
it's the scariest loving thing because i'm watching off-shore gas processing facilities going into production with equally lax configuration on them. they're being commissioned in korea and the company has gone hard on lowest $ tender which means they've ended up with poo poo and we're just made to produce punch-lists of poo poo which is hosed and may or may not get fixed. makes me sick to my stomach thinking i could be responsible if a system goes to piss and the onshore plant goes boom or something equally disastrous. i didn't build these systems, i just tried to force people to make them not shite and do things properly (because if you're not prepared to do something properly then you shouldn't loving do it)

# Feb 7, 2017 18:06

# May 21, 2024 01:26

they might have an open git repo idk

edit: nothing to see there, they're just screencapping logs from WP. also their WP install is patched to latest and they have a competent host.

Pile Of Garbage fucked around with this message at 19:00 on Feb 7, 2017

# Feb 7, 2017 18:57

ate all the Oreos posted: coworker today: "it was giving me some kind of 'self-signed certificate' error but don't worry i took care of it"

disabled https prolly lol. comedy option: he/she added the self-signed cert to the default domain policy so it will be added to the trusted store on all machines

# Feb 8, 2017 07:11

loll

# Feb 8, 2017 09:17

Fergus Mac Roich posted: would this be really bad even on a company intranet site?

yes because you can't revoke a self-signed cert. also other reasons that i'm not immediately remembering.

# Feb 8, 2017 13:05

Powaqoatse posted: out of poo, like a scarab

mlyp

# Feb 9, 2017 18:45

work secfuck: we've just discovered that one of our EPCs is "sharing" data with us from an SMB share that's exposed to the internet. it appears they've at least configured fw policies to only allow connections from our main static NAT IP but loving lmao

# Feb 13, 2017 08:48

HOLY gently caress found a batch file in there which maps a drive for installing crystal reports and the batch file has a username + password right there in plain text. lol this is hilarious

edit: lol found another batch file with sqlcmd lines in it, both have username + password in the clear. it looks like they have an MS SQL DB instance on this same IP laffo

Pile Of Garbage fucked around with this message at 09:00 on Feb 13, 2017

# Feb 13, 2017 08:54
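A sweep for exactly the two things found on that share, as an added example (not code from the post or the thread): it scans batch files for `net use` drive mappings and `sqlcmd` invocations that carry a password in the clear and reports each one with the password redacted. The file names, share path, server address and credentials below are constructed for the example.

```python
import re

# Constructed sample batch files modelled on the post: a drive mapping for an
# installer and an sqlcmd invocation, both with credentials in the clear.
SAMPLE_BATCH_FILES = {
    "map_crystal.bat": r"""@echo off
net use Z: \\fileserver\installs Summer2017! /user:CORP\svc_install
Z:\crystal\setup.exe /quiet
net use Z: /delete
""",
    "load_data.bat": r"""@echo off
sqlcmd -S 10.0.0.5 -U sa -P "P@ssw0rd" -Q "EXEC dbo.usp_load"
sqlcmd -S 10.0.0.5 -E -Q "SELECT 1"
""",
}

# net use [<drive>:] \\server\share <password> /user:<name>
# The password is the bare token between the UNC path and /user:; "*" means prompt.
NET_USE_RE = re.compile(
    r"^\s*net\s+use\s+(?:[a-z]:\s+)?(\\\\\S+)\s+(?!/)(\S+)\s+/user:(\S+)",
    re.IGNORECASE)
# sqlcmd ... -U <user> ... -P <password> (either value may be quoted)
SQLCMD_USER_RE = re.compile(r'\s-U\s+("[^"]*"|\S+)')
SQLCMD_PASS_RE = re.compile(r'\s-P\s+("[^"]*"|\S+)')

def redact(secret):
    """Report only the length so the finding does not re-expose the secret."""
    return "<redacted %d chars>" % len(secret.strip('"'))

def find_cleartext_credentials(name, text):
    """Return (file, line_no, kind, user, redacted_password) per credential found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = NET_USE_RE.match(line)
        if m and m.group(2) != "*":
            findings.append((name, line_no, "net use", m.group(3), redact(m.group(2))))
            continue
        if re.match(r"^\s*sqlcmd\b", line, re.IGNORECASE):
            u, p = SQLCMD_USER_RE.search(line), SQLCMD_PASS_RE.search(line)
            if u and p:  # -E (trusted connection) lines carry no -P and are skipped
                findings.append((name, line_no, "sqlcmd", u.group(1), redact(p.group(1))))
    return findings

def scan(files):
    """Scan a {filename: contents} mapping and return all findings in order."""
    return [f for name, text in files.items() for f in find_cleartext_credentials(name, text)]

if __name__ == "__main__":
    for finding in scan(SAMPLE_BATCH_FILES):
        print("%s:%d %s user=%s password=%s" % finding)
```

Mappings that prompt for the password (no token, or `*`) and `sqlcmd -E` trusted connections produce no finding, so the output is only the lines that actually need fixing.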

https://twitter.com/larao68/status/831297085496401920

# Feb 14, 2017 02:23

spankmeister posted: Notorious BGP

# Feb 15, 2017 01:20

Winkle-Daddy posted: All the discussion in media of file-less malware has got me interested in how this is actually accomplished. Does anyone have any links to decent write-ups for how you can actually inject malicious code into memory without touching the filesystem at all? I'm not sure what the techniques for this are.

pretty much all modern malware which is spread via drive-by infects clients entirely in memory before ever touching the file system, usually through arbitrary code execution using buffer overflow exploits and then chained with a privilege escalation exploit to run as system. after that they'll usually touch the file system in some way to root the machine thus ensuring that they remain resident. however after i wrote the above i saw the link you posted which clarifies "file-less" malware as simply malware which covers its tracks when interacting with the file system. so yeah, same stuff applies i guess?

edit: i've been making a lot of dumb posts recently so someone please call me out if i'm an idiot

Pile Of Garbage fucked around with this message at 19:55 on Feb 16, 2017

# Feb 16, 2017 19:53

Wheany posted: well on one hand, i don't really need bitlocker, but on the other, doesn't everybody need it? like it probably shouldn't be a "pro" feature in cyber year 2015

maybe i'm cynical but upselling is the reason IMO. a large majority of users don't know what bitlocker is and don't care so microsoft can make it a pro feature and get more money from the people who do know and care without affecting regular users.

# Feb 18, 2017 12:04

ate all the Oreos posted: i actually like and use docker all the time and i'm pretty sure it's still a net negative on the world because it seems like nobody in the loving world but me knows how not to gently caress it up in laughably terrible ways

i know what docker is but i've never actually used it. however whenever i hear colleagues mention it i quietly lol because of exactly that. it seems like one of those things which is easy to get into but easy to fuck up.

# Feb 22, 2017 15:09

cinci zoo sniper posted: so, i was browsing startups...

quote: SECURITY IS NOT AN OPTION!

except for HTTPS i guess which their website doesn't support...

e: copyright date in the footer is 2016, site is prolly long ded

# Feb 22, 2017 15:24

has anyone ever done research into URL shortening services like bitly? i've just noticed that raytheon is one of their customers (rtn.co) which has me interested.

e: who is going to bsides next month? not me because i suck

Pile Of Garbage fucked around with this message at 13:16 on Feb 27, 2017

# Feb 27, 2017 13:10

i'd set up an IPsec tunnel between the two servers

# Feb 28, 2017 04:35

i'm probably dumb but does that only affect proxysg os v6.5 or is it v6.5 and later? we're actually in the process of trying to upgrade our pair of blue coats, one is on 6.6 but the other is on 6.5 so lol

# Feb 28, 2017 07:51

xpost, holy lol

yincoherent posted: Please regale me in your stories today of management asking you, personally, to contact Mr. Zon to ask what's up with the cloud.

# Mar 1, 2017 06:06

lol nice

# Mar 1, 2017 06:13

Thanks Ants posted: i once had a discussion with a developer who claimed that he was going to 'bolt the security on at a later date', maybe he works for you guys now?

i hope that dev is now dead. loving ignorant bastard. it's exactly that attitude which is the cause of all our problems. pissssssss

# Mar 1, 2017 18:35

BangersInMyKnickers posted: lmbo symantec

gently caress this product

ftfy. real talk though, if you've got on-premise exchange trend micro scanmail seems pretty OK. i've only had to install it and manage the exchange instances it's on but it seems very set-and-forget, never had any issues. ofc you shld be doing anti-spam/av/whatever at the edge before it even hits your network but lol idk

# Mar 1, 2017 20:28

Thanks Ants posted: he's still alive and has since become the sort of person who wears odd socks on purpose to prove how laid back he is

gently caress me the man's an insufferable singularity i really do hope he dies

e: mlmp

# Mar 1, 2017 20:42

BangersInMyKnickers posted: we're doing this because the edge is so misconfigured that it lets every possible thing through and I can't control it. and we are "standardized" on symantec so SMS was my only recourse and they block purchase of anything else

ah poo poo my condolences, especially if you've got messagelabs (now symantec.cloud) as your edge MTA. that product is hot garbage. for example, they recently got more than half of their MXs blacklisted by some prominent RBLs. who the gently caress even lets that happen?

# Mar 1, 2017 21:29

Varkk posted: Not a security fuckup, just a regular fuckup.

you're a fuckup

Varkk posted: We use teamviewer host pushed out via GPO to avoid that. However we still have some external clients with no domain infrastructure where this can be an issue.

edit: props to ratbert who actually pointed this out several posts up

Pile Of Garbage fucked around with this message at 03:07 on Mar 3, 2017

# Mar 3, 2017 00:38

Truga posted: the s in iot stands for security

spankmeister posted: new thread title pls

mods plzz

# Mar 5, 2017 08:32

flosofl posted: I just managed to bully a client cert out of the help desk for my VPN app. They were going to call me on my "on-file" contact number with the passphrase to unlock the key for import. No worries guys, I managed to get it in one guess: CompanyName123

yeah, with HR whilst being sacked for violating corpsec policy!

# Mar 5, 2017 11:00

jammyozzy posted: Are SSL Lab screenshots still cool? I got linked to a customer portal today that immediately threw a cert error and, well:

only if you name and shame. the lack of TLS 1.2 support is pretty funny, must be an ancient and/or incredibly poorly configured server

# Mar 8, 2017 09:30

firefox v52.0 has a new captive-portal detection feature which works by sending an HTTP GET to http://detectportal.firefox.com/success.txt. however it seems to do it extremely aggressively (from looking at my session logs sometimes once every minute). i'm sure there's a secfuck in here somewhere. also it's dumb that it's requesting a literal file instead of just looking for an HTTP 200 (maybe? i'm probably dumb, could depend on how the captive portal works).

# Mar 8, 2017 15:35

Wiggly Wayne DDS posted: ya abusing captive portals is in the cia's docs where they outline that the https cert for captive.apple.com is a big pain in the rear end and they'd never be able to source it

Truga posted: well https returns bad domain with cloudflare cn, so unless they're doing some http header magic, it's probably bad

yeah they definitely appear to be doing it in the clear, i can see the requests for straight plain HTTP on tcp/80. and as Truga said the endpoint is listening on tcp/443 but has a bad cert so unlikely they're using HTTPS

e: my dumb idiotfucker tweet about the thing: https://twitter.com/GarbageDotNet/status/839476937441476608

Pile Of Garbage fucked around with this message at 16:58 on Mar 8, 2017

# Mar 8, 2017 16:54

apseudonym posted: Captive portals are garbage so you have to test http if you plan to send anything plaintext, since they may let HTTPS through unmolested but then gently caress up HTTP. Pretty much everyone does this but usually only when you move networks or if something looks particularly off.

i've actually been dealing with some cisco anyconnect VPN fuckery recently and yeah captive portals are turbo retarded. things become immensely more complicated if you're directing users to use a VPN that implements split-tunnel or even split-DNS.

# Mar 8, 2017 17:00

i didn't need to see that...

# Mar 8, 2017 20:29

fisting by many posted: what is going on with that child's spine

no spines where we're going

# Mar 8, 2017 20:58

Shaggar posted: code signing is cool and good and it's good for people to think about it even if it's for silly poo poo like a text editor.

i've seen np++ installed (yes installed, not just the portable exe) on a hilarious number of dev and prod application servers (usually SAP). unfortunately i do not have the clout to stop them so it's at least nice that the np++ dev is conscious of security

# Mar 9, 2017 07:21

Ask Slashdot: Should You Use Password Managers?

https://ask.slashdot.org/comments.pl?sid=10340101&cid=54003917 posted: By "Password Manager" do you mean..

https://ask.slashdot.org/comments.pl?sid=10340101&cid=54003667 posted: Haha, no. For the same reason you don't keep all your valuables in one safe.

hrm

https://ask.slashdot.org/comments.pl?sid=10340101&cid=54004807 posted: Should I trust my IP TV: Yes!

lol what a dingus. there's also plenty of comments where people are bragging about their super unique passphrase algo. morons. ofc it is slashdot after all

# Mar 9, 2017 08:35

i'm still using password safe with a local DB on an encrypted volume because it works for me. it would probably be convenient having browser integration or whatever

# Mar 10, 2017 06:58

Volmarias posted: Uncompressed mp3s?

...WAVs?

# Mar 14, 2017 05:31

can someone explain to me what fortinet is doing here using a weird CN for the cert of their UTM sig update service? also lol trying to run SSL Labs against update.fortiguard.net returns internal errors

# Mar 15, 2017 14:26

corporations shouldn't need to be encouraged to do the right thing. maybe governments could implement stricter auditing regimens in conjunction with enhanced whistleblowing protections and set up federal bug-bounty programs which encourage security-conscious developers to come forward and report secfucks in the products they're developing? kinda like what the FDA does i guess

# Mar 15, 2017 15:36

flakeloaf posted: that just creates space for an unethical person in a less-regulated place to step up and occupy the niche. like when you shoot all the skunks in your garden and raccoons move in and you say "man do i wish i had the skunks back"

imo carrier-level blocking sets a dangerous precedent and would not be effective. sure you could block the majority of layer 4 C&C traffic but what about layer 7 C&C which is piggybacking off a legit service like twitter? unless you want SSL intercept with deep-packet inspection then holy pisssss

# Mar 15, 2017 15:43

there's been zero motivation from governments to even form a somewhat rudimentary framework of standards and oversight for the industry. as the public cannot mentally attribute damages from criminal enterprise to their fridge or smart TV there is no mass public outcry calling for change. unless someone actually dies horribly from an IoT toaster/lawnmower then we more than likely will not see much movement in the space. and if someone does die then look out, here cum the lobbyists.

# Mar 15, 2017 16:01