CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Thanks Ants posted:

It's just garbage like this for people who think it's possible to separate wider societal impact from economic activity

https://twitter.com/theeconomist/status/1080893334581923841?lang=en

Ah yes, radical ideas like burning down the Rainforest. RADICAL.


spankmeister
Jun 15, 2008






Hey you know this Hitler guy was pretty bad but the Autobahn is good right?

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
Biden basically smiling and saying they might strike back at Ransomware operators, I like Malwaretech's response

https://twitter.com/MalwareTechBlog/status/1413615855875682309?s=20

i am a moron
Nov 12, 2020

"I think if there’s one thing we can all agree on it’s that Penn State and Michigan both suck and are garbage and it’s hilarious Michigan fans are freaking out thinking this is their natty window when they can’t even beat a B12 team in the playoffs lmao"
imo the US worrying Russia will take the kid gloves off is not the directionality worry would go there

klosterdev
Oct 10, 2006

Na na na na na na na na Batman!
Our nation's digital infrastructure will be utterly crippled in an actual war, but at least we generated a lot of value for the shareholders

Farking Bastage
Sep 22, 2007

Who dey think gonna beat dem Bengos!
Crowdstrike was the only thing that prevented that poo poo from wrecking a 9 million dollar Cisco phone system and possibly large swathes of servers because a goddamned hardware vendor that we're contractually obligated to MSP services with was exploited through this and attacked us.

What pisses me off is their client controls weren't at least ACL'ed to authorized users/VPN clients and were essentially open to the entire loving internet. I can assure you that tunnel the MSP had to come to us was hardened as gently caress. Crowdstrike dropped it in its tracks.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Thanks Ants posted:

It's just garbage like this for people who think it's possible to separate wider societal impact from economic activity, or that as long as your economy is performing well enough you can just fix all the other problems later

https://twitter.com/theeconomist/status/1080893334581923841?lang=en

:holymoley:

I didn't expect to see a "Hitler had a few good ideas" article today

droll
Jan 9, 2020

by Azathoth
I see crowdstrike mentioned a lot. It saved our asses too, a few months ago. Maybe its overpriced bs but I'm glad for it.

DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness

CommieGIR posted:

Biden basically smiling and saying they might strike back at Ransomware operators, I like Malwaretech's response

It's an interesting challenge, though, because by NOT doing anything in response to an event that actually impacted US infrastructure, it would more or less solidify the notion that you can continue to attack the US in any way you want utterly without consequence. Plus you assume that we don't already have state sponsored financial crime being directed at US interests (which, IMHO, is a very bad assumption).

There are no good options here: Trying to pick a fight with Russia proper would be quite painful for both sides and has the potential for wildly unpredictable results. But status quo sucks and will only get worse until mid and small sized business bother to give a poo poo about security (never) or the international community crushes crypto coins into nothingness (also lol).

Jabor
Jul 16, 2010

#1 Loser at SpaceChem
Ooh, maybe they could start another proxy war in the middle east, wouldn't that be fun?

Klyith
Aug 3, 2007

GBS Pledge Week
The idea that russia will unleash full scale Cyber-War™️ over yet more targeted sanctions / asset seizure from the kleptocrats is stupid as gently caress. But so is the idea that Putin has his money anywhere that the US has the ability to seize.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Klyith posted:

The idea that russia will unleash full scale Cyber-War™️ over yet more targeted sanctions / asset seizure from the kleptocrats is stupid as gently caress. But so is the idea that Putin has his money anywhere that the US has the ability to seize.

Putin is incredibly petty, despite his outward demeanor, I would not put it past him

And yeah, there's no way the Russian kleptocrats are within grasp financially. Hell, a good example is the Card Skimming schemes that are run out of Russia when the DOJ caught Roman Seleznev. They had to wait, for a while, for him to be stupid enough to leave Russia to get him, and pulled some probably extralegal poo poo to grab him

https://www.youtube.com/watch?v=6Chp12sEnWk

evil_bunnY
Apr 2, 2003

RFC2324 posted:

I know my company theoretically resells AWS, and the value add is that we manage it to some degree
Not just manage o364 but most often manage the transition, and processes integrating o364 to the business.

Farking Bastage
Sep 22, 2007

Who dey think gonna beat dem Bengos!

evil_bunnY posted:

Not just manage o364 but most often manage the transition, and processes integrating o364 to the business.

I have done more 365 mail migrations than I care to admit.

DACK FAYDEN
Feb 25, 2013

Bear Witness

klosterdev posted:

Does anybody actually read The Economist for reasons other than feeling/looking smart?

Source: Me in my early 20's
https://www.youtube.com/watch?v=9KJSnd8VzQw

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


speaking of ransomware

https://twitter.com/bryceabdo/status/1414707394488242182

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

I think the record for APT I've found in clients who got ransomed was 8 months prior to the event.

But they got everything too, so really worked out for them. Thank goodness for backups. The backups were also compromised, but we retrieved the data.

Oysters Autobio
Mar 13, 2017
Let me know if this is offtopic for the thread but the other InfoSec thread more geared towards newbies seems to be dead so I thought I'd post a few q's here.

Password Managers

I'm looking for a new password manager because I'm not too happy with dashlane recently (and it's expensive I think for what it is). I believe 1Password was one of the big recommendations but I'm also looking at BitWarden. Hesitant about LastPass because I've heard there was some type of security failure? My absolute minimums with a password manager are of course multi platform (phone + PC + laptop etc.), can use fingerprint reader on phone, some type of "family" subscription and way to manage and share access/notes/passwords to different users, password generators, notes, "ID managers" (i.e. so I can use throwaway info easily when signing up for frivolous things)

Managing Emails and Usernames

Is there a way to like, easily generate/manage throwaway emails that can all forward to one account, but can then be deleted or "disconnected" if spammed/compromised? It seems like more and more these days maybe it makes sense to treat usernames almost as a credential too, and I want to keep my "real name" email address for more professional things. Unless someone has ideas on how to make a socially acceptable / professional personal email address that isn't full name, but also isn't "bostonbruinsfan2314234@gmail.com" for in-person things (like when asked for email for like, car rentals and stuff, I don't want to give them an email with my name on it but I also am embarrassed to give them some video gamer handle or something.)

Learning about infosec stuff

I posted this in the other thread but also wanted to summarize it here. I'd like to learn more infosec stuff as a non-CS/IT professional, just at first as a hobby/interest but also maybe to someday get a job in the field. I'm not naive to think I could get into very technically heavy roles but maybe "knowledge worker" adjacent bullshit jobs in the industry in governance or something. I figured if my goal is this type of position, actual technical certs would probably be pointless, so you know, I'm down with self learning, web blogs, coursera etc. Any advice for good places to start other than just reading about infosec failures and scoffing along with others despite having no actual right to do so.

Zorak of Michigan
Jun 10, 2006


Oysters Autobio posted:

Is there a way to like, easily generate/manage throwaway emails that can all forward to one account, but can then be deleted or "disconnected" if spammed/compromised? It seems like more and more these days maybe it makes sense to treat usernames almost as a credential too, and I want to keep my "real name" email address for more professional things. Unless someone has ideas on how to make a socially acceptable / professional personal email address that isn't full name, but also isn't "bostonbruinsfan2314234@gmail.com" for in-person things (like when asked for email for like, car rentals and stuff, I don't want to give them an email with my name on it but I also am embarrassed to give them some video gamer handle or something.)

I have a vanity domain hosted at fastmail.com for my personal email, and when I have to register for a site that I'd rather didn't have my real email, I just register a new alias with the name of the site @ my vanity domain. IIRC unlimited aliases are included in the basic plan, and I suspect that's common since it's not like they take up a lot of compute cycles.

unknown
Nov 16, 2002
Ain't got no stinking title yet!


Zorak of Michigan posted:

I have a vanity domain hosted at fastmail.com for my personal email, and when I have to register for a site that I'd rather didn't have my real email, I just register a new alias with the name of the site @ my vanity domain. IIRC unlimited aliases are included in the basic plan, and I suspect that's common since it's not like they take up a lot of compute cycles.

I have a similar one at pobox (now fastmail), and just before they sold they told me that my account was one of the top email spam destinations and wanted to cancel my account - receiving like 200k emails a month because of the anything@domain alias.

After a bit of back and forth, it turns out they were saving all the emails in the spam system that failed spamhaus rbl lookups.

Mantle
May 15, 2004

Even easier, I use a catchall instead of manually creating aliases. If one of the "aliases" gets poisoned, it's easy to create a rule to handle it. However, the biggest benefit to using this "alias" thing is to identify vendors that leak or sell my PII.
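The per-vendor alias trick above turns a catchall mailbox into a leak detector: keep a register of which alias was handed to which vendor, then flag mail to that alias from anyone else. This is an added example, not code from any poster; the domain, the alias register and the three sample messages are constructed, and the `From:` check is a triage signal only, since that header is forgeable.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical personal catchall domain and the register of which alias was
# handed to which vendor. Both are constructed for this example.
MY_DOMAIN = "mydomain.example"
ALIAS_REGISTER = {
    "carrental": {"acme-rentals.example"},
    "bankcorp": {"bankcorp.example", "mail.bankcorp.example"},
}

# Constructed sample messages, as they would land in the catchall mailbox.
SAMPLES = [
    "From: Acme Rentals <noreply@acme-rentals.example>\n"
    "To: carrental@mydomain.example\nSubject: Your booking\n\nThanks.\n",
    "From: Deals <deals@spam-blaster.example>\n"
    "To: carrental@mydomain.example\nSubject: Hot offers\n\nBuy now.\n",
    "From: Someone <x@whatever.example>\n"
    "To: xq7@mydomain.example\nSubject: hi\n\nhello\n",
]


def classify(raw, my_domain=MY_DOMAIN):
    """Return (alias, verdict) for one raw message.

    expected : sender domain is one the alias was issued to
    leaked   : a real alias, but mail from a domain it was never given to
    unissued : an address the catchall accepted that was never handed out
    not-mine : recipient is not on the catchall domain at all
    From: is trivially forgeable, so treat the verdict as a triage signal,
    not proof; a real deployment would also read Authentication-Results.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    # Delivered-To (added by the catchall MTA) beats To:, which may be a list
    rcpt = parseaddr(str(msg.get("Delivered-To") or msg.get("To", "")))[1].lower()
    local, _, domain = rcpt.partition("@")
    if domain != my_domain:
        return rcpt, "not-mine"
    allowed = ALIAS_REGISTER.get(local)
    if allowed is None:
        return local, "unissued"
    sender_domain = sender.rpartition("@")[2]
    return local, "expected" if sender_domain in allowed else "leaked"


def burn_list(raw_messages, my_domain=MY_DOMAIN):
    """Aliases that have been leaked and should be retired (sorted, unique)."""
    burned = {a for a, v in (classify(m, my_domain) for m in raw_messages)
              if v == "leaked"}
    return sorted(burned)


def sieve_rule(alias, my_domain=MY_DOMAIN):
    """A Sieve (RFC 5228) rule that drops further mail to a burned alias."""
    return (f'if address :is "to" "{alias}@{my_domain}" {{\n'
            f"    discard;\n}}\n")


if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
    for alias in burn_list(SAMPLES):
        print(sieve_rule(alias))
```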

Achmed Jones
Oct 16, 2004



1. 1password and bitwarden are both fine. use one of those

2. use gmail plus addressing, run your own domain (eg using fastmail), or use cotse.net or a similar service. i think buying a domain and using google's gsuite thing will let you forward arbitrary blah@yourdomain.com to whatever the catchall is

3. "infosec" is too broad. if you want to learn about hacking poo poo, practice that. if you want to learn about network security, that's a different thing. application security is different. logging best practices is another thing. and secure coding/sdlc type stuff, etc etc. for my money you'd probably learn the most doing one of the oscp type labs, because it'd more or less take you from application escape to host hardening for privesc, then to network stuff for the pivot. that won't help you actually know how to design secure systems, but at least you'll know what you're trying to avoid

droll
Jan 9, 2020

by Azathoth
Yeah I run Google Workspaces with a couple domains and create aliases as needed (you can set up Gmail to use a bunch of domains with just 1 user license). Costs me $12 a month with the 2TB Drive storage option. Registering a domain is very cheap, like $25 for 4 years or some poo poo.

BonHair
Apr 28, 2007

Oysters Autobio posted:


Learning about infosec stuff

I posted this in the other thread but also wanted to summarize it here. I'd like to learn more infosec stuff as a non-CS/IT professional, just at first as a hobby/interest but also maybe to someday get a job in the field. I'm not naive to think I could get into very technically heavy roles but maybe "knowledge worker" adjacent bullshit jobs in the industry in governance or something. I figured if my goal is this type of position, actual technical certs would probably be pointless, so you know, I'm down with self learning, web blogs, coursera etc. Any advice for good places to start other than just reading about infosec failures and scoffing along with others despite having no actual right to do so.

I'm a trained linguist with close to zero real tech/computer knowledge (I can't program a hello world in any language for instance), and I work in infosec consulting. My advice is to look into governance stuff. In my experience, the most important thing in protecting your stuff is figuring out who is responsible for it (preferably both operationally and management wise) and then figuring out how important each bit is and why.
This sounds like ground floor, and it is, but realistically that's what a lot of businesses need to figure out. I/the consulting firm I work at basically use ISO 27001 as the framework for this, and it's good. Get a copy of the standard, and try to understand the whole management system part of it.
Next step is figuring out how to protect your stuff. That's where you look to ISO 27002 and, for each control, figure out who's responsible and what the minimum level should be. In this framework, you want to set up role based rules like "the system administrator should confirm that all users with admin rights have a legitimate need for them at least every month".
Third step is getting it to actually work across the business, and then comes the whole spiral of improvements. Or so I've heard, most businesses don't get that far.

In this kind of infosec, the most important thing is pretending to understand a lot of stuff, and being able to connect management and computer touchers (and others, like HR and physical security) in some capacity. Being able to a) pretend to be interested in why DB2 is superior to SQL and b) put on a suit and explain to the CFO why having that one guy being the only one who can operate the key system is bad, that's the kind of skill set you need.

Klyith
Aug 3, 2007

GBS Pledge Week

Oysters Autobio posted:

Is there a way to like, easily generate/manage throwaway emails that can all forward to one account, but can then be deleted or "disconnected" if spammed/compromised? It seems like more and more these days maybe it makes sense to treat usernames almost as a credential too

Everyone else posted:

use email forwards with vanity domains

If you're thinking about treating the email address tied to accounts as part of your credentials, the logical thing you're worried about is that compromised email can be used for password reset / automated recovery on those accounts. So looking at this only from the security side, while ignoring the spam & privacy part: a forwarder is doubling your attack surface. If an attacker takes over the domain they can change the forwarding to their own email, and if they get your true email account the forwarder is no help. I feel like the best way to cover email security is to tie important stuff to a single email address secured by a strong password & MFA. (Edit: I don't think this is particularly likely to happen, mind you. But in theory...)

There's also the aspect that on many systems it can be super frustrating to change the email associated with an account because that's also the login username. So if you lose that ability for normal reasons -- because you want to stop paying for the service, fastmail goes out of business, or whatnot -- that might also make dealing with all those accounts much more hassle.



For spam & privacy, being able to generate whatever random aliases that forward to your main email seems pretty cool. More than I care about it; at this point I hardly get email spam even when I do give out the real one. SMS text spam otoh...

Klyith fucked around with this message at 21:30 on Jul 16, 2021

astral
Apr 26, 2004

Wow, it sure is too bad no domain registrars let you use a strong password and MFA. Really a damned shame.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Oysters Autobio posted:

Managing Emails and Usernames

Is there a way to like, easily generate/manage throwaway emails that can all forward to one account, but can then be deleted or "disconnected" if spammed/compromised? It seems like more and more these days maybe it makes sense to treat usernames almost as a credential too, and I want to keep my "real name" email address for more professional things. Unless someone has ideas on how to make a socially acceptable / professional personal email address that isn't full name, but also isn't "bostonbruinsfan2314234@gmail.com" for in-person things (like when asked for email for like, car rentals and stuff, I don't want to give them an email with my name on it but I also am embarrassed to give them some video gamer handle or something.)

I dunno about "easily," but if you buy a vanity domain + a DigitalOcean droplet and set them up (something I assume everyone here is capable of doing without instructions), you can install postfix and set up virtual addresses to forward the mail to your real email address. I did this because I was setting up vanity domains anyway, because it's fun, and to reduce my search engine profile by creating a separate email address for every website.

This way you don't have to worry about losing control of the provider, since it's you, and depending on your choice of domain name it costs $5-10/mo that you'd probably be spending anyway because droplets are handy.

Impotence
Nov 8, 2010
Lipstick Apathy

astral posted:

Wow, it sure is too bad no domain registrars let you use a strong password and MFA. Really a damned shame.
I have an uncalibrated sarcasm meter, but this is a lot harder than expected. It pretty much comes down to more or less using google domains with a google account turned up to the max (which becomes a chicken and egg problem somewhat) or a company like markmonitor which will cost you probably five digits and a legal contract, but resist almost all challenges.

I worked with some youtubers/streamers in the past that were at high risk for hijacks, and turns out many registrars can be SE'd into turning off 2FA and then asking for a password reset, even when there are account notes saying to never, ever reset.

Understandably this goon's threat model is probably not that high, but 2FA is really lovely when support has the ability to turn it off at all. It's great if it's correctly enforced at all times and all touchpoints, but if you can just call in and ask for your domain to be pushed to another account at the same registrar without having to provide your non-SMS, non-voice, 2FA token value, it just feels pointless.

Impotence fucked around with this message at 22:36 on Jul 16, 2021

BonHair
Apr 28, 2007

The two factors are something you know and someone at tech support :colbert:

SlowBloke
Aug 14, 2017

astral posted:

Wow, it sure is too bad no domain registrars let you use a strong password and MFA. Really a damned shame.

The biggest Italian registrar (Aruba.it) won’t even let you use SMS OTP so yes?

Defenestrategy
Oct 24, 2010

BonHair posted:

The two factors are something you know and someone at tech support :colbert:

On this note
Has someone you know been implemented anywhere? Like I dunno an app buzzes someone else to let you into an account when you attempt a log on? I know there's a lot of problems with this sort of security but it sounds like something that exists.

RFC2324
Jun 7, 2012

http 418

Defenestrategy posted:

On this note
Has someone you know been implemented anywhere? Like I dunno an app buzzes someone else to let you into an account when you attempt a log on? I know there's a lot of problems with this sort of security but it sounds like something that exists.

How would this work? The app buzzes some random person and they call you to ask if it's really you logging in? You designate which neighbors you want to annoy and wave at their house while you log in?

Defenestrategy
Oct 24, 2010

RFC2324 posted:

How would this work? The app buzzes some random person and they call you to ask if it's really you logging in? You designate which neighbors you want to annoy and wave at their house while you log in?


For example let's say you want into $enterprise_app

You attempt to log in to $enterprise_app

$enterprise_app buzzes whoever is designated, probably some unlucky dude in IT

dude presses button and $enterprise_app logs you in.

You could probably add a bunch of usage stats to give the dude on the other end some info and maybe the ability to talk to the guy on the other end

I realize there's a bunch of issues with this kind of system, but it seems like one of those ideas that someone's implemented to hilarious results.

BonHair
Apr 28, 2007

Defenestrategy posted:

On this note
Has someone you know been implemented anywhere? Like I dunno an app buzzes someone else to let you into an account when you attempt a log on? I know there's a lot of problems with this sort of security but it sounds like something that exists.

Not quite right, but my old employer had password resets that you could only order from a colleague's account.

The invoice system had something like someone you know though, whenever you had something you needed reimbursed, you had to pick someone to approve it. The point was obviously not security as we know it, but the same principle could be used: pick someone close by on a drop-down, and they get the app buzz (and can choose to approve if they know/like you).

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Defenestrategy posted:

On this note
Has someone you know been implemented anywhere? Like I dunno an app buzzes someone else to let you into an account when you attempt a log on? I know there's a lot of problems with this sort of security but it sounds like something that exists.

Google has a setting that will allow you to confirm via a very large screen on your phone whether that's actually you logging into your account from a new machine. It's a pretty decent middle ground.

evil_bunnY
Apr 2, 2003

Mantle posted:

Even easier, I use a catchall instead of manually creating aliases. If one of the "aliases" gets poisoned, it's easy to create a rule to handle it. However, the biggest benefit to using this "alias" thing is to identify vendors that leak or sell my PII.
This. "Tell X I'm coming for their rear end" is always better than "where did you get this email?"

Biowarfare posted:

account notes saying to never, ever reset.
LOL. Account notes are just unenforceable custom policies.

evil_bunnY fucked around with this message at 17:50 on Jul 17, 2021

RFC2324
Jun 7, 2012

http 418

Defenestrategy posted:

For example let's say you want into $enterprise_app

You attempt to log in to $enterprise_app

$enterprise_app buzzes whoever is designated, probably some unlucky dude in IT

dude presses button and $enterprise_app logs you in.

You could probably add a bunch of usage stats to give the dude on the other end some info and maybe the ability to talk to the guy on the other end

I realize there's a bunch of issues with this kind of system, but it seems like one of those ideas that someone's implemented to hilarious results.

Without them walking to your desk to make sure it's you, then it's just someone blindly hitting approve/deny and is in fact less safe than my company vpn that will call your phone and ask if it's really you

Space Gopher
Jul 31, 2006

BLITHERING IDIOT AND HARDCORE DURIAN APOLOGIST. LET ME TELL YOU WHY THIS SHIT DON'T STINK EVEN THOUGH WE ALL KNOW IT DOES BECAUSE I'M SUPER CULTURED.

Defenestrategy posted:

On this note
Has someone you know been implemented anywhere? Like I dunno an app buzzes someone else to let you into an account when you attempt a log on? I know there's a lot of problems with this sort of security but it sounds like something that exists.

This is just a shittier version of two-person requirements for specific actions, which are common in lots of places. I've worked in environments where you had to have two sets of eyes on every single production SQL query on sensitive systems - almost everything you'd need to do was just set up with pre-baked parameterized queries that went through code review and deployment, but anything that involved custom queries for troubleshooting had to go to an approval tool and get signoff from another user.

When you're specifically talking about system logins, it's less common, because anything that justifies that level of effort probably also justifies approving specific actions instead of just "let this user do some stuff." But, Hashicorp Vault allows for something like it. You can configure the system so that multiple people need to auth in before the vault is unsealed.
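The Vault unseal pattern mentioned above is Shamir secret sharing: the master key is split into key shares held by different people, and a quorum (by default 3 of 5) must be submitted before the key exists anywhere. The following is an added example of that mechanism, not Vault's own code; the `ShamirSeal` class and the 16-byte key are constructed for illustration, and a real seal would protect an encrypted keyring rather than a bare check hash.

```python
import hashlib
import secrets

# Field for the arithmetic: 2^255 - 19 is prime, so any key below it is a
# valid secret. A 16-byte key as an integer is far below that bound.
PRIME = 2**255 - 19


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, shares, threshold):
    """Shamir split: the secret is the constant term of a random polynomial
    of degree threshold-1; share i is the point (i, f(i))."""
    if not 0 < threshold <= shares or not 0 <= secret < PRIME:
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the given (x, y) points."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


class ShamirSeal:
    """Toy model of a Shamir-sealed store (hypothetical, after the Vault
    pattern): the master key is only reconstructed once `threshold` distinct
    key shares have been submitted, so no single operator can unseal alone."""

    def __init__(self, master_key, shares=5, threshold=3):
        self.threshold = threshold
        self.shares = split_secret(master_key, shares, threshold)
        # The seal keeps only a check value, never the key itself.
        self._key_check = self._check(master_key)
        self._pending = {}
        self.unsealed_key = None

    @staticmethod
    def _check(key):
        return hashlib.sha256(key.to_bytes(32, "big")).digest()

    def submit_share(self, share):
        """Accept one share; returns a status string."""
        if self.unsealed_key is not None:
            return "already unsealed"
        x, y = share
        self._pending[x] = y  # re-submitting the same share does not count twice
        if len(self._pending) < self.threshold:
            return f"sealed: {len(self._pending)}/{self.threshold} shares"
        candidate = recover_secret(list(self._pending.items()))
        self._pending.clear()  # one attempt per quorum, good or bad
        if self._check(candidate) != self._key_check:
            return "sealed: bad share in quorum, start over"
        self.unsealed_key = candidate
        return "unsealed"


if __name__ == "__main__":
    key = int.from_bytes(b"constructed-key!", "big")  # constructed 16-byte key
    seal = ShamirSeal(key)                             # 5 holders, 3 to unseal
    for holder in (0, 0, 2):                           # holder 0 retries, no help
        print(seal.submit_share(seal.shares[holder]))
    print(seal.submit_share(seal.shares[4]), seal.unsealed_key == key)
```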

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?

Space Gopher posted:

This is just a shittier version of two-person requirements for specific actions, which are common in lots of places. I've worked in environments where you had to have two sets of eyes on every single production SQL query on sensitive systems - almost everything you'd need to do was just set up with pre-baked parameterized queries that went through code review and deployment, but anything that involved custom queries for troubleshooting had to go to an approval tool and get signoff from another user.

When you're specifically talking about system logins, it's less common, because anything that justifies that level of effort probably also justifies approving specific actions instead of just "let this user do some stuff." But, Hashicorp Vault allows for something like it. You can configure the system so that multiple people need to auth in before the vault is unsealed.

I didn't realize Hashicorp Vault did that. That's nice for things like break glass accounts or your root AWS account credentials. Just curious, can it support different authentication providers? E.g. "Oops our corporate Active Directory just got pwned, so shut off access to Hashicorp Vault from that AD domain, but you have to log in with two Okta accounts to do this." I'm probably not explaining this very well, but hopefully it mostly makes sense.


Bonzo
Mar 11, 2004

Just like Mama used to make it!

Defenestrategy posted:

For example let's say you want into $enterprise_app

You attempt to log in to $enterprise_app

$enterprise_app buzzes whoever is designated, probably some unlucky dude in IT

dude presses button and $enterprise_app logs you in.

You could probably add a bunch of usage stats to give the dude on the other end some info and maybe the ability to talk to the guy on the other end

I realize there's a bunch of issues with this kind of system, but it seems like one of those ideas that someone's implemented to hilarious results.

lol If you've ever done 1 pagerduty shift you would know this is a TERRIBLE idea.
