|
flosofl posted:Well, no. But I'm concerned with stopping them from being self-destructive idiots, not factoring them in as a layer of security. So you can't have any process elements in the defense model, it all has to be physics and (bug-free) software?
|
# ? Dec 14, 2016 01:58 |
|
flosofl posted:Sure, but if I'm doing an internal audit or a risk analysis I can only include systems and solutions that are predictable in nature. People exercising common sense or following process would not be one of them. Isn't this what security training, and all the audits of training courses I see happening, is about?
|
# ? Dec 14, 2016 02:01 |
|
apseudonym posted:I don't think you can remove them completely as a layer, they're still a (failable) part of any reasonable model. I'm not entirely sure I agree with this. Enforceable policy statements and processes sure, but not necessarily relying on people using "common sense". which was the original argument. Users are always going to be the weakest link and introduce the highest amount of risk in general. Even the best of them will be lazy through efficiency, bypassing policy or procedure where they can. And I can't pin my hopes on that they won't. I have to introduce controls in order to keep them from burning the place down.
|
# ? Dec 14, 2016 02:05 |
|
Subjunctive posted:So you can't have any process elements in the defense model, it all has to be physics and (bug-free) software? I didn't say that, but I'm not relying on "common sense" anymore, am I? I'm constraining behavior through enforceable policy and processes. The people are still an identifiable risk who are kept in check by threat of discipline up to and including termination.
|
# ? Dec 14, 2016 02:06 |
|
flosofl posted:I didn't say that, but I'm not relying on "common sense" anymore, am I? I'm constraining behavior through enforceable policy and processes. The people are still an identifiable risk. But you said you couldn't include anything unpredictable in your analysis, which as you say very much includes people and IME often includes software. So what is predictable enough to include?
|
# ? Dec 14, 2016 02:10 |
|
Subjunctive posted:But you said you couldn't include anything unpredictable in your analysis, which as you say very much includes people and IME often includes software. You're right. You win. I'm done with this stupid argument. Rely on "common sense" if you want.
|
# ? Dec 14, 2016 02:13 |
|
flosofl posted:You're right. You win. I'm done with this stupid argument. Rely on "common sense" if you want. I'm not suggesting anyone rely on users practicing common sense. My advice was to IT staff, not users at all. I'm just trying to understand what the components of your analysis are, because I'd always understood such analyses to be about identifying and bounding unpredictability.
|
# ? Dec 14, 2016 02:17 |
|
Subjunctive posted:I'm not suggesting anyone rely on users practicing common sense. My advice was to IT staff, not users at all. It is. I think I'm having trouble communicating what I'm trying to say. I'm never going to get a 100% predictable and mechanistic system. What I can have is measures put in place to reduce the chaos. As a simple example, let's say I want to eliminate or reduce the risk of someone snagging information from network communications. I then apply a system policy statement requiring ssh and scp/ftps and eliminating telnet and vanilla ftp as my security measure. Mechanistically that means the end system doesn't even have those ports open, eliminating the possibility of using those methods. That has a predictable result of "no plaintext comms with network devices". But I have an additional risk element being the users themselves. So, the mitigation is another predictable element of "you violate or bypass policy, you are disciplined in some manner". The users themselves never come into play as a mitigation strategy for risk. I can't predict any systems with perfect reliability. But I can get as close as I can with the budget I have. Now, yes. There are people (hopefully a dedicated SOC) responsible for making sure policy is enacted and enforced. But that's an Operations problem (not really, but there's other mitigation specifically for those kinds of positions, which are again policy and process related).
|
# ? Dec 14, 2016 02:32 |
|
apseudonym posted:I don't think you can remove them completely as a layer, they're still a (failable) part of any reasonable model. Training users is a matter of last resort and will often have the worst return on investment. You're better off finding ways to protect them from themselves.
|
# ? Dec 14, 2016 02:36 |
|
RFC2324 posted:Isn't this what security training, and all teh audits of training courses I see happening, is about? Yeah, because the same auditors also conveniently have training programs that they can sell you. That doesn't mean it's terribly effective and you should seriously consider if that money is really going to prevent anything. I'm sure we've spent hundreds of thousands on awareness training over the last ten years but the hits keep coming and the same people keep doing the same poo poo. Maybe if you have a discipline model lined up to back the program for people who violate it, but if you aren't going to do that then I have a stone that deters malware to sell you.
|
# ? Dec 14, 2016 02:39 |
|
flosofl posted:You're right. You win. I'm done with this stupid argument. Rely on "common sense" if you want. I was explicitly pointing out that common sense is better than AV, but people don't actually have it.
|
# ? Dec 14, 2016 02:46 |
|
RFC2324 posted:I was explicitly point out that common sense is better than AV, but people don't actually have it. Yeah, I'll fully admit I took the conversation in a weird direction. Sorry. Lack of sleep is my only explanation. That, and having to say the same thing over and over again today to upper management types.
|
# ? Dec 14, 2016 02:52 |
|
flosofl posted:Yeah, I'll fully admit I took the conversation in a weird direction. Sorry. Lack of sleep is my only explanation. That and having to say the same thing over and over again today to upper management types. We all misread things sometimes. No worries.
|
# ? Dec 14, 2016 04:31 |
|
I hate to be that guy who starts posting in a thread asking for something. Buuut, does anyone here work for DigitalOcean, or know somebody who does? I'm trying to figure out some information on a box that keeps hitting my company. According to ARIN this mystery box is registered to them. I shot an email to the abuse address listed on ARIN but haven't heard anything back. I'm pretty new to InfoSec so my ability to enumerate a mystery attacker is still pretty poor in my opinion, so I'm looking for some help. I've suggested blocking this address until we understand exactly what's going on. Some of my coworkers have voiced concerns about the traffic coming from a possible partner.
|
# ? Dec 15, 2016 05:51 |
|
Diametunim posted:I hate to be that guy who starts posting in a thread asking for something. Buuut, does anyone here work for DigitalOcean, or know somebody who does? I'm trying to figure out some information on a box that keeps hitting my company. According to ARIN this mystery box is registered to them. I shot an email to the abuse address listed on ARIN but haven't heard anything back. I'm pretty new to InfoSec so my ability to enumerate a mystery attacker is still pretty poor in my opinion, so I'm looking for some help. I've suggested blocking this address until we understand exactly what's going on. Some of my coworkers have voiced concerns about the traffic coming from a possible partner. By "hitting" what do you see the attacking computer doing?
|
# ? Dec 15, 2016 06:34 |
|
OSI bean dip posted:By "hitting" what do you see the attacking computer doing? The box is accessing various customer accounts. I originally thought the box may belong to a third party financial aggregator (i.e. Intuit's Mint). However, when I cross referenced traffic generated by an app like Mint the two didn't show any relation. It seems this address is simply logging into an account, loading the website landing page, then logging out. The accounts being accessed have all been accessed by Mint previously though.
|
# ? Dec 15, 2016 07:05 |
|
Diametunim posted:The box is accessing various customer accounts. I originally thought the box may belong to a third party financial aggregator (I.e-Intuit's Mint). However, when I cross referenced traffic generated by an app like Mint the two didn't show any relation. It seems this address is simply logging into an account, loads the landing website landing page, then logging out. The accounts being accessed have all been accessed by Mint previously though. What is concerning here is that you're telling me you have multiple customers being accessed--how many customers are we talking about? Are we talking a handful? Dozens? Hundreds? What is your relation to Mint here? Have you done any research on this IP address? I don't think it actually matters if it is coming from a DO server or elsewhere but save your logs.
|
# ? Dec 15, 2016 07:11 |
|
Yahoo reporting that a billion users had account information compromised in 2013, including phone numbers, birthdays, and hashed passwords. But the passwords were hashed with MD5 so it's all good.
|
# ? Dec 15, 2016 13:33 |
|
Encrypt passwords with ROT-13 twice just to be extra secure.
|
# ? Dec 15, 2016 13:44 |
|
Diametunim posted:I hate to be that guy who starts posting in a thread asking for something. Buuut, does anyone here work for DigitalOcean, or know somebody who does? I'm trying to figure out some information on a box that keeps hitting my company. According to ARIN this mystery box is registered to them. I shot an email to the abuse address listed on ARIN but haven't heard anything back. I'm pretty new to InfoSec so my ability to enumerate a mystery attacker is still pretty poor in my opinion, so I'm looking for some help. I've suggested blocking this address until we understand exactly what's going on. Some of my coworkers have voiced concerns about the traffic coming from a possible partner. I do (and in T&S, no less); if you emailed abuse@ and didn't get a response I'll take a look. If you could provide the IP/domains of the sites you're seeing the traffic to, logs showing it (with timestamps) and what, exactly they were trying to do that'd help tremendously. You can contact me directly with my username @digitalocean.com
|
# ? Dec 16, 2016 00:20 |
|
cstine posted:I do (and in T&S, no less); if you emailed abuse@ and didn't get a response I'll take a look. If this were a movie, I'd call this coincidence a plot contrivance.
|
# ? Dec 16, 2016 00:24 |
|
Goons really do have their sticky little fingers in everything.
|
# ? Dec 16, 2016 00:30 |
|
CLAM DOWN posted:Goons really do have their sticky little fingers in everything. quote:Thank you for writing.
|
# ? Dec 16, 2016 00:55 |
|
Context, please.
|
# ? Dec 16, 2016 10:20 |
|
Guess it's from 2007 https://encyclopediadramatica.se/Something_Awful_Sycophant_Squad
|
# ? Dec 16, 2016 17:02 |
|
New Zealand can eat me posted:Guess its from 2007 https://encyclopediadramatica.se/Something_Awful_Sycophant_Squad Yeah. That is what I am referring to. I don't know who the user was but this did happen.
|
# ? Dec 16, 2016 18:23 |
|
OSI bean dip posted:What is concerning here is that you're telling me you have multiple customers being accessed--how many customers are we talking about? Are we talking a handful? Dozens? Hundreds? What is your relation to Mint here? Have you done any research on this IP address? Last I checked it was roughly 60 accounts or so, none of which have had any suspicious activity on them. I don't have the IP off the top of my head at the moment, but when I was initially researching the mystery box I didn't find it on any of the blacklist sites I use (Cymon, threatcrowd, MDL, etc.). I also couldn't find any other information besides a basic whois page on the address. The pattern of traffic from this address has them logging into a new account roughly every two hours; some GET requests for various elements on our landing page, then the traffic stops. Intuit is a partner of ours, so I was looking at the traffic generated when a user logs in via Mint vs. the traffic that's being generated when someone logs in from this unknown address. The two don't share any relation, which leads me to believe this unknown address that is accessing accounts isn't any kind of financial aggregator, like Mint. Hopefully that makes sense. cstine posted:I do (and in T&S, no less); if you emailed abuse@ and didn't get a response I'll take a look. e: email sent
# ? Dec 20, 2016 05:23 |
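The pattern Diametunim describes (one source IP, a new account roughly every two hours, only landing-page GETs, then silence, unlike an aggregator that pulls account data) can be pulled out of web logs mechanically. This is an added example, not code from anyone in the thread: the log format, the documentation-range IPs, the path names and the thresholds are all constructed assumptions.

```python
# Added example: flag source IPs that log into many distinct accounts on a steady
# cadence and only ever load the landing page. Constructed sample data, not real logs.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log format: "<iso-time> <src-ip> <account> <method> <path>".
# 198.51.100.7 mimics the mystery box; 203.0.113.9 mimics an aggregator like Mint.
SAMPLE_LOG = """\
2016-12-19T00:02:10 198.51.100.7 acct1001 POST /login
2016-12-19T00:02:11 198.51.100.7 acct1001 GET /
2016-12-19T02:01:44 198.51.100.7 acct1002 POST /login
2016-12-19T02:01:45 198.51.100.7 acct1002 GET /
2016-12-19T04:03:02 198.51.100.7 acct1003 POST /login
2016-12-19T04:03:03 198.51.100.7 acct1003 GET /
2016-12-19T00:30:00 203.0.113.9 acct1001 POST /login
2016-12-19T00:30:01 203.0.113.9 acct1001 GET /accounts/transactions
2016-12-19T00:45:00 203.0.113.9 acct1002 POST /login
2016-12-19T00:45:01 203.0.113.9 acct1002 GET /accounts/transactions
2016-12-19T01:00:00 203.0.113.9 acct1003 POST /login
2016-12-19T01:00:01 203.0.113.9 acct1003 GET /accounts/transactions
"""

def parse(log):
    for line in log.splitlines():
        ts, ip, acct, method, path = line.split()
        yield datetime.fromisoformat(ts), ip, acct, method, path

def profile_sources(log):
    """Per source IP: accounts touched, login times, and whether any GET went
    past the landing page ("/" or "/static/...") into actual account data."""
    prof = defaultdict(lambda: {"accounts": set(), "logins": [], "deep": False})
    for ts, ip, acct, method, path in parse(log):
        p = prof[ip]
        p["accounts"].add(acct)
        if method == "POST" and path == "/login":
            p["logins"].append(ts)
        elif method == "GET" and path != "/" and not path.startswith("/static/"):
            p["deep"] = True
    return prof

def suspicious_sources(log, min_accounts=3, max_jitter=0.2):
    """IPs touching >= min_accounts accounts, never going past the landing page,
    with logins spaced at a steady interval (relative jitter <= max_jitter).
    Thresholds are assumed starting points, to be tuned against real traffic."""
    hits = []
    for ip, p in profile_sources(log).items():
        if len(p["accounts"]) < min_accounts or p["deep"]:
            continue
        times = sorted(p["logins"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= 2 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append((ip, len(p["accounts"]), round(mean(gaps) / 3600, 2)))
    return hits
```

Each hit is (source IP, number of accounts, mean hours between logins); the aggregator look-alike drops out because it fetches account data, which is exactly the behavioural difference the thread is using to rule Mint out.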
|
Heresiarch posted:https://twitter.com/isislovecruft/status/811466577300357121 Here are my favorite parts: https://twitter.com/isislovecruft/status/811503299576950784 https://twitter.com/isislovecruft/status/811507244890226688
|
# ? Dec 21, 2016 16:32 |
|
The Free Software Foundation's developers being anti-women turbospergs who are actually really bad at what they do is entirely unsurprising
|
# ? Dec 21, 2016 17:32 |
|
Kazinsal posted:The Free Software Foundation's developers being anti-women turbospergs who are actually really bad at what they do is entirely unsurprising Pretty much.
|
# ? Dec 21, 2016 17:46 |
|
Lol at that Ingo guy, strong MRA vibes from that one
|
# ? Dec 21, 2016 23:53 |
|
I like how they PGP signed that message, presumably with OpenPGP
|
# ? Dec 22, 2016 00:04 |
|
The FSF is heavily infiltrated by intelligence agencies, who are deliberately sabotaging infosec. Wake up, sheeple.
|
# ? Dec 22, 2016 11:49 |
|
Platystemon posted:The FSF is heavily infiltrated by intelligence agencies, who are deliberately sabotaging infosec.
|
# ? Dec 22, 2016 13:17 |
|
The Infosec Thread: ROLL YOUR OWN PGP
|
# ? Dec 22, 2016 14:54 |
|
I recommend Big Bambu
|
# ? Dec 22, 2016 19:16 |
|
Was there any discussion that the FBI recently (Nov 30th) burned a 0-day to go after someone on TOR again? At the time I thought it was just the usual - Tor Browser Bundle lags behind Firefox, a bug is fixed in Firefox so they throw an exploit out on TOR hidden servers to get tracking data before TBB updates. But digging into it, it was a brand new SVG vulnerability in all versions of Firefox. That's different behavior - specific high-value target in mind, maybe? Another reminder that TOR isn't a panacea and activists under dictators should really consider using VM-enforced separation of browser from the internet. E: I may be remembering one incident as more than one. I'm thinking "TOR-PEDO" and the Silk Road investigation involved separate uses of TBB exploits, but Tor-pedo involved hijacking Freedom Hosting to put an exploit in every page and Silk Road was done differently.
# ? Dec 23, 2016 05:31 |
|
Harik posted:E: I may be remembering one incident as more than one. I'm thinking "TOR-PEDO" and silkroad investigation involved separate uses of TBB exploits but tor-pedo involved hijacking freedom hosting to put an exploit in every page and silkroad was done differently. The Torpedo and Freedom Hosting attacks were separate:
- the attack on Freedom Hosting exploited an already-patched vuln in Firefox 17 ESR
- the Operation Torpedo attack used the old Metasploit decloaker swf. iirc the TBB at the time didn't actually run Flash by default
iirc the Silk Road court docs didn't claim to have caught individuals by pwning them, but it did sound like they hacked into SR itself and then identified the hidden service's actual location (or it was all parallel construction)
|
# ? Dec 24, 2016 02:38 |
|
I'm about to start trying out CryFS with a Dropbox account for keeping a backup of ID scans, banking PDFs, payslips etc. https://www.cryfs.org/ It's a fork of EncFS which is more suited to cloud storage. Does anyone find anything that looks bad about it? Seems pretty nifty IMHO.
|
# ? Dec 25, 2016 21:54 |
|
|
apropos man posted:I'm about to start trying out CryFS with a Dropbox account for keeping a backup of ID scans, banking pdf's, payslips etc. That does sound neat, thanks for the link. But unfortunately it doesn't appear to have my favorite feature of EncFS: reverse mode. That allows you to mount an encrypted view of unencrypted files, on the fly and with no extra disk space used up. I've been using it for years for my own backups. I'm not quite paranoid enough (yet) to keep my stuff encrypted on my local machine, but I want it scrambled before it goes off to the cloud. So my backup script just mounts the encrypted view and then rsyncs that. Works great.
|
# ? Dec 25, 2016 22:21 |