Bald Stalin
Jul 11, 2004

In an enterprise context, how risky is it allowing BYOD Android devices to be used for Push/SMS/Voice 2FA and email access? Is BYOD just a joke in the first place and you don't allow it period? But if you do allow it, what is your policy on Android version/security updates?

Bald Stalin
Jul 11, 2004

So no concerns if they're running a device that no longer receives security updates?

I'm wondering if we need to get Finance to change our T&E policy to allow for partially or fully paying for new phones every 2 years, since we don't give out company phones and require them to log in.

Bald Stalin fucked around with this message at 08:18 on May 17, 2019

Bald Stalin
Jul 11, 2004

BangersInMyKnickers posted:

If they're using the native activesync connector you should be getting the android version running on the other end. Collect those logs, audit them once or twice a year, and cut off the most egregiously out of date devices and tell them to update or upgrade

Yes I have full insight, our mfa service requires a small app on their device so I know we have old android devices out there. If we cut them off because we require a minimum version of android, but we also explicitly won't reimburse them for a new phone or at least partially reimburse, that's a dick move, no? They can say "I can't afford a new phone but you require me to have it to log in to our systems. Either pay for a new phone for me, give me a phone, or disable the 2fa requirement when logging in to applications."

I wonder what goons' opinion on this is, I feel like I need to have management change company policy to reimburse for phones since we currently require byod and 2fa leveraging the device they bring.

Or just accept the risk and allow old android 6 or android 7 devices?
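The audit loop suggested above (collect the OS version each device reports, compare it against a floor, cut off the stragglers) is mostly version-string parsing done carefully, because "Android 10" has to sort above "Android 8.1.0" and a blank or vendor-mangled OS field must not silently pass. The following is an added example, not code from the thread or from any MFA/ActiveSync product; the CSV export, its column names and the minimum-supported versions are constructed assumptions, so set the floor from the vendor's current support table.

```python
"""Audit mobile-device OS versions against a minimum supported release.

Added example. The records are a constructed stand-in for the per-device
OS strings an MFA, MDM or ActiveSync console exports; column names and
the MIN_SUPPORTED floors are assumptions for the example.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample export: user, device model, reported OS string.
SAMPLE_EXPORT = """\
user,model,os
alice,Pixel 3,Android 10
bob,Galaxy S7,Android 7.0
carol,Galaxy S5,Android 6.0.1
dave,iPhone 8,iOS 13.3
erin,Moto G5,Android 8.1.0
frank,Galaxy S4,Android 5.1.1
grace,Unknown,N/A
"""

# Oldest release per platform still receiving security updates
# (assumed values; take them from the vendor's support table).
MIN_SUPPORTED = {"Android": (8, 0), "iOS": (12, 0)}

_OS_RE = re.compile(r"^(?P<platform>[A-Za-z]+)\s+(?P<version>\d+(?:\.\d+)*)$")


def parse_os(os_string):
    """Return (platform, version_tuple) for 'Android 7.1.1'; None if unparseable."""
    m = _OS_RE.match(os_string.strip())
    if not m:
        return None
    # Tuples compare numerically per component, so (10,) > (8, 0) and (8, 1, 0) > (8, 0).
    version = tuple(int(part) for part in m.group("version").split("."))
    return m.group("platform"), version


def audit(export_text, minimums=MIN_SUPPORTED):
    """Bucket each record into 'ok', 'cutoff' or 'unknown'.

    'unknown' collects rows whose OS field could not be parsed or whose
    platform has no floor configured; those need a human look rather than
    a silent pass.
    """
    result = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        parsed = parse_os(row["os"])
        if parsed is None:
            result["unknown"].append(row["user"])
            continue
        platform, version = parsed
        floor = minimums.get(platform)
        if floor is None:
            result["unknown"].append(row["user"])
        elif version >= floor:
            result["ok"].append(row["user"])
        else:
            result["cutoff"].append((row["user"], row["os"]))
    return dict(result)


if __name__ == "__main__":
    buckets = audit(SAMPLE_EXPORT)
    print("still supported:", buckets.get("ok", []))
    print("needs review:   ", buckets.get("unknown", []))
    for user, os_name in buckets.get("cutoff", []):
        print(f"cut off {user}: {os_name} is below the supported floor")
```

Running it against the constructed export lists bob, carol and frank for cut-off and sends grace's unparseable record to the review pile instead of letting it through; an export with a platform you have not configured a floor for lands there too.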

Bald Stalin
Jul 11, 2004

We pay a $75 a month stipend for cell phones but we don't reimburse for buying a whole new device.

Bald Stalin
Jul 11, 2004

Apparently Google is being sued due to the 'someone has signed into your account' false positive that triggered thousands of people-hours in various company security teams? Apparently Roche freaked the gently caress out, and they're huge.

Bald Stalin
Jul 11, 2004

A vendor we are going to transfer data with via SFTP has a problem with their self-service SFTP password generation tool. So we engaged their support. After a while of them going nowhere fast they set a password themselves and put it into some third party free online 'one time encrypted link' service. It's free, they don't have a contractual agreement with this third party. Is this fine because the free third party service claims to store everything securely without them knowing what is being stored before it's accessed once then deleted? Or is this problematic because it could all be bs?

Bald Stalin
Jul 11, 2004

They're our Purchase Ordering system. We were going to automate user provision/deprovision. So it's user metadata like names email department job title manager, not actual financials, but still... It was L1 support deciding to put the password into this 3rd party service not an engineer. We can't reset it ourselves. I asked them to reset it and send to me via some other method but who the gently caress knows how the password is getting regenerated and passed around their systems.

Bald Stalin
Jul 11, 2004

Scientists and research assistants are notorious for buying lab instruments that come with rando win7 machines 'thrown in' on the $100,000+ equipment order and not telling IT. Then they use USB flash drives to transfer the data to their machine for analysis. Then they ask service desk for help 18 months later when the machine shits the bed and it's 'urgent'.

Bald Stalin
Jul 11, 2004

evil_bunnY posted:

Get out of my head.

"Hi can you come help us in the formulations lab ASAP? We have an engineer from Japan on-site today to install our specialized HPLC that we bought 3 months ago but didn't tell you and he has to fly back in 2 hours but there's no network port on this side of the lab and the PC doesn't have wifi oh and it's win7 sp2 and needs to connect to the internet"

How's that?

Bald Stalin
Jul 11, 2004

CLAM DOWN posted:

I once had a family member ask me if I could "hack faster wifi onto her phone" so in this day and age words really are meaningless

Hack means to write quick code to solve a problem. So they were asking for a quick fix, so they were using it half-correctly?

Bald Stalin
Jul 11, 2004

CLAM DOWN posted:

Hack my balls you gently caress man

this is me right now https://www.youtube.com/watch?v=bcAACOrgVKE

Bald Stalin
Jul 11, 2004

The Fool posted:

ADFS and SAML is my crusade

eventually all services will fall under my identity and authentication management

We enshrined this in policy. Any new SaaS application must support SAML. We've now helped 3 small boutique SaaS vendors implement SAML support. Usually we're able to get them to do it for about $2k one-time fee written into the SoW, meeting them half-way on their costs.

Bald Stalin
Jul 11, 2004

Volmarias posted:

Huh, it just keeps guessing "f@rts69" over and over again.

Because it learned which accounts use this password. It's correct each time.

Bald Stalin
Jul 11, 2004

Google Push 2FA seems like a flaky service. I tried initiating from my work G Suite and my personal Gmail just now, not popping up on my just-rebooted android. This has happened once before last month, it just started working on its own again 30 mins later.

edit: it just started working again. Flaky as gently caress.

Bald Stalin fucked around with this message at 22:26 on Jul 7, 2019

Bald Stalin
Jul 11, 2004

Anyone here ever used Zoom on a Mac or support Mac users?

https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/

Bald Stalin
Jul 11, 2004

What do y'all do about browser extensions in your organizations? Are they an attack vector and if so are you blocking/locking down your browsers? We push a Chrome config down with G Suite with our own company Bookmarks and extensions for our software but we allow users to install their own extensions and log in to Chrome with their personal gmail. Plus they can use Firefox too. I'm seeing chatter that browser extensions can basically be turned into keyloggers and poo poo?

Bald Stalin
Jul 11, 2004

Subjunctive posted:

Browser extensions have privileges roughly equivalent to an application they install. You can definitely get hosed that way.

Thank you. So it really needs to be considered and not ignored. We took away local admin rights, we should probably take away extension free-for-alls. Tier 1 support got a ticket last week that a user was getting random popups when browsing. It was a bad extension.

Can a browser extension steal a password?

stevewm posted:

We use Chrome.... UBlock is installed by default, and another extension we use for Gmail attachments is whitelisted so it can be installed if needed. Outside of that users cannot install additional extensions. We also only allow sign-in to Chrome with our own domain and password syncing is disabled. We also push some managed bookmarks down. This is all done via GPO.

Chrome is the only browser allowed and indeed it is the only one installed.

How is your team planning to address Google stopping uBlock? I heard they're introducing changes that render them (adblockers) ineffective.

Bald Stalin fucked around with this message at 17:35 on Jul 22, 2019

Bald Stalin
Jul 11, 2004

duz posted:

Yes, it can access anything on the page. You used to be able to exfiltrate local files without the user's knowledge as well. Or install things, but that was more noticeable with the default Windows security settings. There's more controls now and I haven't bothered digging into them to see how to get around them.

Then my organization needs to create an extension whitelist and lock down our browsers. I have lots of work to do! *sigh*

Bald Stalin fucked around with this message at 23:16 on Jul 23, 2019

Bald Stalin
Jul 11, 2004

Subjunctive posted:

True in all aspects.

I gave my boss the extension security rundown and he agreed. He also then asked what extensions we should whitelist including password managers. I have to find a way of generating a report of what extensions users have on their Chrome browsers on company-owned laptops but not necessarily logged in to company-owned g suite accounts with them. Just to get an idea of what we're possibly going to break or what we have to whitelist, to go into company-wide comms about the whole initiative.

He also asked me to recommend 2 or 3 password managers that we will in turn recommend to users after he said "we probably need to whitelist people's lastpass extensions" and I said "oh the internet told me lastpass sucks!"
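The inventory problem described in this post (what extensions are actually installed on company laptops, including under personal Chrome sign-ins that the admin console never sees) can be answered from disk, because Chrome keeps every installed extension under `<profile>/Extensions/<32-character id>/<version>/manifest.json` (on Windows the default profile is `%LOCALAPPDATA%\Google\Chrome\User Data\Default`). The same scan also previews stevewm's lockdown model: feed it the allowlist you intend to push (Chrome's `ExtensionInstallAllowlist` / `ExtensionInstallBlocklist` policies) and it shows what would break, and it flags manifests whose permissions give page-wide read/alter access, which is the capability the keylogger worry is about. This is an added example, not the thread's code or Google's tooling; the extension IDs, manifests and allowlist are constructed, and the `HIGH_RISK` permission set is an assumption to tune to your own policy.

```python
"""Inventory installed Chrome extensions from a profile directory and
preview the effect of an allowlist.

Added example, not from the thread. Chrome stores each installed
extension as <profile>/Extensions/<id>/<version>/manifest.json; the
profile built by make_sample_profile() is a constructed imitation of that
layout. Extension IDs, manifests, the allowlist and HIGH_RISK are all
assumptions for the example.
"""
import json
import tempfile
from pathlib import Path

# Permissions that let an extension read or alter every page, enough for
# keylogging, credential capture or content tampering. Assumed policy value.
HIGH_RISK = {"<all_urls>", "http://*/*", "https://*/*", "webRequest",
             "webRequestBlocking", "debugger", "nativeMessaging", "tabs",
             "cookies", "clipboardRead"}

# Constructed IDs (real Chrome IDs are 32 letters a-p); not real store IDs.
EXT_ADBLOCK = "a" * 32
EXT_MAIL = "b" * 32
EXT_COUPON = "c" * 32
EXT_THEME = "d" * 32
EXT_BROKEN = "e" * 32

# The allowlist the organisation intends to push (constructed).
SAMPLE_ALLOWLIST = {EXT_ADBLOCK, EXT_MAIL}

SAMPLE_MANIFESTS = {
    EXT_ADBLOCK: {"name": "Ad Blocker (sample)", "version": "1.2.0",
                  "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"]},
    EXT_MAIL: {"name": "Mail Attachment Helper (sample)", "version": "0.9",
               "permissions": ["storage"],
               "host_permissions": ["https://mail.example.com/*"]},
    EXT_COUPON: {"name": "Coupon Finder (sample)", "version": "3.1.4",
                 "permissions": ["tabs", "cookies"],
                 "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]},
    EXT_THEME: {"name": "Dark Theme (sample)", "version": "2.0", "permissions": []},
}


def make_sample_profile(root):
    """Build a fake <profile>/Extensions tree that mirrors Chrome's layout."""
    profile = Path(root) / "Default"
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        ext_dir = profile / "Extensions" / ext_id / manifest["version"]
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest))
    # One corrupt manifest so the scan shows how an unreadable entry is handled.
    broken = profile / "Extensions" / EXT_BROKEN / "0.1"
    broken.mkdir(parents=True)
    (broken / "manifest.json").write_text("{not json")
    return profile


def inventory(profile):
    """Return (records, unreadable_ids): one record per installed extension version."""
    records, errors = [], []
    for manifest in sorted(Path(profile).glob("Extensions/*/*/manifest.json")):
        ext_id = manifest.parent.parent.name
        try:
            data = json.loads(manifest.read_text())
        except (OSError, ValueError):
            errors.append(ext_id)
            continue
        perms = set(data.get("permissions", [])) | set(data.get("host_permissions", []))
        for script in data.get("content_scripts", []):
            perms.update(script.get("matches", []))  # page access via injected scripts
        records.append({
            "id": ext_id,
            "name": data.get("name", "?"),  # real manifests may carry a localised __MSG_ key here
            "version": manifest.parent.name,
            "permissions": sorted(perms),
            "high_risk": sorted(perms & HIGH_RISK),
        })
    return records, errors


def report(profile, allowlist):
    """Split the inventory into allowed, would-be-blocked and risky sets."""
    records, errors = inventory(profile)
    return {
        "allowed": [r for r in records if r["id"] in allowlist],
        "blocked": [r for r in records if r["id"] not in allowlist],
        "high_risk": [r for r in records if r["high_risk"]],
        "errors": errors,
    }


def run_demo():
    """Build the constructed profile in a temp directory and report on it."""
    profile = make_sample_profile(tempfile.mkdtemp())
    return report(profile, SAMPLE_ALLOWLIST)


if __name__ == "__main__":
    result = run_demo()
    for bucket in ("allowed", "blocked", "high_risk"):
        print(f"{bucket}:")
        for r in result[bucket]:
            print(f"  {r['id'][:8]}... {r['name']} {r['version']} risky={r['high_risk']}")
    print("unreadable manifests:", result["errors"])
```

Pointing `inventory()` at real profile directories (one per local user, not only the one signed in to the company account) and collecting the output centrally gives the "what will we break" list for the company-wide comms; the `high_risk` bucket is the short list to look at first, and note that a legitimate ad blocker lands there too, since blocking ads needs the same page-wide access an attacker would want.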

Bald Stalin
Jul 11, 2004

If y'all had to recommend not one but at least 2 paid password managers to consumers, what would you recommend in addition to 1password?

Bald Stalin
Jul 11, 2004

Powered Descent posted:

Or (since it turns out it's actually pretty hard to decrypt traffic like that), make it PD's Internet Cafe, where I also provide the workstations. That way I can run an internal CA, push out my own root cert, and extremely effectively MITM every bit of everyone's communications. Is it legally fine for me to do this? Can I, for my own amusement, peruse the transaction history that was displayed to you when you logged into your bank account? What about if I publish it? Or publish everything I've captured, credentials, passwords and all?

Did you have the customer sign something before they used your service which included telling them this would happen?

Bald Stalin
Jul 11, 2004

We're implementing a HRIS including payroll, all in one. I'm the only IT person on the project. HR are refusing to give me full admin access during development/testing, instead insisting that we do this incremental 'restrict all your access as much as possible until you hit a wall and then we'll take a day or two figuring out how to give you the additional access you need to get this ready by go-live date, but also go-live date will NOT be pushed out even if the IT aspects of this aren't ready' because they're worried I'm going to look up people's SSN and salary. I'm domain admin, admin of everything in our environment. I can do all sorts of poo poo to get to this data anyway.

But this isn't the funny part to me.

Now they've decided because it's also payroll that there's SOX implications and so HR/Payroll shouldn't be assigning their own elevated permissions in the HRIS, instead IT will receive a ticket/approval and then grant the access in HRIS to the HR/Payroll worker. So now my deliberately restricted custom role in HRIS can assign permissions. Including full admin permissions. To myself...

Bald Stalin
Jul 11, 2004

Defenestrategy posted:

According to an FBI guy that came and gave a talk to the InfoSec department at my school: the Chinese are scouring college campuses for people like us (IT/CS nerds), and they'll give you tuition assistance, and a stipend to grab any kind of government/DoD contractor job, also that they'll bribe you with northwards of 250k to pass on information, but that was being a cheap date and you should ask for more.

What I'm saying is the Chinese seem to be way kinder to american entry level college grads than American companies.

Proving once again Bernie is right to push for free college education.

Bald Stalin
Jul 11, 2004

mllaneza posted:

We had an instrument vendor tell us that their software didn't really support Win10, but they could usually get it running on 32-bit Win 10. So I tried to get a machine set up with a 32-bit LTSC image. It turns out that HP doesn't do 32-bit Win 10 drivers any more, so we had to have them set up a system. Usually we hate vendor machines, but we had no choice here.

Lab instrument vendors need to gently caress off with their "we only support windows 7" bullshit. Linux is fine but there are literally cutting edge scientific instrument vendors that only support win7. That's insanity.

Bald Stalin
Jul 11, 2004

Does accessing the email require 2fa?

Bald Stalin
Jul 11, 2004

Originally got my cell phone in Oakland CA. No longer live in that rough as guts neighborhood. 12 years later got cussed out something shocking by some tough dude that didn't know spammers spoof numbers. Went something like:

me: hello
angry man: yo who dis?
me: you called me...
angry man: cocksucker you called my motherfucking phone now who are you??!
me: yo momma's new boyfriend, bitch*

*I didn't say this bit

Bald Stalin
Jul 11, 2004

I found this amusing, watch til the end

https://www.tiktok.com/@that_investor/video/7286955841541000490

Bald Stalin
Jul 11, 2004

Remembering the time our boss had us implement rapid7 ($$$$$$$) then we didn't have enough resources to act on anything. Big tick from the board though.

Bald Stalin
Jul 11, 2004

I'm looking to switch from IT infrastructure/ops to entry level security. Despite having some tangential security responsibilities in my prior role, tons of Identity management experience and broad general knowledge/experience in IT infra, I suspect I'm not getting past the recruiter filter much due to no cert. What's a relatively simple cert that might get me past this hurdle in some cases?

Bald Stalin
Jul 11, 2004

Kicking off my security+ learning, and have just found out there's a new exam as of last month, 701. All the materials I have are 601 and new 701 stuff is pricey to buy rn. Reckon I can just go with all the good 601 material I have and see how I go, or does anyone know if there's major changes that this will lead to loving up?

Bald Stalin
Jul 11, 2004

Studying Security+ after 15 years in IT Ops/Infra and it's very cool.

"Oh THAT'S what that's called"

"Oh THAT'S why we did that"

"Oh THAT'S what my boss told us to do incorrectly with massive risk"

Bald Stalin
Jul 11, 2004

Yanis Varoufakis deep dives a lot of what you're talking about spankmeister. He wrote a book (on Spotify if you have premium and don't wanna pay more) called Technofeudalism. He's hyperbolic about how it's a new era separate from Capitalism, but he goes into great detail about US Capital dominating the tech space, Europe failing to compete resulting in what you're alluding to, and China building its own separate tech (the great firewall wasn't just about censoring Chinese people googling Tiananmen Square). Now companies like MS are able to extract rent in whole new ways, amongst other things.
