mllaneza
Apr 28, 2007

Veteran, Bermuda Triangle Expeditionary Force, 1993-1952




Shumagorath posted:

I can’t believe how much the DoJ has weakened since the 90’s / 00’s such that Alphabet isn’t getting busted up for controlling the #1 browser, ad business, search, and video site. It’s just so utterly poisonous; all four of those products are demonstrably worse for it, and the synergy between two of them is actively pushing society off a cliff only slightly less energetically than Facebook.

It doesn't get a lot of attention, but Google has an active antitrust suit against them.

https://www.justice.gov/opa/pr/justice-department-sues-google-monopolizing-digital-advertising-technologies


App13
Dec 31, 2011

I’d be interested in some hot takes on working for defense contractors, ethics wise.

I’m former Navy and sort of a hippie so I’ve always dismissed the work off hand, but I’ll be damned if an incredibly enticing offer came in to be an ISSO for one that’s got me trying to do the mental gymnastics to justify it. It’s getting increasingly more difficult to ignore the defense sector as I get further into my infosec career.

Achmed Jones
Oct 16, 2004



it's not actually hard to avoid the defense sector. it's super easy. if you take this job, it's because you want to, not because it's unavoidable. i don't really understand what that sector could offer in terms of defensive security. mediocre pay, time cards, etc. for offensive security, they do awesome poo poo but then you have the whole "did the exploit i developed kill someone" as a live and material question, which is why i did not accept an offer from raytheon. i don't really know why somebody would do defensive security work for defense contractors if they didn't also have a positive desire to be military-adjacent. of course it also makes sense as an "i need a job" sort of thing, but this ain't that.

Thanks Ants
May 21, 2004

#essereFerrari


There's a world of difference between no company being truly moral and working for a company that develops products specifically designed to be dropped on people attending a wedding.

App13
Dec 31, 2011

I should specify that I’m in GRC, so in terms of that stuff the defense industry makes up 80-90% of job listings I see in my area. In GRC land the “cutting edge” is anything gov-adjacent, it seems.

I’m gainfully employed as a GRC goon for the pharmaceutical industry right now so I guess I don’t really have an ethics foot to stand on.

Thanks Ants posted:

There's a world of difference between no company being truly moral and working for a company that develops products specifically designed to be dropped on people attending a wedding.

Yeah that’s a very very very good point. gently caress em (the defense industry, not the wedding goers).

Otis Reddit
Nov 14, 2006
it's possible to avoid blood money in our industry. you might just look harder, earn less, and have less bennies.

App13
Dec 31, 2011

Yeah gently caress it. Not about that life.

Thank you all for bringing me back from the brink. That was a close one.

Kesper North
Nov 3, 2011

EMERGENCY POWER TO PARTY

App13 posted:

I’d be interested in some hot takes on working for defense contractors, ethics wise.

I’m former Navy and sort of a hippie so I’ve always dismissed the work off hand, but I’ll be damned if an incredibly enticing offer came in to be an ISSO for one that’s got me trying to do the mental gymnastics to justify it. It’s getting increasingly more difficult to ignore the defense sector as I get further into my infosec career.

If you're looking, you might consider my firm. Come help me secure local government and critical infrastructure (hospitals, power plants, water systems, etc), we're hiring for one GRC and one DFIR role. "Former navy, sort of a hippie" is our cultural jam, as long as you don't mind punk rock; work/life balance is pretty good, and the work is honest, meaningful, impactful stuff. The work is fully remote. Clearances are nice but in no way required. Drop me a PM if you're interested.

Same goes for anyone else looking in those areas.

Shumagorath
Jun 6, 2001
I just got a LastPass breach incident update to the security notice e-mail of the account I closed a week ago. gg guys

Keito
Jul 21, 2005

WHAT DO I CHOOSE ?

Shumagorath posted:

I just got a LastPass breach incident update to the security notice e-mail of the account I closed a week ago. gg guys

Well if you closed the account a week ago you would still have been affected by the breach which happened much earlier, no?

SlapActionJackson
Jul 27, 2006

I did it fellas - migrated almost 300 passwords off of Lastpass into Bitwarden. Changed about 200 of them, decided the rest was cruft I didn't care about and will leave my accounts at bobspurpletoasters.com and the like to fate.

Goddamn that is an enormous pain in the rear end and I hope I never have to do it again. So many sites are just dumb or hostile about security.

Lots of places with maximum password lengths
Lots of places with short max lengths. 24, 20, 16, 12 are still common out there, and it is completely goddamn pointless.
Almost everybody enforcing the wrong kind of password complexity requirements
Almost nobody has a "delete account" option - this would really be helpful for cleaning up that cruft
"Change my password" is often well hidden
Some site designs don't offer it at all, and I had to use forgot-my-password flows to effect a change

Bitwarden is better than LastPass at completing form fills, but not as good at recognizing change-of-password events.

All in all, a land of contrasts, 2/10, do not recommend, breaches suck rear end.

Shumagorath
Jun 6, 2001
I never like leaving accounts to rot. Taking out the digital trash is satisfying and my password migration was a great opportunity to have my various e-mail aliases in that many fewer places.

I definitely agree with you that LastPass was the king of recognizing password creation and changes, but wow if they weren’t terrible at the rest. Just shutter the vault business and get into malicious javascript (but I repeat myself….)

Come to think of it I kinda wish I’d gone full Proton and aliased everything instead of having however many buckets my current provider allows.

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?
Do that and you'll learn how many sites think the + character isn't allowed in email addresses. :shepface:

Euphoriaphone
Aug 10, 2006

I migrated my passwords to Dashlane recently and one thing about the Dashlane iOS mobile app that’s miles ahead of LastPass is it will recognize when you’re autofilling on a site that isn’t associated with your password and ask if you want to link it.

I originally began using LastPass from a Keepass migration. I didn’t have any URLs linked to my Keepass logins, so it’s great to have Dashlane prompt me to clean up those missing details.

Work has migrated us from LastPass to 1password, so I’m experiencing using both services. 1password has a cleaner look and its OTP integration is great for shared work accounts (definitely less safe for security but gently caress it, it’s not my data anyway). However, I’m really hating the desktop app integration with the browser extension.

AlternateAccount
Apr 25, 2005
FYGM
Thanks, Microsoft. You fuckin' turds.

Sickening
Jul 16, 2007

Black summer was the best summer.

AlternateAccount posted:

Thanks, Microsoft. You fuckin' turds.

What now?

cr0y
Mar 24, 2005




9.8 CVE for Outlook

Wizard of the Deep
Sep 25, 2005

Another productive workday
I thought you were talking about CVE-2023-23415, which is a Remote Code Execution vulnerability in Microsoft's Ping, but yea, the Outlook one isn't great either.

Sickening
Jul 16, 2007

Black summer was the best summer.

Wizard of the Deep posted:

I thought you were talking about CVE-2023-23415, which is a Remote Code Execution vulnerability in Microsoft's Ping, but yea, the Outlook one isn't great either.

The Outlook one is horrible.

https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-outlook-zero-day-used-by-russian-hackers-since-april-2022/

If you have Exchange Online, I would run that script asap.

AlternateAccount
Apr 25, 2005
FYGM

Sickening posted:

If you have Exchange Online, I would run that script asap.

Start now. It's not fast.

Sickening
Jul 16, 2007

Black summer was the best summer.

AlternateAccount posted:

Start now. It's not fast.

You are using a shared compute space that a lot of orgs are all now using all at once.

FungiCap
Jul 23, 2007

Let's all just calm down and put on our thinking caps.
Well, I suppose we were due.

Obviously if you allow 445 outbound to the internet, fix that. But in this case, since the path to the attacker server is attacker-defined, it's leverageable if they have a foothold elsewhere on your network to send the NTLM hash to while triggering it externally via e-mail.

Pretty neat, would use in an assessment, 10/10.

FungiCap fucked around with this message at 17:43 on Mar 15, 2023

Thanks Ants
May 21, 2004

#essereFerrari


:sludgepal:

Sickening
Jul 16, 2007

Black summer was the best summer.

FungiCap posted:

Well, I suppose we were due.

Obviously if you allow 445 outbound to the internet, fix that. But in this case, since the path to the attacker server is attacker-defined, it's leverageable if they have a foothold elsewhere on your network to send the NTLM hash to while triggering it externally via e-mail.

Pretty neat, would use in an assessment, 10/10.

A lot of people are working from home these days. And this all hinges on whether Windows Firewall allows this by default, which I am pretty sure it does.

cr0y
Mar 24, 2005



Do we have a cool name for this one yet, I propose "Look out!"

i am a moron
Nov 12, 2020

"I think if there’s one thing we can all agree on it’s that Penn State and Michigan both suck and are garbage and it’s hilarious Michigan fans are freaking out thinking this is their natty window when they can’t even beat a B12 team in the playoffs lmao"
:thunk: isn’t NTLM old and busted and known to be vulnerable, or was it some other dumb MS authentication I was disabling when I used to do Windows OS work?

cr0y
Mar 24, 2005



i am a moron posted:

:thunk: isn’t NTLM old and busted and known to be vulnerable, or was it some other dumb MS authentication I was disabling when I used to do Windows OS work?

You're going to have to be more specific with "some other dumb Microsoft authentication", but yes, NTLM is deprecated.

It's reported that this has been around for a year, mostly targeting European industrial control and military.

FungiCap
Jul 23, 2007

Let's all just calm down and put on our thinking caps.
POC exists, it's simple to execute. Patch now, it will definitely be exploited.

https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/

NTLM authentication is horrible and outdated but still exists everywhere because Microsoft values backwards compatibility over security.

Proud Christian Mom
Dec 20, 2006
READING COMPREHENSION IS HARD
okay thats insanely cool

cr0y
Mar 24, 2005



Proud Christian Mom posted:

okay thats insanely cool

Reminds me of doing {s /con/con in AOL

Shumagorath
Jun 6, 2001
Fuzzy recollection here, but can't anyone on the domain dump out NTLM hashes or does it require local / domain admin?

I found this but it's a bit dated: https://0xdedinfosec.github.io/pages/windows-decryption/

... and then the main weakness being that you can hashcat your way through NTLM with a toaster?

FungiCap
Jul 23, 2007

Let's all just calm down and put on our thinking caps.

Shumagorath posted:

Fuzzy recollection here, but can't anyone on the domain dump out NTLM hashes or does it require local / domain admin?

I found this but it's a bit dated: https://0xdedinfosec.github.io/pages/windows-decryption/

... and then the main weakness being that you can hashcat your way through NTLM with a toaster?

Generally, you need to be admin/SYSTEM to pull the hashes from a Windows computer, but that's just the local hashes. What most hackers want to do is obtain NTLM hashes of other users in the network that may have access to their end goal (whatever it may be, a domain admin account for example).

There have been many ways to do this in the past, like with a tool called Responder, that can be mitigated. NTLM hashes are a weak algo and you can achieve very high hash rates for cracking, but beyond that, even if you don't crack them they are usable via pass-the-hash.

This is a new way to pull NTLM hashes, and can be triggered remotely (and SPECIFICALLY for the user you want to steal from) which is what makes it unique and interesting.

Edit: Sorry to answer your question directly, no a normal domain user can't just pull NTLM hashes of other users in the domain with regular permissions without some type of exploitation (unless it's cached locally and they have local admin).

FungiCap fucked around with this message at 18:32 on Mar 15, 2023

spankmeister
Jun 15, 2008






Enticing SMB authentications does not give you plain NTLM hashes. It's a challenge-response thing. Having the hash is as good as the password, but an NTLMv2-SSP often needs to be cracked before it is useful. Yes you can relay NTLM in some cases but usually not from the outside.

cr0y
Mar 24, 2005



spankmeister posted:

Enticing SMB authentications does not give you plain NTLM hashes. It's a challenge-response thing. Having the hash is as good as the password, but an NTLMv2-SSP often needs to be cracked before it is useful. Yes you can relay NTLM in some cases but usually not from the outside.

This makes me wonder if this was just one link in the chain and the attacker already had something else compromised that could be used to pivot.

FungiCap
Jul 23, 2007

Let's all just calm down and put on our thinking caps.

cr0y posted:

This makes me wonder if this was just one link in the chain and the attacker already had something else compromised that could be used to pivot.

100% a golden pivot opportunity. Falcon Crowdstrike engineer stating they aren't sure it will be detected if used right now : ).

cr0y
Mar 24, 2005



FungiCap posted:

100% a golden pivot opportunity. Falcon Crowdstrike engineer stating they aren't sure it will be detected if used right now : ).

Furthermore if something else was already compromised that could host SMB to receive the malicious call from the mail client. In big environments I wouldn't think that outbound SMB to the public internet would be open but you know...

Yea, pretty nasty all around.

AlternateAccount
Apr 25, 2005
FYGM
Considering deploying a firewall policy to block all 445 outbound traffic from company machines to non-private IP space. Like... just in general, seems like common sense.

Sickening
Jul 16, 2007

Black summer was the best summer.

AlternateAccount posted:

Considering deploying a firewall policy to block all 445 outbound traffic from company machines to non-private IP space. Like... just in general, seems like common sense.

It's something that is easy to say but not easy to actually do. Workstation firewall management can be a lot of loving pain in the rear end poo poo to configure and support. I would say a lot of companies end up with results of being too restrictive and creating too many support tickets, or not being restrictive enough and getting into these situations.

spankmeister
Jun 15, 2008






That's why you should block outbound 445 at the perimeter, not on individual machines.

Business need for your dudebro marketing software rawdogging SMB over the internet? Tough luck, get a VPN.


Internet Explorer
Jun 1, 2005





How does blocking at the perimeter work when 90% of your userbase is at home? Some ISPs do, but that's obviously not something you want to rely on. InfoSec isn't my area of speciality, but to me, relying on the perimeter seems old and dated.
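The policy argued over in the last few posts (block outbound 445 unless the destination is private address space) can be expressed as a small check and run over egress logs to find hosts where it is missing, which also covers the work-from-home case since the check is per host rather than per perimeter. This is an added example, not code from the thread or from any firewall vendor; the log line format is constructed, the internal ranges are an assumption (RFC 1918 plus loopback, link-local and CGNAT), and 203.0.113.0/24 is a documentation range standing in for "the internet".

```python
import ipaddress
import re
from typing import Dict, List

# Assumed definition of "private IP space" for this policy.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]
SMB_PORTS = {445}

# Constructed log format (not any vendor's): "<ts> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def should_block(dst_ip: str, dst_port: int, proto: str = "TCP") -> bool:
    """The policy from the thread: drop outbound SMB unless the destination is internal."""
    return proto.upper() == "TCP" and dst_port in SMB_PORTS and not is_internal(dst_ip)


def find_outbound_smb(lines: List[str]) -> List[Dict[str, str]]:
    """Flag lines where SMB to non-internal space was ALLOWED, i.e. hosts on which
    the policy is absent or not enforced. Unparseable lines are skipped, not fatal."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        if rec["action"].upper() == "ALLOW" and should_block(rec["dst"], int(rec["dport"]), rec["proto"]):
            hits.append(rec)
    return hits


SAMPLE_LOG = [  # constructed sample lines
    "2023-03-15T17:43:01Z ALLOW TCP 10.1.2.3:51234 -> 10.1.2.50:445",        # internal file server, fine
    "2023-03-15T17:43:05Z ALLOW TCP 10.1.2.3:51235 -> 203.0.113.7:445",      # outbound SMB to the internet
    "2023-03-15T17:43:09Z BLOCK TCP 192.168.1.20:49152 -> 203.0.113.7:445",  # policy did its job here
    "2023-03-15T17:43:12Z ALLOW TCP 192.168.1.20:49153 -> 203.0.113.9:443",  # ordinary HTTPS
    "2023-03-15T17:43:15Z ALLOW UDP 10.1.2.3:51236 -> 203.0.113.9:445",      # not SMB over TCP
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for h in find_outbound_smb(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} allowed outbound SMB")
```

Run against real host-firewall or egress logs, the only hit in the sample is the 10.1.2.3 line, which is the host you would go and fix; the BLOCK line is the policy working as intended. The same `should_block` predicate is what the host rule itself encodes, so the two stay in agreement wherever the machine happens to be connected.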
