/writer and change it.
I was gonna do the same for games place(Magic planet in middle east) but noticed u can charge it from their website so it wont work
Care explaining how
@@DeeezNuts how to trick
Nice
"Security products company with unsecure website", yep, sounds about right.
You never cease to surprise me with these interesting vids, keep it up!
I used to work for a DOD contractor. We where super strict on card readers and lucky we never had this issue. All of our external readers where provided by a trusted vendor.
What kind of a brain dead govt agency would actually deploy workstations that don't have internal smart card readers?
Oh right, quite a lot of them
👆👆👆.
basically everyone that isn't NSA and MAYBE the FBI
@@marcogenovesi8570 that's just false. Most of DoD specs smart card readers directly into laptops and keyboards.
@@marcogenovesi8570 Source? Litterally? This is just wrong, my parents aren’t nearly that important and they get cac card readers.
I always thought there's a private key in each of them, and therefore you cannot duplicate a smartcard by listening to the traffic. It's just common sense! RSA has been around since the 70s. Guess I was wrong
@@tripplefives1402 Smart cards often do have a CPU and crypto modules on board.
@@tripplefives1402 are you sure? MK says otherwise.
Different EMV modes - DDA is the only one that works like a true smartcard. SDA and CDA are just complicated badges. I'm unclear why DDA isn't mandatory for chip txns…
@@codegeek98 Thanks for the clarification!
Man your content is just awesome! I tell everyone to check out your channel
This would not have been a problem if the drivers where open source
The problem would have been bigger in that case. People never check if the compiled code is the same as the open source version.
I don't think there is a easy way to compare open source code and it's compiled version.
Moreover a open source version of driver will be leaked to public which can be easily exploited by hackers.
@@gaming__god Yes, that would very much be the case for open source drivers on Windows. However, open source + a proper package management would pretty much solve the problem.
(Or you could compile them yourself - assuming the code you got is legit.)
@@gaming__god You can just compile it yourself instead of getting a compiled version.
"Moreover a open source version of driver will be leaked to public which can be easily exploited by hackers."
There will also be security researchers that will find those exploits and even upload patches.
@@testacals I think that the exploit comment is not about the lack of patches, but rather people still getting pre-compiled software.
You have to sign the drivers with a certificate to install them on Windows iirc.
In Brazil is very common in sales fairs and at gas stations , they modify they payment machines and insert some msr90 board or something like these on the video , criminals call this type of modified machine as "chupa-cabra" . And they also use jammers for block gps signals from the cars and than steal , they typically call this type of jammer as "capetinha"
kkkkkkkkkkkkkk still chupa-cabras working nowadays?
Modern rogue footage, hell yeah!
Excellent video 👌🏻🔥 love the demonstration clips you got, I make videos sometimes and getting footage online like that takes a lot of work😂 keep it up man 💪
Please make a video on how the internet of things will ultimately destroy the human right to privacy and make us subservient to the surveillance state. I do know you briefly touched on it in your Guide to Escaping the Botnet video, but an in depth video would be really awesome and do us a great public service.
You could've just said "do a video on how problematic IoT devices are" and you wouldn't have sounded so conspiratorial.
@@speedfastman His username is "Spyro 115", he is likely tuned in to the higher consciousness. Nothing wrong with having a conspiratorial worldview in an exponentially conspiring world.
@@1d10tcannotmakeusername That's because 114 Spyro-mongers beat him to it. He is delirious anyways.. "Will ultimately destroy???" he must think he is in 1994 with all that "future tense." wake up and smell the google my little purple dragon. That being said, i have to go now... time for my red pill.
@@maxheadspace6670 1. Spyro is a time-traveling hyperdimensional intelligence
2. Only if you're a city slicker, if you go out innawoods and make sure there's no IoTrash in the house you should be fine
When I was attempting to enlist in the army, all their laptops had a card reader built into them.
Great video. So true. This can be a major attack point, especially in Pubic or private institutions.
