CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Rufus Ping posted:

fortunately the 1password browser extension fills properly on their own website, entirely eliminating phishing as a vector

You have way too much faith in users, phishing remains a valid vector.


Rescue Toaster
Mar 13, 2003

Rufus Ping posted:

fortunately the 1password browser extension fills properly on their own website, entirely eliminating phishing as a vector

they shouldn't need it for billing access, you're right. They've obviously prioritised simplicity for the end user over protecting against this particular attack scenario. I just don't think this is the gigantic flaw that Rescue Toaster is acting like it is

I don't think it's a GIGANTIC flaw, I just think it's a wholly unnecessary flaw. It's not even like it's really 'one password'. It's a master password and a secret key. God forbid it was a master password and a separate cloud/account password, right? When I see something that seems dumb/flawed in a security product without reasonable justification that's going to raise the hairs on the back of my neck. I do plan to try out some method of syncing keepass first but it's entirely possible I'll just end up using 1password or bitwarden anyway, and be extra careful to mitigate that specific issue as much as seems practical.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


lol KeepAss has been publicly pwned multiple times and if that isn't a bigger concern to you than some facet of the software design you don't understand the justification for, what are you doing

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
Guys if anybody is pretending their password solution is the end all do all secure app, they are already lying. Keepass doesn't claim their product is unhackable, nobody can make that claim.

If someone phishes your master password for any password storage solution and you don't have Multifactor to delay or stop them, you are gonna get owned

Arivia
Mar 17, 2011

Saukkis posted:

But do you really need to roll your own Keepass? Do you have any cloud storage, Google Drive, Dropbox, whatever? You download and install the client, which is pretty much the same you would do with any other manager. Then create a new database, set the master password and any other security settings you want and save the database in your cloud storage folder. The biggest extra complication is deciding which browser plugin to choose, since Keepass doesn't have an official recommended one.

the recommended one for ios (so 2/3rds of what i log into things on) is keepassium so that's 15 euros a year on top of all the pain of switching over, in terms of time and energy (both of which i am extremely low on) so yeah, 1Password still wins

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

Cup Runneth Over posted:

lol KeepAss has been publicly pwned multiple times and if that isn't a bigger concern to you than some facet of the software design you don't understand the justification for, what are you doing

Do you have links to any of these? The only one I remember is "malware running on your system while keepass is running with the database unlocked can access your passwords", which is ... not a significant vulnerability in my books.

spankmeister
Jun 15, 2008

Cup Runneth Over posted:

lol KeepAss has been publicly pwned multiple times and if that isn't a bigger concern to you than some facet of the software design you don't understand the justification for, what are you doing

Did you mean to say 1Password? Because idk how you would "publicly own" a password manager that only runs on your computer. There is nothing to "publicly" own.

Nalin
Sep 29, 2007

Hair Elf
I see four CVEs. In 2010, KeePass would load a trojan horse DLL in the current working directory. In 2016, the software update feature could be MITM attacked. In 2017, the entry view panel could cause some information to be decrypted. In 2019, the CSV password import feature had an injection exploit.

Also: https://keepass.info/help/kb/sec_issues.html

BlankSystemDaemon
Mar 13, 2009



Four CVEs with identified workarounds and/or patches in a decade is pretty good, all things considered.
I'd rather have that than the Linux/OpenBSD gambit of quietly fixing things without making mention of it in the commit log and hoping nobody notices.

F4rt5
May 20, 2006

Isn't it LastPass that has been owned on multiple occasions?

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


I mean LastPass was owned in the previous page.

GrunkleStalin
Aug 13, 2021

Rescue Toaster posted:

I don't think it's a GIGANTIC flaw, I just think it's a wholly unnecessary flaw. It's not even like it's really 'one password'. It's a master password and a secret key. God forbid it was a master password and a separate cloud/account password, right? When I see something that seems dumb/flawed in a security product without reasonable justification that's going to raise the hairs on the back of my neck. I do plan to try out some method of syncing keepass first but it's entirely possible I'll just end up using 1password or bitwarden anyway, and be extra careful to mitigate that specific issue as much as seems practical.


The family and enterprise plans would let you create a dedicated “cloud account” with its own secret key & password to handle billing and another to handle all your passwords.

I really do not get the paranoia around this. It’s clearly a design decision to make life easier for the user and they have provided easy to implement methods for mitigating if you are really that worried about it.

spankmeister
Jun 15, 2008

F4rt5 posted:

Isn't it LastPass that has been owned on multiple occasions?

Ah yeah that was it. Not keep rear end in any case.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

Cup Runneth Over posted:

I mean LastPass was owned in the previous page.

Credential stuffing =/= “owned”

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?

CommieGIR posted:

Guys if anybody is pretending their password solution is the end all do all secure app, they are already lying. Keepass doesn't claim their product is unhackable, nobody can make that claim.

If someone phishes your master password for any password storage solution and you don't have Multifactor to delay or stop them, you are gonna get owned

Also hope that your users don't blindly mash "approve" on every MFA prompt. The CIO of one of my clients did this...and promptly had MFA turned off as a "mitigation." :negative:

Raymond T. Racing
Jun 11, 2019

GrunkleStalin posted:

The family and enterprise plans would let you create a dedicated “cloud account” with its own secret key & password to handle billing and another to handle all your passwords.

I really do not get the paranoia around this. It’s clearly a design decision to make life easier for the user and they have provided easy to implement methods for mitigating if you are really that worried about it.

FWIW: avoiding ever touching the web interface could be done by signing up on a mobile device and using App Store or Google Play billing.

astral
Apr 26, 2004

The Iron Rose posted:

Credential stuffing =/= “owned”

That's not what they're referring to.

some kinda jackal
Feb 25, 2003

 
 

Ynglaur posted:

Also hope that your users don't blindly mash "approve" on every MFA prompt. The CIO of one of my clients did this...and promptly had MFA turned off as a "mitigation." :negative:

I get about five or six random ADFS authentication screens every other week because my token expired in one of the dozen ADFS-SSO apps I have open for work on like one of three corporate devices I own.

My favourite are the ones that ask you for your credentials another two or three times because the actual first screen you put your info into was actually fired at 3am and hasn’t been valid for hours.

I guess I’m not saying that clicking on things blindly is excusable but I can EEEEASILY see myself thinking “oh god drat it what app is trying to log me in now?” and mashing the button if I was in Finance or Marketing or something non-technical.

E: I mean my experience may be completely anecdotal and most companies have a better way of handling SSO. I dunno.

Rufus Ping
Dec 27, 2006

I'm a Friend of Rodney Nano

Buff Hardback posted:

FWIW: avoiding ever touching the web interface could be done by signing up on a mobile device and using App Store or Google Play billing.

Legit good info, thanks for sharing

Sickening
Jul 16, 2007

Black summer was the best summer.

Martytoof posted:

I get about five or six random ADFS authentication screens every other week because my token expired in one of the dozen ADFS-SSO apps I have open for work on like one of three corporate devices I own.

My favourite are the ones that ask you for your credentials another two or three times because the actual first screen you put your info into was actually fired at 3am and hasn’t been valid for hours.

I guess I’m not saying that clicking on things blindly is excusable but I can EEEEASILY see myself thinking “oh god drat it what app is trying to log me in now?” and mashing the button if I was in Finance or Marketing or something non-technical.

E: I mean my experience may be completely anecdotal and most companies have a better way of handling SSO. I dunno.

Session management should be more sanely implemented. If your SSO is prompting you this much from the same device, you're not following best practices, or you are traveling. NIST suggests the opposite of your experience.
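As an added example (not from any post in this thread), a small detector over constructed identity-provider push-prompt log lines. The first function flags an approval that follows a run of denials from the same user, the "mash approve" pattern Ynglaur describes; the second flags a (user, device) pair that is prompted far more often than a sane session policy should produce, the ADFS experience above. The log format, names and thresholds are assumptions.

```python
"""Flag MFA push-prompt patterns in identity-provider logs (constructed sample)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines, one push prompt each (format is an assumption).
SAMPLE_LOG = """\
2022-01-06T03:12:05Z user=cio@example.test device=phone-17 result=denied
2022-01-06T03:12:41Z user=cio@example.test device=phone-17 result=denied
2022-01-06T03:13:20Z user=cio@example.test device=phone-17 result=denied
2022-01-06T03:14:02Z user=cio@example.test device=phone-17 result=approved
2022-01-06T09:00:10Z user=marty@example.test device=laptop-3 result=approved
2022-01-06T09:41:55Z user=marty@example.test device=laptop-3 result=approved
2022-01-06T10:15:30Z user=marty@example.test device=laptop-3 result=approved
2022-01-06T11:02:12Z user=marty@example.test device=laptop-3 result=approved
2022-01-06T12:30:44Z user=marty@example.test device=laptop-3 result=approved
2022-01-06T12:31:00Z user=alice@example.test device=phone-2 result=approved
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) result=(?P<result>\w+)$"
)

def parse(text):
    """Parse log lines into sorted (timestamp, user, device, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["device"], m["result"]))
    return sorted(events)

def fatigue_approvals(text, window=timedelta(minutes=10), min_denials=2):
    """Approvals preceded by >= min_denials denials for the same user within window."""
    hits, recent = [], defaultdict(deque)  # user -> timestamps of recent denials
    for ts, user, device, result in parse(text):
        q = recent[user]
        while q and ts - q[0] > window:
            q.popleft()  # drop denials that fell out of the sliding window
        if result == "denied":
            q.append(ts)
        elif result == "approved" and len(q) >= min_denials:
            # the approval after a run of denials is what deserves the alert
            hits.append((user, device, len(q), ts))
            q.clear()
    return hits

def noisy_devices(text, window=timedelta(hours=8), max_prompts=4):
    """(user, device) pairs prompted more than max_prompts times within window."""
    hits, recent = set(), defaultdict(deque)
    for ts, user, device, _ in parse(text):
        q = recent[(user, device)]
        while q and ts - q[0] > window:
            q.popleft()
        q.append(ts)
        if len(q) > max_prompts:
            hits.add((user, device))  # points at session config, not the user
    return sorted(hits)
```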

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Ynglaur posted:

Also hope that your users don't blindly mash "approve" on every MFA prompt. The CIO of one of my clients did this...and promptly had MFA turned off as a "mitigation." :negative:

Yup, have had a couple C suite guys AND clients do this and even a couple get popped.

SlowBloke
Aug 14, 2017

Martytoof posted:

I get about five or six random ADFS authentication screens every other week because my token expired in one of the dozen ADFS-SSO apps I have open for work on like one of three corporate devices I own.

My favourite are the ones that ask you for your credentials another two or three times because the actual first screen you put your info into was actually fired at 3am and hasn’t been valid for hours.

I guess I’m not saying that clicking on things blindly is excusable but I can EEEEASILY see myself thinking “oh god drat it what app is trying to log me in now?” and mashing the button if I was in Finance or Marketing or something non-technical.

E: I mean my experience may be completely anecdotal and most companies have a better way of handling SSO. I dunno.

Your SSO setup is wack, unless the powers that be demanded token expiration to be immediate it shouldn't do that.

some kinda jackal
Feb 25, 2003

 
 
Yeah no for sure there is probably a lack of proper configuration. That said, I’d be surprised if people implementing this kind of desired state central source of truth SSO are doing it perfectly across the globe. If I had to guess, based on my recent experiences with multiple contractor environments, as well as our own, optimal configurations are probably few and far between… anecdotally.

And of course the people who would typically need to troubleshoot and fix this are already understaffed and overworked and will give this zero priority until it just outright stops working. Again, anecdotally.

But yeah, I guess I’m not really sure what point I’m trying to make anymore, just that I can see why some folks might think they’re doing the right thing when they’re really doing something dumb.

Thanks Ants
May 21, 2004

#essereFerrari


Presumably the sessions are set short to stop people logging in when their accounts have been terminated, when the way to achieve that is something like continuous access evaluation with SPs that support being told to end sessions.

navyjack
Jul 15, 2006



Anybody know anything about Ntirety? Work with them or for them?

Thanks Ants
May 21, 2004

#essereFerrari


lol

I guess I should be quite happy that AV vendors are actively trying to torch their reputations as much as possible

https://twitter.com/doctorow/status/1478479483585933312

Absurd Alhazred
Mar 27, 2010

by Athanatos

Thanks Ants posted:

lol

I guess I should be quite happy that AV vendors are actively trying to torch their reputations as much as possible

https://twitter.com/doctorow/status/1478479483585933312

Torch their reputation while torching the planet.

Bonzo
Mar 11, 2004

Just like Mama used to make it!

navyjack posted:

Anybody know anything about Ntirety? Work with them or for them?

I know a sales guy and might still know a few engineers there. They used to be Hosting.com which came about from a merger of two companies (I worked at one of them) that had acquired smaller web hosts and data centers over the last 20 years. I believe it's standard dedicated server hosting options plus some MSP stuff like VDI Management, monitoring, etc. This is offered to groups that maybe don't want to hire a full time AWS admin (or pay AWS prices) or need space in a HIPAA compliance facility. Probably not a bad place to build up the resume.

The sales guy I know has been there since 2000 and has apparently survived every merger so I think he likes it there. I would have to check LinkedIn to see if engineers I worked with are still there or not. The last two years nearly everyone I know has changed jobs, careers, or taken leave to care for kids.

I just realized that this was the job I had when I discovered SA. The frontpage and Photoshop Fridays were something we always looked forward to and eventually the HR person blocked it. Wow, this is surreal.

Bonzo fucked around with this message at 00:54 on Jan 5, 2022

navyjack
Jul 15, 2006



Bonzo posted:

I know a sales guy and might still know a few engineers there. They used to be Hosting.com which came about from a merger of two companies (I worked at one of them) that had acquired smaller web hosts and data centers over the last 20 years. I believe it's standard dedicated server hosting options plus some MSP stuff like VDI Management, monitoring, etc. This is offered to groups that maybe don't want to hire a full time AWS admin (or pay AWS prices) or need space in a HIPAA compliance facility. Probably not a bad place to build up the resume.

The sales guy I know has been there since 2000 and has apparently survived every merger so I think he likes it there. I would have to check LinkedIn to see if engineers I worked with are still there or not. The last two years nearly everyone I know has changed jobs, careers, or taken leave to care for kids.

I just realized that this was the job I had when I discovered SA. The frontpage and Photoshop Fridays were something we always looked forward to and eventually the HR person blocked it. Wow, this is surreal.

Nice, thanks!

some kinda jackal
Feb 25, 2003

 
 
Just got an email from pwned saying that my email is in the flexbooker.com breach but to the best of my knowledge I've never actually used that service. Based on what services they provide I'm not sure why I would. Not really sure how to interpret this as just "who cares" and move on.

Defenestrategy
Oct 24, 2010

Got asked to do a study into what it would take to convert our network to a zero trust structure. I've been doing the requisite googling and I've basically only found advertising crap from the standard vendors and a white paper on what it is, is there a better resource anyone has for this?


My understanding thus far is that in Zero Trust you're assuming everything is compromised, rather than assuming that a given service should be fine so you try to prevent lateral compromise by forcing health and auth checks every time you want to access something and you back this up by putting an intrusion detection sensor on every connection? Seems really really really expensive to implement.

Defenestrategy fucked around with this message at 03:37 on Jan 7, 2022

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
Yes. Zero trust is just: "Trust nothing on the network, segment as much as possible, enforce MFA and Authentication everywhere, utilize Network Access Controls, enforce Least Privilege Access" etc.

It's a lot of best practices and policy, but vendors have latched onto it as something to be solved with a single tool and it's almost always a band aid for the above.

Nukelear v.2
Jun 25, 2004
My optional title text
If it helps, we ended up doing Zscaler to cover a lot of Zero Trust principles at our shop for user access. Launched right at the start of covid lockdowns, and it's been a nice pivot off VPN.
Users' machines get device posture assessments, SSO with MFA, fairly granular segmentation of what resources they can reach internally, the usual network filtering, sandboxing, DLP, etc.

The term is a bit loaded so defining goals and objectives for all your different use cases is important.

Achmed Jones
Oct 16, 2004



all of the above is true. to make it actually scale with sso and all that, youll often want some sort of proxy that can be shared, have acls defined per-service, etc. this is where products come into play - most shops don't want to write their own web and ssh proxies

RFC2324
Jun 7, 2012

http 418


What's this? Just going by the name it sounds like a jump host, but context implies it's more complex?

Achmed Jones
Oct 16, 2004



yeah it's basically that plus per-service ACLing, which is where things get more complicated. you don't normally want to have service owners janitor user lists and all that per-host, so you want acls to be implemented at the proxy layer, and for the proxy to be the only means by which it's possible* to access the hosts

* pace extreme breakglass poo poo i guess maybe

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

RFC2324 posted:

What's this? Just going by the name it sounds like a jump host, but context implies it's more complex?

A big difference is that it's totally transparent to the end user, you don't manually connect to a jump host and then again to your actual target machine. You just ssh at hostname normally, but the DNS records for all your internal hosts actually point to the ssh proxy.

Other than that they mostly serve the same purpose. Instead of every machine needing to know about every other machine in your org that it can be ssh'd into from, they are all locked down to only accept sessions from the ssh proxy, and the proxy is in charge of enforcement.
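An added illustration of the design Achmed Jones and Jabor describe (not code from any post or product): internal names resolve to the proxy, the proxy grants access per service rather than per host, and each target only accepts sessions whose peer is the proxy. Host names, addresses, groups and the ACL are constructed assumptions.

```python
"""Two enforcement points of a transparent SSH proxy (constructed illustration)."""
from fnmatch import fnmatch
from ipaddress import ip_address

PROXY_IP = ip_address("10.0.0.5")  # assumed address of the single shared proxy

# Internal DNS resolves every host name to the proxy; only the proxy knows the
# real addresses, so a plain `ssh db-01.internal` lands on the proxy.
REAL_ADDR = {"db-01.internal": "10.1.0.11", "web-01.internal": "10.2.0.21"}

# Service owners register host patterns per service instead of per-host user
# lists; grants are (group, service) pairs and anything unmatched is denied.
SERVICES = {"db": ["db-*.internal"], "web": ["web-*.internal"]}
GROUPS = {"dba": {"alice"}, "webops": {"alice", "bob"}}
ACL = [("dba", "db"), ("webops", "web")]

def services_for(host):
    """Services whose host patterns cover this host name."""
    return {svc for svc, pats in SERVICES.items() if any(fnmatch(host, p) for p in pats)}

def proxy_decision(user, host):
    """Allow only if one of the user's groups is granted a service covering host."""
    covered = services_for(host)  # empty for unknown hosts -> default deny
    return any(user in GROUPS.get(group, set()) and svc in covered for group, svc in ACL)

def target_accepts(peer_ip):
    """What each target's sshd Match / firewall rule enforces: proxy source only."""
    return ip_address(peer_ip) == PROXY_IP

def connect_via_proxy(user, host):
    """Outcome of `ssh host` through DNS: the real address reached, or a refusal."""
    if not proxy_decision(user, host):
        return "denied at proxy"
    # the proxy forwards from its own address, which the target trusts
    return REAL_ADDR[host] if target_accepts(str(PROXY_IP)) else "refused by target"

def connect_direct(client_ip, host):
    """A client that bypasses DNS and dials the real address is refused."""
    return REAL_ADDR[host] if target_accepts(client_ip) else "refused by target"
```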

RFC2324
Jun 7, 2012

http 418

Jabor posted:

A big difference is that it's totally transparent to the end user, you don't manually connect to a jump host and then again to your actual target machine. You just ssh at hostname normally, but the DNS records for all your internal hosts actually point to the ssh proxy.

Other than that they mostly serve the same purpose. Instead of every machine needing to know about every other machine in your org that it can be ssh'd into from, they are all locked down to only accept sessions from the ssh proxy, and the proxy is in charge of enforcement.

cool, thanks

Rust Martialis
May 8, 2007

At night, Bavovnyatko quietly comes to the occupiers’ bases, depots, airfields, oil refineries and other places full of flammable items and starts playing with fire there
More JNDI goodness

https://www.zdnet.com/article/jfrog-researchers-find-jndi-vulnerability-in-h2-database-consoles-similar-to-log4shell/

H2 database, not LOG4J


Thanks Ants
May 21, 2004

#essereFerrari


Have a look at the marketing stuff from Cloudflare if you want an idea of the sort of things involved in Zero Trust that isn't just pure advertising

https://www.cloudflare.com/teams/

It's not really something enabled purely on the network though, it's done in applications. If you have some legacy application with a Win32 client and a server and it's integrated with AD logins using Kerberos then you probably want to tackle that by deploying some sort of VDI solution and then putting things like conditional access on the authentication to the VDI service.

This is a good read as well, and the MS solutions are decent enough if you're already a Windows shop

https://www.microsoft.com/en-gb/security/business/zero-trust
