anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Absurd Alhazred posted:

If the SEC had stocks, I bet people higher up would have sold theirs before this disclosure.

Who's gonna go at them? The SEC? :homebrew:
Ah poo poo, I thought that was about Experian.


Furism
Feb 21, 2006

Live long and headbang
Some VM escape vulnerability just patched by VMWare: https://nakedsecurity.sophos.com/2017/09/21/critical-vmware-vulnerability-patch-and-update-now/

mewse
May 2, 2006

NSA's spying is hindering their efforts to propose encryption standards

CLAM DOWN
Feb 13, 2007





gently caress yeah burn it all down

Potato Salad
Oct 23, 2014

nobody cares


"Eh you have to have a compromised machine to escape to the hypervisor, and because of our VPN you can't get into our network from the outside so "

Spiceworks community is awful. It's like cybersecurity theater. Security cargo cult?

"Do these things, scan these firewall ports and we're safe! Because intrusion = network exploits, cybersecurity = a network problem."

Thanks Ants
May 21, 2004

#essereFerrari


Spiceworks are at the initial peak in the dunning-kruger curve, and if I had to pick an emoticon to describe them, I would use :smuggo:

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Thanks Ants posted:

Spiceworks are at the initial peak in the dunning-kruger curve, and if I had to pick an emoticon to describe them, I would use :smuggo:

I dunno, :thunk: or :viggo: would also qualify.

The Electronaut
May 10, 2009

Methylethylaldehyde posted:

I dunno, :thunk: or :viggo: would also qualify.

:nsa: seems to be also fitting

Three-Phase
Aug 5, 2006

by zen death robot
When I was at the gym there was some guy on CNN talking about how firewalls aren't enough and how networks need intelligent internal monitoring, etc.

mewse
May 2, 2006

Three-Phase posted:

When I was at the gym there was some guy on CNN talking about how firewalls aren't enough and how networks need intelligent internal monitoring, etc.

That's what the security vendors are pushing now, how the old model was outside -> firewall -> inside and everything inside the firewall is trusted but that's not good enough anymore.

Proteus Jones
Feb 28, 2013



mewse posted:

That's what the security vendors are pushing now, how the old model was outside -> firewall -> inside and everything inside the firewall is trusted but that's not good enough anymore.

But it's never been good enough. Not for some time.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

In the first year (month?) of the first firewalls list at greatcircle, people were fighting about whether perimeter defense led to internal laziness, and so forth. I'm sure it predates that, even, but those were the conversations that 16-year-old me first encountered. This was an era of squishier centers even (hosts.equiv!).

Proteus Jones
Feb 28, 2013



Subjunctive posted:

In the first year (month?) of the first firewalls list at greatcircle, people were fighting about whether perimeter defense led to internal laziness, and so forth. I'm sure it predates that, even, but those were the conversations that 16-year-old me first encountered. This was an era of squishier centers even (hosts.equiv!).

God you just reminded me of every vendor in the early '00s.

No, "crunchy on the outside while gooey on the inside" is not some fantastic new aphorism you *just* came up with. STOP USING IT IN EVERY SALES PRESENTATION.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Proteus Jones posted:

God you just reminded me of every vendor in the early '00s.

No, "crunchy on the outside while gooey on the inside" is not some fantastic new aphorism you *just* came up with. STOP USING IT IN EVERY SALES PRESENTATION.

I stopped doing security consulting in 1997 because I could count the people in the industry I wanted to work with on...something with about 30 items.

Filling an opening day screening of Hackers with folks from the USENIX security symposium was a good time, though. Likely the only time the rainbow books have received a standing ovation.

Thanks Ants
May 21, 2004

#essereFerrari


Hackers was a good film and I will fight anybody who disagrees. Guy Pratt did a great job on the soundtrack.

Proteus Jones
Feb 28, 2013



Subjunctive posted:

I stopped doing security consulting in 1997 because I could count the people in the industry I wanted to work with on...something with about 30 items.

Filling an opening day screening of Hackers with folks from the USENIX security symposium was a good time, though. Likely the only time the rainbow books have received a standing ovation.

Stop making me feel my olds here. I haven't thought about USENIX in forever. Also local 2600 meet ups. Which were just a bunch of teens and 20-somethings hanging out in a food court swapping floppies. Logging onto the local BBS to get the current bridge line.

drat, when did I get so old.

:corsair:

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Proteus Jones posted:

Stop making me feel my olds here. I haven't thought about USENIX in forever. Also local 2600 meet ups. Which were just a bunch of teens and 20-somethings hanging out in a food court swapping floppies. Logging onto the local BBS to get the current bridge line.

drat, when did I get so old.

:corsair:

Thing is that wasn't even that long ago.

Proteus Jones
Feb 28, 2013



Cup Runneth Over posted:

Thing is that wasn't even that long ago.

I'm half joking. I'm not decrepit yet. But some of that was from more than 25 years ago for me.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
Time to put machine learning IPSes on every internal router and switch.

Absurd Alhazred
Mar 27, 2010

by Athanatos

Lain Iwakura posted:

Time to put machine learning IPSes on every internal router and switch.

Bruce Schneier has been talking about this at least since 2014.

Alfajor
Jun 10, 2005

The delicious snack cake.
Curious, and I think this is the best place for this query:
My $company's internal IT has recently started deploying a lot of DLP tools and whatnot. Since I run a lot of VMs from my lab, and those are not managed by internal IT, and do have internet access: does $company see that VM's web traffic? Is there some sort of encapsulation once traffic passes from guest to host, and upstream?
Is the answer the same for all hypervisors, from workstation to ESXi, also counting KVM, HyperV, etc.

CLAM DOWN
Feb 13, 2007




Alfajor posted:

Curious, and I think this is the best place for this query:
My $company's internal IT has recently started deploying a lot of DLP tools and whatnot. Since I run a lot of VMs from my lab, and those are not managed by internal IT, and do have internet access: does $company see that VM's web traffic? Is there some sort of encapsulation once traffic passes from guest to host, and upstream?
Is the answer the same for all hypervisors, from workstation to ESXi, also counting KVM, HyperV, etc.

If you did that at my company you'd be destroyed, man, you're making me twitch.

To answer your odd question, it's not like traffic from a VM is hidden or encapsulated to be hidden from view or anything. They will still see it. Hopefully they do HTTPS inspection too.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Absurd Alhazred posted:

Bruce Schneier has been talking about this at least since 2014.

It was partly a joke. Identifying traffic internally is a bit problematic if you're in a flat network hell. The only system I've considered for dealing with the mess is to use this garbage but it's another barrel of laughs to manage and it's just throwing more garbage on the fire.

astral
Apr 26, 2004

Lain Iwakura posted:

It was partly a joke. Identifying traffic internally is a bit problematic if you're in a flat network hell. The only system I've considered for dealing with the mess is to use this garbage but it's another barrel of laughs to manage and it's just throwing more garbage on the fire.

they sure handle noscript gracefully

Furism
Feb 21, 2006

Live long and headbang
"Smart Networks" are way off. It's hard enough for devices to detect DDoS on the spot. All these DDoS mitigation devices (like Arbor) have learning phases to use as a baseline and will block (or raise alarms) for weird patterns but there are tons of false-positives. And those are dedicated devices. Traditional NGFW are imperfect (or really poo poo, hello Palo Alto) but still pretty good - much like your front door. But it's all they are. Anybody with enough determination can find another way in. As we know, it's just a matter of means.

The main problem companies need to solve is that there are still way too many people who consider that "security is expensive", "we don't need that", "we are safe", "nobody's going to hack us" and all that bullshit. Once THAT is solved at least we'll have a good foundation to build up from. But if the foundations are poo poo, your building is going to crumble pretty quickly no matter how much cement you use. EU's GDPR is a good incentive in that direction. Companies that collect or deal with European citizen data (even if the company does not operate in the EU; just handling the data is enough) can be fined up to €20M or 4% of annual revenue, whichever is bigger, if they get hacked and it turns out they didn't apply due diligence or care. Not patching a 2.5-month-old vuln would definitely fall into that, to use Equifax as a comparison.

This will force companies to invest more into security, which is great, and maybe that'll drive better and "real-er" new tech breakthroughs?

Thanks Ants posted:

Hackers was a good film and I will fight anybody who disagrees. Guy Pratt did a great job on the soundtrack.

It got me interested in the technical side of computers (programming, Linux, ...) when I was like 12. I only played games or made music before that, and I feel that movie opened my eyes to what can be done with _any_ computer.
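
The "learning phase, then alarm on deviation" behaviour Furism describes above, as an added example (not code from the post or from any vendor product). It models a volumetric detector in the simplest possible way: learn a mean and standard deviation from a clean window, then raise an alert on a statistical anomaly and block only on a hard multiple of the baseline. The packet counts are constructed, and the thresholds (3 sigma to alert, 10x mean to block) are hypothetical tuning knobs; the interesting part is that a legitimate flash crowd trips the alert exactly as the post says it will.

```python
from statistics import mean, pstdev

# Constructed learning-phase data (hypothetical): 60 one-second packet counts of clean traffic.
LEARNING_WINDOW = [1000 + (i * 37) % 120 for i in range(60)]

# Constructed live data (hypothetical): steady traffic, a legitimate flash crowd, then a flood.
LIVE_SAMPLES = [1040, 1070, 1055, 2400, 2600, 2500, 1060, 150000, 180000, 210000]
# What actually happened, for scoring the detector: only the last three seconds are an attack.
GROUND_TRUTH = ["normal"] * 7 + ["attack"] * 3


def learn_baseline(samples):
    """Learning phase: summarise the clean window as (mean, standard deviation)."""
    return mean(samples), pstdev(samples)


def classify(samples, baseline, k_alert=3.0, block_multiple=10.0):
    """Label each sample 'ok', 'alert' or 'block'.

    'alert' is a statistical anomaly (k_alert standard deviations above the learned mean);
    'block' is a hard volumetric trigger (more than block_multiple times the learned mean).
    """
    mu, sigma = baseline
    sigma = max(sigma, 1.0)  # a perfectly flat baseline would otherwise divide by zero
    verdicts = []
    for x in samples:
        if x > block_multiple * mu:
            verdicts.append("block")
        elif (x - mu) / sigma >= k_alert:
            verdicts.append("alert")
        else:
            verdicts.append("ok")
    return verdicts


def false_positives(verdicts, truth):
    """Indices where the detector fired ('alert' or 'block') on traffic that was not an attack."""
    return [i for i, (v, t) in enumerate(zip(verdicts, truth)) if v != "ok" and t == "normal"]


def run():
    """Learn from the clean window, classify the live samples, and score the result."""
    baseline = learn_baseline(LEARNING_WINDOW)
    verdicts = classify(LIVE_SAMPLES, baseline)
    return verdicts, false_positives(verdicts, GROUND_TRUTH)


if __name__ == "__main__":
    v, fp = run()
    print("verdicts:", v)
    print("false positives at seconds:", fp)
```

The three flash-crowd seconds come back as alerts (false positives 3, 4 and 5) while the flood is blocked; tightening `k_alert` to silence the former is exactly the trade-off that makes these boxes noisy in practice.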

Furism
Feb 21, 2006

Live long and headbang

Lain Iwakura posted:

It was partly a joke. Identifying traffic internally is a bit problematic if you're in a flat network hell. The only system I've considered for dealing with the mess is to use this garbage but it's another barrel of laughs to manage and it's just throwing more garbage on the fire.

Is it though? I work mostly on the lab side but the vendors say that they can hook into Active Directory to figure out who's behind a given IP. And then based on that they know which Groups they are part of, and you can apply rules to that ("Marketing can access social media all the time ; other groups only during lunch." ; "Devs can use ssh to github, nobody else" ; "Finance can only use HTTPS and we'll DLP the poo poo out of that" ; etc..). Are you saying that in real life this doesn't work? Genuinely interested.
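
The identity-aware rules Furism lists above, as an added example that is not code from the post or from any firewall vendor. It assumes a hypothetical IP-to-user table learned from directory logon events, hypothetical group memberships, and the four rules quoted in the post; every name, address and time below is constructed. The one design point worth noticing is the mapping TTL: an IP-to-user binding is only as good as the logon event it came from, so the policy treats an expired binding as an unknown user and denies, rather than applying an old identity to whoever has that address now.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed identity table (hypothetical): what an AD-integrated firewall would learn from
# logon events, together with the time each binding was learned.
IP_TO_USER = {
    "10.1.1.10": ("alice", datetime(2017, 9, 22, 9, 0)),
    "10.1.1.11": ("bob", datetime(2017, 9, 22, 9, 5)),
    "10.1.1.12": ("carol", datetime(2017, 9, 22, 8, 55)),
    "10.1.1.13": ("dave", datetime(2017, 9, 22, 1, 0)),   # learned hours ago: stale
}
# Constructed group memberships (hypothetical).
USER_GROUPS = {
    "alice": {"Marketing"},
    "bob": {"Devs"},
    "carol": {"Finance"},
    "dave": {"Devs"},
}
MAPPING_TTL = timedelta(hours=4)  # how long an IP->user binding is trusted (assumption)
SOCIAL_MEDIA = {"facebook.com", "twitter.com"}  # destination category (assumption)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst: str        # destination hostname the firewall resolved the flow to
    app: str        # application the firewall identified: "https", "http", "ssh", ...
    when: datetime


def lookup_user(src_ip, now):
    """Map an address to a user, or None if unknown or the binding has expired."""
    entry = IP_TO_USER.get(src_ip)
    if entry is None:
        return None
    user, learned_at = entry
    if now - learned_at > MAPPING_TTL:
        return None  # stale binding: do not assume the same person still has this address
    return user


def during_lunch(t):
    """Lunch window used by the social-media rule (assumption: 12:00 to 13:00)."""
    return 12 <= t.hour < 13


def decide(flow):
    """Evaluate the post's rules against one flow; unknown identity is denied."""
    user = lookup_user(flow.src_ip, flow.when)
    if user is None:
        return "deny: unknown user"
    groups = USER_GROUPS.get(user, set())

    # Marketing can access social media all the time; other groups only during lunch.
    if flow.dst in SOCIAL_MEDIA:
        if "Marketing" in groups or during_lunch(flow.when):
            return "allow"
        return "deny: social media outside lunch"

    # Devs can use ssh to github, nobody else.
    if flow.app == "ssh":
        if "Devs" in groups and flow.dst == "github.com":
            return "allow"
        return "deny: ssh restricted to Devs -> github.com"

    # Finance can only use HTTPS, and that traffic goes to DLP inspection.
    if "Finance" in groups:
        if flow.app == "https":
            return "allow: dlp-inspect"
        return "deny: Finance HTTPS only"

    return "allow"


def decide_at(src_ip, dst, app, hour, minute=0):
    """Convenience wrapper: evaluate a flow at a given time on the constructed day."""
    return decide(Flow(src_ip, dst, app, datetime(2017, 9, 22, hour, minute)))


if __name__ == "__main__":
    print(decide_at("10.1.1.11", "twitter.com", "https", 10))   # bob, Devs, outside lunch
    print(decide_at("10.1.1.13", "github.com", "ssh", 10))      # dave's binding is stale
```

Everything the support burden Lain Iwakura describes hangs off `IP_TO_USER`: shared terminals, VDI, NAT'd segments and machines that never log on to the domain all produce bindings that are missing or wrong, and every one of those shows up as a helpdesk ticket.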

some kinda jackal
Feb 25, 2003

 
 

Alfajor posted:

Curious, and I think this is the best place for this query:
My $company's internal IT has recently started deploying a lot of DLP tools and whatnot. Since I run a lot of VMs from my lab, and those are not managed by internal IT, and do have internet access: does $company see that VM's web traffic? Is there some sort of encapsulation once traffic passes from guest to host, and upstream?
Is the answer the same for all hypervisors, from workstation to ESXi, also counting KVM, HyperV, etc.

This post is triggering me on so many levels.

Your traffic will appear no different than any other traffic on the network. The only encapsulation which will be present is whatever you put in so unless you are routing to the internet at large through a VPN or other tunnel then they will have visibility to anything they could capture from a regular endpoint.

In either case, hopefully your lab is on a verifiably discrete network with zero connection points to your corporate assets. If not you really should get that rectified ASAP for your own liability's sake as well as obvious ramifications for the company. If your company has to undergo any formal audits you will be nailed to a wall.

some kinda jackal fucked around with this message at 13:14 on Sep 22, 2017

Truga
May 4, 2014
Lipstick Apathy
wrong thread lol

EssOEss
Oct 23, 2006
128-bit approved

Furism posted:

Can't you load the private key in Wireshark and still decrypt it on the fly? Genuine question, as I've only done it with recorded HTTPS myself.

This is the attack that forward security prevents, right?
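
The distinction EssOEss is asking about, as an added example that is not code from either poster. With RSA key exchange the client encrypts the premaster secret to the server's public key, so whoever holds the private key (Wireshark with the key file loaded, live or against a recording) decrypts it. With (EC)DHE the long-term key only signs an ephemeral share; the private key lets an eavesdropper verify that signature and nothing else, and the session secret can only be recovered by solving a discrete log. Both primitives are toy-sized here so the numbers fit on the page (an RSA modulus of 3233, a DH prime of 23, a "signature" that skips hashing); the brute-force step at the end works only because the group is tiny, which is the point.

```python
import random

# Toy RSA with tiny primes. Illustration only; not a real key.
P, Q = 61, 53
N = P * Q                   # 3233, the server's public modulus
E = 17                      # public exponent
D = 2753                    # private exponent: 17 * 2753 == 1 (mod 3120)
assert (E * D) % ((P - 1) * (Q - 1)) == 1

# Toy Diffie-Hellman group (5 is a generator mod 23). Real TLS uses 2048+ bit groups or curves.
DH_P, DH_G = 23, 5


def rsa_public(m):
    """Public-key operation: encrypt, or verify a toy signature."""
    return pow(m, E, N)


def rsa_private(c):
    """Private-key operation: decrypt, or produce a toy signature."""
    return pow(c, D, N)


def rsa_key_exchange(premaster):
    """RSA key exchange: the client encrypts the premaster secret to the server's public key.

    Returns what a packet capture would contain (the ClientKeyExchange payload).
    """
    return rsa_public(premaster)


def eavesdropper_rsa(captured, server_private_exponent):
    """Holding the server's private key recovers the premaster, live or from a recording.

    This is the operation Wireshark performs when the RSA private key is loaded.
    """
    return pow(captured, server_private_exponent, N)


def dhe_key_exchange(rng):
    """(EC)DHE: the long-term RSA key only signs an ephemeral share.

    Returns (capture, session_secret). The ephemeral values a and b never hit the wire.
    """
    a = rng.randrange(1, DH_P - 1)       # server ephemeral private value
    b = rng.randrange(1, DH_P - 1)       # client ephemeral private value
    A = pow(DH_G, a, DH_P)               # ServerKeyExchange share
    B = pow(DH_G, b, DH_P)               # ClientKeyExchange share
    signature = rsa_private(A)           # toy signature over the server share (no hash)
    capture = (A, signature, B)
    server_secret = pow(B, a, DH_P)
    client_secret = pow(A, b, DH_P)
    assert server_secret == client_secret
    return capture, server_secret


def eavesdropper_dhe(capture, server_private_exponent):
    """With the private key the eavesdropper can check the signature but learns no secret.

    Returns (signature_valid, recovered_secret). There is no encrypted secret on the wire
    for the private key to open, so the second element is always None.
    """
    A, signature, _B = capture
    signature_valid = rsa_public(signature) == A
    _ = server_private_exponent  # nothing useful to do with it here
    return signature_valid, None


def brute_force_dlog(A):
    """Solve A == g^a (mod p) by trial. Feasible only because DH_P is 23."""
    for a in range(DH_P):
        if pow(DH_G, a, DH_P) == A:
            return a
    raise ValueError("no discrete log found")


def dhe_demo(seed=1):
    """Run one toy DHE handshake and report what each attacker capability yields."""
    capture, secret = dhe_key_exchange(random.Random(seed))
    valid, from_key = eavesdropper_dhe(capture, D)
    A, _sig, B = capture
    from_dlog = pow(B, brute_force_dlog(A), DH_P)
    return {
        "secret": secret,
        "signature_valid": valid,
        "secret_from_private_key": from_key,
        "secret_from_dlog": from_dlog,
    }


if __name__ == "__main__":
    print("RSA key exchange, premaster recovered:", eavesdropper_rsa(rsa_key_exchange(42), D))
    print("DHE:", dhe_demo())
```

So the answer to the question is yes: a stolen or subpoenaed server key decrypts every RSA-key-exchange session ever recorded, and (EC)DHE is what removes that property.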

BlankSystemDaemon
Mar 13, 2009



I don't recall seeing this mentioned, but did sandsifter get mentioned in this thread? It's found at least one instruction which is handled erroneously in all hypervisors tested while on real hardware it'd work properly, so any attempt to run exploited binaries in a virtual guest wouldn't reveal the exploit.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Furism posted:

Is it though? I work mostly on the lab side but the vendors say that they can hook into Active Directory to figure out who's behind a given IP. And then based on that they know which Groups they are part of, and you can apply rules to that ("Marketing can access social media all the time ; other groups only during lunch." ; "Devs can use ssh to github, nobody else" ; "Finance can only use HTTPS and we'll DLP the poo poo out of that" ; etc..). Are you saying that in real life this doesn't work? Genuinely interested.

It does work and I've actually set it up. The problem is not in terms of setting it up but actually supporting it--what is overlooked with these solutions is the need for having a support team that can navigate this and a user base that is willing to accept it. It's really meant for specific environments and I have yet to come across one personally that would be an ideal candidate--even at my org I couldn't recommend it.

The only time I can say that you can safely do something like this or have something 'smart' tag your network is in industrial control systems where you know exactly how much and what sort of traffic you have to begin with. Good luck dealing with it if you have a corporate network that relies heavily on cloud-based services.

Proteus Jones
Feb 28, 2013



Via YOSPOS Sec gently caress thread


Also:

https://twitter.com/me_irl/status/911328527248699392

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum
Also:

Thanks Ants
May 21, 2004

#essereFerrari



Always.

Never forget the Adobe position on non-local storage in TYOOL 2017:

https://helpx.adobe.com/photoshop/kb/networks-removable-media-photoshop.html posted:

Technical Support strongly recommends working in Photoshop directly on the local hard disk. To prevent data loss, save files to your hard disk first. Then transfer them to the network or removable drive in the Finder or in Windows Explorer. To retrieve files, copy them in the Finder or in Windows Explorer from the network or removable drive to your hard disk.

CLAM DOWN
Feb 13, 2007




Every day, more dumpster fires

https://twitter.com/troyhunt/status/911287697448198145

Internet Explorer
Jun 1, 2005





Technology was a mistake. I want off this wild ride.

Thanks Ants
May 21, 2004

#essereFerrari


Only a matter of time before somebody finds a crippling security flaw in caves and camp fires

Grassy Knowles
Apr 4, 2003

"The original Terminator was a gritty fucking AMAZING piece of sci-fi. Gritty fucking rock-hard MURDER!"

Thanks Ants posted:

Only a matter of time before somebody finds a crippling security flaw in caves and camp fires

Not much confidentiality in smoke signals

mewse
May 2, 2006

Grassy Knowles posted:

Not much confidentiality in smoke signals

I don't think we have anything to worry about unless someone has a grudge against Alice and Bob


some kinda jackal
Feb 25, 2003

 
 
Truly, Adobe Security is the Adobe software of security.
