|
infernal machines posted: well the other option is gateway filtering through an appliance or dedicated server, whether that's better or worse depends on your budget and key-management policies.

oh, what, I thought that's what we were talking about the whole time. The only acceptable scenario I'm aware of (outside of just air-gapping) is a well managed chain of trust with company certs pushed down to all end points so that your appliances can seamlessly decrypt all traffic. I was referring to that scenario as being inevitable and necessary. what the gently caress kind of whack rear end a/v bonkers poo poo product were you guys talking about?
|
# ? Feb 8, 2017 18:36 |
|
unmanaged endpoints that roll their own certs and do mitm in whatever half-assed way the vendor designed. it's more common than you'd expect in smaller environments, because it's dirt cheap and low effort. it's also how every consumer oriented "internet security" suite does things.
|
# ? Feb 8, 2017 18:40 |
|
so if anything can hook into the endpoint, or hijack the cert authority, you're hosed and you'd probably never notice

which would also probably not be a huge deal except for how cavalier some vendors are with their cert authorities that your machine now trusts by virtue of having their product installed
|
# ? Feb 8, 2017 18:43 |
|
can you give some examples? our research team had fun with some endpoints protection stuff recently and I'd love to throw them some suggestions of things to look at next
|
# ? Feb 8, 2017 18:45 |
|
nothing i can show being exploited, although i'll see if i can find something.
|
# ? Feb 8, 2017 18:49 |
|
Winkle-Daddy posted: can you give some examples? our research team had fun with some endpoints protection stuff recently and I'd love to throw them some suggestions of things to look at next

The security appliances are in an even worse state than endpoint security, I've never gotten my hands on one that wasn't laughably bad.
|
# ? Feb 8, 2017 18:52 |
|
infernal machines posted: nothing i can show being exploited, although i'll see if i can find something.

just one that looks lovely, we have a research team that's traditionally been auditing IoT devices, but some of the members have had an increased interest in endpoint security. So I'm always looking for something to name drop for them to look at.
|
# ? Feb 8, 2017 18:54 |
|
there was an issue with avast not verifying the intercepted certs to begin with before injecting their own, i assume that was fixed because it happened back in 2015. basically going to a site with an invalid cert wouldn't trigger a warning because the browser always received a valid avast cert no matter what

more recently there's a kaspersky fuckup where their internal ca used keys that were trivial to compute

https://bugs.chromium.org/p/project-zero/issues/detail?id=978
|
# ? Feb 8, 2017 19:01 |
|
Winkle-Daddy posted:can you give some examples? our research team had fun with some endpoints protection stuff recently and I'd love to throw them some suggestions of things to look at next
|
# ? Feb 8, 2017 19:13 |
|
oh my god. how are there still that many that don't do any kind of cert validation?
|
# ? Feb 8, 2017 19:21 |
|
gotta make the errors go away, man
|
# ? Feb 8, 2017 19:36 |
|
there was another one that didn't know how to validate SAN fields and failed in such a way that it allowed the cert to validate on practically any domain you threw at it
|
# ? Feb 8, 2017 19:38 |
|
Is there any good reading on managing your own CA for personal devices? I run a couple services on my home network that require certs. So far I've got a root CA I keep locked away, and intermediate CA I install on my personal devices, and I issue individual certs from the intermediate CA. Looking for anything that will help me avoid a sec fuckup
|
# ? Feb 9, 2017 04:51 |
|
Winkle-Daddy posted:I think F5 is one of the companies to stay away from. We reported some tls issues to them and they were huge cocks about how they know what they're doing (despite providing a poc exploit)
|
# ? Feb 9, 2017 10:01 |
|
Winkle-Daddy posted: my post was more directed at trying to find out what alternative to mitm'ing ssl that poster might be suggesting, obviously there are poo poo vendors (F5 *cough*) and better ones. There are poo poo deployments and good deployments. but your packets are getting inspected in corporate america.

we use f5 for ssl offloading, load balancing, and as a waf and we didn't face any issues yet. what's so bad about it?
|
# ? Feb 9, 2017 10:04 |
http://www.guru3d.com/news-story/anti-virus-vendors-are-intercepting-and-analyzing-your-https-traffic.html
|
|
# ? Feb 9, 2017 11:36 |
|
I'm not familiar with a bunch of the names on that list but it seems to be classifying parental control software as anti virus vendors for some reason
|
# ? Feb 9, 2017 12:06 |
|
https://arstechnica.com/security/2017/02/a-rash-of-invisible-fileless-malware-is-infecting-banks-around-the-globe/

owns

quote: Now, fileless malware is going mainstream, as financially motivated criminal hackers mimic their nation-sponsored counterparts. According to research Kaspersky Lab plans to publish Wednesday, networks belonging to at least 140 banks and other enterprises have been infected by malware that relies on the same in-memory design to remain nearly invisible. Because infections are so hard to spot, the actual number is likely much higher.
|
# ? Feb 9, 2017 12:07 |
|
cinci zoo sniper posted:
im the ones that simultaneously validate and don't validate certificates
|
# ? Feb 9, 2017 14:00 |
|
Truga posted: https://arstechnica.com/security/2017/02/a-rash-of-invisible-fileless-malware-is-infecting-banks-around-the-globe/

oh great now we're gonna have to do mandatory reboots every 1 hour to 'fix' the problem

