Potato Salad
Oct 23, 2014

nobody cares



Burning a dumpster full of passwords would be waaaaaay better than volunteering passwords.

Like, take a moment to appreciate that this metaphor is better than reality.


Harik
Sep 9, 2001

From the hard streets of Moscow
First dog to touch the stars


Plaster Town Cop

Jabor posted:

The general motivation is that the database needs to be continuously synced with other machines, while sharing the keyfile is a one-time thing. So there is a meaningful difference if you're concerned about, say, your password database being leaked by your cloud storage provider.

I thought the keyfile was a poor-man's "thing you have" - keep a 256 byte dump of random bits on a USB stick? Plug it in to unlock, pull it as soon as you're unlocked, etc etc. (I've never used one that way, but that's what I thought of when I saw the option.)

I can see how keeping it away from your butt storage makes some sense as well.

B-Nasty posted:

KeePass for Windows supports the YubiKey in, I think, HOTP mode. It reencrypts the DB using the next code that you then enter the next time you open it.

edit: http://keepass.info/plugins.html#otpkeyprov

Doesn't this require fairy dust to make older copies of your database disappear? one-time-crypto just isn't something supported by the laws of physics as we know them.
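An added example to go with the keyfile and OTP-rekeying discussion above. It is not code from the thread, from KeePass or from the OtpKeyProv plugin. Part 1 follows the KeePass composite-key rule as documented for KDBX: SHA-256 over SHA-256(password) concatenated with the key file's key material, where a 32-byte file is used raw, a 64-hex-character file is decoded, and anything else is hashed (the XML key-file format and the slow KDF that follows are left out). Part 2 is RFC 4226 HOTP plus a toy vault that re-encrypts itself under the next code on every open; the XOR "cipher" and the key = SHA-256(code) derivation are assumptions made for the illustration, not the plugin's real scheme. The OTP secret and plaintext are constructed sample values; the secret is the RFC 4226 test secret so the codes match the RFC's table.

```python
"""Added example: KeePass-style composite key, RFC 4226 HOTP, and why rotating
the key on every open does nothing for copies already made. Not KeePass code."""
import hashlib
import hmac
import struct
from typing import Optional


def keyfile_key(data: bytes) -> bytes:
    """Key material contributed by a key file, following KeePass's three cases."""
    if len(data) == 32:                      # raw 256-bit key file
        return data
    if len(data) == 64:                      # 64 hex characters
        try:
            return bytes.fromhex(data.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass
    return hashlib.sha256(data).digest()     # any other file: hash it


def composite_key(password: str, keyfile: Optional[bytes] = None) -> bytes:
    """SHA-256 over the concatenated per-component key material."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += keyfile_key(keyfile)     # 256 bits an attacker must also hold
    return hashlib.sha256(material).digest()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (SHA-256 in counter mode, unauthenticated). Illustration only."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + struct.pack(">I", block)).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


class OtpRekeyingVault:
    """Models 'the DB is re-encrypted with the next code you enter next time'."""

    def __init__(self, otp_secret: bytes, plaintext: bytes) -> None:
        self.otp_secret = otp_secret
        self.counter = 0
        self.blob = _xor_stream(self._key(0), plaintext)

    def _key(self, counter: int) -> bytes:
        # Assumed derivation for the toy: vault key is a hash of the expected code.
        return hashlib.sha256(hotp(self.otp_secret, counter).encode()).digest()

    def snapshot(self) -> tuple:
        """What a backup or cloud-sync copy of the file would contain."""
        return (self.counter, bytes(self.blob))

    def open(self, code: str) -> bytes:
        if not hmac.compare_digest(code, hotp(self.otp_secret, self.counter)):
            raise ValueError("wrong OTP for this counter")
        data = _xor_stream(self._key(self.counter), self.blob)
        self.counter += 1                    # rotate: next open needs the next code
        self.blob = _xor_stream(self._key(self.counter), data)
        return data


def stale_copy_still_opens(secret: bytes = b"12345678901234567890") -> bool:
    """Rotating the live file forward never touches copies made earlier."""
    plaintext = b"hunter2 and friends"       # constructed sample contents
    vault = OtpRekeyingVault(secret, plaintext)
    old_counter, old_blob = vault.snapshot()  # e.g. yesterday's cloud-sync copy
    for _ in range(3):                        # legitimate opens move the live file on
        vault.open(hotp(secret, vault.counter))
    # Whoever holds the snapshot plus the code that was valid for it recovers the
    # plaintext; the three re-encryptions above changed only the live file.
    old_key = hashlib.sha256(hotp(secret, old_counter).encode()).digest()
    return _xor_stream(old_key, old_blob) == plaintext
```

In this toy the vault key comes from a single six-digit code, so a snapshot could also be opened by simply trying all 10^6 codes, without knowing which one was current; any real design has to derive its key from far more entropy than one code, and still cannot retroactively protect a copy that left the machine under an older key.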

Three-Phase
Aug 5, 2006

by zen death robot
So this Turkish group is threatening to wipe a couple hundred million Apple devices unless they get... $75000?

https://forums.macrumors.com/threads/hackers-claim-access-to-300-million-icloud-accounts-say-apple-refused-to-pay-75-000-ransom.2038152/

What's your take on this? Fake or real?

I would be super surprised if Apple's database of credentials was stolen in plaintext or passwords that were hashed without salt. Now I could see data from other breaches like email addresses and passwords being combined. Many of them would work but many (people not reusing passwords) would not.

Three-Phase fucked around with this message at 03:54 on Mar 23, 2017

astral
Apr 26, 2004

Three-Phase posted:

So this Turkish group is threatening to wipe a couple hundred million Apple devices unless they get... $75000?

https://forums.macrumors.com/threads/hackers-claim-access-to-300-million-icloud-accounts-say-apple-refused-to-pay-75-000-ransom.2038152/

What's your take on this? Fake or real?

I would be super surprised if Apple's database of credentials was stolen in plaintext or passwords that were hashed without salt. Now I could see data from other breaches like email addresses and passwords being combined. Many of them would work but many (people not reusing passwords) would not.

Considering the bug bounty would've given up to 50k, that seems like way more of a hassle to try to get not even that much more money (or itunes gcs? really?). Most likely you're right and it's from other breaches.

Three-Phase
Aug 5, 2006

by zen death robot
I think the article said they had a video that demonstrated them breaking into one single account.

There is all kinds of stuff that smells funny about this whole thing.

Wiggly Wayne DDS
Sep 11, 2010



that they've gone to the media to coerce payment and didn't make an example of, say, a thousand random devices being wiped says it all

Three-Phase
Aug 5, 2006

by zen death robot

Wiggly Wayne DDS posted:

that they've gone to the media to coerce payment and didn't make an example of, say, a thousand random devices being wiped says it all

Why alert all the users too so they can secure their accounts?

Also Apple has responded and is calling this BS.

Three-Phase fucked around with this message at 10:15 on Mar 23, 2017

Proteus Jones
Feb 28, 2013



You can also log into your "Apple ID" page and see what devices and systems have access to your account.

ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else

Wiggly Wayne DDS posted:

that they've gone to the media to coerce payment and didn't make an example of, say, a thousand random devices being wiped says it all

Pretty much this.

some kinda jackal
Feb 25, 2003

 
 
Has anyone done CCSP? Is there anything remotely interesting or useful in there? The outline isn't really a good indicator.

My manager wants me to take it along with her later this year so .. hey, free cert and raise .. but I hope it's more applicable than CISSP.

stoopidmunkey
May 21, 2005

yep

Martytoof posted:

Has anyone done CCSP? Is there anything remotely interesting or useful in there? The outline isn't really a good indicator.

My manager wants me to take it along with her later this year so .. hey, free cert and raise .. but I hope it's more applicable than CISSP.

My understanding is the CCSP is essentially the CISSP without the managerial stuff. If you've got access to Lynda.com, they've got some really good training videos for both. I was going to go for the CCSP, but decided to just work towards the CISSP instead since that's what most employers I'm seeing want.

That said, if it's free, do it. Certs never seem to hurt.

some kinda jackal
Feb 25, 2003

 
 
Yeah, I'm going to go for it just because. Didn't realize Lynda had any CCSP material. I'll have to check it out. Kind of want to go back through CISSP CBTs just to see if it matches up with what the test was like.

apropos man
Sep 5, 2016

You get a hundred and forty one thousand years and you're out in eight!
I use this app on my phone to sync my Keepass db:

https://play.google.com/store/apps/details?id=com.bv.wifisync

I have a cron job set on it every two hours to sync from my home server's samba share and force overwrite the latest version of my kdbx file on to the phone. It takes less than a second to sync. It will only try to sync if it's connected to a specific ssid.

The main drawback is that if I'm out of the house and I want to sign up for something I just make a note of the password and enter it into my keepass db manually on my laptop. I have a cron job on my laptop to rsync the latest copy of my kdbx to the server every hour.

Secondary drawback is that if I join a site on my laptop and save the new creds then it can take a couple of hours before the latest kdbx is on my phone, but I rarely join something so critical that I need portable access immediately.

Main positive from this set up is not relying on a third party to handle my db.
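An added example, not apropos man's actual cron scripts: a small POSIX sh function that the hourly laptop-to-server job (or the phone-side pull) could call instead of a blind force-overwrite. It copies only when the source is newer, refuses to overwrite a destination that was modified after the source so an edit made on the other side is not silently clobbered, checks the copy's digest, installs it with an atomic rename, and keeps the previous version as a .bak. Paths, file names and the hypothetical cron line are made up; it assumes the share is reachable as plain files (a mounted samba share), so rsync itself is not needed for the demo.

```sh
#!/bin/sh
# Added example (not from the thread): conflict-aware, verified, atomic copy of a
# KeePass .kdbx between a laptop and a mounted share. Assumed paths throughout.
set -eu

file_digest() {
    # Prefer SHA-256; fall back to POSIX cksum so the script still runs anywhere.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# sync_kdbx SRC DST
# Prints one of: copied | skipped | conflict. Returns non-zero only on I/O error.
sync_kdbx() {
    src=$1
    dst=$2

    if [ -e "$dst" ] && [ "$dst" -nt "$src" ]; then
        # Destination was modified after the source: a force-overwrite would
        # lose whatever was saved on the other machine. Leave it for a human.
        echo conflict
        return 0
    fi

    if [ -e "$dst" ] && [ "$(file_digest "$src")" = "$(file_digest "$dst")" ]; then
        echo skipped
        return 0
    fi

    tmp="$dst.tmp.$$"
    cp -p "$src" "$tmp"                      # -p keeps the mtime, so equal files never look "newer"
    if [ "$(file_digest "$src")" != "$(file_digest "$tmp")" ]; then
        rm -f "$tmp"
        echo "copy verification failed for $src" >&2
        return 1
    fi
    if [ -e "$dst" ]; then
        cp -p "$dst" "$dst.bak"              # one generation of rollback
    fi
    chmod 600 "$tmp"                         # the database is only as private as the share
    mv "$tmp" "$dst"                         # same directory, so the rename is atomic
    echo copied
}

# Hypothetical hourly cron entry, assuming the share is mounted at /mnt/nas:
#   0 * * * * /usr/local/bin/sync_kdbx.sh ~/Passwords.kdbx /mnt/nas/keepass/Passwords.kdbx
if [ "${1:-}" ] && [ "${2:-}" ]; then
    sync_kdbx "$1" "$2"
fi
```

A "conflict" result is the interesting one: with two writers and no merge step, the only safe automatic behaviour is to stop and say so, which is also the case the KeePass built-in synchronize command exists to handle.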

CLAM DOWN
Feb 13, 2007

nesaM killed Masen

apropos man posted:

I use this app on my phone to sync my Keepass db:

https://play.google.com/store/apps/details?id=com.bv.wifisync

I have a cron job set on it every two hours to sync from my home server's samba share and force overwrite the latest version of my kdbx file on to the phone. It takes less than a second to sync. It will only try to sync if it's connected to a specific ssid.

The main drawback is that if I'm out of the house and I want to sign up for something I just make a note of the password and enter it into my keepass db manually on my laptop. I have a cron job on my laptop to rsync the latest copy of my kdbx to the server every hour.

Secondary drawback is that if I join a site on my laptop and save the new creds then it can take a couple of hours before the latest kdbx is on my phone, but I rarely join something so critical that I need portable access immediately.

Main positive from this set up is not relying on a third party to handle my db.

That seems pretty unnecessary and a lot of annoyance/effort. Just use Dropbox/Google Drive? Your kdbx database is encrypted out of the gate and you can use a key file, etc to take it even further.

apropos man
Sep 5, 2016

You get a hundred and forty one thousand years and you're out in eight!
Yeah, I know it's convoluted. I quite like it, though.

Last Chance
Dec 31, 2004

apropos man posted:

Main positive from this set up is not relying on a third party to handle my db.

Except for the Android app that hasn't been updated in almost two years?

CLAM DOWN
Feb 13, 2007

nesaM killed Masen

apropos man posted:

Yeah, I know it's convoluted. I quite like it, though.

Yes, but why? As said, that app hasn't been updated in years, and you would have a FAR easier and better and faster and smoother experience by just using Dropbox or Drive.

some kinda jackal
Feb 25, 2003

 
 
Anyone using Tenable's products to run CIS benchmarks against assets? Just wondering how well that works vs running CIS's own benchmarking tool. I'm trying to revamp our CVA processes and I'd love to just kill two birds with one.. software.. Strip out my custom cis-cat cronjob on every server, etc.

some kinda jackal fucked around with this message at 22:37 on Mar 27, 2017

CLAM DOWN
Feb 13, 2007

nesaM killed Masen

Martytoof posted:

Anyone using Tenable's products to run CIS benchmarks against assets? Just wondering how well that works vs running CIS's own benchmarking tool. I'm trying to revamp our CVA processes and I'd love to just kill two birds with one.. software.

Yes, Tenable's is a lot better imo. We did have to craft our own scan templates though.

some kinda jackal
Feb 25, 2003

 
 
Swank. I'm setting up a tenable.io trial right now. I like the idea of controlling everything from the cloud but I'm going to have to do a lot of due diligence to sell keeping a list of vulnerabilities and IPs in the cloud to my C-levels.

Sickening
Jul 16, 2007

Black summer was the best summer.
Phone posting!!!! N/m

Sickening fucked around with this message at 00:43 on Mar 28, 2017

some kinda jackal
Feb 25, 2003

 
 

I... don't get it.

some kinda jackal fucked around with this message at 00:54 on Mar 28, 2017

Sickening
Jul 16, 2007

Black summer was the best summer.

Martytoof posted:

I... don't get it.

Phone posting mishap.

some kinda jackal
Feb 25, 2003

 
 
Phew, I thought I was just missing something obvious by not making a connection.

apropos man
Sep 5, 2016

You get a hundred and forty one thousand years and you're out in eight!

Last Chance posted:

Except for the Android app that hasn't been updated in almost two years?

Maybe it's perfect.

Proteus Jones
Feb 28, 2013



apropos man posted:

Maybe it's perfect.

Yes, I'm sure it is. People here in The Infosec Thread must be crazy to raise concerns about a convoluted method using a product that appears abandoned.

Don't listen to them. You be you.

Thanks Ants
May 21, 2004

#essereFerrari


Oh, it wasn't sarcasm

Proteus Jones
Feb 28, 2013



Thanks Ants posted:

Oh, it wasn't sarcasm

How could it be? I've never met a sarcastic goon in my life.

psydude
Apr 1, 2008

My girlfriend's roommate asked for suggestions on a VPN solution to their house, so I recommended OpenVPN because it's free and easy to configure. He replied "Free usually means exploitable."

He's a software engineer.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

psydude posted:

My girlfriend's roommate asked for suggestions on a VPN solution to their house, so I recommended OpenVPN because it's free and easy to configure. He replied "Free usually means exploitable."

He's a software engineer.

So what languages does he code in primarily?

PBS
Sep 21, 2015

OSI bean dip posted:

So what languages does he code in primarily?

HTML

oh

PBS fucked around with this message at 01:38 on Mar 29, 2017

Subjunctive
Sep 12, 2006

✨sparkle and shine✨


Trust me, that poo poo is full of holes.

How much did he pay for his browser?

CLAM DOWN
Feb 13, 2007

nesaM killed Masen

psydude posted:

He's a software engineer.

Sounds about right.

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.
Not sure if this is the best place, but I'm a 20 year SysAdmin/Network admin and I'm looking to get into more of an infosec position in the next year or so.

I'm reading about CISSP certification.... Is this a good route to take? Any recommendations on methods or practice material?

beepsandboops
Jan 28, 2014
After learning about the new ISP privacy law, our DBA immediately tried to install Tor on his workstation :allears:

some kinda jackal
Feb 25, 2003

 
 

Gyshall posted:

Not sure if this is the best place, but I'm a 20 year SysAdmin/Network admin and I'm looking to get into more of an infosec position in the next year or so.

I'm reading about CISSP certification.... Is this a good route to take? Any recommendations on methods or practice material?

What sort of position are you looking for? Infosec is a wide wide field.

CISSP requires five years of "verifiable" work experience in three (I think) of its domains which you can probably talk your way through if you did any serious jack of all trade sysadmin duties, and it'll get you on recruiter lists but to be honest it won't really land you a job in and of itself without actual security experience. What material I'd recommend would depend entirely on the path you want to choose. CISSP is too "managerial" so even if you just wanted to use it to learn instead of get your foot in the door I still wouldn't recommend it as a source of real world security knowledge.

SANS runs a lot of good courses but you need to sell a kidney if work isn't paying for them. OSCP I guess if you're interested in offensive security. I don't really know much about the entry level sec certs like Sec+ or CEH though, sorry.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

beepsandboops posted:

After learning about the new ISP privacy law, our DBA immediately tried to install Tor on his workstation :allears:

The new activity repealed a law that wasn't yet in effect, so what's his motivation? It's not a new law, it's exactly the opposite: keeping a new law from taking effect.

Furism
Feb 21, 2006

Live long and headbang

Gyshall posted:

Not sure if this is the best place, but I'm a 20 year SysAdmin/Network admin and I'm looking to get into more of an infosec position in the next year or so.

I'm reading about CISSP certification.... Is this a good route to take? Any recommendations on methods or practice material?

It certainly is a good way to pick up some background knowledge about different aspects of security. Given how many domains there are in the course, you're bound to learn a lot of things. Some of it is boring and abstract (security models), some is amazing (cryptography), but overall I think it's a Good Thing to go through the book even if you don't attempt or pass the actual certification. Note that the exam, being so long (250 questions and up to 6 hours), doesn't really test your technical skill but rather your endurance and ability to regurgitate 800+ pages of content.

I think this certification will open up new job opportunities but only that; opportunities. It doesn't guarantee a job (not in any company worth working for I think).

some kinda jackal
Feb 25, 2003

 
 
Just my two cents but I have to believe that there are way better sources for picking up cryptography than the ISC2 material.

Maybe check out the 11th Hour CISSP book for a much more readable version of the syllabus if you're really interested.


Solaron
Sep 6, 2007

Whatever the reason you're on Mars, I'm glad you're there, and I wish I was with you.

Martytoof posted:

Just my two cents but I have to believe that there are way better sources for picking up cryptography than the ISC2 material.

Maybe check out the 11th Hour CISSP book for a much more readable version of the syllabus if you're really interested.

I've been working in IT (starting as a field tech, moving into tech support, then network/system admin and finally security ops) for 15 years now. My experience studying for CISSP has been that it's a good way to ensure that people talking cyber security have a shared vocabulary and perspective, but that's about it. It's very broad and focuses on a managerial mindset, so in some ways it's counter to the way a lot of us think. It seems like most security positions in my area (Cincinnati) want you to have it or be working towards it, and I'm sure having the cert can help your salary, but it definitely doesn't impart any skills or specific information to make you a better hands-on technician.


I definitely agree on the 11th Hour book by Eric Conrad. It's a pretty quick read that covers the domains quickly but enough that you'll understand the main concepts and maybe make a determination at that point if that's what you really want to focus on.
