|
Oct posted: The real target seems to be the OTP code. The caller claimed to represent Wells Fargo for the sake of the social engineering narrative, but that doesn't mean they couldn't have been targeting another account altogether. Sounds like they found some historic personal information that was likely valid and pivoted from there.

The OTP came directly from (the real) Wells Fargo.

Thanks Ants posted: Possibly someone trying to do a SIM swap. If you'd strung them along until the SMS was sent that might have told you more.

I did, and received the SMS. I'm not sure how getting an OTP from a bank where I have no relationship would help a scammer perform a SIM swap though?
|
# ? Jan 18, 2024 21:15 |
|
The sms code might be required to open a new account. I'm not sure why they would use your phone number in that case. Maybe wf is checking that the phone number is in your name?
|
# ? Jan 18, 2024 21:23 |
|
how do you know it came from WF? isn’t that really easy to spoof?
|
# ? Jan 18, 2024 21:23 |
|
Subjunctive posted: how do you know it came from WF? isn’t that really easy to spoof?

Came from their SMS short code, said "Wells Fargo will NEVER call or text you for this code. DON'T share it.". But also why would a scammer send me a fake OTP that they created and then ask me to read it back to them? I guess I am leaning towards "scammers be dumb, yo" as the reasoning. I suppose it is possible they were also creating an interaction to record my voice so that they could impersonate me to do ????? I've got identity protection services up the wazoo so this whole situation is mostly just perplexing to me and not particularly concerning.
|
# ? Jan 18, 2024 21:27 |
|
Sirotan posted: The OTP came directly from (the real) Wells Fargo.

My bad, I thought they were just calling you, claiming to be Wells Fargo and the OTP was unrelated. In that case my guess is they are trying to open an account in your name and Wells Fargo require a mobile phone number, handing that over would have made it harder to argue it wasn't you opening the account since it's your real phone number.
|
# ? Jan 18, 2024 21:46 |
|
I wonder if any of the phone companies are providing identity verification services to banks. i.e. if you use this phone number, we can verify it belongs to x person. That's the only other thing I can think of.
|
# ? Jan 18, 2024 21:46 |
|
Mustache Ride posted: Yeah this has worried a few of our customers.

The device has been remediated already according to those steps, and I had the IOCs from the Mandiant blog and it didn't look like the device was compromised. Thanks for the CSV though I hadn't seen those before, I'll run these against our firewall logs. Thanks again!
|
# ? Jan 19, 2024 06:12 |
|
The Fool posted:I like it when a bunch of people are in a conference room, join the room, then all join on their laptops
|
# ? Jan 22, 2024 09:45 |
|
you know that they can't
|
# ? Jan 22, 2024 16:32 |
|
Actual Teams Rooms (e.g. the things licensed as Teams Rooms and using the certified hardware) can do Bluetooth beaconing so people's laptops know they're joining the meeting from the room they're already in. Seems to work alright.
|
# ? Jan 22, 2024 16:33 |
|
at a previous company we had an internal mobile app that looked at your calendar for the phone room you were booked for and the call you were going to join, and connected it all at the push of a button so you didn’t have to dick around with the embedded-device UI

was very civilized!
|
# ? Jan 22, 2024 16:57 |
|
It's impressive how good meeting room tech has got when everyone wants nothing more than to never set foot in an office again lol.
|
# ? Jan 23, 2024 18:11 |
|
ChubbyThePhat posted: It's impressive how good meeting room tech has got when everyone wants nothing more than to never set foot in an office again lol.

It does help that zoom/teams conferencing stations are relatively simple to set up compared to ye olde h323 kit. We can roll a new room in an hour tops compared to days for h323.
|
# ? Jan 23, 2024 18:35 |
|
It is a bit unfortunate that we have lost the standards-based interop that came with H.323 as part of that move (yes OK, it was more theoretical than something that actually happened I will accept). It should be possible for a Teams Room to call up webexroom@company.com and for those two systems to negotiate a common set of codecs, but there's no money in these companies doing that.
Thanks Ants fucked around with this message at 19:18 on Jan 23, 2024 |
# ? Jan 23, 2024 19:15 |
|
We pay Pexip kind of a lot of money to provide that kind of interoperability for us. Most of our conference rooms now can do one touch join for Teams, Zoom, WebEx, and a few others. It's been a long, expensive journey to get here though.
|
# ? Jan 23, 2024 23:01 |
|
MustardFacial posted: The device has been remediated already according to those steps, and I had the IOCs from the Mandiant blog and it didn't look like the device was compromised. Thanks for the CSV though I hadn't seen those before, I'll run these against our firewall logs.

Oh hey that Ivanti fix doesn’t actually work: https://www.bleepingcomputer.com/news/security/ivanti-vpn-appliances-vulnerable-if-pushing-configs-after-mitigation/

We’ve given up and are actively moving customers off Ivanti, lol.
|
# ? Jan 24, 2024 14:25 |
|
Thanks Ants posted: It is a bit unfortunate that we have lost the standards-based interop that came with H.323 as part of that move (yes OK, it was more theoretical than something that actually happened I will accept). It should be possible for a Teams Room to call up webexroom@company.com and for those two systems to negotiate a common set of codecs, but there's no money in these companies doing that.

