Internet Explorer posted: At this point you're just better off using Chromebooks as portable thin clients. Much easier to manage. Chromebooks own.

# ? Feb 27, 2021 20:23
|
# ? May 31, 2024 08:21
|
Combat Pretzel posted: That assumes the host doesn't run any security software.

The DLP service running inside the VM is restricted to the VM. You can not bother using any security software on the host and the DLP service will not be able to tell or know that you are not protecting the host at all. Your VPN provider like AnyConnect can scan to ensure updated A/V inside the VM, but that does nothing because you can be fully updated inside the VM and unpatched and vulnerable on the host. It's basically a "can't see out but outside can read/write in" problem.

Combat Pretzel posted: About this malware thing, since the web is typically a vector for this, and the browser isn't restricted on my work laptop, wouldn't it be safer to be running a VM anyway? What are the chances of catching malware that can specifically meddle with apps/data within a VM versus one that typically wreaks havoc on the host system itself (only)?

The difference is if you browse entirely in a separate VM, and NEVER EVER do ANYTHING on the host. If you plug in a flash drive onto the host, now your host has autorun malware. If you browse on the host, the work VM is compromised, with no way to detect it or prevent it. If you browse in the work VM, at the very least the work VM has security software running in it. If you browse in a separate, non-work VM, then there's a sandboxing effect that reduces the risk.

Impotence fucked around with this message at 21:22 on Feb 27, 2021

# ? Feb 27, 2021 20:48
|
Potato Salad posted: With HVCI and *properly-configured* Defender Application Control, you can make it extraordinarily difficult for a keylogger to run. A stripped down, modern HP or Dell laptop with all of the platform security bells and whistles laboriously configured and controlled is a hell of a tough nut to crack if it's just running VDI. Sure, there are still the normal bevy of OS exploits that come out each month, and a weak code signing cert gets exploited every once in a while in the wild, but the attack surface is razor thin, and there's less to leverage once the attacker has user or even admin escalation on the endpoint.

Yes, but the original question was "why is my company not just letting me connect from my personal machine", which I am pretty sure is not the device you just described.

# ? Feb 27, 2021 21:11
|
Enabling HVCI is a pain in the rear end. I had to sacrifice my G27 steering wheel, my smartcard reader for my electronic ID and my STLink, because all their drivers interfered with it.
|
# ? Feb 27, 2021 22:12
|
If you're so paranoid about installing work poo poo in a VM (from employee perspective, not employer) you should probably find a new employer. I have gone from like 4 separate machines down to one and I will never go back.

# ? Feb 27, 2021 22:35
|
Is there a preferred multi factor authentication app? I was pretty surprised to see how lowly rated Google’s was on the app store.
|
# ? Feb 27, 2021 23:00
|
Mr. Crow posted: If you're so paranoid about installing work poo poo in a VM (from employee perspective, not employer) you should probably find a new employer. I have gone from like 4 separate machines down to one and I will never go back.

# ? Feb 27, 2021 23:03

Head Bee Guy posted: Is there a preferred multi factor authentication app?

Duo is pretty good, Authy gets a lot of good press from our DevOps guys.

# ? Feb 27, 2021 23:04
|
Head Bee Guy posted: Is there a preferred multi factor authentication app?

I just moved my codes from Authenticator Plus to Authy, so I really hope Authy is still recommended.

# ? Feb 27, 2021 23:04

Head Bee Guy posted: Is there a preferred multi factor authentication app?

I moved mine into 1Password.

# ? Feb 27, 2021 23:07
|
I want to move to Authy, but some sites seem to make it so difficult, only allowing one active set at a time. An issue that I understand Authy makes irrelevant, but it's still a pain with Google Auth. At least none of my work stuff uses it anymore.

# ? Feb 27, 2021 23:11

Signing into your Google account on your phone and using the device as the 2nd factor is the easiest thing for me. I wish more places did push notifications as 2FA tbh, or like how MS auth does it.

# ? Feb 27, 2021 23:13
|
CyberPingu posted: Signing into your Google account on your phone and using the device as the 2nd factor is the easiest thing for me.

Duo does push, Google does it, Facebook is really pretty nice about it (it asks for codes, but you can just push yes on the app). If only they didn't fall back on SMS if actual secure 2FA fails.

