Sickening posted: Any other details?
I've no idea what the actual cause may be or how widespread it may be, no, but I can personally attest to seeing multiple cards that didn't belong to me (with nothing otherwise amiss about the account). Hopefully just some momentary misconfiguration on their part, but it doesn't hurt to be careful.
# ? Jan 16, 2022 00:59 |
|
|
Potato Salad posted: CFR 32 and 48 are still going to contain CMMC 2.0 by rule changes to be implemented by late 2023. Did you fall out of scope or something?
From what I know of the situation some CMMC rules will be added to 32/48, but they're doing a revamp of CMMC entirely to be figured out by '24? '25? Never?
|
# ? Jan 16, 2022 01:28 |
|
Company I used to work for stores DoorDash’s payment info for them, wonder if I can get any juicy gossip.
|
# ? Jan 16, 2022 01:28 |
|
Defenestrategy posted: From what I know of the situation some CMMC rules will be added to 32/48, but they're doing a revamp of CMMC entirely to be figured out by '24? '25? Never?
Whatever comes out the other side is going to look like:
Level 1 / Level A / Basic / Low: Basic Safeguarding that's barely more than what you used to need to throw into boilerplate parts of a TCP that don't have to do with disclosure
Level 2 / Level B / Moderate / Advanced:
Level 3 / Level C / High / Expert / "We at the DoD figured we could misuse this CUI thing as a vehicle for making our secret squirrel noncompetitive procurement/program trivially nondisclosable without violating Title 10, wait, hold up, the whole point was to protect federal data while also making it available to the public via ORA/FOIA, that's fine, we'll pretend we're allowed to make our own cui registry, just buy a high impact level Azure/Microsoft365 subscription": you better have millions to throw at a full SOC, in house high quality security engineering, a hunt capacity, threat intelligence analysts, and IT admins more flexible than Gumby. Or Mr Bill, as might be more appropriate.
There are good reasons to secure our defense supply chain but lord, I did not anticipate that CMMC would end up being uglier than faithfully navigating export control.
Potato Salad fucked around with this message at 09:36 on Jan 16, 2022 |
# ? Jan 16, 2022 09:20 |
|
tldr the renewal of any five year performance period you might have for in-scope programs is still liable to involve some kind of assessment in SPRS/eMASS, with that likelihood being directly proportional to the deemed criticality of the program
my distant understanding is that pilot entities that will need Expert have been given heads up "hey, you're in scope for Level 3" in agency engagements already in the prior year
Potato Salad fucked around with this message at 09:33 on Jan 16, 2022 |
# ? Jan 16, 2022 09:28 |
|
Best not use safari on MacOS and sign out of google accounts on iOS. https://www.engadget.com/safari-webkit-exploit-browser-history-google-account-200711732.html November 28th it was reported to Apple and still not fixed.
|
# ? Jan 17, 2022 00:00 |
|
that's a bit extra given that it only reveals usernames, profile pics, etc esp since aiui every ios is affected
|
# ? Jan 17, 2022 00:49 |
|
bull3964 posted: Best not use safari on MacOS and sign out of google accounts on iOS.
https://github.com/WebKit/WebKit/commit/f73005ed826014988f8ee447de23927749fb56e5
When in doubt, call Apple out directly
|
# ? Jan 17, 2022 17:19 |
|
Buff Hardback posted: https://github.com/WebKit/WebKit/commit/f73005ed826014988f8ee447de23927749fb56e5
Seems to be a common theme with Apple. They are training security researchers essentially to forgo private reporting and the bounty program, going straight to public disclosure to get any traction.
|
# ? Jan 17, 2022 20:28 |
|
bull3964 posted: Seems to be a common theme with Apple. They are training security researchers essentially to forgo private reporting and the bounty program, going straight to public disclosure to get any traction.
Pretty much. They've not done a great job at handling disclosure to the point of irritating half the major researchers I know of.
|
# ? Jan 18, 2022 01:19 |
|
listen, if they just ignore bugs, they'll cease to exist!
|
# ? Jan 18, 2022 05:11 |
|
Potato Salad posted: listen, if they just ignore bugs, they'll cease to exist!
They're not bugs. Users are just holding the code wrong.
|
# ? Jan 18, 2022 11:45 |
|
In other stupid news, the UK Government is going all in on the "End to End Encryption bad because Criminals and think of the children" https://twitter.com/NCA_UK/status/1483403983159009280?s=20
The US (FBI especially) has been pulling these stunts as well, and in both cases it is people who are woefully undereducated on how encryption mathematically works and pretending backdoors are going to be easy and not break the encryption itself or make it easier to crack.
|
# ? Jan 18, 2022 19:22 |
|
Next you'll be telling me not to use Dual_EC_DRBG for my encryption needs and that I can't just blindly trust NIST recommendations
|
# ? Jan 18, 2022 21:23 |
|
CommieGIR posted: The US (FBI especially) has been pulling these stunts as well, and in both cases is people who are woefully undereducated on how encryption mathematically works and pretending backdoors are going to be easy and not break the encryption itself or make it easier to crack.
They're perfectly aware of the second-order consequences of such legislation. They just don't care because the consequences will be felt by (1) companies/devs trying to figure out how to not have their services broken, and (2) normal human customers of the various services. Neither of which impact them, the LEOs, in any negative way, but it sure would make their jobs a lot easier.
|
# ? Jan 18, 2022 22:04 |
|
DrDork posted: They're perfectly aware of the second-order consequences of such legislation. They just don't care because the consequences will be felt by (1) companies/devs trying to figure out how to not have their services broken, and (2) normal human customers of the various services. Neither of which impact them, the LEOs, in any negative way, but it sure would make their jobs a lot easier.
It likely wouldn't make their jobs easier, because only the most basic of criminals wouldn't use proper encryption. So they'd catch easy crimes, not actual criminals easier.
|
# ? Jan 18, 2022 22:12 |
|
CommieGIR posted: It likely wouldn't make their jobs easier, because only the most basic of criminals wouldn't use proper encryption. So they'd catch easy crimes, not actual criminals easier.
You had them at "catch easy crimes".
|
# ? Jan 18, 2022 22:15 |
|
CommieGIR posted: It likely wouldn't make their jobs easier, because only the most basic of criminals wouldn't use proper encryption. So they'd catch easy crimes, not actual criminals easier.
Tbh, that is probably half the point.
|
# ? Jan 18, 2022 22:15 |
|
CommieGIR posted: In other stupid news, the UK Government is going all in on the "End to End Encryption bad because Criminals and think of the children"
so.... has no one patiently explained to these idiots that end to end encryption is useful because it helps prevent unwanted interception of signals. Including that of law enforcement agency's to undercovers or each other, or politicians to their campaigns, paramours, and bagmen?
|
# ? Jan 18, 2022 22:25 |
|
Well obviously LEOs would be exempt. But yeah the politicians will be in for a rude awakening when they realize the impact on themselves after the fact.
|
# ? Jan 18, 2022 22:49 |
|
Current poo poo job just gave me the most petty cherry on my poo poo sundae that is this place. They refuse to use AWS Secrets Manager because it "costs too much". A secret is 40 cents a month....
|
# ? Jan 18, 2022 22:54 |
|
BaseballPCHiker posted: Current poo poo job just gave me the most petty cherry on my poo poo sundae that is this place.
We'll see how much a breach will cost.
|
# ? Jan 18, 2022 22:57 |
|
*Ignore, will PM
Hughmoris fucked around with this message at 23:27 on Jan 18, 2022 |
# ? Jan 18, 2022 23:07 |
|
BaseballPCHiker posted: Current poo poo job just gave me the most petty cherry on my poo poo sundae that is this place.
Systems manager parameter store is free in most circumstances
|
# ? Jan 19, 2022 00:06 |
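The Secrets Manager vs. Parameter Store point in the two posts above, as an added example that is not code from any post in this thread: a small Python resolver with the boto3 call shapes for both services (`get_parameter` with `WithDecryption=True` for a SecureString, `get_secret_value` for Secrets Manager) behind one reference-string interface, so which backend holds a given secret is a config change rather than a code change. It refuses plaintext `String` parameters, caches values for a short TTL to keep API call volume down, and logs only a redacted form. Parameter names, secret ids, values and the `Fake*` clients are constructed so it runs offline; only `default_resolver` needs real boto3 clients.

```python
"""Read application secrets from SSM Parameter Store or Secrets Manager via one interface.
Added example for this thread; parameter names, secret ids, values and the Fake* clients
are constructed so the module runs offline without boto3 installed."""
import time
from typing import Any, Dict, Optional, Tuple


def redact(value: str, keep: int = 4) -> str:
    """Return a log-safe form of a secret: a short prefix and an ellipsis."""
    return value[:keep] + "..." if len(value) > keep else "..."


class SecretResolver:
    """Fetch secrets by reference string and cache them for a short TTL.
    `ssm` / `secretsmanager` are boto3 clients (boto3.client("ssm"),
    boto3.client("secretsmanager")) or any objects with the same methods."""

    def __init__(self, ssm: Any, secretsmanager: Any, ttl_seconds: float = 300.0) -> None:
        self.ssm = ssm
        self.secretsmanager = secretsmanager
        self.ttl_seconds = ttl_seconds
        self._cache: Dict[str, Tuple[float, str]] = {}  # ref -> (fetched_at, value)

    def resolve(self, ref: str) -> str:
        """ref is 'ssm:///path/to/param' or 'secretsmanager://secret-id'."""
        now = time.monotonic()
        hit = self._cache.get(ref)
        if hit is not None and now - hit[0] < self.ttl_seconds:
            return hit[1]
        if ref.startswith("ssm://"):
            value = self._from_parameter_store(ref[len("ssm://"):])
        elif ref.startswith("secretsmanager://"):
            value = self._from_secrets_manager(ref[len("secretsmanager://"):])
        else:
            raise ValueError(f"unsupported secret reference: {ref}")
        self._cache[ref] = (now, value)
        return value

    def _from_parameter_store(self, name: str) -> str:
        # WithDecryption=True is required to get a SecureString's plaintext; the
        # calling principal needs ssm:GetParameter and kms:Decrypt on the parameter's key.
        param = self.ssm.get_parameter(Name=name, WithDecryption=True)["Parameter"]
        if param.get("Type") != "SecureString":
            # String/StringList parameters are stored unencrypted and echoed in
            # console and CLI output, so refuse to treat one as a secret.
            raise ValueError(f"parameter {name} is {param.get('Type')}, not SecureString")
        return param["Value"]

    def _from_secrets_manager(self, secret_id: str) -> str:
        resp = self.secretsmanager.get_secret_value(SecretId=secret_id)
        if "SecretString" not in resp:
            raise ValueError(f"secret {secret_id} is binary; expected SecretString")
        return resp["SecretString"]


def default_resolver(region: Optional[str] = None) -> SecretResolver:
    """Wire the resolver to real boto3 clients (imported lazily; the demo below needs no AWS)."""
    import boto3
    return SecretResolver(boto3.client("ssm", region_name=region),
                          boto3.client("secretsmanager", region_name=region))


class FakeSSMClient:
    """Constructed stand-in for the boto3 SSM client: same call shape, no network."""

    def __init__(self, params: Dict[str, Tuple[str, str]]) -> None:
        self.params = params  # name -> (Type, Value)
        self.calls = 0

    def get_parameter(self, Name: str, WithDecryption: bool = False) -> dict:
        self.calls += 1
        ptype, value = self.params[Name]
        return {"Parameter": {"Name": Name, "Type": ptype, "Value": value}}


class FakeSecretsManagerClient:
    """Constructed stand-in for the boto3 Secrets Manager client."""

    def __init__(self, secrets: Dict[str, str]) -> None:
        self.secrets = secrets
        self.calls = 0

    def get_secret_value(self, SecretId: str) -> dict:
        self.calls += 1
        return {"SecretString": self.secrets[SecretId]}


def demo() -> dict:
    """Run the resolver against the constructed fakes and report what happened."""
    ssm = FakeSSMClient({"/app/db/password": ("SecureString", "s3cr3t-pw"),
                         "/app/db/host": ("String", "db.internal")})
    sm = FakeSecretsManagerClient({"prod/app/api-key": '{"api_key": "k-123"}'})
    resolver = SecretResolver(ssm, sm, ttl_seconds=60)
    password = resolver.resolve("ssm:///app/db/password")
    cached = resolver.resolve("ssm:///app/db/password") == password and ssm.calls == 1
    api_key = resolver.resolve("secretsmanager://prod/app/api-key")
    try:
        resolver.resolve("ssm:///app/db/host")  # plaintext String parameter: must be refused
        plain_rejected = False
    except ValueError:
        plain_rejected = True
    print(f"db password loaded: {redact(password)}")  # only the redacted form reaches logs
    return {"password": password, "cache_hit": cached, "api_key": api_key,
            "plain_param_rejected": plain_rejected,
            "ssm_calls": ssm.calls, "sm_calls": sm.calls}


if __name__ == "__main__":
    print({k: v for k, v in demo().items() if k not in ("password", "api_key")})
```

Standard-tier Parameter Store parameters carry no per-parameter charge and a SecureString is encrypted with a KMS key, which covers the "just store it somewhere encrypted" case; Secrets Manager adds automatic rotation and per-secret resource policies, which is what the per-secret price buys. Keeping both behind one resolver means a secret can move from one to the other by changing its reference string.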
|
CommieGIR posted: We'll see how much a breach will cost.
I brought that up! It fell on deaf ears however. Mind you I've been here 3 months. In that time twice AWS has reached out to us and told us that EC2 instances we're running are getting multiple abuse reports submitted against them. Each time I'm ready to call an all hands on deck to figure out what exactly is going on and each time they've simply shut them down and called it good. I honestly wonder at what point AWS steps in.
Happiness Commando posted: Systems manager parameter store is free in most circumstances
|
# ? Jan 19, 2022 01:58 |
|
Just make sure you are documenting all this for CYOA. Because as soon as a breach does happen, and they try to use their Cyber Insurance, they are going to point fingers. Document it, get your Manager's sign off on risks the business refuses to own or mitigate.
|
# ? Jan 19, 2022 02:02 |
|
CommieGIR posted: Just make sure you are documenting all this for CYOA. Because as soon as a breach does happen, and they try to use their Cyber Insurance, they are going to point fingers. Document it, get your Manager's sign off on risks the business refuses to own or mitigate.
It's maddening and I need to learn to just let it go. I literally had a discussion today with a manager where we are adding in a resolved(ignored) closure code to Jira tasks for ignored GuardDuty findings in the ONE account I was able to get that service turned on for. I got hired to do AWS security. The org desperately needs someone to take charge and start implementing basic best practices. The small team I am a part of is fully on board with things, the larger org is not. I feel like I got sold a bag of lies! They're a good(ish) company. Excellent benefits, good pay, super cheap and good insurance, treat people right, etc. But they just don't want to pay a dime for security. It's like they hire someone for this and then they just pat themselves on the back.
EDIT: Sorry for the rant I'll move future bitching to the other thread. This isn't really anything new in security. Just got to let it go, collect the paychecks and move on with my life.
|
# ? Jan 19, 2022 02:12 |
|
Hire a consultant to tell them that? It's amazing and sad how often humans trust something from outside the tribe vs someone inside the tribe.
|
# ? Jan 20, 2022 03:26 |
|
Yup. Once you get hired it means you were dumb enough to work "here."
|
# ? Jan 20, 2022 05:06 |
|
Ynglaur posted: Hire a consultant to tell them that? It's amazing and sad how often humans trust something from outside the tribe vs someone inside the tribe.
lmao it's amazing at how much money some of my employers have spent on external parties to tell them exactly what someone they already pay said to do.
|
# ? Jan 20, 2022 15:15 |
|
We are going through that right now at my job so many wasted dollars
|
# ? Jan 20, 2022 17:03 |
|
Martytoof posted: lmao it's amazing at how much money some of my employers have spent on external parties to tell them exactly what someone they already pay said to do.
I'm a consultant and my customers will hire consultants from other companies just to get a second opinion on my advice. If it's what they want to hear, you only need to tell them once. If it's not, they will go out and pull a Fox News and find the one person on earth with valid credentials who says HTTP is just fine and HTTPS is a scam by Verisign.
|
# ? Jan 20, 2022 17:23 |
|
This company is paying Amazon a huge sum of money to basically walk them through AWS's Well-Architected Framework, that is in the works. But they don't seem to want to actually do anything with the recommendations. The problem is they don't want to pay for anything and it's seriously so maddening. I have completely given up. I've been in IT long enough to know that everything will never be perfect, you'll always fight the battle of security vs convenience and cost, and that you're a cost center to a business. But this place is the worst run org I've ever been a part of in 10+ years.
|
# ? Jan 20, 2022 17:33 |
|
BaseballPCHiker posted: This company is paying Amazon a huge sum of money to basically walk them through AWS's Well-Architected Framework, that is in the works. But they don't seem to want to actually do anything with the recommendations.
My favorite tool for illustrating this is the HIPAA WALL OF SHAME https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Even if they're not under HIPAA regulations, the point is to show that poo poo happens regularly and has real consequences (to the extent that the legal fiction of a company being forced to pay the legal fiction of money counts as real consequences).
Edit: I highly recommend expanding them and browsing the descriptions.
quote: The covered entity (CE), Jackson County Health Department, reported that an employee failed to use the blind carbon copy function and inadvertently emailed the electronic protected health information (ePHI) of 1,000 individuals to unauthorized recipients. The ePHI involved included names, email addresses, and vaccination information. The CE notified HHS, affected individuals, and the media. In response to the breach, the CE sanctioned and retrained the responsible employee on the proper methods of protecting and safeguarding ePHI.
|
# ? Jan 20, 2022 17:45 |
|
I've complained enough, and I don't want to doxx myself so I'll try to stop here. But let me just say that this place should fail audits for cyberinsurance, and was in the news in the last 5 years for an "incident", and it'll absolutely happen again sooner or later.
BaseballPCHiker fucked around with this message at 17:53 on Jan 20, 2022 |
# ? Jan 20, 2022 17:48 |
|
Is it still probateable to just post a meme because I think this one is pretty on the nose…
|
# ? Jan 20, 2022 18:40 |
|
why would anybody actually pay for a CWPP or "CNAPP"? best i can tell they're six figure products that tell you to loving patch your poo poo
|
# ? Jan 21, 2022 00:42 |
|
Martytoof posted: Is it still probateable to just post a meme because I think this one is pretty on the nose…
oh I see you work with me
|
# ? Jan 21, 2022 00:49 |
|
Martytoof posted: Is it still probateable to just post a meme because I think this one is pretty on the nose…
Infosec101.png
|
# ? Jan 21, 2022 03:00 |
|
|
Martytoof posted: Is it still probateable to just post a meme because I think this one is pretty on the nose…
ICS dog
|
# ? Jan 21, 2022 06:54 |