So what’s the state of encrypted messaging these days, then? Is there anything trustworthy anymore?

# ? May 18, 2018 19:21

personally I use Something Awful Forums Private Messages for all my secure communication needs

# ? May 18, 2018 20:03

CLAM DOWN posted:
> personally I use Something Awful Forums Private Messages for all my secure communication needs

the old security through obscurity and outdated and gay technology

# ? May 18, 2018 20:08

Wasn’t there something about al-Qaeda or some other group communicating using comments on Google Drive files going undetected for years?

# ? May 18, 2018 20:14

andrew smash posted:
> Wasn’t there something about al-Qaeda or some other group communicating using comments on Google Drive files going undetected for years?

I thought it was drafts in Gmail. Like, write the message but don't send it. Then the person you're communicating with logs in to the same account, writes a response. Both things have probably happened.

# ? May 18, 2018 20:22

Dadbod Apocalypse posted:
> So what’s the state of encrypted messaging these days, then? Is there anything trustworthy anymore?

Signal's mobile clients are still okay. It's just the desktop clients you want to avoid.

# ? May 18, 2018 20:30

ozymandOS posted:
> Signal's mobile clients are still okay. It's just the desktop clients you want to avoid.

This is correct. I only ever use the phone client. If secure communication is the goal, I’ve never understood having multiple clients attached to the same account.

# ? May 18, 2018 21:23

The Fool posted:
> Both things have probably happened.

# ? May 18, 2018 23:42

Proteus Jones posted:
> This is correct. I only ever use the phone client. If secure communication is the goal, I’ve never understood having multiple clients attached to the same account.

I haven't used their new desktop client, but iirc the old Chrome-extension one required the phone to be up and running, and your desktop talked securely to your phone, which then talked securely to the other party as normal.

I once had to find a fallback app when Signal wasn't an option (the other party had a bricked phone). After about five minutes of research I landed on Wickr, for which you don't need a working phone number, so you can get it going on a tablet or something, even for voice calls. I'm not 100% certain if their security is up to snuff (recall the total five minutes of research this choice was based on), but we weren't actually discussing national security level secrets, so hey.

# ? May 18, 2018 23:54

https://twitter.com/tqbf/status/997645099323424769

# ? May 19, 2018 02:26

Was the PoC using Spectre variant 1 to get information out of x86 SMM mode ever linked?

# ? May 20, 2018 11:33

PBS posted:
> Anyone used Phantom, Swimlane, or some other security automation tool?

Had a decent play with Phantom before they were acquired by Splunk and it was amazing for automating stuff out of our SIEM. To be honest I didn't get a lot of spam from them, dunno if Splunk are spammy or not. However we never got past the play/evaluation stage as the pricing was horrendously expensive. Splunk have mentioned the pricing moving to a per-Casebook from a per-Action model but I'm not confident that it'll be reasonable.

# ? May 21, 2018 01:01

I really, really like Phantom, it’s pretty amazing. I hope Splunk doesn’t gently caress it up.

# ? May 21, 2018 07:29

Martytoof posted:Phyeah, I learned this the hard way. Our senior recently left and our Qradar implementation is up for review/renewal and I am building my case to sink this fucker and move to Splunk. I am right there with you on loathing Qradar.

# ? May 21, 2018 17:03

I hope you have a gigantic wheelbarrow of money.

# ? May 21, 2018 17:21

BangersInMyKnickers posted:
> I hope you have a gigantic wheelbarrow of money.

I've got 2 things going for me:

1. C's are scared and ready to listen from the good book of security because two different companies we work with got hacked recently, so the checkbook is open. One got hit by ransomware so bad they had to slash and burn their entire IT infrastructure. Not having backups must be a bitch.
2. Qradar is stupid expensive, so after doing the sizing with Splunk and checking numbers we are actually going to be saving some money in the long run. I just gotta get them to buy in for the initial spend.

FlyingCowOfDoom fucked around with this message at 18:44 on May 21, 2018

# ? May 21, 2018 18:39

Splunk may be expensive as hell but it beats the poo poo out of maintaining ArcSight. I'll be so happy when I can finally offline the rest of our logger boxes and never gently caress with another connector again.

# ? May 22, 2018 04:22

Diametunim posted:
> Splunk...never gently caress with another connector again.

They're called add-ons

# ? May 23, 2018 03:22

Splunk has its own share of bullshit. It's all an exercise in determining which technology is going to annoy you most on any given day.

# ? May 23, 2018 16:38

I really extremely like Splunk (and to lesser extents, ELK / Graylog). But whatever you do, do not loving get the Cloud offering. Do not let finance shout you down about capex vs opex. Get on prem if you value sanity, and quick turnarounds on support tickets. It absolutely has its cons, but I'll take it over the other two things I've used:

McAfee (was powerful, just an absolute pain in the rear end to do anything.)

InsightIDR (not even a SIEM, just marketed as one. It was much better as UserInsight if you had a completely different SIEM system)

# ? May 23, 2018 16:57

McAfee has a SIEM? Oh my god, I wouldn’t touch that with a 10-foot pole

# ? May 23, 2018 17:52

geonetix posted:
> McAfee has a SIEM? Oh my god, I wouldn’t touch that with a 10-foot pole

I was once forced to use McAfee Vulnerability Scanner aka Foundstone at a job. I hated that poo poo with a passion. I was not when it was disconnected.

# ? May 23, 2018 18:45

Martytoof posted:
> Splunk has its own share of bullshit. It's all an exercise in determining which technology is going to annoy you most on any given day.

After all the Qradar bullshit I am ready for a different flavor, and thankfully our new Senior has worked with it for close to a decade so he will be doing all the heavy lifting and dashboard creation.

Jowj posted:
> I really extremely like Splunk (and to lesser extents, ELK / Graylog). But whatever you do, do not loving get the Cloud offering. Do not let finance shout you down about capex vs opex. Get on prem if you value sanity, and quick turnarounds on support tickets.

Whew, good to know we're going the right direction with on prem.

# ? May 23, 2018 19:39

since this thread is now discussing monitoring, I was wondering if there was anything good to recommend for monitoring websites in AWS. Not looking for anything intensive, just something that will let me see usage trends (and if I need to enlarge the instance size) and maybe alert me to potential compromises. No more than 20-30 systems hosting sites unless someone is getting so much traffic I need to set them up for autoscaling instead of just increasing instance size.

# ? May 23, 2018 20:09

What do you want that CloudWatch doesn't give you? CloudWatch isn't that in depth, but you have it already. My next go-to suggestion is Datadog.

# ? May 23, 2018 20:27

Guy Axlerod posted:
> What do you want that CloudWatch doesn't give you? CloudWatch isn't that in depth, but you have it already. My next go-to suggestion is Datadog.

I've actually not looked into CloudWatch, tbh. I'm having trouble believing that Amazon is providing every solution I need with no effort, so I just keep ignoring their offerings. Time to go read up on it, thanks

# ? May 23, 2018 20:56

I recommend outsourcing your monitoring to an incompetent MSSP and just assuming everything is okay.

# ? May 23, 2018 21:00

Martytoof posted:
> I recommend outsourcing your monitoring to an incompetent MSSP and just assuming everything is okay.

I run a reputable company here, not an F500

# ? May 23, 2018 21:14

RFC2324 posted:
> I've actually not looked into CloudWatch, tbh. I'm having trouble believing that Amazon is providing every solution I need with no effort, so I just keep ignoring their offerings.

The graphs you get on the EC2 console are basically what you'll get out of CloudWatch out of the box.

# ? May 23, 2018 21:20

RFC2324 posted:
> I run a reputable company here, not an F500

Someone's not living on the edge

some kinda jackal fucked around with this message at 21:47 on May 23, 2018

# ? May 23, 2018 21:36

Speaking of incompetent MSSPs and the SIEMs they run, thoughts on AlienVault?

# ? May 23, 2018 21:55

Diva Cupcake posted:
> Speaking of incompetent MSSPs and the SIEMs they run, thoughts on AlienVault?

I have thoughts on AlienVault

None of them are good

# ? May 23, 2018 22:06

If you were designing your own password manager from the ground up, what would be your most critical feature(s)? My company has an annual program where you/your team can take a week to work on any project your heart desires, so long as you present the project at the end. One of my security developer colleagues wants to write a password manager for said project and the more input the better, naturally. I've already given my list, but I would appreciate any useful, professional opinions and I will deliver them as community input -- via PM if you don't want to clutter up the thread. Yes, I know this largely goes against the very name of the thread, but there would be a proper SDLC review team if it looks promising enough to take out of incubation. We now return you to your regularly-scheduled QRadar grousing.

# ? May 23, 2018 23:13

keseph posted:
> If you were designing your own password manager from the ground up, what would be your most critical feature(s)?

don't roll your own crypto

# ? May 23, 2018 23:26

So got something I could use some sanity checking on. On a scale of 1 to Equifax, how bad is this situation: An application vendor is demanding that the Octopus deployment system "Tentacle" is installed on our client's server. It's set up in listening mode on its default port and uses a cert to verify the vendor before giving it LocalSystem access. The cert that it uses to verify is SHA1 based, valid for 100 years and is self-issued. It's also only using the thumbprint of the cert, not any full CA chain etc. They want this so they can auto-update their software remotely rather than gaining supervised access from our helpdesk. I'm primarily concerned about handing over LocalSystem level access on a PDC to a remote party using authentication that I feel is pretty dicey being SHA1 only, and the version of the Octopus software is nearly 1 year behind current. I think the level of access and autonomy is overkill for the reason they want it but I'm getting considerable pressure to just sign off on it to make the issue go away

edit:// This is all taking place over the internet too, not a vpn link etc etc

Beccara fucked around with this message at 23:56 on May 23, 2018

# ? May 23, 2018 23:44

The application vendor should at least be able to give you an IP range of their office locations that they might be connecting from so you can ensure the service isn't listening to the world - you have no guarantees that the authentication is implemented in a sane way and you don't want your logs filled up with random noise. What environment are they auto-updating? I'd be less concerned about some stuff running relatively isolated from the rest of the network than I would be if the deployment system had the ability to nuke and pave an unrelated critical service.

# ? May 23, 2018 23:51

Thanks Ants posted:
> The application vendor should at least be able to give you an IP range of their office locations that they might be connecting from so you can ensure the service isn't listening to the world - you have no guarantees that the authentication is implemented in a sane way and you don't want your logs filled up with random noise.

Even with an IP lock, the vendor would have PowerShell ability via Octopus with LocalSystem privileges on an AD PDC. They could remove applications, take data out of our environment, delete files etc etc without any real trace, all without us knowing they even did anything :/ We're effectively handing over the same level of access we have to a vendor

# ? May 23, 2018 23:59

I think that you would worry about it literally every day, and your heart knows what that means. You deserve better.

# ? May 24, 2018 00:01

Beccara posted:
> Even with an IP lock, the vendor would have PowerShell ability via Octopus with LocalSystem privileges on an AD PDC. They could remove applications, take data out of our environment, delete files etc etc without any real trace, all without us knowing they even did anything :/ We're effectively handing over the same level of access we have to a vendor

I mean, you shouldn't even have that level of access. Even if you can do the things, audit logs should be getting generated and getting sent to a log server so that there is always a record of who did the thing.

# ? May 24, 2018 00:15

Yeah, definitely not on a domain controller. I can't imagine your client's obligations to their customers/suppliers regarding data protection can be met with that sort of unrestricted 3rd-party access either.

# ? May 24, 2018 00:21
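The checks the posts above argue for (SHA-1 self-issued cert with a century of validity, a listener open to the whole internet, LocalSystem on a domain controller), written up as a PowerShell audit script to run on the host in question. This is an added example, not code from the thread or from Octopus; the certificate store path and the listening port (assumed to be Tentacle's documented default of 10933) are assumptions, so adjust them to the actual install.

```powershell
# Added example, not from the thread: audit the posture the posts above object to.
# Assumptions: the listener cert is in Cert:\LocalMachine\My and the listening port is
# Tentacle's documented default (10933); change $Port/$StorePath to match the install.
param(
    [int]$Port = 10933,
    [string]$StorePath = 'Cert:\LocalMachine\My',
    [int]$MaxValidityYears = 5
)
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Check, $Item, $Issue) {
    $findings.Add([pscustomobject]@{ Check = $Check; Item = $Item; Issue = $Issue })
}

# 1. Certificate hygiene: SHA-1 signature, absurd validity window, self-issued (no chain to validate).
foreach ($cert in Get-ChildItem -Path $StorePath) {
    $issues = @()
    if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1') { $issues += 'SHA-1 signature' }
    $years = ($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25
    if ($years -gt $MaxValidityYears) { $issues += ('valid for {0:N0} years' -f $years) }
    if ($cert.Subject -eq $cert.Issuer) { $issues += 'self-issued; thumbprint pinning is the only check' }
    if ($issues) { Add-Finding 'Certificate' "$($cert.Subject) [$($cert.Thumbprint)]" ($issues -join '; ') }
}

# 2. Exposure and privilege: what listens on the port, as which account, and from where it is reachable.
$listener = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue | Select-Object -First 1
if ($listener) {
    $svc = Get-CimInstance Win32_Service -Filter "ProcessId = $($listener.OwningProcess)"
    if ($svc -and $svc.StartName -eq 'LocalSystem') {
        Add-Finding 'Service' $svc.Name 'listener runs as LocalSystem'
    }
    $rules = Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq "$Port" } | Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
    foreach ($rule in $rules) {
        if (($rule | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any') {
            Add-Finding 'Firewall' $rule.DisplayName "port $Port reachable from any address; scope it to the vendor's published ranges"
        }
    }
}

# 3. Host role: Win32_ComputerSystem.DomainRole 4/5 = backup/primary domain controller.
if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4) {
    Add-Finding 'Host' $env:COMPUTERNAME 'domain controller: LocalSystem here is domain-wide control'
}

if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No findings.' }
```

Run it in an elevated session on the target server; the firewall and service checks need administrator rights to enumerate rules and owning processes.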