Biowarfare posted: lovely, walmart has joined the trend in retailers port scanning your device and local network and abusing webrtc heh.

I'm working on a pentesting assignment for class and my professor warned us very strongly to never portscan outside the test because that could be a felony!!

# Sep 19, 2021 16:56

# May 14, 2024 11:36

RFC2324 posted: Lmao, considering the number of times I have gotten bored and tried to scan 0.0.0.0...

pretty sure it was a cyoa for the university's benefit because we are using shodan in a lab. context for the class is contracted pentest work and he emphasizes making sure you know your target scope for the pentest.

# Sep 19, 2021 18:33

CLAM DOWN posted: Krebs loving sucks, but this entire problem is lol

why so? I enjoyed his blog before I entered the field so curious on the expert opinion on him.

Combat Pretzel posted: Same. I thought he's supposed to be some cybersecurity expert. Even if you're not specifically into networks, you ought to know the relation between DNS and routing tables.

lol oh yeah

# Oct 4, 2021 21:48

if any of you could pick between Business Continuity work or GRC, which would you go with? I have potential opportunities in both fields starting as a fresh graduate with a super general Cybersecurity degree.

# Aug 10, 2022 19:40

that's a bummer, I had gotten the impression of BCP as being important but boring but was hoping there was some secret sauce I was missing. thanks for confirming my impression. sadly it seems to pay more as well. not too sad though, I have liked doing risk work with my current internship quite a bit, and definitely can see it helping me go a more technical route down the line like some kinda jackal said. I really want to find my way to DevSec one day and the compliance and risk work seems like a good starting point. for the input

# Aug 10, 2022 20:42

BonHair posted: Business continuity can be fun, but as I said, it's more of a talking, meeting, management, networking (social kind) type deal, which doesn't appeal much to traditional cyber security nerds who are also computer touchers.

I took on my major to get out of "networking as a job" so glad I asked. I had hoped there might be some aspects of the field that are more techy problem solving but that doesn't seem to be the case. The field focus is still interesting so maybe I'll find my way to a BCP vendor or something one day.

# Aug 11, 2022 01:45

wonder who gets to keep them PCI compliant now, lol

# Sep 8, 2022 22:19

I hope they delete the entire loving company

# Sep 16, 2022 05:27

isn't it, by definition, legal rear end-covering rather than necessarily true to what's on the ground.

# Sep 26, 2022 16:28

RFC2324 posted: I really need to get over my insecurities and lie my way into an infosec role

Dude I'm not even graduated and previously worked non-IT customer support, and I nabbed a GRC role. I am sure someone in IT can make the leap to a technical job way easier than I did to a non-technical one. efb!

# Nov 1, 2022 18:09

Rust Martialis posted: Is it that useful? Cisco is "all" which is borderline meaningless.

it says "under investigation" because it's a WIP

# Nov 1, 2022 22:39

a scummy casino has fly-by-night security? say it ain't so.

# Nov 22, 2022 17:34

mastodon is unserious gibberish. e. like, do they think the feds aren't already monitoring their little fiefdoms? them having an official account means literally nothing. it just means they will miss out on industry news. if you hate them, just cyberbully them.

Famethrowa fucked around with this message at 21:14 on Nov 22, 2022

# Nov 22, 2022 21:10

how are you guys using yubikey? I've got an nfc that's currently managing authenticator codes but feel like I could do more with it.

# Dec 31, 2022 18:33

SlowBloke posted: I mostly use mine for azure ad passwordless creds, too few slots for totp registrations to be useful.

Defenestrategy posted: Company uses it for most of our major sign in portals that support it.

kinda what I was gathering, bummer. was hopeful for more consumer uses. company is whispering about switching SSO and allowing yubi so

# Dec 31, 2022 23:33

Sickening posted: I don't understand the "allowing" part. It's still weird to me that most defaults don't enable fido2 or whatever, but companies not having it enabled because they fear it seems wild to me.

I suspect it's help desk, since SSO is company wide and they previously killed hardware tokens. easier to just troubleshoot everyone's mobile app issues.

# Jan 1, 2023 00:03

imagine being a security guy and being fired because you didn't catch a mistake your dev wrote into their spaghetti code lmao

# Jan 19, 2023 20:32

App13 posted: Strange question but we’ve got a user here who was phished by someone pretending to be a friend of his from high school asking for personal information.

my company uses a video series called "Restricted Intelligence" that is targeted towards less technologically savvy users. It's engaging and relatively funny. otherwise, I really like the suggestion of contacting an autism charity (don't do autism speaks pls)

# Feb 1, 2023 18:06

Saukkis posted: If you want to store logins without cloud service then you want KeePass, it's the standard recommendation.

more like keep rear end

# Feb 3, 2023 16:43

KillHour posted: Cross post

I didn't believe in the Roko's basilisk thing until now. "psychologically tormenting" "AIs" is incredible.

# Feb 10, 2023 21:06

BlankSystemDaemon posted: Hannu Rajaniemi did "person-gets-trapped-in-virtual-prison-and-tortured-for-many-lifetimes" a decade ago, and I'm sure there are older examples.

did you think i was serious

# Feb 11, 2023 03:15

Takes No Damage posted: "This house is protected by Ring Security"

lol great.

# Mar 16, 2023 03:06

poo poo I really need to get on freezing my credit. I see no downsides given how often breaches happen. thanks for the reminder.

# Mar 26, 2023 20:17

CommieGIR posted: Well well well:

my company is barreling ahead on integration with ChatGPT's api so this is useful ammo for us to try to slow things down and get some clarity on OpenAI's security practices. e. still feel like this is a freight train of unintended consequences we won't be able to truly mitigate. no one even knew they were building it into our product until they announced they would be rolling it out soon.

# Mar 29, 2023 19:35

most of the really fun flipper stuff seems to require a board attachment which is a small bummer.

# Apr 19, 2023 16:47

namlosh posted: Can’t look right now, but like what? Curious what the more fun uses of this device are

you can do some wifi/Bluetooth fuckery with an esp32 board. deauth attacks, packet capturing, password cracking. obviously there are better purpose-built professional tools but it's not bad for teaching yourself a whole suite of fun tricks. e. should mention it's a custom firmware as well. I think they try to keep plausible deniability with wifi especially.

Famethrowa fucked around with this message at 22:48 on Apr 19, 2023

# Apr 19, 2023 22:30

incoherent posted: lmao if you think the debt industry does any protections. They literally sell usb sticks of excel back and forth in walmart parking lots.

seems like a random influencer ginning things up for whatever a mastodon retweet is. have heard nothing outside of that thread. cybersecurity influencers are the worst. like a nightmare combo of bitcoin guy and haughty greybeard.

# Apr 30, 2023 19:57

Diva Cupcake posted: Draft OWASP Top 10 list for LLMs just dropped.

great timing, thanks for sharing. we're having big conversations right now about LLM products. also looks like a working group is forming which seems like an interesting way to get on ground floor. https://owasp.org/www-project-top-10-for-large-language-model-applications/

Famethrowa fucked around with this message at 17:14 on May 26, 2023

# May 26, 2023 17:02

Mantle posted: Serious question here, why is LLM06:2023 - Overreliance on LLM-generated Content classified as a vulnerability? Shouldn't a user's use of the output be outside of the responsibility of the application if the output is produced according to the rules of the system?

I thought the same thing but came around to it. It feels borderline but LLM really seems like it'd grease the skids when it comes to bad decisions since it is even more thoughtless than combing StackExchange. not much different than requiring security training or phishing tests imo.

# May 28, 2023 04:10

Kazinsal posted: BRB setting up a streaming service where you have to beat the Ocarina of Time water temple every time your IP changes

tbh would probably be easier troubleshooting when my mom's router goes out.

# May 31, 2023 17:53

some kinda jackal posted: Yeah, that’s the one, thanks!! I have no idea what to do with this information but know that you basically saved me from an unhealthy amount of google searching random terms today.

basically every pseudo influencer has a youtube video of them wearing an anonymous mask holding it up with the title "HOW TO HACK" so if you ever forget again, there you go.

# Jun 13, 2023 17:15

some kinda jackal posted: There are infosec influencers?

oh man, it's so bad out there. they lean on the anonymous branding so hard.

# Jun 13, 2023 17:50

that sounds like a bog standard internet of poo poo security risk, just amplified by its creepiness. lol again at his posts.

# Jun 14, 2023 16:10

sterster posted: Trying to throw together some appsec security training for developers. Besides Mutillidae (I got this running and accessible from the network but as soon as someone makes an xss request or something similar the connection gets dropped by my machine :/ ) and DVWA. Also did WebGoat (this seems to only be local machine available). Does anyone have a docker based vuln application I can host for this. Or suggestions on how you go about doing hands on 'hack the box' type stuff.

it's not as clean and nice as Juice Shop, but if you want docker specific vulnerability exercises I've used VulHub. https://github.com/vulhub

# Jun 27, 2023 23:20

just a kazoo posted: anyone know anything more about clop compromising deloitte and other big 4 firms?

deloitte is denying impact but they got listed, pwc confirmed "limited" client data leakage, EY claims they were affected but that most systems weren't and are investigating, nothing from kpmg

# Jul 27, 2023 17:19

Head Bee Guy posted: Do you guys like your jobs?

not digging grc right now. third party risk makes me want to die. e. but, the love of the field and all that it offers so far makes it feel worth it

Famethrowa fucked around with this message at 06:19 on Aug 16, 2023

# Aug 16, 2023 06:12

our phishing awareness training once included references to phishing attacks pretending to raise money for Ukraine and created a shitstorm of accusations that we were promoting Russian propaganda. never mind that charity scams were traced to Russian APT groups

# Aug 20, 2023 16:56

has anyone had to deal with clients using AI transcription services on Zoom? there's no notice or warning, just an AI attendee with the client's name uploading a recording to an unknown service with no known NDA. is there a way to block connections with this plugin activated? how tf do you govern this?

# Aug 23, 2023 21:00

Thanks Ants posted: Make it your client's problem if they are under NDA with you - it's no different to them running the session through OBS and capturing the whole thing.

yeah, I'm just not so sure on the enforcement. we have thousands of clients and hundreds of account managers. I don't trust them to report this client behavior.

# Aug 23, 2023 21:29

Wiggly Wayne DDS posted: zoom were trying to force ai training on everything but backed down after a few days: https://blog.zoom.us/zooms-term-service-ai/

it's a third party service. zoom will at least pop up a consent form. in this instance, our customer service person joined a call, saw the customer's name in attendance, and started talking to them but noticed they weren't responding. emailed the customer, and they said "oops! we forgot can we reschedule?" so it's not opt in, there's no notification, and it masqueraded as the customer contact. we don't even know what tool it was. who knows who got the beginning of that call and what their data usage policy is. gently caress AI.

# Aug 23, 2023 23:02
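The governance question raised in the two posts above (an unannounced AI transcription attendee that joined under the client's own name and never responded) is mostly a contract and process matter, but the meeting roster itself gives a small detection signal that an account team can act on. The following Python is an added example, not code from the thread, from Zoom, or from any transcription vendor: it runs two heuristics over a constructed list of participant-join records, flagging a display name that matches common note-taker naming, and two attendees sharing a display name where one never turns on audio or video, which is the pattern described in the post. The record layout, the field names `audio_on`/`video_on` and the name patterns are all assumptions; a real deployment would build the roster from the meeting platform's participant reports and tune the patterns to the tools actually seen.

```python
import re
from collections import Counter

# Constructed participant-join records (assumed layout; not a real Zoom export).
# audio_on/video_on record whether the attendee ever enabled that channel.
SAMPLE_JOIN_EVENTS = [
    {"name": "Jane Doe (Acme Corp)", "audio_on": True, "video_on": True},
    {"name": "Jane Doe (Acme Corp)", "audio_on": False, "video_on": False},
    {"name": "Account Manager", "audio_on": True, "video_on": False},
    {"name": "Example Notetaker Bot", "audio_on": False, "video_on": False},
]

# Display-name fragments typical of third-party meeting assistants.
# Assumption: illustrative only; maintain a real list from what shows up in your rosters.
BOT_NAME_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"\bnote[- ]?taker\b",
        r"\bai (assistant|notes?)\b",
        r"\bmeeting (notes|recorder)\b",
        r"\.ai\b",
    )
]


def matches_bot_name(name: str) -> bool:
    """True if the display name looks like a meeting-assistant bot."""
    return any(p.search(name) for p in BOT_NAME_PATTERNS)


def is_silent(event: dict) -> bool:
    """An attendee that never enabled audio or video: consistent with a listen-only bot."""
    return not event["audio_on"] and not event["video_on"]


def flag_suspicious(events: list[dict]) -> list[tuple[str, str]]:
    """Return (display_name, reason) pairs that deserve a human look.

    Each name is reported at most once per reason.
    """
    findings: list[tuple[str, str]] = []
    name_counts = Counter(e["name"] for e in events)
    for e in events:
        name = e["name"]
        if matches_bot_name(name):
            finding = (name, "name matches note-taker pattern")
            if finding not in findings:
                findings.append(finding)
        # The thread's case: a second attendee under the customer's own name that
        # never speaks or shows video, i.e. a bot masquerading as the contact.
        if name_counts[name] > 1 and is_silent(e):
            finding = (name, "silent duplicate of another participant")
            if finding not in findings:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for name, reason in flag_suspicious(SAMPLE_JOIN_EVENTS):
        print(f"REVIEW {name!r}: {reason}")
```

Neither heuristic is proof on its own: a colleague dialling in from a second device will also show up as a silent duplicate, so the output is a review queue for the account owner, not an automatic block. Paired with the NDA clause suggested earlier in the thread, it gives the account team something concrete to raise with the client rather than relying on them to self-report.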