|
evil_bunnY posted:Somebody will 100% enable it with no sensible rules. The policy should be only specific ports needed for app functionality. I feel like in these scenarios you need a control like group policy to make sure the service is always enabled and be turned back on automatically if its turned off. You also want something to alert you when someone disables the firewall so you can take actions.
|
#
?
Jun 30, 2021 16:30
|
|
|
|
| # ? May 25, 2024 17:37 |
|
|
Sickening posted:I feel like in these scenarios you need a control like group policy to make sure the service is always enabled and be turned back on automatically if its turned off. You also want something to alert you when someone disables the firewall so you can take actions. A lot of places do this, or the Windows Firewall is overridden/replaced by the EDR/AV solution.
|
|
#
?
Jun 30, 2021 17:40
|
|
|
Jesus christ:quote:Researchers from the cybersecurity company Sangfor, who were preparing to present a paper on Print Spooler bugs at a forthcoming Black Hat conference in August 2021, seem to have decided that it would be safe to disclose their proof-of-concept work earlier than intended. https://nakedsecurity.sophos.com/2021/06/30/printnightmare-the-zero-day-hole-in-windows-heres-what-to-do/
|
|
#
?
Jul 1, 2021 01:19
|
|
|
My new Cyber overlords asked us to ensure the spooler service was disabled on our DCs only.
|
|
#
?
Jul 1, 2021 01:23
|
|
|
droll posted:My new Cyber overlords asked us to ensure the spooler service was disabled on our DCs only. Several resources were recommending that pretty heavily in the past month or so. MCAS was listing it as a Identity Security Posture item for a bit as well. It shows at least the bare minimum of research was done. Lmao if something endpoint related starts loving people.
|
|
#
?
Jul 1, 2021 01:34
|
|
|
Watch businesses around the globe moan and bitch for days about "security teams" since they can't print poo poo now for a bit.
|
|
#
?
Jul 1, 2021 07:53
|
|
|
Sickening posted:I feel like in these scenarios you need a control like group policy to make sure the service is always enabled and be turned back on automatically if its turned off. You also want something to alert you when someone disables the firewall so you can take actions.
|
|
#
?
Jul 1, 2021 08:57
|
|
|
Is the print spooler service enabled by default in e.g.home laptops? Would this bug require network access to exploit?
|
|
#
?
Jul 1, 2021 11:17
|
|
|
It's auto-startup on every windows AFAIK. One thing I don't understand is how everyone keeps talking about printnightmare being a DC-specific thing.
|
|
#
?
Jul 1, 2021 13:48
|
|
|
At a guess it's bad, but on a DC it's really bad
|
|
#
?
Jul 1, 2021 13:57
|
|
|
Thanks Ants posted:At a guess it's bad, but on a DC it's really bad
|
|
#
?
Jul 1, 2021 14:08
|
|
|
If I'm reading this right:cert.org posted:can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges The "authenticated user" part means you you need a valid user identity for the attack, right? And a domain controller has the identities for everyone in your domain. Some of which are probably already compromised by hackers, but they haven't been able to do anything with a login for JoeShmo the intern. Whereas your database server shouldn't know who JoeShmo is. And that's why it's not being reported as a big deal for home users, because Ynglaur posted:Is the print spooler service enabled by default in e.g.home laptops? Would this bug require network access to exploit? Klyith fucked around with this message at 14:40 on Jul 1, 2021 |
|
#
?
Jul 1, 2021 14:36
|
|
|
The way I tested it in my homelab it required an authenticated user, its a bigger issue in that its instant privilege escalation from there.
|
|
#
?
Jul 1, 2021 15:06
|
|
|
Thanks Klyith.
|
|
#
?
Jul 1, 2021 15:45
|
|
|
https://arstechnica.com/gadgets/2021/07/google-play-dumps-apks-for-the-more-google-controlled-android-app-bundle/ E: Googles own blog, not that it's making this look any better. https://android-developers.googleblog.com/2021/06/the-future-of-android-app-bundles-is.html starting in august google requires you give them the signing key for all new apps on play store, definitely for the fraction of a percent it saves them in bandwidth and definitely not so they can comply with NSLs from multiple countries in order to deliver targeted malware to individuals of state interest. i, for one, am happy with the new reality that the entire google ecosystem is going to be secured by one underpaid AT&T customer service rep. 2FA: Something you have ($15) something you know (The target's phone number) There are absolutely ways to do this that work correctly such as requiring a legacy .apk version if you're targeting older phones that don't support their new format, or some code added to AndroidStudio that creates and includes detached signatures for the expected potential combinations (supported languages * architectures, basically) But that doesn't give them the ability to inset their code into everything published through them, which is a massive "whoopsie!" on their part that they're correcting. Harik fucked around with this message at 05:28 on Jul 2, 2021 |
|
#
?
