Butter Activities
May 4, 2018

I’m surprised I didn’t learn about Phineas Fisher until I started getting a little deeper into learning about this stuff, whoever they (plural or singular) are, because they’re basically the closest thing to a real-life Elliot Alderson. For anarchist hacktivists to chain zero days and successfully break into companies that are supposed to be the best some oil money can buy, it’s an interesting story. Plus all the taunting and posting a live video of them doing one of the more simple hacks; as far as the hacking goes, it’s more interesting than Mr Robot’s hacks.

That being said Mr Robot is a brilliant story about alienation, power, and trauma more than it is a “hacking” show.


EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!
:vapes:
Switchblade Switcharoo

Why I do what I do or other people using it as their main OS.

For the former: preference for using an NVMe SSD over USB and having actually good unlimited internet on its own VLAN.

For the latter: no clue.

Butter Activities
May 4, 2018

Why would you ever use Kali as a base OS.

It’s fun to be the person asking ambiguous questions this time around though.

Pablo Bluth
Sep 7, 2007

I've made a huge mistake.
Kali should be run as a VM on top of Hannah Montana Linux.

rafikki
Mar 8, 2008

I see what you did there. (It's pretty easy, since ducks have a field of vision spanning 340 degrees.)

~SMcD


This was an interesting read https://igor-blue.github.io/2021/03/24/apt1.html

Butter Activities
May 4, 2018

Pablo Bluth posted:

Kali should be run as a VM on top of Hannah Montana Linux.

:hmmyes:

mllaneza
Apr 28, 2007

Veteran, Bermuda Triangle Expeditionary Force, 1993-1952




brains posted:

imo this is the only way to actually force anything to change. there have to be business consequences, a tangible impact to the bottom line, to not patching or using basic security practices. until companies are turned into pariahs for stuff like this, there won't be any industry-wide change.

My industry has developed a grading system for Enterprise security. It affects your suitability to be a partner or supplier, too low and people won't do business with you. So, finally, we have a business reason coming down from the home office to get rid of the Win7 systems.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
$4 for a year life of Shodan access today only.

CommieGIR fucked around with this message at 14:39 on Mar 30, 2021

Proteus Jones
Feb 28, 2013



CommieGIR posted:

$4 for a year of Shodan access today only.

poo poo, I forgot I got a lifetime a few years ago for Black Friday. Just checked, and yep still active.

$4/yr is a really good price.

CyberPingu
Sep 15, 2013


If you're not striving to improve, you'll end up going backwards.

Proteus Jones posted:

poo poo, I forgot I got a lifetime a few years ago for Black Friday. Just checked, and yep still active.

$4/yr is a really good price.

It's $4 for life.

Absurd Alhazred
Mar 27, 2010

by Athanatos
I have no idea what that is but $4 for a lifetime membership sounds good to me!

CyberPingu
Sep 15, 2013


If you're not striving to improve, you'll end up going backwards.

Absurd Alhazred posted:

I have no idea what that is but $4 for a lifetime membership sounds good to me!

External vulnerability scanner.


Also has other slightly more morally opaque uses, like being able to search for, say, every router that has default creds on it, etc.

BaseballPCHiker
Jan 16, 2006

I was still able to grab that deal today for anyone else interested in it.

RFC2324
Jun 7, 2012

http 418

BaseballPCHiker posted:

I was still able to grab that deal today for anyone else interested in it.

Yeah, the tweet saying for the next 24 hours was about 22 hours ago, so gogogogo

Sickening
Jul 16, 2007

Black summer was the best summer.
Someone talk me out of spending more on Office 365 licensing in order to do more data classification things for security purposes.

Mr. Crow
May 22, 2008

Snap City mayor for life
https://krebsonsecurity.com/2021/03/whistleblower-ubiquiti-breach-catastrophic/

Woof


quote:

"They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration," Adam said.

Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.

Mr. Crow fucked around with this message at 20:12 on Mar 30, 2021

evil_bunnY
Apr 2, 2003

*so* many power users run those things, the fallout is going to be *grrrrreat*

And of course it's lastpass that enabled it. plus ça change...

CyberPingu
Sep 15, 2013


If you're not striving to improve, you'll end up going backwards.
Why the gently caress does an IT admin have root access to their s3 buckets and aws accounts?

droll
Jan 9, 2020

by Azathoth
Did they? Or did the IT admin give them a key to a door and, once past the door, they did some other fun stuff like use his local Windows admin privileges to uninstall Rapid7 and AV, then install a keylogger on someone else's machine, and so on and so forth.

Sickening
Jul 16, 2007

Black summer was the best summer.

droll posted:

Did they? Or did the IT admin give them a key to a door and, once past the door, they did some other fun stuff like use his local Windows admin privileges to uninstall Rapid7 and AV, then install a keylogger on someone else's machine, and so on and so forth.

Either is likely and it's probably pointless which way it was. At the end of the day, an exposure of a username and password was all that was needed to start the chain, and that is the part I fight against the hardest. I am trying to make usernames and passwords on their own mean as little as possible in my day to day. They are just so poo poo as a security mechanism.

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?
Does this mean their AWS accounts weren't secured using MFA?

Also, dammit, now I have to go change my home router's password and maybe not install firmware updates until this shakes out.

trashy owl
Aug 23, 2017

Ynglaur posted:

Also, dammit, now I have to go change my home router's password and maybe not install firmware updates until this shakes out.

Did you not when this was first announced in January?

Guy Axlerod
Dec 29, 2008

Ynglaur posted:

Does this mean their AWS accounts weren't secured using MFA?

Also, dammit, now I have to go change my home router's password and maybe not install firmware updates until this shakes out.

The default MFA implementation on AWS only requires it for console logins, not API keys.

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?

trashy owl posted:

Did you not when this was first announced in January?

Not my router, no. I don't use their cloud service for configuration. I did change my Ubiquiti online account passwords, of course.

Pablo Bluth
Sep 7, 2007

I've made a huge mistake.
Isn't AWS a dumpster fire of badly configured permissions due to the spiderweb of services and configurations?

Pablo Bluth fucked around with this message at 02:06 on Mar 31, 2021

DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness
Most of AWS's permissions structure isn't that bad, but it's true that a lot of companies try to get real fancy with stuff and mess things up because they don't spend the time/resources to fully understand what they're doing. Or they link in some other platform with gaping security holes.

There's also basically nothing any cloud provider can do if you manage to let someone get ahold of your root-level credentials and don't have 2FA on or allow direct API access to your accounts.

I mean it makes it sound like the attackers got ahold of his LastPass keychain. That's a nightmare scenario.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
Well, they sell you infrastructure, not security. That's extra.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

Pablo Bluth posted:

Isn't AWS a dumpster fire of badly configured permissions due to the spiderweb of services and configurations?

Google the “shared responsibility model”


Also no, it is not. There’s lots of neat things you can do with AWS accounts, though I will say nothing beats properly used and configured GCP projects for scope segregation.

Guy Axlerod
Dec 29, 2008

Pablo Bluth posted:

Isn't AWS a dumpster fire of badly configured permissions due to the spiderweb of services and configurations?

Most of their example policies are trash. Don't use their built in policies or any policy out of their documentation without reading each line.

Lots of crap with full s3 access.
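Guy Axlerod's two points above, that AWS MFA by default only covers console logins and that many example policies hand out full S3 access, as an added Python example that is not from this thread and not an AWS tool: it lints a policy document for wildcard Allow statements and checks for the Deny-when-no-MFA pattern. The condition key aws:MultiFactorAuthPresent is a real AWS global condition key; the helper functions and the sample policy are constructed for the example.

```python
"""Audit an IAM policy document for two problems raised in this thread: Allow
statements granting a wildcard action (e.g. "s3:*") on every resource, and the
absence of a Deny that blocks API calls made without MFA. Hypothetical helper."""
import json

# Global condition key AWS sets to "true" when the caller authenticated with MFA.
MFA_KEY = "aws:MultiFactorAuthPresent"


def _as_list(value):
    """Action/Resource may be a string or a list in IAM JSON; normalise to a list."""
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy):
    """Return (statement index, action) pairs for Allow statements that pair a
    wildcard action with Resource "*", the shape that hands out full S3 access."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((i, action))
    return findings


def requires_mfa(policy):
    """True only if a Deny uses BoolIfExists on the MFA key. Plain Bool does not
    match when the key is absent, which is the case for long-lived access keys,
    so a Bool-based deny still lets API calls through without MFA."""
    for stmt in _as_list(policy.get("Statement", [])):
        flag = stmt.get("Condition", {}).get("BoolIfExists", {}).get(MFA_KEY, "")
        if stmt.get("Effect") == "Deny" and str(flag).lower() == "false":
            return True
    return False


def mfa_deny_statement():
    """Deny that makes MFA mandatory for API calls, not just console logins.
    AWS's documented version also carves out the MFA-setup actions via NotAction."""
    return {"Sid": "DenyWithoutMFA", "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"BoolIfExists": {MFA_KEY: "false"}}}


# Constructed sample: the copy-pasted kind of policy that grants full S3 access.
SAMPLE_POLICY = json.loads('{"Version": "2012-10-17", "Statement": ['
                           '{"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},'
                           '{"Effect": "Allow", "Action": "s3:GetObject",'
                           ' "Resource": "arn:aws:s3:::example-bucket/*"}]}')
```

Appending mfa_deny_statement() to a policy makes requires_mfa() true while the overbroad s3:* grant is still flagged, which is the point: MFA enforcement and least-privilege scoping are separate fixes.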

Sickening
Jul 16, 2007

Black summer was the best summer.

Pablo Bluth posted:

Isn't AWS a dumpster fire of badly configured permissions due to the spiderweb of services and configurations?

Let me put it this way, if what you just posted was true, this would mean everything else in the tech world is the 55 gallon barrel of poo poo being burned in the desert.

Guy Axlerod posted:

Most of their example policies are trash. Don't use their built in policies or any policy out of their documentation without reading each line.

Lots of crap with full s3 access.

Compared to Azure, AWS default policies are ironclad. I find all the public clouds start out way too lenient in security policies, and it's mostly them trying not to gently caress up the new user experience. I feel like if AWS's native vulnerability scanning detects its own defaults, they should no longer be the default.

Sickening fucked around with this message at 04:10 on Mar 31, 2021

Pablo Bluth
Sep 7, 2007

I've made a huge mistake.
Dumpster fire was perhaps too strong. I'm not an AWS user (other than one time playing with the free tier), but when I listen to the Risky.Biz infosec podcast, misconfigured AWS seems to be a perennial problem. Perhaps I'm just remembering the early years too much and it's better now that it's more mature?

evil_bunnY
Apr 2, 2003

The early years were a dumpster fire because of default perms, the current years can be a dumpster fire when people open their buckets to make poo poo work.

vanity slug
Jul 20, 2010

Guy Axlerod posted:

The default MFA implementation on AWS only requires it for console logins, not API keys.

i wouldn't be surprised if the admin used lastpass for mfa too, in which case it doesn't matter where it's enabled :v:

evil_bunnY
Apr 2, 2003

Jeoh posted:

admin used lastpass for mfa
That's extremely not cash money

DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness

Pablo Bluth posted:

Dumpster fire was perhaps too strong. I'm not an AWS user (other than one time playing with the free tier), but when I listen to the Risky.Biz infosec podcast, misconfigured AWS seems to be a perennial problem. Perhaps I'm just remembering the early years too much and it's better now that it's more mature?

These aren't mutually exclusive issues. AWS's permissions setups and whatnot are pretty reasonable and can be used to make your account/resources very secure. But they're also powerful and let you do a lot of interesting things--if you know what you're doing, you can leverage that into even more security. If you don't know what you're doing, you can inadvertently open holes you might not be aware of.

Or, as is the case for basically everything in IT, you don't have the resources to do a full well thought out build up front, so you put together something that works "for now" and then never get around to circling back and actually fixing up all the rough edges and now it's 5 years later, it's in Prod and is a dependency for 10 other things, and everyone who originally worked on the thing has left and no one even remembers the "fix this later" issues.

A big part of AWS's issues in terms of popping up in the news repeatedly about "misconfigured X" is that when you have millions of customers with thousands of configurations each, the sheer law of numbers says that some dude is going to gently caress stuff up somewhere. Doubly so when AWS has intentionally tried to court a very wide audience, and not just True Tech Professionals.

Jabor
Jul 16, 2010

#1 Loser at SpaceChem
The thorny part of the problem is that if you've misconfigured things in such a way that your systems don't have sufficient access, it's usually obviously broken and a solution is pretty clear.

But if you've misconfigured things in such a way that access permissions are too broad, you usually don't find that out until far too late.

wolrah
May 8, 2006
what?

evil_bunnY posted:

*so* many power users run those things, the fallout is going to be *grrrrreat*
This actually gets to one of the reasons a lot of people liked UniFi gear. I run my own hosted controller for my client systems. It existed before they even had an SSO system, and it still runs independently today. My total threat from this breach is that someone could potentially log in to my account on their lovely forums.

Unfortunately recently they've been making it harder to do things this way, some of the newer firewall products can't be connected to an external controller so your options are SSO or managing them entirely individually. I only use the WAPs and switches which haven't gone this way but between this and the new version of their camera system only running on their own branded hardware the writing is on the wall for people who were sold by the self-hosting abilities.

RFC2324
Jun 7, 2012

http 418

wolrah posted:

This actually gets to one of the reasons a lot of people liked UniFi gear. I run my own hosted controller for my client systems. It existed before they even had an SSO system, and it still runs independently today. My total threat from this breach is that someone could potentially log in to my account on their lovely forums.

Unfortunately recently they've been making it harder to do things this way, some of the newer firewall products can't be connected to an external controller so your options are SSO or managing them entirely individually. I only use the WAPs and switches which haven't gone this way but between this and the new version of their camera system only running on their own branded hardware the writing is on the wall for people who were sold by the self-hosting abilities.

I don't have a home network right now, but the last couple I have built have been UniFi.

I see it's time to find an alternative.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

RFC2324 posted:

I don't have a home network right now, but the last couple I have built have been UniFi.

I see it's time to find an alternative.

Eh, just don't use their central cloud management. You can set up UniFi and UNMS locally with no ties to Ubiquiti other than updates. Honestly still a hard product to beat.


RFC2324
Jun 7, 2012

http 418

CommieGIR posted:

Eh, just don't use their central cloud management. You can set up UniFi and UNMS locally with no ties to Ubiquiti other than updates. Honestly still a hard product to beat.

If they are moving to push everyone into the cloud the way the poster I quoted seemed to be saying, then it's a problem.

And yeah, UniFi has been what I recommended for years, especially since the cloud management was so relatively easy and cheap.