# ? Feb 27, 2021 23:15

RFC2324 posted: Duo does push, Google does it, Facebook is really pretty nice about it (it asks for codes, but you can just push yes on the app).

Yeah we use Duo for work. It's pretty good though some of their enterprise stuff is annoying. I've disabled and 2FA wherever possible.

# ? Feb 27, 2021 23:17
|
Duo was acquired by Cisco over a year ago IIRC. It works but I wonder if it's getting expensive. Push is interesting. Now you're training users to stop and think if they're getting a push notification when they're not trying to log into something (their password was compromised). Duo has an API you can hook into for running simulations. Make the originating IP of the push be in Russia, then if they hit report or accept it, it can IM them on Slack with a custom message about the exercise.

# ? Feb 27, 2021 23:23
|
Combat Pretzel posted: Where did that even come from? My initial idea was that I didn't want a secondary device on my work desk at home, ending up in running two keyboards next to each other. I offered my employer to run a VM image, if they insisted on a controlled environment (among other things a bunch of VPN and identity apps from Check Point Software that I certainly don't want to be running on a host), which they denied. Then the thread piled on with reasons why that's bad.

It wasn't directed at you but the initial conversation before it started discussing why an employer might not want it. My bad.

# ? Feb 28, 2021 00:36
|
Mr. Crow posted: It wasn't directed at you but the initial conversation before it started discussing why an employer might not want it. My bad.

That said, I can partially understand it. If someone gets my login data, he can log into the web interface of the VPN server of my employer (why the gently caress is that even enabled?!) at vpn.domain.tld (the hell?) and download a provisioned VPN client.

Combat Pretzel fucked around with this message at 00:50 on Feb 28, 2021

# ? Feb 28, 2021 00:47
|
Combat Pretzel posted: All those various employers can't be completely stupid all at once.

hmm, hmm

# ? Feb 28, 2021 00:50
|
Combat Pretzel posted: Oh OK. Yea, I don't understand it either, since it seems popular to run a remote desktop client on your own device. At least that's the impression I got looking around among friends. All those various employers can't be completely stupid all at once.

Combat Pretzel posted: Where did that even come from? My initial idea was that I didn't want a secondary device on my work desk at home, ending up in running two keyboards next to each other. I offered my employer to run a VM image, if they insisted on a controlled environment (among other things a bunch of VPN and identity apps from Check Point Software that I certainly don't want to be running on a host), which they denied. Then the thread piled on with reasons why that's bad.

No, if someone compromises your VM's host, it is completely game over for that VM. It is completely unprotected space, and you can kill or falsify any protection, full disk encryption, retrieve anything you want out of memory or disk like certificates, private keys, etc. The security software needs to run at or above the layer here, which means you have to run all your VPN and Check Point keylogging crap on the host if you want to run your actual remote-desktop application inside your VM. If you restrict Check Point to looking inside the VM, then there is no way for it to know that the entire VM is already pre-compromised due to the host being compromised. This is why infosec does not want you doing this, because no matter how protected the VM image is, it has absolutely no way to defend itself and no way to know just how hacked to bits it is.

Impotence fucked around with this message at 01:01 on Feb 28, 2021

# ? Feb 28, 2021 00:56
|
Nothing like escaping the sandbox by popping the hypervisor.

# ? Feb 28, 2021 01:17
|
Microsoft Authenticator works well for me so far. It backs up to OneDrive too, though I haven't done a full restore since that functionality rolled out.
|
# ? Feb 28, 2021 01:33
|
Biowarfare posted: No, if someone compromises your VM's host, it is completely game over for that VM. It is completely unprotected space, and you can kill or falsify any protection, full disk encryption, retrieve anything you want out of memory or disk like certificates, private keys, etc.

I don't think anyone is arguing for why an employer wouldn't want to allow employees running VMs as opposed to dedicated hardware? I think we all understand that, from the employer's perspective, it's needlessly increasing your attack vectors. There was talk about "the absurdity" of installing anything work on a personal device because reasons like "if the DOJ subpoenas your company you're out a laptop" and buddy if that's happening that's the least of your problems.