Jul 2, 2021 05:02
|
|
|
Sickening posted:Several resources were recommending that pretty heavily in the past month or so. MCAS was listing it as a Identity Security Posture item for a bit as well. It shows at least the bare minimum of research was done. Cyber is asking that we disable write access to /system32/spooler/drivers on all print servers and endpoints now, apparently this allows users to print but not be exploited.
|
|
#
?
Jul 2, 2021 16:34
|
|
|
droll posted:Cyber is asking that we disable write access to /system32/spooler/drivers on all print servers and endpoints now, apparently this allows users to print but not be exploited. Can you link me the article they are following? I found a blog post about it and its becoming a loving chore to implement it because its not coming from a major source.
|
|
#
?
Jul 2, 2021 16:38
|
|
|
The meeting they scheduled is for Tuesday next week, I don't have any additional info. I don't know if they're following published shared knowledge or if this solution was homegrown. I asked for a copy of the GPO config they want pushed, because we are a recent acquisition (small company) by their very big company and they must already be doing this across 10,000x more workstations than me. But I probably won't have any more til next week. Security is very important but 3 day summer holidays are more important.
|
|
#
?
Jul 2, 2021 16:41
|
|
|
fwiw microsoft published official guidance: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 Option 2 has been reported as working for workstations.
|
|
#
?
Jul 2, 2021 17:08
|
|
|
Kaseya falls. Supply chains are useful.
|
|
#
?
Jul 2, 2021 20:30
|
|
|
whimsicaltelegraph posted:Kaseya falls. Supply chains are useful. The somewhat panicky, information light "advisory" quote:Important Notice July 2nd, 2021 https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
|
|
#
?
Jul 2, 2021 20:50
|
|
|
THIS IS NOT WHAT I HAD IN MIND WHEN I SAID I WANT A LONG WEEKEND
|
|
#
?
Jul 2, 2021 21:12
|
|
|
Harik posted:https://arstechnica.com/gadgets/2021/07/google-play-dumps-apks-for-the-more-google-controlled-android-app-bundle/ I wonder what this means for fdroid
|
|
#
?
Jul 2, 2021 21:40
|
|
|
Tryzzub posted:THIS IS NOT WHAT I HAD IN MIND WHEN I SAID I WANT A LONG WEEKEND New thread title please.
|
|
#
?
Jul 2, 2021 21:53
|
|
|
Ynglaur posted:New thread title please. 
|
|
#
?
Jul 2, 2021 21:57
|
|
|
are you sure you're on the right account?
|
|
#
?
Jul 2, 2021 22:10
|
|
|
I hope not! re: Kaseya word on the street from an MDR friend is that it is in fact bad.
|
|
#
?
Jul 2, 2021 22:57
|
|
|
Tryzzub posted:I hope not! Hearing Ransomware rumors from some of my friends. No substantiation of course. Keep waiting for it to happen to TCS E: Hey, look who's back https://twitter.com/BleepinComputer/status/1411051117329457153?s=20
|
|
#
?
Jul 2, 2021 23:09
|
|
|
lol MSP bloodbath
|
|
#
?
Jul 3, 2021 00:36
|
|
|
I don't feel like I really understood what the implications are. Could somebody explain it to me like I'm a five year old who can code?
|
|
#
?
Jul 3, 2021 00:49
|
|
|
RFC2324 posted:are you sure you're on the right account? Looks like we finally solved the mystery of who NSA wizard really is.
|
|
#
?
Jul 3, 2021 00:52
|
|
|
Mr. Crow posted:I wonder what this means for fdroid I'm going to take a quick step back here and list some potential positive outcomes for security: with the signing key of (eventually) every app on the store, if a commonly used third-party library has a security hole it gives google the ability to mass-update everything to correct it by replacing the impacted file and re-signing. I guess.
|
|
#
?
