|
BangersInMyKnickers posted:The ops people don't want to lose visibility, but the vast majority of those are coming from garbage ISPs full of crap that nobody cares about.
|
#
?
Jun 28, 2018 21:09
|
|
|
|
| # ? May 31, 2024 09:07 |
|
|
I'm investigating moving to an ELK stack for hilarious license reasons.
|
|
#
?
Jun 28, 2018 21:09
|
|
|
Martytoof posted:I'm investigating moving to an ELK stack for hilarious license reasons. Oh yeah, that's happening too but the timeline is hosed.
|
|
#
?
Jun 28, 2018 21:33
|
|
|
Elastic means the timeline is always hosed. If you're able to have Enterprise level data following into it and it won't crash hilariously every other day, we need to talk.
|
|
#
?
Jun 29, 2018 02:03
|
|
|
luv2search every American's credit, assets, interests, kinks
|
|
#
?
Jun 29, 2018 02:24
|
|
|
Can anyone point me to a decent encrypt / decrypt script that will use .asc keys and handle large files? Already tried gpg but there seems to be an issue using pinentry and I can't decrypt without a passcode.
|
|
#
?
Jun 29, 2018 03:58
|
|
|
(Do Not) Install Gentoo https://twitter.com/tarah/status/1012455792551661569
|
|
#
?
Jun 29, 2018 04:05
|
|
|
"Gentoo does NOT use GitHub to distribute anything. Nor take code from the GitHub repo. That is just a public mirror of our private infrastructure. Zero Gentoo users affected. Oh, and the infra keys were not compromised :-p" At least it's more of a problem with GitHub than with Gentoo.
|
|
#
?
Jun 29, 2018 04:28
|
|
|
Cup Runneth Over posted:"Gentoo does NOT use GitHub to distribute anything. Nor take code from the GitHub repo. That is just a public mirror of our private infrastructure. Zero Gentoo users affected. Oh, and the infra keys were not compromised :-p" "the first week Microsoft buys github they attack gentoo" -some irrational linux nerd
|
|
#
?
Jun 29, 2018 04:35
|
|
|
has anyone played with one of these? https://github.com/whid-injector/WHID thanks for the book rec's btw I will be getting Kingpin and Cuckoo's Egg shortly... post hole digger fucked around with this message at 16:19 on Jun 29, 2018 |
|
#
?
Jun 29, 2018 05:38
|
|
|
Mustache Ride posted:Elastic means the timeline is always hosed. If you're able to have Enterprise level data following into it and it won't crash hilariously every other day, we need to talk. I guess Loggly makes it work for their product. I've otherwise never seen it work beyond "I guess this is OK sometimes"
|
|
#
?
Jun 29, 2018 15:11
|
|
|
What I've found is that if you have a support team that can keep it up and running constantly, then it'll work fine. But most security orgs can't waste manpower on cluster support, and it's still not integrated into most orgs enough for a separate infrastructure group to keep it running unless you're very very lucky.
|
|
#
?
Jun 29, 2018 15:36
|
|
|
BangersInMyKnickers posted:We're in a situation where we have seasonal load for our border firewall traffic and we're in a down cycle. We're logging all inbound drops to Splunk at the moment and we're going to blow through our license in a spectacular manner once the next cycle hits. The people running the service are just sorta sitting there fretting about it but not actually doing any load shedding and are trying to play chicken with the execs to get more money for more ingest license. Apparently the border firewall accounts for about half our ingest rate and drops are a huge portion of those. The ops people don't want to lose visibility, but the vast majority of those are coming from garbage ISPs full of crap that nobody cares about. My thought as a compromise position was to import SpamHaus or whoever's RBL in to a deny rule one above the default deny with no logging to load shed a bunch of poo poo that we don't care about, and even that they are iffy on. Honestly importing the RBL seems like an incredibly shotgun approach to solve the problem, but if the ops people are giving you literally nothing to work with and the other dudes are just sitting on their thumbs, then it seems pretty reasonable. fake edit: Probably push this cause it's easy?
|
|
#
?
Jun 29, 2018 16:59
|
|
|
So I tried running the Spamhaus drop list against it but apparently someone upstream of me is already null routing that traffic so there was no overlap. I've moved on taking on the entire list of registered and common service ports and picking/choosing which ones I want (services I know we run, other things we may not want but maybe want drop stats for DDoS/attack campaign awareness or whatever) which dropped all the ephemeral range poo poo, games, bunch of other non-registered ports and that cuts the border log ingest down to about 1/4 of its previous size which is great. It's a pretty conservative list too, with way more stuff thrown in than we probably want. That should be enough to fix the immediate issue without losing any real ops visibility. It turns out that spending hundreds of thousands of dollars per year to ingest loving nmap scans is a bad use of security resources.
|
|
#
?
Jun 29, 2018 19:38
|
|
|
BangersInMyKnickers posted:It turns out that spending hundreds of thousands of dollars per year to ingest loving nmap scans is a bad use of security resources. loving amen. Also good to hear the painful process (as it always is) was the right one. Do you get to tell ops to pound sand now and fix it themselves next time?
|
|
#
?
Jun 29, 2018 22:04
|
|
|
my bitter bi rival posted:I just finished Spam Nation and enjoyed reading it. Does anyone have any recommendations for other narrative-based books about hacking or security? Surveillance Valley is also on my list. It's not hacking or security per say but I feel anybody working in IT/networking/computers should read The Master Switch.
|
|
#
?
Jun 29, 2018 22:51
|
|
|
BangersInMyKnickers posted:It turns out that spending hundreds of thousands of dollars per year to ingest loving nmap scans is a bad use of security resources. On the other hand: holy poo poo, are companies doing this? That's money that could go in my pocket for basically nothing.
|
|
#
?
