Pablo Bluth
Sep 7, 2007

I've made a huge mistake.
So rogue SMB servers can bypass Windows Defender by feeding a different clean file to Defender before delivering the real payload for running, and MS consider fixing this a "feature request". I can't claim to be an expert in the field, but making sure you're scanning a copy of what's actually going to be run/opened seems like a key step.

edit: forgot the link
https://www.bleepingcomputer.com/news/security/new-illusion-gap-attack-bypasses-windows-defender-scans/

Pablo Bluth fucked around with this message at 21:48 on Oct 1, 2017
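As an added illustration of the scan-then-run race in the post above (example code, not from the linked article and not Defender's logic): a constructed RogueShare stands in for a server that answers the scanner's read and the loader's read with different bytes, and the race-prone flow is shown next to two defensive flows, scanning a local copy that is then the copy executed, or re-checking the hash before execution.

```python
"""Scan-then-run race from the post above, with two defensive flows.

Constructed illustration, not the article's code and not Defender's logic.
RogueShare is a stand-in for a server that answers the scanner's read and
the loader's read with different bytes; the 'scanner' is a toy hash blocklist.
"""
import hashlib
from typing import Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed samples: CLEAN is allowed, BAD is on the toy blocklist.
CLEAN = b"echo hello from a constructed clean sample\n"
BAD = b"echo constructed blocklisted sample\n"
BLOCKLIST = {sha256_hex(BAD)}


class RogueShare:
    """Constructed stand-in: first read returns `first`, every later read `later`."""

    def __init__(self, first: bytes, later: bytes) -> None:
        self._first, self._later, self.reads = first, later, 0

    def read(self) -> bytes:
        self.reads += 1
        return self._first if self.reads == 1 else self._later


def scanner_allows(data: bytes) -> bool:
    """Toy signature check: allowed unless the hash is blocklisted."""
    return sha256_hex(data) not in BLOCKLIST


def naive_open(share: RogueShare) -> Tuple[bool, bytes]:
    """Race-prone flow: scan one read, then read the file again to run it."""
    if not scanner_allows(share.read()):
        return False, b""
    return True, share.read()  # second read: not necessarily what was scanned


def pinned_open(share: RogueShare) -> Tuple[bool, bytes]:
    """Fix 1: read once into a local copy, scan that copy, run exactly that copy."""
    local_copy = share.read()
    if not scanner_allows(local_copy):
        return False, b""
    return True, local_copy


def hash_checked_open(share: RogueShare) -> Tuple[bool, bytes]:
    """Fix 2: if a second read is unavoidable, refuse when its hash differs
    from the hash of the bytes that were scanned."""
    scanned = share.read()
    if not scanner_allows(scanned):
        return False, b""
    to_run = share.read()
    if sha256_hex(to_run) != sha256_hex(scanned):
        return False, b""  # content changed between scan and run
    return True, to_run


if __name__ == "__main__":
    print("naive  :", naive_open(RogueShare(CLEAN, BAD)))
    print("pinned :", pinned_open(RogueShare(CLEAN, BAD)))
    print("hashed :", hash_checked_open(RogueShare(CLEAN, BAD)))
```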

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Guy Axlerod posted:

Yeah, just the FINAL NOTICE letters from "Car Warranty" companies. The W2, replacement bank cards, and DMV stuff is good though.

This. Everything important is on autopilot and the bills come by email. I'd be delighted if there was a way to be notified if an actually important piece of mail came, but there typically never is, outside of W2s and replacement CCs. I can basically just bring in the trash mail, sort the circulars directly into the bin, and anything that needs shredding comes inside.

I'd really, genuinely be far more excited and willing to pay money for a system that allowed the junk mail to never reach me in the first place.

Volmarias fucked around with this message at 21:23 on Oct 1, 2017

evil_bunnY
Apr 2, 2003

Pablo Bluth posted:

So rogue SMB servers can bypass Windows Defender by feeding a different clean file to Defender before delivering the real payload for running, and MS consider fixing this a "feature request". I can't claim to be an expert in the field, but making sure you're scanning a copy of what's actually going to be run/opened seems like a key step.
Hahaha that's amazing

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

TOCTOU will never die.

dougdrums
Feb 25, 2005
CLIENT REQUESTED ELECTRONIC FUNDING RECEIPT (FUNDS NOW)
I check my mail like every other week, and there's never anything important. I literally use all of it as grill or fireplace kindling, unless it's completely covered in ink. In that case, I just shove it back into my post box.

Eventually the postman will get frustrated and remove it all, except for the one time my voter registration card had "please empty mailbox" written on it. He's the one stuffing it with junk ...

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

There was a service called "Inbox" (I think) that diverted and pruned your mail and scanned/shredded/forwarded as needed. I think it got shut down by some USPS regulatory issue, but there's stuff like Traveling Mailbox that does it similarly without hijacking your main address.

CLAM DOWN
Feb 13, 2007




Now I'm onto ISO 27002, I'm missing the technical part of infosec and I hate paperwork

Potato Salad
Oct 23, 2014

nobody cares


Are you using a tool to help you link your existing controls to new requirements, a la ServiceNow GRC or KB4 KCM? Or are you just working with spreadsheets?

example, control "Bitlocker is turned on and managed with gpos, we run a monthly report to confirm" mapped to 800-53:sc-28, fedramp sc-28, pr.ds1, 800-122 PII 4.3, 800-171 3.13.16....."

You can save a lot of time in either of the above as KB4 and ServiceNow have hired dudes to enter frameworks into their apps and do a lot of the cross-framework mapping for you

Potato Salad fucked around with this message at 19:55 on Oct 2, 2017

CLAM DOWN
Feb 13, 2007




Potato Salad posted:

Are you using a tool to help you link your existing controls to new requirements, a la ServiceNow GRC or KB4 KCM? Or are you just working with spreadsheets?

Nah, I'm manually linking our existing controls to specific subcontrols on baselines like 800-53 and ISO to prove to another party that we've done it right. When we implemented these we originally followed the 20 critical controls so this is a bit of a pain. A lot of existing tools and comparison charts will only look at the broad high-level checkboxes, I'm diving into them on a deep technical level.

The Aphasian
Mar 8, 2007

Psychotropic Hops


I'm not a real IT guy, just a lowly sql report writer, so I could use some help understanding something.

We use a terrible ams that is "in the cloud" in as much as it is running on an app server and users have to remote connect to it. The process is:

1. Go to rd web access page.
2. Log in.
3. Third-party multifactor authentication requires approval, give it.
4. Page with links to applications running on app servers appears. Click on ams link.
5. It prompts to download or open an .rdp file. Can set it to auto-open in IE, only allows saving in Chrome.
6. Open rdp file, log in, and if not on intranet, i.e. teleworking, approve multifactor authentication.

When we rolled this process out (moving from a desktop application) the users of course complained about the multi-step process that took about a minute to complete for a program that crashes often and/or needs to be restarted after editing/entering more than 50 or so records (I hate this program so much). Since it was saving the rdp file to the default location anyway, I just moved it to their desktops and made it a shortcut, meaning they only had to do the first half of step 6 to run a vital program they use all day.

This got me in trouble, as the multi-factor authentication vendor tracks logins and wasn't showing any for the in-office team (as it would only be required on the web page). I was told they were not allowed to save the link and use it, they had to go to the website every time. I asked how we could require that when it wasn't, you know, required, like telling people they couldn't go through the open front door, they had to go to the side door and enter a code on a keypad. The response was to tell them to do it and they are not computer savvy enough to do otherwise (fair, but I know some of the temps/interns figured it out on their own). Security through assumed stupidity.

Whatever. The problem is now I have to go around to all the users' computers regularly to clear out the ams.rdp, ams.rdp (1), ams.rdp (2) ... files in their download folders because they "can't find their file". Every time they get to step 6 they either click open in their browser or go to their downloads folder and click on a random one, making steps 1-5 security theater.

Is this normal? Is there a way I can explain to the CIO this is insane and we need to make this easier and more sensible for everyone? Am I the rear end in a top hat here (very possible)?

As far as I know the connection process (remote desktop to the app server) is the ONLY way to run the ams program, because it is terrible.

unrelated ams complaints:
1. still doesn't allow single quotes/apostrophes in any field, so all our O'Toole and d'Marcos have to be entered in by using an accent ` or some other idiocy.
2. uses IE as a rendering engine because until we went "cloud" last year it required the computers it was installed on to have IE 9 or it wouldn't work (which meant a lot of websites didn't work, which is why everyone has and got used to Chrome). Now it just sometimes opens an IE window filled with rendering errors instead of the program when you go to run it (I don't understand how this happens, but it has happened to me).
3. if you edit too many fields on a record before clicking save it will not save all of the field updates, but save without any warning or issue. E.g. you edit someone's address line 1, address line 2, city, st, zip and phone and maybe the first address line doesn't update, or maybe the phone.
4. a lot of the processes that should be the responsibility of the various departments are my responsibility because it is so user unfriendly. For example, when creating an event (meeting, webinar, etc.) I have to do so
a. within the AMS program
b. on a backoffice webpage that drives the web elements
c. by possibly editing stored procedures in the sql database (this includes basic messaging that should be anywhere else, like checkout confirmations)
d. checking some random asp files to make sure there isn't hardcoded messaging there as well

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Sounds like their RD gateway (proxy that wraps the RDP stream into an HTTPS session) only has single-factor auth and they did nothing to actually place it behind the web front end, so they've created security theatre and their 2-factor implementation is clearly broken. Any random internet person could find the RD gateway IP/port and bang against it all day long with a brute force or stolen passwords and the 2-factor system would be blind.

CIO should probably call for a proper review of the thing.

Potato Salad
Oct 23, 2014

nobody cares


get a remote desktop solution in place that actually does federated login

ask the 3rd party if they even know what that means

you're looking for a user experience that is
1) enter username and primary auth pw
2) get a mfa challenge of some sort
3) there is no third step, they're in

OBAMNA PHONE
Aug 7, 2002

Guy Axlerod posted:

Sign up for informed delivery: https://informeddelivery.usps.com/box/pages/intro/start.action

They send you pictures of the envelopes that are supposed to be delivered that day. I've had a few that never show up. Nothing important yet, and it's probably the fuckwit delivery person putting the envelopes in the wrong box. There's a nice link in there to report stuff that you didn't get that is supposed to go to the postal inspectors.

yeah or sign up to see your neighbor/ex/stalking target's mail, all you have to do is pass some basic KBA questions

https://krebsonsecurity.com/2017/10/usps-informed-delivery-is-stalkers-dream/

Thanks Ants
May 21, 2004

#essereFerrari


All companies that release a "cloud" version of their app by putting it into a RDP session can die.

The Fool
Oct 16, 2003


I feel the same way about citrix.

Volguus
Mar 3, 2009

Thanks Ants posted:

All companies that release a "cloud" version of their app by putting it into a RDP session can die.

How can their sales people even say "cloud version" with a straight face when they know it's just a loving computer somewhere that you remote into? It is not multitenant, it is not multiuser, it is just a plain old desktop application. And how do CxOs believe that? Are they that incompetent (I think I know the answer....)?

hobbesmaster
Jan 28, 2008

Volguus posted:

How can their sales people even say "cloud version" with a straight face when they know it's just a loving computer somewhere that you remote into? It is not multitenant, it is not multiuser, it is just a plain old desktop application. And how do CxOs believe that? Are they that incompetent (I think I know the answer....)?

It's running on a VM instance in the cloud.

Thanks Ants
May 21, 2004

#essereFerrari


Their sales people don't know. I believe LabTech Cloud is just their normal lovely product installed on an EC2 instance and called done.

Thanks Ants fucked around with this message at 22:22 on Oct 4, 2017

The Aphasian
Mar 8, 2007

Psychotropic Hops


Volguus posted:

How can their sales people even say "cloud version" with a straight face when they know it's just a loving computer somewhere that you remote into? It is not multitenant, it is not multiuser, it is just a plain old desktop application. And how do CxOs believe that? Are they that incompetent (I think I know the answer....)?

In our case we paid a lot to some consultants to help us choose a new ams; they said we had to get rid of our siloing, document our processes, revamp our business rules and basically fix our poo poo.

So it was decided to ignore them and assign the ams review, rfp and selection process to a three-person inhouse team: my overtasked boss, a coworker who REALLY knows sql and crystal reports but not much else (I couldn't get her to understand network drives?), and me, no formal IT training and convinced any new responsibility will end up with me formatting our production server because my only real skill is googling. I know I'm incompetent, but I feel bad for my boss who is skilled, but responsible for ALL non-helpdesk IT stuff from network infrastructure to webpage design to sql to registering our domains etc. If he ever leaves I'm on his heels because 1 he's a good guy and 2 that place will immediately explode because they spent years trimming redundancies and now when one of us takes vacation it's a goddamn warzone.

I work at Peter Principal Inc.

Furism
Feb 21, 2006

Live long and headbang

Volguus posted:

How can their sales people even say "cloud version" with a straight face when they know it's just a loving computer somewhere that you remote into?

Isn't that pretty much the definition of "cloud"? Sure you can add bells and whistles and elastic this and scalable that, with a bit of SDN on top, but at the end a cloud is just someone else's computer you remotely connect to. RDP or SSH or HTTP API doesn't change the basics much.

I could be wrong though.

Thanks Ants
May 21, 2004

#essereFerrari


For me 'cloud' means a self-healing platform with a fleet of cattle doing all the work, with load balancers sat in front of it. Not a single AWS instance that needs fixing when it breaks.

Potato Salad
Oct 23, 2014

nobody cares


I don't like the whole "we're coming full circle back to mainframe computing!" We aren't. Mainframe physically separated user terminal from server hardware, server-client logically separated user hardware from server hardware, virtualization separated application from hardware, and now we're taking the hardware of a server, breaking it all up into smaller, self-provisioning little pieces, and throwing those to the wind, securely. It's not a cycle.

Volguus
Mar 3, 2009

Furism posted:

Isn't that pretty much the definition of "cloud"? Sure you can add bells and whistles and elastic this and scalable that, with a bit of SDN on top, but at the end a cloud is just someone else's computer you remotely connect to. RDP or SSH or HTTP API doesn't change the basics much.

I could be wrong though.

For me, the definition of the cloud is that the remote machine also hosts a remotely-accessible service or application. Accessible by multiple users at the same time. If the application is not remotely accessible ... then all you have is a desktop application hosted "in the cloud". Essentially it did nothing but inconvenience everyone, and it would be much more logical to just let them run it on their own desktops. Oh, that application needs to talk to a database that's shared between people? Sure, host that in the cloud if you want.
I mean what, because I run ls on a VM in AWS that sales guy will then say that ls is now "hosted in the cloud"? WTF?

andrew smash
Jun 26, 2006

smooth soul
I have a consumer level question and I wasn't sure where to turn. I have gotten a bunch of emails from amazon with a "reset your password" token that I haven't prompted. I figured it was a phishing attempt but the messages were signed appropriately, so I called customer service and they confirmed the messages were generated by someone or some bot trying the recover password function. My account has a strong password separate from my Gmail account pass, both amazon and Gmail are protected by 2fa (phone token app) and there are no access attempts logged in my Gmail account other than me. Amazon says I'm secure and don't need to do anything but I'm mildly uneasy about somebody even having my login without a pass or access to 2fa token. Should I change the login name or not bother?

EssOEss
Oct 23, 2006
128-bit approved
Is your username something that they might confuse with their own? Maybe there is another Andrew Smash out there who does not realize he is trying to log into your account.

I would not bother doing anything about it, unless you mind the emails that much.

andrew smash
Jun 26, 2006

smooth soul
Doubtful, but possible. Thanks

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell

It's amazing the number of emails I get directed at other people. Every day I get a couple.

The dot-able nature of gmail addresses seems to mess people up or something.

Proteus Jones
Feb 28, 2013



gently caress products that do an open port scan and probe the service version to generate a list of "Security Findings"

gently caress clients that run them against your product and then bitch about their VERY SERIOUS "FINDINGS" without any examination of the results.

gently caress the LACK OF GOD drat INSTITUTIONAL MEMORY making me dig out and send the EXACT SAME rebuttal for every one of those "findings" for the last three years. It's the same god drat poo poo that keeps getting "discovered" in the annual "let's look like we know what we're doing but we really don't" audit.

I need some vodka.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

That first one is standard operating procedure and is extremely helpful in discovering so-called "appliances" that are really commodity hardware/OS's that the vendor isn't patching correctly. There are a lot of them. All the stuff after that is the person running the scan being bad at their job but that's what you get for paying someone 40k/yr to run a qualys scan

Potato Salad
Oct 23, 2014

nobody cares


Yeah, the workflow of discover things, ask how those things integrate, and look back at the port scan as one small part of looking for holes requires work, and that's a scarce commodity.

Truga
May 4, 2014
Lipstick Apathy
I had this happen just the other day on one of our websites at a semi-large client. They ran some poo poo, it found 404 pages, tacked a bunch of GET parameters onto the end and said "this is now a blind sql injection". The comedy is, even our CMS doesn't use GET parameters for anything beyond flushing current page cache for convenience when changing stuff, which you also can't do unless you're logged in as admin (which you can't do from outside the network, /admin just drops a 403). But anyway, that's beside the point, the 404 pages are static html :laffo:

So I had to do a long writeup about why their findings are bullshit because our CMS doesn't work that way at all and their vuln scanner software thing is bad because it makes poo poo up and why static html pages can't have SQL injections, because they kept sending mails about ARE SECURITY every 5 loving minutes. :cripes:

Proteus Jones
Feb 28, 2013



BangersInMyKnickers posted:

That first one is standard operating procedure and is extremely helpful in discovering so-called "appliances" that are really commodity hardware/OS's that the vendor isn't patching correctly. There are a lot of them. All the stuff after that is the person running the scan being bad at their job but that's what you get for paying someone 40k/yr to run a qualys scan

Yeah, it's really less about the tool and more about the user.

I just wish they didn't confuse having the tool with having the needed expertise.

EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!
:vapes:
Switchblade Switcharoo

Proteus Jones posted:

gently caress products that do an open port scan and probe the service version to generate a list of "Security Findings"

gently caress clients that run them against your product and then bitch about their VERY SERIOUS "FINDINGS" without any examination of the results.

gently caress the LACK OF GOD drat INSTITUTIONAL MEMORY making me dig out and send the EXACT SAME rebuttal for every one of those "findings" for the last three years. It's the same god drat poo poo that keeps getting "discovered" in the annual "let's look like we know what we're doing but we really don't" audit.

I need some vodka.

I love having people write out the reason why this server requires telnetd running which, by default, sends everything in the clear, or why a dedicated database server also needs to run the print service as well.

Telnet is just adding risk for no reason since ssh exists and opening the bare minimum ports required to run and maintain a server with a very specific purpose saves you from having to worry about any new vuln that comes and hits a service totally unrelated to the server purpose.

In other words, I think your web server really does not need to step up to sync everyone's time (port 123 udp)

But if you really don't care, just hit acceptable risk and update/document the next team to ignore those ports. Super easy.

RFC2324
Jun 7, 2012

http 418

Truga posted:

I had this happen just the other day on one of our websites at a semi-large client. They ran some poo poo, it found 404 pages, tacked a bunch of GET parameters onto the end and said "this is now a blind sql injection". The comedy is, even our CMS doesn't use GET parameters for anything beyond flushing current page cache for convenience when changing stuff, which you also can't do unless you're logged in as admin (which you can't do from outside the network, /admin just drops a 403). But anyway, that's beside the point, the 404 pages are static html :laffo:

So I had to do a long writeup about why their findings are bullshit because our CMS doesn't work that way at all and their vuln scanner software thing is bad because it makes poo poo up and why static html pages can't have SQL injections, because they kept sending mails about ARE SECURITY every 5 loving minutes. :cripes:

What's wrong with a static 404 page?

Truga
May 4, 2014
Lipstick Apathy
Nothing, except the part where they found a bunch of SQL injections in it.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


*sends a GET request to your toaster* please pay us to fix your security hole

EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!
:vapes:
Switchblade Switcharoo

Truga posted:

Nothing, except the part where they found a bunch of SQL injections in it.

Did they give you an example request? Was it an oracle type or blind SQL injection?

Sometimes web apps look at headers of the request and run them through the database for reasons

Proteus Jones
Feb 28, 2013



EVIL Gibson posted:

I love having people write out the reason why this server requires telnetd running which, by default, sends everything in the clear, or why a dedicated database server also needs to run the print service as well.

Telnet is just adding risk for no reason since ssh exists and opening the bare minimum ports required to run and maintain a server with a very specific purpose saves you from having to worry about any new vuln that comes and hits a service totally unrelated to the server purpose.

In other words, I think your web server really does not need to step up to sync everyone's time (port 123 udp)

But if you really don't care, just hit acceptable risk and update/document the next team to ignore those ports. Super easy.

No it's poo poo like

:byodood: Hey, port 443 is open. We have a finding for SWEET32.

:mad: No you loving don't. Because for this device when you enumerate the ciphers on that port it returns this: tls1_2: AES256-SHA, tls1_2: AES128-SHA.

or

:byodood: We see that your device has OpenSSH J-PAKE Session Key Retrieval Vulnerability(CVE-2010-4478)

:mad: Really curious how that one came up since J-PAKE isn't enabled there.

It's just pages of poo poo like this. It's like "Ah ha! You're running X on there. Well, here's a list of every CVE from the past 7 years regarding this particular service. Please respond to each in detail on how you plan to mitigate"
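A small triage helper for the cipher-list argument in the post above, added here as an illustration and not the scanner's or any vendor's code: it parses an enumeration in the "proto: SUITE, proto: SUITE." form the post shows, flags suites built on a 64-bit block cipher (3DES, single DES, IDEA, RC2, in OpenSSL and IANA spellings), and confirms a SWEET32 finding only when such a suite is actually offered. The second sample list is constructed to show a finding that would be confirmed.

```python
"""Check a SWEET32 finding against the cipher suites a port really offers.

Added illustration, not the scanner's code. The first enumeration is the one
quoted in the post above; the second is a constructed counter-example.
"""
import re
from typing import Dict, List, Tuple

# Tokens that denote a 64-bit block cipher in OpenSSL or IANA suite names.
# SWEET32 is about 3DES; single DES, IDEA and RC2 share the block size.
BLOCK64_TOKENS = {"DES", "3DES", "CBC3", "DES40", "IDEA", "RC2"}


def parse_enumeration(text: str) -> List[Tuple[str, str]]:
    """Parse 'proto: SUITE, proto: SUITE.' into (proto, suite) pairs."""
    pairs = []
    for entry in re.split(r"\s*,\s*", text.strip().rstrip(".")):
        if not entry:
            continue
        proto, _, suite = entry.partition(":")
        pairs.append((proto.strip(), suite.strip()))
    return pairs


def uses_64bit_block(suite: str) -> bool:
    """True if the suite name names a 64-bit block cipher (e.g. DES-CBC3-SHA)."""
    tokens = set(re.split(r"[-_]", suite.upper()))
    return bool(tokens & BLOCK64_TOKENS)


def triage_sweet32(enumeration: str) -> Dict[str, object]:
    """Return what was offered, which suites are affected, and the verdict."""
    offered = parse_enumeration(enumeration)
    affected = [(p, s) for p, s in offered if uses_64bit_block(s)]
    return {"offered": offered, "affected": affected, "confirmed": bool(affected)}


# Enumeration quoted in the post: only AES suites, so the finding is rejected.
FROM_POST = "tls1_2: AES256-SHA, tls1_2: AES128-SHA."
# Constructed list that does offer 3DES (OpenSSL and IANA spellings).
CONSTRUCTED = ("tls1_2: ECDHE-RSA-AES128-GCM-SHA256, tls1_0: DES-CBC3-SHA, "
               "tls1_1: TLS_RSA_WITH_3DES_EDE_CBC_SHA")

if __name__ == "__main__":
    for label, enum in (("post", FROM_POST), ("constructed", CONSTRUCTED)):
        result = triage_sweet32(enum)
        print(label, "confirmed:", result["confirmed"], "affected:", result["affected"])
```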

duz
Jul 11, 2005

Come on Ilhan, lets go bag us a shitpost


Truga posted:

I had this happen just the other day on one of our websites at a semi-large client. They ran some poo poo, it found 404 pages, tacked a bunch of GET parameters onto the end and said "this is now a blind sql injection". The comedy is, even our CMS doesn't use GET parameters for anything beyond flushing current page cache for convenience when changing stuff, which you also can't do unless you're logged in as admin (which you can't do from outside the network, /admin just drops a 403). But anyway, that's beside the point, the 404 pages are static html :laffo:

So I had to do a long writeup about why their findings are bullshit because our CMS doesn't work that way at all and their vuln scanner software thing is bad because it makes poo poo up and why static html pages can't have SQL injections, because they kept sending mails about ARE SECURITY every 5 loving minutes. :cripes:

That's when you ask them for PoC. And really the only thing you should have to say until then is that your application doesn't support GET parameters.

Truga
May 4, 2014
Lipstick Apathy
They gave the sample requests, I ran them and the things their tool said happened, didn't. It's a fairly simple php cms, and nothing in the get parameters ever gets anywhere near a database. I could maybe give them the benefit of the doubt if the 404 URL in question was a URL that tried to inject SQL (since the URL is the thing that ends up being in a query to get the page for that location), but that part also gets sanitized before it's anywhere near the db. :shrug:
