Forgall
Oct 16, 2012

by Azathoth

Biowarfare posted:

What would be the easiest way to roll my own crypto? PHP/Python/Java server-side, JS in browser client-side.

None of this is security critical in the slightest; I just want the easiest possible way to not meet any standard or protocol but have a working encode/decode implementation that can be parsed into a JS object/array so that I can cycle formats periodically. Was thinking about some abomination of protobuf XOR'd with the user's client IP and current timestamp.
What are you even trying to do?


Impotence
Nov 8, 2010
Lipstick Apathy
Custom text/array serialization format specifically for anti-compatibility purposes, in as hosed up a manner as possible.

Proteus Jones
Feb 28, 2013



pairofdimes posted:

Has anyone ever pre-emptively attacked the vulnerable IOT/other vulnerable devices to stop a botnet from forming? For instance, instead of using the Mirai botnet code to infect more hosts, instead just have them all wipe themselves.

It seems that if it hasn't happened yet it's only a matter of time. Maybe that would finally force manufacturers to take security more seriously since they would have to deal with a bunch of angry customers.

Super illegal. While there is a SMALL number of countries that allow "counter-hacking" (the US is not one), I don't know of any that allow pre-emptive future-crime justice. If someone were to try to do this, remember that EACH device touched is individually a separate count under the Computer Fraud and Abuse Act in the US if caught.

Plus there's the whole Law of Unintended Consequences, as well.

Volguus
Mar 3, 2009

Biowarfare posted:

Custom text/array serialization format specifically for anti-compatibility purposes, in as hosed up a manner as possible.

But why? What's the ultimate goal? Any format you choose can be reversed engineered by someone motivated enough. The entire point of using a standard is so that you don't have to do it yourself. Ultimately, it just seems to create work for the sake of creating work.
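To make Volguus's point concrete, here is an added example (not code from the thread or from either poster) of a toy version of the scheme Biowarfare sketched: a serialized object XOR'd with a keystream derived from the client IP and a timestamp. Everything here is constructed for illustration: the IP, the timestamp, the sample object, the use of SHA-256 to stretch the IP/timestamp into a keystream, and the 4-byte timestamp header are all assumptions. The last function shows that anyone who knows (or can guess) how a message usually begins recovers the whole payload without ever seeing the IP or timestamp, because XOR is its own inverse and the keystream repeats.

```python
import hashlib
import json
import struct

# Constructed values (hypothetical, not from the thread).
CLIENT_IP = "203.0.113.7"        # RFC 5737 documentation address
TIMESTAMP = 1477412953           # arbitrary epoch seconds
PERIOD = hashlib.sha256().digest_size  # keystream repeats every 32 bytes

# Constructed sample payload; with sort_keys the serialized form always
# starts with the same bytes, which is exactly the known plaintext an
# observer needs.
SAMPLE = {
    "app": "inventory-sync",
    "format": "v1",
    "items": [{"sku": "A-100", "qty": 3}, {"sku": "B-200", "qty": 12}],
}
KNOWN_PREFIX = b'{"app":"inventory-sync","format":"v1",'


def keystream(ip: str, ts: int, length: int) -> bytes:
    """Stretch IP + timestamp into a repeating keystream (assumed construction).

    Note the 'key' is a function of values both endpoints, and any
    on-path observer, already know; nothing here is secret.
    """
    seed = hashlib.sha256(f"{ip}|{ts}".encode()).digest()
    return (seed * (length // len(seed) + 1))[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode(obj, ip: str, ts: int) -> bytes:
    """Serialize to compact JSON, XOR with the keystream, prepend the timestamp."""
    payload = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    header = struct.pack(">I", ts)  # the timestamp travels in the clear
    return header + xor_bytes(payload, keystream(ip, ts, len(payload)))


def decode(blob: bytes, ip: str):
    """The intended receiver: reads the timestamp, rebuilds the keystream, un-XORs."""
    ts = struct.unpack(">I", blob[:4])[0]
    body = blob[4:]
    return json.loads(xor_bytes(body, keystream(ip, ts, len(body))))


def reverse_without_key(blob: bytes, known_prefix: bytes):
    """Recover the payload knowing neither the IP nor the derivation.

    ciphertext XOR plaintext = keystream, so one full period of known
    plaintext (here 32 bytes) yields the repeating keystream for the
    entire message.
    """
    body = blob[4:]
    if len(known_prefix) < PERIOD:
        raise ValueError("need at least one full keystream period of known plaintext")
    period_key = xor_bytes(body[:PERIOD], known_prefix[:PERIOD])
    full_key = (period_key * (len(body) // PERIOD + 1))[:len(body)]
    return json.loads(xor_bytes(body, full_key))


if __name__ == "__main__":
    blob = encode(SAMPLE, CLIENT_IP, TIMESTAMP)
    print("receiver:", decode(blob, CLIENT_IP))
    print("observer:", reverse_without_key(blob, KNOWN_PREFIX))
```

The two printed lines are identical, which is the whole lesson: a home-grown format built from non-secret inputs buys obscurity for exactly as long as nobody cares to look. If compatibility-breaking is the only goal, a versioned field in a standard format (JSON, protobuf) does the same job without the maintenance burden, and if confidentiality ever does become a requirement the answer is TLS or an authenticated cipher with a real key, not XOR against data already on the wire.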

Inspector_666
Oct 7, 2003

benny with the good hair

keseph posted:

You're an ISP and have successfully identified a customer participating in a botnet. You know they have an infected machine on their network, no expertise to fix it, and even if you do send a tech who knows the specific device that's the problem, what're they going to do with it when the device is unpatchable? Now consider the cost borne by the ISP in this process and multiply by 500 million clueless subscribers.

I was going to say it seems like the solution is mostly just "User education and not being idiots" so pretty much it's unsolvable.

Maneki Neko
Oct 27, 2000

pairofdimes posted:

Has anyone ever pre-emptively attacked the vulnerable IOT/other vulnerable devices to stop a botnet from forming? For instance, instead of using the Mirai botnet code to infect more hosts, instead just have them all wipe themselves.

It seems that if it hasn't happened yet it's only a matter of time. Maybe that would finally force manufacturers to take security more seriously since they would have to deal with a bunch of angry customers.

Maybe not exactly what you're looking for, but Welchia did something similar back in the day, although it tried to be more helpful and remove blaster vs hurting the device.

https://en.wikipedia.org/wiki/Welchia

Doug
Feb 27, 2006

This station is
non-operational.

Inspector_666 posted:

I was going to say it seems like the solution is mostly just "User education and not being idiots" so pretty much it's unsolvable.

Totally! If we can just teach users how to change the telnet password on an interface they don't know exists without common tools like passwd, then we can totally solve this! This is not a user education issue. This is absolutely a device manufacturer issue. We need some kind of 'connected things' alliance to create some standards around this poo poo, create some kind of quality seal and teach users to buy those things.

I feel like this whole discussion has gotten muddied because people gotten it into their heads that this is a result of people connecting toasters to the internet, leaving the web management interface internet accessible and not changing the default password. None of the things in that last sentence have anything to do with Mirai or the DDoS from Friday.

Inspector_666
Oct 7, 2003

benny with the good hair

Doug posted:

Totally! If we can just teach users how to change the telnet password on an interface they don't know exists without common tools like passwd, then we can totally solve this! This is not a user education issue. This is absolutely a device manufacturer issue. We need some kind of 'connected things' alliance to create some standards around this poo poo, create some kind of quality seal and teach users to buy those things.

Yeah I wrote that still in the "Download some sweet tunage off of Kazaa and join a botnet!" headspace. :downs:

ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else
Ah Kazaa and Limewire. Willfully infecting your computer with the worst aids in order to listen to some mp3's.

Doug
Feb 27, 2006

This station is
non-operational.

Inspector_666 posted:

Yeah I wrote that still in the "Download some sweet tunage off of Kazaa and join a botnet!" headspace. :downs:

Yeah, that seems to be where the majority of the "community" is too. People posting screenshots on Twitter of web admin panels with default creds, others bashing users, and still others taking the curmudgeon angle and talking about how it shouldn't be connected to the internet in the first place. Self righteousness is at an all time high trending perfectly with ignorance and misinformation.

astral
Apr 26, 2004

ChubbyThePhat posted:

Ah Kazaa and Limewire. Willfully infecting your computer with the worst aids in order to listen to some mp3's.

https://www.youtube.com/watch?v=bAQqrnX7BsM&t=3s

stevewm
May 10, 2005
Any PCI experts in here? I can't seem to get a straight answer from anyone, and cannot really wrap my head around the PCI council documentation I can find on the topic.

We are getting ready to implement a PCI validated point-to-point encryption system for taking credit cards/EMV (Verishield Protect). With this, the customer's account data is encrypted on the pad with a per-device key and stays that way to our processor. Our POS software never sees any part of the CC data; it only receives status codes. We have zero access to any cardholder data, period, and it never travels over our network in an unencrypted form.

I cannot get a straight answer on how much this reduces our PCI scope. Our POS software provider is telling us it puts us out of scope entirely, i.e. zero PCI requirements. But I am not believing that. Our processor doesn't really have an answer for us either.

Is anyone familiar with such systems?

Sickening
Jul 16, 2007

Black summer was the best summer.

stevewm posted:

Any PCI experts in here? I can't seem to get a straight answer from anyone, and cannot really wrap my head around the PCI council documentation I can find on the topic.

We are getting ready to implement a PCI validated point-to-point encryption system for taking credit cards/EMV (Verishield Protect). With this, the customer's account data is encrypted on the pad with a per-device key and stays that way to our processor. Our POS software never sees any part of the CC data; it only receives status codes. We have zero access to any cardholder data, period, and it never travels over our network in an unencrypted form.

I cannot get a straight answer on how much this reduces our PCI scope. Our POS software provider is telling us it puts us out of scope entirely, i.e. zero PCI requirements. But I am not believing that. Our processor doesn't really have an answer for us either.

Is anyone familiar with such systems?

I feel like that might be something you pay a consultant to walk you through. Right?

Maneki Neko
Oct 27, 2000

stevewm posted:

Any PCI experts in here? I can't seem to get a straight answer from anyone, and cannot really wrap my head around the PCI council documentation I can find on the topic.

We are getting ready to implement a PCI validated point-to-point encryption system for taking credit cards/EMV (Verishield Protect). With this, the customer's account data is encrypted on the pad with a per-device key and stays that way to our processor. Our POS software never sees any part of the CC data; it only receives status codes. We have zero access to any cardholder data, period, and it never travels over our network in an unencrypted form.

I cannot get a straight answer on how much this reduces our PCI scope. Our POS software provider is telling us it puts us out of scope entirely, i.e. zero PCI requirements. But I am not believing that. Our processor doesn't really have an answer for us either.

Is anyone familiar with such systems?

Hahahahahaha oh software vendor.

Yeah, you'll still have some work to do, it may just be a very small scope.

This document describes which SAQ applies to you:

https://www.pcisecuritystandards.org/documents/SAQ_InstrGuidelines_v3-1.pdf

Based on what you described, I'd assume this one, but you should double check with your processor/bank, as they're the ones ball busting you annually:

https://www.pcisecuritystandards.org/documents/PCI-DSS-v3_2-SAQ-P2PE.pdf?agreement=true&time=1477412953976

Maneki Neko fucked around with this message at 17:30 on Oct 25, 2016

Proteus Jones
Feb 28, 2013



Sickening posted:

I feel like that might be something you pay a consultant to walk you through. Right?

Same.

It can get complicated at that level. Hardware encrypted on the device with a device-specific key. Does the POS software interact with the device when you need to re-key? Does it have access to the secure enclave in any way at all? If it does (or even if it doesn't) the software vendor will still most likely need to fill out an SAQ for an auditor, signing an affidavit that their software is in compliance with whichever of the sections of PCI-DSS apply to their software.

Get a PCI consultant to review your systems and determine what you are responsible for in an auditor's eyes. And you are responsible for everything on your systems, whether it's vendor supplied or not. Because it doesn't matter what the software vendor says. It matters what the auditor says.

stevewm
May 10, 2005

flosofl posted:

Same.

It can get complicated at that level. Hardware encrypted on the device with a device-specific key. Does the POS software interact with the device when you need to re-key? Does it have access to the secure enclave in any way at all? If it does (or even if it doesn't) the software vendor will still most likely need to fill out an SAQ for an auditor, signing an affidavit that their software is in compliance with whichever of the sections of PCI-DSS apply to their software.

Get a PCI consultant to review your systems and determine what you are responsible for in an auditor's eyes. And you are responsible for everything on your systems, whether it's vendor supplied or not. Because it doesn't matter what the software vendor says. It matters what the auditor says.

From what I can tell, each device has to be registered by serial number with our processor. They then turn around and give this information to Verifone, who makes a key pair specific to that device and gateway combination only. Our processor then has to arrange for that key to be installed on the device. From what I can tell our software provider does nothing but ingest status codes from it; they are not involved past shipping the hardware to us and helping get it configured.

We don't even have access to the settings on the device. We are completely locked out of it. Can't even change the IP without getting several people involved!

wyoak
Feb 14, 2005

a glass case of emotion

Fallen Rib
If you're big enough to need a QSA, talk to them since your ROC is up to them anyway. If you're self-reporting, use SAQ P2PE (after verifying that those terminals are the only point-of-interaction for credit cards in your environment, that the terminals have been implemented per the vendor guidelines, and that they are actually PCI P2PE certified).

stevewm
May 10, 2005

wyoak posted:

If you're big enough to need a QSA, talk to them since your ROC is up to them anyway. If you're self-reporting, use SAQ P2PE (after verifying that those terminals are the only point-of-interaction for credit cards in your environment, that the terminals have been implemented per the vendor guidelines, and that they are actually PCI P2PE certified).

Not big enough to need QSA, self reporting.

Strangely no one I have talked to has been particularly helpful on this. Even our own processor, they just refer me to the PCI website and won't answer any questions.

EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!
:vapes:
Switchblade Switcharoo

stevewm posted:

Not big enough to need QSA, self reporting.

Strangely no one I have talked to has been particularly helpful on this. Even our own processor, they just refer me to the PCI website and won't answer any questions.

Mainly because PCI can't loving make up its mind what the hell it's talking about and keeps changing its standards and definitions of words. It has made it so you need to hire a consultant to make sure you are doing things right (which I recommend you try your hardest to do).

Such as what you can store about a card and what you can't. I think at one point it didn't mention CVV should not be stored, which.... could be interpreted as you could store CVVs.

Also processors give no fucks. They just want a check box to click saying the customer said they are good so they have plausible deniability when you share your MySQL connection to the outside world.

Just think about it this way. Some good advice can be bad advice if you don't know the other factors of their situation.

If you give a person good advice to put a lock on the door to their house without asking enough follow-up questions they can blame you for giving bad advice even though they didn't say anything about how the door in question was a screen door.

EVIL Gibson fucked around with this message at 17:17 on Oct 26, 2016

fyallm
Feb 27, 2007



College Slice
Wish I would have known about this thread before heading to DerbyCon. Oh well.

I am finally getting around to getting my CISSP (going to a bootcamp next week) and I was curious what the best prep book out right now is. There was a guy at DerbyCon who was the author of supposedly one of the best but I can't remember his name.

Also, What is the best way to get into pen testing just for my own fun, not trying to go that way in my career route it is just something that I have always thought was interesting.

Doug
Feb 27, 2006

This station is
non-operational.

fyallm posted:

Wish I would have known about this thread before heading to DerbyCon. Oh well.

I am finally getting around to getting my CISSP (going to a bootcamp next week) and I was curious what the best prep book out right now is. There was a guy at DerbyCon who was the author of supposedly one of the best but I can't remember his name.

Also, What is the best way to get into pen testing just for my own fun, not trying to go that way in my career route it is just something that I have always thought was interesting.

Like you want stuff to hack or want to learn how? If the former, try vulnhub. If the latter, check out Hacker's Playbook 2 or Georgia Weidman's Penetration Testing book.

How'd you like Derby? Are you local to the area?

Also, skip CISSP unless your management is going to pay for it and give you a raise for getting it.

fyallm
Feb 27, 2007



College Slice

Doug posted:

Like you want stuff to hack or want to learn how? If the former, try vulnhub. If the latter, check out Hacker's Playbook 2 or Georgia Weidman's Penetration Testing book.

How'd you like Derby? Are you local to the area?

Also, skip CISSP unless your management is going to pay for it and give you a raise for getting it.

I want to learn how.

And I love Derby, I go every year, been to the past 4 I believe? I am about 2+ hours away, but I have a client that I usually try and go visit every few months there.

And management is paying for the bootcamp, exam and going to give me a raise.. I have put it off for as long as I possibly could :/

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Doug posted:

Also, skip CISSP unless your management is going to pay for it and give you a raise for getting it.

This. I have zero certifications and have gotten this far.

Proteus Jones
Feb 28, 2013



Agreed. The only certs I have are ones that the company paid for. GIAC certs are nice, because it typically means a week off work and occasionally learning stuff at a SANS course (learning may vary depending on which course).

Droo
Jun 25, 2003

Can anyone recommend a company to do an external security analysis of a very small financial firm that runs Linux?

There isn't really much to do - literally the only services visible to the internet are http and https on a single computer (Apache for a very basic website). My colleagues are insisting on it though, and they managed to get a quote for $5,000 from a place that seems to only do Windows stuff.

I've never had security testing done before, so I don't really know what pricing is reasonable, but I would think that somewhere in the $2500 range is more than reasonable considering how simple our setup is.

Thanks Ants
May 21, 2004

#essereFerrari


Is that little Apache server on the network with the rest of your stuff?

Droo
Jun 25, 2003

Thanks Ants posted:

Is that little Apache server on the network with the rest of your stuff?

No, it's separate and outside the firewall, and not connected to the internal network.

Droo fucked around with this message at 20:27 on Oct 27, 2016

CLAM DOWN
Feb 13, 2007




Droo posted:

No, it's separate and outside the firewall, and not connected to the internal network (even physically).

Do you patch it regularly?

Droo
Jun 25, 2003

CLAM DOWN posted:

Do you patch it regularly?

I would answer that, but I don't want to inadvertently end up with a $2500 bill for a completed security analysis.

CLAM DOWN
Feb 13, 2007




Droo posted:

I would answer that, but I don't want to inadvertently end up with a $2500 bill for a completed security analysis.

:D

jre
Sep 2, 2011

To the cloud ?



Droo posted:

Can anyone recommend a company to do an external security analysis of a very small financial firm that runs Linux?

There isn't really much to do - literally the only services visible to the internet are http and https on a single computer (Apache for a very basic website). My colleagues are insisting on it though, and they managed to get a quote for $5,000 from a place that seems to only do Windows stuff.

I've never had security testing done before, so I don't really know what pricing is reasonable, but I would think that somewhere in the $2500 range is more than reasonable considering how simple our setup is.

In many cases getting an audit is to cover your arse in case of a breach, because you can show you took all reasonable steps to prevent it. The figure you pay is about how nice you want the watermark on the piece of paper to be

EssOEss
Oct 23, 2006
128-bit approved
We did some PCI relevant stuff with USD. They were not retards, though I cannot vouch for them any deeper than that as I was not too closely involved.

EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!
:vapes:
Switchblade Switcharoo

fyallm posted:

I want to learn how.

And I love Derby, I go every year, been to the past 4 I believe? I am about 2+ hours away, but I have a client that I usually try and go visit every few months there.

And management is paying for the bootcamp, exam and going to give me a raise.. I have put it off for as long as I possibly could :/

Since you are taking a bootcamp, they should be drilling most of the stuff and give you material to research later (since all the students in there are in the same situation as you)

I used Eleventh Hour CISSP for refreshing my head.

https://www.amazon.com/Eleventh-Hour-CISSP%C2%AE-Third-Study/dp/0128112484/ref=sr_1_4?ie=UTF8&qid=1477844800&sr=8-4&keywords=cissp

There is also the Pocket Prep smartphone guides, which really worked for me because it lets you focus on domains instead of doing the whole test repeatedly. In my case, I worked a good while on a contracted project where the product was chip cards. I picked up lots, and I mean LOTS, of crypto during that time. There is one domain for that kind of stuff, so I could build a test WITHOUT that crypto domain.

I also liked the fact you can configure the tests to show you the correct answer along with a reason why it was correct and why the other answers were incorrect (though they can be bullshit, like "Answer A is wrong because it's not Answer B").

edit: Oh, forgot to remind you. The CISSP will have questions with some of the answers NOT from the domain that look good enough to trick people who did not really study.

EVIL Gibson fucked around with this message at 17:44 on Oct 30, 2016

ming-the-mazdaless
Nov 30, 2005

Whore funded horsepower
:yotj:
Senior Research Analyst

Mustache Ride
Sep 11, 2001



ming-the-mazdaless posted:

:yotj:
Senior Research Analyst

Yay me too! Senior Security Engineer. gently caress you oil and gas market.

:yotj:

fyallm
Feb 27, 2007



College Slice

EVIL Gibson posted:

Since you are taking a bootcamp, they should be drilling most of the stuff and give you material to research later (since all the students in there are in the same situation as you)

I used Eleventh Hour CISSP for refreshing my head.

https://www.amazon.com/Eleventh-Hour-CISSP%C2%AE-Third-Study/dp/0128112484/ref=sr_1_4?ie=UTF8&qid=1477844800&sr=8-4&keywords=cissp

There is also the Pocket Prep smartphone guides, which really worked for me because it lets you focus on domains instead of doing the whole test repeatedly. In my case, I worked a good while on a contracted project where the product was chip cards. I picked up lots, and I mean LOTS, of crypto during that time. There is one domain for that kind of stuff, so I could build a test WITHOUT that crypto domain.

I also liked the fact you can configure the tests to show you the correct answer along with a reason why it was correct and why the other answers were incorrect (though they can be bullshit, like "Answer A is wrong because it's not Answer B").

edit: Oh, forgot to remind you. The CISSP will have questions with some of the answers NOT from the domain that look good enough to trick people who did not really study.

Thanks for all of that. Just finished the bootcamp and still not sure how I feel about it. Grabbed the Pocket Prep app, taking the test on December 2nd, so time to stuff my brain with time multiplexing and time domain reflectometry.

apseudonym
Feb 25, 2011

ming-the-mazdaless posted:

:yotj:
Senior Research Analyst

I get quoted in articles as a senior engineer that's kinda :yotj:

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

apseudonym posted:

I get quoted in articles as a senior engineer that's kinda :yotj:

They just mean that you're old.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Subjunctive posted:

They just mean that you're old.

"Senior" is in my title and I am only in my early 30s.


apseudonym
Feb 25, 2011

Subjunctive posted:

They just mean that you're old.

I'm 26 and look 16 if I shave :smith:
