spankmeister posted: Yeah those days are long gone. Although there's plenty of crummy IoT devices out there that have zero mitigations enabled.

which is to say, everything old is new again and it turns out w00w00 and aleph one are still kinda relevant

Nov 2, 2023 21:23
May 24, 2024 02:51
New CVSS Standard dropped https://www.bleepingcomputer.com/news/security/new-cvss-40-vulnerability-severity-rating-standard-released/

Nov 2, 2023 21:37
Achmed Jones posted: which is to say, everything old is new again and it turns out w00w00 and aleph one are still kinda relevant

So many patches, so little downtime allowed for patching.

Nov 2, 2023 22:11
klosterdev posted: New CVSS Standard dropped https://www.bleepingcomputer.com/news/security/new-cvss-40-vulnerability-severity-rating-standard-released/

https://www.youtube.com/watch?v=4xgx4k83zzc&t=20s

Nov 2, 2023 23:57
ACE Hardware is not having a good time https://www.reddit.com/r/sysadmin/comments/17jwvtz/ace_hardware_corp_cybersecurity_incident_10302023/

quote: Looks like ACE corporate was hit with something. We've business with some franchisees; boss asked to keep tabs on our client stuff but there's not enough details for anything actionable.

Nov 3, 2023 21:37
People need to stop using Wordpress. That is my conclusion from 2 weeks on SOC.

Nov 4, 2023 04:52
MustardFacial posted: People need to stop using Wordpress.

You CAN secure wordpress, but it requires actually giving a poo poo, updating it properly, and hiding the admin pages behind a VPN of some sort. So, no, nobody is going to secure it.

Nov 4, 2023 14:52
Yeah you pay someone else for that headache and get hosted wordpress.

Nov 4, 2023 14:58
Just started my first real AppSec job after having mostly been a pentester the last few years. Diving into a brand new codebase is overwhelming.

Nov 4, 2023 18:27
spankmeister posted: Yeah you pay someone else for that headache and get hosted wordpress.

SaaS means security* as a service

*Actual security not included.

Nov 4, 2023 21:46
Hint to vendors, if you're in a call with your client and they've pulled in cyber security and legal, don't try to justify why things are not really technically a vulnerability. I'm amazed by the balls on some of these people. Just fix your poo poo, guy.

Nov 4, 2023 21:54
CommieGIR posted: You CAN secure wordpress, but it requires actually giving a poo poo, updating it properly, and hiding the admin pages behind a VPN of some sort.

You mean ufw and fail2ban aren't gonna cut it??

Nov 4, 2023 23:38
Cannon_Fodder posted: Hint to vendors, if you're in a call with your client and they've pulled in cyber security and legal, don't try to justify why things are not really technically a vulnerability. I'm amazed by the balls on some of these people. Just fix your poo poo, guy.

On the other hand, most cybersecurity professionals are only barely able to interpret a Nessus scan so “this thing is vulnerable” isn’t really that important if the vulnerability isn’t exploitable.

Nov 5, 2023 01:46
Cannon_Fodder posted: Hint to vendors, if you're in a call with your client and they've pulled in cyber security and legal, don't try to justify why things are not really technically a vulnerability. I'm amazed by the balls on some of these people. Just fix your poo poo, guy.

We had a very terse conversation with a vendor two weeks ago when we found out their software had an RCE vulnerability in it, and they basically handwaved it away saying it wasn't a big deal (as we demonstrated live, on video, our exploiting it). We were not happy. Neither was our CISO.

Nov 5, 2023 01:50
That vendor sounds like they messed up training their staff, I know if I'm in a meeting and the other side brings in lawyers I'm outta there. Lawyers talk to other lawyers.

Nov 5, 2023 01:55
It's always fun enabling Snyk on projects. A lot of times it's noise because of how certain languages build their dependency graphs, but sometimes... it hits hard to home. I mention this, because it gets real hard to have your average developer understand what is "high" and "within acceptable risk" because "there is no path to this functionality in use". You generally just wind up with devs ignoring so the pipeline works, while someone else comes by and looks at the ignored report to make a further evaluation of risk.

But also yeah, if you demonstrate an RCE to a vendor, you didn't have the right people in the meeting if it was treated that way.

Nov 5, 2023 03:32
Cup Runneth Over posted: You mean ufw and fail2ban aren't gonna cut it??

Those are all I use on my own system (which admittedly no one would ever try to specifically break into) and that plus disabling password SSH login ~sounds~ like it should be enough... Though I imagine a large enterprise would want some things a little more robust.

Nov 5, 2023 03:48
If you don’t use any of the comment features in Wordpress and it’s just a CRM then you can do worse than using it to generate static pages and sticking the entire bit that executes PHP behind a proxy that only your employees can auth to.

Nov 5, 2023 11:13
CommieGIR posted: We had a very terse conversation with a vendor two weeks ago when we found out their software had a RCE vulnerability in it, and they basically handwaved it away saying it wasn't a big deal (as we demonstrated live, on video, our exploiting it)

We had a similar meeting where I demo'ed SQLi against a vendor product and they kept asking how we could fix this with the load balancer, WAF, etc and we had to just keep pointing out that it was a fundamental code issue and they had to fix their loving product. We had the source code and in the end I had to walk them to the offending line of terrible hand-rolled ORM code before they could get it fixed.

Companies aren't paranoid enough about 3rd party vendors. They're giant risks for handling anything sensitive and are straight up lying about anything security related to their customers' faces to get sales/growth. There's a ton of examples of downstream vendors getting popped and losing sensitive data or being used as a pivot up. (I personally have filed critical VRPs against 3 BI / analytics vendors this year that exposed customer _external connection_ credentials to me. This poo poo is cobbled together startup code with a nice website.)

Nov 5, 2023 13:15
The IT department in our company got a new project lead a few months ago, and he's pushing to fix the dire security situation going on currently. For unspecified reasons, I think he's maybe overshooting the target, but whatever. But one reason he kept bringing up for it is specifically key account customers potentially wanting to audit the IT stuff, because they'd like to know, in case of a cybersecurity event, how fast we could recover so that we could keep supplying to them (avoiding supply interruptions). I know that there's ISO 27001 and such, which itself makes sense, some audit certification to hand over to customers. But specific customers wanting to audit on their own, is that actually a thing? Or is he misinterpreting some stuff? (He didn't know what NodeJS was, when we had our talk with IT about our things, so I'm wary about such claims.) We're a manufacturing plant, but not an international big player.

--edit: I mean, if a customer was interested in details about how his product is being manufactured, and thus wants first hand insights into the manufacturing process, that's one thing (which IMO borders into industrial espionage, because why would we want to give up details on hard/unique to manufacture products, of which we have quite a few). But how giving insight into IT infrastructure and code would be relevant, I'm not sure.

Combat Pretzel fucked around with this message at 13:58 on Nov 5, 2023

Nov 5, 2023 13:49
Combat Pretzel posted:

It can be! But I don't know how common it is. Most commonly I've seen people just accept documentation like SOC-2 reports, but I have seen some places put a right to audit into their contracts. Either because they want that extra level of assurance regarding their software supply chain or because they are being forced to get that level of assurance (usually by some kind of oversight function that is remembering a giant fuckup.) When I see organizations who don't have that kind of contractual language try to get audits of their vendor-provided IT services, most often the vendor simply ignores them or says no. Unless they're desperate to retain the contract, which sometimes happens depending on the relative sizes of the business units involved and the size of the contract.

Nov 5, 2023 14:43
At places I've worked we've had people from a company come by and do like some process review and an on-site assessment, but an actual audit? Seems like something you'd handle with a SOC audit right? anyway, that sounds like a great chance to bring legal in and decide what any of that would look like to me

Nov 5, 2023 15:36
CommieGIR posted: We had a very terse conversation with a vendor two weeks ago when we found out their software had a RCE vulnerability in it, and they basically handwaved it away saying it wasn't a big deal (as we demonstrated live, on video, our exploiting it)

If the vendor confirms on record it's not a vulnerability then there's no reason not to publicly post the PoC.

Nov 5, 2023 16:08
Harik posted: If the vendor confirms on record it's not a vulnerability then there's no reason not to publicly post the PoC.

We ended up getting them to fix it through lawyers.

Nov 5, 2023 17:22
Okta got popped bc a user with access to a service account was signed into their work Chrome browser with their personal account

Nov 7, 2023 03:30
Actually, the root cause is their processes aren’t robust enough to prevent that https://nitter.net/amyngyn/status/1072576388518043656

Nov 7, 2023 03:36
Evis posted: Actually, the root cause is their processes aren’t robust enough to prevent that

Yeah, that was the gist of the Ars article

Nov 7, 2023 03:42
rafikki posted: Yeah, that was the gist of the Ars article

Fair, it was meant to be a response to klosterdev’s post but you posted just before I did.

Nov 7, 2023 04:44
klosterdev posted: Okta got popped bc a user with access to a service account was signed into their work Chrome browser with their personal account

a thousand CISOs just started panicking

Nov 7, 2023 04:50
Yeah why even restrict access to a very important account in some way, just have it so you can pop the creds out of a compromised Google account. When it goes bad blame an employee.

Afaik the default behaviour for Chrome is that it will connect itself to the first Google account that logs into a Google service without asking, and enable all the sync options.

Nov 7, 2023 05:01
Sarern posted: When I see organizations who don't have that kind of contractual language try to get audits of their vendor-provided IT services, most often the vendor simply ignores them or says no. Unless they're desperate to retain the contract, which sometimes happens depending on the relative sizes of the business units involved and the size of the contract.

I am

Nov 7, 2023 07:00
Thanks Ants posted: Afaik the default behaviour for Chrome is that it will connect itself to the first Google account that logs into a Google service without asking, and enable all the sync options.

I had to make up a 'business' burner account just so I could connect to meetings for work without automatically grabbing my personal account and blasting my contact info to random customers

Nov 7, 2023 07:03
I don't know enough sysadmin things, can you easily allow chrome but block email login?

Nov 7, 2023 07:15
Yes, there's an option to block profile login in Chrome. There are also options to block the built-in password manager, the syncing of plugins, etc.

[edit: also Edge has the ability to automatically sign into a work account and avoid this problem]

Internet Explorer fucked around with this message at 07:26 on Nov 7, 2023

Nov 7, 2023 07:20
Famethrowa posted: I don't know enough sysadmin things, can you easily allow chrome but block email login?

I assume it’s here somewhere: https://chromeenterprise.google/policies/

Nov 7, 2023 07:28
Yes it can all be controlled, this is what Okta should have done. The one thing I can’t find a Chrome policy for is their “quiet notifications” thing where sites asking for push notifications just badge in the address bar rather than popping something up, I can only find a control to either enable notifications or disable them.

Nov 7, 2023 07:35
Just block push notifications except for a specific allowlist of sites, there is no legitimate use case for a random website to have that ability.

Nov 7, 2023 09:19
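The Chrome controls the last few posts talk about (blocking profile sign-in and sync so a personal Google account can't attach itself to a work browser, turning off the built-in password manager, and blocking push notifications except for an allowlist) all map to Chrome enterprise policies from the page linked above. The script below is an added example, not code from the thread or from Google: the policy names are real Chrome enterprise policies, but the chosen values, the allowlisted URL pattern, the Linux managed-policy path, and the "weak" baseline (constructed to mirror the out-of-the-box behaviour Thanks Ants describes) are this example's own assumptions. It writes the hardened policy file and audits any policy file for the four settings the thread cares about.

```python
import json
import tempfile
from pathlib import Path

# Hardened baseline. Policy names are real Chrome enterprise policies
# (https://chromeenterprise.google/policies/); the values are this example's
# choices and the allowlisted URL pattern is a placeholder.
HARDENED_POLICY = {
    "BrowserSignin": 0,                # 0 = browser profile sign-in disabled entirely
    "SyncDisabled": True,              # no profile sync even if a sign-in slips through
    "PasswordManagerEnabled": False,   # disable the built-in password manager
    "DefaultNotificationsSetting": 2,  # 2 = block sites from sending notifications
    "NotificationsAllowedForUrls": [   # explicit allowlist (hypothetical internal app)
        "https://[*.]example.com",
    ],
}

# Constructed "weak" baseline mirroring default behaviour: sign-in allowed,
# sync on, password manager on, any site may ask for notifications.
WEAK_POLICY = {
    "BrowserSignin": 1,
    "SyncDisabled": False,
    "PasswordManagerEnabled": True,
    "DefaultNotificationsSetting": 3,  # 3 = ask the user
}

# Where Chrome on Linux reads admin-enforced ("managed") policy; an assumption
# for this example. Windows uses GPO/registry, macOS uses a plist, same keys.
LINUX_MANAGED_DIR = Path("/etc/opt/chrome/policies/managed")


def render_policy(policy: dict) -> str:
    """Serialise a policy dict as the JSON file Chrome expects."""
    return json.dumps(policy, indent=2, sort_keys=True) + "\n"


def parse_policy(text: str) -> dict:
    """Parse a managed-policy JSON file back into a dict."""
    return json.loads(text)


def write_policy(path: Path, policy: dict = HARDENED_POLICY) -> Path:
    """Write the policy file. In real deployment the directory must be root-owned,
    otherwise Chrome will not treat the policy as managed."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(render_policy(policy))
    return path


def audit_policy(policy: dict) -> list:
    """Return findings (empty list means compliant) for the settings the thread
    discusses. A missing key means Chrome's default applies, which is a finding."""
    findings = []
    if policy.get("BrowserSignin") != 0:
        findings.append("BrowserSignin: profile sign-in is not disabled")
    if policy.get("SyncDisabled") is not True:
        findings.append("SyncDisabled: profile sync can still be turned on")
    if policy.get("PasswordManagerEnabled") is not False:
        findings.append("PasswordManagerEnabled: built-in password manager is available")
    if policy.get("DefaultNotificationsSetting") != 2:
        findings.append("DefaultNotificationsSetting: any site may request push notifications")
    return findings


def audit_file(path: Path) -> list:
    """Audit an on-disk policy file."""
    return audit_policy(parse_policy(path.read_text()))


if __name__ == "__main__":
    # Demo in a temp dir so it runs without root; real deployment targets LINUX_MANAGED_DIR.
    with tempfile.TemporaryDirectory() as tmp:
        p = write_policy(Path(tmp) / "hardened.json")
        print(p.read_text())
        print("hardened findings:", audit_file(p))
        print("weak findings:", audit_policy(WEAK_POLICY))
```

Run it as root with `write_policy(LINUX_MANAGED_DIR / "hardened.json")` to actually enforce the settings, then confirm in `chrome://policy` that each key shows as applied with no error. The audit treats absent keys as failures on purpose: a policy file that simply omits `BrowserSignin` leaves the default, and the default is exactly the auto-attach behaviour the thread is complaining about.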
I cold turkey severed any use of my personal credentials on a work device a while ago and really the only scenario where it annoys me is when I need to watch something on youtube because I pay for premium so totally forget ads exist for long stretches of time.

Nov 7, 2023 12:42
Jabor posted: Just block push notifications except for a specific allowlist of sites, there is no legitimate use case for a random website to have that ability.

I personally love it when people click 'Allow Notifications' on a random site and they start getting 'YOU HAVE BEEN HACKED DO NOT POWER DOWN YOUR LAPTOP' ads in the windows notification panel

Nov 7, 2023 14:28