Jul 3, 2021 01:03
|
|
|
Absurd Alhazred posted:I don't feel like I really understood what the implications are. Could somebody explain it to me like I'm a five year old who can code? Kaseya is an RMM tool that allows managed services providers to remotely manage their clients’ IT infrastructure. It’s essentially a centralized console with highly privileged access to potentially hundreds of their customers’ “crown jewels”. This ransomware is using it as a launch point. It has the potential to lock up thousands of small to mid-size companies. Diva Cupcake fucked around with this message at 01:10 on Jul 3, 2021 |
|
#
?
Jul 3, 2021 01:08
|
|
|
Absurd Alhazred posted:I don't feel like I really understood what the implications are. Could somebody explain it to me like I'm a five year old who can code? MSPs are basically outsourced IT departments, typically for for small to medium businesses that want managed systems but don’t want to pay for a full-time staff to do the management. MSPs also sometimes take over specific functions in larger organizations. Kaseya VSA is a management platform that basically does remote administration, including patch management. Lots of MSPs use it, especially for smaller clients where they’re not going to have someone on-site most of the time. There’s some kind of compromise of Kaseya VSA that allows REvil to push an “update” to Kaseya clients that’s actually just ransomware. So, REvil has the ability to mass-push ransomware through trusted channels to lots and lots of small businesses that don’t have any IT expertise of their own, and who are dependent on service providers who operate on a capacity planning model that assumes simultaneous disasters at every single client couldn’t possibly happen.
|
|
#
?
Jul 3, 2021 01:08
|
|
|
Space Gopher posted:There’s some kind of compromise of Kaseya VSA that allows REvil to push an “update” to Kaseya clients that’s actually just ransomware. So, REvil has the ability to mass-push ransomware through trusted channels to lots and lots of small businesses that don’t have any IT expertise of their own, and who are dependent on service providers who operate on a capacity planning model that assumes simultaneous disasters at every single client couldn’t possibly happen. I've always wondered if there's been an MSP that's gotten owned and that ended up cascading to a ton of business'.
|
|
#
?
Jul 3, 2021 01:12
|
|
|
 This is making me feel like the Internet is a goon project. Concept: a world-wide, distributed network that can continue working even in the event of a nuclear war Reality: A handful of points-of-failure can shut the whole thing down because people don't want to do their own server maintenance.
|
|
#
?
Jul 3, 2021 01:37
|
|
|
Defenestrategy posted:I've always wondered if there's been an MSP that's gotten owned and that ended up cascading to a ton of business'. Yes happens a lot, been ramping up in the last couple years. The Kaseya one is a bigger deal since it was utilizing the provider of the MSP management software. 
Maneki Neko fucked around with this message at 01:43 on Jul 3, 2021 |
|
#
?
Jul 3, 2021 01:40
|
|
|
Absurd Alhazred posted:Reality: A handful of points-of-failure can shut the whole thing down because people don't want to do their own server maintenance. It's the Catch-22 of small/medium budget IT: if you out-source part(s) of it, you're now pretty much blindly accepting the security posture of those companies as your own--some are ok, some are trash, and it's often real hard to tell which is which until it's too late. Keep it all in-house, and chances are real high that your tiny IT department will get overwhelmed, miss stuff, not know what they're doing sufficiently to build things correctly, etc. You're pretty much just hosed either way. MSPs get a lot of action because they can be cheaper than in-house as well as providing an easy hand-off when it comes time to make that cyber insurance claim. Make good cold backups, that's about the best you can do half the time.
|
|
#
?
Jul 3, 2021 01:51
|
|
|
Absurd Alhazred posted:A handful of points-of-failure can shut the whole thing down because people don't want to do their own server maintenance. Get a grip. This is not some kind of karmic retribution on small to medium sized companies that do not have the staff and/or know how to run part or even all of their IT dept.
|
|
#
?
Jul 3, 2021 01:51
|
|
|
|
| # ? May 25, 2024 17:37 |
|
|
Paying $1,000,000 for a MSSP that scans, detects and reports but not paying for someone to fix the poo poo they find is really paying off. Ask me how I know.
|
|
#
?
Jul 3, 2021 03:21
|
|