> Thanks Ants posted: Did they like to think it was the equivalent of the MTAC room in NCIS

It was part flexing the fact that some leaders gave them some small authority to have instances of total privacy, while also trying to keep up an image. There used to be, and maybe still is, some overreaching application of "need to know" without applying a smidge of context. Take for an example simple incident response processes. I had someone leave an org fairly recently that took this to an extreme. Had an incident of malware that was a big nothing burger? No, that isn't a reason to shut down your coworker who is asking about details (out of curiosity) but also isn't part of the IR. It's not an excuse to weaponize the smallest bit of authority to be an extreme rear end in a top hat.

Sep 22, 2023 19:25

> gallop w/a boner posted: Apologies if this has been discussed in the last few hundred pages.

My company uses 1Password, and from any research I've ever done that always comes out either at or near the top of any list of paid password management solutions.

Sep 22, 2023 23:55

Either 1Password or Bitwarden I think, and 1Password has better shared-vault stuff.

Sep 23, 2023 01:01

> Sickening posted: I remember when I was starting my career some infosec team had a "room" in the facility that only they could enter. They joked proudly about how I (desktop support guy) could not enter the room or even know what was in the room. I at the time thought this was a very serious thing.

When Rackspace moved into the castle, there was a NOC setup with a secure door on it that only certain badges could get into. I think it lasted all of 3 weeks before they removed it. Now the abuse people, they had to be in a private room cause they had to look at the awful poo poo on the internet.

e: it turned out for the worse when they removed it cause that's where most of the food was put out and bands played and the slide was right there and there was loving karaoke. AND THE loving COFFEE SHOP ptsd.

jaegerx fucked around with this message at 01:47 on Sep 23, 2023

Sep 23, 2023 01:40

1Password is excellent for business because of the shared vaults and what you can do to secure password sharing in your company with them. I never miss an opportunity to shill for it.

Sep 23, 2023 07:05

Keeper is better for business if you're an Entra ID shop. Apps work well, ability to transfer a user's vault to another user when they leave the company. 1Password's SSO is super busted and crap. When you try to deploy it to 500 peeps it falls on its face.

Sep 23, 2023 17:16

You'd think after Apple's internal adoption that SSO would get unfucked.

Sep 23, 2023 17:26

> Nitr0 posted: Keeper is better for business if you're an Entra ID shop. Apps work well, ability to transfer a user's vault to another user when they leave the company.

Seems to work fine for us at ~10000 people, at least 2500 sharing one vault?

Sep 23, 2023 17:29

We use Passwordstate and it kinda sucks. The core functionality works well, it's just missing all of the quality of life features of a 1Password or Bitwarden.

Sep 23, 2023 17:56

Bitwarden's SSO is quite clunky in the sense that you have to create your own onboarding instructions because the email invites that are sent out just confuse people.

Sep 23, 2023 17:59

> Subjunctive posted: Seems to work fine for us at ~10000 people, at least 2500 sharing one vault?

Shrug. Saw the proofs of concept from my teams about a year ago and 1Password had some janky "SCIM bridge" that you had to deploy in Kubernetes in Azure. The SSO didn't work correctly, so everyone still had their own master passwords. Sharing between teams was flawed when you didn't want to share a specific entire "vault" but single folders or records. I used 1Password for about 7 years personally and it did a good job, but I'm not quite sure who is deploying it in enterprise.

Sep 23, 2023 18:16

Oh, we still have master passwords (but usually use Touch ID on laptops); the SSO isn't used to unlock that. I don't know how that would work.

Sep 23, 2023 22:01

> Subjunctive posted: Oh, we still have master passwords (but usually use Touch ID on laptops); the SSO isn't used to unlock that. I don't know how that would work.

Kinda the entire point behind SSO and 2FA. A user shouldn't need additional prompting if they've already been authed and verified. Conditional Access says that this user is working from home, has already performed 2FA, and their IP and hardware haven't changed for 30 days. Probably fine for little to no prompting.

Sep 24, 2023 19:04

What's y'all's favorite phishing incidents over the past 2 - 3 years? I have to make a skit for security awareness month.

Sep 25, 2023 09:33

If you don't answer MGM to that I don't know what to say.

Sep 25, 2023 09:40

Every "class" will do that one, rightfully so, it's hilarious. Weren't there a few T-Mobile ones when they had massive data breaches? You should find one that happened to your company before you were hired. I'm sure that would go over super well.

Sep 25, 2023 09:47

> GrunkleStalin posted: What's y'all's favorite phishing incidents over the past 2 - 3 years?

MGM is tempting but I have to go with the poor Azure sod who let

Wasn't the Okta federation free-mint issue also footholded by phishing followed by a fraudulent phone call with a helpdesk? That was at least a month or two ago, which honestly may as well be the ancient past.

Sep 25, 2023 10:37

> GrunkleStalin posted: I have to make a skit for security awareness month

If you "have" to then that sucks, but IMO it's either something mildly funny and creative or it's literally just another to:all email that no one will ever read, so have fun with it. I mean it won't matter anyway, but whatever. I did one of these as a video a few years ago with my friends where we dressed up in old timey burglar outfits with fake moustaches and a sack stuffed with a pillow with "corporate secrets" sharpied on, and did stupid poo poo like tailgating badge-ins, finding unlocked computers, etc., and each time there was a jump cut to the CEO picking up his desk phone and saying "THEY STOLE WHAT??" Reiterating that it was stupid, but at least we had fun for a week.

Sep 25, 2023 11:43

I want to hear stories of someone being phished because they held an executive role and their MFA method was a phone call to their landline, which someone was busy wiretapping at the local pedestal.

Sep 25, 2023 11:57

What's the deal with 1Password? My app version (100% locally stored) just works and doesn't cost me anything, but for new users it's paid only?

Sep 25, 2023 13:32

> bolind posted: What's the deal with 1Password? My app version (100% locally stored) just works and doesn't cost me anything, but for new users it's paid only?

Congratulations on staying on version 3 and not paying attention to any of the product announcements from the company that makes your password manager. They're on 8 now and yes, it's been cloud-hosted and subscription-based for a long time now.

Sep 25, 2023 13:42

> GrunkleStalin posted: What's y'all's favorite phishing incidents over the past 2 - 3 years?

One of our accountants got whacked with "hi *accountant* this is ceo *ceo* im in a meeting and need 200$ of google play cards asap please handle this, i am in a meeting so please do not call me." And she went out and, dare I say, got this random hotmail address $200 of Google Play cards. So you know, phishing attempts really do not have to be complicated affairs.

Sep 25, 2023 14:35

My favorite is the IT tech that got popped when someone called in to reset their password, and it wasn't until he hung up that he realized it was his password he reset.

Sep 25, 2023 14:43

Lots of companies would be happy for a successful phish to only cost them $200 of Google Play fun money.

Sep 25, 2023 14:54

> Mustache Ride posted: My favorite is the IT tech that got popped when someone called in to reset their password, and it wasn't until he hung up that he realized it was his password he reset.

Sep 25, 2023 15:01

> Thanks Ants posted: Lots of companies would be happy for a successful phish to only cost them $200 of Google Play fun money.

Yea, from what I understand everyone was sympathetic to the situation, especially probably because it was their own money they used to get the Play cards instead of the company's. They and their department won a trip to defens brand new anti-phishing training for a day.

Sep 25, 2023 15:09

> geonetix posted: If you don't answer MGM to that I don't know what to say.

MGM, Colonial Pipeline, and the Microsoft Azure Key hack.

Sep 25, 2023 17:24

> CommieGIR posted: MGM, Colonial Pipeline, and the Microsoft Azure Key hack.

https://www.cybersecurityconnect.com.au/commercial/9600-ransomed-vc-group-claims-hack-on-all-of-sony-systems

Apparently Sony as of today... I doubt it's as big as they're claiming it to be, though time will tell.

Sep 25, 2023 21:15

> GrunkleStalin posted: What's y'all's favorite phishing incidents over the past 2 - 3 years?

There was one recently where the attacker spammed the target with 2FA requests until the target got fatigued and caved in. I thought that one was pretty funny.

E: I remember now, it was Uber! https://forums.somethingawful.com/showthread.php?threadid=4008273&pagenumber=118&perpage=40&userid=0#post526306381

Mantle fucked around with this message at 22:11 on Sep 25, 2023

Sep 25, 2023 22:03
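The "spam them with prompts until they cave" pattern Mantle describes is cheap to detect on the defender side: an approval that arrives after a burst of push prompts is the tell. The following is an added example (not code from this thread or from any MFA vendor) that runs that rule over a constructed sample of push events; the log format, the event names and the 5-prompts-in-10-minutes threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events (not real logs), one per line:
# timestamp,user,event  with event in {push_sent, push_denied, push_approved}.
# alice receives a burst of prompts and finally approves one; bob is a normal login.
SAMPLE_LOG = """\
2023-09-15T22:01:03Z,alice,push_sent
2023-09-15T22:01:10Z,alice,push_denied
2023-09-15T22:02:15Z,alice,push_sent
2023-09-15T22:02:20Z,alice,push_denied
2023-09-15T22:03:30Z,alice,push_sent
2023-09-15T22:04:41Z,alice,push_sent
2023-09-15T22:05:00Z,bob,push_sent
2023-09-15T22:05:08Z,bob,push_approved
2023-09-15T22:05:52Z,alice,push_sent
2023-09-15T22:07:03Z,alice,push_sent
2023-09-15T22:07:20Z,alice,push_approved
"""


def parse_events(text):
    """Parse the comma-separated lines into (timestamp, user, event) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Return one alert per user whose approval was preceded, within `window`,
    by at least `threshold` push prompts. A run of ignored or denied prompts
    that ends in an approval is the signature of a user who gave in, so the
    approval should be treated as suspect (re-verify, revoke the session)."""
    per_user = defaultdict(list)
    for ts, user, event in sorted(events):
        per_user[user].append((ts, event))
    alerts = []
    for user, evs in per_user.items():
        for i, (ts, event) in enumerate(evs):
            if event != "push_approved":
                continue
            prior = [t for t, e in evs[:i] if e == "push_sent" and ts - t <= window]
            if len(prior) >= threshold:
                alerts.append({"user": user, "approved_at": ts,
                               "pushes_in_window": len(prior)})
                break  # one alert per user is enough to page someone
    return alerts
```

Calling `detect_push_fatigue(parse_events(SAMPLE_LOG))` flags alice (6 prompts before her approval) and leaves bob alone; number-matching prompts remove the easy "approve to make it stop" path, but this rule still catches the older push-only flows.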

> Mantle posted: There was one recently where the attacker spammed the target with 2FA requests until the target got fatigued and caved in. I thought that one was pretty funny.

I believe that was the Uber hack.

Sep 25, 2023 22:12

What is the least lovely free and cross-platform remote desktop control software for LAN/VPN use? I have a Windows PC in my home office that I sometimes remote into. I'm not a fan of using RDP because that takes over my login session and forces me to log back in when I use it locally. I've historically used VNC with an encryption plug-in, but now that my client device is Linux I'm struggling to reconfigure it in a way that works. And I see that TeamViewer is free for personal use but they self-owned (?) pretty hard a few years ago. Are all solutions just differently lovely, or is there a clear winner?

Sep 25, 2023 23:33

ScreenConnect has a free tier for 3 machines: https://docs.connectwise.com/Connec...o_your_instance

Sep 26, 2023 00:23

> Happiness Commando posted: What is the least lovely free and cross-platform remote desktop control software for LAN/VPN use?

VNC works perfectly fine in Linux if you for some reason need to get into a desktop instead of a shell session. Outside of a Linux VDI or desktop (which is where we use it) idk where that'd be tho.

Sep 26, 2023 01:13

Chrome Remote Desktop is quite good. I work for Google though, other people's tolerance to installing Google stuff might reasonably be lower.

Sep 26, 2023 01:25

VNC + Tailscale

Sep 26, 2023 02:19

> Achmed Jones posted: Chrome Remote Desktop is quite good. I work for Google though, other people's tolerance to installing Google stuff might reasonably be lower.

This is what I use as a backup to RDP and it's wonderful.

Sep 26, 2023 04:02

> Thanks Ants posted: Lots of companies would be happy for a successful phish to only cost them $200 of Google Play fun money.

A Starbucks employee I know pulled $1500 and went out and bought gift cards because they were phished. Things were figured out before anything changed hands though. I literally listened to her tell the story, near tears the whole time, and I still cannot comprehend how that happened.

Sep 27, 2023 02:14

CVE-2023-5129 is going to be fun.

Sep 27, 2023 11:33

WebPEEPEE-POOPOO

Sep 27, 2023 11:36

> Fart Amplifier posted: CVE-2023-5129 is going to be fun.

"Yay"

Sep 27, 2023 12:20