The day I switch the password of my meal check provider to a Keepass one, it gets hacked. Nice timing. I wonder if they got a dump before or after my new password.

# Nov 23, 2019 14:27
Combat Pretzel posted: The day I switch the password of my meal check provider to a Keepass one, it gets hacked. Nice timing. I wonder if they got a dump before or after my new password.
So likely it's your old password.

# Nov 23, 2019 16:23
|
Combat Pretzel posted: The day I switch the password of my meal check provider to a Keepass one, it gets hacked. Nice timing. I wonder if they got a dump before or after my new password.
Before. The alternative is that the breach was discovered and reported within one day.

# Nov 23, 2019 22:55
|
Some details came out on national news sites. Apparently some malware attack, FWIW. Which isn't exactly confidence inspiring either.

# Nov 23, 2019 23:51
|
How long until it comes out that Google, Facebook and company actively seek out the data dumps every time this happens?

# Nov 27, 2019 16:26
|
klosterdev posted: How long until it comes out that Google, Facebook and company actively seek out the data dumps every time this happens?
If it's the PDL breach you're talking about, they already had that info. It was "just" job histories, emails, social media profiles, phone numbers, and personal data all collated together. Problematic obviously, but that information is out there and for sale already. They don't need to seek out these data dumps because they've already matched or exceeded it.

# Nov 27, 2019 17:56
|
Anyone have experience with PentesterLab and how it compares to HackTheBox? I've had HTB VIP for the past year or so when I started OSCP and I'm looking for a new service, good variety of platforms, more up to date vulns, etc. https://pentesterlab.com/pro

# Nov 28, 2019 18:16
|
klosterdev posted: How long until it comes out that Google, Facebook and company actively seek out the data dumps every time this happens?
I'm pretty sure they both pull breach dumps in order to lock accounts with reused passwords, yes.

# Nov 28, 2019 19:37
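The kind of check the post above describes (comparing a third-party breach dump against your own user store and locking accounts whose current password matches a leaked one) as an added example; this is not code from the thread or from any provider named in it. The user store, the breach dump, the PBKDF2 parameters and the deterministic per-user salt are all constructed for the demo (a real store would use a random salt from `os.urandom`).

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

PBKDF2_ROUNDS = 100_000  # constructed demo value


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the form the service itself stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed user store: lower-cased email -> (salt, password hash).
    The salt is derived from the email only so the demo is reproducible."""
    store = {}
    for email, pw in users.items():
        salt = hashlib.sha256(email.lower().encode("utf-8")).digest()[:16]
        store[email.lower()] = (salt, hash_password(pw, salt))
    return store


# Constructed sample accounts (not real credentials).
OUR_USERS = make_user_store({
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "hunter2",
    "carol@example.com": "S3cure!Pass",
})

# Constructed breach dump as it might arrive from a third-party leak:
# (email, exposed plaintext password).
BREACH_DUMP = [
    ("Bob@example.com", "hunter2"),        # same password reused here -> lock
    ("carol@example.com", "oldpassword"),  # exposed elsewhere, not reused here
    ("dave@example.com", "whatever"),      # not one of our users
]


def find_reused_credentials(store, dump) -> List[str]:
    """Return the emails whose stored hash verifies against a leaked password.
    Only our own salted hash is consulted; the dump's plaintext is never stored."""
    flagged = set()
    for email, leaked_pw in dump:
        entry = store.get(email.lower())
        if entry is None:
            continue  # leaked account is not ours
        salt, stored_hash = entry
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored_hash):
            flagged.add(email.lower())
    return sorted(flagged)


def apply_locks(store, dump) -> Dict[str, str]:
    """Return each account's resulting status: 'locked' when a forced reset is
    required, 'active' otherwise."""
    reused = set(find_reused_credentials(store, dump))
    return {email: ("locked" if email in reused else "active") for email in store}


if __name__ == "__main__":
    for email, status in apply_locks(OUR_USERS, BREACH_DUMP).items():
        print(f"{email}: {status}")
```

Matching on the leaked plaintext against your own salted hash is what makes this work without ever holding the dump's passwords in your store; a dump that only contains the other site's hashes cannot be compared this way.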
|
Diva Cupcake posted: Anyone have experience with PentesterLab and how it compares to HackTheBox? I've had HTB VIP for the past year or so when I started OSCP and I'm looking for a new service, good variety of platforms, more up to date vulns, etc.
I'm still on HtB tbh. I'm gonna check this out though and I'll post back what I think :>

# Nov 28, 2019 21:50
|
Diva Cupcake posted: Anyone have experience with PentesterLab and how it compares to HackTheBox? I've had HTB VIP for the past year or so when I started OSCP and I'm looking for a new service, good variety of platforms, more up to date vulns, etc.
I don't have any personal experience with it, but I know I've seen it mentioned in an Infosec/OSCP prep Discord I'm in and it has always received positive reviews.

# Nov 30, 2019 12:10
|
Is this the thread to talk about VPNs?

# Nov 30, 2019 15:46
|
Billa posted: Is this the thread to talk about VPNs?
You can, sure.

# Nov 30, 2019 22:33
|
What VPNs are you guys using? I'm trying to find the one after testing a bunch but I didn't hit the spot yet.

# Nov 30, 2019 22:58
|
Billa posted: What VPNs are you guys using? I'm trying to find the one after testing a bunch but I didn't hit the spot yet.
Personal use: WireGuard and OpenVPN. For security purposes/anonymity: ProtonVPN.

# Nov 30, 2019 23:07
|
None, you should assume that they're all some flavor of either awful or compromised. Don't rely on them for anything more than getting around geo-blocking on Netflix.

# Nov 30, 2019 23:09
|
Volmarias posted: None, you should assume that they're all some flavor of either awful or compromised. Don't rely on them for anything more than getting around geo-blocking on Netflix.
Do you mean cloud VPN companies, or did OpenVPN get popped?

# Nov 30, 2019 23:12
|
Volmarias posted: None, you should assume that they're all some flavor of either awful or compromised. Don't rely on them for anything more than getting around geo-blocking on Netflix.
True.

Subjunctive posted: Do you mean cloud VPN companies, or did OpenVPN get popped?
I'd have to assume he means all the cloud companies, because remote access VPNs ain't going anywhere.

# Nov 30, 2019 23:12
|
OK, yeah. We have a VPN into our AWS VPC and so forth and I was afraid I was going to have a busy Monday.

# Nov 30, 2019 23:18
|
Subjunctive posted: OK, yeah. We have a VPN into our AWS VPC and so forth and I was afraid I was going to have a busy Monday.
No new CVEs for OpenVPN that I've heard of lately.

# Nov 30, 2019 23:20
|
Billa posted: What VPNs are you guys using? I'm trying to find the one after testing a bunch but I didn't hit the spot yet.
First choice: Mullvad. Second choice: Proton.

# Nov 30, 2019 23:25
|
siggy2021 posted: I don't have any personal experience with it, but I know I've seen it mentioned in an Infosec/OSCP prep Discord I'm in and it has always received positive reviews.
I just bought it. Hope it doesn't suck.

# Nov 30, 2019 23:28
|
I've kinda always wanted to get a job in the cybersec part of corporate IT, but my recent experience with it, at least at $currentcompany, is that it's effectively running Nessus and making note of the poo poo Nessus finds, while me and my compatriots in the infrastructure department are the ones who handle poo poo like firewalls, VPNs, user education, patching, site access control, most of the policy stuff, and a lot of other stuff that I would think would fall in the cyber security division's lap. Is this a common thing?

# Nov 30, 2019 23:38
|
CommieGIR posted: I'd have to assume he means all the cloud companies, because remote access VPNs ain't going anywhere.
Yeah, sorry, I meant the commercial VPN providers.

# Nov 30, 2019 23:42
|
Defenestrategy posted: I've kinda always wanted to get a job in the cybersec part of corporate IT, but my recent experience with it, at least at $currentcompany, is that it's effectively running Nessus and making note of the poo poo Nessus finds, while me and my compatriots in the infrastructure department are the ones who handle poo poo like firewalls, VPNs, user education, patching, site access control, most of the policy stuff, and a lot of other stuff that I would think would fall in the cyber security division's lap. Is this a common thing?

# Dec 1, 2019 00:42
|
Defenestrategy posted: I've kinda always wanted to get a job in the cybersec part of corporate IT, but my recent experience with it, at least at $currentcompany, is that it's effectively running Nessus and making note of the poo poo Nessus finds, while me and my compatriots in the infrastructure department are the ones who handle poo poo like firewalls, VPNs, user education, patching, site access control, most of the policy stuff, and a lot of other stuff that I would think would fall in the cyber security division's lap. Is this a common thing?
It is. SOC is usually incidents; you might have a guy who handles firewalls/WAFs, but it's often in network ops' court.

# Dec 1, 2019 02:24
|
Powered Descent posted: First choice: Mullvad. Second choice: Proton.
I've switched to Mullvad (tried it a long time ago) and I'm quite happy with it. BTW, which password managers do you guys use? Right now I'm using Keeper and it's working well, although I wish it had a PIN unlock feature.

# Dec 1, 2019 20:40
|
KeepAss is popular around here, mainly because of the name.

# Dec 1, 2019 21:27
|
Billa posted: I've switched to Mullvad (tried it a long time ago) and I'm quite happy with it.
1Password

# Dec 1, 2019 21:28
|
I just went from KeePass to KeePass2 on the desktop and Keepass2Android on my phone. I wasn't unhappy before but I am positively delighted now. Keepass2Android can talk directly to Dropbox, so sync is not an issue at all. I use a key file that isn't in Dropbox, so even if an attacker cracks Dropbox wide open, they'd still have trouble brute-forcing my database. I don't bother with plugins, I just do a lot of tinkering with auto-type strings in Windows, or the Keepass2Android keyboard in Android.

# Dec 1, 2019 21:33
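Why the key file kept out of Dropbox matters, as an added example that is not from the post above and not KeePass's own code. It models a KeePass-style composite key (SHA-256 over the concatenated SHA-256 digests of the password and the key file) followed by a slow key transform, and runs a small dictionary attack with and without the key file. The password, key file bytes, salt, word list and the PBKDF2 stand-in for the real key transform are all constructed assumptions for the demo.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed sample inputs (not real secrets): a deliberately weak master
# password, a fixed 32-byte "key file", and a database salt.
MASTER_PASSWORD = "letmein1"
KEY_FILE_BYTES = bytes.fromhex("7f" * 32)
DB_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
KDF_ROUNDS = 100_000  # constructed; the real transform and count are a KeePass setting


def composite_key(password: str, key_file: Optional[bytes]) -> bytes:
    """Model of a composite master key: each component is hashed on its own,
    then the digests are concatenated and hashed again. Without the key file
    the input to the final hash is simply shorter, so the result differs."""
    parts = [hashlib.sha256(password.encode("utf-8")).digest()]
    if key_file is not None:
        parts.append(hashlib.sha256(key_file).digest())
    return hashlib.sha256(b"".join(parts)).digest()


def transform_key(composite: bytes, salt: bytes, rounds: int = KDF_ROUNDS) -> bytes:
    """Stand-in for the database key transform (PBKDF2-HMAC-SHA256 here)."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, rounds, dklen=32)


def derive_final_key(password: str, key_file: Optional[bytes], salt: bytes = DB_SALT) -> bytes:
    return transform_key(composite_key(password, key_file), salt)


# The key that actually unlocks the synced database.
STORED_FINAL_KEY = derive_final_key(MASTER_PASSWORD, KEY_FILE_BYTES)


def dictionary_attack(candidates: Iterable[str], key_file: Optional[bytes],
                      target: bytes = STORED_FINAL_KEY) -> Optional[str]:
    """Try each candidate password together with whatever key material the
    attacker holds. Returns the password that opens the database, else None."""
    for pw in candidates:
        if hmac.compare_digest(derive_final_key(pw, key_file), target):
            return pw
    return None


# Constructed word list; the weak master password is in it on purpose.
WORDLIST = ["password", "123456", "letmein", "letmein1", "qwerty"]


if __name__ == "__main__":
    print("attacker has .kdbx + key file:", dictionary_attack(WORDLIST, KEY_FILE_BYTES))
    print("attacker has .kdbx only:      ", dictionary_attack(WORDLIST, None))
```

With the database and the key file, the weak password falls to the word list; with the database alone, no password guess works, because the 256-bit key file contribution is missing from the composite key. The protection only holds while the key file really stays off the synced store, which is the point the post makes.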
|
evil_bunnY posted: It is if your infra team keeps letting a basic scan find legit issues, and your CISO has literally zero weight I guess.
Yeah. I'm still learning how to sort through companies like this in the interview period, so my current job is pretty poo poo (but it does pay well)!

Defenestrategy posted: I've kinda always wanted to get a job in the cybersec part of corporate IT, but my recent experience with it, at least at $currentcompany, is that it's effectively running Nessus and making note of the poo poo Nessus finds, while me and my compatriots in the infrastructure department are the ones who handle poo poo like firewalls, VPNs, user education, patching, site access control, most of the policy stuff, and a lot of other stuff that I would think would fall in the cyber security division's lap. Is this a common thing?
IME small shop infosec seems to be at least some, maybe all, of:
- run everything scan related: scan infra > triage > project manage the remediation process
- run everything SIEM related: admin the SIEM, tweak rules, do terrible IDR
- do user education / yell about phishing
- run the probably corp mandated AV

There's also a lot of straight up infra work that is needed in security roles, which I particularly enjoy: writing playbooks to automate new collector / scan engine build outs, gluing a bunch of messaging services into your actual company-used messaging service, automating reports from services that don't have a real reporting engine, creation of tooling in Python and PowerShell, etc. etc. I am very surprised your infra folks are doing policy creation lol.

# Dec 1, 2019 22:39
|
3rding Keepass

# Dec 1, 2019 23:00
|
Currently 1Password, but them constantly trying to push me into some monthly bullshit is starting to make me think about changing to something else.

# Dec 1, 2019 23:38
|
cr0y posted: Currently 1Password, but them constantly trying to push me into some monthly bullshit is starting to make me think about changing to something else.
What "bullshit"?? I haven't gotten so much as an email from them for ages and it works just fine.

# Dec 2, 2019 00:11
|
Just unsubscribe from the marketing emails. There should be a link at the bottom. Might take a few days because some jurisdictions give companies a grace period, because the laws assume some human being manually maintains marketing email lists.

# Dec 2, 2019 00:58
|
Jowj posted: Yeah. I'm still learning how to sort through companies like this in the interview period, so my current job is pretty poo poo (but it does pay well)!
Yeah, in Enterprise, security rarely actually touches anything. They do scans and then tell whoever owns the things that failed to fix them. Good ones will actually look at the Nessus results to see if any of the failures are relevant.

# Dec 2, 2019 01:16
|
Anyone heard of Dashlane? How straight garbage is it? It purports to track whether your account info has been bundled up and sold and lets you change all your passwords with the click of a button.

# Dec 2, 2019 02:19
|
Jowj posted: I am very surprised your infra folks are doing policy creation lol.
I get the feeling, and this could be completely wrong, that cybersec at my company is strictly there as a fig leaf to customers saying "Hey, we have a couple of dudes with cybersec certs on our roster." I was just curious if that was par for the course or not.

# Dec 2, 2019 02:20
|
Cup Runneth Over posted: Anyone heard of Dashlane? How straight garbage is it? It purports to track whether your account info has been bundled up and sold and lets you change all your passwords with the click of a button.
Well the first one is easy, it probably has.

# Dec 2, 2019 04:24
|
Zorak of Michigan posted: I just went from KeePass to KeePass2 on the desktop and Keepass2Android on my phone. I wasn't unhappy before but I am positively delighted now. Keepass2Android can talk directly to Dropbox, so sync is not an issue at all. I use a key file that isn't in Dropbox, so even if an attacker cracks Dropbox wide open, they'd still have trouble brute-forcing my database. I don't bother with plugins, I just do a lot of tinkering with auto-type strings in Windows, or the Keepass2Android keyboard in Android.
Browser integration plugins are so nice though. But I have to ask: why are you using the Keepass2Android keyboard? Are you on an older version of Android? Since version 8 (Oreo), Android has had an autofill service and Keepass2Android supports it. You tap the autofill button. Keepass2Android will say it can't find an autofill entry, so you tap the "Select another entry" button, navigate to the password you want, and tell it to use that one. It will then save the app affiliation into your database. Now every time you tap the autofill button, it will just work.

# Dec 2, 2019 05:26
|
Cup Runneth Over posted: Anyone heard of Dashlane? How straight garbage is it? It purports to track whether your account info has been bundled up and sold and lets you change all your passwords with the click of a button.
I've been using it for a couple of years now. I'm happy with it. I'm sure in whatever period of time, something will gently caress up, and I'll find out everything is owned, but in the meantime it's great. My wife has an account as well, and we can share passwords, so if I reset our Netflix account, it auto-syncs the new password to her account.

# Dec 2, 2019 13:55