Also, RFID/NFC/proxy cards are a different technology than smart cards
wow...
Thank you for the video!
What is so hard about using pgp smartcards? Nonce in, signature out, access granted, no way to copy anything.
👆👆👆..
I don’t understand your logic
Another good example would be the Hak5 usbs. Think Mrwhosetheboss did a video on those, but all someone would need to do swap out a smart card reader that looks similar enough to whatever actual smart card reader you're using, and then they have access to all your credentials.
so. this video gives me an insight of why my military laptop (Latitude Rugged Extreme 7214) has a reader for those cards, both contactless and slot to insert the card
thanks for the updates as usual outlaw!
👆👆👆....
The first bag you posted is the good one to protect against rfid. They have larger sleeves too on amazon.
Properitary drivers be like:
hey what the fuck
👆👆👆.
I love how the credit card companies decided to update their older cards to a much more VULNERABLE card. It’s like they WANT everyone to get their cards compromised. Plus I betcha they do, because they are most likely directly connected to those “credit monitoring” companies and they get more money from them every time a card is compromised.
My father in law has a bug with his card where it doesn't ask for the code.
I think people should just be more aware of their card activity. Maybe this only applies to credit cards, but I get a notification for every purchase the instant it happens. Even if something I see doesn't make sense, I can just cancel the card and get my money back in less than 24 hours. I don't even cancel the cards I lose because I don't want the hassle of having a new number, I just get "replacement" cards which are meant to be ordered if your card breaks essentially.
That employee helped their company dodge not just a bullet,but an entire fucking nuke.
I don't know about the authenticity of the web site you presented that had that card reader listed as recommended. In addition, any contractor that allowed average users local admin rights to install random drivers for crap wouldn't have their ATO for long and thus wouldn't be contractors for long I can tell you that much. Furthermore, when I contracted Federal IT I know we couldn't just hand out random garbage even for peripherals. There's actually standards in place that prevent even the purchasing of computer equipment from mainland China. Even the cards themselves are single sourced from one company to meet the HSPD-12 requirements.
Nice modern rogue cameo
👆👆👆
As always, everything is super. Waiting for new cheats from your te
gratz on 300k
I like to think that the hackers have a handful of weird dumps where they have no clue what the card is for, what the data is about or how to use it
While in reality, it's stuff like Pokémon print kiosk cards or someone's memory card that holds a script to install the network driver for an industrial computer
Tbh it's probably fairly likely
They're sold via dark web in large data packages. Then someone else buys a package that may have usable stuff while a ton of it is junk. Same way as how legal companies scrape all our information and then sell bundles of peoples' info to literally a n y o n e.
Yeah, I totally believe that a "hacker" compromised their download page. Nudge, nudge, wink, wink. Pull there other one guvnor.
👆👆
Mental outlaw is either the biggest redhat or straight works for feds lmao
👆👆👆.
When I worked as IT, we had a lot of people doing work from home stuff. We had protections against this and actually survived the Kaseya Ransomware attack because of a tool... which for the life of me I cannot remember the name of. It essentially worked as a DLL and EXE whitelist - we had a contract with the developers to ensure they updated our whitelist with the file signatures of executable files that came from reputable sources such as Microsoft, Adobe, Chrome, etc, that we'd use on a day to day basis. Everything else would be hard blocked, across all our devices. It would most certainly have protected us against smart card readers with modified drivers. Though, one time, we had a whole day of printer issues because microsoft did a silent patch to Edge, which was responsible for ensuring PDF files print correctly from edge, so we had a day of nonstop printer issues, but it was a small issue :/
Ty for whoever liked this comment first, cause I remember the software. It was called Airlock
My trusty ACR122U is always packed with my laptop when I'm on vacation :D
Most of the card readers are just connected to "psychologically" give a false sense of security, nine out of ten times they aren't even securely wired!
had no idea that people could just buy their own hardware like this for security critical tasks. should at least have a list of hardware that you need to purchase from or something.
