|
BangersInMyKnickers posted:drat, I get not supporting every latest curve or whatever but 25519 is 13 years old and the NIST curves are from what, 1996?
|
#
?
Sep 17, 2018 22:45
|
|
|
|
| # ? Apr 18, 2024 03:00 |
|
|
To be honest, I’m probably being too hard on them, since 25519 was only added to the IPsec RFCs less than two years ago. That said, it’s been supported by browsers at least that long, and it hasn’t been a TLS RFC until a few months ago (just before TLS 1.3 was released), only a draft until then. It’s a much better curve than the NIST ones, both because of its technical merits and its design documents.
|
|
#
?
Sep 18, 2018 02:11
|
|
|
anthonypants posted:Some people are working on a new Linux kernel crypto API called zinc, who just so happen to be the same folks who brought you WireGuard, and among the patches are Curve25519 implementations. But it's very new, so I wouldn't expect to see it for a while.
|
|
#
?
Sep 18, 2018 03:44
|
|
|
EVIL Gibson posted:This was brought up earlier and it's mainly because the guy making Wireguard is forcing zinc to be implemented to make Wireguard a thing. The fact that it's turning into a direct-access for the already-existant software implementations rather than a completely parallel implementation speaks volumes.
|
|
#
?
Sep 18, 2018 05:41
|
|
|
We hired a Senior Security Engineer back in March, he comes in and shits all over Qradar and gets execs to buy Splunk and lets our Qradar instance run itself into the ground. Splunk is, surprise, not done and he announced he is leaving the company and taking a new position. I'm just laughing at my boss because my team member and I told him this guy was not a good idea as he came from a military police background, openly said he was gunning to be a manager and was just not a good fit. Since he was ex military though our CIO/VP were drooling over him because they're your typical middle age American white guys. Now we have an unfinished Splunk implementation not even ingesting half our logs and nobody who knows how to run it effectively while we let Qradar, the thing we analysts knew how to operate, lapse on renewal. Thankfully I just had the "I need a promotion and raise" talk two weeks ago and it was already on track so my stock is only going up as I am now the most tenured team member who actually does their poo poo and shows up reliably. Gonna be a lot of poo poo work learning Splunk and implementing it fully in the coming months while keeping all the other plates spinning but it feels drat good to be right about my initial and continued appraisal of the guy. FlyingCowOfDoom fucked around with this message at 00:23 on Sep 19, 2018 |
|
#
?
Sep 18, 2018 16:51
|
|
|
Boy does that sound familiar as all hell. 4 1/2 years ago I was a forensics hire when a jackass ex-marine "senior security engineer" decided to pull QRadar and implement Splunk. Now I'm an "expert" splunk consultant and know more than I care to about this lovely rear end product. It can be done and utilized in a Security fashion (especially without Enterprise Security, don't buy that poo poo its worthless) well, especially if someone is there to care and feed it. But it takes a lot of work, and you have to wade through the koolaide drinking bullshit that Splunk puts out to do so. Speaking of which, Splunk .conf 2018 is at Disney World in 2 weeks (Oct 1-4). See if they'll let you go ride rides and take Splunk Classes.
|
|
#
?
Sep 19, 2018 02:33
|
|
|
Newegg got completely pwned Hey guys, you know what would make the web work so much better? If we built our security-critical websites with a bazillion cloud services such that every transaction connects to 100 external web servers, most of which we don't own and change with sufficient frequency that we don't even effectively audit them. Just pile that poo poo on there. In fact we should make that cloud so critical that if our customers try to improve their own security, by for example locking down their browser so it doesn't load or send data to random web servers, the site will break!
|
|
#
?
Sep 20, 2018 15:56
|
|
|
That's what happens when you have all your services listening on 0.0.0.0 https://twitter.com/viss/status/1042453549806870528 anthonypants fucked around with this message at 16:02 on Sep 20, 2018 |
|
#
?
Sep 20, 2018 16:00
|
|
|
Well, there but for the grace of God and Newegg’s inflated prices on Pi parts go I. Would the harvesting be prevented by using PayPal in that case? I think PayPal does the transfer themselves, right?
|
|
#
?
Sep 20, 2018 16:16
|
|
|
Yes, that would protect you.
|
|
#
?
