evil_bunnY
Apr 2, 2003

no you’re fine like wine


Rexxed
May 1, 2010

Dis is amazing!
I gotta try dis!

I've had to help clients with IE windows within Edge for bank services and SCADA in the last month. Nah, the bank isn't going to update their site any time soon, you have to use IE in a tab. SCADA server upgrade? What's that?

spankmeister
Jun 15, 2008

Subjunctive posted:

Oh yeah, fuzzing is probabilistic and even with a lot of format information you asymptotically approach confidence. We used to measure fuzzing progress by how long the fuzzer ran before triggering a crash. When the guy leading it first set them up, all browsers (then Firefox, IE, Safari, Opera) died in under 15 minutes. Eventually it was like weeks or months for some, and I presume even longer now. It took a lot of work to get some other vendors to take the (meticulously submitted with test cases) bugs seriously until we said that we were going to release the fuzzer tooling so our community could help us with it. MSFT kept trying to push the date back because there were so many (hundreds) of maybe-distinct IE bugs whose crashes looked exploitable via our heuristics.

Now everyone fuzzes as a matter of course, but at the time it was pretty exciting to bring it to more visibility and use on some major software. Got to announce them in a DefCon talk and everything!

Oh those were the days. Heap vulnerabilities in IE galore. Especially when IE was still 32 bit and heap spraying was still effective.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

spankmeister posted:

Oh those were the days. Heap vulnerabilities in IE galore. Especially when IE was still 32 bit and heap spraying was still effective.

The lifecycle model of IE4-7’s DOM and script runtime was utterly insane, with pointers stashed all over the place and “adjusted” refcounting and lots of COM/IVariant shenanigans. It’s a miracle that it worked at all, tbh.

mllaneza
Apr 28, 2007

Veteran, Bermuda Triangle Expeditionary Force, 1993-1952

Defenestrategy posted:

is geofencing your network edge worthwhile?

Our IDS has been showing people poking at random open ports and poo poo, nothing directed just the general background noise from random countries that have no business looking at our network, and the vast majority is the usual suspects, Africa, Eastern Europe, SE Asia, etc. While yea, a serious nerd is gonna be hopping in from an end point in America I feel that increasing the barrier to entry is worthwhile, if only to shut noise down. For context our company shouldn't have any incoming from outside of the US.

Anecdote time! Back in 2008 I inherited responsibility for an ftp server. It was running a commercial implementation on a PowerMac G4. I figured nobody had an exploit for that and left it alone other than only allowing ftp traffic inbound to it.

I was checking the logs one day and noticed something funny. Every night, 50 random IPs in mostly France would each make one attempt to guess the password of the Administrateur account at 5-minute intervals. It didn't have an Administrateur account so I let it be. It was the politest form possible of a brute force attack, and I felt I had to respect that.

abigserve
Sep 13, 2009

this is a better avatar than what I had before

Defenestrategy posted:

is geofencing your network edge worthwhile?

Our IDS has been showing people poking at random open ports and poo poo, nothing directed just the general background noise from random countries that have no business looking at our network, and the vast majority is the usual suspects, Africa, Eastern Europe, SE Asia, etc. While yea, a serious nerd is gonna be hopping in from an end point in America I feel that increasing the barrier to entry is worthwhile, if only to shut noise down. For context our company shouldn't have any incoming from outside of the US.

If you can guarantee there's no way someone might want to use your services from outside the US then 100% it's worth it. Like others have said, geo-ip databases aren't perfect and there are 1000x ways an attacker can circumvent it but it will, at the very least, dramatically reduce the amount of noise in the network and may stop a lot of basic drive-by attacks. It's important to note that the port-knockers are usually the first step where the second step is "oh they are running a web service, let's wait a bit then try to work out what it's vulnerable to, oh it's running wordpress, let's just store that somewhere so we can exploit it when we can"

The other huge one to look at besides geofencing is implementing blacklists based on public blacklisted IPs like https://www.abuseipdb.com/. Anecdotally, when I was working in a SOC, like 99% of all inbound exploits were from an IP address that appeared in that list.

Defenestrategy
Oct 24, 2010

abigserve posted:

The other huge one to look at besides geofencing is implementing blacklists based on public blacklisted IPs like https://www.abuseipdb.com/. Anecdotally, when I was working in a SOC, like 99% of all inbound exploits were from an IP address that appeared in that list.

If I was king of IT mountain I'd combine the fence with this and tell people who end up on the wrong side of this to suck it and apply for an exemption personally, unfortunately I'm getting push back about doing this from the infrastructure side because "they have things they'd rather do and it's too hard and it wouldn't even do anything", even though my boss volunteered me to do it for them. I would actually happily do this, because it would cut down on the work my reports have to do scanning the IDS and checking false positives by enough of a percentage to be worth my while to do the foot work for it.
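
The fence-plus-blocklist-plus-exemptions policy the last few posts describe, as an added example that is not code from any poster: a constructed geo-IP prefix table (a real deployment would load a vendor database), a constructed reputation blocklist standing in for an AbuseIPDB export, a hand-maintained exemption set, and a pass over constructed firewall log lines that shows how much of the background noise each layer removes. Addresses the geo-IP table cannot place are dropped but tagged separately, since the databases are imperfect and a mis-geolocated partner should surface in review rather than vanish into the noise.

```python
import ipaddress
from collections import Counter
from typing import Optional

# Constructed geo-IP table (CIDR -> ISO country code); a real deployment loads
# a vendor database. These are RFC 5737 documentation ranges.
GEOIP_TABLE = {"198.51.100.0/24": "US", "203.0.113.0/24": "FR", "192.0.2.0/25": "RU"}
ALLOWED_COUNTRIES = {"US"}
# Constructed reputation blocklist, standing in for an AbuseIPDB-style export.
BLOCKLIST = {"198.51.100.77", "203.0.113.5"}
# Manually approved exemptions for known-good sources outside the fence.
EXEMPTIONS = {"203.0.113.9"}

# Longest prefix first so a more specific range wins over a broader one.
_NETWORKS = sorted(
    ((ipaddress.ip_network(c), cc) for c, cc in GEOIP_TABLE.items()),
    key=lambda item: item[0].prefixlen, reverse=True,
)

def country_of(ip: str) -> Optional[str]:
    """Longest-prefix lookup; None when the table cannot place the address."""
    addr = ipaddress.ip_address(ip)
    for net, cc in _NETWORKS:
        if addr in net:
            return cc
    return None

def decide(ip: str) -> tuple:
    """Return (verdict, reason) for an inbound source address.

    Order matters: a reputation hit is dropped even if exempted, an explicit
    exemption beats the geofence, and an address the table cannot place is
    dropped but tagged separately so mis-geolocated partners can be reviewed
    instead of being silently lumped in with the noise.
    """
    if ip in BLOCKLIST:
        return ("drop", "blocklist")
    if ip in EXEMPTIONS:
        return ("allow", "exemption")
    cc = country_of(ip)
    if cc is None:
        return ("drop", "geo-unknown")
    return ("allow" if cc in ALLOWED_COUNTRIES else "drop", "geo-" + cc)

def parse_src(line: str) -> Optional[str]:
    """Pull the src= field out of a key=value firewall log line."""
    for field in line.split():
        if field.startswith("src="):
            return field[4:]
    return None

def summarize(lines) -> Counter:
    """Count (verdict, reason) pairs over a batch of log lines."""
    counts = Counter()
    for line in lines:
        ip = parse_src(line)
        if ip:
            counts[decide(ip)] += 1
    return counts

# Constructed sample of the "background noise" the IDS was showing.
SAMPLE_LOG = [
    "2023-10-13T05:00:01Z src=203.0.113.5 dport=21 proto=tcp",    # FR, on blocklist
    "2023-10-13T05:05:01Z src=203.0.113.17 dport=21 proto=tcp",   # FR, geofenced
    "2023-10-13T05:10:01Z src=203.0.113.9 dport=443 proto=tcp",   # FR, exempted partner
    "2023-10-13T05:12:44Z src=192.0.2.3 dport=3389 proto=tcp",    # RU, geofenced
    "2023-10-13T05:13:02Z src=192.0.2.200 dport=22 proto=tcp",    # not in geo table
    "2023-10-13T05:15:00Z src=198.51.100.77 dport=80 proto=tcp",  # US, but on blocklist
    "2023-10-13T05:16:30Z src=198.51.100.8 dport=443 proto=tcp",  # US, allowed
]

if __name__ == "__main__":
    for (verdict, reason), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{verdict:5} {reason:12} {n}")
```

The per-reason counts are what you would graph to show the infrastructure side how much IDS triage the fence actually removes, and the "geo-unknown" bucket is the one to review before anyone files an exemption request.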

Famethrowa
Oct 5, 2012

meanwhile we have employees arguing for weeks on end to work from China with a (naturally) unencrypted laptop :sigh:

Jedi425
Dec 6, 2002

THOU ART THEE ART THOU STICK YOUR HAND IN THE TV DO IT DO IT DO IT

Defenestrategy posted:

is geofencing your network edge worthwhile?

Our IDS has been showing people poking at random open ports and poo poo, nothing directed just the general background noise from random countries that have no business looking at our network, and the vast majority is the usual suspects, Africa, Eastern Europe, SE Asia, etc. While yea, a serious nerd is gonna be hopping in from an end point in America I feel that increasing the barrier to entry is worthwhile, if only to shut noise down. For context our company shouldn't have any incoming from outside of the US.

Please also make sure that the device doing the geofencing is built to do it, and has enough power to do it well based on your traffic. I can't count the number of times back in the Dark Days when I was a firewall engineer that a customer would ask us to jam a 1000-item anti-China/Russia ACL into their shitbox ASA 5505. It always just hosed up their response times for little to no gain.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Famethrowa posted:

meanwhile we have employees arguing for weeks on end to work from China with a (naturally) unencrypted laptop :sigh:

that’s fine as long as it’s empty when they get on the plane, and you burn it when they get back before it goes on the network

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Subjunctive posted:

that’s fine as long as it’s empty when they get on the plane, and you burn it when they get back before it goes on the network

Just wipe it and dump it in the airport trash. Problem solved.

Badly Jester
Apr 9, 2010


Bitches!

I just realized that Raivo OTP, a 2FA app for iOS, was sold to some shady company. What's the next best thing? I'm half-tempted to say gently caress it and just use the Passwords app now that it does OTP, but that doesn't allow exports, which isn't ideal.

more falafel please
Feb 26, 2005

forums poster

I use Authy.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

2nd'ing Authy. Also makes transferring OTP between phones easy.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


I use Yubikey Authenticator

Xabi
Jan 21, 2006

Inventor of the Marmite pasty

Wasn't there some sort of vulnerability with Authy or did that turn out to be nothing?

Bald Stalin
Jul 11, 2004
I found this amusing, watch til the end

https://www.tiktok.com/@that_investor/video/7286955841541000490

Achmed Jones
Oct 16, 2004

lol jesus

reported for posting psychic damage

Takes No Damage
Nov 20, 2004

The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents. We live on a placid island of ignorance in the midst of black seas of infinity, and it was not meant that we should voyage far.


Grimey Drawer

Bald Stalin posted:

watch til the end

There is always more, and it is always worse █ ⛓

Remulak
Jun 8, 2001
I can't count to four.
Yams Fan

Lol. The last sentence is worth it.

Potato Salad
Oct 23, 2014

nobody cares

^^ you weren't kidding about the last sentence being stunningly, remarkably just uhhh

some kinda jackal
Feb 25, 2003

Well I just sat the SABSA foundations exam and I'm 50/50 on whether I passed. It's two separate "tests", one is focused at the strategy/planning/governance model and the other is more of the logistics of implementing the strategy related to security architecture. I aced the second logistic exam but mathematically I 50/50 "guessed" at enough on the first that I'm not sure if I'll have to re-sit it. The first test felt like one of those maddening types of exams where you have to remember a whole framework's lingo to get the answer right, to place a deliverable or activity on their convoluted 6x6 matrix that has like five layers superimposed.

If anyone is sitting SABSA Foundations, for the F1 part of the exam I'd recommend that all the stuff about the matrix and deliverables that you go "blah blah blah, they'll never ask me to specifically identify what's in the Contextual->Logical cell" -- yeah, that's kind of what they'll do. I don't want to make it sound like that was ALL it was, but I think the pass score is like 85% and it's a 48 question multiple-choice, so it just takes a few of those "oh come on..." questions to knock you down to having to sit it again.

On the flip side, a LOT of questions were either super obvious, to the point where I'd guess you could all get them right without even once looking at the material, or so easily narrowed down to 2/4 that you can roll the dice.

Would I recommend this? It's kind of a nice framework for collecting requirements and acting on them, and it does organize your thinking and kind of enforce completeness, but the approach is going to take a lot of organizational buy-in to be of any use IMO. But since I'm trying to formalize my practice I think it's worth the effort.

MustardFacial
Jun 20, 2011
George Russel's
Official Something Awful Account
Lifelong Tory Voter

Tryzzub posted:

https://static.open-scap.org/ssg-guides/ssg-rhel8-guide-pci-dss.html

openscap will generate reports and remediation scripts for you

RHEL 9 and PCI 4.0 not yet published last I checked

That being said it’s not perfect and you can do the same exercise with openscap against CIS or DISA STIG

Thank you for this. It has been a lifesaver even if I have had to modify the built in PCI-DSS profile to more accurately fit our deployment.

Hughmoris
Apr 21, 2007
Let's go to the abyss!

I've been watching too many TV shows and the idea of digital forensics keeps popping up.

Anyone here have experience working a digital forensics gig? If so, what's the reality of the work like?

Defenestrategy
Oct 24, 2010

Hughmoris posted:

I've been watching too many TV shows and the idea of digital forensics keeps popping up.

Anyone here have experience working a digital forensics gig? If so, what's the reality of the work like?

I did multiple courses in college and had to do some minor digital forensics stuff for %current_job, but from that experience it's pretty dull. The big thing is maintaining chain of custody and order of volatility, and the rest is just using the tools you have to go snooping through files. I feel it would be interesting work if you were working on serious criminal poo poo, but chances are you're probably doing a lot of post mortem on break ins or boring guy might have exfiltrated company secrets.

Defenestrategy fucked around with this message at 01:52 on Oct 14, 2023

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

I did contract digital forensics for a few groups, it's normally pretty mundane stuff. I still do forensics during IR scenarios, it's a little more exciting during actual security incidents versus criminal forensics.

yoloer420
May 19, 2006

Serious criminal poo poo is even more boring, plus you have to go to court. Murder trials take so loving long, then there will be mistrial and it all starts over. You finish the technical work and then court drags on for literal years. As a bonus at some random point in the future there will be an appeal and you've got to do it again.

Take really really good notes. You won't remember poo poo about the case when it comes back five years later.

Oh and the really amazing part is when one of the guys you put away escapes from prison and then is recaptured a couple of streets from your house with a bunch of drugs and guns.

I'm never doing DF for criminal poo poo again.

Sirotan
Oct 17, 2006

Sirotan is a seal.


I've had to do forensic analysis of compromised devices as part of incident response situations and it's extremely tedious and usually somewhat depressing. Dozens of hours of digging through someone's life because everyone has their personal, financial, and health information saved on their computers these days. Or at least, the audience that owns the devices I'm often having to dig through after they get a pop up and then call Windows Tech Support and give them full remote access of their computer. I can't really say I enjoy it.

Ulesi
Aug 30, 2023
I'm done with red teamers at my organization. These douche bags social engineer some moron with a phish/vish then start moving laterally to some shitbox share drives where they access some random rear end excel sheets then claim they were accessing sensitive data. Then we have to jump on an after action call where they gloat and justify their job and make us look like shitbags. Then we ask for a purple team exercise to help strengthen our defense but they decline because that would probably hurt their next engagement. Every quarter we waste poo poo tons of time and energy IR'ing their lovely red team engagement. Just so frustrated with them.

yoloer420
May 19, 2006

Red teams are mostly a waste of time. I say this as a professional red teamer. Almost everyone would get better value from a wide scoped authenticated security review. Nobody wants those though because they're worried they'll look bad.

Your red team sucks by the way. If they're gloating and making the reporting/debrief an adversarial process then they're bad at what they do.

poo poo is better for everyone when there is more collaboration and advocacy for the security function from the consultants.

Hell, most of the reports I write are "things are pretty bad, but the internal IT staff knew that already anyway, they've done incredibly well with the resources they have available, more resources and support from senior management will be required should any improvement be desired". Written way more politely and wanky, but poo poo, nobody benefits from the consultants being fucks about it.

yoloer420 fucked around with this message at 07:05 on Oct 14, 2023

Cannon_Fodder
Jul 17, 2007

"Hey, where did Steve go?"
Design by Kamoc

I'm new to the space, but that seems to be the concern with our infra teams per our discussions. Red Team starts from "compromised device within the firewall" and suddenly they're finding lots of stuff! I, too, am a master thief when invited in and with the house unlocked.

Sickening
Jul 16, 2007

Black summer was the best summer.

Cannon_Fodder posted:

I'm new to the space, but that seems to be the concern with our infra teams per our discussions. Red Team starts from "compromised device within the firewall" and suddenly they're finding lots of stuff! I, too, am a master thief when invited in and with the house unlocked.

It's not 2001 anymore. You can't put that much reliance on the "perimeter". Actually, stop pretending there is one and quit thinking of your org as a house.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Cannon_Fodder posted:

I'm new to the space, but that seems to be the concern with our infra teams per our discussions. Red Team starts from "compromised device within the firewall" and suddenly they're finding lots of stuff! I, too, am a master thief when invited in and with the house unlocked.

When they did red team work at FB they always started by silently disabling a couple elements of defense for the red team, so that they’re testing more than the first line. You want to know what your response is like to an actual incident, which really only happens if there’s something you didn’t expect or an error made. The alternative available to larger organizations is to buy a zero-day and burn it on the red team before reporting it, I guess.

Also, a compromised device being behind the firewall is not a super-unlikely occurrence over the lifetime of an organization. Someone's going to bring their laptop to work to download anime faster and now their discord bot can pivot onto the network. A credential leaks, you don't patch "log4j outlook facebleed 2" quite quickly enough, whatever. Someone in IT gets treated rudely by an exec one time too many and decides to hurt things.

The red team is not doing the performance review of other people’s work any more than a QA team is doing a performance review of programmers. They’re acting like a good tester or lawyer: if this sort of compromise happens, we get an outcome we might not want. It sounds like their findings here are useful, in that they expose that your network security is very perimeter-dependent. You (or someone in the business) may decide that they would prefer an attacker have to do some meaningful work after establishing presence. Or you may decide that you can make the perimeter perfect, which I guess is also a thing you can do. But don’t do it on my network, please!

evil_bunnY
Apr 2, 2003

Cannon_Fodder posted:

I'm new to the space, but that seems to be the concern with our infra teams per our discussions. Red Team starts from "compromised device within the firewall" and suddenly they're finding lots of stuff! I, too, am a master thief when invited in and with the house unlocked.

onion layers are a thing, HTH. your perimeter can't be your first, best and last line of defense.

Cannon_Fodder
Jul 17, 2007

"Hey, where did Steve go?"
Design by Kamoc

Totally understood, I wasn't stating that there should only be one layer. These are complaints from my infra guys when they're getting raked over the coals for Red Team findings.

I'm the schlub that has to make the argument now that these findings are of paramount importance, despite the risk assessment completely ignoring the fact that we weren't breached.

I guess I was just venting.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Most important thing you can do IMO is try to reconcile the people venting and make it seem like less of an adversarial relationship. Everybody's lives are gonna be more stressful if the network team feels like the red team is pulling the other one to make them look bad, and the red team feels like the network team thinks they're a waste of time and money. Nobody should be getting raked over the coals. Just fix poo poo.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Sickening posted:

It's not 2001 anymore. You can't put that much reliance on the "perimeter". Actually, stop pretending there is one and quit thinking of your org as a house.

It's this. As annoying as red teams and pen tests are, they can and do point out the serious flaws in your internal security. The perimeter is not gonna stop anything, it just stops the easy stuff. You need someone poking and prodding at what you've built, and hopefully someone who can bring those findings to you for remediation rather than, say, a threat actor who will exploit them.

Cup Runneth Over posted:

Most important thing you can do IMO is try to reconcile the people venting and make it seem like less of an adversarial relationship. Everybody's lives are gonna be more stressful if the network team feels like the red team is pulling the other one to make them look bad, and the red team feels like the network team thinks they're a waste of time and money. Nobody should be getting raked over the coals. Just fix poo poo.

Also this - Red teams should be partners and collaborators. But to be honest most security teams struggle with building relationships both internally but especially externally with the rest of the org.

Hughmoris
Apr 21, 2007
Let's go to the abyss!

Everyone posted:

digital forensics insights...

Thanks for the digital forensic insights. My career is taking a weird turn into the infosec world, so I'm trying to see what specialized areas could be fun and lucrative. If I were to get into forensics it would be at the Federal/DoD level, which may be a bit different than local law enforcement stuff.

My employer is all about paid training and it looks like SANS has a few courses on the topic, might see if I can attend one next year.

Sickening
Jul 16, 2007

Black summer was the best summer.

The culture you build in security should be to embrace findings with positivity. Having a green scorecard is the goal but is far more likely a symptom of your company having blind spots.

Findings being used to cause conflict should be shut down most times. Otherwise, you are creating a culture where people will avoid bringing awareness to problems or go out of their way to hide them.

Of course you are going to find situations where the dirty laundry is caused by purposeful neglect and/or purposeful recklessness. I have no choice but to poo poo on those people because I can't help it.


JehovahsWetness
Dec 9, 2005

bang that shit retarded

Sickening posted:

The culture you build in security should be to embrace findings with positivity. Having a green scorecard is the goal but is far more likely a symptom of your company having blind spots.

Findings being used to cause conflict should be shut down most times. Otherwise, you are creating a culture where people will avoid bringing awareness to problems or go out of their way to hide them.

Our sec teams are almost all ex-product devs / SRE / devops people, so anytime we have an incident, finding, pentest, etc. any follow-on requests are accompanied by an offer for one of us to pitch in hours to get it fixed, make a PR or whatever. We get that security requests can really gently caress up a roadmap and we pitch in as much as we can so sec doesn't get seen as the bad guys. (We stress that we're an engineering org and are part of product development / corp infra IT and we're here to help. Our relationships with the rest of the company are good enough that teams will proactively bring us design plans and poo poo for feedback really early in the process rather than trying to get a green check right at the end. It does help that we're probably heavy on graybeards.)

I feel like there's a gulf at mid-size places where infosec is a bureaucratic / CYA thing and not an engineering group, so they end up just being blockers / waving red nessus scans around like assholes.

JehovahsWetness fucked around with this message at 21:11 on Oct 14, 2023
