some kinda jackal
Feb 25, 2003

 
 
At least the big players have their act toget--



oh


Klyith
Aug 3, 2007

GBS Pledge Week

CommieGIR posted:

Lastpass is claiming that they are up, did they come back up?

I think they were already back up by the time the twitter got posted here, the outage was just over the weekend

it's funny because it happened the day after we had yet another page of lastpass defense posting

Guy Axlerod
Dec 29, 2008

Martytoof posted:

At least the big players have their act toget--



oh

Yeah, we can't figure out how to use Azure either. ~ Microsoft

Any tickets I've opened being published will be them just doxing their own stupidity. Three months of "working as intended" that turned into "oh wait actually that is bad. Here is the CVE."

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

good I hope everyone gets to read the dogshit interactions I have had with those people trying to get them to fix their lovely teams client

geonetix
Mar 6, 2011


I like to believe the MS Teams team works with Teams themselves and that's why they can't get any poo poo done.

Internet Explorer
Jun 1, 2005





Microsoft support is the literal loving worst and also come on can we please stop pretending that anyone is able to do this whole infosec or uptime thing correctly. It's all bad and our ape brains are struggling to keep up.

evil_bunnY
Apr 2, 2003

Guy Axlerod posted:

Any tickets I've opened being published will be them just doxing their own stupidity. Three months of "working as intended" that turned into "oh wait actually that is bad. Here is the CVE."
the microsoftest support tale

SlowBloke
Aug 14, 2017

geonetix posted:

I like to believe the MS Teams team works with Teams themselves and that's why they can't get any poo poo done.

Office 365 support explicitly doesn’t support teams, email or phone only.

some kinda jackal
Feb 25, 2003

 
 

SlowBloke posted:

Office 365 support explicitly doesn’t support teams, email or phone only.

Smart move on their part imo

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?

geonetix posted:

I like to believe the MS Teams team works with Teams themselves and that's why they can't get any poo poo done.

I can confirm that they do.

Zorak of Michigan
Jun 10, 2006


Internet Explorer posted:

can we please stop pretending that anyone is able to do this whole infosec or uptime thing correctly

I argue that "infosec or uptime" is easy, it's "infosec and uptime" that nobody can manage.

Internet Explorer
Jun 1, 2005





Zorak of Michigan posted:

I argue that "infosec or uptime" is easy, it's "infosec and uptime" that nobody can manage.

I accept your amendment.

geonetix
Mar 6, 2011


Ynglaur posted:

I can confirm that they do.

I also like to believe they’re so hyped up about teams because the only comparison they have is Skype for business and have actually never collaborated with any other human being

an actual dog
Nov 18, 2014

geonetix posted:

I also like to believe they’re so hyped up about teams because the only comparison they have is Skype for business and have actually never collaborated with any other human being

they probably used Project lmao

PBS
Sep 21, 2015
Tableau had a somewhat similar issue with leaking customer info a while back, it never got any public attention or an official announcement as far as I know.

IIRC it was an issue with permissions in their support portal or something to that effect as opposed to an open database, whether that's actually any better is another matter.

Bonzo
Mar 11, 2004

Just like Mama used to make it!

BangersInMyKnickers posted:

good I hope everyone gets to read the dogshit interactions I have had with those people trying to get them to fix their lovely teams client

And some things work for the desktop client but not the web client.

Hollow Talk
Feb 2, 2014

PBS posted:

Tableau had a somewhat similar issue with leaking customer info a while back, it never got any public attention or an official announcement as far as I know.

IIRC it was an issue with permissions in their support portal or something to that effect as opposed to an open database, whether that's actually any better is another matter.

That's probably just their workaround to actually find anything in that stupid thing (or the customer center, or the partner portal).

Actually, Tableau Server might be an interesting attack target, since the update process is rubbish (it's the same as the upgrade, i.e. it dumps all of its internal stuff into a backup, removes the old version, installs the new version, and restores from backup -- even for point releases.). This is made more interesting by the fact that they bundle elasticsearch, Apache, Zookeeper, Postgres (9.4 or so?) alongside their proprietary poo poo.

Powered Descent
Jul 13, 2008

We haven't had that spirit here since 1969.

Hollow Talk posted:

Actually, Tableau Server might be an interesting attack target, since the update process is rubbish (it's the same as the upgrade, i.e. it dumps all of its internal stuff into a backup, removes the old version, installs the new version, and restores from backup -- even for point releases.).

Also, during the upgrade attempt, the license key is updated so that it only works on the new version (at least for major releases, not sure about minor versions). Which means if something goes wrong with an upgrade, restoring the VMs to the pre-upgrade snapshot won't solve anything, since your license is now invalid for that version. You cannot roll back without assistance. You're at the mercy of Tableau's support line... which opens at 9am. Hope you weren't trying to do the upgrade after hours or anything...

Ask me how I know this.

On second thought, don't.

Hollow Talk
Feb 2, 2014

Powered Descent posted:

Also, during the upgrade attempt, the license key is updated so that it only works on the new version (at least for major releases, not sure about minor versions). Which means if something goes wrong with an upgrade, restoring the VMs to the pre-upgrade snapshot won't solve anything, since your license is now invalid for that version. You cannot roll back without assistance. You're at the mercy of Tableau's support line... which opens at 9am. Hope you weren't trying to do the upgrade after hours or anything...

Ask me how I know this.

On second thought, don't.

:respek:

I'm continuously amazed Tableau Server works at all, tbqh. Their linux packages are also quite something. I mean, who doesn't "package" 1.4G of statically linked poo poo, bundling half of the Apache world, and yet, somehow, you still need to restart the whole bloody thing if you want to cycle SSL certificates.

Also, during the last upgrade on a test server, it ate our key. I didn't roll back or anything, it just forgot it had a key, which means the next activation over-activated the key.

It's okay, we're a Tableau partner. :suicide:

Mr.Radar
Nov 5, 2005

You guys aren't going to believe this, but that guy is our games teacher.

geonetix posted:

I also like to believe they’re so hyped up about teams because the only comparison they have is Skype for business and have actually never collaborated with any other human being

As someone making that transition right now, I can confirm that Teams is 10000% better than Skype for Business, though that's not saying much considering SfB is the worst IM client I've ever used. What I want to know is why it sucks so much considering that they had, you know, consumer Skype to work from as a base. Like consumer Skype has its own issues but especially ~10 years ago it was pretty good. Instead it feels like they decided to rewrite everything from scratch, except worse and less reliable (consumer Skype had a reputation for being able to work on even the shittiest Internet connections with n layers of firewall/NAT/etc. whereas SfB seems like it refuses to connect if you look at it wrong and on top of that it gives you the vaguest errors like "there is an issue with your DNS configuration" when nothing has changed since it worked an hour ago).

CLAM DOWN
Feb 13, 2007




That's because SfB isn't Skype and never was. It's Lync rebranded, which used to be Office Communicator.

CLAM DOWN fucked around with this message at 02:06 on Jan 24, 2020

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?
Teams was written from scratch. Originally it was meant to compete against Slack, but they quickly realized that collaboration is collaboration and maybe they should just make a collaboration platform. I believe it shares some of the audio codecs with Skype for Business--it's why many of the "Certified for Skype" corporate headsets and phones instantly became "Certified for Teams" without so much as a firmware upgrade.

PBS
Sep 21, 2015

Powered Descent posted:

Also, during the upgrade attempt, the license key is updated so that it only works on the new version (at least for major releases, not sure about minor versions). Which means if something goes wrong with an upgrade, restoring the VMs to the pre-upgrade snapshot won't solve anything, since your license is now invalid for that version. You cannot roll back without assistance. You're at the mercy of Tableau's support line... which opens at 9am. Hope you weren't trying to do the upgrade after hours or anything...

Ask me how I know this.

On second thought, don't.

Can't say I've ever really had licensing issues, we have rolled back before but I haven't touched Tableau since pre-tsm days.

Tableau's administration, upgrades, etc are all absolute perfection compared to Birst though. Ask me about the nightmare that was Birst.

Internet Explorer
Jun 1, 2005





Alright, gotta ask a question that is beyond my expertise and I don't have too much time to look into it.

We have a project we're implementing that is not using SSL/TLS for its web traffic and it uses pass-through auth using local AD (KERBEROS/NTLM I assume). I'm trying to find out if this could be used for a pass the hash type attack. I know it would be trivial to log into the website and application as a user because that cookie is unencrypted. What I'm trying to figure out is if this config could lead to AD login tokens being able to be replayed. Anyone have any thoughts?

CLAM DOWN
Feb 13, 2007




Internet Explorer posted:

Alright, gotta ask a question that is beyond my expertise and I don't have too much time to look into it.

We have a project we're implementing that is not using SSL/TLS for its web traffic and it uses pass-through auth using local AD (KERBEROS/NTLM I assume). I'm trying to find out if this could be used for a pass the hash type attack. I know it would be trivial to log into the website and application as a user because that cookie is unencrypted. What I'm trying to figure out is if this config could lead to AD login tokens being able to be replayed. Anyone have any thoughts?

If it's passing through kerberos my gut reaction is this is a pass-the-hash scenario, but let me think more on this situation later. I'm currently yelling at developers.

Potato Salad
Oct 23, 2014

nobody cares


I'm being stupid, ignore

Space Gopher
Jul 31, 2006

BLITHERING IDIOT AND HARDCORE DURIAN APOLOGIST. LET ME TELL YOU WHY THIS SHIT DON'T STINK EVEN THOUGH WE ALL KNOW IT DOES BECAUSE I'M SUPER CULTURED.

Internet Explorer posted:

Alright, gotta ask a question that is beyond my expertise and I don't have too much time to look into it.

We have a project we're implementing that is not using SSL/TLS for its web traffic and it uses pass-through auth using local AD (KERBEROS/NTLM I assume). I'm trying to find out if this could be used for a pass the hash type attack. I know it would be trivial to log into the website and application as a user because that cookie is unencrypted. What I'm trying to figure out is if this config could lead to AD login tokens being able to be replayed. Anyone have any thoughts?

The specific concern of "if I get a dump of just the unencrypted traffic between a client and this web app, then I can turn that into credentials that let me access everything else the client can do over AD" is mitigated by Kerberos and even NTLM. NTLM transmits a password hash, so it's theoretically vulnerable to pass-the-hash, but that hash is encrypted when it goes over the wire. Kerberos hands out tickets that are tightly scoped.

But, it's 2020. There's no excuse for unencrypted http for pictures of your cat, let alone anything behind access control. Fix your spec.

Internet Explorer
Jun 1, 2005





Thanks for the answer.

It's not my spec it's another department implementing COTS software that was decided before my time and no one objected to it so now I get to be the bad guy. Ultimately it's not my call but I want to make sure I am as accurate as I can be in my objection. They'll likely move forward regardless. If it was my call, I agree, lack of HTTPS alone is enough to cancel/postpone the project.

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?
Tell them not to bother with authentication at all. No TLS/SSL means you're shouting in the town square.

Antigravitas
Dec 8, 2019

Die Rettung fuer die Landwirte:
Kerberos service tickets have a short lifespan and can't be renewed, so that's pretty good. However, if it's a web application that just creates your standard session cookie after authentication, someone could just take that one by listening in.

The great thing about Kerberos is that your password never passes over the wire in any form. You could get your tgt stolen, but for that your machine has to be compromised already. The typical attack is to trick someone to rdp into a compromised Windows machine or to lure someone onto a machine that has unconstrained delegation rights (i.e. is allowed to impersonate whoever logs into it).
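Added example, not code from anyone in this thread: Space Gopher and Antigravitas both land on the same point, that the Kerberos or NTLM exchange itself is not what leaks over plaintext HTTP, the application's own session cookie is. A defender-side check for the project Internet Explorer describes is therefore to audit what the app sets after the handshake completes. The script below parses Set-Cookie headers and flags a cookie served over http:// or missing the Secure, HttpOnly and SameSite attributes; the responses, URLs and cookie names are constructed for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: responses a pass-through-auth web app might return once
# the Kerberos/NTLM handshake has finished. Hostnames and values are made up.
SAMPLE_RESPONSES = [
    ("http://intranet-app.example.internal/login",
     ["ASP.NET_SessionId=abc123; Path=/; HttpOnly"]),
    ("https://intranet-app.example.internal/login",
     ["ASP.NET_SessionId=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]),
    ("https://intranet-app.example.internal/login",
     ["tracking=xyz; Path=/"]),
]


@dataclass
class Finding:
    url: str
    cookie: str
    issues: list = field(default_factory=list)


def parse_set_cookie(header):
    """Split one Set-Cookie header into (cookie_name, {attribute_lower: value}).
    Attribute names are case-insensitive per RFC 6265, so they are lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_response(url, set_cookie_headers):
    """Return a Finding per cookie that would be exposed on the wire or to script.
    The scheme check is the one that matters for the thread's scenario: a
    cookie over plaintext HTTP can be read by anyone on the path regardless of
    how the user authenticated."""
    scheme = urlparse(url).scheme.lower()
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        issues = []
        if scheme != "https":
            issues.append("served over plaintext HTTP: cookie is sniffable in transit")
        if "secure" not in attrs:
            issues.append("missing Secure: browser will also send it over http://")
        if "httponly" not in attrs:
            issues.append("missing HttpOnly: readable by page script")
        if "samesite" not in attrs:
            issues.append("missing SameSite: sent on cross-site requests")
        if issues:
            findings.append(Finding(url, name, issues))
    return findings


if __name__ == "__main__":
    for url, headers in SAMPLE_RESPONSES:
        for finding in audit_response(url, headers):
            print(f"{finding.url} cookie={finding.cookie}")
            for issue in finding.issues:
                print(f"  - {issue}")
```

Only the second sample passes cleanly; the first is the thread's case (HttpOnly set, but no TLS and no Secure flag, so the session is exposed to anyone listening), and the third shows that HTTPS alone does not finish the job if the attributes are left off.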

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
TLS or no web service. Gotta draw the line somewhere.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Just in case anyone didn't see the bulletin, the Feb security updates are going to turn on LDAP signing to mitigate MITM attacks on AD infrastructure. Hopefully all your stuff is doing LDAPS so it doesn't matter, but if you have lovely software with LDAP connector that isn't RFC compliant it might start choking on unexpected input or have its queries rejected by the other end.

Potato Salad
Oct 23, 2014

nobody cares


Re: ntlm

Please ensure your MS donation infra is only accepting strong encryption for ntlm.

This is a relatively straightforward thing to convert into if you're using 8 (?) character strings.

CLAM DOWN
Feb 13, 2007




BangersInMyKnickers posted:

but if you have lovely software with LDAP connector that isn't RFC compliant it might start choking on unexpected input or have its queries rejected by the other end.

In my experience, everyone probably has at least one of these :rip:

The Fool
Oct 16, 2003


BangersInMyKnickers posted:

Just in case anyone didn't see the bulletin, the Feb security updates are going to turn on LDAP signing to mitigate MITM attacks on AD infrastructure. Hopefully all your stuff is doing LDAPS so it doesn't matter, but if you have lovely software with LDAP connector that isn't RFC compliant it might start choking on unexpected input or have its queries rejected by the other end.

rip my ucm directory sync

Dr. Arbitrary
Mar 15, 2006

Bleak Gremlin

BangersInMyKnickers posted:

Just in case anyone didn't see the bulletin, the Feb security updates are going to turn on LDAP signing to mitigate MITM attacks on AD infrastructure. Hopefully all your stuff is doing LDAPS so it doesn't matter, but if you have lovely software with LDAP connector that isn't RFC compliant it might start choking on unexpected input or have its queries rejected by the other end.

This is relevant to me.

From a client perspective (i.e., I have an application that integrates with LDAP) how big of a pain in the rear end is it to go to LDAPS? Quick port change and firewalls? Easy cert stuff? Or should I update my resume?

Potato Salad
Oct 23, 2014

nobody cares


Dr. Arbitrary posted:

This is relevant to me.

From a client perspective (i.e., I have an application that integrates with LDAP) how big of a pain in the rear end is it to go to LDAPS? Quick port change and firewalls? Easy cert stuff? Or should I update my resume?

What are you using for ldap in your project today?

Er, are you an it worker or do you develop said application

in a well actually
Jan 26, 2011

dude, you gotta end it on the rhyme

Love to get a big Teams ad popup in S4B when trying to load a S4B conference call that was sent to me via Teams.

It wasn’t my choices that got me to this point, S4B.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Dr. Arbitrary posted:

This is relevant to me.

From a client perspective (i.e., I have an application that integrates with LDAP) how big of a pain in the rear end is it to go to LDAPS? Quick port change and firewalls? Easy cert stuff? Or should I update my resume?

The biggest thing is that you're going to want valid certs on AD webservices so it's not giving out the default self-signed ones. Once that's done, it should just be a matter of changing the port if your software supports LDAPS since that's just a TLS encapsulation of normal LDAP.
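Added example, not BangersInMyKnickers's or Microsoft's code: a small Python helper for the two steps described above, for someone in Dr. Arbitrary's position. It rewrites ldap:// connection URLs to ldaps:// (389 becomes 636, and the global catalog port 3268 becomes 3269) and then opens the LDAPS port the way a strict client would, with certificate-chain and hostname verification from the standard library, so a domain controller that is still presenting a self-signed or mismatched certificate shows up as a verification error before the cutover rather than after it. The hostnames are placeholders, and the live check needs network reachability to the DC.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Plaintext LDAP port -> its TLS-wrapped equivalent on an AD domain controller.
TLS_PORT_FOR = {389: 636, 3268: 3269}


def to_ldaps(url):
    """Rewrite an ldap:// URL as ldaps://. LDAPS is ordinary LDAP inside a TLS
    session, so only the scheme and port change; the base DN path is kept."""
    parts = urlsplit(url)
    if parts.scheme == "ldaps":
        return url
    if parts.scheme != "ldap" or parts.hostname is None:
        raise ValueError(f"not an LDAP URL: {url!r}")
    port = parts.port or 389
    new_port = TLS_PORT_FOR.get(port, port)
    netloc = f"{parts.hostname}:{new_port}"
    return parts._replace(scheme="ldaps", netloc=netloc).geturl()


def check_ldaps_endpoint(host, port=636, cafile=None, timeout=5.0):
    """Connect like a strict LDAPS client: chain validated against the system
    trust store (or `cafile`, e.g. your internal CA), hostname checked against
    the cert's CN/SAN. Returns a dict; on any failure 'ok' is False and 'error'
    says why. A DC handing out a self-signed cert fails here with
    CERTIFICATE_VERIFY_FAILED, which is exactly the case to fix first."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED, check_hostname=True
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                version = tls.version()
    except OSError as exc:  # socket errors, timeouts and ssl.SSLError all derive from OSError
        return {"ok": False, "host": host, "port": port, "error": str(exc)}
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "ok": True,
        "host": host,
        "port": port,
        "tls_version": version,
        "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
        "issuer": dict(rdn[0] for rdn in cert.get("issuer", ())),
        "dns_names": dns_names,
        "not_after": cert.get("notAfter"),
    }


if __name__ == "__main__":
    # Constructed sample connection strings; the hostnames are placeholders.
    for url in (
        "ldap://dc01.corp.example.internal/DC=corp,DC=example,DC=internal",
        "ldap://dc01.corp.example.internal:3268/DC=corp,DC=example,DC=internal",
    ):
        print(url, "->", to_ldaps(url))
    print(check_ldaps_endpoint("dc01.corp.example.internal"))
```

Run the endpoint check from the host the application lives on, not from an admin workstation, so it exercises the same trust store and firewall path the application will use; pass `cafile` if the DC certificates chain to an internal CA that is not in that host's system store.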


Arsenic Lupin
Apr 12, 2012

This particularly rapid💨 unintelligible 😖patter💁 isn't generally heard🧏‍♂️, and if it is🤔, it doesn't matter💁.


https://twitter.com/EtelkaL/status/1221882916764028929
