DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness

CommieGIR posted:

I was under the impression Government used CAC for everything and you'd have to remove it prior to leaving.

Shocked that isn't true.

Or they left their CAC when they jetted out. The photos I've seen didn't show the actual computer itself (likely below the desk somewhere), so it's possible it was left inserted to a CAC reader down there if they weren't using keyboard-mounted readers for whatever reason.

BaseballPCHiker
Jan 16, 2006

EDITED.

BaseballPCHiker fucked around with this message at 21:19 on Feb 2, 2022

EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!
:vapes:
Switchblade Switcharoo

CommieGIR posted:

I was under the impression Government used CAC for everything and you'd have to remove it prior to leaving.

Shocked that isn't true.

DoD is the only department that I've seen that has implemented this fully across the board. Everyone is assigned a CAC, including guards, janitors, and everyone that has reason to be in the building.

The DoD invested a lot into the CAC so they will of course use it*.

Courts**/Congress make up their own rules on security. Courts were especially bad because each Head Judge of each court made their own rules, no matter how dumb. Do they want their court website to still run IIS 6.0 ASP on Server 2003? They are allowed to. But they had to manage the patching and support for those systems if they did that. If there were too many findings over X years, then the US Courts in DC would step in.

To get them off their old systems, they were offered VMs that were autopatched and managed by DC Courts so if they got compromised they would not be held responsible.

* Worked for the contracting company that made the software to encode the CACs and visited the DoD building across the street.

**Worked for US Courts doing penetration testing. Returning reports with 40+ high/criticals was a normal thing.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

EVIL Gibson posted:

DoD is the only department that I've seen that has implemented this fully across the board. Everyone is assigned a CAC, including guards, janitors, and everyone that has reason to be in the building.

The DoD invested a lot into the CAC so they will of course use it*.

Courts**/Congress make up their own rules on security. Courts were especially bad because each Head Judge of each court made their own rules, no matter how dumb. Do they want their court website to still run IIS 6.0 ASP on Server 2003? They are allowed to. But they had to manage the patching and support for those systems if they did that. If there were too many findings over X years, then the US Courts in DC would step in.

To get them off their old systems, they were offered VMs that were autopatched and managed by DC Courts so if they got compromised they would not be held responsible.

* Worked for the contracting company that made the software to encode the CACs and visited the DoD building across the street.

**Worked for US Courts doing penetration testing. Returning reports with 40+ high/criticals was a normal thing.

Gotcha, I've never done Gov pen testing, only Banks.

Arsenic Lupin
Apr 12, 2012

This particularly rapid💨 unintelligible 😖patter💁 isn't generally heard🧏‍♂️, and if it is🤔, it doesn't matter💁.


Welp, they got a Democratic Senator's laptop. So many bad actors' hands that could wind up in.

F4rt5
May 20, 2006

DrDork posted:

.

But yeah, those IT teams are gonna be putting in a ton of overtime to re-image

Re-image? Nonononono. All computers, phones, networking gear, etc etc in the building must be regarded as potentially compromised and thus be discarded. You cannot rule out bad actors, and they had physical access, my dude.

DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness

F4rt5 posted:

Re-image? Nonononono. All computers, phones, networking gear, etc etc in the building must be regarded as potentially compromised and thus be discarded. You cannot rule out bad actors, and they had physical access, my dude.

You're mistaking the difference between what should be done for proper and correct security (toss and re-buy) vs what they will very likely do on the grounds of expediency and price (reimage and hope for the best for anything not directly connected to a classified network).

Even the government would struggle to just order up 5,000+ new computers from Dell and actually get delivery within the next 6 months right now. Supply chains are hosed. And poo poo's gotta get done in the meantime, soooo....yeah.

Guy Axlerod
Dec 29, 2008
Did any of them stumble into a SCIF?

Defenestrategy
Oct 24, 2010

DrDork posted:

You're mistaking the difference between what should be done for proper and correct security (toss and re-buy) vs what they will very likely do on the grounds of expediency and price (reimage and hope for the best for anything not directly connected to a classified network).

Even the government would struggle to just order up 5,000+ new computers from Dell and actually get delivery within the next 6 months right now. Supply chains are hosed. And poo poo's gotta get done in the meantime, soooo....yeah.

Out of curiosity, what is/would be the SOP for using refurbished computers from known vendors? I assume if you went and got a bunch of refurbished ThinkPads from IBM/Lenovo that it would be as "good" a source as a brand new laptop from IBM/Lenovo. I know that you probably shouldn't source refurbs from "bobs discount laptops", but from Dell/IBM directly should be fine, right?

DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness

Defenestrategy posted:

Out of curiosity, what is/would be the SOP for using refurbished computers from known vendors? I assume if you went and got a bunch of refurbished ThinkPads from IBM/Lenovo that it would be as "good" a source as a brand new laptop from IBM/Lenovo. I know that you probably shouldn't source refurbs from "bobs discount laptops", but from Dell/IBM directly should be fine, right?

In a secure / government application? Pretty simple, usually:

No.

That they come directly from Dell/Lenovo helps, but doesn't really fix the problem that there's no way to verify that someone didn't flash a BIOS or otherwise dick with things at a very low level before trading them in. The refurb shops generally aren't ever going to go into sufficient detail in their cleaning process to make government customers happy, because it's expensive to do so, most other customers don't care that much, and the government really really likes buying new stuff with long warranties anyhow (IIRC Dell's refurb warranty is only 100 days, unsure about Lenovo).

I mean, at a previous job contracting for a large government customer, we weren't allowed to use refurb / used cables for the above reason, despite it being pretty damned hard to slip something into what's effectively just a couple of threads of glass.

e; that said, Congress IT might just do whatever the gently caress here, since I doubt they had any real ready-made plans for how to forcibly replace every bit of tech gear in the entire Capitol all at once during a pandemic that's been loving up product availability for almost a year now and ain't resolving itself in the next few weeks. :iiam: and I am glad I am not part of it.

DrDork fucked around with this message at 00:42 on Jan 8, 2021

Potato Salad
Oct 23, 2014

nobody cares


CommieGIR posted:

I was under the impression Government used CAC for everything and you'd have to remove it prior to leaving.

Shocked that isn't true.

There isn't a regulatory vehicle to capture the Hill itself in all the security standards the DIB is subject to.

Defenestrategy
Oct 24, 2010

DrDork posted:

In a secure / government application? Pretty simple, usually:

No.

That they come directly from Dell/Lenovo helps, but doesn't really fix the problem that there's no way to verify that someone didn't flash a BIOS or otherwise dick with things at a very low level before trading them in. The refurb shops generally aren't ever going to go into sufficient detail in their cleaning process to make government customers happy, because it's expensive to do so, most other customers don't care that much, and the government really really likes buying new stuff with long warranties anyhow (IIRC Dell's refurb warranty is only 100 days, unsure about Lenovo).

So I suppose "from factory" laptops are certified not tampered with before being boxed and sent to whomever? I suppose you have to extend some level of trust to certain high-level manufacturers that they don't have an adversary on their manufacturing line screwing with stuff; otherwise you wouldn't be able to get anything done.

DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness

Defenestrategy posted:

So I suppose "from factory" laptops are certified not tampered with before being boxed and sent to whomever? I suppose you have to extend some level of trust to certain high-level manufacturers that they don't have an adversary on their manufacturing line screwing with stuff; otherwise you wouldn't be able to get anything done.

Yeah, you gotta trust someone at some point. Dell and such do get asked about their supply chain security, though, and "took this unit back from some rando off the street" is not gonna make auditors happy on that front.

But if you want to know why TSMC is trying to build a $12B fab in Arizona, it's because "built this chip on US soil" makes certain customers a lot happier than "built this in Taiwan and packaged it in China" does.

But again, maybe Congressional IT works with a different set of rules--I've never worked for them directly, and a lot of different segments of government seem to have different ideas about these things.

klosterdev
Oct 10, 2006

Na na na na na na na na Batman!
Congress is basically a company made up entirely of do-you-know-who-I-am CEOs; convincing them to consent to sacrifice some convenience for security is almost certainly a near-impossible task when making their life more difficult means the funding for your job dries up.

klosterdev
Oct 10, 2006

Na na na na na na na na Batman!
:chanpop: loving UP YOUR MFA MADE ME FAIL THE MILITARY THIS IS AFFECTING PRODUCTION

Diva Cupcake
Aug 15, 2005

Chris Krebs and Alex Stamos have been hired by SolarWinds to do crisis response.

https://twitter.com/GossiTheDog/status/1347344788471881730

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Friend recently got locked out of their Twitter account -- despite a complex password they changed regularly, and 2FA enabled, which makes it hard to believe they got phished. The hacker then proceeded to change the email, change the phone number, and deactivate the account. Any ideas on recovering it? Twitter's recovery process requires you to either have access to the account to change your password, or access to the email associated with the account-- which is now the hacker's.

DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness
Was your friend perhaps trying to incite violence against the American democratic process and recently got banned? :raise:

Sickening
Jul 16, 2007

Black summer was the best summer.

Cup Runneth Over posted:

Friend recently got locked out of their Twitter account -- despite a complex password they changed regularly, and 2FA enabled, which makes it hard to believe they got phished. The hacker then proceeded to change the email, change the phone number, and deactivate the account. Any ideas on recovering it? Twitter's recovery process requires you to either have access to the account to change your password, or access to the email associated with the account-- which is now the hacker's.

“Friend” eh? Either some information you got was not factual or their SIM was cloned. There is a small chance of social engineering there at Twitter, but I haven’t heard of them having a place to call.

Sickening fucked around with this message at 01:58 on Jan 9, 2021

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


DrDork posted:

Was your friend perhaps trying to incite violence against the American democratic process and recently got banned? :raise:

Not a chance. Someone logged into their account and started posting people's addresses and slurs and poo poo, then deleted.

Sickening posted:

“Friend” eh? Either some information you got was not factual or their SIM was cloned. There is a small chance of social engineering there at Twitter, but I haven’t heard of them having a place to call.

For real this time, friend. I didn't even have 2FA enabled on Twitter; I corrected that today, though apparently it wouldn't make a difference.

Sim cloning them seems like a total waste because they're a nobody. Didn't someone post a big bitcoin scam on a bunch of famous, verified accounts a while back by gaining access to some internal Twitter tool? It's kind of baffling why they would waste something like that on trolling some random person's account, though.

astral
Apr 26, 2004

Did your friend have bitcoins?

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Not to my knowledge! Again, basically just a completely random nobody, they have no idea who they pissed off.

Sickening
Jul 16, 2007

Black summer was the best summer.

Cup Runneth Over posted:

Not to my knowledge! Again, basically just a completely random nobody, they have no idea who they pissed off.

It’s probably someone they know who has access to their phone or something. I really doubt this is some kind of huge new vulnerability in the wild to own your random friend.

I would wager it’s more likely your friend got owned while not having mfa enabled and has said it was enabled out of embarrassment.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Sickening posted:

It’s probably someone they know who has access to their phone or something. I really doubt this is some kind of huge new vulnerability in the wild to own your random friend.

I would wager it’s more likely your friend got owned while not having mfa enabled and has said it was enabled out of embarrassment.

Or your friend got phished, put mfa into a scam site, "failed", put it into the real site the second time, and didn't realize.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Volmarias posted:

Or your friend got phished, put mfa into a scam site, "failed", put it into the real site the second time, and didn't realize.

They're adamant they never clicked any links, and they said they used Google Auth so it couldn't have been a SIM hijack.

Anyway, if none of you have any suggestions on breaking Twitter's vicious cycle of "just log into your account/your hacker's email to tell us it's been hacked" customer support, I'll just have to chalk it up as a mystery and hope someone else can help them out.

Impotence
Nov 8, 2010
Lipstick Apathy
Was this a valuable name / one word / common word / "cool name" / etc? If he had like, a 1 letter name, or @crypto, or something, there is a nontrivial chance that his mobile provider and twitter were both social engineered and hijacked

Impotence fucked around with this message at 05:49 on Jan 9, 2021

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Biowarfare posted:

Was this a valuable name / one word / common word / "cool name" / etc? If he had like, a 1 letter name, or @crypto, or something, there is a nontrivial chance that his mobile provider and twitter were both social engineered and hijacked

Nope, nothing valuable about it, and from the attacker's behavior they didn't seem particularly sophisticated. It looked like a troll; for all I know they were targeted at random simply for being an established account that they could hijack and tweet racist messages from to shock people. They also attempted to impersonate the victim for a while, then started breaking Twitter Rules presumably to get them suspended, then eventually deactivated (not suspended, deleted).

But frankly, it doesn't matter to me much why they were hit, and I'm only mildly curious how it was done. Mostly I'm astonished at how much of a cold shoulder Twitter Support gives to stuff like this if you aren't a verified account with 100k followers and you get fully owned. There doesn't appear to be any way whatsoever to open a ticket with them to try to get the account back if the hacker changed all your personal details and locked you out; am I missing something?

droll
Jan 9, 2020

by Azathoth
Your friend took ambien, posted racist poo poo and is using the I was hacked defense.

Jabor
Jul 16, 2010

#1 Loser at SpaceChem
When the email address on your twitter account gets changed, you get an email to the old address telling you about it. That email tells you what to do if you were hacked and it wasn't you trying to change it.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


droll posted:

Your friend took ambien, posted racist poo poo and is using the I was hacked defense.

I was talking to him in real time as the hacked account was posting and he was telling people to report it, so that would be weird.

Jabor posted:

When the email address on your twitter account gets changed, you get an email to the old address telling you about it. That email tells you what to do if you were hacked and it wasn't you trying to change it.

Thanks, I'll tell him to look into this if he hasn't already.

CyberPingu
Sep 15, 2013


If you're not striving to improve, you'll end up going backwards.
Love to spend the last 2 nights on call dealing with some dickhead ddosing us with a botnet.

Butter Activities
May 4, 2018

I work in a DOD hospital and another issue is that a lot of computers don’t actually lock when you pull your CAC, even though they should.

We also have an exception in that we finally got explicit permission to leave our computers at the nursing station unattended, because often the computers are so slow to lock/unlock that there is no way we could do patient care remotely efficiently or respond to emergencies. Obviously before that policy, people did it anyway, and it’s a pretty common habit in the military.

Ellipson
Sep 14, 2007

everything's cool
One of my favorite examples when talking about usable security is nursing station computers. Styrofoam cups over proximity sensors, anti-idle scripts, the works. A little more fun than the same slide of tire tracks/footprints going around a gate, anyway.

Defenestrategy
Oct 24, 2010

Ellipson posted:

One of my favorite examples when talking about usable security is nursing station computers. Styrofoam cups over proximity sensors, anti-idle scripts, the works. A little more fun than the same slide of tire tracks/footprints going around a gate, anyway.

What does Styrofoam over prox sensors do? Stop people from attempting to lift the wireless exchange?

DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness

Defenestrategy posted:

What does Styrofoam over prox sensors do? Stop people from attempting to lift the wireless exchange?

Fools the sensor into thinking that a person is at the desk, so it doesn't lock the system when the nurse walks away.

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano

Defenestrategy posted:

What does Styrofoam over prox sensors do? Stop people from attempting to lift the wireless exchange?

:psyduck:

Defenestrategy
Oct 24, 2010


I was confused about what he was talking about; I thought he was talking about an NFC or some other such tap-to-log-on/enter thing, not a REX/keep-alive thingy.

Now to answer your second question, no I dunno how a styrofoam cup would prevent leakage of signal, but it wouldn't be the most insane thing I've seen/heard of.

Beccara
Feb 3, 2005
https://www.amazon.com/mouse-jiggler-usb/s?k=mouse+jiggler+usb

Mustache Ride
Sep 11, 2001



Amazon accidentally sent me 20 of those when I ordered 1. People love them as gifts.

Ellipson
Sep 14, 2007

everything's cool

Defenestrategy posted:

I was confused about what he was talking about; I thought he was talking about an NFC or some other such tap-to-log-on/enter thing, not a REX/keep-alive thingy.

Now to answer your second question, no I dunno how a styrofoam cup would prevent leakage of signal, but it wouldn't be the most insane thing I've seen/heard of.

TBH I wish my job had more off-the-wall poo poo like this instead of getting people to upgrade OSS and getting people to remove creds from code/configuration files, so I don't blame you.
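The posts above describe styrofoam cups, anti-idle scripts and mouse jigglers keeping a workstation from locking. As an added example (not from anyone in this thread), here is a Python heuristic a defender could run over endpoint input telemetry to flag sessions whose "activity" looks machine-generated: periodic, tiny, keyboard-free mouse motion. The event records, hostnames and thresholds are constructed for illustration.

```python
"""Heuristic to flag idle-lock evasion (mouse jigglers, anti-idle scripts).

Human input is bursty and mixes keystrokes with large, irregular mouse
moves; a jiggler emits tiny mouse moves on a fixed timer with no keys.
All telemetry below is constructed sample data.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class InputEvent:
    ts: float          # seconds since session start
    kind: str          # "mouse" or "key"
    dx: int = 0        # mouse displacement in pixels
    dy: int = 0


def interval_cv(times):
    """Coefficient of variation of gaps between events; 0.0 means perfectly periodic."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def looks_like_jiggler(events, max_cv=0.05, max_step=4, min_samples=10):
    """True when a window shows periodic, tiny, keyboard-free mouse motion."""
    mouse = [e for e in events if e.kind == "mouse"]
    if len(mouse) < min_samples or any(e.kind == "key" for e in events):
        return False
    cv = interval_cv([e.ts for e in mouse])
    if cv is None or cv > max_cv:
        return False
    return all(abs(e.dx) <= max_step and abs(e.dy) <= max_step for e in mouse)


def flagged_sessions(sessions):
    """Return the ids of sessions whose event window trips the heuristic."""
    return [sid for sid, events in sessions.items() if looks_like_jiggler(events)]


# Constructed telemetry: a jiggler nudging the cursor +-1 px every 30 s ...
JIGGLER_SAMPLE = [InputEvent(ts=30.0 * i, kind="mouse", dx=1 if i % 2 else -1)
                  for i in range(20)]

# ... and a human: irregular gaps, big moves, typing in between.
HUMAN_SAMPLE = [
    InputEvent(0.0, "mouse", 120, -35), InputEvent(0.4, "mouse", 15, 2),
    InputEvent(0.9, "key"), InputEvent(1.1, "key"),
    InputEvent(7.6, "mouse", -260, 90), InputEvent(8.0, "mouse", 8, -3),
    InputEvent(21.3, "key"), InputEvent(21.5, "key"), InputEvent(22.0, "key"),
    InputEvent(65.2, "mouse", 300, 10),
]

SESSIONS = {"WS-NURSE-01": HUMAN_SAMPLE, "WS-NURSE-03": JIGGLER_SAMPLE}

if __name__ == "__main__":
    print("flagged:", flagged_sessions(SESSIONS))  # -> ['WS-NURSE-03']
```

Tune `max_cv` and `max_step` against real baselines before alerting; a cursor parked on a scroll wheel or a long video playback will look different from either sample.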
