Wiggly Wayne DDS
Sep 11, 2010



CLAM DOWN posted:

I never said either of those things. I simply asked a question. You're putting words in my mouth and making assumptions, and doing so in an unnecessarily hostile and unproductive way. You haven't been open to any kind of real discussion since the start, so have a good one.
i provided cases of endpoint protection software causing more problems than they solve, to which you responded by asking me:

CLAM DOWN posted:

Yup, I'm fully aware of all that. Have you used either Check Point port protection, or Bit9 Parity/CarbonBlack USB device features?
Which sounds extremely similar to:

Wiggly Wayne DDS posted:

will only listen to people who've deployed specific variants of the same snakeoil
then again maybe you never said any of those things

Wiggly Wayne DDS posted:

i'm just amused that you're against not trusting security software

CLAM DOWN posted:

e: actually gently caress that, a software solution absolutely can be "powerful", you're being wrong by immediately dismissing any software option as "lax and vulnerable", I'm curious what products you've actually tried and used in production

CLAM DOWN posted:

I highly recommend not dismissing things that you have never used or tried and don't know anything about. Keeping an open mind is very beneficial.
at this point you're ignoring my point of software endpoint suites not being a better alternative to hardware lockdowns, and just trying to feel like you've won an argument.

i'm extremely open to discussion, but if you're going to dismiss me while not putting forward anything then there was never going to be a discussion to begin with


CLAM DOWN
Feb 13, 2007




OSI bean dip posted:

I think what he's trying to get at is that you cannot rely on a software solution to protect USB as USB in itself is flawed. I am not really joking when I say that the best method is to remove the ability for those ports to function as it is in itself the only solution that is surefire short of shredding the computer all together.

Trying to block physical access to a machine is really the only option in preventing harmful USB devices from being used, preventing cold boot-style attacks, or preventing DMA access. Applying a software solution, regardless of how open-minded you are about it, is only a band-aid at best and if you're whitelisting specific devices, it doesn't do much to help you.

How do you stop this device if it emulates a keyboard?

Yeah for sure, but like you said before physically blocking ports is an extreme solution that also eliminates the legitimate use of USB peripherals. That's probably a very small minority of environments that would go that route, so a software solution (NB: I am not advocating or even giving a poo poo about using specific products over any other), while far from perfect and deeply flawed, is an acceptable middle ground for most enterprises. This goes beyond just attacks via USB, and gets into DLP as well, preventing external storage like unauthorized flash drives is an important part of this.

Mustache Ride
Sep 11, 2001



:yikes:

FlapYoJacks
Feb 12, 2009

CLAM DOWN posted:

Yeah for sure, but like you said before physically blocking ports is an extreme solution that also eliminates the legitimate use of USB peripherals. That's probably a very small minority of environments that would go that route, so a software solution (NB: I am not advocating or even giving a poo poo about using specific products over any other), while far from perfect and deeply flawed, is an acceptable middle ground for most enterprises. This goes beyond just attacks via USB, and gets into DLP as well, preventing external storage like unauthorized flash drives is an important part of this.

Apply this very sentence to AV as well.

While AV is far from perfect and deeply flawed, it is an acceptable middle ground for most enterprises.

Just because it's an acceptable middle ground to enterprises doesn't make it good, or correct, or hell, even actually acceptable; as most enterprises are dumpster fire garbage at infosec.

doctorfrog
Mar 14, 2007

Great.

This thread in general doesn't seem to care for "middle ground." The approach seems to start with "most secure, almost regardless of practicality," and only be dragged kicking and screaming back toward usability with security tradeoffs.

It might seem like an extreme position, but given the history of information security, it kinda makes sense.

In the end, this thread is less about winning arguments as it is knowing the risks and accepting as few of them as possible. I mostly lurk here because even if I don't see the practicality in everything that someone like OSI might say (for example, I use VeraCrypt for my personal stuff which he has zero trust for), I become a bit less ignorant. It's that or the woodchipper, I guess.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

doctorfrog posted:

This thread in general doesn't seem to care for "middle ground." The approach seems to start with "most secure, almost regardless of practicality," and only be dragged kicking and screaming back toward usability with security tradeoffs.

It might seem like an extreme position, but given the history of information security, it kinda makes sense.

In the end, this thread is less about winning arguments as it is knowing the risks and accepting as few of them as possible. I mostly lurk here because even if I don't see the practicality in everything that someone like OSI might say (for example, I use VeraCrypt for my personal stuff which he has zero trust for), I become a bit less ignorant. It's that or the woodchipper, I guess.

The thing that I try and preach here is that you should adopt security practices and behaviours but I am not one to ever really promote the use of any specific product. I rail against anti-virus and disk encryption for the primary reason that I know the risks of using them and have no problem pointing out their flaws. It's one thing to weigh out the pros and cons about products, but more often than not it's never about actual facts but rather gut feelings, anecdotes, or just straight-up brand loyalty. This is the most painful and frustrating aspect of my job as I have to work with people who think they know what the best security software and hardware is but are the types that don't understand that you cannot put the same password on every single thing.

I don't expect people to go for the "most secure" option because I know that in practicality it's never going to work either from a support or enduser perspective. The reason why I bring up a woodchipper is that physical security is really the biggest thorn in terms of computers. Having done audits for financial institutions, I cannot begin to talk about the problems faced by making sure that some random employee doesn't go and charge their phone on the workstation that handles payment processing. The only time I never got worried about these systems was when I saw that some of them were running OS/2 and figured if anyone was going to go after those machines (not ATMs by the way) that it was only going to be three people on Earth that investigators would want to look for--this is a joke more than anything else because there are at least ten users of OS/2. :)

The whole point of discussing infosec is to point out the risks in everything and anything. My position on a woodchipper is extreme, but I am not lying when I say that USB is a shitshow to secure and that if you have any expectation on protecting a system, it really comes down to making physical access to that computer as painful as possible.

Hell, a good example of where operational security and physical security meet was when Ross Ulbricht got arrested after being found to be running Silk Road, the FBI kept his machine from locking by sticking a Mouse Jiggler into one of his laptop's USB ports, thus defeating the full disk encryption.

Physical security and computers is hard and any suggestion that USB whitelisting of any kind is going to work in all cases is foolish--not suggesting that was implied, but what I am saying is that it's not really a solution. If you want to use such a software suite, go for it, but be prepared to whitelist everything and anything.

Lain Iwakura fucked around with this message at 21:33 on Nov 22, 2016

Inspector_666
Oct 7, 2003

benny with the good hair

OSI bean dip posted:

I rail against anti-virus and disk encryption for the primary reason that I know the risks of using them and have no problem pointing out their flaws.

...

Hell, a good example of where operational security and physical security meet was when Ross Ulbricht got arrested after being found to be running Silk Road, the FBI kept his machine from locking by sticking a Mouse Jiggler into one of his laptop's USB ports, thus defeating the full disk encryption.

Wait do you mean disk encryption is fundamentally hosed or (I'm assuming it's this from your example) that people treat it as way better/unbreakable than it is?

Mustache Ride
Sep 11, 2001



There's no full security. Full disk encryption can be beaten by a mouse jiggler. Denying USB access can be beaten by a motivated guy taking pictures of documents on a screen with a cell phone.

You have to conform to the "good enough" security model, and hope you never have to deal with motivated people, basically.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Inspector_666 posted:

Wait do you mean disk encryption is fundamentally hosed or (I'm assuming it's this from your example) that people treat it as way better/unbreakable than it is?

What is FDE going to do for you once you're in handcuffs and someone has access to your unlocked computer? Even if you epoxied the USB ports, whoever has your machine has at least the option to keep smashing keys on the keyboard until they get what they need.


Mustache Ride posted:

There's no full security. Full disk encryption can be beaten by a mouse jiggler. Denying USB access can be beaten by a motivated guy taking pictures of documents on a screen with a cell phone.

You have to conform to the "good enough" security model, and hope you never have to deal with motivated people, basically.

This is pretty much it. Betting the farm on some solution is just going to gently caress you over. You go after what you know you can defeat and then hope that the edge cases don't come to gently caress you up.

Inspector_666
Oct 7, 2003

benny with the good hair

OSI bean dip posted:

What is FDE going to do for you once you're in handcuffs and someone has access to your unlocked computer? Even if you epoxied the USB ports, whoever has your machine has at least the option to keep smashing keys on the keyboard until they get what they need.


OK cool, just wanted to be sure I got you.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

OSI bean dip posted:

What is FDE going to do for you once you're in handcuffs and someone has access to your unlocked computer? Even if you epoxied the USB ports, whoever has your machine has at least the option to keep smashing keys on the keyboard until they get what they need.

There was a really great example of this, the feds suckerpunched him and yanked the laptop out of his hands then cuffed him. Got all his data.

Now you can buy little wireless dinguses that will auto-lock or force-hibernate or power off your machine if you get more than like 5-10 feet away from it, or you hit the panic button on it.

Proteus Jones
Feb 28, 2013



I think another thing people sometimes overlook is that security needs to work in tandem with the business. It's not just about LOCK DOWN ALL THE THINGS.

It's about supporting the business to do what it does to make money, while providing as secure an environment as you can given limitations on budget, technology and user workflow (although I am a big proponent of "change your loving workflow" sometimes I'm not always willing to die on that hill). It's about identifying risk and determining the potential loss due to the risk weighed against the cost of eliminating that risk.

So, in some cases, yes, epoxying ports and hot gluing input devices to a computer is worth losing the convenience of USB ports, and sometimes you do the best you can with Enterprise management software.

None of this field is black and white operationally. It's what levels of risk the business is willing to assume in its day to day operation. This is why every company should have some kind of semi-formalized risk analysis on their operations and systems, including all the stakeholders. It can be a pain and feel like herding cats at times, but you are there to not only keep the business earning money, but allowing it to earn money with minimal obstacles to the end-user. Formalized security policies, doing risk analysis, and real incident response with RCAs and postmortems all contribute to a security culture that keeps the business safe and smoothly operating.

Except AV. gently caress AV.

Proteus Jones fucked around with this message at 04:18 on Nov 23, 2016

doctorfrog
Mar 14, 2007

Great.

flosofl posted:

Except AV. gently caress AV.
IMO this seems to be where the conversation should start. Once that bit of dogma is revealed to be the emperor's old clothes, it becomes easier to swallow the dangerous neighborhood we're all living in.

That's if you can get anyone to give a poo poo.

Forgall
Oct 16, 2012

by Azathoth
I've seen an idea somewhere of using U2F yubikey to generate encryption keys. This device works by signing given challenge with its internal private key and returning the signature. So challenge could be saved as salt, and returned signature used to derive key of needed length. Is that sound?
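The derivation described in the post above, as an added example that is not part of the thread: the challenge is stored in the clear as the salt, the token's response is the secret input, and HKDF (RFC 5869, HMAC-SHA256) stretches it to a key of the needed length. The token itself is a constructed stand-in (an HMAC under a placeholder device secret); a real U2F token signs the challenge with its private key. The one property the scheme depends on is visible in the code: the same challenge must always produce the same response bytes, or the derived key cannot be reproduced at unlock time, and the response must be kept secret, since anyone holding it can repeat the derivation.

```python
import hashlib
import hmac
import os

# Constructed device secret standing in for the token's private key (placeholder, not a real key).
_DEVICE_SECRET = bytes.fromhex("0b" * 32)


def device_response(challenge: bytes, secret: bytes = _DEVICE_SECRET) -> bytes:
    """Stand-in for the token signing the challenge. The derivation below only works if
    the response to a fixed challenge is always the same bytes, so this is deliberately
    deterministic; check that property for the real token before relying on it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256: salt is the HMAC key, IKM the message."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): stretch the pseudorandom key to the requested length."""
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key(challenge: bytes, response: bytes, length: int = 32) -> bytes:
    """The stored challenge is the salt; the secret token response is the input keying material."""
    prk = hkdf_extract(challenge, response)
    return hkdf_expand(prk, b"u2f-volume-key", length)  # info string is an assumption


def enroll(secret: bytes = _DEVICE_SECRET):
    """Pick a fresh random challenge to store alongside the encrypted data; derive the key once."""
    challenge = os.urandom(32)
    return challenge, derive_key(challenge, device_response(challenge, secret))


def unlock(challenge: bytes, secret: bytes = _DEVICE_SECRET) -> bytes:
    """Re-derive the key later from the stored challenge and a fresh token response."""
    return derive_key(challenge, device_response(challenge, secret))


if __name__ == "__main__":
    stored_challenge, key = enroll()
    assert unlock(stored_challenge) == key
    print("stored salt:", stored_challenge.hex())
    print("derived key:", key.hex())
```

A different challenge or a different token gives an unrelated key, so the stored challenge alone reveals nothing; losing the token, however, loses the key with it, which is why a scheme like this normally keeps a second, recovery-wrapped copy of the key.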

g0del
Jan 9, 2001



Fun Shoe

Inspector_666 posted:

Doesn't PoisonTap exploit poor HTTP(S) implementation more than anything else? Or is the main concern here that you have hashes you can work against on your own time.
HTTPS mostly defeats poisontap. It works because all major OSes automatically bring up a USB network interface (poisontap pretends to be one), and they all automatically send a DHCP request to the device to get an IP. The bigger problem is that when poisontap responds and claims that 0.0.0.0 is its subnet, the OS believes it and starts routing everything through poisontap. Everything else is taking advantage of insecure HTTP cookies and some poisoning of the browser's cache (and some tricks involving DNS poisoning which rely on a specially modified DNS server that the poisontap guy runs), but poisontap as it exists would stop working if the OS would simply ask the user before it grabbed an IP for a new, strange network interface.

I don't think plugging that hole would make USB any less of a dumpster fire security-wise, though.
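The DHCP side of what g0del describes, as an added example from the host's point of view (not code from the thread or from the PoisonTap project): parse the option field of an offer and flag the claims a hot-plugged adapter has no business making, namely an on-link network so broad that it swallows the real routes, or a default route at all. The offers in the test are constructed; the /16 threshold and the "no default route from a new interface" policy are assumptions a deployment would set for itself.

```python
import ipaddress
from typing import Dict, List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

OPT_SUBNET_MASK = 1
OPT_ROUTER = 3
OPT_CLASSLESS_ROUTES = 121
ONLINK = ipaddress.IPv4Address("0.0.0.0")  # marker for "directly connected"


def parse_dhcp_options(blob: bytes) -> Dict[int, bytes]:
    """Parse the TLV option field of a DHCP message (RFC 2132). Pad (0) has no length
    byte, End (255) terminates the list, and a repeated option is concatenated."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def parse_classless_routes(data: bytes) -> List[Route]:
    """Option 121 (RFC 3442): prefix length, only the significant destination octets,
    then a 4-byte router address, repeated until the option ends."""
    routes: List[Route] = []
    i = 0
    while i < len(data):
        plen = data[i]
        i += 1
        n = (plen + 7) // 8
        dest = data[i:i + n] + bytes(4 - n)
        i += n
        router = data[i:i + 4]
        i += 4
        if plen > 32 or len(dest) != 4 or len(router) != 4:
            raise ValueError("malformed classless route")
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False),
                       ipaddress.IPv4Address(router)))
    return routes


def routes_from_offer(yiaddr: str, opts: Dict[int, bytes]) -> List[Route]:
    """Routes a client would install: the on-link network implied by the subnet mask,
    plus classless routes (which take precedence over option 3) or a default via option 3."""
    routes: List[Route] = []
    if OPT_SUBNET_MASK in opts:
        mask = str(ipaddress.IPv4Address(opts[OPT_SUBNET_MASK]))
        routes.append((ipaddress.IPv4Network((yiaddr, mask), strict=False), ONLINK))
    if OPT_CLASSLESS_ROUTES in opts:
        routes.extend(parse_classless_routes(opts[OPT_CLASSLESS_ROUTES]))
    elif OPT_ROUTER in opts:
        routes.append((ipaddress.IPv4Network("0.0.0.0/0"),
                       ipaddress.IPv4Address(opts[OPT_ROUTER][:4])))
    return routes


def audit_offer(yiaddr: str, opts: Dict[int, bytes],
                max_onlink_prefix: int = 16, allow_default: bool = False) -> List[str]:
    """Findings for an offer received on a newly attached interface. Thresholds are policy."""
    findings: List[str] = []
    for net, via in routes_from_offer(yiaddr, opts):
        if via == ONLINK:
            if net.prefixlen < max_onlink_prefix:
                findings.append("on-link network %s is broader than /%d" % (net, max_onlink_prefix))
        elif net.prefixlen == 0:
            if not allow_default:
                findings.append("offer installs a default route via %s" % via)
        elif net.prefixlen < max_onlink_prefix:
            findings.append("static route to %s via %s is broader than /%d" % (net, via, max_onlink_prefix))
    return findings
```

An empty findings list means the offer looks like an ordinary LAN lease; anything else is the point at which, per the post, the OS should be asking the user rather than silently installing the routes.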

Proteus Jones
Feb 28, 2013



g0del posted:

HTTPS mostly defeats poisontap. It works because all major OSes automatically bring up a USB network interface (poisontap pretends to be one), and they all automatically send a DHCP request to the device to get an IP. The bigger problem is that when poisontap responds and claims that 0.0.0.0 is its subnet, the OS believes it and starts routing everything through poisontap. Everything else is taking advantage of insecure HTTP cookies and some poisoning of the browser's cache (and some tricks involving DNS poisoning which rely on a specially modified DNS server that the poisontap guy runs), but poisontap as it exists would stop working if the OS would simply ask the user before it grabbed an IP for a new, strange network interface.

I don't think plugging that hole would make USB any less of a dumpster fire security-wise, though.

HTTPS can still be vulnerable to downgrade attacks. HSTS needs to be enabled on the server side to deny protocol downgrade.

I have now fulfilled my nitpick quota of the day (I also annoyed someone at work with "Well, technically...")

Internet Explorer
Jun 1, 2005





The idea of super-gluing all the USB ports in any company I've ever worked at is hilarious. You'd be laughed out of the room with a suggestion like that. At a place that requires a higher than normal level of security, sure. For most companies though, being that inflexible just isn't politically possible.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Internet Explorer posted:

The idea of super-gluing all the USB ports in any company I've ever worked at is hilarious. You'd be laughed out of the room with a suggestion like that. At a place that requires a higher than normal level of security, sure. For most companies though, being that inflexible just isn't politically possible.

Outline the security risks inherent with the various practices in place at the firm, document processes and ways to mitigate those risks, make a presentation to the board/owner, and get them to sign off on whatever they decide on. Blammo, rear end is covered, and if someone decides that a 64 gb flash drive full of tax documents needs to be express mailed to Romania, well that's not on you.

On something like a TS/compartmentalized system, or machines running SCADA for secure facilities, I can totally see getting standard COTS stuff then welding it into a vented crate or adding epoxy to all the ports.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

flosofl posted:

HTTPS can still be vulnerable to downgrade attacks. HSTS needs to be enabled on the server side to deny protocol downgrade.

I have now fulfilled my nitpick quota of the day (I also annoyed someone at work with "Well, technically...")

Pretty much everything client-side if it's been patched within the last year is going to require 3DES as a minimum, downgrade attacks won't get you far. DES/RC4/null is disabled on most everything that isn't some legacy server-side garbage. Cert fuckery is going to require admin rights on the target machine to allow for easy MITM interception without every website and application throwing cert errors.

Wiggly Wayne DDS
Sep 11, 2010



BangersInMyKnickers posted:

application throwing cert errors.
good thing we don't need to worry about that then

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

I only surf with the safest of antivirus applications which strip all certificate validation from my browser

psydude
Apr 1, 2008

I only browse with IE in high security mode.

e: Through a SSH cut-through using a private key, obviously.

CLAM DOWN
Feb 13, 2007




lol just lol if you don't browse the internet only from a segregated VM with no access in/out

apseudonym
Feb 25, 2011

BangersInMyKnickers posted:

Pretty much everything client-side if it's been patched within the last year is going to require 3DES as a minimum, downgrade attacks won't get you far. DES/RC4/null is disabled on most everything that isn't some legacy server-side garbage. Cert fuckery is going to require admin rights on the target machine to allow for easy MITM interception without every website and application throwing cert errors.

They're talking about ssl strip, not a protocol downgrade, and that only works on things that default to http (aka poo poo you type into the browser that's not on an HSTS list). Applications besides browsers are generally unaffected unless they're dumb and relying on the http -> https redirect.
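What the two posts above (flosofl on HSTS, apseudonym on what is and is not on the HSTS list) are describing, as an added example that is not from the thread: a minimal model of a browser's HSTS known-hosts store (RFC 6797). A plain `http://` URL is upgraded only for a host the browser already knows, so the first visit to a host that is neither cached nor preloaded is exactly the window apseudonym refers to, and `includeSubDomains` decides whether subdomains share the protection. Hostnames and the preload list in the test are constructed.

```python
import time
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value. Returns None when a UA must ignore it
    (missing or non-numeric max-age)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


class HstsCache:
    """Model of a browser's HSTS known-hosts store."""

    def __init__(self, preload=()):
        # Preloaded hosts are protected before any visit (constructed list here, not the real one).
        self._entries: Dict[str, dict] = {
            h.lower(): {"expires": float("inf"), "include_subdomains": True} for h in preload
        }

    def observe(self, host: str, header: str, over_tls: bool, now: float = None) -> bool:
        """Record a policy seen in a response. Returns False when ignored: a UA only honours
        HSTS received over TLS, so a plaintext response can neither add nor remove one."""
        if not over_tls:
            return False
        policy = parse_hsts(header)
        if policy is None:
            return False
        now = time.time() if now is None else now
        host = host.lower()
        if policy["max_age"] == 0:
            self._entries.pop(host, None)  # max-age=0 withdraws the policy
            return True
        self._entries[host] = {"expires": now + policy["max_age"],
                               "include_subdomains": policy["include_subdomains"]}
        return True

    def is_known(self, host: str, now: float = None) -> bool:
        """Exact host match, or a parent domain whose policy covers subdomains, if unexpired."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None or entry["expires"] <= now:
                continue
            if i == 0 or entry["include_subdomains"]:
                return True
        return False

    def rewrite(self, url: str, now: float = None) -> str:
        """The URL the UA actually fetches: http:// is upgraded only for known hosts."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme == "http" and self.is_known(host, now):
            netloc = host if parts.port in (None, 80) else "%s:%d" % (host, parts.port)
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url
```

The server-side check flosofl mentions is the other half: a policy only lands in this cache if the response over TLS carries a valid `max-age`, so a server that sends the header on the redirect target but not on the HTTPS pages themselves never protects anyone.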

Storysmith
Dec 31, 2006

CLAM DOWN posted:

lol just lol if you don't browse the internet only from a segregated VM with no access in/out

Yeah, Qubes is pretty alright.

Squibbles
Aug 24, 2000

Mwaha ha HA ha!
For anyone who uses a VPS provider you may be interested to know this. I guess wiredtree and liquid web are merging. I have a wiredtree account which they ported to the liquid web system. When I tried to log in to the new system it failed so I got in touch with support and they informed me that my password was too long so they truncated it for me so I should be able to log in now with the last two characters of my password lopped off.

I must say it feels super great to know that my master account password on a pretty big hosting provider was stored unencrypted and may still be in their new system. When I asked them about it in the support ticket they hand waved it away saying that the support agents cannot access passwords through their admin console.

I see liquid web advertises on their front page that they offer HIPAA hosting, PCI compliant hosting and have clients such as Symantec, Motorola, Eddie Bauer and Chevy.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Squibbles posted:

For anyone who uses a VPS provider you may be interested to know this. I guess wiredtree and liquid web are merging. I have a wiredtree account which they ported to the liquid web system. When I tried to log in to the new system it failed so I got in touch with support and they informed me that my password was too long so they truncated it for me so I should be able to log in now with the last two characters of my password lopped off.

I must say it feels super great to know that my master account password on a pretty big hosting provider was stored unencrypted and may still be in their new system. When I asked them about it in the support ticket they hand waved it away saying that the support agents cannot access passwords through their admin console.

I see liquid web advertises on their front page that they offer HIPAA hosting, PCI compliant hosting and have clients such as Symantec, Motorola, Eddie Bauer and Chevy.

When I worked at an ISP, the passwords were stored in plaintext because we had to send them to other systems that couldn't do shared authentication.

I do not miss those days.

fyallm
Feb 27, 2007



College Slice
Taking the dumb CISSP tomorrow. Wish me luck.

Squibbles
Aug 24, 2000

Mwaha ha HA ha!

OSI bean dip posted:

When I worked at an ISP, the passwords were stored in plaintext because we had to send them to other systems that couldn't do shared authentication.

I do not miss those days.

This is the account that you use to log in to their system and check tickets, reboot the server and things like that, it's not the root password of the server (thankfully) but it's also where you go to handle billing and whatnot

Proteus Jones
Feb 28, 2013



fyallm posted:

Taking the dumb CISSP tomorrow. Wish me luck.

You'll be fine. Just keep up with the CPEs and have your work pay for 3 years at a time, and you'll never have to take it again.

some kinda jackal
Feb 25, 2003

 
 

fyallm posted:

Taking the dumb CISSP tomorrow. Wish me luck.

Good luck. I took it on Monday. It is indeed a dumb exam. Just remember to answer everything as if you're stuck in an elevator with your idiot CEO.

psydude
Apr 1, 2008

fyallm posted:

Taking the dumb CISSP tomorrow. Wish me luck.

It's pretty easy. The part of the Conrad book that explains the order of importance of "values" basically gives you the key to the exam.

Absurd Alhazred
Mar 27, 2010

by Athanatos

psydude posted:

It's pretty easy. The part of the Conrad book that explains the order of importance of "values" basically gives you the key to the exam.

"The horror. The horror."

Proteus Jones
Feb 28, 2013



I like the part with the crazy kernel.

apropos man
Sep 5, 2016

You get a hundred and forty one thousand years and you're out in eight!

Squibbles posted:

... When I tried to log in to the new system it failed so I got in touch with support and they informed me that my password was too long so they truncated it for me so I should be able to log in now with the last two characters of my password lopped off.


I decided to increase the security of my PayPal account last week. I tried to use a 40 character one generated by KeePass. PayPal wouldn't accept it but allowed a shorter one.

One of the biggest payment processors in the world, there.

I looked at their 2FA options, hoping that I could augment my lovely short password with something like Google auth but they have rolled their own system that sends you a text message. I didn't trust them to implement it properly if the best they can do is <30 character passwords, so I left it inactive.

PayPal. One of the biggest payment processors in the world.
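The contrast to both stories above (a provider trimming two characters off a stored password, and a site capping password length), as an added example that is not from the thread or from either company: a salted, iterated hash store. It accepts a password of any length, a truncated copy of the right password does not verify, and the record holds nothing a support agent could read or shorten; the only operation left to support is a reset. The iteration count is an assumption for the example, and the test passwords are constructed.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 210_000  # assumption for this example; follow current guidance in production
SALT_BYTES = 16
_ALGO = "pbkdf2_sha256"


def _normalize(password: str) -> bytes:
    """NFKC so the same visible password typed on different keyboards hashes the same."""
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Self-describing record: algorithm$iterations$salt$hash. No length limit anywhere,
    and the password itself is not recoverable from the record."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(password), salt, iterations)
    return "$".join([_ALGO, str(iterations), salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != _ALGO:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", _normalize(password),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except ValueError:
        return False


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the record predates the current setting; re-hash after the next good login."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != _ALGO or not parts[1].isdigit() or int(parts[1]) < iterations


def login(user_records: dict, username: str, password: str) -> bool:
    """Verify, and transparently upgrade an old record while the password is in hand."""
    record = user_records.get(username)
    if record is None or not verify_password(password, record):
        return False
    if needs_rehash(record):
        user_records[username] = hash_password(password)
    return True


def support_reset(user_records: dict, username: str, new_password: str) -> None:
    """The only thing a support agent can do with a hashed store: replace, never read or trim."""
    user_records[username] = hash_password(new_password)
```

The silent-truncation incident in the thread is only possible when the password is kept in a reversible form; with a record like this there is nothing to truncate, and a migration between systems moves the record unchanged.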

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano

apropos man posted:

I didn't trust them to implement it properly if the best they can do is <30 character passwords, so I left it inactive.

lol

apropos man
Sep 5, 2016

You get a hundred and forty one thousand years and you're out in eight!

Visions of trying to log into PayPal and waiting for a text message that never comes.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Same, but me logging into your account.

Forgall
Oct 16, 2012

by Azathoth
I can't find anything at all about 2-factor anywhere in my account pages. Only options on Security tab are Password, Security questions, Customer service PIN and Stay logged in for faster purchases.


some kinda jackal
Feb 25, 2003

 
 
Eh, Paypal's implementation could be better. You can still fall back to using your generic secret questions, plus I think SMS MFA is just stupid anyway when you could implement a TOTP solution but I guess it's better than nothing.


Forgall posted:

I can't find anything at all about 2-factor anywhere in my account pages. Only options on Security tab are Password, Security questions, Customer service PIN and Stay logged in for faster purchases.

Are you adblocking anything? Just checked and mine is Gears Icon -> Security, and there I have "Password", "Security Questions", "Mobile PIN", "Customer Service PIN", "Security Key", and "Stay logged in bla bla"
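The TOTP alternative the post above prefers over SMS, as an added example that is not from the thread or from PayPal: HOTP (RFC 4226) and TOTP (RFC 6238) on the standard library, plus the server-side verifier that tolerates one step of clock drift, compares in constant time, and refuses to accept a step that has already been used, so a code that was captured in transit is worthless once the legitimate user has logged in. The enrolment secret is generated locally; the secret in the test is the RFC test-vector key, not a real one.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte counter, dynamic truncation, low decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with counter = Unix time // step."""
    at_time = time.time() if at_time is None else at_time
    return hotp(secret, int(at_time) // step, digits, algo)


def new_secret() -> bytes:
    """160-bit shared secret, the minimum RFC 4226 recommends."""
    return secrets.token_bytes(20)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI the user scans into an authenticator app (unpadded base32 secret)."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return ("otpauth://totp/%s:%s?secret=%s&issuer=%s&algorithm=SHA1&digits=6&period=30"
            % (issuer, account, b32, issuer))


class TotpVerifier:
    """Server side: one step of drift either way, constant-time compare, and every
    accepted step is burned so the same code cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30, digits: int = 6):
        self.secret = secret
        self.window = window
        self.step = step
        self.digits = digits
        self.last_used_step = -1

    def verify(self, code: str, at_time: Optional[float] = None) -> bool:
        at_time = time.time() if at_time is None else at_time
        current = int(at_time) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_used_step:
                continue  # already consumed (or older): a replayed code is rejected here
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_used_step = candidate
                return True
        return False


if __name__ == "__main__":
    secret = new_secret()
    print(provisioning_uri(secret, "alice@example.invalid", "ExampleCorp"))
    print("current code:", totp(secret))
```

The same verifier also sits in front of the rate limit a real deployment needs: with six digits and a three-step window, unthrottled guessing is the remaining weakness, not the algorithm.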
