CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

knox posted:

Isn't the LastPass password manager excel export what LAPSUS$ used to login as superadmin? Okta claiming the group only had the ability to "reset passwords and didn't access any accounts" is pretty laughable.

My accounting firm uses Okta as the VPN authentication login to use the company laptop; when I was looking into signing into my work e-mail on my phone I had to authorize the IT department/whoever to have full control over my phone which I assume is standard procedure, but I obviously declined. poo poo like this just reaffirms my fears.

Some people are claiming it was a honeytoken, but apparently rumor is LAPSUS did use it to gain privilege escalation.

Worth noting that LAPSUS also used Process Explorer to kill their EDR.

CommieGIR fucked around with this message at 18:11 on Mar 30, 2022


DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness

knox posted:

Isn't the LastPass password manager excel export what LAPSUS$ used to login as superadmin? Okta claiming the group only had the ability to "reset passwords and didn't access any accounts" is pretty laughable.

The details still seem a little fuzzy, but it's possible that the creds were for the Okta contractor's systems--it sounds like they had privileged access to waltz about within Sykes/Sitel's systems, while still only having Reset Password access to anything pushed through Okta's systems. Same with being able to kill off EDR--that was within Sykes Enterprises, rather than Okta proper.

Or they could be lying. Hard to say at this point. The whole thing is quite odd in how both companies are approaching it and what and when they claimed they did things--like Okta "detecting suspicious activity" from the compromised Sykes employee's account in Jan and then...not following up at all on it? Bizarre.

It'll also be interesting to see what other data they scraped out of Sitel's network, since I'm gonna go ahead and bet that whatever that data was involved a lot more than whatever they got from Okta itself.

knox
Oct 28, 2004

Okta is clearly lying and they have been hiding the hack for 2 months, until LAPSUS$ forced their hand.

As someone outside the industry with a basic knowledge of all the systems and processes involved, it sounds like Okta is just using the fact they accessed an IT worker's computer to state "they only had the ability to reset passwords." But once they opened the Excel file on that workstation and gained the login & password for superadmins, then subsequently added their own new users & a fwd: e-mail rule, that was that.

I think they detected the security breach via whatever Sitel employee, and then closed out that access. It wasn't until the full report was released that the entire system & superadmin access was revealed, which Okta seems to not even be admitting at the moment, other than sort of blaming Sitel but proclaiming responsibility for its contractors.

knox fucked around with this message at 18:13 on Mar 30, 2022

rafikki
Mar 8, 2008

I see what you did there. (It's pretty easy, since ducks have a field of vision spanning 340 degrees.)

~SMcD


Anyone seeing much about this yet? https://threatpost.com/critical-rce-bug-spring-log4shell/179173/

evil_bunnY
Apr 2, 2003

Frozen Peach posted:

Apparently Ubiquiti is suing Brian Krebs for defamation.

https://twitter.com/QuinnyPig/status/1508965090019577856

Couldn't have happened to a nicer person (notdan says hi)

Arivia
Mar 17, 2011

I misread this as a critical race (theory) bug, too much stupid politics discourse

Tryzzub
Jan 1, 2007

Mudslide Experiment
Rapid7 Writeup for the new hotness:

https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/

Good luck everybody!

jaegerx
Sep 10, 2012

Maybe this post will get me on your ignore list!


Is the cissp brain dump questions somewhat accurate?

some kinda jackal
Feb 25, 2003

 
 
Honestly hadn't looked at a dump before I took mine a few years back, but if you're just annoyed with the thicc encyclopedic volume you have to pore through to study, the book that helped me most was.. uhh..

It was something like "31 days before your CISSP" but I'll be damned if I can find any evidence that this book exists. I can find the CCNA one but apparently I either hallucinated the CISSP version or they stopped publishing it? Or maybe it was that "11th hour CISSP" book I see in results. It reduced that loving bible down to a concise and manageable read and I can honestly say that every question on the test was in some way in that book.

Having said that, I still walked out of that test 50/50 whether I passed or failed, so I was honestly relieved when I got the passing notice. I think they don't tell you how well you did if you pass so I can just assume I got every answer correct :smug:

SlowBloke
Aug 14, 2017

some kinda jackal posted:

"11th hour CISSP"

Wow this new wave of FMV nostalgia sure got weird

some kinda jackal
Feb 25, 2003

 
 
And much, much less entertaining

Rust Martialis
May 8, 2007

At night, Bavovnyatko quietly comes to the occupiers’ bases, depots, airfields, oil refineries and other places full of flammable items and starts playing with fire there

jaegerx posted:

Is the cissp brain dump questions somewhat accurate?

Having gotten my cissp* in 2001, what?


* finished exam in 55 minutes :)

Rust Martialis fucked around with this message at 13:16 on Mar 31, 2022

BaseballPCHiker
Jan 16, 2006

Just my two cents. The CISSP is nowhere near as hard as people make it out to be. Memorize the random bullshit they want you to know, "think like a manager" so don't get in-depth technical, and away you go. I studied way longer than I needed to for that stupid test.

CLAM DOWN
Feb 13, 2007




CISSP is a completely worthless cert and I think less of people who put it on their linkedin/email signature/etc.

some kinda jackal
Feb 25, 2003

 
 
I haven't put it in my signature or ever really identify as one, but I sure as gently caress paste it all over linkedin and my resume because it's a recruiter/hiring keyword; Not that I'm actively looking but you never know what's around the corner.

Full agree that it's worthless outside of getting paid though. If anyone is doing CISSP for any reason other than money I would actively say don't bother and focus on something technical. That's just my take though, others are free to disagree.

FungiCap
Jul 23, 2007

Let's all just calm down and put on our thinking caps.
US GOV (well, mostly DOD but everyone mostly follows them) messed up with the CISSP and made it a "level 3" for both technical skill AND management which massively inflated the value of the cert.

CISSP needs to be removed from IAT level 3 completely.

I've met CISSPs who can't even explain some very simple modern computing concepts.

That said I have a CISSP but would never mention that to anyone unless it was related to job negotiation. I am actually embarrassed to associate with other holders most of the time for the reason you all have mentioned.

some kinda jackal
Feb 25, 2003

 
 
I honestly don't think I could tell you one thing I learned in CISSP training outside of the CIA triangle or that there's some kind of fence and camera requirement for facilities, not that I could tell you what the requirements are in any useful detail.

It was legitimately not a good use of my time (again, outside of getting paid, but we're all whores on linkedin so there's no judgment from me on anyone who does plaster that all over their bio)

I mean, I don't know, that could also just speak to what an awful memory I have.. I'm sure there are people who retained that information while still not considering it useful, and I'm just really forgetful.

BaseballPCHiker
Jan 16, 2006

Once I had that cert it opened up a TON of doors for me to pivot from enterprise networking into security. Like a night and day difference.

Day to day work I lean on my ops/networking background, CISSP does nothing to help me once I get the job. I hate their CPE's, I hate renewing the drat thing, but I'll keep doing it just to get my foot in the door places.

Also big ol' LOL at those who think their poo poo doesnt stink once they have the CISSP.

stoopidmunkey
May 21, 2005

yep
I found the CISSP to not be a terribly hard test, but I did study a lot. I don’t think I really learned anything with it but it’s a check box for hr and I was shooting for a promotion. My bosses are in Europe and I’ve learned that on the other side of the Atlantic they don’t really care about it. They’d rather see an advanced degree.

Diva Cupcake
Aug 15, 2005

some kinda jackal posted:

I haven't put it in my signature or ever really identify as one, but I sure as gently caress paste it all over linkedin and my resume because it's a recruiter/hiring keyword; Not that I'm actively looking but you never know what's around the corner.

Full agree that it's worthless outside of getting paid though. If anyone is doing CISSP for any reason other than money I would actively say don't bother and focus on something technical. That's just my take though, others are free to disagree.
These are basically my feelings on it. I have it. It's on my resume and LinkedIn but I don't otherwise advertise it like in an email signature.

It's very useful as a signal when job searching because your audience when interviewing is generally not peers. It's leadership and HR and they still value it. It's also not terribly hard to study for so might as well.

some kinda jackal
Feb 25, 2003

 
 
If your work pays for it then it's a no brainer too.

some kinda jackal
Feb 25, 2003

 
 
Speaking of no brainer...

Delete Java.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

some kinda jackal posted:

Speaking of no brainer...

Delete Java.

Would if I could.

jaegerx
Sep 10, 2012

Maybe this post will get me on your ignore list!


As to why I’m asking infosec questions. We hired a questionable CSO that keeps purchasing from companies he’s previously worked for. He bought us AppRiver despite us using Gmail and I just noticed today that he only changed the MX records in DNS for our .com and not our .org. Both places go to us.

Hence my cissp brain dump cause I honestly thought it was a hard test and I’m just in shock about how stupid those questions are.

E: had to say mx records.

jaegerx fucked around with this message at 03:33 on Apr 1, 2022

some kinda jackal
Feb 25, 2003

 
 
The test has this stupid mind game quality of “sometimes more than one answer is correct so you have to find the MOST correct answer” which is really the only thing that I thought was legitimately hard about it. I’m a horrible test taker and get anxious about stuff like that.

spankmeister
Jun 15, 2008






That's just a way for them to cover their asses on the fact that some of the questions are completely nonsensical

Thanks Ants
May 21, 2004

#essereFerrari


jaegerx posted:

As to why I’m asking infosec questions. We hired a questionable CSO that keeps purchasing from companies he’s previously worked for. He bought us AppRiver despite us using Gmail and I just noticed today that he only changed the MX records in DNS for our .com and not our .org. Both places go to us.

Hence my cissp brain dump cause I honestly thought it was a hard test and I’m just in shock about how stupid those questions are.

E: had to say mx records.

They're just configuring it for maximum availability in case AppRiver ever goes down, people can just email the .org addresses and still get through :science:
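
The half-migrated MX setup jaegerx describes above is easy to check mechanically, so here is an added example (editor's code, not any poster's) that audits every domain an organisation receives mail for and flags any MX host that is not the filtering provider. The filter hostnames under filter.example.net, the domain list and the function names are constructed assumptions; the aspmx.l.google.com names are Google Workspace's published MX hosts.

```python
"""Audit that every domain you receive mail for routes inbound mail through the
same filtering provider. Added example, not a poster's code. The filter
hostnames under filter.example.net and the domain list are constructed;
the aspmx.l.google.com names are Google Workspace's published MX hosts.
"""

# Constructed MX data in the shape an MX lookup returns:
# {domain: [(preference, exchange), ...]}. example.com is fully migrated,
# example.org was never touched, example.net still has the old Google MX
# next to the filter, example.edu has no MX at all.
SAMPLE_MX = {
    "example.com": [(10, "mx1.filter.example.net."), (20, "mx2.filter.example.net.")],
    "example.org": [(1, "ASPMX.L.GOOGLE.COM."), (5, "alt1.aspmx.l.google.com.")],
    "example.net": [(10, "mx1.filter.example.net."), (20, "aspmx.l.google.com.")],
    "example.edu": [],
}

# DNS suffixes the filtering provider publishes for its inbound MX (assumed name).
FILTER_SUFFIXES = ("filter.example.net",)


def _canon(host):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return host.rstrip(".").lower()


def audit_mx(mx_by_domain, filter_suffixes=FILTER_SUFFIXES):
    """Return {domain: [problems]}; an empty list means the domain is consistent.

    Problems:
      no-mx           the domain has no MX at all (mail falls back to the A record or bounces)
      bypass: <host>  an MX that is not the filter, so senders can deliver around it;
                      spammers and phishers try every MX, not just the lowest preference
    """
    report = {}
    for domain, records in mx_by_domain.items():
        problems = []
        if not records:
            problems.append("no-mx")
        for _pref, exchange in sorted(records):
            host = _canon(exchange)
            if not any(host == s or host.endswith("." + s) for s in filter_suffixes):
                problems.append(f"bypass: {host}")
        report[domain] = problems
    return report


def lookup_mx(domain):
    """Live MX lookup with dnspython (pip install dnspython); not used by the offline sample."""
    import dns.resolver
    try:
        answer = dns.resolver.resolve(domain, "MX")
    except dns.resolver.NoAnswer:
        return []
    return sorted((r.preference, r.exchange.to_text()) for r in answer)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python mx_audit.py example.com example.org ...
        data = {d: lookup_mx(d) for d in sys.argv[1:]}
    else:
        data = SAMPLE_MX
    for domain, problems in audit_mx(data).items():
        print(f"{domain:14} {'OK' if not problems else ', '.join(problems)}")
```

Run it with no arguments to see the constructed sample, or pass your real domains to resolve them live. The example.net case is the one to watch for: the filter being present in the MX set is not enough, the old direct-delivery MX has to go too, and the Gmail side should additionally be configured to accept mail only from the filter's addresses (Google Workspace's inbound gateway setting), since anyone who knows the Google MX hostnames can otherwise skip the filter entirely.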

navyjack
Jul 15, 2006



Wondering if you guys can help with a possible interview question. Would a Shodan query pinging IoT devices show up in network logs? If so, which logs and what would it look like?

Thanks Ants
May 21, 2004

#essereFerrari


Not sure you can give an answer without context really. Is there an organisation that would log all ping traffic to IoT devices but also have them in a position where they can be pinged by Shodan? As for where the logs end up, it depends on the logging platform that is in use.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

navyjack posted:

Wondering if you guys can help with a possible interview question. Would a Shodan query pinging IoT devices show up in network logs? If so, which logs and what would it look like?

Really depends on the logging setup. Are you logging all connection requests? Are the IoT devices exposed in such a way that inbound connections are accepted?

BonHair
Apr 28, 2007

CommieGIR posted:

Really depends on the logging setup. Are you logging all connection requests? Are the IoT devices exposed in such a way that inbound connections are accepted?

This is the answer, yeah. Logging setup is basically* finding a balance between logging every packet and request everywhere and not buying every hard disk in the world to contain your logs. In this case, the answer is going to depend on whether the IoT things are connected to the internet, if anyone cares who tries to find them and how big an idiot the network guy is.

*Advanced level includes :airquote: privacy :airquote:, performance and not logging for Java because that will give everyone access to all your systems.

Guy Axlerod
Dec 29, 2008
Do they mean ping or "ping"? And do they mean a shodan query, or a scan/spider used to build their index?

Or does shodan do some revalidation in real time?
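
To make the answers above concrete, here is an added example (editor's code, not any poster's) of what the "ping or 'ping'" distinction Guy Axlerod raises looks like in an edge firewall log, and how to tell an index-building scan apart from an ordinary client. It assumes the perimeter logs inbound packets with the netfilter LOG target, the key=value format iptables, nftables and UFW produce; the log lines, addresses, and the scan threshold are constructed assumptions, and no Shodan scanner addresses are hardcoded.

```python
"""Would a Shodan-style probe of an internet-facing IoT device show up in logs?

Added example for this thread, not a poster's code. It assumes the edge device
logs inbound packets with the netfilter LOG target (the key=value line format
that iptables, nftables and UFW produce). If nothing at the perimeter logs
drops or accepts, there is nothing to find, whichever SIEM sits behind it.
"""
import re
from collections import defaultdict

# Constructed sample lines, not captured from a real host. 203.0.113.10 plays
# the exposed device; 198.51.100.7 pings it and then walks common IoT service
# ports (telnet, http, https, alt-http, MQTT, CoAP), which is what an index
# builder looks like; 198.51.100.9 only pings; 192.0.2.44 makes one ordinary
# HTTPS connection; the last line is the device's own outbound reply.
SAMPLE_LOG = """\
Apr  1 10:02:10 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=28 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Apr  1 10:02:11 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=41862 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  1 10:02:11 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=41863 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  1 10:02:12 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=41864 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  1 10:02:13 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=41865 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  1 10:02:14 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=41866 DPT=1883 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  1 10:02:15 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=40001 DPT=5683 LEN=28
Apr  1 10:03:01 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 LEN=28 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
Apr  1 10:03:30 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=TCP SPT=50001 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Apr  1 10:03:31 gw kernel: [UFW AUDIT] IN= OUT=eth0 SRC=203.0.113.10 DST=192.0.2.44 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=443 DPT=50001 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")  # the LOG target emits space-separated KEY=value tokens


def parse_line(line):
    """Return the key=value fields of one LOG line as a dict, or None if it is not one."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return fields


def summarize(log_text):
    """Per source IP on the inbound interface: ports and protocols it touched."""
    per_src = defaultdict(lambda: {"tcp": set(), "udp": set(), "icmp_echo": False, "packets": 0})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or not f.get("IN"):  # empty IN= means locally generated, i.e. outbound
            continue
        entry = per_src[f["SRC"]]
        entry["packets"] += 1
        proto = f["PROTO"]
        if proto == "ICMP" and f.get("TYPE") == "8":  # type 8 = echo request, a real "ping"
            entry["icmp_echo"] = True
        elif proto in ("TCP", "UDP") and "DPT" in f:  # a "ping" in the loose sense: a SYN or datagram
            entry[proto.lower()].add(int(f["DPT"]))
    return dict(per_src)


def classify(per_src, scan_threshold=3):
    """Label each source. The threshold is an assumption; tune it to the site's normal traffic."""
    verdicts = {}
    for src, e in per_src.items():
        distinct_ports = len(e["tcp"]) + len(e["udp"])
        if distinct_ports >= scan_threshold:
            verdicts[src] = "port-scan"
        elif e["icmp_echo"] and distinct_ports == 0:
            verdicts[src] = "ping-only"
        else:
            verdicts[src] = "single-probe"
    return verdicts


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src, verdict in classify(summary).items():
        e = summary[src]
        print(f"{src:16} {verdict:13} tcp={sorted(e['tcp'])} udp={sorted(e['udp'])} "
              f"icmp_echo={e['icmp_echo']} packets={e['packets']}")
```

The durable signal is the shape of the traffic (one SYN or datagram per service port from one source, then nothing) rather than who sent it; if you want attribution, match SRC against the scanner hostnames Shodan publishes via reverse DNS instead of hardcoding addresses that change. Two caveats that map onto the replies above: a device behind NAT with no port forward never produces any of these lines, and since an index builder completes the handshake to grab a banner, an accepted connection on the device itself shows up as a connect followed by an immediate disconnect in the service's own log, not only at the firewall.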

AlternateAccount
Apr 25, 2005
FYGM
I am gonna defend the CISSP a bit and say that it tests primarily for subjective thinking and decision making in a security context.
It’s not deeply technical but it does require you to have enough knowledge to evaluate potential solutions and come up with a “best” answer.

Committing the sin of broadly generalizing, I’ve worked in IT a long time, and security is the worst subgroup of people who are smart, technical, and capable, but only in relatively fixed and defined pathways. Any kind of subjective decision making or strategic thinking is difficult and having a CISSP means that at least to some degree, you can think along those pathways effectively.

Commence the savaging.

some kinda jackal
Feb 25, 2003

 
 
So I agree in principle, that the subject matter should make you a somewhat more rounded professional; In all fairness, I joke about that security fence thing but, I mean, while I certainly can’t recite any of that material now, I at least know that it exists so I at least know enough to say “ok there’s other stuff I should consider” when I’m in that situation.

Maybe I can sum up my CISSP complaint in a different way then. I think that of most practitioners, myself included, a CISSP tells me nothing more than your company thought you were important enough to spend $6000 on a 3 day bootcamp. I think in my career I’ve worked with one person who I legitimately could describe as knowing that material really well and practicing it on a regular basis, and he was definitely more on the compliance and audit side of the house.

So, I don’t know, I mean I still think it’s a mostly pointless certification and that its only real use should be to try to get yourself a fat raise, but saying it has ZERO value is probably a little flippantly unfair, I’ll concede.



I think I’m just very checked out on corporate security at this point though. In my head I can rewrite the same basic points about like.. every engagement I’ve ever had with Deloitte or IBM or any big name consulting house. So much security theatre and while most of my experiences have been negative I won’t say I’ve never gotten value out of these kinds of things, so there’s a little bit of this and that everywhere.

I think I’m just rambling at this point. It’s Friday evening and the longest possible time between now and having to touch the corporate security poop with a stick so I should be offline enjoying a drink :)

some kinda jackal fucked around with this message at 00:49 on Apr 2, 2022

AlternateAccount
Apr 25, 2005
FYGM
Fair. I came in knowing most of the technical and just had to kinda study how they wanted me to think.
I cannot imagine people boot camping their way through it, but I guess they do.

Drinks it is.

jaegerx
Sep 10, 2012

Maybe this post will get me on your ignore list!


My cso is a complete idiot so I’m gonna brain dump it to pass and add it to my signature like he does. Yes. He’s a cso that has his certs in his signature.

vanity slug
Jul 20, 2010

I put every cert in my signature, including MCDST

some kinda jackal
Feb 25, 2003

 
 
If I make it to the signature line in just a single email in my inbox, it’s an unusual day.

spankmeister
Jun 15, 2008






I'm gonna put my European Computer Driving Licence (ECDL) in my sig


KozmoNaut
Apr 23, 2008

Happiness is a warm
Turbo Plasma Rifle


I'll have to add my Sewing Machine Operator License from 3rd grade.