Problem is this WAS on the DOD suggested list...
@@jakegarrett8109 well thats unfortunate lol
Yeah we’re told to buy our own CAC readers for our personal computers at home. Half the time they tell you which one is the good one…
I work for a security company where we make security cards. A lot of high security places are moving to cards with an encrypted chip where it stores certifications, your fingerprints, and your photo. Similar to CAC cards. It's fully encrypted and the card is tied to the facility and the readers.
The card you showed is a PIV-I card. It's very secure. The government is slowly moving to this. You need a scanner, that isn't just a reader, but one where you insert the card and it reads the chip. It's all tied to the individual. As far as readers go, use an HID reader. Our company has tore apart the drivers and such, and they are secure.
For common smart cards and card readers, yeah. It's easy to hack. People are always the issue in security. But there is smarter - smart cards.
*CAC
Small detail, a large number of Amazon reviews are fake but you’re correct in assuming at least half of those are actual purchases. There’s some sites that will scan listings and tell you the percent of fake reviews
Grats on the 300k
Thanks for this helpful identity theft guide
As someone who works for a company that installs card readers in high security places, we only install swipe cards and we demand that we use cables rather than wireless transmission.
Our system also nullifies cards every 2-3 days, so you have to get a new one at the reception.
The company one of my friends works at provides laptops with built in card readers, they also have cell tower service so they don't have to connect to WiFi while they are not at home
Good thing ghost cell towers don't exist...
I believe new most Access cards/fobs systems now have 2 steps; meaning not only does the card provide a password to the opener, but the opener also put a signal back to your FOB and if your FOB cannot correctly verify the signal coming from the opener then the gate stays locked even tho the FOB has the correct access code.
Congrats on getting that shout-out from Mutahar yesterday!
Wait, what video?
@@BCDeshiG the smartphone hacking video he made a few days ago
I suspect they are doing the same thing with Smart Lamps selling on Amazon that are impossible to beat on price but force you to allow access to your local home network traffic. Might be useful for a researcher to take a look at it, which I can use the time to jump deeper.
The first part is about RFID/NFC tech
The 2nd part is about Smart-Card tech
Love Mental outlaw keep it up 🖤
This is sooooo dangerous....
So many people need to know about this..
well, that proves to carders that they should also be careful when buying their MSRs and omnikeys online (that if they aren't working out of the box). i wouldn't be surprised if mental outlaw one day participated in a talk at defcon or blackhat. I was wondering if you can do a video about sim card hacking or corebooting modern desktop hardware (such as: ryzen 5000 based motherboards)?? thanks for your great content.
+1 for the sim like cloning (like if you want a GPS tracker on your bicycle, why should you have to double your phone bill just for it to send a text once a day? I guess thieves will just become more rampant). Also would corebooting even work with modern hardware? If one of its features is to replace some of the old junk, would that do much for Ryzen since its probably mostly new UEFI anyways.
Military contractor here, these types of CAC readers are used but not sensitive information, at most the hackers would be getting some PII. More sensitive information is still only able to be reached at your base with a different type of CAC :-)
I used to work in an IT department of a hospital and they used card readers in-house and 2fa when working from home, worked better imo.
And this is why physical security, with human security, will never be outdated.
Oof, I was in the Army and never knew about sus drivers... fortunately I bought mine at AAFES and needed no additional drivers but I did need all sorts of security protocols.
a long while ago people used to use coiled copper rods to extend the reach to their sleeve.
"curbs on security " 😂🤣😂🤣😂🤣😂🤣😂
I choose to live in a cave at this point.
My ThinkPad has a Smartcard reader. And there seems to be some tricks to read out the data anyway I want. Would be great to have this tool with me.
I also think there is an RFID reader in that laptop... Which should be able to read some more information.
things like these need OSS drivers with signed binary releases.
