|
cool new thread for a cool new world
|
# ¿ Jun 27, 2017 02:49 |
|
|
Lain Iwakura posted: i'll let this slide for tonight but tomorrow, there better be some gently caress ups
|
hold my beer
|
# ¿ Jun 27, 2017 07:32 |
|
off the back of that wannacry/petya/whatever garbage a lot of security projects have been approved and funded where i work, one of which is LAPS which i'll be rolling out to our entire server fleet. i think some of y'all have done the same, any gotchas to be aware of? TIA
|
# ¿ Jul 5, 2017 04:51 |
|
oh yeah actual secfuck: today i found a couple of standalone windows servers in our environment that had their local Guest accounts enabled and they'd been added to the local Administrators group. oh and they also weren't being patched but that pales in comparison. pretty sure it was a former coworker who is responsible for that fuckery but he left about 3 months ago so i can't tear his trachea out.
|
# ¿ Jul 5, 2017 11:07 |
|
Shinku ABOOKEN posted: i didn't think windows server even had a guest account
|
yeah it does but it's disabled by default out of the box. it does have situational uses but it blows up your surface area if you don't know what you're doing.
|
# ¿ Jul 5, 2017 12:06 |
|
Perplx posted: easy file sharing so any random computer can open \\server\files
|
pretty much that. the servers i was peeping were meant to operate as "guest print servers" that would host print queues and allow unauth anon access to them. guest being member of administrators is not a pre-req for that ofc...
|
# ¿ Jul 5, 2017 15:41 |
|
can anyone ID that fortinet firewall visible top-right at 0:50? it looks like some kind of mutant 300D
|
# ¿ Jul 5, 2017 16:21 |
|
fortinet apparently give zero fucks about their gear appearing in that vid https://twitter.com/Fortinet/status/882620985874173952 e: actually it's dumb piss who cares
|
# ¿ Jul 5, 2017 16:36 |
|
pretty sure the B-series hardware still had the matte-black exterior and they didnae switch that up until the C/D series. the specific model is hard to place from that pic because on the left side it has 2x2 grouped interfaces and on the right it has that expansion area, but neither of those features match up with current models.
|
# ¿ Jul 5, 2017 16:51 |
|
lol this is good i've been looking for more reasons why im always wrong!
|
# ¿ Jul 5, 2017 17:30 |
|
Lain Iwakura posted: https://twitter.com/KateLibc/status/882644229901529089
|
nah not really. it's the crazy container dinguses that will truly doom us. making arbitrary execution infinitely portable with zero safeguards, yeah that's something which will end well
|
# ¿ Jul 5, 2017 18:16 |
|
yeah im poo poo at everything forever
|
# ¿ Jul 5, 2017 18:25 |
|
BangersInMyKnickers posted: not really, its gr8.
|
thanks, good to know. that's what i was leaning towards looking at the doco, it's super simple. already did the schema extension earlier on, now just need to do ACEs, set up GPOs and get our SCCM dude to package the CSE. way too easy
|
Wiggly Wayne DDS posted: essentially "look at this setup" and linking to
|
cheese-cube posted: yeah im poo poo at everything forever
|
# ¿ Jul 5, 2017 18:56 |
|
Wrath of the Bitch King posted: It's cake, just don't be retarded and try to deploy the client to a domain controller.
|
you mean target a DC with the group policy settings right? pushing the CSE to all machines should be fine as long as you aren't deploying any group policy settings for LAPS to those machines.
|
# ¿ Jul 5, 2017 19:04 |
|
Wrath of the Bitch King posted: There isn't a reason for the client to exist on a DC since it would never be utilized, for obvious reasons.
|
i would love for this to happen because then i'd actually be allowed to murder someone. bullshit aside, if your domain can be crippled by having the built-in domain administrator account password changed then you've done something wrong. from a supportability POV it is much easier to just deploy the CSE everywhere and then target via GPO (edit: especially if you're doing orchestration like we are). if someone does something as stupid as what you suggested then they get fired. out of a cannon. into the sun.
|
edit2: i've just remembered that you have to specifically delegate privileges to the SELF security principal in the OU containing computer objects so that they can update their own LAPS-related attributes. if you don't delegate these same privileges on the Domain Controllers or any other OU then the devices associated with the computer objects within that OU will be unable to reset their local admin password as they can't update the attributes on their relevant computer object. ofc that is all moot if you delegate full write for all extended attributes or some poo poo
|
BangersInMyKnickers posted: Will it even do something there? I assume it would rotate the domain services recovery password which creates a circular dependency but that seems like something MS would catch for and stop.
|
apparently it will change the domain built-in administrator account password? tbh i haven't tested that scenario
|
Pile Of Garbage fucked around with this message at 19:26 on Jul 5, 2017
|
# ¿ Jul 5, 2017 19:19 |
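|
As an added example for the LAPS rollout question earlier in the thread and the SELF-delegation caveat in the post above (this is not code from the thread, from Microsoft's LAPS documentation or from any poster): the legacy LAPS `AdmPwd.PS` module cmdlets for delegating one OU, followed by two checks a practitioner wants before calling the rollout done, namely who already holds "all extended rights" on the OU (and can therefore read `ms-Mcs-AdmPwd` regardless of delegation) and which computers have not actually rotated. The OU and group names are placeholders.

```powershell
# Added example, not the thread's own code. Assumes the AdmPwd.PS module from the
# LAPS installer and the RSAT ActiveDirectory module are available, and that the
# OU/group names below are replaced with your own.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ServerOU  = 'OU=Servers,DC=corp,DC=example'   # assumed: OU holding server computer objects
$ReaderGrp = 'CORP\LAPS-Password-Readers'      # assumed: group allowed to read passwords
$ResetGrp  = 'CORP\LAPS-Password-Resetters'    # assumed: group allowed to force a rotation

# 1. Let each computer object (the SELF principal) write ms-Mcs-AdmPwd and
#    ms-Mcs-AdmPwdExpirationTime on itself. Without this the CSE cannot store
#    the new password, which is exactly the undelegated-OU failure described above.
Set-AdmPwdComputerSelfPermission -OrgUnit $ServerOU

# 2. Delegate read and reset to specific groups instead of relying on whoever
#    already has full write on the OU.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ServerOU -AllowedPrincipals $ReaderGrp
Set-AdmPwdResetPasswordPermission -OrgUnit $ServerOU -AllowedPrincipals $ResetGrp

# 3. Audit: principals holding "All extended rights" on the OU can read the
#    confidential password attribute whether or not you delegated it to them.
Find-AdmPwdExtendedRights -Identity $ServerOU |
    Format-Table ObjectDN, ExtendedRightHolders -AutoSize

# 4. Rotation check: a computer whose expiration time is missing or already in
#    the past has not written a fresh password. Computers sitting in an OU that
#    was never delegated (e.g. Domain Controllers, if you targeted them) show up here.
$now = (Get-Date).ToFileTimeUtc()
Get-ADComputer -Filter * -SearchBase $ServerOU -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    Where-Object {
        -not $_.'ms-Mcs-AdmPwdExpirationTime' -or
        [int64]$_.'ms-Mcs-AdmPwdExpirationTime' -lt $now
    } |
    Select-Object Name, @{ n = 'Expires'; e = {
        if ($_.'ms-Mcs-AdmPwdExpirationTime') {
            [DateTime]::FromFileTimeUtc([int64]$_.'ms-Mcs-AdmPwdExpirationTime')
        }
    } }
```

Run step 4 again a day after the GPO applies: anything still listed either never received the CSE, is not in scope of the LAPS GPO, or sits in an OU where step 1 was skipped.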
|
deploying servers from a single template that is role-agnostic. much easier to have the CSE pre-installed than to deploy it after the fact once the server's role has been decided. i don't understand why you "loathe the shotgun approach for systems management" when establishing a common universal baseline is the best approach to systems management in almost all situations. imo you prolly have some hangups as to the efficacy of group policy or something. also don't talk to me about hosed up AD permissions. i've inherited an environment where every single ACE is 1000% pissssss but i've still seen worse than you can begin to imagine
|
# ¿ Jul 5, 2017 19:41 |
|
cool but yeah LAPS is cool, we did scope the project to implement it over a year ago but it's been in PM purgatory since then until the whole wannacry bs happened and the CFO just went and blanket approved any project that was sec related. gourd poo poo i guess but lol reactive is not appropriate attitude blah blah i shld gently caress poo poo up more often
|
# ¿ Jul 5, 2017 19:58 |
|
BangersInMyKnickers posted: Crypto Config Boogaloo 2017 Edition
|
hey sorry this was several pages ago now but i was wondering why you're prioritising DHE with GCM over ECDHE with CBC. from what i understand GCM provides better performance than CBC but not much more on the security side whilst ECDHE is an effective mitigation against logjam attacks. happy to be wrong though!
|
# ¿ Jul 8, 2017 07:10 |
|
just got this lovely e-mail from symantec today: we've got a wildcard cert issued by geotrust before that june 1st date and it's used in lots and lots of places. us i guess.
|
# ¿ Jul 12, 2017 03:28 |
|
fyi, manufacturers limit GPS performance so as to not exceed the limits defined in the MTCR annex (https://www.state.gov/t/avc/trty/187155.htm):
|
quote: Item 11 - Category II
|
if your hardware can operate in excess of those limits then it is not considered dual-use and is effectively a missile system which makes it subject to arms manufacturing/export rules and non-proliferation treaties. you'd probably end up in very serious trouble if you produced such a system in the US without a defence contract
|
# ¿ Jul 26, 2017 14:54 |
|
patriot pac-3 has drone shoot-down capability within a very broad altitude envelope. you better be packing some badass ruskie EW/traditional countermeasures friend
|
fake edit: holy lol, this bit from the patriot wiki article is a proper fuckup (https://en.wikipedia.org/wiki/MIM-104_Patriot#Failure_at_Dhahran):
|
quote: A government investigation revealed that the failed intercept at Dhahran had been caused by a software error in the system's handling of timestamps.[46][47] The Patriot missile battery at Dhahran had been in operation for 100 hours, by which time the system's internal clock had drifted by one-third of a second. Due to the missile's speed this was equivalent to a miss distance of 600 meters.
|
# ¿ Jul 26, 2017 17:02 |
|
i was semi-joking about using patriot for drone shoot-down. sure, it has the capability (allegedly) but it certainly is not cost effective. also unless something has changed the patriot SOP is to fire 2 missiles at each target which is kind of insane against a drone, especially in any urban setting (sure the second missile is sent a self-destruct command if the first missile takes out the target but it's still dangerous). IMO for anti-drone systems we'll probably just see existing naval CIWS (US phalanx, russian kashtan/pantsir-m) deployed on land. anything that is a drone and can get past a modern CIWS battery isn't a drone, it's a cruise missile.
|
e: just to clarify i'm talking about drones that aren't capable of stand-off engagement or engagement beyond line-of-sight. pretty much anything not made by raytheon or GA i guess...
|
Pile Of Garbage fucked around with this message at 17:53 on Jul 26, 2017
|
# ¿ Jul 26, 2017 17:44 |
|
afaik it's only enforced via technical means, as in the manufacturers are selling drones with firmware that says "do not take-off if you're inside these coords"
|
# ¿ Jul 26, 2017 18:06 |
|
just looks like a regular scam message? e: fb
|
# ¿ Jul 26, 2017 21:18 |
|
Ciaphas posted: not last i checked, no, the team doesn't have any sa members on it
|
lol the fuckin sa member directory oracle checking in here or some poo poo. a shittier fishmech
|
# ¿ Jul 26, 2017 21:29 |
|
do they hand out cards with USB connectors on them and/or RFID/NFC chips? e: the vegas strip is the most shameful attack vector by far
|
# ¿ Aug 1, 2017 15:19 |
|
BangersInMyKnickers posted: my fiber ISP isn't using link encryption so if you plug in directly to their box you also get a copy of all the traffic destined to the other houses on your segment. whoopsiedoodles. guess nobody noticed because the wan link on everyone's router just drops it
|
what box and what service are you on about?
|
# ¿ Aug 1, 2017 18:30 |
|
how is your service delivered? is it IP end-to-end like real GPON or is it VDSL/HFC?
|
# ¿ Aug 1, 2017 18:34 |
|
lol you're probably on VDSL and there's multiple VCs. that would cause a fuckton of spurious traffic. e: i wish i spuriously dead
|
# ¿ Aug 1, 2017 18:35 |
|
lol ok i guess i missed when you said PON. also i didn't know what PON is. maybe you should report this insanity or something idk
|
# ¿ Aug 1, 2017 18:49 |
|
BangersInMyKnickers posted: I am a little concerned with reprisal as a customer. Not really sure the best way to prove the point without giving them a pcap from my house and then they would know at minimum what node segment I'm on. They're still the best ISP available
|
reprisal as a customer? reprisal by the company against you for being a customer? i'm pretty sure any instance of them loving you up for attempting disclosure would be prosecutable. try and get a field tech on-site, one who is trained for PON instead of just PSTN garbage (sounds like you'll get one who is well trained most likely). go from there
|
# ¿ Aug 1, 2017 19:03 |
|
hobbesmaster posted:
|
australia where our consumer protection laws aren't exactly garbage i guess?
|
BangersInMyKnickers posted: Both seem like fun, viable possibilities in this situation regardless of them being the ones who installed the tap in my house. Is this something I can run through the FCC?
|
nfi about FCC but just get a tech on-site to replicate the fault (yeah yeah i know), the tech will talk the magic words back to whatever dinguses do provisioning on the backend and maybe things will get sorted?
|
# ¿ Aug 1, 2017 19:07 |
|
anthonypants posted: they're worried that if they deliver a pcap of their network traffic to their isp, they will deduce that they have been hacked and send fbi agents to their house. how have you not been on the internet for the past decade
|
lol thanks for shooting down all my ideas you cold war mccarthy weirdo, no one suggested handing over a pcap, what do you suggest?
|
# ¿ Aug 1, 2017 19:18 |
|
probably secfuck: our customer only supports one browser internally (IE11). apparently unmanaged and unpatched chome installs on endpoints is a big security issue for said customer (at least according to their head wizard). in this situation you'd think the best option would be to restrict chome on endpoints using something like applocker. well, the head wizard thought differently and instead decided to get our SCCM guys to package an enterprise version of chome that's updateable via SCCM and managed via group policy. this packaged version of chome was then deployed to the whole fleet. so, instead of having to worry about a handful of dinguses who have chome installed we now have to worry about the entire loving fleet. to make things worse an e-mail was sent to all personnel telling everyone about the chome deployment so they know that it's there. oh and the issue of deploying an unsupported browser has been "solved" by effectively blacklisting "*.companyname.com" in chome via group policy so that they cant access internal websites using the browser. e: oh yeah they also packaged it with abp instead of ublock origin which is dumb
|
# ¿ Aug 10, 2017 12:45 |
|
security is just a thing that you should think about and do whenever you do any IT thing.
|
delegating perms in AD? hmm maybe i can do this in a fine-grained per-attribute manner to support the principle of least privilege!
|
creating an ACL on an ASA? hmm maybe i should determine the specific ports that are required instead of just doing an allow all!
|
delegating perms on a server? hmm maybe this service account designed to run a script via scheduled task doesn't need local admin and instead i can delegate the specific user right for executing a batch task so it won't run in an elevated context!
|
importing a PFX key pair on a server? hmm maybe i should un-tick the "mark private key exportable" option!
|
delegating perms in a thing? hmm these built-in roles are fine but what if i created specific roles to delegate perms supporting the principle of least privilege!
|
it's just small dumb poo poo that everyone does every loving day that makes security secure
|
# ¿ Aug 10, 2017 18:33 |
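|
The per-attribute AD delegation from the post above, as an added example (not code from the thread or from any poster): instead of handing a helpdesk group "Full control" on an OU or dropping them into Account Operators, it writes one ACE that allows read/write of a single attribute (`telephoneNumber`), scoped to user objects beneath the OU, and then lists that group's ACEs so the scoping can be eyeballed. The OU, group and attribute are placeholders.

```powershell
# Added example, not the thread's own code. Assumes the RSAT ActiveDirectory
# module (which also provides the AD: PSDrive used by Get-Acl/Set-Acl) and
# that the OU/group/attribute below are replaced with your own.
Import-Module ActiveDirectory

$TargetOU  = 'OU=Staff,DC=corp,DC=example'   # assumed: OU containing the user objects
$Delegate  = 'CORP\Helpdesk-Tier1'           # assumed: group being delegated to
$Attribute = 'telephoneNumber'               # assumed: the one attribute they may edit

# schemaIDGUID of the attribute and of the "user" class. The ACE's ObjectType
# limits it to that attribute; InheritedObjectType limits it to user objects,
# so the group gets nothing on computers, groups or the OU itself.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$Attribute)" -Properties schemaIDGUID).schemaIDGUID
$userGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=user)" -Properties schemaIDGUID).schemaIDGUID

$sid  = ([System.Security.Principal.NTAccount]$Delegate).Translate([System.Security.Principal.SecurityIdentifier])
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$acl = Get-Acl -Path "AD:\$TargetOU"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify what the group can actually do under this OU. A healthy result is one
# ReadProperty/WriteProperty entry whose ObjectType is the attribute GUID. An
# entry with GenericAll, or an all-zero ObjectType together with WriteProperty,
# is the "full write on everything" over-delegation the thread complains about.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $Delegate } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The same pattern (attribute GUID as ObjectType, class GUID as InheritedObjectType) is what the Delegation of Control wizard produces for a per-attribute task; building it yourself just makes the scope explicit and scriptable across many OUs.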
|
stoopidmunkey posted: Sec fuckup I just became privy to: Our ticket tracking software has an asset management component. The vendor requires a service account that can ssh into a server and needs sudo access. All their tools it runs can get the same data over snmp, but they want ssh access (hard-coded password) and sudo. They say it's safe if you restrict the account in /etc/sudoers
|
is that a requirement from the vendor or from servicenow? we use servicenow and it seems p good compared to other ticketing software on the front-end at least. however now that i think on it there are some extremely janky bits on the back-end. we need to pull user satisfaction survey results in bulk for monthly reporting and the only way they could do that is with the special snow ODBC driver which is so garbage that the server it is installed on has to be rebooted daily because it just completely dies in the rear end after X number of hours.
|
# ¿ Aug 12, 2017 03:48 |
|
speaking of usernames, it appears that if you work for SHI (samsung heavy industries) you can just pick whatever the gently caress you want for your @samsung.com e-mail address so if you deal with them on the reg then you will see some weird poo poo in your SMTP transport logs. based on a bunch of internal systems doco i found for their internal stuff a while back their e-mail addys match their UPNs so their e-mail is effectively their username for most SSO stuff. i think DSME (daewoo shipbuilding & marine engineering) does this as well, maybe it's a SK thing...
|
# ¿ Aug 21, 2017 19:22 |
|
Notorious BGP
|
# ¿ Aug 29, 2017 16:22 |
|
anthonypants posted: there's apparently a new ublock origin for firefox that you have to remove and reinstall? lol https://twitter.com/ronindey/status/902645903210815489
|
yeah FF went to poo poo performance- and stability-wise after upgrading to v55 and removing/reinstalling ublock fixed it up. still better than chome
|
# ¿ Aug 30, 2017 02:30 |
|
|
a fool and his butts are soon to be parted
|
# ¿ Sep 2, 2017 05:24 |