|
man nasa having the budget to piss away $120 per pencil instead of having to beg for spare satellite parts from the NSA seems like an alternate history timeline at this point
|
#
?
Nov 13, 2017 07:21
|
|
|
|
| # ? May 14, 2024 19:20 |
|
|
pretty sure NSA doesn't have any satellites, could you be thinking of the NRO? america has something like sixteen separate intelligence agencies 
|
|
#
?
Nov 13, 2017 07:40
|
|
|
that we know of DUN DUN DUNNNNN
|
|
#
?
Nov 13, 2017 07:42
|
|
|
Farmer Crack-rear end posted:pretty sure NSA doesn't have any satellites, could you be thinking of the NRO? america has something like sixteen separate intelligence agencies i thought the NRO was like, a subdivision of the NSA but i guess it's its own thing 
|
|
#
?
Nov 13, 2017 07:46
|
|
|
am i the only one who feels phishing tests are worthless. the way i see it used is mainly secops being shitheads. “haha gotcha u dummy”. it sucks rear end for morale and the tools don’t care if the user didn’t interact with the phish. the only thing phishing tests prove is that people whose job is to click emails click emails.
|
|
#
?
Nov 13, 2017 08:17
|
|
|
Shinku ABOOKEN posted:am i the only one who feels phishing tests are worthless. the way i see it used is mainly secops being shitheads. “haha gotcha u dummy”. it sucks rear end for morale and the tools don’t care if the user didn’t interact with the phish. Often clicking the link is the only interaction you need. But I definitely agree with punitive "gotcha" phishing tests being very bad.
|
|
#
?
Nov 13, 2017 08:30
|
|
|
spankmeister posted:Often clicking the link is the only interaction you need. But I definitely agree with punitive "gotcha" phishing tests being very bad. Maybe they don't convey it too well, but you really do want to train users not to click on links in unexpected emails. If you've had meetings/training telling people not to do that, and they still do it, I'm not sure how exactly to get the message across.
|
|
#
?
Nov 13, 2017 08:46
|
|
|
infernal machines posted:Maybe they don't convey it too well, but you really do want to train users not to click on links in unexpected emails. If you've had meetings/training telling people not to do that, and they still do it, I'm not sure how exactly to get the message across. the days of unexpected emails are long past. nowadays phishing is super specific. the phishing exercise im complaining about is both timing and subject specific. the users 120% expect the kinds of emails that were sent.
|
|
#
?
Nov 13, 2017 09:04
|
|
|
Shinku ABOOKEN posted:the days of unexpected emails are long past. nowadays phishing is super specific. So the anti-phishing exercise is mimicking exactly what a spearphisher targeting your organisation is going to try? This is a bad thing why?
|
|
#
?
Nov 13, 2017 09:39
|
|
|
Jabor posted:So the anti-phishing exercise is mimicking exactly what a spearphisher targeting your organisation is going to try? because the management is using it as a performance indicator which is the dumbest poo poo. have fun telling management that people clicked because they have a billion emails to process and not because they are “bad” employees. e: i didn’t click btw
|
|
#
?
Nov 13, 2017 09:44
|
|
|
i know posting about video games is cheating but https://forums.enmasse.com/tera/discussion/18877/status-of-potential-chat-vulnerability apparently there's an rce floating around the tera community where you can post malware into chat, and it'll execute(???) for people.
|
|
#
?
Nov 13, 2017 11:05
|
|
|
Well executed phishing attacks are a technical issue to be solved, not a training one. Phishing has become sophisticated enough that it isn't reasonable to expect a user to be able to identify them. Technical measures are required to block them and/or make them easier for users to identity.
|
|
#
?
Nov 13, 2017 11:28
|
|
|
Truga posted:i know posting about video games is cheating but tera is the pedorpg right? if so good gently caress em
|
|
#
?
Nov 13, 2017 11:56
|
|
|
ate all the Oreos posted:man nasa having the budget to piss away $120 per pencil instead of having to beg for spare satellite parts from the NSA seems like an alternate history timeline at this point it's cuz they discovered the terrible secret of space* *if you look down from it you can see that florida real-estate is going the way of atlantis
|
|
#
?
