Defenestrategy
Oct 24, 2010

denereal visease posted:

Thanks for posting this: I work in the wet infrastructure sector (water and wastewater specifically) and this is actual nightmare fuel. When I was working as a consultant for a medium/large regional firm that specialized in wet infrastructure, I asked my group manager a few times if we had any internal cybersec/infosec talent to offer our clients and the answer was "kinda" :smithicide: I'm on the public side of the equation now and our leadership is definitely worried about incidents like this.

I don't think that the wet infrastructure sector takes this stuff seriously enough: I read about this incident here before I heard about it in any professional capacity, but AWWA did email me about an hour after you posted this. These guys got extremely loving lucky, it reads like someone just happened to be babysitting the right part of the system when it was hacked.

I will say that this might be the part where underfunded/smaller plants might be less vulnerable. I worked a few years doing construction oversight on a filter expansion for a water plant in bum gently caress Georgia, and the internal plant controls were air gapped from everything else.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

denereal visease posted:

I don't think that the wet infrastructure sector takes this stuff seriously enough: I read about this incident here before I heard about it in any professional capacity, but AWWA did email me about an hour after you posted this. These guys got extremely loving lucky, it reads like someone just happened to be babysitting the right part of the system when it was hacked.

Yeah, there's a lot to be said about the fact that whoever gained access to Teamviewer didn't really understand how to exploit it; this could have been MUCH MUCH worse had it been someone who knew what they had access to and started setting up persistence and moving laterally in the environment.

Guy Axlerod
Dec 29, 2008

stevewm posted:

We use both Mandrill and Mailchimp. Mailchimp uses their own mail-from, so SPF on your domain is not required, they do use DKIM though.

Mandrill also uses DKIM, but additionally can be set to use your own custom return path/mail-from, if you have this setup, then you do need to include Mailchimp/Mandrill in your SPF. (this is what we do)

Report from DMARCian on our domain:



We have a published DMARC of Reject. DMARC passes if either SPF or DKIM passes, so this works fine.

Strangely, occasionally an email will go out from Mandrill using their mail-from, and not our custom one. Like 1-3 in every few thousand. Hence the 99.9% SPF on that report.

Cool, thanks for sharing the report.
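
The "SPF or DKIM passing is enough" rule stevewm describes has one more condition a receiver applies: the identifier that passed has to align with the From: domain, which is exactly why an ESP's own return-path domain can pass SPF and still contribute nothing to DMARC, leaving DKIM to carry the message. Below is an added example written for this thread, not code from any poster, Mailchimp, Mandrill or DMARCian: a minimal DMARC evaluator that parses the record, applies relaxed/strict alignment, and runs three constructed cases (ESP-owned mail-from, customer-controlled mail-from, and a forgery). The record, the domains `example.com`, `bounces.example.com`, `esp-bounces.example.net` and the results are all made up, and `org_domain()` is a deliberately crude stand-in for a Public Suffix List lookup.

```python
"""Minimal DMARC evaluation (RFC 7489): parse the domain's DMARC record and
decide pass/fail from SPF and DKIM results, applying identifier alignment.
All domains, the record and the results below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict

# Constructed record for the hypothetical sending domain example.com.
EXAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a 'tag=value; tag=value' record and fill in RFC 7489 defaults."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")    # policy for failing mail
    tags.setdefault("adkim", "r")   # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")    # SPF alignment
    return tags


def org_domain(domain: str) -> str:
    """Crude organizational domain (last two labels); real receivers use the PSL."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict: exact match with the From: domain; relaxed: same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain the recipient sees
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # RFC5321.MailFrom (return-path) domain SPF was checked on
    dkim_result: str
    dkim_domain: str   # d= of the DKIM signature that was verified


def evaluate_dmarc(record: str, r: AuthResults) -> Dict[str, object]:
    """Pass if SPF or DKIM passed *and* that same identifier aligns with From:."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if passed else tags["p"],
    }


# Constructed cases mirroring the thread: an ESP using its own return-path
# domain, an ESP using a customer-controlled return path, and a forgery.
CASES = {
    # SPF passes for the ESP's bounce domain but does not align; DKIM carries it.
    "esp_own_mailfrom": AuthResults("example.com", "pass", "esp-bounces.example.net",
                                    "pass", "example.com"),
    # Custom return path under the customer's domain: both identifiers align.
    "custom_mailfrom": AuthResults("example.com", "pass", "bounces.example.com",
                                   "pass", "example.com"),
    # Forged From: with no valid signature and SPF failing for the real sender.
    "spoof": AuthResults("example.com", "fail", "attacker.example.org",
                         "none", ""),
}

if __name__ == "__main__":
    for name, case in CASES.items():
        print(name, evaluate_dmarc(EXAMPLE_RECORD, case))
```

The `esp_own_mailfrom` case is the 0.1% of Mandrill traffic in the report above: SPF passes, is not aligned, and the message still passes DMARC on the DKIM signature. Switching the record to `aspf=s` shows why a subdomain return path like `bounces.example.com` counts under relaxed alignment but not strict.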

Sickening
Jul 16, 2007

Black summer was the best summer.

CommieGIR posted:

Yeah, there's a lot to be said about the fact that whoever gained access to Teamviewer didn't really understand how to exploit it; this could have been MUCH MUCH worse had it been someone who knew what they had access to and started setting up persistence and moving laterally in the environment.

That was my take too. If anyone but an amateur had found the system people could have died.

I will also bet someone just ruined their life though if they are in the US.

Internet Explorer
Jun 1, 2005

Sickening posted:

That was my take too. If anyone but an amateur had found the system people could have died.

I will also bet someone just ruined their life though if they are in the US.

There was a post on Ars that seemed to have a good amount of info on this, if anyone is interested. I thought it was informative.

https://arstechnica.com/information...1&post=39648168

denereal visease
Nov 27, 2002

"Research your own experience. Absorb what is useful, reject what is useless, add what is essentially your own."

Thanks for that link Internet Explorer!

Defenestrategy posted:

I will say that this might be the part where underfunded/smaller plants might be less vulnerable. I worked a few years doing construction oversight on a filter expansion for a water plant in bum gently caress Georgia, and the internal plant controls were air gapped from everything else.
My understanding is that pretty much every utility has their systems airgapped from their parent entity (ie, city network =/= treatment plant network). Obviously bad actors within the plant network could still present challenges.

CommieGIR posted:

Yeah, there's a lot to be said about the fact that whoever gained access to Teamviewer didn't really understand how to exploit it; this could have been MUCH MUCH worse had it been someone who knew what they had access to and started setting up persistence and moving laterally in the environment.
Yeah, going "I'll make this number bigger" suggests to a non-cybersec person like me that they did not know what they could have done. This could have been much much worse.

Again, these guys got super loving lucky.

smax
Nov 9, 2009

Internet Explorer posted:

There was a post on Ars that seemed to have a good amount of info on this, if anyone is interested. I thought it was informative.

https://arstechnica.com/information...1&post=39648168

Nerdy environmental engineer here, can confirm that this is a good post.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Internet Explorer posted:

There was a post on Ars that seemed to have a good amount of info on this, if anyone is interested. I thought it was informative.

https://arstechnica.com/information...1&post=39648168

This is an excellent post, and reflects my limited experience with Industrial Control systems as an infosec guy.

BaseballPCHiker
Jan 16, 2006

EDITED.

BaseballPCHiker fucked around with this message at 21:20 on Feb 2, 2022

RFC2324
Jun 7, 2012

http 418

denereal visease posted:

My understanding is that pretty much every utility has their systems airgapped from their parent entity (ie, city network =/= treatment plant network). Obviously bad actors within the plant network could still present challenges.

Can't be airgapped from anything if you are exposed to the internet! :eng101:

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

RFC2324 posted:

Can't be airgapped from anything if you are exposed to the internet! :eng101:

Obviously its on Wifi, so it gaps over the air, ta-da!

evil_bunnY
Apr 2, 2003

lol

https://twitter.com/_mg_/status/1359582048260743169

Impotence
Nov 8, 2010
Lipstick Apathy
for a non-fte consulting rate that is beyond cheap as hell lmao

Internet Explorer
Jun 1, 2005

quote:

Breached water plant employees used the same TeamViewer password and no firewall
Shortcomings illustrate the lack of security rigor in critical infrastructure environments.

https://arstechnica.com/information-technology/2021/02/breached-water-plant-employees-used-the-same-teamviewer-password-and-no-firewall/

knox_harrington
Feb 18, 2011

Running no point.

Total amateur here. I'm working from home 100% and would be interested to know how my work computer is spying on me. It only needs a VPN if I'm accessing the corporate intranet, so presumably I can see where it's sending packets to across my home network?

I can see various anti IP loss software in task manager but presumably there is other hidden stuff. I live in a country where employee surveillance is somewhat prohibited but imagine my US employer doesn't care much about that.

Is there an easy resource you can point me to for monitoring this? The network uses Ubiquiti access points and then an ISP supplied fiber modem, that unfortunately I can't switch for anything better.

Sorry if this is the wrong thread!

BaseballPCHiker
Jan 16, 2006

knox_harrington posted:

Total amateur here. I'm working from home 100% and would be interested to know how my work computer is spying on me. It only needs a VPN if I'm accessing the corporate intranet, so presumably I can see where it's sending packets to across my home network?

I can see various anti IP loss software in task manager but presumably there is other hidden stuff. I live in a country where employee surveillance is somewhat prohibited but imagine my US employer doesn't care much about that.

Is there an easy resource you can point me to for monitoring this? The network uses Ubiquiti access points and then an ISP supplied fiber modem, that unfortunately I can't switch for anything better.

Sorry if this is the wrong thread!

I'm sure others will have better ideas but I would run Wireshark, take a good long packet capture, then see where your traffic is going. If you aren't able to install Wireshark you could put in more effort by getting an old fashioned hub, connecting your work computer to it, then another computer to the hub running Wireshark.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

knox_harrington posted:

Total amateur here. I'm working from home 100% and would be interested to know how my work computer is spying on me. It only needs a VPN if I'm accessing the corporate intranet, so presumably I can see where it's sending packets to across my home network?

I can see various anti IP loss software in task manager but presumably there is other hidden stuff. I live in a country where employee surveillance is somewhat prohibited but imagine my US employer doesn't care much about that.

Is there an easy resource you can point me to for monitoring this? The network uses Ubiquiti access points and then an ISP supplied fiber modem, that unfortunately I can't switch for anything better.

Sorry if this is the wrong thread!

First thing to check is your routing table to see if all traffic is getting bounced through the work VPN. Running a traceroute to google.com will tell you how it's handling traffic not destined for work. Many VPN tunnels will force any DNS query to run through them so there may be logs of all the lookups your computer makes on their end when it's active. You can use something like Process Explorer and Autoruns to see what is running on the system, and if all the processes belonging to their software shut down when you aren't on the VPN you're probably fine. Beyond that, you're going to need to do some research on what software they are using to see what it is capable of. If it's running a persistent service with system/root permissions all bets are off and it could be doing practically anything.

You are correct that a US company is able to operate in what would normally be violation of your privacy laws, these are called safe harbor provisions and again, what this means for you is going to depend on the country you are talking about and what you suspect they are doing.

evil_bunnY
Apr 2, 2003

Like, what's the threat model (to you) here? Just use your own machine.

Defenestrategy
Oct 24, 2010

evil_bunnY posted:

Just use your own machine.

I mean if you're working from home literally just use your work laptop for work crap and keep pornhub on your own laptop? If it's annoying just buy a KVM switch to rotate between computers. also, if your laptop has a webcam/mic, remember to cover the camera and disable the mic.

Even the most nefarious corps aren't going to install malware on your home router to snoop on your private time....yet.

Space Gopher
Jul 31, 2006

BLITHERING IDIOT AND HARDCORE DURIAN APOLOGIST. LET ME TELL YOU WHY THIS SHIT DON'T STINK EVEN THOUGH WE ALL KNOW IT DOES BECAUSE I'M SUPER CULTURED.

BaseballPCHiker posted:

I'm sure others will have better ideas but I would run Wireshark, take a good long packet capture, then see where your traffic is going. If you arent able to install Wireshark you could put in more effort by getting an old fashioned hub, and connecting your work computer to it, then another computer to the hub running Wireshark.

The answer to this is going to be "to the corporate VPN," whether it's logging and transmitting every single click and keystroke, or just phoning home once a day to see what updates are whitelisted by their MDM setup. The entire point of the VPN is that the traffic is opaque to anybody using, say, Wireshark to sniff and analyze it.

You might be able to make some inferences based on traffic volume, but outside of that, it's not going to be very helpful without some way to MITM the VPN - which would be very noticeable to anybody looking for it.

Internet Explorer
Jun 1, 2005

I think it's fine to talk about "hey how could my work network be tracking me," god knows there's enough poo poo out there to monitor an employee's every move, but just a reminder that talking about how to get around your work's security is against SH/SC rules.

https://forums.somethingawful.com/showthread.php?threadid=3800661#post467110202

quote:

Employees: don't ask or discuss how to get around your work's network security.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
I know that the question has come up "Is it ethical to scan an employee's home network if we discover that there is an infected device on the network when they are WFH?" and the general answer is "No, it's outside of scope"

But people keep asking, and some Director or C level somewhere is going to mandate it be done....

bull3964
Nov 18, 2000

DO YOU HEAR THAT? THAT'S THE SOUND OF ME PATTING MYSELF ON THE BACK.


Then someone is going to get a nice payday when they discover that their place of work cataloged that they have an internet connected sex toy or disclosed that someone in their household has diabetes when they scanned their internet connected glucose meter.

If a company is that concerned about WFH wifi threats that they don't trust the protections on the device itself to do their job, then they need to start shipping out hotspots for employees to use when working from home.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

bull3964 posted:

Then someone is going to get a nice payday when they discover that their place of work cataloged that they have an internet connected sex toy or disclosed that someone in their household has diabetes when they scanned their internet connected glucose meter.

If a company is that concerned about WFH wifi threats that they don't trust the protections on the device itself to do their job, then they need to start shipping out hotspots for employees to use when working from home.

Pretty much.

knox_harrington
Feb 18, 2011

Running no point.

Sorry if I didn't phrase it well, the laptop doesn't require the VPN to be active all the time, just when I need to do intranet stuff like access the version controlled document repository. So the traffic is just going across my home network.

I only use the computer for work, and I'm not interested in defeating the corporate network security, but I think it's reasonable to be interested in what it's collecting about me, particularly if it's not in accordance with local law. I have plenty of other devices for watching smurf porn.

Sickening
Jul 16, 2007

Black summer was the best summer.

CommieGIR posted:

I know that the question has come up "Is it ethical to scan an employee's home network if we discover that there is an infected device on the network when they are WFH?" and the general answer is "No, it's outside of scope"

But people keep asking, and some Director or C level somewhere is going to mandate it be done....

So what is the end goal you want to achieve? What is the scan going to do for you? Confirm the infection? Isn't whatever you have detected the possible infection by the managed machine enough? I would assume folks want to minimize risk, but besides letting the employee know another machine on the network is possibly infected, how would that change your strategy?

If it's a laptop that you, as a company, are going to allow to be on non-company networks (it's a laptop after all), isn't the computer being on networks with other possibly infected machines the normal expectation?

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Sickening posted:

So what is the end goal you want to achieve? What is the scan going to do for you? Confirm the infection? Isn't whatever you have detected the possible infection by the managed machine enough? I would assume folks want to minimize risk, but besides letting the employee know another machine on the network is possibly infected, how would that change your strategy?

If it's a laptop that you, as a company, are going to allow to be on non-company networks (it's a laptop after all), isn't the computer being on networks with other possibly infected machines the normal expectation?

I don't want to achieve this at all. You are misreading my post. The correct assumption is the one you already stated: That you just need to assume any company assets that are mobile are going to exist on networks with infections and malicious machines, and just build your security around that assumption.

CommieGIR fucked around with this message at 18:18 on Feb 11, 2021

Sickening
Jul 16, 2007

Black summer was the best summer.

knox_harrington posted:

Sorry if I didn't phrase it well, the laptop doesn't require the VPN to be active all the time, just when I need to do intranet stuff like access the version controlled document repository. So the traffic is just going across my home network.

I only use the computer for work, and I'm not interested in defeating the corporate network security, but I think it's reasonable to be interested in what it's collecting about me, particularly if it's not in accordance with local law. I have plenty of other devices for watching smurf porn.

Outside of what is already suggested, the chances of you figuring this out without breaking some security controls on your machine are pretty nil. Have you thought to reach out to your company to ask?

Sickening
Jul 16, 2007

Black summer was the best summer.

CommieGIR posted:

I don't want to achieve this at all. You are misreading my post. The correct assumption is the one you already stated: That you just need to assume any company assets that are mobile are going to exist on networks with infections and malicious machines, and just build your security around that assumption.

Yeah, I phrased that poorly as in not meaning "you" but more of the context of the person who would want to follow through with such an endeavor.

BaseballPCHiker
Jan 16, 2006

Space Gopher posted:

The answer to this is going to be "to the corporate VPN," whether it's logging and transmitting every single click and keystroke, or just phoning home once a day to see what updates are whitelisted by their MDM setup. The entire point of the VPN is that the traffic is opaque to anybody using, say, Wireshark to sniff and analyze it.

You might be able to make some inferences based on traffic volume, but outside of that, it's not going to be very helpful without some way to MITM the VPN - which would be very noticeable to anybody looking for it.

Not necessarily, lots of places are running split tunnel VPNs these days. Unless I am totally misreading the question. I thought this was something along the lines of "I have a work computer running the VPN but it only talks back to corporate for intranet traffic, not google" sort of thing. Maybe I'm assuming too much.

DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness

BaseballPCHiker posted:

Not necessarily, lots of places are running split tunnel VPNs these days. Unless I am totally misreading the question. I thought this was something along the lines of "I have a work computer running the VPN but it only talks back to corporate for intranet traffic, not google" sort of thing. Maybe I'm assuming too much.

Sure, but if the interest is seeing what the company is collecting / sending back over the VPN, you're still not going to be able to sniff that via Wireshark on a hub or something. You could sniff some stuff that way when it's not connected via VPN, though (assuming you can't just install Wireshark directly on the laptop--since doing so would raise a bunch of red flags in a lot of companies).
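
The routing-table and traceroute check BangersInMyKnickers suggests, and the split- versus full-tunnel question BaseballPCHiker and DrDork go back and forth on, reduce to one thing: does the longest-prefix match for an arbitrary public address land on the VPN adapter, or on the home router? The following is an added example written for this thread, not code from any poster and not tied to any particular VPN client: it parses the IPv4 section of a Windows `route print` listing and does that lookup offline, so you can see what a traceroute to google.com would do before running it. Both tables are constructed, and the VPN adapter address 172.16.5.7, the LAN 192.168.1.0/24, and the 0.0.0.0/1 + 128.0.0.0/1 pair (a common way full-tunnel clients win over the default route without deleting it) are assumptions, not something captured from a real host.

```python
"""Classify a VPN as split- or full-tunnel from a Windows 'route print' IPv4
table by doing the longest-prefix match the OS does, offline.
Both tables below are constructed samples, not captured from a real host."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed: VPN adapter address 172.16.5.7, home LAN 192.168.1.0/24.
SPLIT_TUNNEL = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
         10.0.0.0        255.0.0.0         On-link       172.16.5.7      2
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    331
       172.16.5.7  255.255.255.255         On-link       172.16.5.7    257
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    281
===========================================================================
"""

# Full tunnel: two /1 routes beat the /0 default without removing it.
FULL_TUNNEL = """\
IPv4 Route Table
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
          0.0.0.0        128.0.0.0       172.16.5.1      172.16.5.7      2
        128.0.0.0        128.0.0.0       172.16.5.1      172.16.5.7      2
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    331
       172.16.5.7  255.255.255.255         On-link       172.16.5.7    257
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    281
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str      # next hop, or "On-link" for directly attached networks
    interface: str    # address of the local adapter the route uses
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Keep only five-column rows whose first two fields form an IPv4 network."""
    routes: List[Route] = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:
            continue
        try:
            net = ipaddress.IPv4Network((cols[0], cols[1]))
            metric = int(cols[4])
        except ValueError:
            continue   # header text or something that is not a route
        routes.append(Route(net, cols[2], cols[3], metric))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins; on a tie the lower metric wins, as the OS does."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def classify_tunnel(routes: List[Route], vpn_iface: str, probe: str = "8.8.8.8") -> dict:
    """Full tunnel if an arbitrary public address routes out of the VPN adapter."""
    chosen = lookup(routes, probe)
    full = chosen is not None and chosen.interface == vpn_iface
    # Prefixes the VPN claims, ignoring the adapter's own /32 host route.
    prefixes = [str(r.network) for r in routes
                if r.interface == vpn_iface and r.network.prefixlen < 32]
    return {"mode": "full" if full else "split",
            "probe_route": str(chosen.network) if chosen else None,
            "vpn_prefixes": prefixes}


if __name__ == "__main__":
    for label, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        routes = parse_route_print(table)
        print(label, classify_tunnel(routes, "172.16.5.7"))
        print("  10.20.30.40 ->", lookup(routes, "10.20.30.40"))
```

On the split table, 8.8.8.8 leaves via the home router and only 10.0.0.0/8 goes into the tunnel, which is the "only talks back to corporate for intranet traffic" case; on the full table the /1 routes outrank the default, so everything except the local LAN and loopback goes through the VPN, and a hub-and-Wireshark capture would show nothing but encrypted tunnel traffic. Paste your own `route print` output into the string to check a real machine; the same lookup logic applies to a Linux `ip route` listing, only the parser would differ.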

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Sickening posted:

Yeah, I phrased that poorly as in not meaning "you" but more of the context of the person who would want to follow through with such an endeavor.

Fair enough! Yeah, I've had to talk down a couple C levels from the brink about where their legal and ethical limits are, managed to convince all of them that it's just far easier to assume a hostile environment than play offensive security.

Internet Explorer
Jun 1, 2005

*long sigh*

https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

CLAM DOWN
Feb 13, 2007

I'm going to be employed forever.

Impotence
Nov 8, 2010
Lipstick Apathy
If you are just running openvpn that you have a config file for then it's probably fine and they just vacuum up network packets.

If you have any data loss prevention or managed endpoint security software/"antivirus", and the VPN verifies this (like anyconnect or globalprotect) then it's basically a complete keylogger that watches every single keystroke and your clipboard.

BaseballPCHiker posted:

Not necessarily, lots of places are running split tunnel VPNs these days. Unless I am totally misreading the question. I thought this was something along the lines of "I have a work computer running the VPN but it only talks back to corporate for intranet traffic, not google" sort of thing. Maybe I'm assuming too much.

If the split tunnel VPN is demanding you have endpoint security software, root CAs, or DLP, then it's probably taking everything and the kitchen sink, though.

Sickening
Jul 16, 2007

Black summer was the best summer.

CLAM DOWN posted:

I'm going to be employed forever.

Big same.

some kinda jackal
Feb 25, 2003


CLAM DOWN posted:

I'm going to be employed forever.

Yeah the real question is "is it worth it".

Sometimes I wish I had a less annoying job like garbageman or explosives disposal.

CLAM DOWN
Feb 13, 2007

Martytoof posted:

Yeah the real question is "is it worth it".

Sometimes I wish I had a less annoying job like garbageman or explosives disposal.

Some days I just loving hate computers and want to change jobs to run away into a forest or something. Park ranger. I dunno. Many years ago I worked on ships and I miss being at sea.

But other days I genuinely enjoy my job and can make a difference. I wish I didn't flip flop so regularly. I also make far more money doing security lol

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
I love what I do. I hate working with the people that employ me, because they don't listen.

Internet Explorer
Jun 1, 2005

I'm really struggling recently. Not exactly a new phenomenon for me, but I guess like CLAM, I fluctuate. I don't work strictly in infosec, but I have generally been the most infosec-minded person in my travels. I'm at the point where I don't know what I want to do next in my career, but I really wish I could just get away from anything even remotely user facing. Security seems like a logical next step, but I'm starting to realize that I think I've had ADHD my entire life and the idea of studying for a cert is just absolutely dreadful. The general depression that this world is bringing on isn't any help.

Maybe one day.