Edit: also

Powerful Two-Hander fucked around with this message at 14:06 on Feb 9, 2017 |
# ? Feb 9, 2017 14:03 |
|
Powerful Two-Hander posted: oh great now we're gonna have to do mandatory reboots every 1 hour to 'fix' the problem

given they explicitly call out banks and such, i'm going to guess that these things rely pretty heavily on the infrastructure being outdated and they wouldn't work as well on modern hardware that has all the fun virtual memory protection that modern operating systems offer.
|
# ? Feb 9, 2017 15:36 |
|
Wiggly Wayne DDS posted: speaking of: https://isc.sans.edu/diary/Ticketbleed+vulnerability+affects+some+f5+appliances/22051

lmao what timing
|
# ? Feb 9, 2017 17:25 |
|
polytopolis (eripsa's new thing) is going to roll its own crypto.
|
# ? Feb 9, 2017 17:29 |
|
WrenP-Complete posted: polytopolis (eripsa's new thing) is going to roll its own crypto.

out of poo, like a scarab
|
# ? Feb 9, 2017 18:24 |
|
Powaqoatse posted: out of poo, like a scarab

Scarabaeus polytopolis
|
# ? Feb 9, 2017 18:35 |
|
Powaqoatse posted: out of poo, like a scarab

mlyp
|
# ? Feb 9, 2017 18:45 |
|
supposedly an updated version of the upcoming wizardsecurity executive order: https://www.lawfareblog.com/revised-draft-trump-eo-cybersecurity

didn't see anything unusual from a skim, mostly expanding on the previous one with more detail
|
# ? Feb 9, 2017 18:53 |
|
Powerful Two-Hander posted: oh great now we're gonna have to do mandatory reboots every 1 hour to 'fix' the problem

power companies should start making inroads in infosec by triggering random power outages and charging customers for it
|
# ? Feb 9, 2017 19:41 |
|
LeftistMuslimObama posted: given they explicitly call out banks and such, i'm going to guess that these things rely pretty heavily on the infrastructure being outdated and they wouldn't work as well on modern hardware that has all the fun virtual memory protection that modern operating systems offer.

we only moved off xp and server 2003 last year so basically

Deep Dish Fuckfest posted: power companies should start making inroads in infosec by triggering random power outages and charging customers for it

the only safe computer is a dead computer
|
# ? Feb 9, 2017 20:05 |
|
WrenP-Complete posted: polytopolis (eripsa's new thing) is going to roll its own crypto.

link to details please
|
# ? Feb 9, 2017 20:08 |
|
Deep Dish Fuckfest posted: power companies should start making inroads in infosec by triggering random power outages and charging customers for it

brownsomeware
|
# ? Feb 9, 2017 20:20 |
|
OSI bean dip posted: link to details please

If you start a few pages back you'll get the gist: https://forums.somethingawful.com/showthread.php?threadid=3804685&userid=0&perpage=40&pagenumber=88
|
# ? Feb 9, 2017 20:20 |
|
flakeloaf posted: brownsomeware

AC/DC-256 encryption
|
# ? Feb 9, 2017 20:25 |
|
WrenP-Complete posted: If you start a few pages back you'll get the gist: https://forums.somethingawful.com/showthread.php?threadid=3804685&userid=0&perpage=40&pagenumber=88

Eripsa posted: Two factor means two distinct and independent pieces of information. I have my password, and I have my phone to receive texts. To get past two factor authentication, I need access to both, which is harder than just compromising one.

Eripsa posted: So an ID card or passport is something you have, and not something you know?

Eripsa posted: Verification, identification, and authentication are all different problems from encryption. They are related, but theoretically you can solve each independently. jre was right to scold us on this, and I've found the resulting discussion very constructive.
|
# ? Feb 9, 2017 20:26 |
|
What did I just read?
|
# ? Feb 9, 2017 20:29 |
|
im the self-identifying cat person that is very important to me
|
# ? Feb 9, 2017 20:29 |
|
apseudonym posted: What did I just read?

a seemingly ill person who thinks that they can remake the world with bitcoin and poo poo crypto

he should come here to explain why his crypto will work and give us a real technical explanation of things
|
# ? Feb 9, 2017 20:31 |
|
apseudonym posted:What did I just read?
|
# ? Feb 9, 2017 20:32 |
|
OSI bean dip posted:a seemingly ill person who thinks that they can remake the world with bitcoin and poo poo crypto
|
# ? Feb 9, 2017 20:32 |
|
anthonypants posted: you will never get this because it does not exist

it involves bitcoin so that is a given
|
# ? Feb 9, 2017 20:34 |