SlowBloke
Aug 14, 2017

hark posted:

I'm not now and have never been on LastPass, but what's the deal with it? Is it just really unsecure or something? I've never seen it mentioned anywhere but here.

Multiple breaches dealt badly.


Thanks Ants
May 21, 2004

#essereFerrari


omeg posted:

Some of my colleagues investigated weird lockups of trains and found evidence of undocumented DRM that triggered if the trains were serviced by 3rd parties and not the manufacturer. There will be a talk about this at CCC later this year.
Cool train hacking



Hopefully I'm not stealing your thunder by posting this because I was waiting for the talk to go live, and now it is

https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains

Kibner
Oct 21, 2008

Acguy Supremacy

hark posted:

I'm not now and have never been on LastPass, but what's the deal with it? Is it just really unsecure or something? I've never seen it mentioned anywhere but here.

They’ve gotten compromised multiple times now.

Kibner
Oct 21, 2008

Acguy Supremacy

Thanks Ants posted:

Hopefully I'm not stealing your thunder by posting this because I was waiting for the talk to go live, and now it is

https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains

Bookmarked to watch later. Thanks!

omeg
Sep 3, 2012

Thanks Ants posted:

Hopefully I'm not stealing your thunder by posting this because I was waiting for the talk to go live, and now it is

https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains

Yeah it's fine! I've got some flu thing so sadly couldn't be there to hear it live but the talk was pretty fun.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


hark posted:

I'm not now and have never been on LastPass, but what's the deal with it? Is it just really unsecure or something? I've never seen it mentioned anywhere but here.

Previously user vaults were able to be broken into and plain text passwords stolen

Takes No Damage
Nov 20, 2004

The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents. We live on a placid island of ignorance in the midst of black seas of infinity, and it was not meant that we should voyage far.


Grimey Drawer
This was the writeup that scared me away from LP forever:
https://infosec.exchange/@epixoip/109585049354200263

more falafel please
Feb 26, 2005

forums poster

hark posted:

I'm not now and have never been on LastPass, but what's the deal with it? Is it just really unsecure or something? I've never seen it mentioned anywhere but here.

It was the password manager For The Rest Of Us for a decade or so but they were extremely bad with security issues for a while and eventually about a year ago it hit a critical mass of "yeah, They probably have your vault and they probably can decrypt it if they care to" and I had to spend most of my free time for like a week migrating to 1Password

Kazinsal
Dec 13, 2011


Takes No Damage posted:

This was the writeup that scared me away from LP forever:
https://infosec.exchange/@epixoip/109585049354200263

LastPass truly is the Brave Browser of password management tools, christ.

Mustache Ride
Sep 11, 2001



Thanks Ants posted:

Hopefully I'm not stealing your thunder by posting this because I was waiting for the talk to go live, and now it is

https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains

This talk was fantastic, can't believe the train manufacturer hosed up this much

evil_bunnY
Apr 2, 2003

Mustache Ride posted:

This talk was fantastic, can't believe the train manufacturer hosed up this much

gently caress up is a very generous interpretation isn’t it? It was deliberate malfeasance in a whole bunch of places.

SlowBloke
Aug 14, 2017

Mustache Ride posted:

This talk was fantastic, can't believe the train manufacturer hosed up this much

They actually were rather clever but didn't obfuscate the code hard enough to escape scrutiny. Any office software anti copy protection I've met beside microsoft or adobe is far more crude.
I will wait for that English report, some of the PLC code explanation made me scratch my head (I worked with PLC kit but the way they explained how that specific model operated code-wise was a bit too chaotic for me) and I want to understand it more.

Happiness Commando
Feb 1, 2002
$$ joy at gunpoint $$

Kazinsal posted:

LastPass truly is the Brave Browser of password management tools, christ.

Wait what's wrong with Brave?

Sickening
Jul 16, 2007

Black summer was the best summer.

Happiness Commando posted:

Wait what's wrong with Brave?

There are still people who put confidence in brave?

3des these nuts
Nov 10, 2023
attention tokens, in my browser? it's more likely than you think

Raymond T. Racing
Jun 11, 2019

Also the whole “being forced out of Mozilla for sexpest” thing

Sickening
Jul 16, 2007

Black summer was the best summer.
Installing brave browser on your work computer puts you on a watchlist in my org.

The Fool
Oct 16, 2003


I can't even have firefox on my work computer and you have people installing brave

Wiggly Wayne DDS
Sep 11, 2010



there's no end to the stupidity in people thinking they're good at security while installing poo poo then advocating it to others

Mustache Ride
Sep 11, 2001



evil_bunnY posted:

gently caress up is a very generous interpretation isn’t it? It was deliberate malfeasance in a whole bunch of places.