Jun 30, 2018 00:56
|
|
|
Volguus posted:On the other hand: holy poo poo, are companies doing this? That's money that could go in my pocket for basically nothing. We're trying to use it as a "big data" platform which the license model does not support in any way.
|
|
#
?
Jun 30, 2018 03:41
|
|
|
Has anyone run into an issue with gpg2 where it will not decrypt files because it cannot read in a passphrase with pinentry? The gpg2 commands work fine on root but one one of my profiles always fails the decrypt command stating that the private key does not have a passphrase when in fact it does. I have a feeling its some sort of permissions issue but I can't seem to figure out what that is.
|
|
#
?
Jul 4, 2018 01:11
|
|
|
https://twitter.com/waxpancake/status/1014211658128822272
|
|
#
?
Jul 4, 2018 02:34
|
|
|
Those of us who were paying attention when they got bought out expected this, and switched to the fork Stylus instead.
|
|
#
?
Jul 4, 2018 08:24
|
|
|
Kerning Chameleon posted:Those of us who were paying attention when they got bought out expected this, and switched to the fork Stylus instead.
|
|
#
?
Jul 4, 2018 11:44
|
|
|
BangersInMyKnickers posted:So I tried running the Spamhaus drop list against it but apparently someone upstream of me is already null routing that traffic so there was no overlap. I've moved on taking on the entire list of registered and common service ports and picking/choosing which ones I want (services I know we run, other things we may not want but maybe want drop stats for DDoS/attack campaign awareness or whatever) which dropped all the ephemeral range poo poo, games, bunch of other non-registered ports and that cuts the border log ingest down to about 1/4 of its previous size which is great. It's a pretty conservative list too, with way more stuff thrown in than we probably want. That should be enough to fix the immediate issue without losing any real ops visibility. You’re going to get fired when the number of attacks prevented executive metric drops 75%.
|
|
#
?
Jul 4, 2018 14:41
|
|
|
Its going to go to 0% when we blow through our license so I will take my chances.
|
|
#
?
Jul 5, 2018 16:06
|
|
|
Turns out Strava wasn't the only opsec disaster app out there: https://www.bellingcat.com/resources/articles/2018/07/08/strava-polar-revealing-homes-soldiers-spies/
|
|
#
?
Jul 8, 2018 14:22
|
|
|
cheese-cube posted:Turns out Strava wasn't the only opsec disaster app out there: https://www.bellingcat.com/resources/articles/2018/07/08/strava-polar-revealing-homes-soldiers-spies/
|
|
#
?
Jul 8, 2018 14:37
|
|
|
its an issue with both, finding more public data sources for this is p great for osint
|
|
#
?
Jul 8, 2018 15:07
|
|
|
evil_bunnY posted:This was painfully obvious to everyone with 2 brain cells when the strava thing hit. It was an opsec issue, not a strava one. Yeah well why didn't you take your two brain cells and write a detailed research piece about it instead of posting in retrospect like a lovely Nostradamus. Also I never said it wasn't an opsec issue?
|
|
#
?
Jul 8, 2018 15:39
|
|
|
cheese-cube posted:Yeah well why didn't you take your two brain cells and write a detailed research piece about it instead of posting in retrospect like a lovely Nostradamus. Also I never said it wasn't an opsec issue?
|
|
#
?
Jul 8, 2018 16:06
|
|
|
I was just posting a thing that I thought people might enjoy reading. Also posted the same thing in the secfuck thread in case you want to throw your weight around there.
|
|
#
?
Jul 8, 2018 16:16
|
|
|
I enjoyed reading it
|
|
#
?
Jul 8, 2018 16:30
|
|
|
evil_bunnY posted:A bunch of people smarter than both of us did exactly this after the strava thing. Also please calm down.
|
|
#
?
Jul 8, 2018 16:42
|
|
|
I have the same hot take as I did when Strava was in the news for the same thing. If keeping your location secret is a part of your job, then maybe don't use services whose entire purpose is to share your location.
|
|
#
?
Jul 8, 2018 20:10
|
|
|
The Fool posted:If keeping your location secret is a part of your job, then maybe don't use services whose entire purpose is to share your location. calm down nostradamus
|
|
#
?
Jul 8, 2018 22:33
|
|
|
Ah, but that old, hosed up place... the crossroads of “too important to be bothered” and “to uninformed to care” with “can’t rub two logical brain cells together.” Any one is potentially dangerous. However, at least two together are required for high level command. (Waay off topic, but there’s the ever-present, “You mean the thing is going to be listening to me all day?” “No, it’s telepathic.” Same logic application. A GPS that... tracks position globally? Nevertheless, they get used. I wonder if an even an Echo would actually fly with such folk, given the striking absence of 1+2=3 conclusion drawing ability.)
|
|
#
?
Jul 9, 2018 03:41
|
|
|
mad about strava
|
|
#
?
Jul 9, 2018 04:19
|
|
|
Just seems sensible to not make all runs public by default, and to not link all 'anonymous' exercises up to each other. But I agree that wearing a GPS tracker when you're doing stuff that presumably requires clearance is also fairly dumb, and I'm surprised that the various agencies didn't act when the Strava thing first came out.
|
|
#
?
Jul 9, 2018 10:22
|
|
|
Thanks Ants posted:Just seems sensible to not make all runs public by default, and to not link all 'anonymous' exercises up to each other.
|
|
#
?
Jul 9, 2018 10:41
|
|
|
If this thread has taught me anything its that I should never get into infosec or i'll be abrasive and mad all the time.
|
|
#
?
Jul 9, 2018 14:32
|
|
|
|
| # ? May 31, 2024 09:07 |
|
|
Sounds about right.
|
|
#
?
Jul 9, 2018 14:56
|
|
