cr0y posted:I just had an OT engineer shocked, SHOCKED that we run CrowdStrike on our industrial control servers. He had an unrelated issue, and is now making enough noise that we should: I'm an OT (networking) engineer, and I would fire this person. some kinda jackal posted:If this is part of an active incident with operational impact then help triage and troubleshoot and disable with proper incident management approval. If he's just making noise then feed him a security policy exception form to get signed off by the CIO or whoever. Let them explain why they don't need to follow policy. This is the only exception I will allow, it's been several days since the last time we had to do it
Sep 28, 2023 18:41

Of course if we were triaging an outage or incident or whatever and one of our infrastructure applications or whatever is actually causing an issue, fine, it happens. It doesn't happen much, but it happens, I get that. What is happening here is X happens, the OT side doesn't know what, but it must be that drat corporate IT team who made us go to VMs! So they start poking around our infrastructure and find something like CrowdStrike, well wait, before we went to corporate's VM standard we never had AV? (Because of course they didn't, we had mission critical poo poo running on laptops running Windows XP). Therefore AV is the problem. Therefore get rid of CS. All of it, everywhere, even on the other 99.9% of the servers that are running without issue. Also it's not the issue here either, but I digress. Also not mentioning the fact that this particular manufacturing facility has been running the exact same hardware and software config for like two and a half years now.
Sep 28, 2023 19:47

cr0y posted:Also not mentioning the fact that this particular manufacturing facility has been running the exact same hardware and software config for like two and a half years now. Evidence is the refuge of a coward.
Sep 28, 2023 19:53

Remulak posted:My daughter was phished over text for iTunes money at 4:30 on her first day, allegedly by her boss who was in a meeting and unavailable at the time. They knew his name too. LinkedIn and theHarvester can generally give you most of what you need to figure out management and who is under who.
Sep 28, 2023 23:16

BaseballPCHiker posted:Having done a lot of SCADA/HVAC work in the past I'm honestly surprised things like this don't happen more often. I've been out of that space for a few years now, but it seemed like those industries lagged behind the rest of the tech space by a decade. Yeah, it's still lagging behind. I've got a family member nearing retirement that deals a lot with the controls side and the amount of bad password hygiene, default passwords or simplifying passwords or whatever is staggering to say the least.
Sep 28, 2023 23:47

Hold onto yer butts. https://twitter.com/bagder/status/1709103920914526525
Oct 3, 2023 21:45

JehovahsWetness posted:Hold onto yer butts. hell yes
Oct 3, 2023 21:46

Buckling up implies I want to survive this ride What would give anyone that crazy idea
Oct 3, 2023 21:53

I wonder if it's going to be another super edge case in terms of exploitability. I'm tired of getting my hopes up and then the vulnerability being totally unusable
Oct 3, 2023 21:54

Here's a fun one: https://www.phoronix.com/news/Glibc-LD-Nasty-Root-Bug
Oct 3, 2023 22:08

spankmeister posted:Here's a fun one: Same day that X11 vulnerabilities dating back to X11R2 from 1988 were identified: https://www.phoronix.com/news/XOrg-Vulnerabilities-Since-1988 Hell of a day for Linux infosec
Oct 3, 2023 22:51

Change the motd on all servers from stupid restricted warnings to just ask the intruder, politely, to run apt update on their way out
Oct 4, 2023 00:22

some kinda jackal posted:Change the motd on all servers from stupid restricted warnings to just ask the intruder, politely, to run apt update on their way out That was one of the ways they identified Russian vs other state actor hacking groups - The Russians would update your system after establishing persistence to lock out other groups
Oct 4, 2023 03:29

Darchangel posted:That bolded poo poo right there. I played dumb like I didn't understand I was supposed to turn in my desktop when they gave us all laptops so now I have both
Oct 4, 2023 07:27

Does anyone have any writeups or... conceptual information for how an organization successfully integrates DAST into a continuous development cycle? I have an understanding of the role of SAST and pentesting here and where each is inserted and slated, but the concept of injecting DAST tooling in any way that isn't prone to failure eludes me. I think this is just me not understanding how DAST tooling works, because for it to be useful in any way I feel like it would need significant testing scope within your target deployment and I'm just not sure how that's done in reality.
Oct 4, 2023 11:59

some kinda jackal posted:Does anyone have any writeups or... conceptual information for how an organization successfully integrates DAST into a continuous development cycle? I have an understanding of the role of SAST and pentesting here and where each is inserted and slated, but the concept of injecting DAST tooling in any way that isn't prone to failure eludes me. I think this is just me not understanding how DAST tooling works, because for it to be useful in any way I feel like it would need significant testing scope within your target deployment and I'm just not sure how that's done in reality. Would also love this, as many third party vendors like to claim vuln scans are DAST when questioned...
Oct 4, 2023 14:13

Like to me it FEELS like DAST should be the security equivalent of unit testing, in the sense that it can't just be "I pointed a web vulnerability scanner against my landing page" -- there has to be some more introspection you give the tool: app flows, specific test cases, etc., but I'm doing a lot of assuming here. If I'm right I guess I'd love to see a sample of how this is done conceptually, along with some sample tools, because just googling around, a lot of what I see is my "can't just be" scenario type of tool, where maybe you plug in a credential to give the tool one level of introspection into your app but nothing particularly methodical.
Oct 4, 2023 14:26

some kinda jackal posted:Like to me it FEELS like DAST should be the security equivalent of unit testing in the sense that it can't just be "I pointed a web vulnerability scanner against my landing page" -- there has to be some more introspection you give the tool, app flows, specific test cases, etc., but I'm doing a lot of assuming here. My shop primarily produces APIs, so our DAST tooling is geared toward that; general web DAST tools like ZAP or Burp didn't seem to do an amazing job. The commercial tool (look at Noname, APIsec, etc.) we use ends up consuming the schema of your APIs (Swagger, API gateway integration, etc.), you give it a few different credentials to test with and, with some guidance, it will generate playbooks, basically test scripts/unit tests, that look for specific scenarios, usually the OWASP API Top 10. Say broken object authorization: POST with user A and then GET with user B, and if it finds the data then you've got an issue. The whole system can be controlled via API with a CLI, so we wrote CI/CD jobs that dev teams include after they push to staging. It takes a bit of time to run and some care and feeding if the APIs change dramatically. SAST won't find the gross logic errors that permeate APIs, so basically it's a way for us to be comfortable that teams don't introduce any major issues between pen test engagements. Also a backstop against lovely pen testers.
Oct 4, 2023 14:47

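The create-as-A, read-as-B playbook Nukelear v.2 describes above, as an added example; this is not code from the thread or from any of the named vendors. The in-memory invoice API, the token-to-user mapping and the canary payload are all constructed for illustration. A real playbook would send the same two requests over HTTP at a staging deployment and take the resource paths from the OpenAPI document instead of calling methods directly.

```python
"""Minimal BOLA (OWASP API1) playbook of the kind a schema-driven DAST tool generates.

Added example, not from the thread or any vendor tool.  The API below is an
in-memory stand-in; a real playbook issues the same requests over HTTP.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed bearer tokens -> user ids (assumed for the demo, not real credentials).
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


@dataclass
class InvoiceApi:
    """Toy REST resource: POST /invoices, GET /invoices/{id}."""
    enforce_owner: bool                      # False reproduces the BOLA bug
    _store: Dict[int, dict] = field(default_factory=dict)
    _next_id: int = 1

    def _user(self, token: Optional[str]) -> Optional[str]:
        return TOKENS.get(token or "")

    def post_invoice(self, token: Optional[str], payload: dict) -> Response:
        user = self._user(token)
        if user is None:
            return Response(401)
        inv_id = self._next_id
        self._next_id += 1
        self._store[inv_id] = {"id": inv_id, "owner": user, **payload}
        return Response(201, {"id": inv_id})

    def get_invoice(self, token: Optional[str], inv_id: int) -> Response:
        user = self._user(token)
        if user is None:
            return Response(401)
        inv = self._store.get(inv_id)
        if inv is None:
            return Response(404)
        # The ownership check a vulnerable handler forgets:
        if self.enforce_owner and inv["owner"] != user:
            return Response(403)
        return Response(200, inv)


def bola_playbook(api: InvoiceApi, token_a: str, token_b: str) -> Tuple[bool, str]:
    """Create an object as user A, then try to read it as user B and anonymously.

    Returns (finding, detail).  A finding means B (or nobody) could read A's data.
    """
    created = api.post_invoice(token_a, {"amount": 1234, "memo": "canary-A"})
    if created.status != 201:
        return False, f"setup failed: POST returned {created.status}"
    obj_id = created.body["id"]

    cross = api.get_invoice(token_b, obj_id)
    if cross.status == 200 and cross.body and cross.body.get("memo") == "canary-A":
        return True, f"user B read user A's object {obj_id} (HTTP 200)"
    anon = api.get_invoice(None, obj_id)
    if anon.status == 200:
        return True, f"unauthenticated read of object {obj_id}"
    return False, f"cross-user GET -> {cross.status}, anonymous GET -> {anon.status}"


def run_playbook(enforce_owner: bool) -> bool:
    """True when the playbook reports a broken object level authorization finding."""
    finding, _ = bola_playbook(InvoiceApi(enforce_owner=enforce_owner), "tok-alice", "tok-bob")
    return finding


if __name__ == "__main__":
    for mode in (False, True):
        found, detail = bola_playbook(InvoiceApi(enforce_owner=mode), "tok-alice", "tok-bob")
        print(f"enforce_owner={mode}: {'FAIL' if found else 'pass'} - {detail}")
```

The vulnerable mode reports a finding and the owner-checking mode does not. The playbook also sends an unauthenticated GET for the same id, since that is the natural next probe; a schema-driven tool emits this pair for every path with an id parameter and every credential pair it is handed, which is what makes it cheap to run on every push to staging.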
Ya ya ya ya this is the content I crave, firsthand experience, thank you. We're also in the API game but simultaneously every other game as well, but even seeing a small use case is super helpful. Thank you!
Oct 4, 2023 15:00

do DAST tools do fuzzing, generally? can you guide them with format and other information?
Oct 4, 2023 15:29

Subjunctive posted:do DAST tools do fuzzing, generally? can you guide them with format and other information? The ones I've used do. Beyond just feeding the app out of spec data types, we have some industry specific identifiers that we look for so we build tests that attempt to get/put data in that format.
Oct 4, 2023 16:07

Subjunctive posted:do DAST tools do fuzzing, generally? can you guide them with format and other information? Yes, but not a true replacement for a human doing fuzzing, of course.
Oct 4, 2023 17:54

A human doing fuzzing seems like it would be really slow! Do you mean that a tool that ran atop AFL and was invoked by a developer isn’t DAST? We lived and died by fuzzing on Firefox and it was always automated via dozens (hundreds?) of custom generators, not having people think up random things to feed the CSS parser by hand. How do you do regression testing if you have humans doing it?
Oct 4, 2023 18:11

Subjunctive posted:A human doing fuzzing seems like it would be really slow! Do you mean that a tool that ran atop AFL and was invoked by a developer isn't DAST? You don't; you are 100% correct, but we still do human fuzzing for initial launches to verify, even often testing the DAST results manually, but we don't do it for every release.
Oct 4, 2023 18:44

Subjunctive posted:dozens (hundreds?) of custom generators,
Oct 4, 2023 18:54

evil_bunnY posted:isn’t this what most people mean when they say a “human doing it” I don’t know, I thought it meant “have people type random malformed poo poo into Postman”. we’d have just used AFL if it had existed at the time! if running a pile of generators (whether expressed as AFL config or bespoke code) is “having a human do it” then I don’t know what would constitute having a machine do it
Oct 4, 2023 19:04

cat /dev/urandom | firefox
Oct 4, 2023 19:07

A good example of "a human doing it" is the recent libwebp vulnerability. Despite being fuzzed six ways from Sunday as part of the QA process, the bug wasn't found and it's presumed it came out of careful code review. Here's a good writeup about it: https://blog.isosceles.com/the-webp-0day/
Oct 4, 2023 19:12

Is geofencing your network edge worthwhile? Our IDS has been showing people poking at random open ports and poo poo, nothing directed, just the general background noise from random countries that have no business looking at our network, and the vast majority is the usual suspects: Africa, Eastern Europe, SE Asia, etc. While yeah, a serious nerd is gonna be hopping in from an endpoint in America, I feel that increasing the barrier to entry is worthwhile, if only to shut noise down. For context, our company shouldn't have any incoming from outside of the US.
Oct 4, 2023 19:16

We recently implemented geofiltering and cut down on inbound crap by a lot. 10/10 would recommend.
Oct 4, 2023 19:18

spankmeister posted:A good example of "A human doing it" is the recent libwebp vulnerability. Despite being fuzzed six ways from sunday as part of the QA process, the bug wasn't found and it's presumed it came out of careful code review.. Do you mean that a human fuzzed libwebp to find the bug? It sounds like you’re saying that it wasn’t due to fuzzing at all, human or mechanical, but I have to admit that I don’t quite follow.
Oct 4, 2023 19:22

Defenestrategy posted:is geofencing your network edge worth while? Cuts down on the noise but isn't going to stop a determined attacker. Also it can cause problems because the geoip databases aren't perfect. (Whatever you do, keep them up to date)
Oct 4, 2023 19:25

Subjunctive posted:Do you mean that a human fuzzed libwebp to find the bug? It sounds like you’re saying that it wasn’t due to fuzzing at all, human or mechanical, but I have to admit that I don’t quite follow. Sorry I wasn't being entirely clear. I'm saying that even if you have good code coverage fuzzing you still don't cover everything. This bug could have potentially been found with fuzzing but you'd need to have a lot of knowledge about the file formats to make the test cases. Which is as close to "manual fuzzing" as you'd practically want to be. In this case it was probably manual code review but that wasn't really what I was trying to point out. Sorry for being unclear.
Oct 4, 2023 19:28

spankmeister posted:Sorry I wasn't being entirely clear. I'm saying that even if you have good code coverage fuzzing you still don't cover everything. This bug could have potentially been found with fuzzing but you'd need to have a lot of knowledge about the file formats to make the test cases. Which is as close to "manual fuzzing" as you'd practically want to be. In this case it was probably manual code review but that wasn't really what I was trying to point out. Sorry for being unclear.
Oct 4, 2023 19:31

spankmeister posted:Cuts down on the noise but isn't going to stop a determined attacker. Also it can cause problems because the geoip databases aren't perfect. (Whatever you do, keep them up to date) I'm aware, I just want to increase the barrier to entry to "having compromised or bought something in America". The second one I didn't know of, I thought IP address blocks were handed out by ICANN? Do they shuffle the blocks around?
Oct 4, 2023 19:32

Oh yeah, fuzzing is probabilistic and even with a lot of format information you asymptotically approach confidence. We used to measure fuzzing progress by how long the fuzzer ran before triggering a crash. When the guy leading it first set them up, all browsers (then Firefox, IE, Safari, Opera) died in under 15 minutes. eventually it was like weeks or months for some, and I presume even longer now. It took a lot of work to get some other vendors to take the (meticulously submitted with test cases) bugs seriously until we said that we were going to release the fuzzer tooling so our community could help us with it. MSFT kept trying to push the date back because there were so many (hundreds) of maybe-distinct IE bugs whose crashes looked exploitable via our heuristics. Now everyone fuzzes as a matter of course, but at the time it was pretty exciting to bring it to more visibility and use on some major software. Got to announce them in a DefCon talk and everything!
Oct 4, 2023 19:38

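spankmeister's point that random fuzzing needs format knowledge to reach the interesting code, and the time-to-first-crash metric Subjunctive describes, as an added example that is not the libwebp bug, Firefox's fuzzers, or any real file format. "TOYF" is a constructed run-length image format with a deliberately missing bounds check; the out-of-bounds write is simulated by raising an exception because Python will not corrupt memory. Both generators, the iteration counts and the fixed decoder are part of the example, not code from the thread.

```python
"""Why random bytes miss a bug that a format-aware generator finds in seconds.

Added example.  TOYF is an invented format: magic "TOYF", u16 width, u16 height,
then (run_length, value) byte pairs.  The decoder trusts run_length.
"""
import random
import struct
from typing import Callable, Optional

MAGIC = b"TOYF"


class ParserCrash(Exception):
    """Stands in for the out-of-bounds write a C decoder would actually do."""


def parse_toyf(data: bytes) -> bytearray:
    """Vulnerable decoder: run lengths are never checked against the pixel buffer."""
    if len(data) < 8 or data[:4] != MAGIC:
        raise ValueError("not a TOYF file")          # graceful reject, not a bug
    width, height = struct.unpack(">HH", data[4:8])
    pixels = bytearray(width * height)               # the "allocation"
    out = 0
    for pos in range(8, len(data) - 1, 2):
        run, value = data[pos], data[pos + 1]
        # BUG: nothing checks that out + run <= len(pixels)
        for _ in range(run):
            if out >= len(pixels):
                raise ParserCrash(f"write past end of pixel buffer at {out}")
            pixels[out] = value
            out += 1
    return pixels


def parse_toyf_fixed(data: bytes) -> bytearray:
    """Same decoder with the bounds check the vulnerable one is missing."""
    if len(data) < 8 or data[:4] != MAGIC:
        raise ValueError("not a TOYF file")
    width, height = struct.unpack(">HH", data[4:8])
    pixels = bytearray(width * height)
    out = 0
    for pos in range(8, len(data) - 1, 2):
        run, value = data[pos], data[pos + 1]
        if out + run > len(pixels):
            raise ValueError("run exceeds declared image size")
        pixels[out:out + run] = bytes([value]) * run
        out += run
    return pixels


def random_bytes_case(rng: random.Random) -> bytes:
    """Dumb generator: 16 random bytes.  Passes the magic check about 1 in 2^32 times."""
    return bytes(rng.getrandbits(8) for _ in range(16))


def structured_case(rng: random.Random) -> bytes:
    """Format-aware generator: valid header, small image, random in-grammar RLE body."""
    width, height = rng.randint(1, 4), rng.randint(1, 4)
    body = b"".join(bytes([rng.randint(0, 255), rng.randint(0, 255)]) for _ in range(4))
    return MAGIC + struct.pack(">HH", width, height) + body


def fuzz(gen: Callable[[random.Random], bytes], parser: Callable[[bytes], bytearray],
         rng: random.Random, max_iters: int) -> Optional[int]:
    """Return the iteration at which the parser first 'crashed', or None if it never did."""
    for i in range(1, max_iters + 1):
        try:
            parser(gen(rng))
        except ValueError:
            continue                                  # rejected input, that is expected
        except ParserCrash:
            return i
    return None


if __name__ == "__main__":
    for gname, gen in (("random bytes", random_bytes_case), ("structured", structured_case)):
        for pname, parser in (("vulnerable", parse_toyf), ("fixed", parse_toyf_fixed)):
            first = fuzz(gen, parser, random.Random(1), 10000)
            print(f"{gname:12s} vs {pname:10s}: first crash at iteration {first}")
```

Against the vulnerable decoder the random generator spends all of its budget failing the magic check and reports nothing, while the structured generator crashes it almost immediately; against the fixed decoder neither finds anything, which is the "time before a crash" number going up that Subjunctive describes. Real structure-aware fuzzing does the same thing with a grammar or a dictionary of valid headers and chunk types, and coverage feedback to keep the inputs that got further.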
Subjunctive posted:“have people type random malformed poo poo into Postman”. Subjunctive posted:MSFT kept trying to push the date back because there were so many (hundreds) of maybe-distinct IE bugs whose crashes looked exploitable via our heuristics.
Oct 4, 2023 19:44

evil_bunnY posted:hahahahhaha Well I’m curious now! CommieGIR, what does the human fuzzing you do at releases entail?
Oct 4, 2023 19:45

Defenestrategy posted:I'm aware, I just want to increase the barrier to entry to "having compromised or bought something in America". The second one I didn't know of, I thought IP address blocks were handed out by ICANN? Do they shuffle the blocks around? IP space is actively traded because IPv4 allocations are rather limited. I remember a story about some guy who traveled to the US and was detained by CBP for hours and hours because he filled out his online customs form from a Jordanian or Lebanese IP. Only it wasn't one of those; it was an IP block that his ISP (T-Mobile or something, iirc) had recently bought from the Middle Eastern ISP, and the geoIP database that CBP used wasn't up to date. I tried finding an article about this incident but wasn't successful. If anyone else knows what I'm talking about and can dig up a link, I'd be much obliged.
Oct 4, 2023 19:52

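The stale-GeoIP failure mode spankmeister describes, as an added example that is not from the thread and uses no real GeoIP product or data. The prefix tables are constructed from RFC 5737 documentation ranges, the "sold" /25 is hypothetical, and the IDS lines are made up; a real edge would load a current vendor database and apply the decision in the firewall, not in Python. The country allowlist and the fail-closed default for unknown prefixes are the choices Defenestrategy's question implies.

```python
"""Country allowlist at the edge, and what a stale GeoIP snapshot does to it.

Added example, not from the thread.  Prefix tables use RFC 5737 documentation
ranges; the reassigned /25 is hypothetical and the IDS log lines are made up.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple

# (prefix, ISO country).  Between the two snapshots, 203.0.113.128/25 is
# imagined to have been sold by a Jordanian ISP to a US carrier.
GEOIP_STALE: List[Tuple[str, str]] = [
    ("198.51.100.0/24", "US"),
    ("203.0.113.0/24", "JO"),
]
GEOIP_CURRENT: List[Tuple[str, str]] = GEOIP_STALE + [
    ("203.0.113.128/25", "US"),          # more specific prefix, must win the lookup
]
ALLOWED_COUNTRIES = {"US"}

# Constructed IDS lines: timestamp, source IP, destination port.
IDS_LINES = """\
2023-10-04T19:16:01Z SRC=203.0.113.200 DPT=22
2023-10-04T19:16:03Z SRC=203.0.113.17 DPT=3389
2023-10-04T19:16:05Z SRC=198.51.100.9 DPT=443
2023-10-04T19:16:09Z SRC=192.0.2.44 DPT=445
"""

Table = List[Tuple[ipaddress.IPv4Network, str]]


def build_table(rows: List[Tuple[str, str]]) -> Table:
    """Longest-prefix-match table: most specific prefix first."""
    nets = [(ipaddress.ip_network(p), cc) for p, cc in rows]
    return sorted(nets, key=lambda n: n[0].prefixlen, reverse=True)


def lookup(table: Table, ip: str) -> str:
    """Country code for ip, or '??' when the database has no prefix covering it."""
    addr = ipaddress.ip_address(ip)
    for net, cc in table:
        if addr in net:
            return cc
    return "??"


def edge_decision(table: Table, ip: str, fail_open: bool = False) -> str:
    """'allow' or 'drop'.  Unknown prefixes are a policy choice; default is closed."""
    cc = lookup(table, ip)
    if cc == "??":
        return "allow" if fail_open else "drop"
    return "allow" if cc in ALLOWED_COUNTRIES else "drop"


def compare(ip: str) -> Tuple[str, str]:
    """Decision under the stale snapshot vs. the current one."""
    return (edge_decision(build_table(GEOIP_STALE), ip),
            edge_decision(build_table(GEOIP_CURRENT), ip))


LINE_RE = re.compile(r"SRC=(\d+\.\d+\.\d+\.\d+)")


def summarize(log: str, table: Table) -> Dict[str, int]:
    """Count what the filter would do with each source IP seen in the IDS log."""
    counts: Counter = Counter()
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[edge_decision(table, m.group(1))] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip in ("203.0.113.200", "203.0.113.17", "198.51.100.9", "192.0.2.44"):
        stale, current = compare(ip)
        print(f"{ip:16s} stale={stale:5s} current={current}")
    print("stale snapshot:  ", summarize(IDS_LINES, build_table(GEOIP_STALE)))
    print("current snapshot:", summarize(IDS_LINES, build_table(GEOIP_CURRENT)))
```

With the stale table the reassigned US address is dropped as Jordanian, which is the CBP story in miniature; with the current table it is allowed because the /25 outranks the /24. The unknown 192.0.2.44 is dropped either way under the fail-closed default, so whoever owns the edge should decide deliberately what happens to addresses the database has never heard of, and should be refreshing that database on a schedule rather than at install time.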
evil_bunnY posted:oh god IE was SUCH a piece of poo poo rude
Oct 4, 2023 20:08