|
CloFan posted:To expand on my background, before I got a job at the bank I worked as an IT tech at a college for three years. Little bit of everything there, but mostly networking- I can easily see how my background there has helped the transition. This is really not as uncommon as you would think. A lot of verticals like to hire folks that have good knowledge of the associated industry first and IT knowledge second instead of the other way around.
|
| # ? Feb 20, 2013 14:17 |
|
|
Also real networking already deals with security on all levels except the specific application User credentials. Nothing irritates me more than "security" guys who don't know networking, seems like it should be a prerequisite.
|
| # ? Feb 20, 2013 17:29 |
|
psydude posted:What are some industry publications y'all read? It'd be nice to stay on top of the flavor of the month for different types of attacks.

http://www.bankinfosecurity.com/ Scroll all the way down and there are some other *infosecurity.com sites they run.
|
| # ? Feb 20, 2013 18:29 |
|
"Data Breach Today" sounds like something that would run after the farm report on PBS.
|
| # ? Feb 20, 2013 18:43 |
|
Jabor posted:I guess the processor MMU could gently caress around with physical addresses to do something, but I don't know why it would - that's literally why virtual memory exists. Are you aware of any existing processors where the MMU screws with addresses before the virtual memory remapping? This can impact performance in a major way, imagine a workload that's just reading and writing sequentially. If the MC put adjacent addresses on the same DIMM, any refresh kills you for however many ms. If adjacent addresses are spread over both DIMMs, a refresh only blocks half of your transactions and the rest can keep chugging along. I'm handwaving a little here, but the point is that the MC can arbitrarily assign PA's to DIMM locations and does. If you're booting on the same system it would solve some of the problems, but if you're at the point of bringing up an OS that implies some memory map munging that might not be trivial to undo. This is why I thought it was possible the attack relied on techniques similar to HDD recovery, where you're taking some data and assuming the metadata is missing but still trying to reconstruct.

OSI bean dip posted:RAM does not necessarily flush out the contents after power-down but it "degrades" as soon as no more electricity is fed to it. In the case of a cold boot attack, you are unlikely to power the machine down without using normal OS means, so you end up with a more or less static snapshot of what is in memory at that time. The reason why you're freezing the memory is to slow down the degradation of whatever is left in memory but you can still have success if you do it without cooling the chips down, it's just less likely.

OSI bean dip posted:It is quite a lot of work to remove the modules and then swap them into another machine and it does require a lot more intrusion than it might be worth. If I were to go about performing a memory dump, I'd instead consider looking at something that uses DMA like firewire.

Thanks for the answers
|
| # ? Feb 20, 2013 19:24 |
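The interleaving point in the post above, as an added illustration that is not part of the thread: a small simulation of a memory controller spreading physical addresses over two modules, showing when a short value stays readable on a single module and when it only reappears once the mapping is undone. The 64-byte granule, the two-module layout and the marker string are assumptions made for the demo; real controllers use platform-specific mappings.

```python
# Added illustration, not code from the thread. GRANULE and DIMMS are assumed
# values; real memory controllers use platform-specific mappings.
GRANULE = 64   # assumed bytes per interleave unit (one cache line)
DIMMS = 2      # assumed number of modules being interleaved


def locate(pa):
    """Map a physical address to (DIMM index, byte offset inside that DIMM)."""
    unit, within = divmod(pa, GRANULE)
    return unit % DIMMS, (unit // DIMMS) * GRANULE + within


def split_image(image):
    """What each module holds when a flat physical image is interleaved."""
    dimms = [bytearray() for _ in range(DIMMS)]
    for start in range(0, len(image), GRANULE):
        dimm, _ = locate(start)
        dimms[dimm] += image[start:start + GRANULE]
    return [bytes(d) for d in dimms]


def merge_images(dimms):
    """Undo split_image: only possible when the mapping is known."""
    total = sum(len(d) for d in dimms)
    out = bytearray()
    unit = 0
    while len(out) < total:
        dimm, offset = locate(unit * GRANULE)
        out += dimms[dimm][offset:offset + GRANULE]
        unit += 1
    return bytes(out)


def build_image(size, secret, at):
    """Constructed test image: zero filler with one marker string placed at `at`."""
    image = bytearray(size)
    image[at:at + len(secret)] = secret
    return bytes(image)


def visibility(secret, at, size=512):
    """Report where the marker is readable as one contiguous run."""
    image = build_image(size, secret, at)
    dimms = split_image(image)
    return {
        "per_dimm": [secret in d for d in dimms],
        "merged": secret in merge_images(dimms),
    }


MARKER = b"constructed-secret"   # constructed sample value, 18 bytes

if __name__ == "__main__":
    print("inside one granule: ", visibility(MARKER, 70))
    print("straddling granules:", visibility(MARKER, 120))
```
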
|
Let's take a moment to remind ourselves that law enforcement still don't understand computers or data security http://www.stuff.co.nz/national/cri...ks-secret-files

quote:One document, an affidavit supporting a High Court application for search, seizure and surveillance warrants, records the details of an informant considered particularly reliable because of his role in an earlier case that led to the conviction of a senior gang member for violent crimes.

How many times has this happened now? Also it is not just electronic security they have blundered. I remember a case a couple of years ago when some officers served a search warrant on a house. Then when they finished they left behind a paper notebook containing all kinds of confidential information including the name/contact details for the anonymous informant who supplied the evidence to get the warrant in the first place. Of course the guy whose house it was that got searched did the first thing any criminal in that situation would do and passed it on to a newspaper reporter.
|
| # ? Feb 20, 2013 21:16 |
|
I don't know that rank/bank matters so much for passwords, as something like 'strings -n 8 /dev/kmem' would probably work pretty well. It would gather a ton of other data but the number of passwords to try would still be less than ~95^8.

What is the stripe size, so to speak, for DIMM ranks/banks? Is it tied to the platform page size? Passwords are pretty short and probably wouldn't span pages, though if you're serious there's no reason you couldn't find the same model chipset to put your stolen DIMM into.
|
| # ? Feb 21, 2013 01:09 |
|
Anyone given this a try? http://www.symantec.com/theme.jsp?t...iness-challenge There's one coming up in my area soon, if nothing else it seems like a good reason to skip class for a day.
|
| # ? Feb 21, 2013 16:33 |
|
Drunk Badger posted:Anyone given this a try? No but any Symantec presentation that does not end in that HORRID Gangnam Style dance by their employees should not be attended.
|
| # ? Feb 21, 2013 17:53 |
|
Drunk Badger posted:Anyone given this a try? Oh, a Sun Tzu quote. Nothing says we don't understand security or Sun Tzu like using Sun Tzu quotes to advertise security.
|
| # ? Feb 21, 2013 20:22 |
|
Powercrazy posted:Also real networking already deals with security on all levels except the specific application User credentials. Nothing irritates me more than "security" guys who don't know networking, seems like it should be a prerequisite.

I've been going to a lot of security meetups lately trying to get a leg up in making some contacts, and you'd be absolutely baffled how many times I've gotten a "wow, you've got a CCNA? it's awesome to see someone interested in security who also knows networking!". It's a small internal struggle not to make a face. I'm seriously hoping it's just the meetups I've been going to and not indicative of the actual state of security professionals in the area. I mean not to poop on a CCNA because I guess I do know a fair bit about a bunch of stuff now, but I've never really thought of it as anything all that impressive.
|
| # ? Feb 21, 2013 20:40 |
|
Martytoof posted:I've been going to a lot of security meetups lately trying to get a leg up in making some contacts, and you'd be absolutely baffled how many times I've gotten a "wow, you've got a CCNA? it's awesome to see someone interested in security who also knows networking!". It's a small internal struggle not to make a Ok, so this brings up something I've been wondering about. I'm wanting to transition from Network Engineering to Penetration testing. What are some good regular meetups to go to? I'll probably start going to my local ISSA chapter, but I'm not sure where else to look. Thoughts?
|
| # ? Feb 21, 2013 20:42 |
|
ming-the-mazdaless posted:Oh, a Sun Tzu quote. Nothing says we don't understand security or Sun Tzu like using Sun Tzu quotes to advertise security. Relevant: http://attrition.org/security/rant/fsck_sun_tzu/
|
| # ? Feb 22, 2013 00:10 |
|
Martytoof posted:I've been going to a lot of security meetups lately trying to get a leg up in making some contacts, and you'd be absolutely baffled how many times I've gotten a "wow, you've got a CCNA? it's awesome to see someone interested in security who also knows networking!". It's a small internal struggle not to make a Are you willing to relocate to DC and obtain a clearance?
|
| # ? Feb 22, 2013 00:21 |
|
psydude posted:Are you willing to relocate to DC and obtain a clearance?

I see you mention the area and DoD quite a bit. What's your experience with the job market out there? I'm sitting the CCNA next week and already have a Sec+ and Net+ to meet the IAT II standard. From what I've heard they're clamoring pretty hard for folks who are experienced and have a clean background. I meet both criteria and am planning to start applying to net eng positions this Spring.
|
| # ? Feb 22, 2013 00:31 |
|
GOOCHY posted:I see you mention the area and DoD quite a bit. What's your experience with the job market out there? I'm sitting the CCNA next week and already have a Sec+ and Net+ to meet the IAT II standard. From what I've heard they're clamoring pretty hard for folks who are experienced and have a clean background. I meet both criteria and am planning to start applying to net eng positions this Spring.

A lot of companies dealing with DoD are holding off on hiring right now until the whole sequestration thing gets worked out. State and the intel agencies seem to be chugging along since I guess they're able to trim down their budgets in areas other than personnel. Once the budget gets sorted out, though, I'd imagine there's going to be a metric fuckton of hiring by the DoD and other agencies that have held off. Spring will probably be a good time to be looking for a job, especially with those qualifications.

We're actually looking for a new security guy right now. In particular, someone with a general background in networking and some experience with doing audits of logs and sitting in meetings and knowing/pretending to know what they're talking about. They won't be involved in the actual configuration of the devices, though.
|
| # ? Feb 22, 2013 00:42 |
|
psydude posted:A lot of companies dealing with DoD are holding off on hiring right now until the whole sequestration thing gets worked out. State and the intel agencies seem to be chugging along since I guess they're able to trim down their budgets in areas other than personnel. Once the budget gets sorted out, though, I'd imagine there's going to be a metric fuckton of hiring by the DoD and other agencies that have held off. Spring will probably be a good time to be looking for a job, especially with those qualifications.

That's what I'm betting on. I'm hoping that with CEH (and the OSCP) I can nail something within the DoD involving Pentesting once this budget thing gets sorted out.
|
| # ? Feb 22, 2013 00:58 |
|
psydude posted:Are you willing to relocate to DC and obtain a clearance? One of these things I'm more than open to, the other is never ever going to happen. Clearance
|
| # ? Feb 22, 2013 03:09 |
|
Man I'd be interested in some government work, if not just to take care of my massive student loan debt 10 years sooner due to the forgiveness program. Honestly though, I don't like security as much as I did networking. I'll stick with what I've got because it's good experience and good money, but I don't see myself in this role for a career. I really need to talk my bosses into getting some certs on the employer's dime..
|
| # ? Feb 22, 2013 03:53 |
|
psydude posted:We're actually looking for a new security guy right now. In particular, someone with a general background in networking and some experience with doing audits of logs and sitting in meetings and knowing/pretending to know what they're talking about. They won't be involved in the actual configuration of the devices, though. What does something like that pay? That's in DC? Is it actually a GS job?
|
| # ? Feb 22, 2013 08:29 |
|
Oh god, that is great. Thanks.
|
| # ? Feb 22, 2013 09:19 |
|
Martytoof posted:One of these things I'm more than open to, the other is never ever going to happen. It only requires a secret, which is difficult not to get because they don't bother doing any interviews. The only reason I've heard of someone getting rejected for one was due to excessive speeding tickets. Ninja Rope posted:What does something like that pay? That's in DC? Is it actually a GS job? If you're experienced in the position, six figures. If you're relatively new to security stuff, most likely just shy of 100k. It's for a contractor, but an incredibly small (like 6 person) contractor. I work directly with the owner of the company at the client site.
|
| # ? Feb 22, 2013 12:20 |
|
psydude posted:It only requires a secret, which is difficult not to get because they don't bother doing any interviews. The only reason I've heard of someone getting rejected for one was due to excessive speeding tickets. Or if you actually disclose stuff. I was definitely rejected for a Secret (rather, the DOE equivalent) for
|
| # ? Feb 22, 2013 14:45 |
|
psydude posted:It only requires a secret, which is difficult not to get because they don't bother doing any interviews. The only reason I've heard of someone getting rejected for one was due to excessive speeding tickets.
|
| # ? Feb 22, 2013 15:01 |
|
Ninja Rope posted:I don't know that rank/bank matters so much for passwords, as something like 'strings -n 8 /dev/kmem' would probably work pretty well. It would gather a ton of other data but the number of passwords to try would still be less than ~95^8.

Ninja Rope posted:What is the stripe size, so to speak, for DIMM ranks/banks? Is it tied to the platform page size? Passwords are pretty short and probably wouldn't span pages, though if you're serious there's no reason you couldn't find the same model chipset to put your stolen DIMM into.

Cold boot attacks have a maximum life of minutes. More time than it takes me to go find chipsets
|
| # ? Feb 22, 2013 16:19 |
|
fivre posted:Or if you actually disclose stuff. Had you like just toked up the day before or something? I know a ton of people who used drugs a ton in college and highschool who were able to get TS/SCIs no problem despite disclosing their use. Depending on the agency, the policy is generally 1-2 years between the last use.
|
| # ? Feb 22, 2013 16:46 |
|
JawnV6 posted:Cold boot attacks have a maximum life of minutes. More time than it takes me to go find chipsets This is primarily the reason why cold boot attacks are not going to be something you should ever really worry about. If the attacker is determined and has targeted you, then the attack will be doable, but in most cases, if the laptop is stolen, it's unlikely that they're going to think about yanking out the modules. It's definitely something that should be prepared for, but I'd be more concerned about having DMA exposed before anything else. I should one of these days go and try the Firewire method out.
|
| # ? Feb 22, 2013 17:28 |
|
Powercrazy posted:Also real networking already deals with security on all levels except the specific application User credentials. Nothing irritates me more than "security" guys who don't know networking, seems like it should be a prerequisite.

People with networking knowledge who don't know how to perform basic security functions can be frustrating as well. *

I was recently asked to perform an analysis against a particular thing/vulnerability in a large network space of ours. It required writing a few scripts (not my function), identify a few (100k+) end points (not my function), report on the validity of a vuln (not my job) in an area I should have no touch in. All because the super secret squirrel government folks said it was super critical and 'omghax' were perpetrated (they weren't, as there is as of yet no exploit published). I was engaged to do this by a senior leader of another team in my div, without going through my chain of leadership to deliver on something he knew full well his team couldn't do. They are the network security team, and are now christened the notwork security team. In any case, I did it and quickly calmed the panic.

Earlier today I was sitting in on our team call, and I'll be hosed if some rear end valve that was one of the recipients of my findings didn't pass my work off as his own. I don't want credit; but that doesn't mean I want to hear that people are passing my work off as their own especially when it's a known fact that they can't do it themselves.

*There is no secret sauce recipe skill set in security. There is room for a variety of people, but there are foundation skills and I expect everyone, even the guys with networking super skills, to conform to.
|
| # ? Feb 22, 2013 17:51 |
|
psydude posted:Had you like just toked up the day before or something? I know a ton of people who used drugs a ton in college and highschool who were able to get TS/SCIs no problem despite disclosing their use. Depending on the agency, the policy is generally 1-2 years between the last use. Actually yes. First time too! The stated statutory limit in the rejection letter was 1 year. I recall a decision on the DOD records page that factored in use after being denied a clearance, but I think the person in question had used while holding a clearance also.
|
| # ? Feb 22, 2013 18:39 |
|
ming-the-mazdaless posted:People with networking knowledge who don't know how to perform basic security functions can be frustrating as well. * He's otherwise a really bright guy, too.
|
| # ? Feb 22, 2013 18:47 |
|
DoD Clearance is primarily based on two things for an entry-level clearance (Secret or Non-DoD "Person of Trust"):

1) Debt to Income Ratio - Someone with a lot of debt is more likely to do something illegal to relieve that burden.
2) Criminal Background - I know people with DUIs that have held TS SCI without issue, and I myself have had several speeding tickets and never had an issue holding my clearance. Just don't have anything really criminal per se - robbery, battery, etc

The biggest thing to remember is it is better to disclose and get denied, than to withhold and they find out you lied, because that will mark you even worse if you ever apply again.
|
| # ? Feb 22, 2013 19:22 |
|
Misogynist posted:Just yesterday I had to explain to our network manager that the credit card PIN pad used by one of our departments to manually process CC transactions couldn't sit on the same subnet as all the desktop computers in that department. Why? Is it a PCI Compliance thing or is it a commonsense thing?
|
| # ? Feb 22, 2013 19:32 |
|
ming-the-mazdaless posted:People with networking knowledge who don't know how to perform basic security functions can be frustrating as well. * If you don't know network security then you don't know networking.
|
| # ? Feb 22, 2013 19:32 |
|
OSI bean dip posted:This is primarily the reason why cold boot attacks are not going to be something you should ever really worry about. If the attacker is determined and has targeted you, then the attack will be doable, but in most cases, if the laptop is stolen, it's unlikely that they're going to think about yanking out the modules. It's definitely something that should be prepared for, but I'd be more concerned about having DMA exposed before anything else.

Someone who has planned ahead surely could have the model ready and waiting, and if not just put the DIMMs into any old PC to keep the memory refreshing while you find the correct model. Perhaps it's a good thing the memory is soldered to newer Macs.

OSI bean dip posted:I should one of these days go and try the Firewire method out.

Speaking of, doesn't LightPeak (or Thunderbolt or whatever) expose a Firewire interface?
|
| # ? Feb 22, 2013 21:47 |
|
Ninja Rope posted:Someone who has planned ahead surely could have the model ready and waiting, and if not just put the DIMMs into any old PC to keep the memory refreshing while you find the correct model. Perhaps it's a good thing the memory is soldered to newer Macs.

Oh. Of course, but I am thinking about typical situations. If someone has planned ahead, you're absolutely right. This attack isn't going to be as commonplace as it would be far easier to use other methods to get at the data.

quote:Speaking of, doesn't LightPeak (or Thunderbolt or whatever) expose a Firewire interface?

It's DMA-based so it's possible to have this occur. In fact, eSATA and PCI-based memory card readers could be vulnerable to this sort of attack. USB doesn't use DMA however.
|
| # ? Feb 23, 2013 00:52 |
|
JawnV6 posted:I'm also getting the impression the original Princeton attack was geared towards recovering a specific encryption key. Seems like that's an easier problem than trying to recreate something that might span a couple pages.
|
| # ? Feb 23, 2013 01:03 |
|
quote:
Pretty much: http://www.breaknenter.org/projects/inception/
|
| # ? Feb 23, 2013 01:20 |
|
I want to learn more about spam. It's an interesting organically evolving system/anti-system. Is there anywhere out there that maps/classifies/fingerprints spam? A spam petri dish collection? My spambox seems to consist of some fairly disparate areas of interest:

- things I actually did sign up for, but are poor quality, a la https://en.wikipedia.org/wiki/Bacn
- tech recruiter bs. Some even from the company that hired me!
- Casino scams
- Apparently well-crafted camgirl scams that defeat GMail's spam filter quite reliably
- Russian travel agencies (the bulk of what I receive)
- The occasional 419
- Less so now that I've graduated, but requests for paper submissions to dubious academic conferences

Nothing in the pharma realm, which is supposedly the bulk of spam. All odd though. Does anyone data mine who gets what spam?
|
| # ? Feb 23, 2013 10:09 |
|
Powercrazy posted:Why? Is it a PCI Compliance thing or is it a commonsense thing?

On the other hand, in the case of PEDs, it is a fairly pedantic and paranoid requirement, and I can see why it wouldn't cross somebody's mind. The primary value is probably in combining this with appropriate firewall policy to make sure that if someone tampers with the device, they're not able to send copies of the magstripe data off to Russia or something.
| # ? Feb 23, 2013 18:02 |
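One way to audit for the two conditions discussed in the posts above (a PIN pad sharing a subnet with desktops, and firewall policy that lets a card device send data anywhere), as an added example that is not part of the thread. The inventory, rule format, host names and addresses are all constructed for illustration; 203.0.113.10 stands in for a hypothetical payment processor.

```python
import ipaddress

# Constructed inventory and rules; every name and address is invented for this example.
HOSTS = [
    {"name": "pinpad-01", "role": "cde",     "ip": "10.20.5.40/24"},
    {"name": "desk-114",  "role": "desktop", "ip": "10.20.5.87/24"},
    {"name": "pinpad-02", "role": "cde",     "ip": "10.99.1.10/28"},
    {"name": "desk-201",  "role": "desktop", "ip": "10.20.6.12/24"},
]
EGRESS_RULES = [
    {"src": "10.99.1.0/28", "dst": "203.0.113.10/32", "action": "allow"},
    {"src": "10.20.5.0/24", "dst": "0.0.0.0/0",       "action": "allow"},
]
ALLOWED_DESTINATIONS = ["203.0.113.10/32"]  # hypothetical payment processor


def shared_subnets(hosts):
    """(CDE host, non-CDE host, subnet) for every pair in overlapping subnets."""
    cde = [h for h in hosts if h["role"] == "cde"]
    other = [h for h in hosts if h["role"] != "cde"]
    findings = []
    for c in cde:
        c_net = ipaddress.ip_interface(c["ip"]).network
        for o in other:
            if c_net.overlaps(ipaddress.ip_interface(o["ip"]).network):
                findings.append((c["name"], o["name"], str(c_net)))
    return findings


def open_egress(hosts, rules, allowed):
    """(CDE host, destination) for any allow rule reaching outside the allowed list."""
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    findings = []
    for h in hosts:
        if h["role"] != "cde":
            continue
        addr = ipaddress.ip_interface(h["ip"]).ip
        for r in rules:
            if r["action"] != "allow" or addr not in ipaddress.ip_network(r["src"]):
                continue
            dst = ipaddress.ip_network(r["dst"])
            # Flag the rule unless its whole destination range is an approved endpoint.
            if not any(dst.subnet_of(a) for a in allowed_nets):
                findings.append((h["name"], r["dst"]))
    return findings


if __name__ == "__main__":
    for cde_host, neighbour, subnet in shared_subnets(HOSTS):
        print(f"{cde_host} shares {subnet} with {neighbour}")
    for cde_host, dst in open_egress(HOSTS, EGRESS_RULES, ALLOWED_DESTINATIONS):
        print(f"{cde_host} may send traffic to {dst}")
```
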
|
|
Misogynist posted:It's one of those gray areas that's often ignored because the PCI PED (PIN Entry Device) standards are aimed squarely at device manufacturers, but the base PCI-DSS standards themselves are very clear that anything transmitting cardholder data is to be operated in a sequestered cardholder data environment on the network. Most retail organizations install POS systems into a separate network in order to facilitate this.

Yea I'd certainly say it would be pragmatic to have at LEAST logical separation and physical separation if you can manage it. When you are trying to be compliant it often behooves you to go above and beyond lest the auditors are having a lovely day. I was just hoping this wasn't one of those "common sense" theoretical sniffing attacks that would only be relevant if your switch was from the early 90's, so thanks for the info. That type of early 90's security mentality is what I deal with daily and I don't appreciate it at all.
|
| # ? Feb 25, 2013 14:58 |



















