The actual problem with not having a TPM is Microsoft wanting to make it a Windows requirement, not just for BitLocker or Secure Boot, but because they lean on it heavily for license management now. Edit: it's required now for Windows Server, and like very strongly encouraged for Windows 10. Without it you have to do some stuff to keep things like Office licenses active. text editor fucked around with this message at 18:36 on May 20, 2021
# ? May 20, 2021 18:34 |
|
|
Cup Runneth Over posted:Realistic? No, probably not. Possible? Why else would you encrypt your hard drive? To be clear, I meant more in the sense of "clone the disk image and replace it" vs "some jackass steals the whole computer and someone wants to get data off" or "I want to recycle this computer but I don't want to deal with making a DBAN boot to wipe it" Basically, if you aren't actually worried about specific sensitive IP you're probably fine just doing FDE without a TPM module?
|
# ? May 20, 2021 18:37 |
|
https://www.wired.com/story/the-full-story-of-the-stunning-rsa-hack-can-finally-be-told/
|
# ? May 20, 2021 18:38 |
|
Volmarias posted:To be clear, I meant more in the sense of "clone the disk image and replace it" vs "some jackass steals the whole computer and someone wants to get data off" or "I want to recycle this computer but I don't want to deal with making a DBAN boot to wipe it" Gotcha, thanks!
|
# ? May 20, 2021 18:46 |
|
Volmarias posted:I'm not a lawyer, but I assume that since it's his product, he's pretty publicly announcing this, and the onus is on Cellebrite to fix their poo poo, they have no leg to stand on. On the other hand, their clients are cops so he might get raided and have his entire everything ransacked and stolen as revenge and then be shot for "resisting arrest" so who knows. There's an interview with Moxie where he says he is often detained at airports for hours at a time, often for no reason at all other than who he is. He seems pretty unfazed by it at this point.
|
# ? May 20, 2021 19:23 |
|
Anyone have a good list of mandatory controls for enterprise devices (laptops, desktops, mobile, etc.) that aligns to NIST and/or ISO 27001? Best I can find is this and maybe the NIST doc on mobile. https://www.nist.gov/itl/smallbusinesscyber/securing-data-devices https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf
|
# ? May 21, 2021 20:28 |
|
evil_bunnY posted:https://www.wired.com/story/the-full-story-of-the-stunning-rsa-hack-can-finally-be-told/ lol: quote:On that Australian employee’s PC, someone had used a tool that pulled credentials out of the machine's memory and then reused those usernames and passwords to log into other machines on the network. They’d then scraped those computers’ memories for more usernames and passwords—finding some that belonged to more privileged administrators. The hackers eventually got to a server containing hundreds of users’ credentials. Today that credential-stealing hopscotching technique is common. But in 2011 the analysts were surprised to see how the hackers fanned out across the network. “It was really just the most brutal way to blow through our systems that I’d ever seen,” Duane says. The Cuckoo's Egg was written 20 years before that attack, probably before most of the IT people involved started their careers and there were about 10 computers in the whole of China. The whole book boils down to credential hopping, except far slower because it was one hacker reading emails over a 1200 baud modem. Also lol that the company that made the 2-factor security tokens apparently didn't use them themselves.
|
# ? May 21, 2021 22:48 |
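The "credential-stealing hopscotching" the Wired excerpt describes leaves a very recognisable shape in authentication logs: one source machine, a growing set of target hosts, and after the memory scrape a second (more privileged) account appearing from the same source. The script below is an added detection example, not code from the article or from anyone in the thread. The event records are constructed and hypothetical; they are shaped like Windows Security event 4624 (successful logon), where LogonType 3 is a network logon, 10 is RDP and 2 is a console logon. The thresholds and window sizes are assumptions to tune against your own baseline.

```python
"""Detect credential 'hopscotching': one account (or one source machine using
several accounts) reaching many hosts over the network in a short window.
Added example; not from the Wired article or the thread. The records below
are constructed and hypothetical, shaped like Windows Security event 4624
(successful logon) with LogonType 3 = network, 10 = RDP, 2 = console."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, event_id, logon_type, account, source_ip, target_host)
SAMPLE_EVENTS = [
    ("2011-03-01T09:00:05", 4624, 3, "AUS\\jsmith", "10.20.1.15", "AUS-WS-0042"),
    ("2011-03-01T09:00:41", 4624, 3, "AUS\\jsmith", "10.20.1.15", "AUS-FS-01"),
    ("2011-03-01T09:01:12", 4624, 3, "AUS\\jsmith", "10.20.1.15", "AUS-PRINT-01"),
    ("2011-03-01T09:01:50", 4624, 3, "AUS\\jsmith", "10.20.1.15", "AUS-SQL-02"),
    ("2011-03-01T09:02:30", 4624, 3, "AUS\\jsmith", "10.20.1.15", "AUS-DC-01"),
    # A second, more privileged account now appears from the same workstation:
    # what you would expect after credentials were pulled from its memory.
    ("2011-03-01T09:03:00", 4624, 3, "CORP\\svc_backup", "10.20.1.15", "AUS-FS-01"),
    ("2011-03-01T09:03:20", 4624, 3, "CORP\\svc_backup", "10.20.1.15", "AUS-FS-02"),
    ("2011-03-01T09:03:40", 4624, 3, "CORP\\svc_backup", "10.20.1.15", "AUS-DC-01"),
    ("2011-03-01T09:04:00", 4624, 3, "CORP\\svc_backup", "10.20.1.15", "CORP-DC-01"),
    ("2011-03-01T09:04:30", 4624, 3, "CORP\\svc_backup", "10.20.1.15", "CORP-AUTH-01"),
    ("2011-03-01T09:05:00", 4624, 3, "CORP\\svc_backup", "10.20.1.15", "CORP-SQL-01"),
    # Benign: a normal user hitting two file shares over the morning.
    ("2011-03-01T09:00:00", 4624, 3, "CORP\\mjones", "10.30.2.7", "CORP-FS-01"),
    ("2011-03-01T10:30:00", 4624, 3, "CORP\\mjones", "10.30.2.7", "CORP-FS-02"),
    # Console logon (type 2) is not network movement and is ignored.
    ("2011-03-01T09:00:10", 4624, 2, "AUS\\jsmith", "-", "AUS-WS-0042"),
]

NETWORK_LOGON_TYPES = {3, 10}


def parse(events):
    """Turn the raw tuples into dicts sorted by time."""
    parsed = [
        {"ts": datetime.fromisoformat(ts), "event_id": eid, "logon_type": lt,
         "account": acct, "src": src, "dst": dst}
        for ts, eid, lt, acct, src, dst in events
    ]
    return sorted(parsed, key=lambda e: e["ts"])


def network_logons(events):
    """Only successful network-style logons matter for lateral movement."""
    return [e for e in parse(events)
            if e["event_id"] == 4624 and e["logon_type"] in NETWORK_LOGON_TYPES]


def _windowed_union(evs, window, field, threshold):
    """Slide a time window over time-sorted events; whenever the distinct
    values of `field` inside the window reach `threshold`, add them to the
    result. Returns a sorted tuple (empty if the threshold is never met)."""
    flagged, start = set(), 0
    for end in range(len(evs)):
        while evs[end]["ts"] - evs[start]["ts"] > window:
            start += 1
        values = {e[field] for e in evs[start:end + 1]}
        if len(values) >= threshold:
            flagged |= values
    return tuple(sorted(flagged))


def fan_out_alerts(events, window=timedelta(minutes=10), min_hosts=4):
    """One account from one source touching >= min_hosts distinct targets
    within `window`: lateral movement with a reused credential."""
    by_key = defaultdict(list)
    for e in network_logons(events):
        by_key[(e["account"], e["src"])].append(e)
    alerts = []
    for (account, src), evs in by_key.items():
        hosts = _windowed_union(evs, window, "dst", min_hosts)
        if hosts:
            alerts.append((account, src, hosts))
    return alerts


def multi_account_sources(events, window=timedelta(minutes=30), min_accounts=2):
    """Sources from which >= min_accounts distinct accounts logged on over the
    network within `window`: consistent with credentials being dumped from
    that machine's memory and replayed (the escalation step in the article)."""
    by_src = defaultdict(list)
    for e in network_logons(events):
        by_src[e["src"]].append(e)
    return {src: accts for src, evs in by_src.items()
            if (accts := _windowed_union(evs, window, "account", min_accounts))}


if __name__ == "__main__":
    for account, src, hosts in fan_out_alerts(SAMPLE_EVENTS):
        print(f"FAN-OUT  {account} from {src} -> {len(hosts)} hosts: {', '.join(hosts)}")
    for src, accts in multi_account_sources(SAMPLE_EVENTS).items():
        print(f"HARVEST? {src} used {len(accts)} accounts: {', '.join(accts)}")
```

The two rules are deliberately keyed differently: `fan_out_alerts` groups on (account, source) so a single stolen credential stands out, while `multi_account_sources` groups on source alone so the moment a workstation starts authenticating as somebody new is visible even if each account individually stays under the fan-out threshold. Real 4624 events carry the fields used here (TargetUserName, IpAddress, LogonType, Computer) under different names; mapping them is the only adaptation needed.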
|
EVIL Gibson posted:well that's the last time I try to be helpful. later apropos of nothing I really like your cute borg avatar
|
# ? May 21, 2021 22:52 |
|
Fun one, but who has their vCenter exposed to the internet...? Why..? https://arstechnica.com/gadgets/2021/05/vulnerability-in-vmware-product-has-severity-rating-of-9-8-out-of-10/
|
# ? May 26, 2021 04:02 |
|
Internet Explorer posted:Fun one, but who has their vCenter exposed to the internet...? Why..? they had a similar plug-in based vulnerability earlier this year. what’s old is new again. last one had a public POC less than 24 hours after being disclosed!
|
# ? May 26, 2021 04:13 |
|
Internet Explorer posted:Fun one, but who has their vCenter exposed to the internet...? Why..? While I would think most orgs wouldn't expose this to the internet, most orgs are so flat that an attacker would simply need a pivot point inside the perimeter. I would patch that pronto or take other measures.
|
# ? May 26, 2021 04:32 |
|
Sickening posted:While I would think most orgs wouldn't expose this to the internet, most orgs are so flat that an attacker would simply need a pivot point inside the perimeter. I would patch that pronto or take other measures. It's this. In most orgs there's little to no network segmentation between your management network and your corp networks.
|
# ? May 26, 2021 04:33 |
|
For sure, I get that, but in the article they mention that there's a bunch of public facing vCenter servers on Shodan. Amazing.
|
# ? May 26, 2021 04:45 |
|
Internet Explorer posted:For sure, I get that, but in the article they mention that there's a bunch of public facing vCenter servers on Shodan. Amazing. Shodan is an amazing tool. I especially like to show people living, breathing examples of stupidity in order to scare them into compliance.
|
# ? May 26, 2021 04:52 |
|
Sickening posted:Shodan is an amazing tool. I especially like to show people living, breathing examples of stupidity in order to scare them into compliance. Turn on your monitor the next time you do it though
|
# ? May 26, 2021 04:53 |
|
Internet Explorer posted:Fun one, but who has their vCenter exposed to the internet...? Why..? You know all those things that say "Do not expose to the internet", like vSphere, or Jenkins, or Redis, or k8s. People don't read that and just deploy.
|
# ? May 26, 2021 10:21 |
|
Internet Explorer posted:Fun one, but who has their vCenter exposed to the internet...? Why..? I see it with frightening regularity in the hosting world, since customers are basically giant C-levels and can demand whatever dumb insecure poo poo they want because security is so inconvenient. Like, I had to roll back a VPN security update a few weeks back to a known insecure version because they didn't want to deal with making remote workers update their clients. This was for a hospital's systems.
|
# ? May 26, 2021 16:04 |
|
I think that when you get to a certain size, "not publicly accessible" stops being real meaningful. If 20k people have access to your internal network, how safe can it be?
|
# ? May 26, 2021 22:12 |
|
Those 20k people are all on company provided devices with associated controls and usually don't have a desire to gently caress around where they aren't supposed to. Compared to the internet even a large corporate network is downright sterile
|
# ? May 26, 2021 22:17 |
|
not to mention the fact that you shouldn't have 20k people able to hit your vcenter directly anyway, that should probably be on a secured segment of its own
|
# ? May 26, 2021 23:27 |
|
RFC2324 posted:not to mention the fact that you shouldn't have 20k people able to hit your vcenter directly anyway, that should probably be on a secured segment of its own as I routinely remind people at work, we don't ship "should", we ship "do"
|
# ? May 26, 2021 23:49 |
|
Subjunctive posted:as I routinely remind people at work, we don't ship "should", we ship "do" I'm stealing this phrase. Thanks.
|
# ? May 27, 2021 00:17 |
|
Subjunctive posted:as I routinely remind people at work, we don't ship "should", we ship "do" that's a giant and accurate oof
|
# ? May 27, 2021 01:13 |
|
Ynglaur posted:I'm stealing this phrase. Thanks. may it bring you more success than it's brought me
|
# ? May 27, 2021 01:17 |
|
The Fool posted:Those 20k people are all on company provided devices with associated controls and usually don't have a desire to gently caress around where they aren't supposed to Yeah, your vCenter should be on an isolated management network only admins can reach, and anybody on your corp network should be on a controlled device that either is on the corp network or on VPN to get to the corp network. Subjunctive posted:as I routinely remind people at work, we don't ship "should", we ship "do" Oof, bit of truth indeed.
|
# ? May 27, 2021 03:39 |
|
Subjunctive posted:as I routinely remind people at work, we don't ship "should", we ship "do" Subjunctive posted:may it bring you more success than it's brought me
|
# ? May 27, 2021 15:06 |
|
evil_bunnY posted:Nobody's paying for that except FAANG, banks and a select few others tho. Oh sure, which is why "we don't have to worry about X because Team Q should be doing Y" is the form of question I try to guide people away from, towards "does Team Q actually do Y or do we need to worry about X?" This is the case even at places that generally pay for more adherence to "should", since it's not always just paying for it that is necessary.
|
# ? May 27, 2021 17:32 |
|
Subjunctive posted:Oh sure, which is why "we don't have to worry about X because Team Q should be doing Y" is the form of question I try to guide people away from, towards "does Team Q actually do Y or do we need to worry about X?" This is the case even at places that generally pay for more adherence to "should", since it's not always just paying for it that is necessary. Never forget the "if X happened, Team Q would be the prime suspects (and they wouldn't like that)" angle. Also users are the worst and they will break any guidelines eventually. So make sure they can't. Network segments are one tool here.
|
# ? May 27, 2021 19:25 |
|
lol when I worked for an MSSP in a previous life you have no idea how many times we were used as a "logging and monitoring" checkmark when all a client wanted to pay for was sending /var/log/secure to our bog standard SIEM. "why yes our environment is logged* and monitored*" I resigned after six months. Imagine having your fingerprints anywhere near that dumpster fire some kinda jackal fucked around with this message at 19:30 on May 27, 2021
# ? May 27, 2021 19:26 |
|
Subjunctive posted:Oh sure, which is why "we don't have to worry about X because Team Q should be doing Y" is the form of question I try to guide people away from, towards "does Team Q actually do Y or do we need to worry about X?"
|
# ? May 27, 2021 21:27 |
|
A service team today tried to tell my Security team that the XSS we ticketed them about "wasn't really an issue because users would see it was a strange URL and not click it." That conversation went about as well for them from that point forward as you'd expect.
|
# ? May 27, 2021 22:06 |
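"Users would see it was a strange URL" is the argument the service team made, so it is worth seeing both why it fails and what the fix actually is. The following is an added example and not the service from the post (which is not described); the handler, URL and payload are constructed. It shows a reflected XSS in a search page beside its hardened form, where the only change is context-aware HTML entity encoding of the echoed parameter, plus the link as it would actually reach a user: percent-encoded, with no angle brackets or quotes visible in it.

```python
"""Reflected XSS: the vulnerable handler beside its fixed form.
Added example; the service in the thread is not described, so the handler,
hostname (search.example.test) and payload here are all constructed."""
from html import escape
from urllib.parse import parse_qs, quote, urlsplit


def _q_param(url):
    """Extract the 'q' parameter the way a framework would hand it to a view
    (already percent-decoded)."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(url):
    """Echoes 'q' straight into an attribute and the page body: the bug the
    ticket was about. Any quote or angle bracket in q becomes markup."""
    q = _q_param(url)
    return f'<input name="q" value="{q}"><p>Results for {q}</p>'


def render_fixed(url):
    """Same page with entity encoding. quote=True also turns \" and ' into
    entities, so the value="" attribute context cannot be broken out of."""
    safe = escape(_q_param(url), quote=True)
    return f'<input name="q" value="{safe}"><p>Results for {safe}</p>'


# Constructed payload: closes the attribute, then injects a script element.
PAYLOAD = '"><script>alert(1)</script>'


def attacker_url(base="https://search.example.test/results"):
    """The link as it is actually delivered: percent-encoded, so the parts a
    user might recognise as markup ('<', '>', '\"') are not visible at all."""
    return f"{base}?q={quote(PAYLOAD, safe='')}"


def is_reflected_unescaped(rendered, payload=PAYLOAD):
    """Cheap regression check a test suite can keep: the raw payload must
    never appear verbatim in the response."""
    return payload in rendered


if __name__ == "__main__":
    link = attacker_url()
    print("link a user receives :", link)
    print("vulnerable response  :", render_vulnerable(link))
    print("fixed response       :", render_fixed(link))
```

The browser percent-decodes the query string before the server ever sees it, so the "strange" characters exist only inside the request, never in what the user reads; a shortener or an open redirect hides even the hostname. Encoding on output is what closes the ticket, and `is_reflected_unescaped` is the kind of assertion that keeps it closed.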
|
DrDork posted:"wasn't really an issue because users would see it was a strange URL and not click it." we've solved phishing
|
# ? May 27, 2021 22:08 |
|
Serious Hardware / Software Crap › The Infosec Thread: users would see it was a strange URL and not click it
|
# ? May 27, 2021 22:10 |
|
I found a Cisco admin console in Shodan in my org's ASN, exposed to the world under a public IP. I reached out to one of the network guys, who pointed me to a specific network admin. When I told him it was exposed, he argued. Fine. I show him proof and he still argues. His reasoning? He can't get to it. I then have to explain routing tables and NAT to a person whose job is to do network things. Enjoy doing that in off hours fuckstick.
|
# ? May 27, 2021 22:12 |
|
Martytoof posted:I resigned after six months. Imagine having your fingerprints anywhere near that dumpster fire
|
# ? May 27, 2021 23:23 |
|
Has anyone done a SABSA course/exam? The material looks interesting and in line with my current responsibilities. It seems like it might be less of a worthless piece of paper than CISSP was. E: Worthless in the useful sense, not monetary sense
|
# ? May 28, 2021 00:13 |
|
Sickening posted:I found a cisco admin console in shodan in my orgs ASN, exposed to the world under a public IP. I reached out to one of the network guys, who pointed me to a specific network admin. When I told him it was exposed, he argued. Fine. I show him proof and he still argues. His reasoning? He can't get to it. I then have to explain routing tables and nat to a person whose job is to do network things. I have a couple of clients I found on Shodan, most cleared up my findings quick, except one who said it was okay because he was the only one who knew. Was fun when I showed him it on the public net, on Shodan, in front of his manager. He didn't know what Shodan was. CommieGIR fucked around with this message at 02:40 on May 28, 2021
# ? May 28, 2021 02:37 |
What is this Shodan you guys are speaking of and how can I incorporate it into my infosec lifestyle?
|
# ? May 28, 2021 15:08 |
|
cage-free egghead posted:What is this Shodan you guys are speaking of and how can I incorporate it into my infosec lifestyle? https://www.shodan.io/ A webcrawler for all the exposed services and servers out there on the world wide web
|
# ? May 28, 2021 15:11 |
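Putting the two Shodan posts above into practice (searching your own ASN for management consoles, then turning hits into findings someone can't argue with), here is an added example that is not from the thread or from Shodan. It does no network access: the records are constructed to have the shape of a Shodan host result (`ip_str`, `port`, `product`, `http.title`) and the prefixes and AS number come from the documentation-reserved ranges. The `asn:` filter the query builder emits is a real Shodan search filter; everything else (the prefixes, the marker list, the sample hosts) is an assumption to replace with your own.

```python
"""Triage a Shodan-style export against an organisation's own address space.
Added example, not from the thread. Records, prefixes and AS number are
constructed (documentation ranges); field names follow the shape of a Shodan
host result but nothing here talks to Shodan."""
import ipaddress

# Constructed: the address space the organisation announces (hypothetical)
ORG_PREFIXES = ["198.51.100.0/24", "203.0.113.0/25"]

# Things whose docs say "do not expose to the internet". Matched as lowercase
# substrings of product + HTTP title, so keep markers specific enough not to
# collide with ordinary words.
MANAGEMENT_MARKERS = ["vcenter", "vsphere", "esxi", "jenkins", "redis",
                      "kubernetes", "cisco", "idrac", "ipmi"]

# Constructed records shaped like Shodan results
SAMPLE_RESULTS = [
    {"ip_str": "198.51.100.23", "port": 443, "product": "VMware vCenter",
     "http": {"title": "vSphere Client"}},
    {"ip_str": "198.51.100.44", "port": 443, "product": "nginx",
     "http": {"title": "Corporate site"}},
    {"ip_str": "203.0.113.9", "port": 8443, "product": "",
     "http": {"title": "Cisco Adaptive Security Appliance"}},
    {"ip_str": "203.0.113.200", "port": 22, "product": "OpenSSH", "http": {}},  # outside the /25
    {"ip_str": "192.0.2.10", "port": 6379, "product": "Redis key-value store", "http": {}},  # not ours
    {"ip_str": "198.51.100.77", "port": 6379, "product": "Redis key-value store", "http": {}},
]


def shodan_query(asn):
    """The search you would paste into Shodan to list everything it has seen
    in your AS; 'asn:' is a standard Shodan filter."""
    return f"asn:{asn}"


def in_org_space(ip, prefixes=ORG_PREFIXES):
    """True when `ip` falls inside one of our prefixes (proper CIDR maths, not
    string prefix matching, so 203.0.113.200 is correctly outside the /25)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def looks_like_management(record, markers=MANAGEMENT_MARKERS):
    """Return the markers that match this record's product or HTTP title."""
    http = record.get("http") or {}
    haystack = f"{record.get('product') or ''} {http.get('title') or ''}".lower()
    return [m for m in markers if m in haystack]


def triage(results, prefixes=ORG_PREFIXES):
    """Findings as (ip, port, matched markers) for hosts in our space that
    expose a management-plane product; sorted so the report is stable."""
    findings = []
    for r in results:
        if not in_org_space(r["ip_str"], prefixes):
            continue
        markers = looks_like_management(r)
        if markers:
            findings.append((r["ip_str"], r["port"], tuple(markers)))
    return sorted(findings)


if __name__ == "__main__":
    print("query:", shodan_query("AS64500"))
    for ip, port, markers in triage(SAMPLE_RESULTS):
        print(f"EXPOSED {ip}:{port}  ({', '.join(markers)})")
```

The routing argument from the network admin ("I can't get to it") is exactly what `in_org_space` plus Shodan's own observation answers: Shodan reached it from the outside, and the address sits in a prefix you announce, so it is reachable whether or not your internal path to it works.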
|
|