I was thinking more from a forensic/legal perspective. The fact that they didn't disclose these features in the documentation to certifiers and then put checks in to stop government approved maintenance with multiple federal train operators in multiple countries...

Yeah they're hosed

Thanks Ants
May 21, 2004

#essereFerrari


The geofencing and the built-in timer that they coded the dates wrong on to disable the train between certain dates should be enough of a slam dunk that they’d do everything possible to avoid going before a judge.

I wonder how many other Polish rail operators have had issues with the same manufacturer and are waiting to sue them.

Famethrowa
Oct 5, 2012

Raymond T. Racing posted:

Also the whole “being forced out of Mozilla for sexpest” thing

lol wait really? that's, uh, well actually not that surprising exactly considering the nfts

Sickening
Jul 16, 2007

Black summer was the best summer.

The Fool posted:

I can't even have firefox on my work computer and you have people installing brave

I was more of making a joke as only a small part of the org right now has the ability to install software. I remember my CISO specifically wanting a list of people with brave because they were automatically suspect before the wild west times ended.

Magnetic North
Dec 15, 2008

Beware the Forest's Mushrooms

Thanks Ants posted:

Hopefully I'm not stealing your thunder by posting this because I was waiting for the talk to go live, and now it is

https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains

This was a great watch. Thank you.

Raymond T. Racing
Jun 11, 2019

Famethrowa posted:

lol wait really? that's, uh, well actually not that surprising exactly considering the nfts

oh first it was just views on same sex marriage that got him kicked out at Mozilla, then he was covid truthing in 2020

Hed
Mar 31, 2004

Fun Shoe
About to pilot Yubikeys. Anyone have any tips or things they wished they'd known?

All Windows/iOS devices using Azure AD/Entra ID. Issuing nanos to keep in the machine and a Security Key C NFC (FIDO2 only). Doesn't look like we can enforce any PIN complexity even on the self-service add to Entra.

Thanks Ants
May 21, 2004

#essereFerrari


Give everybody two keys, one to keep at home, so they can still self-service when they lose one. Unless your deployment is aiming to run them alongside a phone app.

If you have a 24x7 helpdesk and can verify that people calling in are who they claim to be and issue access passes or whatever then you don't need to lean so heavily on self service.

Achmed Jones
Oct 16, 2004



give everyone, at the minimum, one nano-style key for every corp-issued workstation, and one keychain-style one. do not lean on making people plug crap in every time they log in - instead they should just be giving up one usb slot at all times to a permanently-plugged-in nano-style key

if "always have something plugged in to a usb port" is a problem, well, you see how that's a problem even if you're expecting people to fumble with their keys every time they log in

getting a new (unenrolled) key should be absolutely trivial

Hed
Mar 31, 2004

Fun Shoe

Achmed Jones posted:

give everyone, at the minimum, one nano-style key for every corp-issued workstation, and one keychain-style one. do not lean on making people plug crap in every time they log in - instead they should just be giving up one usb slot at all times to a permanently-plugged-in nano-style key

if "always have something plugged in to a usb port" is a problem, well, you see how that's a problem even if you're expecting people to fumble with their keys every time they log in

getting a new (unenrolled) key should be absolutely trivial

Thanks, we are going to do a nano for every machine and a keychain for home for everyone. Definitely want to make it as slick as possible.

I will make sure the new key thing should be trivial--are you saying no scrutiny whatsoever if someone loses like 5 of em? Just trying to figure out what the bad incentive is (other than having to use access passes).

Thanks Ants posted:

Give everybody two keys, one to keep at home, so they can still self-service when they lose one. Unless your deployment is aiming to run them alongside a phone app.

If you have a 24x7 helpdesk and can verify that people calling in are who they claim to be and issue access passes or whatever then you don't need to lean so heavily on self service.

Any tips on how to have our helpdesk verify people to hand out a Temporary Access Pass? We have an MSP and even now they don't really scrutinize folks who move to a new phone and need to re-set up Microsoft Authenticator (which will go away). They should have an idea to be better but I'd love to show them what high-functioning looks like. Can't really think of much other than pre-shared keys (distribution would be a problem) or verify calls some way, which is exactly why I disabled SMS/phone verification for MFA.

Silly Newbie
Jul 25, 2007
How do I?

Thanks Ants posted:

Give everybody two keys, one to keep at home, so they can still self-service when they lose one. Unless your deployment is aiming to run them alongside a phone app.

If you have a 24x7 helpdesk and can verify that people calling in are who they claim to be and issue access passes or whatever then you don't need to lean so heavily on self service.

This first bit, and charge people for a new one if they lose both.
Also, if you're on Entra and using some kind of MAM, let me know if you find a way to make them play nice with Android phones. I was so close to mandating these as the only MFA choice before I figured out that I'd be locking executives out of phone email.

