Eargesplitten
Oct 10, 2010



Sickening posted:

It's really not a good idea to rock the boat right away. Even something as dumb as that. Humans are just weird and it's usually always better to write it down and revisit it in the near future.

You might be right. I've been sitting on it for a month or so now, I started two months ago. This is just my first one on one with the director, who started about a month before I did. I completely forgot we had hired an infosec VP. Hopefully it's not too bad, my manager is actually out of the country on vacation right now.

I mean, I'm currently looking for other jobs, but the point of doing this (aside from the risk of tens of thousands of people having their identities stolen) was to make myself look good in case I don't find anything else by the time I'm here long enough to transfer to a different position, so hopefully that doesn't come back to bite me.


Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


caption this https://zippy.gfycat.com/RawDarkIchthyosaurs.webm

CLAM DOWN
Feb 13, 2007





Cisco network security

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

15 million SSN identities leaked. "No way we could have foreseen this" says CTO.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Industry Standard Best Practices

Powered Descent
Jul 13, 2008

We haven't had that spirit here since 1969.

Volmarias posted:

Industry Standard Best Practices

"Best practices" would also involve the very best padlock money can buy, welded closed for "better security", rattling around loose in one of the drawers, not locked to anything. (You will fail the PCI audit if you misplace it.)

Cup Runneth Over
Aug 8, 2009



Just pretend the tape measure inside is a padlock.

I'm gonna go with "Side-channel Attack" as my caption.

AlternateAccount
Apr 25, 2005
FYGM

"But we passed our audit!"

EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!
:vapes:
Switchblade Switcharoo
well, just had a minor heart attack. someone wrote they were going to upgrade from Struts 1.17 to 1.19

just found out it was supposed to be Structs.

Good good. I dislike opening nightmare library memories from the part of my brain that I've halfway killed with whiskey.

Kerning Chameleon
Apr 8, 2015

A bold plan to solve data breaches forever: just doxx everyone's SSN in five years and assume a solution will materialize out of thin air before then. :downs:

quote:

Unfortunately, implementing strong authentication is difficult and expensive, and there's no incentive for credit reporting agencies, financial institutions or other bureaucracies to invest in the technology required to replace our current use of SSNs. Without a burning platform, nothing will change. But Congress can light the necessary fire by directing the publication of all SSNs in five years.

This is a drastic, but necessary, measure. Mandating the future publication of SSNs creates a digital time bomb that will force a fix to a fundamentally flawed system. While setting a time bomb may seem irresponsible, remember that the millions of SSNs already in the hands of hackers constitute millions of individual time bombs, waiting to throw off their shrapnel of identity theft. One of those bombs might have your name and Social Security number written on it. Let's disarm them.

Farmer Crack-Ass
Jan 2, 2001

this is me posting irl
What would be the consequences of making it impossible to protect against identity theft?

I mean would that basically be economic armageddon?

Potato Salad
Oct 23, 2014

nobody cares


Farmer Crack-Ass posted:

What would be the consequences of making it impossible to protect against identity theft?

I mean would that basically be economic armageddon?

It's already silly to think that SSNs protect us from identity theft.


I'm having difficulty seeing what our attack submarine fleet has to do with information security.

Jabor
Jul 16, 2010

#1 Loser at SpaceChem
Ideally the consequences are "getting someone's SSN is no longer sufficient to commit identity theft".

apseudonym
Feb 25, 2011

Perhaps we could move away from a world where we treat it as theft and treat it as a fuckup by whoever let the person open accounts in your name?

Kerning Chameleon
Apr 8, 2015


apseudonym posted:

Perhaps we could move away from a world where we treat it as theft and treat it as a fuckup by whoever let the person open accounts in your name?

I was more making fun of the fact the author just assumed someone would come up with a solution before the doxx deadline, instead of just piss around and do nothing or postpone it at the last second like what would actually happen.

Methylethylaldehyde
Oct 23, 2004


Kerning Chameleon posted:

I was more making fun of the fact the author just assumed someone would come up with a solution before the doxx deadline, instead of just piss around and do nothing or postpone it at the last second like what would actually happen.

People have been kicking around ways to securely validate that person X is at least the person who they claim to be, or at least the person who stole the magic token. My favorite one is more or less as follows.

Your SSN now comes on a 3*5" index card, on the front is name, DOB and SSN, on the back is a grid that has day of the month (1-31) on the Y axis, and the month on the X axis. Everyone basically gets a hopefully non-PRNG generated one time pad on the back of their social security card. If you wanna sign up for that Best Buy Rewards card, you'll need to have the code for whatever day the paperwork was signed on. Designing a backend processing system that allows a credit agency to validate an SSN/code pair would be pretty easy to do, and doing it in such a way that the core code databases are airgapped and only respond with yes/no to a specially crafted request code transmitted via a bridge system running provably correct code running on a little FPGA board wouldn't be a ton harder.

If someone stole your ID via the lender being compromised, at worst they can sign up for shit on the single day they have the code for. If the processing facility is compromised, they still only get the codes that were sent for validation, which would mean a few codes per person, max. If the backend DB is compromised, via evil maids or theft, shit's fucked regardless.

It'll never happen, and the doxx deadline would get pushed back a dozen times just like the digital TV requirement was.

Farmer Crack-Ass
Jan 2, 2001


Potato Salad posted:

It's already silly to think that SSNs protect us from identity theft.


I'm having difficulty seeing what our attack submarine fleet has to do with information security.

Well, we've been using subs to tap undersea cables for decades... :v:


Really what I'm more thinking of is the Equifax breach, or something else on that scale. Suppose someone with that data (or an equivalent, or even bigger batch of data) decided they just wanted to watch the world burn, and posted it to numerous places on the internet, such that it would be impossible to take them all down at once before everyone had the opportunity to grab a copy. How big an impact would that have?

Kerning Chameleon
Apr 8, 2015


Farmer Crack-Ass posted:

Well, we've been using subs to tap undersea cables for decades... :v:


Really what I'm more thinking of is the Equifax breach, or something else on that scale. Suppose someone with that data (or an equivalent, or even bigger batch of data) decided they just wanted to watch the world burn, and posted it to numerous places on the internet, such that it would be impossible to take them all down at once before everyone had the opportunity to grab a copy. How big an impact would that have?

Equifax will offer everyone one free year of credit monitoring, and direct everyone to "credit lock" their history. If they insist on freezing, it will be through an account that doesn't need the freeze PIN that can be recovered without an email with just a birthday and last four SSN digits.

Yes, that's exactly what happened last time. :thejoke:

EssOEss
Oct 23, 2006
128-bit approved
And thanks to the "by accepting the free monitoring you agree this was totally not our fault" clause, this business model can last for a good while!

PBS
Sep 21, 2015
Anyone watch the big 3's testimony to congress a few months ago?

Volmarias
Dec 31, 2002


PBS posted:

Anyone watch the big 3's testimony to congress a few months ago?

No, because it's all Kabuki at best or more commonly outright, justified disdain for the people asking the questions.

poisonpill
Nov 8, 2009

The only way to get huge fast is to insult a passing witch and hope she curses you with Beast-strength.


Methylethylaldehyde posted:

People have been kicking around ways to securely validate that person X is at least the person who they claim to be, or at least the person who stole the magic token. My favorite one is more or less as follows....

Can you post a link, or explain how this card would supposedly function? I don’t understand.

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano

poisonpill posted:

Can you post a link, or explain how this card would supposedly function? I don’t understand.

Not sure which part of the plan you're struggling to understa-

Methylethylaldehyde posted:

3*5" index card,
day of the month (1-31) on the Y axis,


Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Rufus Ping posted:

Not sure which part of the plan you're struggling to understa-



We'd have magnifying glasses on our keychains or we just break the glasses of thieves.

Bald Stalin
Jul 11, 2004
A vendor we are going to transfer data with via SFTP has a problem with their self-service SFTP password generation tool. So we engaged their support. After a while of them going nowhere fast they set a password themselves and put it into some third party free online 'one time encrypted link' service. It's free, they don't have a contractual agreement with this third party. Is this fine because the free third party service claims to store everything securely without them knowing what it is being stored before it's accessed once then deleted? Or is this problematic because it could all be bs?

PBS
Sep 21, 2015

Ranter posted:

A vendor we are going to transfer data with via SFTP has a problem with their self-service SFTP password generation tool. So we engaged their support. After a while of them going nowhere fast they set a password themselves and put it into some third party free online 'one time encrypted link' service. It's free, they don't have a contractual agreement with this third party. Is this fine because the free third party service claims to store everything securely without them knowing what it is being stored before it's accessed once then deleted? Or is this problematic because it could all be bs?

Depends on your risk tolerance and the reputation of the site. At some point we all blindly put a little trust into third parties.

Can you use that password to set a new one?

PBS fucked around with this message at 05:00 on Jun 8, 2019

Docjowles
Apr 9, 2009

You already know the answer. Do not trust rando third parties you've never heard of to proxy passwords to you.

This post also reminded me that I am on like week infinity of handling the conversation "we need access to an SFTP site to drop weekly reports to you" "ok send me a public key and we will configure it immediately" *days pass* "is our account ready yet?" "you did not send us a key so nope, please do that and we will set it up right away, here is an easy to follow tutorial, does that help?" *repeat until heat death of the universe*

Cup Runneth Over
Aug 8, 2009



Ranter posted:

A vendor we are going to transfer data with via SFTP has a problem with their self-service SFTP password generation tool. So we engaged their support. After a while of them going nowhere fast they set a password themselves and put it into some third party free online 'one time encrypted link' service. It's free, they don't have a contractual agreement with this third party. Is this fine because the free third party service claims to store everything securely without them knowing what it is being stored before it's accessed once then deleted? Or is this problematic because it could all be bs?

If the data you are transferring is at all important in any way, sever your ties with this vendor.

Bald Stalin
Jul 11, 2004
They're our Purchase Ordering system. We were going to automate user provision/deprovision. So it's user metadata like names email department job title manager, not actual financials, but still... It was L1 support deciding to put the password into this 3rd party service not an engineer. We can't reset it ourselves. I asked them to reset it and send to me via some other method but who the fuck knows how the password is getting regenerated and passed around their systems.

Absurd Alhazred
Mar 27, 2010

by Athanatos

Ranter posted:

They're our Purchase Ordering system. We were going to automate user provision/deprovision. So it's user metadata like names email department job title manager, not actual financials, but still...

Sounds like a great way to glean phishing material, if nothing else.

EVIL Gibson
Mar 23, 2001


Ranter posted:

A vendor we are going to transfer data with via SFTP has a problem with their self-service SFTP password generation tool. So we engaged their support. After a while of them going nowhere fast they set a password themselves and put it into some third party free online 'one time encrypted link' service. It's free, they don't have a contractual agreement with this third party. Is this fine because the free third party service claims to store everything securely without them knowing what it is being stored before it's accessed once then deleted? Or is this problematic because it could all be bs?

From your quote it looks like it's https://onetimesecret.com/ or something similar.

It looks like this secret I made is gone but who really knows. Secret site knows what both companies probably are from IP logs (one created secret and possibly also done on same box that will have sftp port open while one that looked at secret is the pusher and should have no listen ports open)

I would not advise putting the legit password to sftp in the site. At the very least, a temporary password would be encrypted in a 7zip file in a txt file, sent to you using confirmed email, opened, used, and then immediately set the password to something else agreed upon.

I would recommend something like a pub/priv key exchange between the two (make that as complicated as you want) along with password exchange encrypted using the third party's priv key and yadda yadda yadda

This is assuming the data transfer has high risk and would do significant damage if it is leaked.
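The advice in the replies above (Docjowles: send us a public key; EVIL Gibson: do a pub/priv key exchange) skips two steps a practitioner actually has to do: confirm the key you received really is the vendor's, and make sure that key can do nothing but SFTP. The following is an added example, my own code rather than anything from the thread or from onetimesecret.com. It parses an OpenSSH public key line, computes the same SHA256 fingerprint `ssh-keygen -lf` prints so it can be compared with one read back over the phone, and writes an `authorized_keys` entry scoped with `restrict` (OpenSSH 7.2+), a `from=` source range and `command="internal-sftp"`. The key is a constructed placeholder of 32 sequential bytes, and the vendor range 203.0.113.0/24 is an assumed value from the documentation prefix, not anything the posters stated.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """One length-prefixed field of the OpenSSH public key wire format."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_line(raw32: bytes, comment: str) -> str:
    """Build an 'ssh-ed25519 AAAA... comment' line from 32 raw key bytes.
    Used here only to construct sample input; real keys come from ssh-keygen."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed placeholder (32 sequential bytes), not anyone's real key.
SAMPLE_LINE = make_ed25519_line(bytes(range(32)), "vendor-sftp")
VENDOR_RANGE = "203.0.113.0/24"   # assumed vendor egress range (documentation prefix)


def parse_openssh_pubkey(line: str) -> tuple:
    """Return (key_type, raw_key_bytes, comment) from an OpenSSH public key line.

    Refuses a blob whose embedded type disagrees with the declared one, the
    kind of damage a key picks up being pasted through a few mail clients.
    """
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    declared = blob[4:4 + type_len].decode()
    if declared != key_type:
        raise ValueError(f"blob says {declared!r} but line says {key_type!r}")
    body = blob[4 + type_len:]
    (key_len,) = struct.unpack(">I", body[:4])
    raw = body[4:4 + key_len]
    if key_type == "ssh-ed25519" and len(raw) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    return key_type, raw, comment


def sha256_fingerprint(line: str) -> str:
    """Same value `ssh-keygen -lf` prints: 'SHA256:' plus the unpadded base64
    of SHA-256 over the key blob. The comment is not part of it."""
    parse_openssh_pubkey(line)                       # reject malformed input first
    blob = base64.b64decode(line.split(None, 2)[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_matches(line: str, read_back: str) -> bool:
    """Compare against the fingerprint read over a second channel (phone,
    existing ticket), tolerating a dropped prefix or stray spaces."""
    def norm(s: str) -> str:
        return s.replace("SHA256:", "").replace(" ", "").strip()
    return hmac.compare_digest(norm(sha256_fingerprint(line)), norm(read_back))


def restricted_authorized_key(line: str, source_cidr: str) -> str:
    """authorized_keys entry that lets this key do SFTP only, only from the
    vendor's range: `restrict` disables pty, forwarding and agent use."""
    key_type, _, comment = parse_openssh_pubkey(line)
    b64 = line.split(None, 2)[1]
    options = f'restrict,from="{source_cidr}",command="internal-sftp"'
    return f"{options} {key_type} {b64} {comment}".rstrip()


if __name__ == "__main__":
    print(sha256_fingerprint(SAMPLE_LINE))
    print(restricted_authorized_key(SAMPLE_LINE, VENDOR_RANGE))
```

Workflow this supports: the vendor sends the public key by whatever channel they like, you run `sha256_fingerprint` on it, they read theirs from `ssh-keygen -lf` on a call, and only on a match does the restricted entry go into the SFTP account's `authorized_keys`. If you would rather keep the SFTP-only forcing in `sshd_config`, a `Match User` block with `ForceCommand internal-sftp` and `ChrootDirectory` does the same job as the `command=` option here.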

Methylethylaldehyde
Oct 23, 2004


Rufus Ping posted:

Not sure which part of the plan you're struggling to understa-




The card has the months across the 3" part, and the days on the 5" part, so it's basically size 12 font across the whole thing. I'll see if I can dig up the whitepaper I found on it a while back. Sorry if that was unclear, 5x3 index card sounds weird to my American brain.

poisonpill posted:

Can you post a link, or explain how this card would supposedly function? I don’t understand.

The card gives you 365 unique 4 digit passwords, each of which is only good for the one day it's paired with. If you wanna get a credit card or whatever, you include the July 17th code (5202) that corresponds to the day you signed the paperwork. The code, SSN, and name/DOB/location details are sent to a secure site (credit agency), and the SSN/code pair is further authenticated (via some API talking to the social security office or whatever) to guarantee that either you're the guy you're supposed to be, or you managed to scam a picture of the back of the card in addition to stealing their identity. It makes casual tax office identity theft substantially harder, because without that card you can't validate your ID for a job or credit application. They can always call you back and say "we need the code from Sept 13th (7504) as well to verify that you're you", and that still wouldn't appreciably reduce the useful entropy of the card.

It adds a non-digital 2 factor authentication code that's extremely robust vis a vis random 0 day exploits harvesting turbotax returns, and contains enough depth to avoid most attacks on things like the CCV on a CC or whatever. And any old person or non-tech-having luddite can read a number off a laminated index card, vs. a 2 factor app or whatever. Plus if they're generated properly from non-PRNG sources like radioisotope decay, they're basically one-time pads with all the inherent benefits they have.

Methylethylaldehyde fucked around with this message at 08:18 on Jun 8, 2019

mllaneza
Apr 28, 2007

Veteran, Bermuda Triangle Expeditionary Force, 1993-1952




Maneki Neko posted:

I've seen some rumblings of proof of concept vulnerabilities out there for the big ol' RDP bug that was patched recently, anyone seen anything public?

https://github.com/zerosum0x0/CVE-2019-0708

My group just spent about three weeks going building by building, floor by floor, lab by lab. First I patched several hundred machines remotely. Then got allocated resources and deadlines based on the 1900 odd machines we knew would be vulnerable to this. Then we hit the labs and started discovering machines we hadn't known about. Then the list grew to 3200+ systems and management started wondering why we weren't done yet.

We have enough machines that are still on the network but we have no idea of their physical location that we might actually be able to sell using the exploit with the patch as payload. That involves level of approval not located on this continent, so we'll probably have to start banning MAC addresses and waiting to see who screams.

Ranter posted:

Apparently Google is being sued due to the 'someone has signed into your account' false positive that triggered thousands of people-hours in various company security teams? Apparently Roche freaked the fuck out, and they're huge.

That explains a couple of things I wasn't paying attention to due to BlueKeep remediation.

mllaneza fucked around with this message at 09:18 on Jun 8, 2019

Wiggly Wayne DDS
Sep 11, 2010



Methylethylaldehyde posted:



The card has the months across the 3" part, and the days on the 5" part, so it's basically size 12 font across the whole thing. I'll see if I can dig up the whitepaper I found on it a while back. Sorry if that was unclear, 5x3 index card sounds weird to my American brain.


The card gives you 365 unique 4 digit passwords, each of which is only good for the one day it's paired with. If you wanna get a credit card or whatever, you include the July 17th code (5202) that corresponds to the day you signed the paperwork. The code, SSN, and name/DOB/location details are sent to a secure site (credit agency), and the SSN/code pair is further authenticated (via some API talking to the social security office or whatever) to guarantee that either you're the guy you're supposed to be, or you managed to scam a picture of the back of the card in addition to stealing their identity. It makes casual tax office identity theft substantially harder, because without that card you can't validate your ID for a job or credit application. They can always call you back and say "we need the code from Sept 13th (7504) as well to verify that you're you", and that still wouldn't appreciably reduce the useful entropy of the card.

It adds a non-digital 2 factor authentication code that's extremely robust vis a vis random 0 day exploits harvesting turbotax returns, and contains enough depth to avoid most attacks on things like the CCV on a CC or whatever. And any old person or non-tech-having luddite can read a number off a laminated index card, vs. a 2 factor app or whatever. Plus if they're generated properly from non-PRNG sources like radioisotope decay, they're basically one-time pads with all the inherent benefits they have.

you know companies tend to just have a card generate those codes rather than a lookup table that'll make the general populace cry
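Methylethylaldehyde's card (a date-indexed table of 4-digit codes, validated yes/no by an air-gapped back end) and Wiggly Wayne DDS's point that real products derive the codes instead of printing a table, worked through as an added example. This is my own code, not either poster's and not the whitepaper Methylethylaldehyde mentions. Assumptions beyond what the posts say: codes come from the OS CSPRNG via `secrets` standing in for the radioisotope source, the generated-card variant is HMAC-SHA256 over the date truncated to 4 digits, the verifier locks a (SSN, day) pair after three tries because 10,000 possible codes is nothing against unthrottled online guessing, and the SSN `123-45-6789` is a constructed sample.

```python
import datetime as dt
import hashlib
import hmac
import secrets
from collections import defaultdict

CODE_DIGITS = 4
CODE_SPACE = 10 ** CODE_DIGITS       # 4 digits: only 10,000 possibilities per day
MAX_ATTEMPTS_PER_DAY = 3             # so online guessing has to be throttled hard


def generate_card(year: int) -> dict:
    """Lookup-table card: one independent 4-digit code per calendar day.

    The post wants hardware randomness; secrets.randbelow (OS CSPRNG) stands in
    for it here, which is an assumption of this example, not the post's design.
    """
    card = {}
    day = dt.date(year, 1, 1)
    while day.year == year:
        card[day] = f"{secrets.randbelow(CODE_SPACE):0{CODE_DIGITS}d}"
        day += dt.timedelta(days=1)
    return card


def derived_code(card_key: bytes, day: dt.date) -> str:
    """Generated-card variant: HMAC(card_key, date) truncated to 4 digits, so the
    card stores one key and a clock instead of a 365-row table."""
    mac = hmac.new(card_key, day.isoformat().encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % CODE_SPACE:0{CODE_DIGITS}d}"


class Verifier:
    """The air-gapped back end: holds the issued cards, answers only yes/no,
    and remembers which (SSN, day) codes have ever been presented to it."""

    def __init__(self):
        self._cards = {}                         # ssn -> {date: code}
        self._attempts = defaultdict(int)        # (ssn, date) -> tries so far
        self._presented = defaultdict(set)       # ssn -> dates a code was sent for

    def issue(self, ssn: str, year: int) -> dict:
        card = generate_card(year)
        self._cards[ssn] = card
        return card                              # the paper copy the citizen gets

    def check(self, ssn: str, day: dt.date, code: str) -> bool:
        key = (ssn, day)
        if self._attempts[key] >= MAX_ATTEMPTS_PER_DAY:
            return False                         # that day's code is locked out
        self._attempts[key] += 1
        expected = self._cards.get(ssn, {}).get(day)
        if expected is None:
            return False
        self._presented[ssn].add(day)
        return hmac.compare_digest(expected, code)

    def exposed_days(self, ssn: str) -> set:
        """What a compromised processing facility could have captured: only the
        days whose codes were actually sent in for validation."""
        return set(self._presented[ssn])


def demo() -> dict:
    """Walk through the scenarios in the post and return the outcomes."""
    ssn = "123-45-6789"                          # constructed sample, not a real SSN
    v = Verifier()
    card = v.issue(ssn, 2019)
    signing_day = dt.date(2019, 7, 17)
    next_day = dt.date(2019, 7, 18)
    wrong = "0000" if card[next_day] != "0000" else "0001"
    leaked = card[signing_day]                   # what a compromised lender holds
    if leaked == card[next_day]:                 # 1-in-10,000 collision; keep demo deterministic
        leaked = wrong
    out = {
        "codes_on_card": len(card),
        "honest_signup": v.check(ssn, signing_day, card[signing_day]),
        "replayed_next_day": v.check(ssn, next_day, leaked),   # yesterday's code is useless
    }
    for _ in range(MAX_ATTEMPTS_PER_DAY - 1):    # burn the remaining tries for that day
        v.check(ssn, next_day, wrong)
    out["locked_after_guessing"] = v.check(ssn, next_day, card[next_day])
    out["exposed_days"] = sorted(d.isoformat() for d in v.exposed_days(ssn))
    key = secrets.token_bytes(32)
    out["derived_is_deterministic"] = derived_code(key, signing_day) == derived_code(key, signing_day)
    out["derived_len"] = len(derived_code(key, signing_day))
    return out


if __name__ == "__main__":
    print(demo())
```

The two properties the post argues for fall out directly: a code leaked from one lender only works on the day it was issued for, and the facility that forwards requests sees nothing but the handful of days actually presented. What the table does not buy you is resistance to someone photographing the whole card, and the 4-digit width means the lockout in `check` is doing real security work, not the code length.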

Docjowles
Apr 9, 2009

Dare I ask why you need to physically go log on to thousands of machines one by one in order to patch them?

RFC2324
Jun 7, 2012

http 418

Docjowles posted:

Dare I ask why you need to physically go log on to thousands of machines one by one in order to patch them?

Sounds to me like they have nothing in the form of management or documentation.

Bald Stalin
Jul 11, 2004
scientists and research assistants are notorious for buying lab instruments that come with rando win7 machines 'thrown in' on the $100,000+ equipment order and not telling IT. Then they use USB flash drives to transfer the data to their machine for analysis. Then they ask service desk for help 18 months later when the machine shits the bed and it's 'urgent'.

evil_bunnY
Apr 2, 2003

Ranter posted:

scientists and research assistants are notorious for buying lab instruments that come with rando win7 machines 'thrown in' on the $100,000+ equipment order and not telling IT. Then they use USB flash drives to transfer the data to their machine for analysis. Then they ask service desk for help 18 months later when the machine shits the bed and it's 'urgent'.

Get out of my head.


BangersInMyKnickers
Nov 3, 2004
