So far a check of installed software in our CMDB seems to show that almost no instances of OpenSSL 3.x are in use. Baseline of about 15000 hosts. OpenSSL 3.0 was released in September 2021, so most Linux distros seem to still be on 1.x. We have a couple of apps that seem to be using 3.x, but it's really just a few. My concern is that app vendors roll OpenSSL into their app and it doesn't show up as installed software on Windows or Linux. Or appliances where there's no way to get the data. But right now, it's not SO bad, as the claim is it only affects version 3.x. Also not sure it's even possible to use a remote scan on OpenSSL. Someone's going to need to write one like for log4j to tickle the flaw, probably?
# ? Oct 26, 2022 09:01 |
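One way to close the gap the post above worries about (OpenSSL rolled into a vendor app and invisible to the package manager and the CMDB) is to sweep the filesystem for the version string that every OpenSSL build compiles in, OPENSSL_VERSION_TEXT, e.g. "OpenSSL 3.0.6 11 Oct 2022". The script below is an added example written for this page, not something any poster shared. It scans ELF, PE and Mach-O files for that string and flags 3.0.0 through 3.0.6 as needing the 3.0.7 patch. The sample blob, the path names and the function names are my own constructions.

```python
"""Sweep a filesystem for OpenSSL copies by their embedded version string.

Added example for the thread; not a poster's script.  Every OpenSSL build
carries its OPENSSL_VERSION_TEXT string ("OpenSSL 3.0.6 11 Oct 2022") in
libcrypto and in any binary that links it statically, so a byte search over
executables and shared libraries finds vendor-bundled copies that never show
up in rpm/dpkg/MSI inventories.
"""
import os
import re
import sys
from typing import Iterator, NamedTuple

# Matches "OpenSSL 3.0.6 11 Oct 2022" and "OpenSSL 1.1.1q  5 Jul 2022" (note
# the double space before a single-digit day).  The date part is optional.
VERSION_RE = re.compile(
    rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(?:\s+\d{1,2} [A-Z][a-z]{2} \d{4})?"
)
FIXED_3_0 = (3, 0, 7)                        # first 3.0.x release with the fix
MAX_FILE_BYTES = 512 * 1024 * 1024           # skip VM images, core dumps, etc.
BINARY_MAGICS = (b"\x7fELF", b"MZ", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")


class Hit(NamedTuple):
    path: str
    version: str   # e.g. "3.0.6" or "1.1.1q"
    status: str    # "affected" | "fixed" | "not_3.0"


def classify(major: int, minor: int, patch: int) -> str:
    """3.0.0 through 3.0.6 need the 3.0.7 patch; other lines are out of scope."""
    if (major, minor) == (3, 0):
        return "affected" if (major, minor, patch) < FIXED_3_0 else "fixed"
    return "not_3.0"


def versions_in(blob: bytes) -> set:
    """Every distinct (major, minor, patch, letter) version string in a blob."""
    found = set()
    for m in VERSION_RE.finditer(blob):
        major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
        found.add((major, minor, patch, m.group(4).decode()))
    return found


def hits_in(path: str, blob: bytes) -> list:
    """Classify each version string found in blob, attributed to path."""
    return [
        Hit(path, f"{major}.{minor}.{patch}{letter}", classify(major, minor, patch))
        for major, minor, patch, letter in sorted(versions_in(blob))
    ]


def scan_file(path: str, binaries_only: bool = True) -> list:
    """Read one regular file and report the OpenSSL versions embedded in it."""
    try:
        if os.path.getsize(path) > MAX_FILE_BYTES:
            return []
        with open(path, "rb") as fh:
            blob = fh.read()
    except OSError:                       # permission denied, vanished, etc.
        return []
    if binaries_only and not blob.startswith(BINARY_MAGICS):
        return []
    return hits_in(path, blob)


def scan_tree(root: str, binaries_only: bool = True) -> Iterator[Hit]:
    """Walk root (a real directory, not /proc or /sys) and yield every Hit."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            yield from scan_file(path, binaries_only)


# Constructed sample, not a real binary: an ELF magic followed by the kind of
# strings a vendor agent with a statically linked libcrypto and an older
# bundled helper library would contain.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 25
    + b"OpenSSL 3.0.6 11 Oct 2022\x00"
    + b"\x90" * 40
    + b"OpenSSL 1.1.1q  5 Jul 2022\x00"
)


def demo() -> list:
    """Run the classifier over the constructed blob (hypothetical path)."""
    return hits_in("/opt/vendorapp/bin/agent (constructed)", SAMPLE_BLOB)


if __name__ == "__main__":
    roots = sys.argv[1:] or ["/usr/lib", "/usr/local", "/opt"]
    for root in roots:
        for hit in scan_tree(root):
            print(f"{hit.status:8} {hit.version:8} {hit.path}")
```

Point it at vendor install directories (/opt, Program Files, appliance root filesystems mounted from a backup) rather than the package database. Two caveats: a statically linked copy can lose the string if the linker dropped the version object, so a miss means "not found", not "not present"; and it does not look inside compressed archives or container images, which have to be unpacked first.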
|
|
|
Is there a list of vendors like https://drata.com for infosec compliance type stuff? There is a clear benefit to having a single portal manage all infosec poo poo, but one needs competition and the ability to integrate bespoke stacks. Always fun when vendors don't list pricing. All these trying to show their heads with the OpenSSL 3.0.7 patch.
# ? Oct 26, 2022 17:00 |
|
Given the fact this will affect anyone using OpenSSL 3.x in their code or app, vendors should be able to state if they have affected products. Anyone seeing anything announced by a major vendor yet if they are or are not impacted?
|
# ? Oct 27, 2022 09:19 |
|
Don't know whether to be annoyed or simply impressed... One of our products has 3 built-in superadmin accounts to do stuff like validate migrations and reset regular admin accounts if they get locked/corrupted/whatever. We advise customers to use 3 unique passwords and give one each to 3 different people, so of course 99% of them enter the same thing 3 times and give it all to one guy. Was just on a call with a bank and they gave half of each password to 2 employees, which I suppose makes it pretty drat secure, but listening to them try and coordinate typing them all in over a laggy WebEx meeting was excruciating.
|
# ? Oct 29, 2022 17:16 |
|
drat. Vitali was a good follow for ransomware groups. https://twitter.com/0xc0ffee/status/1587419166155358208
|
# ? Nov 1, 2022 13:54 |
|
Just had an interview with a company for an entry level pentester role. I crushed the interview but now I’m worried that I’m woefully underqualified, and that if I accept the offer they will find out that I’m just good at talking confidently and I don’t actually know what the heck I’m doing outside of running scans, writing reports, and talking to C levels about risk. I was honest on my resume and my interview, but I’m worried that they’ll expect me to come in day one and start owning client systems day one or something. I’ve done lots of physical pen tests in the military, but this role is more web app focused to start. Any pentesters around who can talk me off (or over) the cliff?
|
# ? Nov 1, 2022 15:15 |
|
You run scans and write reports. Isn't that what most pentesters do?
|
# ? Nov 1, 2022 15:22 |
|
App13 posted: Just had an interview with a company for an entry level pentester role. I crushed the interview but now I'm worried that I'm woefully underqualified, and that if I accept the offer they will find out that I'm just good at talking confidently and I don't actually know what the heck I'm doing outside of running scans, writing reports, and talking to C levels about risk.

Will you be working with a group of red teamers or solo? This particular role is a NEVER-ending amount of learning about new technologies. There simply is no way to enter the field knowing everything there is to know. Even the OSCP just scratches the surface (it's a magical world where EDR doesn't exist). I am frequently asked to perform penetration testing on technology I have never worked on before. I am realistic with my clients and (diplomatically) indicate if R&D time is required to perform the objective if I am not already familiar with it; if you do the same you will remain honest, employed, and steadily improve over time. If you are working with senior, experienced people, tap their knowledge frequently. Most of us actually quite enjoy explaining how things work. You can DM me if you have specific questions.

Happiness Commando posted: You run scans and write reports. Isn't that what most pentesters do?

If that's the culture the pen testers at your work inspire, yes. It's better to sell the "red team" idea rather than penetration testing. People twist themselves in knots trying to separate the two, but red teaming is sometimes defined as being "objective" focused, i.e. planting a flag in a dev's source code, or a sensitive data store, etc. This approach brings to light ACTUAL major problems instead of automated reports with context-less numbers that get forwarded to an IT team (who will hate you if you take this approach).
# ? Nov 1, 2022 15:25 |
|
Re: scans and reports: That's what I thought, but then I stupidly went on /r/cybersecurity and saw a bunch of posts about how pentesting is all about novel solutions and coding your own exploits and poo poo, and while I'm sure I'll get there eventually I'm by no means there yet.
|
# ? Nov 1, 2022 15:26 |
|
Most of the cool stuff you read about is cutting edge and people just pretend to know what they're doing or how to implement it. 90% of the work will most likely be your basic red team work. I just accepted an offer for another security engineer position that's a 20% pay raise and am having the same fears as you are. But I've finally internalized that no one knows what the hell they're doing and either learns along the way or gets good at pretending. Basically everyone including myself is full of poo poo.
|
# ? Nov 1, 2022 15:59 |
|
App13 posted: Re: scans and reports: [...]

I've worked at places where pen testers got root to the domain using years-old exploits, did nothing to fix them, then the pen testers got root to the domain the next year. I think you'll be fine. Good luck and congrats on crushing the interview.
|
# ? Nov 1, 2022 16:23 |
|
Internet Explorer posted: I've worked at places where pen testers got root to the domain using years-old exploits, did nothing to fix them, then the pen testers got root to the domain the next year. I think you'll be fine. Good luck and congrats on crushing the interview.

I really need to get over my insecurities and lie my way into an infosec role.
|
# ? Nov 1, 2022 17:40 |
|
RFC2324 posted: I really need to get over my insecurities and lie my way into an infosec role

I've seen your posts in this thread and the other security thread and I doubt you would need to lie at all. Vacancies are everywhere for multiple roles and aren't going away. If any of you are reading this and want to switch, trust me, you can. Complete do-nothings with 0 technical ability litter this field and I would love to see the technical to non-technical ratio lowered.

For people interested in red teaming, this introduction video series by Mudge is fantastic. There are a lot of specific things about Cobalt Strike, but the concepts actually apply to any C2 and are universal. At my old job we had a red team of about 4 people and developed our own C2, and this stuff was still relevant. (Warning, he talks really slow, you might wanna 1.5x the speed of the videos.) https://www.youtube.com/watch?v=q7VQeK533zI

Also, if anyone here has decent close-to-the-metal programming language skills, writing your own malware loader can be really awesome and educational. Here's some methodology that I used in my own work to create malware that walks right past Crowdstrike Falcon (and likely a lot more): https://vanmieghem.io/blueprint-for-evading-edr-in-2022/ FOR EDUCATIONAL PURPOSES ONLY. I'm not responsible for anyone's evil here.
|
# ? Nov 1, 2022 18:05 |
|
RFC2324 posted: I really need to get over my insecurities and lie my way into an infosec role

Dude, I'm not even graduated and previously worked non-IT customer support, and I nabbed a GRC role. I am sure someone in IT can make the leap to a technical job way easier than I did to a non-technical one. efb!
|
# ? Nov 1, 2022 18:09 |
|
I know there's a lot more attention to impostor syndrome, and I think that's great. I also like the framing of "adults in the room." That's us. We're the adults in the room. Whether that's in your career, your personal life, your activism... It's good to keep an open mind and not discount what others are bringing to the table. But also, what you're bringing to the table is just as valid. Don't let others make decisions on your behalf just because you think they're the adult in the room. You're the adult in the room as well.

FungiCap posted: I've seen your posts in this thread and the other security thread and I doubt you would need to lie at all. Vacancies are everywhere for multiple roles and aren't going away. If any of you are reading this and want to switch, trust me, you can.

Well said.
|
# ? Nov 1, 2022 18:14 |
|
this latest OpenSSL vuln rules
|
# ? Nov 1, 2022 18:17 |
|
CLAM DOWN posted: this latest OpenSSL vuln rules

I love the scrambling. One org is trying to be cheap and skip vuln scanning and is instead trying to rely on their IaC code to determine what is vuln. I love it.
|
# ? Nov 1, 2022 18:19 |
|
Yeah, server side I'm not seeing too much of an issue for us, given that there's a pretty narrow set of constraints to trigger. That's in addition to being limited to v3, which I don't think has been deployed on any prod systems at this time:
code:

E: I mean obviously, we're going to mitigate where applicable. But this strikes me as more of a "walk, don't run" kind of situation for us at least.
# ? Nov 1, 2022 18:38 |
|
It definitely doesn't seem as bad as Heartbleed / Log4j at first glance.
|
# ? Nov 1, 2022 18:43 |
|
I'm glad I called in today. I can just patch my home network and call it done
|
# ? Nov 1, 2022 19:00 |
|
Will an openssl server verify a client certificate when offered but not requested or required? If I start blasting my cert around on every request am I forcing validation on the servers?
|
# ? Nov 1, 2022 19:08 |
|
https://github.com/NCSC-NL/OpenSSL-2022/blob/main/software/README.md an incomplete but still good list for finding affected products
|
# ? Nov 1, 2022 20:48 |
|
Tryzzub posted: https://github.com/NCSC-NL/OpenSSL-2022/blob/main/software/README.md

Is it that useful? Cisco is "all" which is borderline meaningless.
|
# ? Nov 1, 2022 21:55 |
|
Rust Martialis posted: Is it that useful? Cisco is "all" which is borderline meaningless.

It says "under investigation" because it's a WIP.
|
# ? Nov 1, 2022 22:39 |
|
To NCSC's credit, they also provide a link to the respective company security advisory. Cisco have included some products in their advisory which are known unaffected.
|
# ? Nov 1, 2022 22:56 |
|
Proteus Jones posted: I'm kind of curious as to what constitutes a "malicious" email, but I can understand why no details at this time.

Have you SEEN the email address RFC? You can have comments in your email address. poo poo is wild.
|
# ? Nov 2, 2022 00:07 |
|
Volmarias posted: Have you SEEN the email address RFC? You can have comments in your email address. poo poo is wild.

Did no one ever comment on that?
|
# ? Nov 2, 2022 00:12 |
|
RFC2324 posted: Did no one ever comment on that?

They specifically requested it!
|
# ? Nov 2, 2022 00:38 |
|
Tryzzub posted: to NCSC's credit they also provide a link to the respective company security advisory

The list is nice, but definitely use it more as a collection of links to the vendor advisories.

Volmarias posted: Have you SEEN the email address RFC? You can have comments in your email address. poo poo is wild.

Of course, I should have known it's some crazy poo poo like that. No one except 0.001% of people ever use this, but let's stuff it into the SHALL statements just to shut them up.
|
# ? Nov 2, 2022 00:50 |
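To make the comments point in the exchange above concrete: RFC 5322 allows parenthesised comments, which may nest and carry backslash escapes, anywhere folding whitespace is allowed, so `john(doe)@example.com`, `john (doe) @ example.com` and `john@example.com` all name the same mailbox, while `"john(doe)"@example.com` is a different one because the parentheses sit inside a quoted string. Two components that disagree on this (one strips the comment, the other treats it as part of the local part) will disagree on who an address belongs to. The canonicalizer below is an added example written for this page, not code from any poster; the sample addresses and function names are constructed.

```python
"""Canonicalize RFC 5322 addr-specs so comment-bearing forms compare equal.

Added example for the thread; not a poster's code.  Strips comments
(nestable, with quoted-pair escapes) and folding whitespace outside of
quoted strings, leaves quoted-string local parts untouched, and lowercases
the domain (case-insensitive per RFC 5321).  Local parts are case-sensitive
per spec, so they are left alone.
"""
from typing import Tuple

FWS = " \t\r\n"   # folding whitespace characters allowed around comments


def strip_cfws(addr: str) -> str:
    """Remove comments and folding whitespace that sit outside quoted strings.

    Comments nest: ``a(b(c))@x`` is one comment.  A backslash escapes the next
    character inside both comments and quoted strings, so ``(\\))`` is a
    comment containing a literal ')'.
    """
    out = []
    depth = 0          # current comment nesting depth
    in_quote = False   # inside a quoted-string local part
    i = 0
    while i < len(addr):
        c = addr[i]
        if depth:                          # inside a comment: drop everything
            if c == "\\":
                i += 2                     # quoted-pair, skip the escaped char
                continue
            if c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
            i += 1
            continue
        if in_quote:                       # inside "...": keep verbatim
            if c == "\\" and i + 1 < len(addr):
                out.append(addr[i:i + 2])
                i += 2
                continue
            if c == '"':
                in_quote = False
            out.append(c)
            i += 1
            continue
        if c == '"':
            in_quote = True
            out.append(c)
        elif c == "(":
            depth = 1
        elif c not in FWS:
            out.append(c)
        i += 1
    if depth or in_quote:
        raise ValueError(f"unterminated comment or quoted string in {addr!r}")
    return "".join(out)


def split_addr_spec(addr: str) -> Tuple[str, str]:
    """Split a comment-free addr-spec at the last '@'.

    The last '@' is the separator because a quoted local part may itself
    contain '@' ("a@b"@example.com).  Domain literals ([...]) get no special
    handling here.
    """
    at = addr.rfind("@")
    if at <= 0 or at == len(addr) - 1:
        raise ValueError(f"not an addr-spec: {addr!r}")
    return addr[:at], addr[at + 1:]


def canonical(addr: str) -> str:
    """Comment-free, whitespace-free form with a lowercased domain."""
    local, domain = split_addr_spec(strip_cfws(addr))
    return f"{local}@{domain.lower()}"


def same_mailbox(a: str, b: str) -> bool:
    return canonical(a) == canonical(b)


# Constructed inputs: four spellings of one mailbox and one that only looks
# similar (the parentheses are inside a quoted string, so they are data).
SAMPLES = [
    "john@example.com",
    "john(doe)@example.com",
    "john (outer (nested) ) @ Example.COM",
    r"john(\)still a comment)@example.com",
    '"john(doe)"@example.com',
]


def demo() -> dict:
    """Map each sample to its canonical form."""
    return {s: canonical(s) for s in SAMPLES}


if __name__ == "__main__":
    for raw, canon in demo().items():
        print(f"{raw!r:45} -> {canon}")
```

The security use is the comparison, not the parsing: run both ends of an allow-list check (the validator and the component that actually acts on the address) through the same canonical form, and fail closed on the ValueError rather than silently accepting an unterminated comment.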
|
Rust Martialis posted: Given the fact this will affect anyone using OpenSSL 3.x in their code or app, vendors should be able to state if they have affected products.

RHEL 9 ( https://access.redhat.com/errata/RHSA-2022:7288 ) and Fedora 36, 37, and Rawhide are affected. RHEL is updated and I believe Fedora is as well (they had to wait to implement the fix due to embargo).

quote: Note, as all Fedora work is public, Fedora could not prepare updates
|
# ? Nov 2, 2022 17:00 |
|
Does anyone itt have an informed opinion on the usefulness of Microsoft Defender on Android? It comes with O365 and has been available for a few months.
|
# ? Nov 5, 2022 16:28 |
|
Ynglaur posted: Does anyone itt have an informed opinion on the usefulness of Microsoft Defender on Android? It comes with O365 and has been available for a few months.

Defender's been a decent product elsewhere. I haven't seen any results from the Android one yet, but they do seem to know what they are doing.
|
# ? Nov 5, 2022 23:38 |
|
Ynglaur posted: Does anyone itt have an informed opinion on the usefulness of Microsoft Defender on Android? It comes with O365 and has been available for a few months.

Hit and miss. Blocks some stuff, doesn't recognise some malware. The group policy options aren't great.
|
# ? Nov 6, 2022 03:43 |
|
Crime on a Dime posted: Hit and miss. Blocks some stuff, doesn't recognise some malware. The group policy options aren't great.

Breaks a specific instrument control app a few hours after every time Windows Defender AV updates virus definitions. I didn't believe it until the second time it happened. But here we are.
|
# ? Nov 6, 2022 10:15 |
|
Ynglaur posted: Does anyone itt have an informed opinion on the usefulness of Microsoft Defender on Android? It comes with O365 and has been available for a few months.

It's a decent way to enforce web blocklists; other than that it's pretty useless. It's a way to checkbox "we have an antivirus on our phones", nothing else.
|
# ? Nov 6, 2022 11:37 |
|
SlowBloke posted: It's a decent way to enforce web blocklists, other than that it's pretty useless. It's a way to checkbox "we have a antivirus on our phones", nothing else.

What do you do about that checkbox on iOS?
|
# ? Nov 6, 2022 11:50 |
|
I'd try and make a point about how MDM reports the device to be compliant and not jailbroken (if you can even do that now), maybe you've disabled Safari and push everything through a managed browser, limit the apps on the device etc.
|
# ? Nov 6, 2022 13:19 |
|
Arivia posted: What do you do about that checkbox on iOS?

Defender ATP for iOS, same feature set as ATP for Android.
|
# ? Nov 6, 2022 14:03 |
|
The ancient door locks in my apartment building are set to be replaced with a "cloud-based, intelligent system". It seems that after I stepped down as a board member, there is not one goddamn person with any sort of technical understanding left. loving glad I'm moving out in a year or so.

E: Of course it's putting control of our door locks in the hands of AWS, amazing!
# ? Nov 7, 2022 15:32 |
|
|
|
“Lookout work” on iOS for the super locked down bank issued phone I have
|
# ? Nov 7, 2022 15:57 |