Nov 13, 2017 12:03
|
|
|
Shinku ABOOKEN posted:tera is the pedorpg right? if so good gently caress em yea its the "actually 1000 year old dragons" shite 
|
|
#
?
Nov 13, 2017 12:45
|
|
|
Truga posted:i know posting about video games is cheating but this reminds me of when someone playing dark souls could show up in your game and hit you with a sword which executed code that made your game run at a different speed (the game did calculations at 30 fps/hertz, getting hit with the modified weapon would make the game run at half speed). you would get disconnected from online play for running your game too slow or fast. I always wondered if you could run anything worse from the code that handled getting hit with a sword.
|
|
#
?
Nov 13, 2017 12:48
|
|
|
Shinku ABOOKEN posted:because the management is using it as a performance indicator which is the dumbest poo poo. have fun telling management that people clicked because they have a billion emails to process and not because they are “bad” employees. it is a performance indicator because lol if your employees blind click links/open attachments in emails that vaguely look like they're related to work instead of thinking about what they're doing. if you regularly get phished during exercises you're clearly not learning from the trainings and are a "bad" employee
|
|
#
?
Nov 13, 2017 13:22
|
|
|
Mandatory non-sms two factor mitigates most phishing attacks that aren't unpatched rce in the browser. Then you just have to patch browsers quickly which is easier than trying to change behavior in thousands of people.
|
|
#
?
Nov 13, 2017 13:30
|
|
|
What I'm saying is if your attitude is "I will scream at users until they STOP BEING WRONG" instead of trying to engineer guard rails and mitigations to well known problems of human behavior, you're never going to make any real progress.
|
|
#
?
Nov 13, 2017 13:40
|
|
|
decent post re: social engineering and pen testing: https://jacobian.org/writing/social-engineering-pentests/
|
|
#
?
Nov 13, 2017 13:51
|
|
|
mrmcd posted:What I'm saying is if your attitude is "I will scream at users until they STOP BEING WRONG" instead of trying to engineer guard rails and mitigations to well known problems of human behavior, you're never going to make any real progress. at the end of the day if an attacker sends an email looking like it's from the ceo and joe from accounting sends every employee's w2 back, that's on joe engineering can only go so far to mitigate the human factor
|
|
#
?
Nov 13, 2017 13:56
|
|
|
Blinkz0rz posted:at the end of the day if an attacker sends an email looking like it's from the ceo and joe from accounting sends every employee's w2 back, that's on joe ok but there's a difference between "click on a link because you spend all goddamn day clicking on links and that's not out of the ordinary" and "responded to a bizarre request to send a bunch of private information over email"
|
|
#
?
Nov 13, 2017 14:35
|
|
|
Homeland Security team remotely hacked a Boeing 757 https://www.csoonline.com/article/3236721/security/homeland-security-team-remotely-hacked-a-boeing-757.html 
|
|
#
?
Nov 13, 2017 14:42
|
|
|
lmbo, can't wait for digital 9/11 also, i'm the trijet on the 757 news picture 
|
|
#
?
Nov 13, 2017 14:44
|
|
|
Haquer posted:everyone including the US used pencils at first but it turns out that graphite dust and shards floating around in the air you are breathing is terrible and also that poo poo is conductive I thought they used grease pencils
|
|
#
?
Nov 13, 2017 14:50
|
|
|
Truga posted:lmbo, can't wait for digital 9/11 or more likely someone has a sky marshal tackle me for editing a latex document on the plane
|
|
#
?
Nov 13, 2017 14:54
|
|
|
maskenfreiheit posted:Homeland Security team remotely hacked a Boeing 757 quote:While the details of the hack are classified, Hickey admitted that his team of industry experts and academics pulled it off by accessing the 757’s “radio frequency communications.” unfortunately this could mean anything it’s worth mentioning that there’s no digital control network to hack into, the best they can do is break the entertainment system or send garbage commands over ACARS which is kinda like a SMS service between pilots and their company
|
|
#
?