Thanks Ants
May 21, 2004

#essereFerrari


Hed posted:

Any tips on how to have our helpdesk verify people to hand out a Temporary Access Pass? We have an MSP and even now they don't really scrutinize folks who move to a new phone and need to re-set up Microsoft Authenticator (which will go away). They should have an idea to be better but I'd love to show them what high-functioning looks like. Can't really think of much other than pre-shared keys (distribution would be a problem) or verify calls some way, which is exactly why I disabled SMS/phone verification for MFA.

Not really - if someone has lost both their tokens and access to their password reset methods then you probably want their line manager to be vouching for them before you hand over the keys to their account to whoever happens to be on the phone. You could do things like insist on a video call where someone holds up ID but then you're dealing with PII and it's an MSP so you don't really want that.

Are there third parties who handle this? Someone must work at a place big enough where ID verification is outsourced and they use ID photos that are stored on file to verify people, like how some banks work before letting you open an account.

Hed
Mar 31, 2004

Fun Shoe
Thanks everyone for the tips. Will let you know how it goes. I agree mandating managers have to vouch would be best.

Silly Newbie posted:

This first bit, and charge people for a new one if they lose both.
Also, if you're on Entra and using some kind of MAM, let me know if you find a way to make them play nice with Android phones. I was so close to mandating these as the only MFA choice before I figured out that I'd be locking executives out of phone email.

We're lucky to sidestep this because we pay for company phones and they're all iPhones and work decently well with InTune, at least for what we're doing.

Internet Explorer
Jun 1, 2005





I don't know if you mean charge their department or what, but I would not charge employees for lost/broken equipment. It depends on the state, but there's a good chance that doing that is against the law.

The cost is minor. It's a cost of doing business. Don't try to punish people by charging them money for work poo poo.

Thanks Ants
May 21, 2004

#essereFerrari


Agreed with the above, loss or destruction of company property is a management issue and not something for IT to start collecting money over. If someone making fistfuls of cash for the company gets through a laptop every 8 months because the amount of travelling it does either wears it out or presents more opportunities for it to be stolen, then that's just a cost of business.

Potato Salad
Oct 23, 2014

nobody cares


Internet Explorer posted:

I don't know if you mean charge their department or what, but I would not charge employees for lost/broken equipment. It depends on the state, but there's a good chance that doing that is against the law.

The cost is minor. It's a cost of doing business. Don't try to punish people by charging them money for work poo poo.

I am required by my state to report reckless losses that need to be repaid

I have only very rarely done so, only very rarely is it completely unavoidable that the loss/destruction was due to something that never should have been considered in the first place

disaster pastor
May 1, 2007


Internet Explorer posted:

I don't know if you mean charge their department or what, but I would not charge employees for lost/broken equipment. It depends on the state, but there's a good chance that doing that is against the law.

The cost is minor. It's a cost of doing business. Don't try to punish people by charging them money for work poo poo.

Yeah, the only time I can recall that anyone was ever even punished for it at my company was when they left their laptop on a train while logged into their account and on VPN using the train's wifi. Every other time was way more "poo poo happens" and the price the employee paid was "work sucked for a bit until they got their replacement."

Potato Salad
Oct 23, 2014

nobody cares


disaster pastor posted:

Yeah, the only time I can recall that anyone was ever even punished for it at my company was when they left their laptop on a train while logged into their account and on VPN using the train's wifi. Every other time was way more "poo poo happens" and the price the employee paid was "work sucked for a bit until they got their replacement."

i specifically haven't bashed an employee for something like this because we'd MUCH prefer to have the employee feel safe coming forward promptly to alert us of the loss and potential compromise

nobody really ever MEANS to forget equipment somewhere. You have to do something particularly wilfully dumb for me to sigh heavily, staple the loss's police report to documentation, and forward a notice to our business office

disaster pastor
May 1, 2007


Potato Salad posted:

i specifically haven't bashed an employee for something like this because we'd MUCH prefer to have the employee feel safe coming forward promptly to alert us of the loss and potential compromise

nobody really ever MEANS to forget equipment somewhere. You have to do something particularly wilfully dumb for me to sigh heavily, staple the loss's police report to documentation, and forward a notice to our business office

It was their third equipment loss and they didn't come forward at first, somebody got to it before the screen locked and kept trying to go to blocked websites, so the web filter team pinged their manager, who went and found them working on a desktop instead. So part of the bashing was absolutely "you've done this before and you know how it works, why didn't you tell me?"

In general, yes, I agree with you that the priority is that the company knows what happened, and that having an open and nondisciplinary process is the best way to ensure that.

Thanks Ants
May 21, 2004

#essereFerrari


The moment you start trying to cover your tracks is when things get infinitely worse


itsdereksmifz
Apr 30, 2019

Looking to learn more about GRC, and primarily the Governance portion. Anyone have any good reads/videos/etc?
