Major Operation
Jan 1, 2006

Based on some tweets from Kevin Beaumont, looks like the next winners of the "Critical Threat Advisory Sweepstakes" might be anyone running FortiGate firewalls.

https://twitter.com/GossiTheDog/status/1578327883847589889

Seems like Fortinet usually puts out PSIRT advisories on the first Tuesday of the month, but one for October isn't public yet.


Potato Salad
Oct 23, 2014

nobody cares


BaseballPCHiker posted:

My poo poo company's EDR agent has broken and become unresponsive on something like 25% of our hosts.

I get brought in to do damage control and to work with the vendor to see what's happened. After about a day of work together it becomes clear that it's largely an issue due to the initial rush hack/job deployment and the fix is to force client upgrades on hosts. This answer does not go over well with management.

We are now getting multiple demo environments and licenses for other EDR products and rolling those all out helter skelter in prod to cover the affected hosts. I can't make this poo poo up.

do not buy FireEye, now Trellix

dooooooooooont loving do it

Shuu
Aug 19, 2005

Wow!

BaseballPCHiker posted:

On the topic of emails.

Has anyone played around with Abnormal's magical AI email security software? I've been demoing it and really, really wish I could convince my company to buy it, which I know will never happen.

I wasn't a huge fan when I demoed it. 90-95% of the stuff they caught was obvious commodity garbage that Google magic had already punted into spam anyways, and when I asked them if we could filter detection results based on messages that were already in spam/detected by Google they seemed oddly combative about it. We also had high false positive rates with the rest -- the combination of interacting with new users/domains + NLP deciding that they were discussing finance/payments wasn't a good signal for my particular industry, since talking to new contacts about money is pretty standard in real estate. With so many FPs that could affect time-sensitive million dollar transactions, we were not super into it.

It would have been better if (a) it was easy to prove out the value of the tool over our existing tooling and (b) they had more "remediation" options besides sending to spam/trash, such as adding warning banners or de-fanging links/attachments like some competing tools do. We didn't really have the appetite for the high FPs, price point, and just trusting that the magic AI would maybe improve as we taught it.

BaseballPCHiker
Jan 16, 2006

How long ago was your demo? Only reason I ask is because they do have some context-dependent banners and link de-fanging now. In my admittedly limited testing it worked quite well, but my company doesn't have a ton of discussions with outsiders about financial matters, and I could easily see how that trips up their AI.

That was my biggest concern if we went with them: the ability to fine-tune detections and write your own seemed to be non-existent.

BonHair
Apr 28, 2007

Trusting AI to do basically anything seems a lot worse than trusting your employees to not be idiots. And I'm definitely not saying you should trust your employees to not be idiots.

False positives for email spam, especially for external communication, seem like they're really bad for business, at least if you're talking emails that real people sent. I'd much rather set up a stricter separation of duties (with more steps or something) for financial stuff than trust an AI to filter out the phishing.

Shuu
Aug 19, 2005

Wow!

BaseballPCHiker posted:

How long ago was your demo? Only reason I ask is because they do have some context-dependent banners and link de-fanging now. In my admittedly limited testing it worked quite well, but my company doesn't have a ton of discussions with outsiders about financial matters, and I could easily see how that trips up their AI.

That was my biggest concern if we went with them: the ability to fine-tune detections and write your own seemed to be non-existent.

I demoed it about 2 months ago and gave them feedback about needing more granular response actions. They didn't seem particularly interested but maybe they've done more since.

droll
Jan 9, 2020

by Azathoth

Potato Salad posted:

do not buy FireEye, now Trellix

dooooooooooont loving do it

I really enjoyed the few weeks of them randomly not delivering our emails but logging that they had and pointing the finger at our major partner's mail server.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
https://twitter.com/Laughing_Mantis/status/1579550302172508161?t=NtzSR5tHC6yPm37nsNuKUA&s=19

Defenestrategy
Oct 24, 2010


Neat, I did almost this exact attack as part of a capstone project back in 2016 and the intern I'm in charge of is currently doing it as part of theirs. We both came to the conclusion that while it's a cool way of doing it there are undoubtedly cheaper and easier ways to deliver a pineapple in range.

The Fool
Oct 16, 2003


does eliminate the possibility of the janitor you bribed turning on you

but dji drones are huge snitches too

Thanks Ants
May 21, 2004

#essereFerrari


Send a courier into the lobby with a parcel, kick your embedded computer behind a plant pot

Defenestrategy
Oct 24, 2010

Thanks Ants posted:

Send a courier into the lobby with a parcel, kick your embedded computer behind a plant pot

Combine these, deliver a potted plant with an embedded computer into the lobby.

The Fool
Oct 16, 2003


at my old job you couldn't get at our internal wifi from the lobby since we used a shared lobby and we were a few floors up

Defenestrategy
Oct 24, 2010

On the subject, how do you go about limiting the range of your wifi intentionally for enterprises? Do you play with the transmitter power? Put up signal dampeners?

Thanks Ants
May 21, 2004

#essereFerrari


Lower the tx power of the radios, increase the number of APs to compensate.

wolrah
May 8, 2006
what?
Also directional antennas can sometimes be useful for APs near the perimeter of your space.

But yea, many small APs with power levels set to just what's necessary to cover their area are better than fewer larger APs in basically every way other than the obvious cost of more APs and associated wiring. On top of less signal "leakage" you also get better performance since fewer clients are fighting over any given AP.

Rojo_Sombrero
May 8, 2006
I ebayed my EQ account and all I got was an SA account
Just have new office chairs with embedded computers delivered.

RFC2324
Jun 7, 2012

http 418

Rojo_Sombrero posted:

Just have new office chairs with embedded computers delivered.

finally a way to stay warm with the thermostat set to 60

TheWorldsaStage
Sep 10, 2020

Saw a commercial during the game last night of an office chair over 1k with a heating and cooling system. Bout lost my poo poo laughing.

taqueso
Mar 8, 2004



Office chairs without heating and cooling are more than 1k, sounds like a bargain

Hollow Talk
Feb 2, 2014

taqueso posted:

Office chairs without heating and cooling are more than 1k, sounds like a bargain

Diva Cupcake
Aug 15, 2005

Anyone ever heard of Feisty Duck? I'm looking to spend some training budget they have a 4-day course on TLS and PKI. Primarily looking to re-write our encryption standard for our architects and developers.

https://www.feistyduck.com/training/practical-tls-and-pki

Zil
Jun 4, 2011

Satanically Summoned Citrus


Wasn't sure to ask this here or in the programming thread but it seems more security focused so here I am.

For a support case I have assigned to me, I need the ability to see what one program is sending to another. The problem is the packets are encrypted and the normal tool we use is well not that easy to set up for the customer and does not seem to want to capture what we want it to. It goes by the name Fiddler Classic if anyone is familiar with that and can maybe point me in the direction of guides they have used in the past.

However, I am more versed in Wireshark and using pre-master secret keys to do any logging, but I am not sure if the customer's IT would go for something like that.

Do I have other options available to me or should I push to get approval for Wireshark?

Sickening
Jul 16, 2007

Black summer was the best summer.
Has there been any recent investigative journalism done on the Joseph Sullivan case? I talked to my CISO today about this issue and this case is loving wild.

some kinda jackal
Feb 25, 2003

 
 
So I have kind of a governance-ish question. Has anyone had any experience in translating a set of policy/standard documents into a more humanized or checklist-ish form that makes them easier to consume or at least scope at a high level?

My experience has always been that corporate/security policies say a lot of things, but they're a constantly evolving wordy set of documents that literally no one will read, least of all the people who actually need to know what they've been committed to comply with, by management.

"Policy training" is a glib answer IMO. Easy to say, but from experience all it does is put busy technical people in a training session they don't have time for and won't pay attention to. You could show a blank PowerPoint for an hour and still have 95% attestation from participants that say they've been trained and fully understand the material.

I'm thinking of a pragmatic way to "coles notes" policies. You'll never get 100% clarity from this, but I'm at the point where I literally want to just put all our policies into an excel checklist and input them into projects or initiatives because every time I think "no, certainly they've considered X because it's explicitly in our policies", I get back an initial draft architecture where I read through it and .. well,



I've stepped up my game in being verbose about requirements to match all the big hitters I see, so honestly maybe that's the answer -- "be more detailed in your requirements" -- but I guess that's a myopic view. If I'm not the one involved in a project then maybe it doesn't get done, or the requirements become confusing because they're worded differently by different architects, or .. any number of things.

At a high level I kind of want to propose some solution to this rather than complaining about it, so lacking any great out of the box options I think I'm literally just going to take a week and sift through the policies and make them into an excel checklist with a linkback to specific policy document PDFs and standards, maybe to our repository of architecture patterns that might touch on existing implementations/solutions. It may not speak to specific implementation details, but at least it'll give people a resource where they can say "ok yeah I see we haven't even TALKED about how we're going to solve for 12.5.2 so we should probably figure that out before it gets redflagged right before launch"

It's also 7am and I'm full of caffeine and kind of shower-thought-ing.

And to be clear, I know you're never going to solve for lack of common sense. If you've got nerds just doing stupid stuff like opening ports to ANY:ANY then that's a systemic mindset problem, not a policy verbosity problem, but I'm thinking of some of the more esoteric expectations.


Zil posted:

Wasn't sure to ask this here or in the programming thread but it seems more security focused so here I am.

For a support case I have assigned to me, I need the ability to see what one program is sending to another. The problem is the packets are encrypted and the normal tool we use is well not that easy to set up for the customer and does not seem to want to capture what we want it to. It goes by the name Fiddler Classic if anyone is familiar with that and can maybe point me in the direction of guides they have used in the past.

However, I am more versed in Wireshark and using pre-master secret keys to do any logging, but I am not sure if the customer's IT would go for something like that.

Do I have other options available to me or should I push to get approval for Wireshark?

If there's no mutual TLS authentication or certificate pinning/validation, then I suppose any MITM proxy would do the job here. mitmproxy specifically will do http, websocket, or even straight TCP stream, so that may be an option, and you can probably run it in a container for ease. If your apps are in a lower environment and you can funnel them through a proxy, that might work. If you're touching production traffic then that's obviously more complicated (both logistically, and make sure you're not going to see anything you're not prohibited from seeing), and your best bet probably WOULD be to sniff the wire with wireshark as you suggest, though I have no actual experience with that.

And obviously if your traffic is payload encrypted then you're SOL, but it sounds like you've got this tracing going on elsewhere so likely no issues there?

some kinda jackal fucked around with this message at 12:30 on Oct 19, 2022
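For the Wireshark route Zil mentions (pointing Wireshark at a pre-master-secret / key log file), here is an added check that is not from any poster: a small parser for the NSS key log format that SSLKEYLOGFILE-aware clients write and Wireshark reads. It validates each line, groups secrets per TLS session, and reports which sessions Wireshark will actually be able to decrypt, which is worth knowing before you ask the customer's IT to collect and hand over a capture. The sample lines are constructed dummy values, not real key material.

```python
"""Sanity-check an NSS key log file before pairing it with a packet capture.

Format (one record per line, fields separated by spaces):
  CLIENT_RANDOM <client_random 32 bytes hex> <master_secret 48 bytes hex>   (TLS 1.2 and older)
  <TLS13_LABEL>  <client_random 32 bytes hex> <secret, hash length (32/48 bytes) hex>
Lines starting with '#' are comments.
"""
from collections import defaultdict
import re

TLS12_LABEL = "CLIENT_RANDOM"
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
# Application data in TLS 1.3 needs both directions' traffic secrets.
NEEDED_TLS13 = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}


def _is_hex(s, nbytes=None):
    """True if s is even-length hex, optionally of exactly nbytes bytes."""
    if not re.fullmatch(r"[0-9a-fA-F]+", s) or len(s) % 2:
        return False
    return nbytes is None or len(s) // 2 == nbytes


def parse_keylog(text):
    """Return (sessions, errors).

    sessions: client_random (lowercase hex) -> {label: secret}
    errors:   list of (line_number, reason) for lines Wireshark would not use
    """
    sessions = defaultdict(dict)
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            errors.append((lineno, "expected 3 fields"))
            continue
        label, client_random, secret = parts
        if not _is_hex(client_random, 32):
            errors.append((lineno, "client random must be 32 bytes of hex"))
            continue
        if label == TLS12_LABEL:
            if not _is_hex(secret, 48):
                errors.append((lineno, "master secret must be 48 bytes of hex"))
                continue
        elif label in TLS13_LABELS:
            # Secret length equals the cipher suite's hash length: SHA-256 or SHA-384.
            if not (_is_hex(secret, 32) or _is_hex(secret, 48)):
                errors.append((lineno, "TLS 1.3 secret must be 32 or 48 bytes of hex"))
                continue
        else:
            errors.append((lineno, f"unknown label {label}"))
            continue
        sessions[client_random.lower()][label] = secret.lower()
    return dict(sessions), errors


def decryptable(session):
    """True if the recorded secrets suffice to decrypt the session's application data."""
    if TLS12_LABEL in session:
        return True
    return NEEDED_TLS13.issubset(session)


def summarize(text):
    """Aggregate counts a reviewer can eyeball before handing the file over."""
    sessions, errors = parse_keylog(text)
    return {
        "sessions": len(sessions),
        "tls12": sum(TLS12_LABEL in s for s in sessions.values()),
        "tls13": sum(TLS12_LABEL not in s for s in sessions.values()),
        "decryptable": sum(decryptable(s) for s in sessions.values()),
        "errors": errors,
    }


# Constructed sample key log; the hex values are filler, not real secrets.
SAMPLE = "\n".join([
    "# constructed sample, not real key material",
    "CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48,                   # TLS 1.2 session
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "44" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "55" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "33" * 32 + " " + "66" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "33" * 32 + " " + "77" * 32,         # complete TLS 1.3 session
    "CLIENT_TRAFFIC_SECRET_0 " + "88" * 32 + " " + "99" * 32,         # server half never logged
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 20,                   # wrong master secret length
    "BOGUS_LABEL " + "cc" * 32 + " " + "dd" * 32,                     # not a key log label
])

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A session that shows up as not decryptable usually means the client was started before SSLKEYLOGFILE was set, or the log was truncated; re-run the client with the variable in place rather than fighting Wireshark.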

SlowBloke
Aug 14, 2017

some kinda jackal posted:

So I have kind of a governance-ish question. Has anyone had any experience in translating a set of policy/standard documents into a more humanized or checklist-ish form that makes them easier to consume or at least scope at a high level?

My experience has always been that corporate/security policies say a lot of things, but they're a constantly evolving wordy set of documents that literally no one will read, least of all the people who actually need to know what they've been agreed to comply with, by management.

"Policy training" is a glib answer IMO. Easy to say, but from experience all it does is put busy technical people in a training session they don't have time for and won't pay attention to. You could show a blank PowerPoint for an hour and still have 95% attestation from participants that say they've been trained and fully understand the material.

I'm thinking of a pragmatic way to "coles notes" policies. You'll never get 100% clarity from this, but I'm at the point where I literally want to just put all our policies into an excel checklist and input them into projects or initiatives because every time I think "no, certainly they've considered X because it's explicitly in our policies", I get back an initial draft architecture where I read through it and .. well,


My personal tip, if you are translating legalese to human on laws or other legally binding documents, is don't. If you misinterpret a law and provide wrong info, even by omission, your rear end is on the line, so have someone from legal at your side from start to finish with every transaction done in writing. If it's internal regulations, you might want to provide a draft to HR and legal before mass distribution.

SlowBloke fucked around with this message at 06:14 on Oct 20, 2022

Thanks Ants
May 21, 2004

#essereFerrari


Agreed, you can do the translation of policy requirements determined by your in-house lawyers into Intune settings or whatever, but it's not your job to understand the law and write checklists. Ask for help, if no help arrives then you can't do that task.

BaseballPCHiker
Jan 16, 2006

Maybe not the answer you're looking for, and maybe I'm mixing up terms, but here goes.

Policies = Long-winded business jargon doc that no one will read.

Standards = Much shorter, X requires Y, sort of checklist doc.

At least that's how I've approached it in my career the few times I've had to do something similar.

Zil
Jun 4, 2011

Satanically Summoned Citrus


some kinda jackal posted:


If there's no mutual TLS authentication or certificate pinning/validation, then I suppose any MITM proxy would do the job here. mitmproxy specifically will do http, websocket, or even straight TCP stream, so that may be an option, and you can probably run it in a container for ease. If your apps are in a lower environment and you can funnel them through a proxy, that might work. If you're touching production traffic then that's obviously more complicated (both logistically, and make sure you're not going to see anything you're not prohibited from seeing), and your best bet probably WOULD be to sniff the wire with wireshark as you suggest, though I have no actual experience with that.

And obviously if your traffic is payload encrypted then you're SOL, but it sounds like you've got this tracing going on elsewhere so likely no issues there?

Yeah we are going to end up using wireshark, it is just we had an update this week that blew up our queue so this project kind of got placed on hold for a bit. Thanks for confirming what I thought we needed to do.

Achmed Jones
Oct 16, 2004



jackal, what are you actually trying to do? there's probably some policy that's being ignored that is bumming you out. ok, cool, so you want to enforce the policy. figure out what the policy is that is being violated, then figure out why and how. is it an end-user behavior type thing? if so, maybe better to enforce the policy by making it so they can't do that thing than it is to give them another document. is it a developer-makes-mistakes sort of thing? maybe better to enforce with a git hook or presubmit or whatever that fails if it detects they're doing Thing X. If you can't do that, maybe a githook reminder that comments "Reviewers: Please ensure that this does not create novel cryptographic solutions! Remember that we only use libsodium here at the butt factory" will be more effective than another document for people who also have adhd to read and forget about because they're trying to write their code.

If you can be more specific, we can probably help you address the problem you're observing, but you probably get the general idea

Tryzzub
Jan 1, 2007

Mudslide Experiment

BaseballPCHiker posted:

Maybe not the answer you're looking for, and maybe I'm mixing up terms, but here goes.

Policies = Long-winded business jargon doc that no one will read.

Standards = Much shorter, X requires Y, sort of checklist doc.

At least that's how I've approached it in my career the few times I've had to do something similar.

this is the same approach we have, works well; our systems/dev folks see the technical details in the standards only and know what to apply

also, https://twitter.com/socradar/status/1582733456278069249?s=20&t=7BLFEnwRY2yyiuu2hAMP-Q

good luck have fun everyone! (although their search tool seems pretty broken)

Tryzzub fucked around with this message at 16:04 on Oct 19, 2022

vanity slug
Jul 20, 2010

jesus gently caress that blog post is exhausting

TheWorldsaStage
Sep 10, 2020

Jeoh posted:

jesus gently caress that blog post is exhausting

Christ you weren't kidding

some kinda jackal
Feb 25, 2003

 
 
Yeah, sorry, I'm on my way out to an appointment but I may have used the word policy and standard interchangeably and articulated terribly. I'll try to do better when I get in. Definitely no intention of translating legal language or anything like that.

I'm going to be really abstract, but a hypothetical example might be something like a compute or application security standard that says something like, your servers will be hardened to CIS L2, or you will leverage an approved identity provider for centralized account management, or.. I'm just making things up but you get the idea. I guess my goal would be a way to itemize these requirements in an easy-to-reference sheet such that I can reference them against projects without just attaching 40-page documents. And then when the project sends me their proposed architecture to review and verify, I'm constantly penciling in controls, which may or may not be cumbersome depending on when the discussion is happening.

I think as I talk it out, the real problem is the security-requirements delivery phase of a project. I should be able to realistically give a holistic list of requirements to a project to meet, instead of trying to determine which have to be explicitly spelled out and which can be assumed to be implicit, and that's on me.

I hate to type and run since I feel I might be putting my foot in my mouth, but I guess I'll chew on it when I get back :)

Achmed Jones
Oct 16, 2004



lol it's a clickbait site scanning for open buckets and then jumping up and down about it with their clickbait bullshit

that's pretty much what you expect when you go to a site called soc radar dot i o

Achmed Jones
Oct 16, 2004



some kinda jackal posted:

Yeah, sorry, I'm on my way out to an appointment but I may have used the word policy and standard interchangeably and articulated terribly. I'll try to do better when I get in. Definitely no intention of translating legal language or anything like that.

I'm going to be really abstract, but a hypothetical example might be something like a compute or application security standard that says something like, your servers will be hardened to CIS L2, or you will leverage an approved identity provider for centralized account management, or.. I'm just making things up but you get the idea. I guess my goal would be a way to itemize these requirements in an easy-to-reference sheet such that I can reference them against projects without just attaching 40-page documents. And then when the project sends me their proposed architecture to review and verify, I'm constantly penciling in controls, which may or may not be cumbersome depending on when the discussion is happening.

I think as I talk it out, the real problem is the security-requirements delivery phase of a project. I should be able to realistically give a holistic list of requirements to a project to meet, instead of trying to determine which have to be explicitly spelled out and which can be assumed to be implicit, and that's on me.

I hate to type and run since I feel I might be putting my foot in my mouth, but I guess I'll chew on it when I get back :)

you're holding it wrong. they aren't supposed to "harden servers to cis l2", they're supposed to "create all servers from FOO puppet template" (which happens to be hardened to that level). you don't throw policy at workers, you throw implementations at them that security practitioners (and/or legal) have confirmed conform to the policies

at work, the policy for corp services is pretty big. what it mostly means is "you have to be behind our beyondcorp proxy, and your ACL has to look like _this_". that's it. when end-users are reading policies instead of using approved interfaces you've got it backwards

Klyith
Aug 3, 2007

GBS Pledge Week

Achmed Jones posted:

lol it's a clickbait site scanning for open buckets and then jumping up and down about it with their clickbait bullshit

gonna fire up a Shodan session for open ports and call it ScareyBleed

You should be scared! And pay me money!

Zorak of Michigan
Jun 10, 2006


Achmed Jones posted:

you're holding it wrong. they aren't supposed to "harden servers to cis l2", they're supposed to "create all servers from FOO puppet template" (which happens to be hardened to that level). you don't throw policy at workers, you throw implementations at them that security practitioners (and/or legal) have confirmed conform to the policies

at work, the policy for corp services is pretty big. what it mostly means is "you have to be behind our beyondcorp proxy, and your ACL has to look like _this_". that's it. when end-users are reading policies instead of using approved interfaces you've got it backwards

Strong agreement here. Doesn't have to be Puppet, obviously, but if you really care about it being exactly right every time, checklist is never going to be half as satisfactory as code.

BonHair
Apr 28, 2007

I think the important thing, which is also what the thread is saying I think, is that you need to have more layers in your security framework.
You need some top-level policy which sets out the stuff management and maybe legal understands. Strategic level.
Then you need something that actually sets some measurable requirements and, importantly, designates responsibility for each part. I would call this security rules or security handbook, but whatever fits is good. I would base these rules on a standard, but make sure they have the specifics of your organisation (your roles and your minimum requirements). This is the tactical level that maybe some real computer touchers might and might not see.
The most important is the actual implementation in existing (or new) processes. Exactly who needs to do exactly what, when, and maybe a bit of why. If you can put it into git or whatever, that's even better. It's a long haul getting people to actually do the thing, but you have to be at the right level to explain exactly what it is you need. This is procedures and manuals, or, as mentioned, workflows. This is the operational level, which management should not care about, but which makes real sense for the people doing work.

And then you want to verify that your procedures are being followed. Set up some controls that verify that people are actually closing ports or forcing password resets or whatever. It's difficult to reward people for not making insecure poo poo, so you have to hit them with their mistakes (so they can improve).


Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

BonHair posted:

I think the important thing, which is also what the thread is saying I think, is that you need to have more layers in your security framework.
You need some top-level policy which sets out the stuff management and maybe legal understands. Strategic level.
Then you need something that actually sets some measurable requirements and, importantly, designates responsibility for each part. I would call this security rules or security handbook, but whatever fits is good. I would base these rules on a standard, but make sure they have the specifics of your organisation (your roles and your minimum requirements). This is the tactical level that maybe some real computer touchers might and might not see.
The most important is the actual implementation in existing (or new) processes. Exactly who needs to do exactly what, when, and maybe a bit of why. If you can put it into git or whatever, that's even better. It's a long haul getting people to actually do the thing, but you have to be at the right level to explain exactly what it is you need. This is procedures and manuals, or, as mentioned, workflows. This is the operational level, which management should not care about, but which makes real sense for the people doing work.

And then you want to verify that your procedures are being followed. Set up some controls that verify that people are actually closing ports or forcing password resets or whatever. It's difficult to reward people for not making insecure poo poo, so you have to hit them with their mistakes (so they can improve).

... This sounds exactly like what they were asking though. They know they need this, they're asking for help from anyone who was able to do it.
