hobbesmaster posted:
she had at the very least 11 years experience in something or other - she's blocked details of previous jobs. she could be extremely qualified we don't know

yeah, she doesn't actually seem to answer the question, like, at all. i mean she's sort of somewhere in the right area at the start, when her answer is so generic it could answer any question in the form "how does <x> help security?" but then she starts talking about interviewing people - which might well be part of an investigation but doesn't really need ~big data~ - and then sort of maybe talks about needing more hard disk space for it, then talks about loving change windows

if someone gave me that answer in a job interview for a soc job they'd get politely shuffled off into the "seriously, recruitment people?" pile

the rest of the interview really isn't helping either:

quote:
Prat: Is the cloud easier to secure than the data center for the enterprise?

# ? Sep 9, 2017 23:40

did this already get posted yet? https://twitter.com/webster/status/906346071210778625?s=04

quote:
OMG, Equifax security freeze PINs are worse than I thought. If you froze your credit today 2:15pm ET for example, you'd get PIN 0908171415. the PIN is just a timestamp.

# ? Sep 10, 2017 00:42

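The timestamp-PIN scheme in the tweet above, as an added example that is not part of the thread and not Equifax's code: it reproduces the MMDDYYHHMM layout the tweet describes, decodes a PIN back into a freeze time, counts how many distinct PINs a minute-granular clock can produce in an issuance window (against the 10^10 a random 10-digit PIN would offer), and runs that decode over a batch of issued PINs, which is the audit to run against a PIN generator's output. The function names, the sample PINs and the one-year window are constructed for the example.

```python
"""Timestamp-derived PIN checks. Added example, not from the thread or from Equifax.
Sample PINs and the issuance window below are constructed."""
from datetime import datetime

PIN_FORMAT = "%m%d%y%H%M"    # MMDDYYHHMM, the layout the tweet describes
RANDOM_PIN_SPACE = 10 ** 10  # what a uniformly random 10-digit PIN would offer


def pin_for(moment: datetime) -> str:
    """Reproduce a PIN that is nothing more than the freeze time."""
    return moment.strftime(PIN_FORMAT)


def timestamp_in_pin(pin: str):
    """Return the datetime a 10-digit PIN encodes, or None when it is not a valid MMDDYYHHMM."""
    if len(pin) != 10 or not pin.isdigit():
        return None
    try:
        moment = datetime.strptime(pin, PIN_FORMAT)
    except ValueError:  # e.g. month 13, minute 99, or trailing digits left over
        return None
    # strptime accepts single-digit fields; insist on an exact round trip so that
    # only fixed-width MMDDYYHHMM strings count as timestamps.
    if moment.strftime(PIN_FORMAT) != pin:
        return None
    return moment


def candidate_count(start: datetime, end: datetime) -> int:
    """Distinct PINs a minute-granular timestamp scheme can produce in [start, end]."""
    return int((end - start).total_seconds() // 60) + 1


def audit_pins(pins, start: datetime, end: datetime) -> list:
    """Flag issued PINs that decode to a time inside the issuance window.
    One or two hits can be chance; a high hit rate means the generator is a clock."""
    flagged = []
    for pin in pins:
        moment = timestamp_in_pin(pin)
        if moment is not None and start <= moment <= end:
            flagged.append((pin, moment))
    return flagged


if __name__ == "__main__":
    window = (datetime(2017, 1, 1, 0, 0), datetime(2017, 12, 31, 23, 59))
    print(pin_for(datetime(2017, 9, 8, 14, 15)))             # 0908171415
    print(candidate_count(*window), "vs", RANDOM_PIN_SPACE)  # 525600 vs 10000000000
    sample = ["0908171415", "4871029364", "1399171415"]      # constructed
    print(audit_pins(sample, *window))                       # only the first is flagged
```

The candidate count is the number a reviewer would compare against the generator's claimed PIN space: a year of minutes is about 525,600 values, some 19,000 times fewer than the 10-digit format suggests.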
goddamnedtwisto posted:
yeah, she doesn't actually seem to answer the question, like, at all. i mean she's sort of somewhere in the right area at the start, when her answer is so generic it could answer any question in the form "how does <x> help security?" but then she starts talking about interviewing people - which might well be part of an investigation but doesn't really need ~big data~ - and then sort of maybe talks about needing more hard disk space for it, then talks about loving change windows

Ok well it's a puff piece in a business magazine, whether or not someone knows what they're doing, the conversion ends up filtered into something th

quote:
the rest of the interview really isn't helping either:

# ? Sep 10, 2017 01:19

i kindof get that response, actually. most organizations considering putting their assets in the cloud aren't just tired of maintaining physical hardware for their existing, well-designed, centralized information systems. it's more likely that every department, maybe even individual groups, have their own independent it staff maintaining their own independent servers running whatever software their staff has decided to install. ideally those servers support sso using company-wide credentials but it's just as likely that they use a department-specific or even server-specific login, and even if they use sso there's probably nothing being centrally logged except that user X authenticated to server Y at 2:19 AM. even if you assume that all those it staff are competent at keeping their servers warm healthy and clean, it's still a setup that makes most security tasks a lot harder, both proactively and forensically. forcing those departments to move those systems to the company's cloud provider is a pretty good lever for actually fixing those problems, one easily enforced by the big budget hammer, even if, yes, the company could theoretically just replicate the same lovely systems in the cloud, as well as that conversely they could have fixed those systems without moving to a cloud at all

# ? Sep 10, 2017 01:56

goddamnedtwisto posted:
the rest of the interview really isn't helping either:

well i mean if we're comparing a proper aws/azure/whatever setup versus the janky ad hoc poo poo you see in a lot of bare-minimum-investments-in-infrastructure smbs then yeah, i guess

# ? Sep 10, 2017 09:19

rjmccall posted:
most organizations considering putting their assets in the cloud aren't just tired of maintaining physical hardware for their existing, well-designed, centralized information systems. it's more likely that every department, maybe even individual groups, have their own independent it staff maintaining their own independent servers running whatever software their staff has decided to install.

extremely this.

# ? Sep 10, 2017 09:27

surebet posted:
extremely this.

yeah but do you really think a management dumb enough to let that sort of thing happen are then going to be smart enough not to leave everything on a public-accessible aws bucket?

# ? Sep 10, 2017 09:37

No kidding in the cloud you can just go and enforce policies about authentication and management and get your cost fully itemized at the end of the month, and know that for example, if your folks use an AWS ELB or ALB, the loving thing is going to be patched and have an up to date policy and won't heartbleed 3 years into the future (and they even get advanced notifications before major CVEs make it to the public). The cloud is definitely more secure for a fuckton of people because it tends to ensure that a limited number of knowledgeable people can impose far reaching policies (you need this kind of auth to touch any thing, and here are your limited permissions, use this service to do it and not use an inhouse shitshow of an app, audit trails are automatically generated through it all) and can leverage the size of another organization dedicated to maintaining that stack for you. The one thing you don't get is that total isolation of running poo poo in your own controlled data centers and the flexibility that comes with it, but I'm ready to bet that for most orgs out there, that's a level of security that is not yet relevant because the applicative side of things is so bad it's guaranteed to make the rest irrelevant. The kind of org that leaves a bucket available to the public on S3 is the kind of team to have the password validated in JS with an admin backdoor hidden in an HTML comment anyway.

# ? Sep 10, 2017 13:35

PyPy posted:
Those qualifications....her LinkedIn is gone now, ofc.

my degree is in literature but my job is primarily in tech. somebody's degree doesn't necessarily indicate whether they're good at a given job, just that they were academically trained in that subject.

# ? Sep 10, 2017 19:27

i don't even own a degree

# ? Sep 10, 2017 19:34

ate all the Oreos posted:
i don't even own a degree

You don't need to own one to screw your underlings 360 degrees.

# ? Sep 10, 2017 19:46

duTrieux. posted:
my degree is in literature but my job is primarily in tech. somebody's degree doesn't necessarily indicate whether they're good at a given job, just that they were academically trained in that subject.

same. my degree certifies me to write deece poems but instead i make deece figs

# ? Sep 10, 2017 19:52

I got into a multimedia professional to graphic designer, discovered programming by accident while there. I later got a part-time minor in CS while working in the industry, but in Quebec those (when not part of a bachelor's degree) are called a 'certificat' which I literally translate to a 'certificate in CS'. I think a bunch of non-quebec businesses hired me assuming this was some form of Bsc from a tiny university but I technically never lied about my creds.

# ? Sep 10, 2017 20:06

so basically, a degree is a good measure of somebody's interests but not necessarily their career. this isn't to say that the person at equifax didn't totally gently caress up.

cis autodrag posted:
same. my degree certifies me to write deece poems but instead i make deece figs

nice.

# ? Sep 10, 2017 20:21

duTrieux. posted:
my degree is in literature but my job is primarily in tech. somebody's degree doesn't necessarily indicate whether they're good at a given job, just that they were academically trained in that subject.

# ? Sep 10, 2017 22:13

anthonypants posted:
if they have only ever held director-level and c-level infosec positions at various companies over the past decade then a degree would definitely help assuage the belief that they were given a title and a paycheck they don't deserve, and that they are completely unprepared for this breach.

Counter point. Professional at IBM.

# ? Sep 10, 2017 22:24

MononcQc posted:
The kind of org that leaves a bucket available to the public on S3 is the kind of team to have the password validated in JS with an admin backdoor hidden in an HTML comment anyway.

also extremely this

~the cloud~ sure as poo poo isn't the end all be all of secure enterprise computing but for a lot of smbs it's better and even usually cheaper than trying to figure it out themselves, especially if their it dept is essentially james from accounting that likes video games. a couple weeks time per year in contract outside help to plan and deploy is an easier sell than trying to push a smallish medium company to bite down and hire their first full time it guy, and in-housing all the hardware & keeping it current makes management crap themselves once they realize they can't just run everything on a router they bought at staples.

now of course, if no one's at the helm, this all becomes james from accounting with an azure account, but there's no saving some people

# ? Sep 11, 2017 09:19

securing cloud's gazillion hidden apis is not that simple, or so ive heard

# ? Sep 11, 2017 11:47

Independent researcher Scott Gayou has identified eight vulnerabilities in Smiths Medical’s Medfusion 4000 Wireless Syringe Infusion Pump. Smiths Medical is planning to release a new product version to address these vulnerabilities in January, 2018. In the interim, NCCIC/ICS-CERT is recommending that users apply the identified compensating controls until the new version can be applied. These vulnerabilities could be exploited remotely.

1. A third-party component used in the pump does not verify input buffer size prior to copying, leading to a buffer overflow, allowing remote code execution on the target device. The pump receives the potentially malicious input infrequently and under certain conditions, increasing the difficulty of exploitation. CVE-2017-12718 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

2. A third-party component used in the pump reads memory out of bounds, causing the communications module to crash. Smiths Medical assesses that the crash of the communications module would not impact the operation of the therapeutic module. CVE-2017-12722 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3. The pump with default network configuration uses hard-coded credentials to automatically establish a wireless network connection. The pump will establish a wireless network connection even if the pump is Ethernet connected and active; however, if the wireless association is established and the Ethernet cable is attached, the pump does not attach the network stack to the wireless network. In this scenario, all network traffic is instead directed over the wired Ethernet connection. CVE-2017-12725 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

4. The FTP server on the pump does not require authentication if the pump is configured to allow FTP connections. CVE-2017-12720 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

5. The FTP server on the pump contains hardcoded credentials, which are not fully initialized. The FTP server is only accessible if the pump is configured to allow FTP connections. CVE-2017-12724 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

6. Telnet on the pump uses hardcoded credentials, which can be used if the pump is configured to allow external communications. Smiths Medical assesses that it is not possible to upload files via Telnet and the impact of this vulnerability is limited to the communications module. CVE-2017-12726 has been assigned to this vulnerability. A CVSS v3 base score of 5.6 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).

7. The pump does not validate host certificate, leaving the pump vulnerable to a man-in-the-middle (MITM) attack. CVE-2017-12721 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

8. The pump stores some passwords in the configuration file, which are accessible if the pump is configured to allow external communications. CVE-2017-12723 has been assigned to this vulnerability. A CVSS v3 base score of 3.7 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

# ? Sep 11, 2017 12:56

Is a company like Equifax even required to notify the public of a breach? If so, within what timeframe? If not, why bother? The timing of sandwiching it between two major hurricanes to keep it off the front page is devilishly devious.

# ? Sep 11, 2017 13:04

cinci zoo sniper posted:
Independent researcher Scott Gayou has identified eight vulnerabilities in Smiths Medical’s Medfusion 4000 Wireless Syringe Infusion Pump. Smiths Medical is planning to release a new product version to address these vulnerabilities in January, 2018. In the interim, NCCIC/ICS-CERT is recommending that users apply the identified compensating controls until the new version can be applied.

i'm disappointed that none of them is a sql injection

# ? Sep 11, 2017 13:12

flakeloaf posted:
i'm disappointed that none of them is a xss injection

# ? Sep 11, 2017 13:18

gonadic io posted:
i'm disappointed that none of them is a xss injection

The real heartbleed

# ? Sep 11, 2017 13:25

Shinku ABOOKEN posted:
securing cloud's gazillion hidden apis is not that simple, or so ive heard

while fully admitting that i'm basically james from accounting in this scenario, both on aws & azure i'm able to filter out any incoming connection except whitelisted ips/ports and i try not to ship my keys to github, so at least there's that + the usual credentials being required

i'm curious/afraid to ask in what new and exciting ways my poo poo could get owned though

# ? Sep 11, 2017 13:57

surebet posted:
i'm curious/afraid to ask in what new and exciting ways my poo poo could get owned though

let me tell you about row-hammering, where other users running in other vms on the same physical hardware can alter and read your data

# ? Sep 11, 2017 14:00

surebet posted:
while fully admitting that i'm basically james from accounting in this scenario, both on aws & azure i'm able to filter out any incoming connection except whitelisted ips/ports and i try not to ship my keys to github, so at least there's that + the usual credentials being required

one more thing you can do is limit the poo poo out of your keys like you can make a key that can only upload to a specific bucket and also expires quickly

# ? Sep 11, 2017 14:00

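The scoped, short-lived key suggested above, as an added example that is not the poster's code: a policy document that allows only s3:PutObject into one prefix of one bucket, shown next to the over-broad policy it replaces; a small linter that flags wildcard actions, resources not pinned to a bucket, and any action outside the allowed set; and the Policy/DurationSeconds pair that AWS STS AssumeRole and GetFederationToken accept for a session policy with a short lifetime (900 seconds is the documented minimum). The bucket name and prefix are constructed, and no AWS call is made.

```python
"""Scoped, short-lived upload credentials: policy document plus a linter.
Added example, not the poster's code. Bucket name and prefix are constructed."""
import json

BUCKET = "example-uploads-bucket"   # constructed, not a real bucket
MIN_SESSION_SECONDS = 900           # smallest DurationSeconds STS accepts

# The over-broad policy a leaked key too often carries: everything on every bucket.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def upload_only_policy(bucket: str, prefix: str = "incoming/") -> dict:
    """Allow writing objects under one prefix of one bucket and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
        }],
    }


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def policy_findings(policy: dict, allowed_actions=("s3:PutObject",)) -> list:
    """Report Allow statements broader than the allowed action set or not pinned to a bucket."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
            elif action not in allowed_actions:
                findings.append(f"statement {i}: action {action} outside allowed set")
        for resource in _as_list(stmt.get("Resource")):
            # "*" or "arn:aws:s3:::*" covers every bucket in the account.
            if resource == "*" or resource.rstrip("*").endswith(":::"):
                findings.append(f"statement {i}: resource {resource} not pinned to a bucket")
    return findings


def session_kwargs(policy: dict, seconds: int) -> dict:
    """Build the session-policy arguments for STS AssumeRole / GetFederationToken.
    Refuses policies with findings and lifetimes below the STS minimum."""
    problems = policy_findings(policy)
    if problems:
        raise ValueError("refusing over-broad policy: " + "; ".join(problems))
    if seconds < MIN_SESSION_SECONDS:
        raise ValueError(f"DurationSeconds must be at least {MIN_SESSION_SECONDS}")
    return {"Policy": json.dumps(policy, separators=(",", ":")), "DurationSeconds": seconds}


if __name__ == "__main__":
    print("broad policy:", policy_findings(BROAD_POLICY))
    print("scoped policy:", policy_findings(upload_only_policy(BUCKET)))
    print(session_kwargs(upload_only_policy(BUCKET), MIN_SESSION_SECONDS))
```

A session policy can only narrow what the underlying role already allows, so the role itself still needs a sane policy; the point of the linter is to catch the "s3:*" on "*" case before a key is ever minted, and the short DurationSeconds bounds the damage if the key does leak.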
schranz kafka posted:
rufo is the best

agreed

# ? Sep 11, 2017 14:40

gonadic io posted:
let me tell you about row-hammering, where other users running in other vms on the same physical hardware can alter and read your data

still loving amazing that someone managed to whip up a working reasonably high bitrate covert communications channel between vms using that sort of behavior in the CPU cache https://cmaurice.fr/pdf/ndss17_maurice.pdf

# ? Sep 11, 2017 14:47

i mean yeah i know im going to get super owned by stuff like that, iirc there's not a lot users can do to armor against vm level attacks anyhow, which is why anything confidential (so like everything) gets rar'ed and encrypted before it hits external storage Iiiiii do enjoy watching talks about parallel vm attacks though, anything good come out about that at defcon or blackhat this year?

# ? Sep 11, 2017 15:56

surebet posted:
i mean yeah i know im going to get super owned by stuff like that, iirc there's not a lot users can do to armor against vm level attacks anyhow, which is why anything confidential (so like everything) gets rar'ed and encrypted before it hits external storage

guys we found the only place on the planet with licenced (hopefully) winrar

# ? Sep 11, 2017 16:24

im the implication of coworkers who were previously unable to categorize and catalog poo poo locally suddenly being able to do so because its in the cloud now

# ? Sep 11, 2017 16:27

gonadic io posted:
let me tell you about row-hammering, where other users running in other vms on the same physical hardware can alter and read your data

aren't clouds the place where this is the least concern though? they've got ECC, decided on higher refresh rates to further mitigate, and already have detection tools to spot attempts

# ? Sep 11, 2017 16:28

crazypenguin posted:
aren't clouds the place where this is the least concern though?

what other places do you have random other people running their code on the same physical machines that you have? if you have your own company servers this isn't at all an issue. unless you're already owned or mine eth lol (but I repeat myself)

# ? Sep 11, 2017 16:38

cinci zoo sniper posted:
Independent researcher Scott Gayou has identified eight vulnerabilities in Smiths Medical’s Medfusion

More like Smiths Medical Malpractice

# ? Sep 11, 2017 16:48

gonadic io posted:
what other places do you have random other people running their code on the same physical machines that you have? if you have your own company servers this isn't at all an issue.

colocs?

# ? Sep 11, 2017 16:55

PyPy posted:
Those qualifications....her LinkedIn is gone now, ofc.

duTrieux. posted:
my degree is in literature but my job is primarily in tech. somebody's degree doesn't necessarily indicate whether they're good at a given job, just that they were academically trained in that subject.

yeah. i am in the same boat. i dropped out three and a half years into my BA in history (was aiming to be a teacher) and ended up working on securing corporate and industrial control networks. while funny, i don't judge her credentials. i do however judge her job performance

# ? Sep 11, 2017 16:56

Alec Muffett's degree (partial degree) is in astronomy.

# ? Sep 11, 2017 16:57

Lain Iwakura posted:
yeah. i am in the same boat. i dropped out three and a half years into my BA in history (was aiming to be a teacher) and ended up working on securing corporate and industrial control networks. while funny, i don't judge her credentials. i do however judge her job performance

dunking on her degree is some stemlord bullshit when her interview response asking about security was "I hope I budgeted for enough hard drives" is infinitely more damning and telling

# ? Sep 11, 2017 17:03

Powaqoatse posted:
colocs?

Colo isn't shared hardware.

# ? Sep 11, 2017 17:06

necrotic posted:
Colo isn't shared hardware.

hah yea brainfart but i mean theres a ton of places where you can get your stuff hosted that arent cloudy unless my definition of cloud is outdated

# ? Sep 11, 2017 17:11