# ? Feb 28, 2021 02:09
|
Mr. Crow posted: "if the DOJ subpoenas your company you're out a laptop" and buddy if that's happening that's the least of your problems.

Really depends on your industry. I was warned not to be surprised when it happens at my new job.

# ? Feb 28, 2021 02:30
|
Mr. Crow posted: I don't think anyone is arguing for why an employer wouldn't want to allow employees running VMs as opposed to dedicated hardware? I think we all understand that, from the employer's perspective, it's needlessly increasing your attack vectors.

Unless you did some shady poo poo I don't think it's your problem necessarily, except for the part where you're out a laptop.

# ? Feb 28, 2021 02:57
|
Hopefully, if employee computers getting subpoenaed is a regular occurrence, they've got plenty more fresh devices to issue.
|
# ? Feb 28, 2021 03:01
|
I just don't want to install anything work related on a personal device because I've seen the level of access "posture assessment" and "DLP" and "hostscan" give you. And VPN logs.
|
# ? Feb 28, 2021 03:10

Gab leaked: https://twitter.com/NatSecGeek/status/1365416337493868544?s=20

# ? Feb 28, 2021 03:13
|
Zorak of Michigan posted: Hopefully, if employee computers getting subpoenaed is a regular occurrence, they've got plenty more fresh devices to issue.

Yeah... that's why we said not to use your personal computer.

# ? Feb 28, 2021 04:11
|
CommieGIR posted: Gab leaked

Right-wing nazi-haven platforms just can't catch a break, can they?

# ? Feb 28, 2021 05:57
|
Mr. Crow posted: There was talk about "the absurdity" of installing anything work on a personal device because reasons like "if the DOJ subpoenas your company you're out a laptop" and buddy if that's happening that's the least of your problems.

# ? Feb 28, 2021 10:06
|
Combat Pretzel posted: That said, I can partially understand it. If someone gets my login data, he can log into the web interface of the VPN server of my employer (why the gently caress is that even enabled?!) at vpn.domain.tld (the hell?) and download a provisioned VPN client.

# ? Feb 28, 2021 14:24
|
CommieGIR posted: Nothing like escaping the sandbox by popping the hypervisor

Is there a known real world case where this actually happened? Obviously it's been demonstrated at CTFs and such, but it's such a difficult thing to do that it seems unlikely that it's a significant concern for most users and small companies, compared to a hacker finding and just going after the host directly or something.

# ? Feb 28, 2021 15:36
|
evil_bunnY posted: what's 2fa precious

lmao

Also, the password policy over here is ten letters, all lowercase, no special characters, because otherwise you can't keep the passwords in sync with the lowest common denominator, which is our AS400 based system, that for some reason insists on these restrictions. That's why I keep alluding that them insisting on a work sponsored device isn't for the right reasons.

# ? Feb 28, 2021 17:38
|
I wish this entire industry would shut the gently caress up about passwords.
|
# ? Feb 28, 2021 17:40
|
Sickening posted: I wish this entire industry would shut the gently caress up about passwords.

You knew it was inevitable. I just want ssh keys for my VPN connection, even if it also needs the 2FA (tbh, even after years, I get a kick out of push authentication).

# ? Feb 28, 2021 17:51

Sickening posted: I wish this entire industry would shut the gently caress up about passwords.

Passwords are amazing but suck because people are creatures of habit and there's no way of changing that. Also apparently the tech world can't stop storing them insecurely.

# ? Feb 28, 2021 18:51
|
CyberPingu posted: Also apparently the tech world can't stop storing them insecurely

But accidentally uploading your org's root password to GitHub is so much fun!

# ? Feb 28, 2021 19:17
|
CyberPingu posted: Passwords are amazing but suck because people are creatures of habit and there's no way of changing that.

They aren't amazing. And if I ever hear someone talk about "password complexity" again ever in my life it will have been too soon.

# ? Feb 28, 2021 19:47
|
Sickening posted: I wish this entire industry would shut the gently caress up about passwords.

# ? Feb 28, 2021 19:50
|
Sickening posted: They aren't amazing. And if I ever hear someone talk about "password complexity" again ever in my life it will have been too soon.

In a perfect world they work. But the problems come from our inability to use them properly.

# ? Feb 28, 2021 19:53