Cugel the Clever
Apr 5, 2009
I LOVE AMERICA AND CAPITALISM DESPITE BEING POOR AS FUCK. I WILL NEVER RETIRE BUT HERE'S ANOTHER 200$ FOR UKRAINE, SLAVA
Secure email may be a bit low-brow for this thread, but it's not something I've found a satisfactory solution for. An acquaintance recently started using Virtru at his workplace, which appears to just point the recipient to an 'unencrypted' version of the conversation on their website, using their Google account for authentication. Do y'all see this as a meaningful and sufficient step to protecting sensitive client information sent via email, or is it not up to snuff?

If not, what are the go-to solutions for sensitive, routine business communications?

Their Chrome extension wants permission to read and change all data on visited websites—does this basically come down to trusting the developer to not be doing shady stuff?

Edit: And why the gently caress isn't encryption built into Gmail at this point?


Twerk from Home
Jan 17, 2009

This avatar brought to you by the 'save our dead gay forums' foundation.

Cugel the Clever posted:

Edit: And why the gently caress isn't encryption built into Gmail at this point?

It is, the mail is getting sent encrypted and you're accessing the gmail webapp over https. Encrypted email has been the norm in gmail for a while.

EssOEss
Oct 23, 2006
128-bit approved

Cugel the Clever posted:

If not, what are the go-to solutions for sensitive, routine business communications?

What do you want to protect against? A state actor intercepting it? Probably not. A malicious employee stealing confidential data? That can be tricky - just ensure that sensitive data is behind lock and key and ACL (though not so much that it actually interferes with regular business). Some random 3rd party who uses a wide-spectrum attack? Ensure that your employees use strong passwords if accessing external services storing sensitive data, ideally multi-factor auth, or don't even keep that sensitive data externally. Idiot employees running trojans? Turn on Windows Defender and hope you are not targeted with a custom attack that's not in the signatures yet. Microsoft ATP or whatever it was called offers additional protection against that. (A...dvanced Threat Protection maybe?)

The threat model is a very important part of any security design, so there really is no right answer.

Proteus Jones
Feb 28, 2013



Honestly, if you're sending sensitive information using SMTP over the Internet, you're pretty much going to want to find another distribution mechanism.

I recently had to deal with that as my division was purchased (yet again) by another company and wanted me to send PII over email to their HR. If it was O365 to O365, I'd be slightly less concerned, but it's still really not acceptable, due to people with no real business still having access to that information. No facility to encrypt files prior to attaching.

I convinced them that wasn't going to happen. I suggested SFTP with user directories, they countered with the HR Director's BOX account with user assigned folders. I have reservations about cloud services like that, but it's far better than "just email it to us!" My group is one that they are excited to have on board since we're filling a niche they currently outsource (they insource 98% of their company and only outsource as a last resort). One of the things I'll be doing is a gap analysis of policies and practices and recommended steps for our new group when fully on-board. I'm hopeful to expand that to the rest of the company, since it's looking more and more like it can be an afterthought internally.

Pryor on Fire
May 14, 2013

they don't know all alien abduction experiences can be explained by people thinking saving private ryan was a documentary

I just spin up slack or hipchat rooms for clueless clients that I need to communicate with relatively securely. No complaints so far, even a CTO was able to install slack once it was a loving miracle.

Pie Colony
Dec 8, 2006
I AM SUCH A FUCKUP THAT I CAN'T EVEN POST IN AN E/N THREAD I STARTED
I'm currently working as a software engineer. It's cushy as all hell, I'm making amazing bank (esp. for a 26 y/o), but I'm incredibly bored. It's not particularly challenging and I have to work with mostly poo poo code all day. Basically I have 3 options:

1) Treat my job as a paycheck, enjoy working <= 8 hour days, and focus on fun things instead of computer touching
2) Try to get a more challenging position at Google/FB/etc, working more but improving my career prospects
3) Try to get a position doing something in security, of which I only have a rudimentary knowledge but find really interesting

I realize you beautiful people can't make this decision for me, and I'm partially typing this out for my own good, but can anyone convince me to go down the 3rd path (or another path really)? I think I would be happy doing security but I don't really know what it's like to work professionally in the industry, and the brief research I've conducted seems to point that it's less chill/more corporate than what I do now, and will probably come with a pay decrease.

apseudonym
Feb 25, 2011

Pie Colony posted:

I'm currently working as a software engineer. It's cushy as all hell, I'm making amazing bank (esp. for a 26 y/o), but I'm incredibly bored. It's not particularly challenging and I have to work with mostly poo poo code all day. Basically I have 3 options:

1) Treat my job as a paycheck, enjoy working <= 8 hour days, and focus on fun things instead of computer touching
2) Try to get a more challenging position at Google/FB/etc, working more but improving my career prospects
3) Try to get a position doing something in security, of which I only have a rudimentary knowledge but find really interesting

I realize you beautiful people can't make this decision for me, and I'm partially typing this out for my own good, but can anyone convince me to go down the 3rd path (or another path really)? I think I would be happy doing security but I don't really know what it's like to work professionally in the industry, and the brief research I've conducted seems to point that it's less chill/more corporate than what I do now, and will probably come with a pay decrease.

Good software engineers that understand security are worth their weight in gold, it's really hard to find security people that can build stuff and it's rewarding as gently caress work, can't recommend it enough.

Pie Colony
Dec 8, 2006
I AM SUCH A FUCKUP THAT I CAN'T EVEN POST IN AN E/N THREAD I STARTED

apseudonym posted:

Good software engineers that understand security are worth their weight in gold

Looks like I'm eating a whole pizza tonight boys

All kidding aside, it does seem like "security engineer" is the path that makes the most sense, but I'm confused by exactly what I'd be doing, and how much of a coding resource vs a security resource I'd be. Not sure how to prepare for one of these interviews either, or if my background in software dev/computer science would at all make up for my lack of security training.

Storysmith
Dec 31, 2006

Pie Colony posted:

it does seem like "security engineer" is the path that makes the most sense, but I'm confused by exactly what I'd be doing, and how much of a coding resource vs a security resource I'd be.

Good news, the industry doesn't either! It's going to vary heavily from position to position and from company to company. Sometimes it's code audit monkey work, sometimes it's building better tooling or rearchitecting things to actually be secure because the company has a real idea of their and their customers' threat models now, sometimes it's a code word for "fill out due diligence questionnaires all day". Some jobs, it's all of the above in varying amounts.

My best advice is to find some folks working the job you think you want (even if not at the company you want) in the community and offer to buy them a cup of coffee or a beer to hang out one-on-one and discuss what it's like and how to get there from where you are. Not quite at a mentor level, just as fellow tech nerds.

Proteus Jones
Feb 28, 2013



Storysmith posted:

Good news, the industry doesn't either! It's going to vary heavily from position to position and from company to company. Sometimes it's code audit monkey work, sometimes it's building better tooling or rearchitecting things to actually be secure because the company has a real idea of their and their customers' threat models now, sometimes it's a code word for "fill out due diligence questionnaires all day". Some jobs, it's all of the above in varying amounts.

My best advice is to find some folks working the job you think you want (even if not at the company you want) in the community and offer to buy them a cup of coffee or a beer to hang out one-on-one and discuss what it's like and how to get there from where you are. Not quite at a mentor level, just as fellow tech nerds.

Also, look to your nearest metropolitan area for meet-ups. They're fantastic for networking and learning things.

Mustache Ride
Sep 11, 2001



We hired a software engineer as an "Automation Specialist". Basically he scripts our security tools together using APIs so that everything talks to each other and real time threat data is passed everywhere.

Now he's learning about reverse engineering and after a little training he'll probably be one hell of a good reverser.

But there have been times when we haven't given him much to do, and he took the initiative to develop his own thing. So if you're not much of an innovator you might get easily bored.

Cugel the Clever
Apr 5, 2009
I LOVE AMERICA AND CAPITALISM DESPITE BEING POOR AS FUCK. I WILL NEVER RETIRE BUT HERE'S ANOTHER 200$ FOR UKRAINE, SLAVA

Twerk from Home posted:

It is, the mail is getting sent encrypted and you're accessing the gmail webapp over https. Encrypted email has been the norm in gmail for a while.
Point taken. In that case, it's not particularly clear to me what security enhancement Virtru purports to be offering beyond forcing the recipient to use their Google account.

EssOEss posted:

What do you want to protect against? A state actor intercepting it? Probably not.
The threat model is a very important part of any security design, so there really is no right answer.
Fortunately, nothing more exciting than a nebulous and non-specific desire for 'greater security'.

Thanks for the responses, guys.

CLAM DOWN
Feb 13, 2007




gently caress the internet of things

https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/

Forgall
Oct 16, 2012

by Azathoth
Are DDOS a theoretically solvable problem?

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

Forgall posted:

Are DDOS a theoretically solvable problem?

In magical christmas land, you'd be able to block abusive traffic at your upstream provider, who would get their upstream provider to block it as well, and so on until you have consumer ISPs blocking traffic from customers who have had their computers or iot devices recruited into a botnet.

In the real world, that's a lot of effort for each individual provider to implement, and it doesn't even achieve a heck of a lot until you have everyone on board. So it's quite an unrealistic solution.

keseph
Oct 21, 2010

beep bawk boop bawk

Forgall posted:

Are DDOS a theoretically solvable problem?

You're an ISP and have successfully identified a customer participating in a botnet. You know they have an infected machine on their network, no expertise to fix it, and even if you do send a tech who knows the specific device that's the problem, what're they going to do with it when the device is unpatchable? Now consider the cost borne by the ISP in this process and multiply by 500 million clueless subscribers.

Thanks Ants
May 21, 2004

#essereFerrari


I'm intrigued how these devices are ending up accessible to the outside world in the first place, since they all talk to the control servers over outbound connections, and I've not seen an ISP-supplied home router that doesn't block inbound connections by default. Has someone decided that UPnP is a great thing to use to punch holes in firewalls because nobody can be bothered to deal with NAT in their applications?

ufarn
May 30, 2009
Is DNS redundancy something mere mortals can do? I've never looked into it much, and just use CloudFlare for my own projects.

Khablam
Mar 29, 2012

Thanks Ants posted:

I'm intrigued how these devices are ending up accessible to the outside world in the first place, since they all talk to the control servers over outbound connections, and I've not seen an ISP-supplied home router that doesn't block inbound connections by default. Has someone decided that UPnP is a great thing to use to punch holes in firewalls because nobody can be bothered to deal with NAT in their applications?

Because they direct you to set up remote access (port forward / UPnP) so that you can dim your lights from the office. The mirai sourcecode revealed all it's doing is scanning for the telnet these devices use, trying default passcodes, and infecting.

The mirai botnet has spread by bruteforcing telnet, so that's going to be a good number of the routers themselves adding to it.

Proteus Jones
Feb 28, 2013



Khablam posted:

The mirai botnet has spread by bruteforcing telnet, so that's going to be a good number of the routers themselves adding to it.

It's not bruteforcing. It has checks against 60+ known default out-of-the-box admin credentials. Which are many times hard-coded into the devices.

I'd have to look it up, but some group did a 24 hour scan of the Internet and found 550,000+ internet accessible CCTV cameras with default admin settings about a month ago.
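The distinction made above (a fixed list of factory logins, not brute force) is worth seeing in code. The following is an added example, not code from the thread or from the Mirai source: a Telnet default-credential audit you can point at a device you own, plus a fake Telnet daemon constructed for the example so the whole thing runs offline against 127.0.0.1. The credential list is a handful of entries of the kind in the leaked scanner table, not the full list.

```python
"""Audit a host for Mirai-style factory Telnet logins.

Added example, not code from the thread or from Mirai. The scanner does not
brute-force: it walks a short fixed list of vendor defaults. This script does
the same thing against a device you own. It also carries a fake Telnet daemon
(constructed for the example) so it runs offline against 127.0.0.1.
"""
import socket
import threading

# A handful of factory logins of the kind in the leaked Mirai scanner table.
# Illustrative only; the real table is longer.
DEFAULT_CREDENTIALS = [
    ("root", "xc3511"),
    ("root", "vizxv"),
    ("admin", "admin"),
    ("root", "root"),
    ("admin", "1234"),
    ("support", "support"),
]


def _recv_until(sock, marker, limit=4096):
    """Read from sock until marker appears, the peer closes, or limit is hit."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(256)
        if not chunk:
            break
        buf += chunk
    return buf


def try_login(host, port, user, password, timeout=2.0):
    """True if the device accepts user/password at a plain-text Telnet prompt.

    IAC option negotiation is ignored; busybox-style daemons on these devices
    still show 'login: ' and 'Password: ' in the clear.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        _recv_until(s, b"login: ")
        s.sendall(user.encode() + b"\r\n")
        _recv_until(s, b"Password: ")
        s.sendall(password.encode() + b"\r\n")
        reply = _recv_until(s, b"\n")
        return bool(reply) and b"Login incorrect" not in reply


def find_default_credentials(host, port, candidates=DEFAULT_CREDENTIALS):
    """Return the first (user, password) pair the device accepts, or None."""
    for user, password in candidates:
        try:
            if try_login(host, port, user, password):
                return (user, password)
        except OSError:      # port closed, timeout, or device dropped us
            return None
    return None


class FakeTelnetDevice(threading.Thread):
    """Stand-in for a camera/DVR Telnet daemon with one hard-coded login.

    Constructed for the example so the audit can run offline.
    """

    def __init__(self, user, password):
        super().__init__(daemon=True)
        self.user, self.password = user.encode(), password.encode()
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))   # ephemeral port
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            try:
                with conn:
                    conn.sendall(b"login: ")
                    user = _recv_until(conn, b"\n").strip()
                    conn.sendall(b"Password: ")
                    pw = _recv_until(conn, b"\n").strip()
                    if (user, pw) == (self.user, self.password):
                        conn.sendall(b"BusyBox built-in shell (ash)\r\n# ")
                    else:
                        conn.sendall(b"Login incorrect\r\n")
            except OSError:
                continue


def demo():
    """Stand up a fake device shipped with root/vizxv and audit it."""
    device = FakeTelnetDevice("root", "vizxv")
    device.start()
    return find_default_credentials("127.0.0.1", device.port)


if __name__ == "__main__":
    print("accepted:", demo())
```

The audit stops at the first accepted pair and at the first socket error, which is what you want when walking a list of hosts: a closed port or a device that hangs up after one attempt is already the answer. Against real hardware, expect a few bytes of IAC negotiation before the prompt; the reader above simply waits for the prompt text to appear.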

Thanks Ants
May 21, 2004

#essereFerrari


VPNs are tough :(

CLAM DOWN
Feb 13, 2007




Reminder that security online is a dumpster fire

https://henryhoggard.co.uk/blog/Paypal-2FA-Bypass

quote:

Recently I was in a hotel needing to make a payment, there was no phone signal so I could not receive my Two Factor Auth token. Luckily for me Paypal’s 2FA took less than five minutes to bypass.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Forgall posted:

Are DDOS a theoretically solvable problem?

Theoretically, anything is solvable!* :pseudo:

*Theory may not have any grounds in reality.

I suppose you could do something like roll out a change of standards that renders all botnets incapable of using the devices they've captured to communicate with servers, and then ensure that everything made to the new standards closes all the known loopholes. But that would only solve it until they figured out another way to bypass ultimately profit-motivated security, and it would be extraordinarily disruptive to normal usage along with a whole host of other problems. Basically DDoS potential grows with the speed and convenience of the Internet, so there's no way to choke it out completely without rolling back all that progress. I think it's really based on how many devices you can enslave rather than how quickly any particular device can communicate with the Internet, anyway, which is why the IoT is empowering those hackers so much.

Honestly, it sounds like the companies making these cameras and such have made some token attempt at securing them, but their primary focus is on capitalizing on a growing market and in their view they simply don't have time to sit around and consult professionals and do pentests and poo poo. Sometimes the Internet grows too fast for its own good, I guess?

eames
May 9, 2009

Tough situation.
My initial thought was that IoT manufacturers should be held accountable for enabling these bad practices (i.e. all security cameras should come with truly unique default usernames/passwords printed on them, automatic firmware updates should be standardised and mandatory, etc).
On the other hand what are you going to do against users who simply don't know/care about security and use UPnP/expose ports to the WAN side "until it works".

This is probably going to get much worse before it gets better. My only consolation is that the root of the problem would be exceedingly simple to solve with a correctly set up firewall in every office/home.
I find things like 0-day cryptolockers with payloads that upload data to remote servers far scarier in that regard.

hobbesmaster
Jan 28, 2008

Squeegy posted:

Theoretically, anything is solvable!* :pseudo:

*Theory may not have any grounds in reality.

I suppose you could do something like roll out a change of standards that renders all botnets incapable of using the devices they've captured to communicate with servers, and then ensure that everything made to the new standards closes all the known loopholes. But that would only solve it until they figured out another way to bypass ultimately profit-motivated security, and it would be extraordinarily disruptive to normal usage along with a whole host of other problems. Basically DDoS potential grows with the speed and convenience of the Internet, so there's no way to choke it out completely without rolling back all that progress. I think it's really based on how many devices you can enslave rather than how quickly any particular device can communicate with the Internet, anyway, which is why the IoT is empowering those hackers so much.

Honestly, it sounds like the companies making these cameras and such have made some token attempt at securing them, but their primary focus is on capitalizing on a growing market and in their view they simply don't have time to sit around and consult professionals and do pentests and poo poo. Sometimes the Internet grows too fast for its own good, I guess?

Even if they had up to date secure software who patches their security cameras?

Thanks Ants
May 21, 2004

#essereFerrari


Basic home internet connections should have the firewall part hosted by the ISP, and the box that goes in the home is just a bunch of dumb interfaces. No inbound rules allowed, but the ISP has simple apps available that let you establish VPN connectivity to your private subnet(s).

Edit: This is more pipe-dream spitballing, but there's no real need for most home users to be able to break their routers in the way that following random guides on the Internet will let them do. The issue is doing this in a secure and reliable way at the ISP end which isn't really compatible with a low margin product.

Thanks Ants fucked around with this message at 22:37 on Oct 23, 2016

Mustache Ride
Sep 11, 2001



Now's the perfect time to go to market with a home firewall/network security tool. Goon Project©?

Hughlander
May 11, 2005

RBL applied by MAC family at the router level. "Dyn is under DNS, 3com can access it, cheap Chinese IP camera can't."

eames
May 9, 2009

Thanks Ants posted:

Basic home internet connections should have the firewall part hosted by the ISP, and the box that goes in the home is just a bunch of dumb interfaces. No inbound rules allowed, but the ISP has simple apps available that let you establish VPN connectivity to your private subnet(s).

Now that you mention it, at least one ISP in my country does carrier-grade NAT by default, which is a whole other :can: and no firewall but would prevent this type of vulnerability.

https://en.wikipedia.org/wiki/Carrier-grade_NAT

I set up such a connection once to jump through some hoops to get a truly public IP and be able to forward ports.
It would be interesting to know how many users actually make use of the public IP option, probably <1%.

Impotence
Nov 8, 2010
Lipstick Apathy
What would be the easiest way to roll my own crypto? PHP/Python/Java server-side, JS in browser client-side.

none of this is security critical in the slightest, i just want the easiest possible way to not meet any standard or protocol but have a working encode/decode implementation that can be parsed into a js object/array that i can cycle formats periodically, was thinking about some abomination of protobuf xor'd with the user's client ip and current timestamp

Mr Chips
Jun 27, 2007
Whose arse do I have to blow smoke up to get rid of this baby?

Hughlander posted:

RBL applied by MAC family at the router level. "Dyn is under DNS, 3com can access it, cheap Chinese IP camera can't."
How will this cope with spoofed MAC addresses?

Mr Chips fucked around with this message at 00:54 on Oct 24, 2016

apseudonym
Feb 25, 2011

Biowarfare posted:

What would be the easiest way to roll my own crypto? PHP/Python/Java server-side, JS in browser client-side.

none of this is security critical in the slightest, i just want the easiest possible way to not meet any standard or protocol but have a working encode/decode implementation that can be parsed into a js object/array that i can cycle formats periodically, was thinking about some abomination of protobuf xor'd with the user's client ip and current timestamp

Why in the world do you want it not to meet any standard?

Hughlander
May 11, 2005

Mr Chips posted:

How will this cope with spoofed MAC addresses?

Are the IOT devices on the bot net spoofing mac addresses while getting dhcp from the router? Haven't seen that in the reports...

Mr Chips
Jun 27, 2007
Whose arse do I have to blow smoke up to get rid of this baby?

Hughlander posted:

Are the IOT devices on the bot net spoofing mac addresses while getting dhcp from the router? Haven't seen that in the reports...

If you've got root level access on a linux based device it shouldn't be hard (unless the device has been hardened to the point it wouldn't get compromised easily). I have NFI what most of this "IOT" smart lightbulb type crap runs, however.

Storysmith
Dec 31, 2006

Hughlander posted:

Are the IOT devices on the bot net spoofing mac addresses while getting dhcp from the router? Haven't seen that in the reports...

You're assuming the companies churning out this stuff actually register for MACs and then use them uniquely per device, and that's not always true. It's real cheap and easy to just make something be 12:34:56:78:90:ab or something, and if it's a product most people only buy one of, it won't matter if you hardcoded it in every device.
I'm not saying someone is using ioctls to change the MAC as part of malware, I'm saying that blocking "one manufacturer" may be harder than you think because of the level of not giving a poo poo in the space.

Volguus
Mar 3, 2009

apseudonym posted:

Why in the world do you want it not to meet any standard?

I'd venture a guess here: security by obscurity? Since history teaches us that it is working so well for people....
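To make the obscurity point concrete, here is an added example (not code from either poster) that reconstructs the scheme proposed a few posts up, payload XOR'd with the client IP and the current timestamp, and breaks it two ways. The key layout (4 IP bytes followed by 4 timestamp bytes, repeated), the address and the message are all constructed for the example; the attacks only use what an observer already has: the IP on the wire, the rough capture time, and the predictable framing every message to the same API starts with.

```python
"""Breaking 'payload XOR (client IP + timestamp)'.

Added example, not code from the thread. The scheme is reconstructed from the
proposal: key = 4 IPv4 bytes + 4 timestamp bytes, repeated across the message.
Two attacks follow, neither needing anything the attacker does not already
have. Addresses and messages are constructed.
"""
import json
import socket
import struct


def make_key(client_ip, timestamp):
    """Key as proposed: 4 bytes of IPv4 address + 4-byte Unix time (8 bytes)."""
    return socket.inet_aton(client_ip) + struct.pack(">I", timestamp)


def xor_with_key(data, key):
    """Repeating-key XOR. It is its own inverse, which is the whole problem."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext, known_plaintext, key_len):
    """Attack 1: key_len bytes of known plaintext give the entire key.

    Every message to this API starts with the same framing, so the attacker
    always has those bytes. ct[i] ^ pt[i] == key[i] for i < key_len.
    """
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need key_len bytes of both")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def brute_force_timestamp(ciphertext, client_ip, seen_at, window=3600):
    """Attack 2: no plaintext at all.

    The client IP is on the wire and the timestamp is within a window of when
    the packet was captured, so the key space is about 2*window. Try each
    second and stop when the result parses as JSON.
    """
    for t in range(seen_at - window, seen_at + window + 1):
        candidate = xor_with_key(ciphertext, make_key(client_ip, t))
        try:
            json.loads(candidate.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue
        return t, candidate
    return None


def demo():
    """Encode one message the proposed way, then recover it both ways."""
    client_ip, ts = "203.0.113.7", 1477267200            # constructed
    key = make_key(client_ip, ts)
    msg = b'{"user":"alice","role":"member","balance":1234}'
    ct = xor_with_key(msg, key)

    k = recover_key(ct, b'{"user":', len(key))           # attacker guesses the framing
    hit = brute_force_timestamp(ct, client_ip, ts + 500)  # captured ~8 minutes later
    return {
        "key_recovered": k == key,
        "plaintext_from_known_prefix": xor_with_key(ct, k),
        "timestamp_from_brute_force": hit[0] if hit else None,
        "plaintext_from_brute_force": hit[1] if hit else None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Eight bytes of guessed framing hand over the whole key because the key repeats; without any guess, the two secret inputs are a public address and a clock, so a few thousand XORs enumerate every possible key. Cycling the format "periodically" does not change either attack, it only changes which framing bytes get guessed. If the data genuinely is not security critical, plain base64 is honest about being an encoding; if it ever becomes critical, a standard AEAD from a maintained library is the only serious option.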

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Considering that hackers seem to hit most of their IoT targets by just scanning until they find something vulnerable, I'd wager that there's no such thing as obscurity on the Internet. If you exist, you will get tested.

Hughlander
May 11, 2005

Storysmith posted:

You're assuming the companies churning out this stuff actually register for MACs and then use them uniquely per device, and that's not always true. It's real cheap and easy to just make something be 12:34:56:78:90:ab or something, and if it's a product most people only buy one of, it won't matter if you hardcoded it in every device.
I'm not saying someone is using ioctls to change the MAC as part of malware, I'm saying that blocking "one manufacturer" may be harder than you think because of the level of not giving a poo poo in the space.

That just makes it even easier to detect then. You know that no valid client wants to go to that address from that MAC so you can safely block yourself.


Mr Chips posted:

If you're got root level access on a linux based device it shouldn't be hard (unless the device has been hardened to the point it wouldn't get compromised easily). I have NFI what most of this "IOT" smart lightbulb type crap runs, however.

True enough, I bet it could be refined though to make it unlikely to have a strong impact...

Spitball:

There's a device on the network with UPNP exposed outside. You know the ports that it's exposing, you know its outgoing ports. From that you can fingerprint what the device is. If there's an RBL for a service that was targeting devices of that type the router would know that it fits the bill. If you've never sent traffic to that address/network and you start trying to drop all traffic going to that address since you fit the pattern.

Slightly more work than MAC but still doable.
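The spitball above is a router-side block keyed on what the device is; the objection raised earlier is that MACs can be shared or spoofed. An added example (not the poster's code) that takes the detection half of the idea and keys on what the device does instead: the propagation behaviour this thread attributes to Mirai, a burst of connection attempts to Telnet on many distinct public addresses from one LAN source, which a home router sees in its own outbound flow records. The flow log format and every sample line are constructed for the example.

```python
"""Catch a LAN device that has started scanning the Internet for Telnet.

Added example, not code from the thread. A newly infected device sprays
connection attempts at port 23/2323 on random public addresses, and that is
visible to the home router as a burst of distinct destinations from one source.
The flow log format and all sample lines are constructed for the example.
"""
from collections import defaultdict, deque
import ipaddress

SCAN_PORTS = {23, 2323}
WINDOW_SECONDS = 60
DISTINCT_TARGET_THRESHOLD = 20


def parse_flow(line):
    """'ts src_mac src_ip dst_ip dst_port proto' -> dict, or None for junk."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src_mac, src_ip, dst_ip, dst_port, proto = parts
    try:
        return {
            "ts": float(ts),
            "src_mac": src_mac.lower(),
            "src_ip": src_ip,
            "dst_ip": ipaddress.ip_address(dst_ip),
            "dst_port": int(dst_port),
            "proto": proto.lower(),
        }
    except ValueError:
        return None


class TelnetScanDetector:
    """Sliding window of distinct public Telnet targets per source MAC.

    Keyed on the MAC as seen, not on vendor OUI, so a batch of devices that
    share one hard-coded address is still caught (and blocked) together.
    """

    def __init__(self, window=WINDOW_SECONDS, threshold=DISTINCT_TARGET_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self._events = defaultdict(deque)   # src_mac -> deque of (ts, dst_ip)
        self.flagged = {}                   # src_mac -> ts it crossed the threshold

    def observe(self, flow):
        """Feed one flow; return True if its source is (now) flagged."""
        mac = flow["src_mac"]
        if flow["proto"] == "tcp" and flow["dst_port"] in SCAN_PORTS and flow["dst_ip"].is_global:
            q = self._events[mac]
            q.append((flow["ts"], flow["dst_ip"]))
            while q and q[0][0] < flow["ts"] - self.window:
                q.popleft()                 # expire events outside the window
            distinct = len({ip for _, ip in q})
            if distinct >= self.threshold and mac not in self.flagged:
                self.flagged[mac] = flow["ts"]
        return mac in self.flagged


def scan_log(lines, **detector_args):
    """Run the detector over text flow records; return {mac: first_flag_ts}."""
    det = TelnetScanDetector(**detector_args)
    for line in lines:
        flow = parse_flow(line)
        if flow is not None:
            det.observe(flow)
    return det.flagged


def sample_log():
    """Constructed flows: a laptop browsing plus a camera spraying Telnet SYNs."""
    lines = [
        "1477267200 aa:bb:cc:00:00:01 192.168.1.10 185.99.0.1 443 tcp",
        "1477267201 aa:bb:cc:00:00:01 192.168.1.10 192.168.1.23 23 tcp",  # LAN-side telnet: ignored
        "1477267202 aa:bb:cc:00:00:01 192.168.1.10 185.99.0.1 443 tcp",
        "this line is garbage and is skipped",
    ]
    for i in range(30):   # 30 distinct public hosts on port 23 in 15 s
        lines.append(f"{1477267200 + i / 2} 00:12:34:aa:bb:cc 192.168.1.23 185.{100 + i}.0.1 23 tcp")
    return lines


if __name__ == "__main__":
    for mac, ts in scan_log(sample_log()).items():
        print(f"{mac} started scanning at t={ts}")
```

Detection does not care whether the MAC is genuine; the flagged key is whatever address the offending frames carried, which is also the thing the router can drop. Telnet to a LAN host is deliberately ignored, since that is how people administer these boxes, and the threshold is on distinct destinations rather than packet count so a single chatty session never trips it.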

pairofdimes
May 20, 2001

blehhh
Has anyone ever pre-emptively attacked the vulnerable IOT/other vulnerable devices to stop a botnet from forming? For instance, instead of using the Mirai botnet code to infect more hosts, instead just have them all wipe themselves.

It seems that if it hasn't happened yet it's only a matter of time. Maybe that would finally force manufacturers to take security more seriously since they would have to deal with a bunch of angry customers.


Grassy Knowles
Apr 4, 2003

"The original Terminator was a gritty fucking AMAZING piece of sci-fi. Gritty fucking rock-hard MURDER!"

pairofdimes posted:

Has anyone ever pre-emptively attacked the vulnerable IOT/other vulnerable devices to stop a botnet from forming? For instance, instead of using the Mirai botnet code to infect more hosts, instead just have them all wipe themselves.

It seems that if it hasn't happened yet it's only a matter of time. Maybe that would finally force manufacturers to take security more seriously since they would have to deal with a bunch of angry customers.

yes, http://hackaday.com/2015/10/02/a-white-hat-virus-for-the-internet-of-things/
