 
Blurb3947
Sep 30, 2022
You're only able to use that system for anything 7000-series and newer, and only on mobile CPUs. Not really sure why they'd make it so loving confusing and go half way with it.


some kinda jackal
Feb 25, 2003

 
 
Now that I'm WFH my iPhone with MS Authenticator basically never leaves my nightstand during the day, so I was wondering if there's a non-disaster way to share the same TOTP codes across two trusted iOS devices? Short of physically scanning the same QR code on two different devices to store individually. I'm not married to MS Authenticator, that's just what I've been using for forever and have no real good reason to stick with it.

There's inherent risk in storing the authentication material in a shared database but there's also an inherent risk in me leaving SMS MFA enabled on services because I'm too "in the middle of something" and don't want to go to the bedroom to grab the phone off the charger for ten seconds.

This is one of those questions where I have to assume the answer is either "yeah you clod, suchandsuch app has been doing this securely for five years and everyone but you knows about this" or "no you clod, how are you even employed in an information security capacity" and I'll be embarrassed either way so I might as well ask.

Achmed Jones
Oct 16, 2004



authy can support multiple devices, though it depends on how you/your org feel about cloud services. scanning the code or otherwise importing the key to a wholly offline app is also fine, assuming you don't import it anywhere stupid

ShoeFly
Dec 28, 2006

Waiter, there's a fly in my shoe!

Bitwarden also supports TOTP and syncs across devices, obviously depends on your comfort levels with storing passwords and 2FA in the same app.

some kinda jackal
Feb 25, 2003

 
 
Thanks gang.

For the time being I'm trying to keep my MFA and passwords separate, otherwise Apple is working on making authenticator codes available in iCloud Keychain which has been a mixed experience in the limited tokens I've chosen to test out (seems to be available on my Mac but my iPad doesn't offer to prompt on the same site for reasons I can't understand). I'll give Authy a shot.

Thanks Ants
May 21, 2004

#essereFerrari


If your risk model is people snagging the OTP seeds out of an online database then you can do a lot worse than printing the QR codes out and shoving them in a binder.

The answer is probably to have as much stuff linked to single sign-on as possible, with some sort of adaptive element based on the device you're accessing from so that other than for critical applications you don't see the prompt if you're using a managed laptop that you've authenticated to with biometrics. If you aren't the person responsible for your identity platform then you're back juggling separate accounts and OTP codes.

Thanks Ants fucked around with this message at 00:47 on Jul 27, 2023

Takes No Damage
Nov 20, 2004

The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents. We live on a placid island of ignorance in the midst of black seas of infinity, and it was not meant that we should voyage far.


Grimey Drawer

ShoeFly posted:

Bitwarden also supports TOTP and syncs across devices, obviously depends on your comfort levels with storing passwords and 2FA in the same app.

Though note that functionality is behind their paywall. Believe the situation is the same for 1Password:
https://support.1password.com/one-time-passwords/

cr0y
Mar 24, 2005



Nm

just a kazoo
Mar 7, 2018
anyone know anything more about clop compromising deloitte and other big 4 firms?

ShoeFly
Dec 28, 2006

Waiter, there's a fly in my shoe!

Takes No Damage posted:

Though note that functionality is behind their paywall. Believe the situation is the same for 1Password:
https://support.1password.com/one-time-passwords/

Ah of course, I self-host so didn’t notice

Famethrowa
Oct 5, 2012

just a kazoo posted:

anyone know anything more about clop compromising deloitte and other big 4 firms?

deloitte is denying impact but they got listed, pwc confirmed "limited" client data leakage, EY claims they were affected but that most systems weren't and are investigating, nothing from kpmg

Potato Salad
Oct 23, 2014

nobody cares


just a kazoo posted:

anyone know anything more about clop compromising deloitte and other big 4 firms?

for what it's worth two of four have sent email to defense industrial base contacts thus far

BaseballPCHiker
Jan 16, 2006

https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/

I really don't feel like chasing this poo poo down today.

I'm sure almost no one in my org has set up VPC endpoints properly as it is.

App13
Dec 31, 2011

Anyone going to DEFCON this year want to meet for dinner/know of any good after parties?

DkHelmet
Jul 10, 2001

I pity the foal...


App13 posted:

Anyone going to DEFCON this year want to meet for dinner/know of any good after parties?

