Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


What's Upguard?


Absurd Alhazred
Mar 27, 2010

by Athanatos

Cup Runneth Over posted:

What's Upguard?

Not bad, how about you?

Mr Chips
Jun 27, 2007
Whose arse do I have to blow smoke up to get rid of this baby?

Cup Runneth Over posted:

What's Upguard?

UpGuard is the first cyber resilience platform designed to reduce risk of outages and breaches by managing configurations, IT processes, and vendor risk.

Double Punctuation
Dec 30, 2009

Ships were made for sinking;
Whiskey made for drinking;
If we were made of cellophane
We'd all get stinking drunk much faster!
So a money hole then?

Klyith
Aug 3, 2007

GBS Pledge Week

Thanks Ants posted:

For some reason I'm shocked that @fart does Serious Work

oh, I was wondering why http://www.smashmouth.com got a zero on their CSTAR score

Furism
Feb 21, 2006

Live long and headbang
A friend wanted to give Signal a try. So we did. Now he has a mobile plan with no data. But Signal (which now replaces my Text app in Android) insists on trying to send the messages to him over Signal and not SMS. I can't find any way to tell Signal "this person doesn't use Signal anymore, please send it over SMS, yes I know it's poo poo and not encrypted anymore."

What am I missing? This doesn't seem like much of a loophole nobody ran into before.

Tamba
Apr 5, 2010

When the send icon is blue, it will try to send the message over Signal.

Long press that and you can choose between Signal messages and SMS.

e: or tell your friend to use this:
https://whispersystems.org/textsecure/unregister/

Tamba fucked around with this message at 13:04 on Aug 21, 2017

Furism
Feb 21, 2006

Live long and headbang

Tamba posted:

Long press that and you can choose between Signal messages and SMS.

Oh for gently caress's sake.

Thanks!

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano
Unfortunately that doesn't stick and every sender has to remember to do it every time they send a message, so he should consider just unregistering if he doesn't have proper data

Furism
Feb 21, 2006

Live long and headbang

Rufus Ping posted:

Unfortunately that doesn't stick and every sender has to remember to do it every time they send a message, so he should consider just unregistering if he doesn't have proper data

Absolutely, I'll have him do that, but that's a good workaround (and overall trick, I never considered trying to hold the button to check for an alternative way of sending).

PBS
Sep 21, 2015
*snip*

PBS fucked around with this message at 17:10 on Sep 4, 2017

Boris Galerkin
Dec 17, 2011

I don't understand why I can't harass people online. Seriously, somebody please explain why I shouldn't be allowed to stalk others on social media!
I just bought the new IKEA smart light system as an impulse buy to play with before figuring out if I want to keep it or not. Never had another IoT device before. This one comes with a hub that I plug into my network.

Link: http://m.ikea.com/us/en/catalog/products/art/90353361/

How do I plug it in without getting my network pwned? For what it's worth my home network is an EdgeRouter Lite -> hub -> wifi. There is an unused port on my router still. Is my understanding correct that plugging the IKEA hub into that second unused port will isolate it from my wifi/PC network?

Thanks Ants
May 21, 2004

#essereFerrari


Create a second VLAN for all the IoT stuff so that you can apply much harsher ACLs. You may have to put some IP-helpers in place so that your phone on your normal Wi-Fi network can get to the restricted IoT network though.

For what it's worth, an assessment of the Ikea product was quite encouraging https://www.iot-tests.org/2017/04/ikea-tradfri-a-smart-light-in-the-darkness-of-iot-security/

rafikki
Mar 8, 2008

I see what you did there. (It's pretty easy, since ducks have a field of vision spanning 340 degrees.)

~SMcD


Boris Galerkin posted:

I just bought the new IKEA smart light system as an impulse buy to play with before figuring out if I want to keep it or not. Never had another IoT device before. This one comes with a hub that I plug into my network.

Link: http://m.ikea.com/us/en/catalog/products/art/90353361/

How do I plug it in without getting my network pwned? For what it's worth my home network is an EdgeRouter Lite -> hub -> wifi. There is an unused port on my router still. Is my understanding correct that plugging the IKEA hub into that second unused port will isolate it from my wifi/PC network?

If it's actually a router and not a switch, you would configure that unused port on its own network with an ACL preventing access to your other subnet. There's more around IoT security of course, but that segments it from your other devices. Note that that makes it trickier to control those lights from devices on your "trusted" network.

wolrah
May 8, 2006
what?
An ERL is a three-port router and yes, using the extra ethernet port will isolate the hub from the network.

Even if it was a switch, many routers with built-in switches actually have basic managed switch chipsets which can be accessed by the user, if not on the official firmware then almost certainly with OpenWRT or similar if available.

As noted the Ikea hub at least at this point seems to be well implemented, though we'll see if that changes as they add features.
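The segmentation the three replies above describe, written out as an EdgeOS configuration for the ERL. This is an added example, not configuration from any poster. It assumes the WAN is on eth0, the trusted LAN on eth1 as 192.168.1.0/24, and the spare port is eth2; the IoT subnet 192.168.20.0/24, the group and firewall names, and the NAT rule number are choices made here, not anything from the thread.

```text
# Added example (not from the thread): IKEA gateway on the spare ERL port,
# own subnet, internet allowed, no new sessions toward the trusted LAN.
# Assumed layout: eth0 = WAN, eth1 = trusted LAN 192.168.1.0/24, eth2 = spare.
configure

set interfaces ethernet eth2 description "IoT (IKEA gateway)"
set interfaces ethernet eth2 address 192.168.20.1/24

# Hand out addresses on the IoT subnet and answer DNS for it
set service dhcp-server shared-network-name IOT subnet 192.168.20.0/24 default-router 192.168.20.1
set service dhcp-server shared-network-name IOT subnet 192.168.20.0/24 dns-server 192.168.20.1
set service dhcp-server shared-network-name IOT subnet 192.168.20.0/24 start 192.168.20.100 stop 192.168.20.199
set service dns forwarding listen-on eth2

set firewall group network-group LAN_NETS network 192.168.1.0/24

# Traffic arriving from the IoT port, bound for other networks
set firewall name IOT_IN default-action drop
set firewall name IOT_IN rule 10 action accept
set firewall name IOT_IN rule 10 description "replies to sessions the LAN opened"
set firewall name IOT_IN rule 10 state established enable
set firewall name IOT_IN rule 10 state related enable
set firewall name IOT_IN rule 20 action drop
set firewall name IOT_IN rule 20 description "no new sessions into the trusted LAN"
set firewall name IOT_IN rule 20 destination group network-group LAN_NETS
set firewall name IOT_IN rule 30 action accept
set firewall name IOT_IN rule 30 description "everything else, i.e. the internet"

# Traffic from the IoT port addressed to the router itself: DHCP and DNS only
set firewall name IOT_LOCAL default-action drop
set firewall name IOT_LOCAL rule 10 action accept
set firewall name IOT_LOCAL rule 10 state established enable
set firewall name IOT_LOCAL rule 10 state related enable
set firewall name IOT_LOCAL rule 20 action accept
set firewall name IOT_LOCAL rule 20 description "DHCP and DNS"
set firewall name IOT_LOCAL rule 20 protocol tcp_udp
set firewall name IOT_LOCAL rule 20 destination port 53,67

set interfaces ethernet eth2 firewall in name IOT_IN
set interfaces ethernet eth2 firewall local name IOT_LOCAL

# Let the IoT subnet out through the WAN like the LAN already does
set service nat rule 5010 description "masquerade IoT"
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 source address 192.168.20.0/24
set service nat rule 5010 type masquerade

commit
save
exit
```

The `in` ruleset only governs sessions the IoT side starts: a phone on the trusted LAN can still open a connection to the gateway's address, and the replies match rule 10. What does not cross a routed boundary is the broadcast and multicast traffic apps use to find a gateway on the local subnet, so expect to enter the gateway address by hand or run a relay/reflector for that discovery traffic, which is the trade-off the replies above mention.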

Rectus
Apr 27, 2008

Also, you can unplug the gateway at any time, and the lights will still work with the remote pucks. I bought one, but realized I didn't have much use for the gateway (apart from a timer when traveling), so I just keep it unplugged.

orange sky
May 7, 2007

What's the best introductory book to hacking/pentesting/vulnerability exploiting?

I am a consultant that works mostly on enterprise environments with Microsoft stuff, but I'm bored of this and want to switch to a more security based role.

Stuff I know:

- Computer architectures. Did Assembly in school and a shitload of programming languages, including object oriented;
- General tools. I've tried out Mimikatz, for example, to get a feel for what it can do;
- Basic terminology for malware - delivery, payload, exploit, C2;
- Network protocols, I studied everything including BGP but could probably use a refresh;

What I don't know:

- I don't yet work with github that much. It seems like a shitload of trouble looking for projects where I might have any know-how and be able to help. But I know that having a good github profile will get you jobs. Any tips on where to start out here would be very good;
- Everything about hacking history, main hacking targets & weak spots, etc;
- What to do next. This seems like a very, very big area;

Any help would be appreciated.

Diva Cupcake
Aug 15, 2005

I would say the Georgia Weidman book is pretty boss as far as introductory penetration testing skills and methodologies go. It lines up pretty well as a study guide for OSCP as well.

Hacker Playbook 2 is also good.

Furism
Feb 21, 2006

Live long and headbang

Check your PMs.

ufarn
May 30, 2009
"The Web Application Hacker's Handbook" seems to be the bible of websec, and everyone and their dog bring it up. It'd probably at least be a good book to have on your shelf.

LochNessMonster
Feb 3, 2005

I need about three fitty


Furism posted:

Check your PMs.

I'm looking to move in the same direction. Could you PM me the same info?

orange sky
May 7, 2007

Thank you all for your help guys! Got a lot to go through already :)

Talas
Aug 27, 2005

I would also like some recommendations on the side of IS Risk Management and Auditing. I already have a CISM, but I would like to do way more reading on these topics.

Thanks in advance.

dougdrums
Feb 25, 2005
CLIENT REQUESTED ELECTRONIC FUNDING RECEIPT (FUNDS NOW)
Yeah, a good part of commercial infosec is auditing and regulatory compliance, which is a field that you might not run into otherwise doing IT/dev. Check out PCI standards, and get familiar with the requirements of HIPAA, FERPA, etc.

Oh whoops you just mentioned this ... thought I'd just make note of it while I'm about. I learned about PCI from just reading the standards documents online, they're very helpfully written.

Vvv Oh yeah, http://csrc.nist.gov/publications/PubsSPs.html and specifically 800-30: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

dougdrums fucked around with this message at 20:22 on Aug 31, 2017

Furism
Feb 21, 2006

Live long and headbang

Talas posted:

I would also like some recommendations on the side of IS Risk Management and Auditing. I already have a CISM, but I would like to do way more reading on these topics.

Thanks in advance.

It's probably not deep enough for you, but one of the 12 domains of the CISSP covers Risk Management so you might want to read that bit?

It's too bad guys, something like 1 month ago there was an InfoSec ebook bundle on Humble Bundle :/

CLAM DOWN
Feb 13, 2007




Reading cissp material is enough to make me want to off myself out of boredom. Why am I doing this.

Furism
Feb 21, 2006

Live long and headbang

CLAM DOWN posted:

Reading cissp material is enough to make me want to off myself out of boredom. Why am I doing this.

I have to admit I can't do much more than 1 hour at a time. But it's great high-level reference material I think. Really worried about being able to spit it back out for the exam though.

dougdrums
Feb 25, 2005
CLIENT REQUESTED ELECTRONIC FUNDING RECEIPT (FUNDS NOW)
Yeah it's all incredibly dull. If I were to do this as my career forever I think I'd go into LE instead. I'm sure LE have their share of boring poo poo, but it still seems like a much more useful and interesting gig.

CLAM DOWN
Feb 13, 2007




Furism posted:

I have to admit I can't do much more than 1 hour at a time. But it's great high-level reference material I think. Really worried about being able to spit it back out for the exam though.

The most boring part to me is that most of it is review as I've been working in various parts of infosec for a while, but I just know that the exam is going to require me to spit out specific tidbits and the very thought of that makes me want to puke then eat my own puke

ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else
EveryMicrosoftExamEver.jpg

some kinda jackal
Feb 25, 2003

 
 

CLAM DOWN posted:

Reading cissp material is enough to make me want to off myself out of boredom. Why am I doing this.

Oof, this post brought back unpleasant memories.

EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!
:vapes:
Switchblade Switcharoo

Martytoof posted:

Oof, this post brought back unpleasant memories.

Get the app that customizes the tests for your weak subjects. Just remember that on the test they will mix in answers from other subjects that sound acceptable if you second-guess yourself.

That was the one thing that will seriously trip you up.

Solaron
Sep 6, 2007

Whatever the reason you're on Mars, I'm glad you're there, and I wish I was with you.

Talas posted:

I would also like some recommendations on the side of IS Risk Management and Auditing. I already have a CISM, but I would like to do way more reading on these topics.

Thanks in advance.

I got my CISSP earlier this year which has turned into a new job in IT Risk and Controls - and while my security background and the CISSP have both been valuable, I definitely don't feel super comfortable compared to my previous job in Ops. I had someone recommend a book to me - Information Assurance Handbook by Dr. Corey Schou and Steve Hernandez - but I would welcome other recommendations. I would especially love anything audio (podcasts, audiobooks, etc) because I have a pretty good hike back and forth to my car now and need to fill up that time with something.

Wicaeed
Feb 8, 2005
Is it common practice for a third party we use to host an external support website (these guys are pretty large too) to ask for the following?

quote:

We do not fulfill CSR requests and it should not be necessary in order to retrieve the certificate information from the provider.
 
For SSL renewals, please attach the following:
 
New SSL certificate
Respective Private KEY
Bundle (Intermediate and Root certificates)
* If a PASSWORD is required to open the .ZIP file, please make sure you enclose it in a .txt document.
 
Please do not email the files. Please attach the files to the case in one of the following formats only: .txt or .pem format.

Doesn't sending the private keys to someone that didn't generate them defeat one of the basic points of a loving private key? :confused:

EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!
:vapes:
Switchblade Switcharoo

Wicaeed posted:

Is it common practice for a third party we use to host an external support website (these guys are pretty large too) to ask for the following?


Doesn't sending the private keys to someone that didn't generate them defeat one of the basic points of a loving private key? :confused:

It is pretty loving strange they are asking for the exact thing they need to fully pretend to be your company.

What exactly is happening? It says they are not fulfilling a CSR; is this a renewal?

Ask them why they need the private key, since that will allow them to create their own certs that identify as you. Are they looking for ways to verify you are who you say you are? The easy way is to sign something using the private key and they'll be able to verify it using the public key they already have. Or go through, I dunno, the loving CSR process which is built for this exact situation?

EVIL Gibson fucked around with this message at 19:06 on Sep 1, 2017

ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else

Wicaeed posted:

Is it common practice for a third party we use to host an external support website (these guys are pretty large too) to ask for the following?


Doesn't sending the private keys to someone that didn't generate them defeat one of the basic points of a loving private key? :confused:

What are you trying to do here? Renew a cert? I would say you are extremely correct to be suspicious of this request. I can't imagine a world in which they would need your private key for any reason other than to pretend to be your company.

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano
Presumably the cert they want is one for support.acmecorp.com or whatever

Bit stupid they can't just handle the issuance/renewal themselves once you've set up the CNAME at your end though

Thanks Ants
May 21, 2004

#essereFerrari


I don't see a good reason to request that the customer provides a cert any more when certbot is a thing.

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano
Allowing a custom one to be uploaded (for e.g. EV) would kinda make sense but yes I agree
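What "go through the CSR process" from the replies above looks like in practice, as an added example (not from any poster) using the openssl command line. The practitioner's caveat: whoever terminates TLS for support.acmecorp.com does have to hold a private key for that certificate, so the real question is who generates it. In the flow below the host generates the key and hands over only a CSR, the customer checks it, gets it signed and returns the certificate plus chain; the key never leaves the host's directory. The hostname support.example.com, the directory names and the throwaway local CA (standing in for the public CA you would actually submit to) are placeholders chosen here.

```shell
#!/bin/sh
# Added example, not from the thread. The HOST (who terminates TLS) makes
# the key pair and a CSR; the CUSTOMER verifies the CSR, has it signed and
# returns only the certificate and chain. Needs the openssl CLI.
# Hostname, directory names and the stand-in CA are placeholders.
set -eu

WORK="${TMPDIR:-/tmp}/csr-flow.$$"
HOST="$WORK/host"          # the hosting provider's side
CUST="$WORK/customer"      # your side
trap 'rm -rf "$WORK"' EXIT

# Host side: key pair plus a CSR for the customer's hostname ($1).
host_make_csr() {
    mkdir -p "$HOST"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$HOST/server.key" 2>/dev/null
    chmod 600 "$HOST/server.key"
    openssl req -new -key "$HOST/server.key" -subj "/CN=$1" \
        -out "$HOST/server.csr" 2>/dev/null
}

# Customer side: a CSR is self-signed with the requester's private key,
# so a valid signature proves the sender holds it. Also refuse a file
# that has a PEM private-key block pasted in alongside the request.
customer_check_csr() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 &&
        ! grep -q 'PRIVATE KEY' "$1"
}

# Customer side: get the CSR ($1) signed. A throwaway local CA stands in
# for the public CA; the chain is whatever that CA hands back.
customer_issue_cert() {
    mkdir -p "$CUST"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Stand-in CA" \
        -keyout "$CUST/ca.key" -out "$CUST/ca.crt" -days 1 2>/dev/null
    openssl x509 -req -in "$1" -CA "$CUST/ca.crt" -CAkey "$CUST/ca.key" \
        -CAcreateserial -days 1 -out "$CUST/server.crt" 2>/dev/null
    cp "$CUST/ca.crt" "$CUST/chain.pem"
}

# Either side: the issued cert ($1) must carry the CSR's ($2) public key.
cert_matches_csr() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl req -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Host side: the private key ($1) it kept must match the cert ($2) it got.
host_key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Demo run; set -e aborts on the first check that fails.
host_make_csr support.example.com
customer_check_csr "$HOST/server.csr"
customer_issue_cert "$HOST/server.csr"
cert_matches_csr "$CUST/server.crt" "$HOST/server.csr"
host_key_matches_cert "$HOST/server.key" "$CUST/server.crt"
echo "crossed the boundary: server.csr, then server.crt + chain.pem; server.key stayed in $HOST"
```

The vendor's quoted request reverses the direction of the first step (they want the customer to generate the key and upload it), and the certbot point raised above removes the customer from the loop entirely: once the CNAME points at them, the host can request its own certificate and the customer never touches key material for that name.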


Pablo Bluth
Sep 7, 2007

I've made a huge mistake.
I listen out of curiosity rather than any relevance to anything I do, but I've taken to listening to the weekly Risky Business podcast on my way to work and find most of it pretty interesting.

https://risky.biz/