Sep 20, 2018 16:24
|
|
|
I can't take this PCI audit anymore. Six months of auditing is too god drat long for everybody to pass their laundry list of blunders over to InfoSec because we're responsible for everything in the end. I just want to die.
|
|
#
?
Sep 20, 2018 17:40
|
|
|
Diametunim posted:I can't take this PCI audit anymore. Six months of auditing is too god drat long for everybody to pass their laundry list of blunders over to InfoSec because we're responsible for everything in the end. I just want to die. Auditing is a huge part of infosec? Crazy
|
|
#
?
Sep 20, 2018 17:41
|
|
|
Diametunim posted:I just want to die. The true PCI experience. One of the auditors slipped me this one when I first met him. "You know what PCI stands for, right?" "Payment Ca--" "Pain Commences Immediately". "Ha ha, good joke" Yeah.. "joke"..
|
|
#
?
Sep 20, 2018 17:57
|
|
|
Diametunim posted:I can't take this PCI audit anymore. Six months of auditing is too god drat long for everybody to pass their laundry list of blunders over to InfoSec because we're responsible for everything in the end. I just want to die. That feeling of dread and gently caress-me is a big reason people usually go with third party payment processers. Removing the risk and no longer having to deal with audits is well worth the % take the third party takes. This is why you NEVER do a PCI self assessment and mark yourself as compliant because the company is most definitely unless they know they are. Do you know where in your network the payment processers and the external users are segregated. No? Oh, sweet summer child, you are most definitely not compliant in ways you cannot believe.
|
|
#
?
Sep 20, 2018 19:00
|
|
|
EVIL Gibson posted:That feeling of dread and gently caress-me is a big reason people usually go with third party payment processers. But..but thats 2%-4% of transaction monies not kept by us! *hand-waves the entire cost of the apparatus to BE PCI compliant*
|
|
#
?
Sep 20, 2018 19:10
|
|
|
EVIL Gibson posted:That feeling of dread and gently caress-me is a big reason people usually go with third party payment processers. I was so glad the day we switched to a platform that uses point 2 point encryption directly from pin pad to gateway. (Verifone Point). The card data is collected on the pad and sent directly to Verifone's gateway and then onto our processor from there. Card data never touches our POS system, the POS only gets a go/no-go status from the pad and that's it. Even manual card number entries have to be done on the pad itself. Each pad is individually authenticated and encrypted with its own certificate. Getting a new pad added requires the involvement of no less than 3 different companies (POS provider, Gateway provider, and processor) and several days if not weeks for them to order and setup the certificates, authorize the pad to the gateway, etc.. As the merchant we have zero access to any of this process, which is fine by me!
|
|
#
?
Sep 20, 2018 19:37
|
|
|
Consumers: "How could it possibly get worse than the newegg breach?!" Canada: hold my poutine https://www.privacyfly.com/articles/ncix_breach/
|
|
#
?
Sep 20, 2018 19:54
|
|
|
incoherent posted:Consumers: "How could it possibly get worse than the newegg breach?!" 
|
|
#
?
Sep 20, 2018 19:59
|
|
|
incoherent posted:Consumers: "How could it possibly get worse than the newegg breach?!" lmao https://www.eteknix.com/ncix-database-servers-sold-at-auction-without-being-wiped/ quote:Craigslist seller claiming to have NCIX’ Database servers for only $1500 CAD...“18 DELL Poweredge servers, as well as at least two Supermicro server’s running StarWind iSCSI Software that NCIX had used to back up their hard disks.”. quote:From what Doering saw, the computers contained various papers and documents. Some of which even belonged personally to NCIX founder Steve Wu. According to Doering, he found “data going back 13 years, financial documents, employment letters containing SIN numbers”. This even featured personal documents and images of Mr. Wu’s family mixed in with numerous private photos of high end escorts from mainland china.
|
|
#
?
Sep 20, 2018 20:00
|
|
|
Oh man that hurts my head
|
|
#
?
Sep 20, 2018 20:05
|
|
|
I guess I'm getting my CC replaced asap
|
|
#
?
Sep 20, 2018 20:06
|
|
|
I bet the NCIX infosec team bitched about their PCI audits too!
|
|
#
?