I'll be there. I'll be getting in on Wednesday and doing some dinners throughout the week, shoot me a PM. As for parties, I'm terribly lame and haven't been, although there's a link and a google calendar.

Mustache Ride
Sep 11, 2001



Lol got stopped at the new turbine looking scanners at TSA for "excessive electronic density".

Thanks Ants
May 21, 2004

#essereFerrari


SlowBloke
Aug 14, 2017

Mustache Ride posted:

Lol got stopped at the new turbine looking scanners at TSA for "excessive electronic density".

Did you reply with an "I never asked for this"?

Defenestrategy
Oct 24, 2010

For various reasons we're needing to jettison sharepoint for a site to host documents and need to deal with various fedramp and nist compliance stuff so anyone got suggestions for good stuff to take a look at?

Os Furoris
Aug 19, 2002

Bitwarden, Keepass, or 1password? I use a PC, Mac and iPhone.

post hole digger
Mar 21, 2011

Os Furoris posted:

Bitwarden, Keepass, or 1password? I use a PC, Mac and iPhone.

1password is great ime

CLAM DOWN
Feb 13, 2007




1password is the best imo

Hed
Mar 31, 2004

Fun Shoe

Os Furoris posted:

Bitwarden, Keepass, or 1password? I use a PC, Mac and iPhone.

Thirded. It even got the "this makes my life easier" vote of confidence from the wife, which is the opposite of all the other horrible tech poo poo I subject the family to. If you need the family or team features, it's killer. I used it for years as an individual and it's been great.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


1Password suits my needs

stoopidmunkey
May 21, 2005

yep
My company is in the process of getting FedRAMP certified. They chose Qualys for web app scanning and after having the product since May, we just got our first successful scan (their SaaS servers kept running out of memory). Anyway, I opened the scan results and they're loving useless. To get any value you have to download the scan report as PDF to view the actual output from the scans. How do people manage with useless tools like this apart from just buying Tenable or Rapid7 next budget cycle?

Mustache Ride
Sep 11, 2001



Speaking of, massive rif at rapid7 today.

Sirotan
Oct 17, 2006

Sirotan is a seal.


Mustache Ride posted:

Speaking of, massive rif at rapid7 today.

Awesome. We're currently in the middle of a big POC with them that already has not been going well. Wonder if we lost anybody to this.

Blinkz0rz
May 27, 2001

MY CONTEMPT FOR MY OWN EMPLOYEES IS ONLY MATCHED BY MY LOVE FOR TOM BRADY'S SWEATY MAGA BALLS

Mustache Ride posted:

Speaking of, massive rif at rapid7 today.

It’s been a rough 24 hours to say the least. Lots of really talented people lost their jobs and everyone else is just on edge. Luckily most of the folks I know who were laid off have good networks and probably won’t be unemployed for long but the whole thing is just super lovely.

chin up everything sucks
Jan 29, 2012

stoopidmunkey posted:

My company is in the process of getting FedRAMP certified. They chose Qualys for web app scanning and after having the product since May, we just got our first successful scan (their SaaS servers kept running out of memory). Anyway, I opened the scan results and they're loving useless. To get any value you have to download the scan report as PDF to view the actual output from the scans. How do people manage with useless tools like this apart from just buying Tenable or Rapid7 next budget cycle?

Fun fact, with Qualys if you submit a false positive report, you lose access to the information and explanation you submitted. So if that issue is going to be recurring every time you run a scan, you need to collect that evidence and re-write the explanation again whenever the granted exception expires, which is usually every 6 months.

Armauk
Jun 23, 2021


Os Furoris posted:

Bitwarden, Keepass, or 1password? I use a PC, Mac and iPhone.

Bitwarden. You can also host your own instance or pay for cloud storage, which is significantly cheaper than 1Password.

post hole digger
Mar 21, 2011

anyone here have any experience with wazuh particularly in a kubernetes/eks environment? we are looking for a replacement for threatstack for one of our orgs, which is getting sunset by F5 in october, and it seems like it could be needs suiting.