Virustotal is not magic, it is rather easy to write undetected viruses, especially if their only job is to upload the smartcard data to a server. That is not even the definition of a virus, that would just be a modified/hacked driver
Polymorphic viruses aren't that hard to make, you basically write a set of tests that define the behavior and have a script fudge the instructions around till you don't get detected. And you can even use out of the box generators that do the job for you.
Smart cards are not vulnerable to replay attacks.
They use the algorithm of challenge-response.
They have another set of vulnerabilities but not that one.
I once saw receiver that can read card from like 3m away. They used it on entrance to private community. You can just place card under front window and it will read it no problem
Yep, and set that baby to overdrive for movie night drive through popcorn!
Thanks Jayson Tatum 👍
Now those cc reader signal blocker sleeves finally have a purpose😆
In Brazil a guy managed to switch his card reader with gas'tation's card reader and recived 3 days of payments before be catch.
Or employees might have to scan both their card and fingerprint to enter a door while cameras monitoring the door will raise the alarm if the person’s face is obstructed with something like a mask or if it detects a face other to the face of the employee linked to the card signature and fingerprint provided! :)
This is unbelievable... #stoptheoutsourcing
This is exactly why we need open source drivers period.
I prefer the battering ram method.
Who needs any fancy electronics when you have a log and pure strength.
👆👆👆.
Badge cards typically must be used in very specific manners the closer they work with government controlled data, such as PII, PHI, or official data. Though if a company isn't having this enforced on them it's pretty typical that they will use whatever. You'd think banks in particular would take more care to protect their cards for example, but it seems that rfid chips in cards are quite compatible with thief scanners.
its funny that your average smart ticket card you use to commute is safer than most smart cards against copying lol
Eyy mahn.
Can you give me advise or sense of direction,
Im trying to setup NAT Network for Windows virtual machine.
Using QEMU/Virt Manager on a Debian system.
Thanks in advance, I appreciate your videos bro
Something I leaned is that windows will go out and get drives for some things if the driver is proper signed. My guess is that when they made that drive it was but now it is not and that's why they had to manually install it.
yeah, but if I wanted to break into a building I would rather bribe a janitor to copy their pass vs having my face on camera intercepting their card.
You'd think most companies/governments would have some sorta deal with a tech trusted tech supplier instead of simply paying staff to buy whatever they want.
When I was in the army we had to buy a cac reader I thought about buying it off amazon. But thought it would contain some kind of survaliance ware since I knew about the third party sellers on amazon. So I just went to the PX and bought one since if I got one from there nobody could put the blame on me lol
The company I worked for had smart cards but they supplied laptops that had the readers already installed. I would have figured the government would have done the same.
I encountered something similar getting drivers for an old fujitsu laptop, I used the (supposedly) official fujitsu support page, but after downloading one installer, even windows defender detected a trojan in the driver.
I’ve never used a smartcard in the last few years that doesn’t use private key authentication. I’m sure they still exist, maybe Europe has different standards than the US, but once the card uses a private key, there habe to be multiple exchanges between the “reader” and the card for something to unlock, and the traffic is safe from a replay attack AFAIK.
thanks man
We’re doing 2 factor authentication with our phones. It’s a little annoying that work requires me to use my personal phone, but it seems reasonable secure.
I feel like if a weird creepy guy with too many bags was pretending to make a phone call next to the card reader I would wait for him to leave or try to make things awkward so that he leaves.
You'd think comm shop or s2 would be on top of the CAC issue.
i feel like I’m watching a DedSec tutorial video
The worst part is so many military website are flagged as not secure by browsers so many people just click to continue to unsecure website, because that's the only way to access the website. So it wouldn't surprise me if windows defender would have caught this, it would have been ignored.
Probably just unofficial certs
@@P1T4Bot that is the issue but I think it conditions people to just click okay, even if something is flagged
Even easier, just walk behind someone who goes into the office building. They will probably hold the door open for you out of politeness.