Nov 13, 2017 15:47
|
|
|
BangersInMyKnickers posted:I thought they used grease pencils i legit did too but read that link because the actual story is much weirder the space pen was actually the cheaper option compared to overpriced pencils and even the soviets wound up using the space pen  e: might help if i actually included the actual post with the link Shame Boy fucked around with this message at 15:52 on Nov 13, 2017 |
|
#
?
Nov 13, 2017 15:49
|
|
|
hobbesmaster posted:unfortunately this could mean anything posting straight out of my rear end in a top hat here but wasn't there an 802.11 bug that allowed for RCE recently? I could picture a 757 not being well patched.
|
|
#
?
Nov 13, 2017 16:13
|
|
|
They're running the in-house wifi and the control network over the same switches with vlan segregation (weight/space savings) and possibly other additional controls with I assume none of the management interfaces being exposed on the in-house side which is where the APs would live. There's been a bunch of speculation but I don't believe anything conclusive has been published on how they jumped in to the control network and the avionics systems. Owning the AP itself probably won't get you there but it might expose you to some kind of management port on the switches to compromise and pivot to.
|
|
#
?
Nov 13, 2017 16:17
|
|
|
BangersInMyKnickers posted:They're running the in-house wifi and the control network over the same switches with vlan segregation (weight/space savings) and possibly other additional controls with I assume none of the management interfaces being exposed on the in-house side which is where the APs would live. There's been a bunch of speculation but I don't believe anything conclusive has been published on how they jumped in to the control network and the avionics systems not on the 757 - all that stuff is analog hydraulic lines and such
|
|
#
?
Nov 13, 2017 16:18
|
|
|
Is it the 767 or 777 that's the sec-fuckup on wings then?
|
|
#
?
Nov 13, 2017 16:19
|
|
|
737 next gens so 737-700,800,900 767 is 80s tech, 777 90s
|
|
#
?
Nov 13, 2017 16:20
|
|
|
anything airbus and the 777 since its all fly by wire
|
|
#
?
Nov 13, 2017 16:20
|
|
|
BangersInMyKnickers posted:Is it the 767 or 777 that's the sec-fuckup on wings then? the infamous diagram you're thinking of is the 787 e: actually now I'm not so sure cuz I can't find it so I might be remembering it wrong
|
|
#
?
Nov 13, 2017 16:22
|
|
|
ate all the Oreos posted:the infamous diagram you're thinking of is the 787 e2: ok found it and the diagram itself just says "modern aircraft" so idk e3: quote is not edit lol
|
|
#
?
Nov 13, 2017 16:28
|
|
|
here’s the description for 747-8: https://www.gpo.gov/fdsys/pkg/FR-2010-01-15/html/2010-661.htm
|
|
#
?
Nov 13, 2017 16:31
|
|
|
looking it up did lead me to this winner of an article from 2015 https://www.forbes.com/sites/thomasbrewster/2015/04/16/us-government-flight-security-claims-fallacious/ quote:Polstra believes the US Government Accountability Office (GAO) report was put together by people who didn't understand how modern aircraft actually work. He took umbrage with the claims that as airplanes are increasingly connected to the internet, the control systems on planes are in danger of being remotely compromised. He told FORBES over email that the avionics networks, which deal with flight controls and coordination, were simply not connected to the internet like Wi-Fi services. “To imply this is irresponsible.”
|
|
#
?
Nov 13, 2017 16:32
|
|
|
That quote hurts my brain
|
|
#
?
Nov 13, 2017 16:35
|
|
|
|
| # ? May 14, 2024 19:20 |
|
|
Blinkz0rz posted:at the end of the day if an attacker sends an email looking like it's from the ceo and joe from accounting sends every employee's w2 back, that's on joe engineering should be able to do something that says THIS EMAIL CAME FROM OUTSIDE THE COMPANY BEWARE OF PHISHING ATTACKS
|
|
#
?
Nov 13, 2017 16:43
|
|