Achmed Jones
Oct 16, 2004



i ran wazuh's hids stuff but that was 5+ years ago. never messed with their siem platform (idk if it even existed then tbh)

MustardFacial
Jun 20, 2011
George Russel's
Official Something Awful Account
Lifelong Tory Voter
I applied for a Cybersec Analyst position and got it (been a sysadmin for years and always security-first, but never actually done an infosec job). I was hyped for it from the beginning but then when my future manager called me to tell me that I got it and what to expect he mentioned that I'd be enrolled in a couple SANS courses, some SIEM training, I'd have to get my CISSP at some point, what my colleagues specialize in and mentioned that one of them has a SANS Challenge Coin.

Since then imposter syndrome has hit hard and now I'm wondering if I am even capable of doing this to their level. I'm 2 years younger than the manager and at least 5 years older than everyone else on my team. I haven't even started and I'm already feeling behind and unable to catch up. There is so much stuff I don't know how to do, and even more that I only have a general understanding of.

Sickening
Jul 16, 2007

Black summer was the best summer.

MustardFacial posted:

I applied for a Cybersec Analyst position and got it (been a sysadmin for years and always security-first, but never actually done an infosec job). I was hyped for it from the beginning but then when my future manager called me to tell me that I got it and what to expect he mentioned that I'd be enrolled in a couple SANS courses, some SIEM training, I'd have to get my CISSP at some point, what my colleagues specialize in and mentioned that one of them has a SANS Challenge Coin.

Since then imposter syndrome has hit hard and now I'm wondering if I am even capable of doing this to their level. I'm 2 years younger than the manager and at least 5 years older than everyone else on my team. I haven't even started and I'm already feeling behind and unable to catch up. There is so much stuff I don't know how to do, and even more that I only have a general understanding of.

Security teams can feel that way sometimes. It will take you about a week to realize that most infosec personnel aren't as competent as you might think.

Nuclearmonkee
Jun 10, 2009


Sickening posted:

Security teams can feel that way sometimes. It will take you about a week to realize that most infosec personnel aren't as competent as you might think.

Extremely this. Just like in any part of IT or any job really, there are a lot of people going through the motions and the minority of them will be those individuals you are comparing yourself to in your head.

some kinda jackal
Feb 25, 2003

 
 
Every day I'm amazed I've managed to trick people into believing I have a marketable skill, going on a decade plus now. Welcome to the gang.

Joking aside, you'll get comfortable with your role naturally IMO. Everyone else already is, which is why they're probably more confident. Don't be afraid to lean on your peers during your transition period. It can feel debilitating, like you're deferring to them for knowledge and reinforcing your impostor syndrome, but a lot of this profession is also knowing how to work within the confines, relationships, and expectations set out by people who have come before you. How you provide a service can matter as much as the service you provide, and if you're unsure of either it can feel very shaky.

some kinda jackal fucked around with this message at 17:03 on Aug 15, 2023

BonHair
Apr 28, 2007

Also be aware that people with a lot of certs might be skilled at getting certs but not at practice. Your least obvious skill is probably also that you've seen a lot of real actual fuckups and stuff in your career, which means you have way better imagination at how people will circumvent security.

Internet Explorer
Jun 1, 2005





MustardFacial posted:

I applied for a Cybersec Analyst position and got it (been a sysadmin for years and always security-first, but never actually done an infosec job). I was hyped for it from the beginning but then when my future manager called me to tell me that I got it and what to expect he mentioned that I'd be enrolled in a couple SANS courses, some SIEM training, I'd have to get my CISSP at some point, what my colleagues specialize in and mentioned that one of them has a SANS Challenge Coin.

Since then imposter syndrome has hit hard and now I'm wondering if I am even capable of doing this to their level. I'm 2 years younger than the manager and at least 5 years older than everyone else on my team. I haven't even started and I'm already feeling behind and unable to catch up. There is so much stuff I don't know how to do, and even more that I only have a general understanding of.

Congrats! And also, you'll be fine. Deep breaths. After a few weeks you'll be wondering why everyone you work with is so bad at their job. :-D

Sickening
Jul 16, 2007

Black summer was the best summer.
The CISSP is an anomaly among certifications. It isn't technically challenging at all but holds more water than it should because of its price and adoption. SANS stuff pricing is also extreme but seems less embarrassing from a difficulty perspective.


CLAM DOWN
Feb 13, 2007




MustardFacial posted:

mentioned that one of them has a SANS Challenge Coin.

I'm extraordinarily proud of my SANS challenge coin, not just because I got 1st place in the CTF but because it's Blade Runner themed which rules
