|
Cup Runneth Over posted:They didn't fix anything. They started sanitizing input for the first loving time.
|
# ? May 19, 2021 23:03 |
|
|
CommieGIR posted:This. It's amazing how many modern, hugely technical companies still fail to have PROPER backups. Sorry, backups are no longer in our budget because our accountants have found that paying one ransom is cheaper than paying for competent staff and redundant storage.
|
# ? May 19, 2021 23:11 |
|
https://twitter.com/fs0c131y/status/1395037571265216514 Stay safe out there, folks!
|
# ? May 19, 2021 23:25 |
|
Cup Runneth Over posted:https://twitter.com/fs0c131y/status/1395037571265216514 It's surprising to me that the people sending these emails go to the trouble of setting up the slightly off domain and matching the design of a Chase email but can't find anyone who can write a paragraph of English without making grammatical mistakes. I used to think it was to get dumb people to self-select as marks, but this kind of attack seems to be meant to work on anyone.
|
# ? May 19, 2021 23:42 |
|
CommieGIR posted:This. It's amazing how many modern, hugely technical companies still fail to have PROPER backups.
|
# ? May 19, 2021 23:51 |
|
evil_bunnY posted:The restore part is always the kicker. How do you restore, and where to. Testing your backups is important and often isn't done even by big firms.
|
# ? May 19, 2021 23:53 |
|
Also, a question. What is the rationale for advising against forcing users to reset their passwords periodically? Articles I've read claim they lead to easier-to-remember passwords that are less secure, but considering how common password reuse is and the fact that most people have probably had their login information leaked by some source or another, it would seem like a prudent way to keep people from using their LinkedIn password with their work credentials. They may not change it much, but surely a close match is better than an exact match? Also, is there consensus on having employees use randomly generated passwords and a password manager? Having separate credentials for each service used at work would limit the damage from a successful breach and wouldn't add much friction to people's workflows (assuming they are mostly using browser/cloud based services like most office staff). I suppose it represents a single point of failure, but having one set of credentials for SSO would more or less be the same. Sorry if this is dumb, I'm just starting out.
|
# ? May 20, 2021 00:05 |
|
Biowarfare posted:sorry, backups are no longer in our budget because our accountants have found that paying one ransom is cheaper than paying for competent staff and redundant storage Shows the ransomware groups are selling a good product. Capitalism at work
|
# ? May 20, 2021 00:13 |
|
BrianRx posted:Also, a question. What is the rationale for advising against forcing users to reset their passwords periodically? Articles I've read claim they lead to easier-to-remember passwords that are less secure, but considering how common password reuse is and the fact that most people have probably had their login information leaked by some source or another, it would seem like a prudent way to keep people from using their LinkedIn password with their work credentials. They may not change it much, but surely a close match is better than an exact match? Password rotation comes from a back of the napkin calculation in the late 80s about how long it would take to crack the contents of a stolen passwd file. Not only is it no longer realistic to worry about someone cracking your password if the authentication mechanism isn't stupid as heck, but as mentioned it leads to password reuse, which means that it's the same password but with maybe 1 bit of entropy changed each time (hunter2 to hunter3, etc). NIST has now officially recommended that you not do this anymore. As far as multiple passwords for services go, it's a good idea, but others can speak on how to do that because I just make the mops, I don't actually do the janitoring.
|
# ? May 20, 2021 00:13 |
|
BrianRx posted:It's surprising to me that the people sending these emails go to the trouble of setting up the slightly off domain and matching the design of a Chase email but can't find anyone who can write a paragraph of English without making grammatical mistakes. I used to think it was to get dumb people to self-select as marks, but this kind of attack seems to be meant to work on anyone. It's meant to elicit a panic response so you won't look that much into the grammatical or spelling errors.
|
# ? May 20, 2021 00:33 |
|
evil_bunnY posted:The restore part is always the kicker. How do you restore, and where to. True, and yeah if you are not testing your backups at random, may god have mercy on your soul.
|
# ? May 20, 2021 00:38 |
|
BrianRx posted:It's surprising to me that the people sending these emails go to the trouble of setting up the slightly off domain and matching the design of a Chase email but can't find anyone who can write a paragraph of English without making grammatical mistakes. I used to think it was to get dumb people to self-select as marks, but this kind of attack seems to be meant to work on anyone. I don't see much wrong with the language on this one - maybe just "an unusual activity" is odd and would be better with "some", but I think plenty of native speakers wouldn't even pick up on it. It's miles more convincing than most.
|
# ? May 20, 2021 01:29 |
|
CommieGIR posted:True, and yeah if you are not testing your backups at random, may god have mercy on your soul. As someone who works in hosting: your provider is NOT testing your backups without you requesting a specific event to do so. Just have them restore one file per server every 3 months to see if they work.
|
# ? May 20, 2021 01:33 |
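One way to run the "restore one file per server" spot check yourself instead of waiting on the provider, as an added example that is not any poster's code: pick a few random files out of the backup archive, restore each one in memory, and compare its hash against the live copy. The gzipped tar and the three-file tree are constructed inside the block so it runs offline; a real job would point at the provider's last snapshot and the production root.

```python
import hashlib
import random
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 of a file on disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_root: Path, archive: Path) -> None:
    """Stand-in for the provider's backup job: a gzipped tar of the whole tree."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source_root, arcname=".")


def spot_check(archive: Path, live_root: Path, sample_size: int, seed=None) -> dict:
    """Restore sample_size random files from the archive into memory and compare
    each with the live copy. Returns {member name: 'ok'|'mismatch'|'missing'|'unsafe path'}."""
    rng = random.Random(seed)
    results = {}
    with tarfile.open(archive, "r:gz") as tar:
        files = [m for m in tar.getmembers() if m.isfile()]
        for m in rng.sample(files, min(sample_size, len(files))):
            rel = Path(m.name)
            # Member names come from the archive; never let them escape the root.
            if rel.is_absolute() or ".." in rel.parts:
                results[m.name] = "unsafe path"
                continue
            restored = tar.extractfile(m).read()  # restore without touching disk
            live = live_root / rel
            if not live.is_file():
                results[m.name] = "missing"
            elif hashlib.sha256(restored).hexdigest() == sha256_file(live):
                results[m.name] = "ok"
            else:
                results[m.name] = "mismatch"
    return results


def demo() -> tuple:
    """Constructed scenario: back up a small tree, spot-check it, then change one
    live file (data moved on since the snapshot) and spot-check again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "srv"
        (root / "etc").mkdir(parents=True)
        (root / "etc" / "app.conf").write_text("listen=443\n")
        (root / "db.sqlite").write_bytes(b"\x00" * 4096)
        (root / "notes.txt").write_text("constructed sample data\n")
        archive = Path(tmp) / "srv-backup.tgz"
        make_backup(root, archive)
        before = spot_check(archive, root, sample_size=3, seed=1)
        (root / "db.sqlite").write_bytes(b"\xff" * 4096)  # live copy changed
        after = spot_check(archive, root, sample_size=3, seed=1)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("fresh backup:", before)
    print("after live change:", after)
```

A "mismatch" tells you the backup and the live file differ, not which one is wrong: for a file that legitimately changes (the database above) compare against the snapshot's timestamp or a known-good checksum recorded at backup time, and reserve the hash equality test for files that should not have moved. The point of sampling with a seed you log is that the quarterly check is reproducible if the provider disputes it.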
|
BrianRx posted:Also, a question. What is the rationale for advising against forcing users to reset their passwords periodically? Articles I've read claim they lead to easier-to-remember passwords that are less secure, but considering how common password reuse is and the fact that most people have probably had their login information leaked by some source or another, it would seem like a prudent way to keep people from using their LinkedIn password with their work credentials. They may not change it much, but surely a close match is better than an exact match? I would never do this without also checking against haveibeenpwned's public database for password breaches. Some providers like Okta even make this a checkbox feature. Here's a sample implementation for AD that was recommended by Troy Hunt: https://jacksonvd.com/checking-for-breached-passwords-ad-using-k-anonymity/
|
# ? May 20, 2021 03:27 |
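The k-anonymity check the post above refers to, as an added example that is neither the linked AD implementation nor any poster's code: SHA-1 the password, send only the first five hex characters to the range endpoint, and match the remaining 35 characters against the returned list locally, so the full hash never leaves the machine. The response body in the block is constructed so the example runs offline; the only real value in it is the SHA-1 suffix of the string "password", and the counts and other suffixes are made up. The `fetch_range_live` function is what you would plug in for production.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple:
    """SHA-1 the password and split it into the 5-hex-char prefix that goes to
    the API and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> dict:
    """Parse the 'SUFFIX:COUNT' lines of a range response. With Add-Padding the
    server mixes in zero-count decoys; they are dropped here."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range_live(prefix: str) -> str:
    """Network fetcher, not used by the offline demo. HIBP requires a User-Agent;
    Add-Padding hides the true response size from anyone watching the TLS session."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "hibp-k-anon-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=fetch_range_live) -> int:
    """How many times the password appears in the HIBP corpus (0 = not found).
    Only the 5-char prefix is revealed to the remote side."""
    prefix, suffix = split_hash(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for a range response. The first suffix is the real
# SHA-1 suffix of "password" (digest 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8);
# the counts and the other two lines are invented for the example.
FAKE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0000000000000000000000000000000000A:12
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0
"""


def fetch_range_fake(prefix: str) -> str:
    """Offline fetcher: a real response depends on the prefix, this one does not."""
    assert len(prefix) == 5
    return FAKE_RANGE_BODY


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, fetch_range_fake))
```

Two practitioner notes: treat any non-zero count as a reject, not just high counts, since attackers load the whole corpus into their wordlists regardless of frequency; and if the check runs inside the domain controller's password filter (as in the linked AD write-up), make the network call fail closed or queue for later, because a directory that cannot reach the API should not silently accept anything.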
|
BrianRx posted:Also, a question. What is the rationale for advising against forcing users to reset their passwords periodically? Articles I've read claim they lead to easier-to-remember passwords that are less secure, but considering how common password reuse is and the fact that most people have probably had their login information leaked by some source or another, it would seem like a prudent way to keep people from using their LinkedIn password with their work credentials. They may not change it much, but surely a close match is better than an exact match? My team has deployed enterprise password managers like 1Password pretty much everywhere I've worked. Between being able to enforce master password requirements, 2FA, warning people if they use the same password between sites, and other security features it's a pretty good value add and mitigates some of your concerns about it being a single point of failure. Also when people inevitably share credentials for service accounts and the like, it gives them a better place to do it than a wiki page or Google Doc that they shared with the entire company.
|
# ? May 20, 2021 03:59 |
|
Having worked for the government on the other side of the house, where all these systems have rotating password requirements, it quickly leads to people just writing down their passwords on their desk, getting locked out and sharing accounts, and just iterating on passwords in a way that many password crackers are designed to exploit anyway. And, well, not actually being able to just do their job at all. I spent several nights at the nursing station waiting on hold with IT for hours, unable to do patient care; get up to help since we're super short staffed, whoops lol they hung up on me since I didn't answer and now it's 2-4 more hours of Cisco music. Luv 2 work at military hospitals. Just teach people to use a password manager with one good password and put 2FA on everything important. Blows my mind the DOD still hasn't considered password managers. Butter Activities fucked around with this message at 04:01 on May 20, 2021 |
# ? May 20, 2021 03:59 |
|
SMEGMA_MAIL posted:Having worked for the government on the other side of the house where all these systems have rotating password requirements it quickly leads to people just writing down their passwords on their desk, getting locked out and sharing accounts, and just iterating on passwords in a way that many password crackers are designed to exploit anyway. doesn't the DOD have CACs or whatever those cards are that make all that fairly redundant anyway?
|
# ? May 20, 2021 04:29 |
|
When I was contracting, literally every DOD and TSA computer I got near was CAC+username/password.
|
# ? May 20, 2021 04:47 |
|
Of course, not every office took opsec seriously and would just leave their CAC card in the reader all day, every day.
|
# ? May 20, 2021 04:48 |
|
RFC2324 posted:doesn't the DOD have CACs or whatever those cards are that make all that fairly redundant anyway? The CACs are set up to require a PIN to get to the login to enter a password. If you have no CAC, you don't do anything. What the CAC adds is that the vast majority* require their CACs to be checked against a live online CA to first check to see if the signing is good. Then it takes the CAC signature and checks to see where that user is supposed to be assigned physically. Office workers should be reporting to the office they are working at. It's more useful in the field: if a soldier's stolen CAC is used to try to get on a base on the east coast but that soldier has been set to "on leave" or assigned to another base somewhere else, the person holding the stolen card gets arrested immediately or instantly gets a gun pointed at their head if in a rough area abroad. It doesn't even need to check online all the time. It just has to reference which signatures were on base the last time it was updated. I can go into more, but I was the same way as you until I learned about the back end poo poo. If you want, you can even get the root CA certs and check out all the CAs you install. They like their backups (but still replace them when they retire card types). https://militarycac.com/dodcerts.htm EVIL Gibson fucked around with this message at 05:11 on May 20, 2021 |
# ? May 20, 2021 05:06 |
|
Yes, but all the systems, say, in healthcare or from random training vendors have nothing to do with the DOD system and thus don't integrate with the DOD domain and CAC system. Those all have goofy password schemes, and those, at least for someone like me who effectively worked just as a nurse would in a civilian hospital, were massive barriers to doing my job. Because it was very, very easy to lock yourself out of the charting system, since you had to constantly enter it and were in a hurry, and IT would take anywhere from 2-6 hours (I am not kidding) of you being on hold to unlock it, password sharing was basically required. All the 2FA and "policy" in the world can't compensate for making it impossible for users to follow good practices while doing anything that resembles their intended job, is my point. Butter Activities fucked around with this message at 05:33 on May 20, 2021 |
# ? May 20, 2021 05:29 |
|
EVIL Gibson posted:
It's funny, that is basically the only source on how to install DOD certs; at least in the Navy there was no official explanation or training on this, and it's hit or miss whether the certs are installed correctly on the DOD images we used. Easy for someone who understands basic cryptography at a high level and has used an SSH key before, not exactly easy for a random E-nothing to figure out. Which also meant that DOD personnel were trained to effectively click through and ignore certificate warnings.
|
# ? May 20, 2021 05:38 |
|
Volmarias posted:Password rotation comes from a back of the napkin calculation in the late 80s about how long it would take to crack the contents of a stolen passwd file. Not only is it no longer realistic to worry about someone cracking your password if the authentication mechanism isn't stupid as heck, but as mentioned it leads to password reuse, which means that it's the same password but with maybe 1 bit of entropy changed each time (hunter2 to hunter3, etc). NIST has now officially recommended that you not do this anymore.

SMEGMA_MAIL posted:Having worked for the government on the other side of the house where all these systems have rotating password requirements it quickly leads to people just writing down their passwords on their desk, getting locked out and sharing accounts, and just iterating on passwords in a way that many password crackers are designed to exploit anyway.

Cool, thanks for the answers all. So it isn't that rotated passwords are less secure, they just typically aren't different enough to make them more secure than static passwords and so are a waste of energy to enforce? Or am I still missing something? Seems like it would be trivial to check if a new password is a close fuzzy match of the old one.

Albinator posted:I don't see much wrong with the language on this one - maybe just "an unusual activity" is odd and would be better with "some", but I think plenty of native speakers wouldn't even pick up on it. It's miles more convincing than most.

I might be being too critical because it was presented as fake, but the phrase you pointed out stuck out, as did the URL ending "servicing" (vs "service"). I agree that it's very convincing, which is why I commented. The only other tell is the transposed domain the email was sent from, which I probably wouldn't have noticed if it was in my inbox. I'm super anal about language (not that I'm a great writer), so I think the phrasing would still have given me pause.
|
# ? May 20, 2021 09:36 |
|
BrianRx posted:Cool, thanks for the answers all. So it isn't that rotated passwords are less secure, they just typically aren't different enough to make them more secure than static passwords and so are a waste of energy to enforce? Or am I still missing something? Seems like it would be trivial to check if a new password is a close fuzzy match of the old one. It's far more difficult to keep thinking of new strong passwords every few weeks than it is to think of one really long strong one. Inevitably people start adding numbers, etc. There was a study done on password databases that contained history and the entropy of passwords decreases the older the account becomes.
|
# ? May 20, 2021 10:20 |
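The "close fuzzy match of the old one" check BrianRx asks about is feasible at the moment of change, when the user types both the old and the new password and the server has them in plaintext; it is not feasible against a stored history of salted hashes, which is one reason the screening NIST now recommends targets breached-password lists rather than rotation. Added example, not any poster's code: the normalization rules (case folding, stripping leading and trailing digits and symbols, undoing common leet substitutions) and the edit-distance threshold of 2 are my own assumptions, chosen to catch the hunter2 to hunter3 pattern the thread describes.

```python
import re

# Assumed leet map: the substitutions rotation-weary users reach for.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Collapse the tweaks people make at rotation time so hunter2, Hunter3 and
    hunt3r! all compare as 'hunter'. Falls back to the lowercased input if
    stripping leaves nothing (all-digit passwords)."""
    s = pw.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)  # drop leading/trailing digits and symbols
    s = s.translate(LEET)
    return s or pw.lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) with a two-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def too_similar(old: str, new: str, max_distance: int = 2) -> bool:
    """Reject a new password that is the old one with cosmetic changes:
    identical after normalization, one contained in the other, or within
    max_distance edits. Both plaintexts must be available, i.e. this runs
    in the change-password handler, not against a hash history."""
    a, b = normalize(old), normalize(new)
    if a == b:
        return True
    short, long_ = sorted((a, b), key=len)
    if len(short) >= 4 and short in long_:
        return True
    return levenshtein(a, b) <= max_distance


if __name__ == "__main__":
    for old, new in [("hunter2", "hunter3"),
                     ("Winter2020!", "Winter2021!"),
                     ("Password1", "Passw0rd2"),
                     ("hunter2", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: too similar = {too_similar(old, new)}")
```

The check is a heuristic, and a determined user can always defeat it with an unrelated weak password, which is why the thread's advice (drop forced rotation, screen against breached lists, hand people a password manager) does more than any similarity rule. Where you do keep it, log rejections rather than the passwords themselves.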
|
well that's the last time I try to be helpful. later
|
# ? May 20, 2021 12:39 |
|
EVIL Gibson posted:well that's the last time I try to be helpful. later I have no idea how you interpreted that as an attack on you in an any way but go off.
|
# ? May 20, 2021 12:56 |
|
I honestly haven't thought about non-corporate windows machines in forever and my friend asked me yesterday if he needs anything above and beyond MS Defender on his new laptop. Last I remember reading Defender was pretty legit and a good standalone protection; is this still the recommendation?
|
# ? May 20, 2021 14:14 |
|
We already know frequently rotating passwords is bad and encourages poor passwords, so when the DOD will catch up with reality we'll never know.
|
# ? May 20, 2021 14:16 |
|
Martytoof posted:I honestly haven't thought about non-corporate windows machines in forever and my friend asked me yesterday if he needs anything above and beyond MS Defender on his new laptop. Last I remember reading Defender was pretty legit and a good standalone protection; is this still the recommendation? Antivirus sucks, Defender is the best of a bad bunch because it's free, comes with your OS, and is decently effective. I believe that's the recommendation.
|
# ? May 20, 2021 14:17 |
|
Martytoof posted:I honestly haven't thought about non-corporate windows machines in forever and my friend asked me yesterday if he needs anything above and beyond MS Defender on his new laptop. Last I remember reading Defender was pretty legit and a good standalone protection; is this still the recommendation? Don't set them up as a local admin, leave Defender running and don't turn off UAC. Also don't give them the admin password if, uh, they're a certain age.
|
# ? May 20, 2021 14:21 |
|
Cup Runneth Over posted:Antivirus sucks, Defender is the best of a bad bunch because it's free, comes with your OS, and is decently effective. I believe that's the recommendation. +1 for Defender. It's good enough for all intents and purposes. Also, as stated above, remove admin rights. If it's a kid, set up the Microsoft Parental Controls app.
|
# ? May 20, 2021 14:21 |
|
Sorry, to clarify: I'm not doing any tech support for my friend, they just wanted to know if they should invest in anything besides Defender. Beyond that basic recommendation I'm not sticking my fingers anywhere near being "the computer guy". But yeah, sounds like it's still on par with what I remembered. Defender should be sufficient, but ain't nothing going to stop someone who's just being reckless. This is a grad student so I'm hoping they have some common sense, but I guess we all find ways to be surprised. some kinda jackal fucked around with this message at 14:31 on May 20, 2021 |
# ? May 20, 2021 14:29 |
|
Martytoof posted:Sorry to clarify I'm not doing any tech support for my friend, they just wanted to know if they should invest in anything besides defender. Beyond that basic recommendation I'm not sticking my fingers anywhere near being "the computer guy" Defender, alongside uBlock Origin on their Chrome should catch 90% of the poo poo thrown at them. Make sure they have the Windows Reputation-based protection enabled too:
|
# ? May 20, 2021 15:21 |
|
What's the recommended software for full volume encryption?
|
# ? May 20, 2021 17:07 |
|
Whatever your operating system uses by default (bitlocker, luks, etc)
|
# ? May 20, 2021 17:31 |
|
Rufus Ping posted:Whatever your operating system uses by default (bitlocker, luks, etc) My computer doesn't appear to have a TPM, which Bitlocker complains about. That a problem?
|
# ? May 20, 2021 17:35 |
|
Cup Runneth Over posted:My computer doesn't appear to have a TPM, which Bitlocker complains about. That a problem? Is someone stealing your HD to crack it at their leisure a realistic concern? If not, no, you probably don't need a TPM.
|
# ? May 20, 2021 17:49 |
|
|
Rufus Ping posted:Whatever your operating system uses by default (bitlocker, luks, etc) If we're talking about the system drive itself, then yes, this is the best option by far. For an external drive or a USB stick or something like that, Veracrypt works extremely well, and your encrypted device can even be portable between OSes.
|
# ? May 20, 2021 17:58 |
|
|
Volmarias posted:Is someone stealing your HD to crack it at their leisure a realistic concern? If not, no, you probably don't need a TPM. Realistic? No, probably not. Possible? Why else would you encrypt your hard drive? evil_bunnY posted:What's the threat? I guess local law enforcement busting down my door to confiscate my collection of illicit IRA pepes as evidence in a criminal trial for resisting arrest. But truthfully it just feels like a thing I should get around to.
|
# ? May 20, 2021 18:12 |