Any MTR kit can receive a webex, zoom or bluejeans invite and get into the call natively without any interop requirement. https://learn.microsoft.com/en-us/microsoftteams/rooms/third-party-join
|
# ? Jan 24, 2024 22:42 |
|
Mustache Ride posted: Oh hey that Ivanti fix doesn’t actually work: https://www.bleepingcomputer.com/news/security/ivanti-vpn-appliances-vulnerable-if-pushing-configs-after-mitigation/

Yes, I saw this. After my initial IR, it has been taken out of my hands and the higher ups have it now. We'll see what they choose to do.
|
# ? Jan 29, 2024 22:33 |
|
Thanks Ants posted: You could consider packaging something up that you deploy that runs the customisation with the CLI config tool https://developers.yubico.com/yubikey-manager/

I'll ask our MSP to look into how to do this. Apparently the Yubikey Manager has to be run elevated now because the Windows APIs around configuration are protected. My backup option is to just put a Raspberry Pi with a udev rule on it to disable the fast-OTP and post it in a common area of our offices.
|
# ? Jan 30, 2024 00:06 |
|
lol new Ivanti zero day just dropped. https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US Maybe just migrate to another VPN appliance at this point.
|
# ? Jan 31, 2024 19:02 |
|
Man they're really having a hell of a time over there aren't they?
|
# ? Jan 31, 2024 19:04 |
|
What is that, the 4th? 5th? this month?
|
# ? Jan 31, 2024 19:21 |
|
Just change the name again instead of fixing it
|
# ? Jan 31, 2024 23:06 |
|
If anyone wasn't already sold by the thread title... https://www.youtube.com/watch?v=7h7QG7W14qs
|
# ? Feb 1, 2024 06:56 |
|
After your 4th critical CVE you should legally have to put sarcasm air quotes around the word "secure" if your affected product name includes it.
|
# ? Feb 1, 2024 16:25 |
|
some kinda jackal posted: After your 4th critical CVE you should legally have to put sarcasm air quotes around the word "secure" if your affected product name includes it.

Congrats you made my department laugh.
|
# ? Feb 1, 2024 17:55 |
|
Defenestrategy posted: Congrats you made my department laugh.

literally the most value i've provided to a team in years
|
# ? Feb 1, 2024 19:43 |
|
just sent a quick note to our security folks thanking them for not selecting Ivanti
|
# ? Feb 2, 2024 00:23 |
|
Okta continues to pay off. https://blog.cloudflare.com/thanksgiving-2023-security-incident

quote: We’ve written about this before but, in summary, we were (for the second time) the victim of a compromise of Okta’s systems which resulted in a threat actor gaining access to a set of credentials. These credentials were meant to all be rotated.
|
# ? Feb 2, 2024 02:42 |
|
That's remarkably frank language.
|
# ? Feb 2, 2024 05:50 |
|
Implies they’re rotating them by having a person click a button and someone didn’t do it
|
# ? Feb 2, 2024 09:40 |
|
Thanks Ants posted: Implies they’re rotating them by having a person click a button and someone didn’t do it

This is exactly how I read that.
|
# ? Feb 2, 2024 17:57 |
|
Okta got hacked over and over and their response has apparently been to rectify their stock price with layoffs. Let’s see how that works out trying to secure extremely valuable data for like half of corporate america with 10% less help.
|
# ? Feb 6, 2024 18:48 |
|
Layoffs bad obviously, but if they're laying off like sales and marketing folks I don't think it moves the needle on their relative security posture.
|
# ? Feb 6, 2024 19:15 |
Sales are revenue while ops are not
|
|
# ? Feb 6, 2024 19:35 |
|
Submarine Sandpaper posted: Sales are revenue while ops are not

Sales are not only revenue and thus why sales has been a major part of these layoffs.
|
# ? Feb 6, 2024 20:47 |
Sickening posted: Sales are not only revenue and thus why sales has been a major part of these layoffs.

Yeah that perception is not as hard set as it used to be. Especially as more stuff goes electronic (or at least it should be), inside sales gets way smaller.
|
|
# ? Feb 6, 2024 20:58 |
|
It's going to be so funny if they manage to lay off the one guy that was the insider threat entirely by accident.
|
# ? Feb 6, 2024 21:06 |
|
https://getpocket.com/explore/item/the-u-s-economy-is-booming-so-why-are-tech-companies-laying-off-workers

TL;DR they want to squeeze the employees they've already got for as much as they can.
|
# ? Feb 7, 2024 16:12 |
|
Volt Typhoon advisory. TLDR: Phishing-resistant MFA for everything. https://twitter.com/cisajen/status/1755299381316645041?s=46
|
# ? Feb 7, 2024 22:37 |