Something you have (a password written down), and something you know (how to answer the phone).
# ? Nov 2, 2021 23:42 |
Subjunctive posted:Something you have (a password written down), and something you know (how to answer the phone). I literally LOL'd.
# ? Nov 2, 2021 23:54 |
KillHour posted:The new place my SO works for implements two factor on their VPN with an automated phone call. To a softphone. On the same computer you're connecting from. if it's Duo, then go into the Duo settings and change the number to your cell phone and set it as the primary contact.
# ? Nov 3, 2021 00:00 |
MustardFacial posted:if it's Duo, then go into the Duo settings and change the number to your cell phone and set it as the primary contact. Fortinet but I'm not going to have her do anything that isn't in her handbook. I'm not their security consultant and I'm not sticking my dick in that.
# ? Nov 3, 2021 00:33 |
ah so you aren't passionate about infosec? if you aren't loving your security software and/or hardware what are you even doing?
# ? Nov 3, 2021 00:39 |
KillHour posted:The new place my SO works for implements two factor on their VPN with an automated phone call. To a softphone. On the same computer you're connecting from. lol this is like whenever I log into an Apple service for the first time in a while and I get the prompt for a verification code which is sent to all my iCloud joined machines .... including the same machine I'm trying to log in from.
# ? Nov 3, 2021 01:15 |
Achmed Jones posted:ah so you aren't passionate about infosec? if you aren't loving your security software and/or hardware what are you even doing? I pictured my fortinet rep when I read this and shuddered
# ? Nov 3, 2021 01:47 |
Achmed Jones posted:ah so you aren't passionate about infosec? if you aren't loving your security software and/or hardware what are you even doing? do you know how much licensing on the dong module is? *shudder*
# ? Nov 3, 2021 02:46 |
RFC2324 posted:do you know how much licensing on the dong module is? *shudder* There was a dongle joke right there and you whiffed it.
# ? Nov 3, 2021 03:00 |
KillHour posted:There was a dongle joke right there and you whiffed it. ptsd from the actual pricetags on those
# ? Nov 3, 2021 03:02 |
Subjunctive posted:Something you have (a password written down), and something you know (how to answer the phone). and something you are (sitting at your desk)
# ? Nov 3, 2021 04:45 |
Cup Runneth Over posted:and something you are (sitting at your desk) It's a laptop
# ? Nov 3, 2021 07:02 |
KillHour posted:It's a laptop
# ? Nov 3, 2021 11:34 |
Embed a Yubikey in your cat, now your cat is your multifactor
CommieGIR fucked around with this message at 13:47 on Nov 3, 2021 |
# ? Nov 3, 2021 12:42 |
Nice, handing your second form of authentication to anyone with easy access to a laser pointer.
# ? Nov 3, 2021 13:17 |
So that's what the "get your cat chipped" conversations are about.
# ? Nov 3, 2021 13:39 |
They're getting vaccines now?
# ? Nov 3, 2021 13:43 |
lol https://twitter.com/Bing_Chris/status/1455887485276393472
# ? Nov 3, 2021 14:23 |
Now do Black Cube.
# ? Nov 3, 2021 15:49 |
Positive Technologies are the people that've been reverse engineering Intel chips and found several unfixed vulnerabilities, so surely that has absolutely nothing to do with including them on that list.
# ? Nov 3, 2021 15:51 |
I am sure this has been covered before but... What's the verdict on HSMs like the yubikey? I know they are obviously "excellent security" I am just trying to determine how much better they are than Google authenticator for MFA. This is for me personally, and not any enterprise or high value protection. My main issue is that, I 100% always have my phone on me, I don't always have my keys on me, and I am not sure how to quantify how much more secure an HSM is over more traditional MFA via an Android app. While I know that phones can be attacked, I feel like if I am under that sort of coordinated attack by a motivated actor I have my hands full no matter what. I'm curious what you guys are doing on a personal level?
# ? Nov 3, 2021 16:45 |
If my phone got stolen, lost or broken then I would be dead in the water. I have a couple of Yubikeys linked to my Google account for this reason - one stays at home and the other is in my bag.
# ? Nov 3, 2021 17:03 |
cr0y posted:I am sure this has been covered before but... yubikey is actually impossible to phish, code based TOTP is phishable if you're not paying attention. I have a 5Ci on my keys, the 5NFC that it's replacing at home, plus a 4 that I have for work testing purposes
|
# ? Nov 3, 2021 17:07 |
Buff Hardback posted:yubikey is actually impossible to phish, code based TOTP is phishable if you're not paying attention.
# ? Nov 3, 2021 17:14 |
Thanks Ants posted:If my phone got stolen, lost or broken then I would be dead in the water. I have a couple of Yubikeys linked to my Google account for this reason - one stays at home and the other is in my bag. Google authenticator has an export option which generates a big QR code that I am thinking you could screenshot and stash away somewhere safe as a backup for this scenario. I think my point is that I still feel that phone based MFA is still good enough for average Joe blow me, but it's why I asked, I realize my understanding of the attack surface might be flawed. I actually just bought a yubi 5 nfc to tinker with, which got me thinking about my strategy. Buff Hardback posted:code based TOTP is phishable if you're not paying attention. Hm how does that usually work? Tell me if I am close: An actor already has a password and targets you for a TOTP code via some web form or whatever, at which point some automated script trips and executes a hijack while the code is still valid? cr0y fucked around with this message at 18:08 on Nov 3, 2021 |
# ? Nov 3, 2021 18:02 |
If an attacker has to do combinations of social engineering, advanced hardware exploitation, and stealing my property to get at my company data…. They have earned it.
# ? Nov 3, 2021 18:07 |
cr0y posted:Hm how does that usually work? Tell me if I am close: An actor already has a password and targets you for a TOTP code via some web form or whatever, at which point some automated script trips and executes a hijack while the code is still valid? That's correct and basically what happened in the recent Coinbase "hack" as I recall. They spear-phished some people to steal the tokens in time to log in with compromised creds.
# ? Nov 3, 2021 18:13 |
cr0y posted:Google authenticator has an export option which generates a big QR code that I am thinking you could screenshot and stash away somewhere safe as a backup for this scenario. https://malicioussitethatsnotactuallygoogle.com asks for a OTP code, you type it in, attacker quickly uses the information they've gotten from the phishing page to log in to the real page with U2F/FIDO2/WebAuthn, https://malicioussitethatsnotactuallygoogle.com can't ask for the credential for https://google.com because not the same origin.
# ? Nov 3, 2021 18:14 |
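Added example (not from any poster in this thread) of the two server-side checks the post above contrasts: an RFC 6238 TOTP verifier cannot tell which page collected the code, while a WebAuthn-style relying party rejects an assertion whose client data names a different origin. The seed, device key, challenge and the HMAC stand-in for the authenticator's signature are all constructed for the demo.

```python
import base64, hashlib, hmac, json, struct, time

# Constructed demo values: not real credentials.
TOTP_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")
DEVICE_KEY = b"constructed-authenticator-key"   # stand-in for a FIDO private key
RP_ORIGIN = "https://google.com"
PHISH_ORIGIN = "https://malicioussitethatsnotactuallygoogle.com"

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), the scheme Google Authenticator uses."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def server_accepts_totp(code: str, at: int) -> bool:
    """The real site's check. Nothing in a TOTP code says which page collected it,
    so a code relayed from a phishing page verifies exactly like a legitimate one."""
    return hmac.compare_digest(code, totp(TOTP_SECRET, at))

def authenticator_assert(challenge: bytes, browser_origin: str) -> dict:
    """Browser builds clientData and fills in the origin itself; the user cannot alter it.
    Signature is simulated with HMAC; a real authenticator signs with a per-site key."""
    client_data = json.dumps({"type": "webauthn.get", "origin": browser_origin,
                              "challenge": base64.b64encode(challenge).decode()}).encode()
    sig = hmac.new(DEVICE_KEY, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientData": client_data, "sig": sig}

def server_accepts_assertion(assertion: dict, challenge: bytes) -> bool:
    """Relying-party check: origin and challenge must match before the signature counts."""
    data = json.loads(assertion["clientData"])
    if data.get("type") != "webauthn.get" or data.get("origin") != RP_ORIGIN:
        return False
    if base64.b64decode(data.get("challenge", "")) != challenge:
        return False
    expected = hmac.new(DEVICE_KEY, hashlib.sha256(assertion["clientData"]).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(assertion["sig"], expected)

def relay_outcomes(at=None):
    """Same user, same device, both factors exercised on the phishing page.
    Returns (TOTP code accepted by the real site, WebAuthn assertion accepted)."""
    at = int(time.time()) if at is None else at
    code_typed_into_phish = totp(TOTP_SECRET, at)
    challenge = b"constructed-server-challenge"
    assertion_from_phish = authenticator_assert(challenge, PHISH_ORIGIN)
    return (server_accepts_totp(code_typed_into_phish, at),
            server_accepts_assertion(assertion_from_phish, challenge))
```

`relay_outcomes()` returns `(True, False)`: the relayed TOTP code is accepted, the origin-bound assertion is not.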
Thanks this has done wonders for my paranoia
# ? Nov 3, 2021 18:20 |
If you're paranoid, use a Yubikey and don't stress further about it. What people often forget is there's another less technical way of getting access to your data if they really want it. If the Mossad wants to log into your account that has U2F, then they'll just show up to your house with a set of jumper cables and a car battery and ask really nicely for you to unlock it please.
# ? Nov 3, 2021 19:24 |
Sickening posted:If an attacker has to do combinations of social engineering, advanced hardware exploitation, and stealing my property to get at my company date…. They have earned it.
# ? Nov 3, 2021 19:26 |
There's always an XKCD.
# ? Nov 3, 2021 19:29 |
Ya I'm not super concerned because I am a garbage person and have nothing of value, but I'm now more aware of needing a better way to back up my TOTP secrets. Another curiosity that I don't know much about, are TOTP secrets stored in something like a TPM on modern phones? I feel like trying to lift those strings would be more of a target than spear phishing the TOTP codes themselves. Now I'm just curious how that trust chain works. cr0y fucked around with this message at 19:43 on Nov 3, 2021 |
# ? Nov 3, 2021 19:37 |
BaseballPCHiker posted:
EDIT: The earliest occurrence I know of is a sci.crypt post in 1990. BlankSystemDaemon fucked around with this message at 19:48 on Nov 3, 2021 |
# ? Nov 3, 2021 19:38 |
I thought it was generally understood no one without far more serious concerns really cared about anything but RCEs, malware, phishing, paper trails, and database compromises. Maybe local law enforcement if you're spicy.
# ? Nov 3, 2021 19:38 |
At a high level, what's the feeling on the infosec job market over the next few years? From the outside looking in, it seems like the land of opportunity but I don't know anyone in the field and it's hard to tell media bs from reality. Is it as hot as cloud work seems to be? My new job that I start soon will have me right on the fringe of infosec. I hope to pick up a DoD clearance and a couple of security certs (Security+ and probably CISSP) to pair with it over the next 12 months and then reevaluate the market.
# ? Nov 3, 2021 19:40 |
Hughmoris posted:At a high level, what's the feeling on the infosec job market over the next few years? From the outside looking in, it seems like the land of opportunity but I don't know anyone in the field and it's hard to tell media bs from reality. Is it as hot as cloud work seems to be? You sort of sound like me. I'm infrastructure but work in industrial control systems on a team that was built to harden/modernize my company's OT stuff. The market seems pretty drat hot from where I sit, so much so that I am basically being dragged kicking and screaming into a pseudo-security role.
# ? Nov 3, 2021 19:46 |
Cup Runneth Over posted:I thought it was generally understood no one without far more serious concerns really cared about anything but RCEs, malware, phishing, paper trails, and database compromises. Maybe local law enforcement if you're spicy.
# ? Nov 3, 2021 19:53 |
Hughmoris posted:At a high level, what's the feeling on the infosec job market over the next few years? From the outside looking in, it seems like the land of opportunity but I don't know anyone in the field and it's hard to tell media bs from reality. Is it as hot as cloud work seems to be? The market is insane. My career trajectory has been Helpdesk > SysAdmin > Network Engineer > Security. I only got my foot in the door security wise because I went out and got my CISSP. I've doubled my salary in the past 4 years going from SysAdmin to an InfoSec position. I'm about to start a job in a week and a half right now as an AWS Security Specialist. My current, soon to be former boss, has told me I'll be making another $50-60k a year easily if I job hop again with my current skillset and another year or two of experience. It's insane. I will say, your experience and background is exactly what we are looking for as well. People who just come out of school with some sort of InfoSec degree have not been good hires for my org. We want people who have worked in the industry for a bit, who have a broad set of skills, and who later on decided to work in security.
# ? Nov 3, 2021 19:54 |
Speaking from the US. Infosec / Cybersecurity is hot right now, as with the rest of IT and will probably continue to remain so in the coming decade. If you want to work in government, it's safe (job security wise) and the biggest sector. Luckily if you don't want to work for the gov, the growth of cyber security in other sectors that historically have neglected it (cough healthcare) has been greatly accelerated by rampant crypto ransom campaigns over the last few years. This is all my speculation of course, IANAE (I am not an economist).
# ? Nov 3, 2021 20:02 |