Sep 20, 2018 20:08
|
|
|
Subjunctive posted:I bet the NCIX infosec team bitched about their PCI audits too! If you've ever worked for a company ran by a Chinese national there was no bitching. Just compliance. This makes perfect sense (even the mainland Chinese hookers). incoherent fucked around with this message at 20:20 on Sep 20, 2018 |
|
#
?
Sep 20, 2018 20:17
|
|
|
incoherent posted:If you've ever worked for a company ran by a Chinese national there was no bitching. Just compliance. This makes perfect sense (even the mainland Chinese hookers). I've seen places where their previous folks just checked all the boxes on the PCI forms "YES" and submitted them, merchant doesn't care. As long as the automated vulnerability scan comes back ok, you're good.
|
|
#
?
Sep 21, 2018 05:22
|
|
|
About 10 years ago, someone fraudulently used my credit card that I had on file at Newegg... on a Newegg purchase. It wasn't used anywhere else, and the purchase didn't show up on my Newegg account. I called Newegg to dispute it, they said "tough poo poo buddy, talk to your bank." So I did, and the bank did a chargeback. Haven't been back since. Luckily, there's a Microcenter close by, so I don't exactly miss them much. I always thought the circumstances were strange, but now...
|
|
#
?
Sep 21, 2018 05:35
|
|
|
Happy National Credit Freeze Day, my fellow Americans! 
|
|
#
?
Sep 21, 2018 07:00
|
|
|
https://twitter.com/mipsytipsy/status/1043293574815608833
|
|
#
?
Sep 22, 2018 02:23
|
|
|
Charity is straight up amazing, fwiw.
|
|
#
?
Sep 22, 2018 02:36
|
|
|
Anyone have any experience building remote testing appliances? Got a potential gig coming up that is asking for one. I was going to slap Ubuntu on an intel nuc or laptop and build it from there, maybe using an OpenVPN service or even an autossh script to autoconnect back to my lab on bootup. Didn't know if that was a good way to go about it or if I'm missing something obvious/easier. Full disk encryption might be a bit of a pain, but I suppose just handing the client a password and having them decrypt the disk isn't the worst thing in the world.
|
|
#
?
Sep 25, 2018 17:59
|
|
|
isn't this what browserstack (https://www.browserstack.com/live) basically is? Hell you could charge the gig your ~cloud~ costs and put it aws, at least it would be consistent for you across many gigs.
|
|
#
?
Sep 25, 2018 20:42
|
|
|
In other news, ncix data is now being actively exploited. I got this from when I bought something when they expanded to the US yearrrrs ago.quote:Hello!
|
|
#
?
Sep 26, 2018 00:11
|
|
|
incoherent posted:In other news, ncix data is now being actively exploited. I got this from when I bought something when they expanded to the US yearrrrs ago. Ah, fake blackmail. That’s a pretty clever use of stolen account info.
|
|
#
?
Sep 26, 2018 00:15
|
|
|
I'm scared of these damps, I just got dry
|
|
#
?
Sep 26, 2018 00:29
|
|
|
Mustache Ride posted:Boy does that sound familiar as all hell. 4 1/2 years ago I was a forensics hire when a jackass ex-marine "senior security engineer" decided to pull QRadar and implement Splunk. Now I'm an "expert" splunk consultant and know more than I care to about this lovely rear end product. It can be done and utilized in a Security fashion (especially without Enterprise Security, don't buy that poo poo its worthless) well, especially if someone is there to care and feed it. But it takes a lot of work, and you have to wade through the koolaide drinking bullshit that Splunk puts out to do so. Splunk shop here, leaving ArcSight for ES. They openly admit ES's out of the box content is still poo poo that hasn't been touched in years. Our ArcSight environment is a garbage fire not because of the product (there's definite problems with the product) but because of the processes and group charged with having to maintain it over the years it's been here. Funnily enough, the same group is charged with maintaining Splunk, guess how well that has gone. I'm going to .conf, they are having the theme park night at ... Universal.
|
|
#
?
Sep 26, 2018 20:15
|
|
|
Has anyone done a POC with Apache Metron? I’m genuinely curious about it but I don’t have the time or manpower to deep dive.
|
|
#
?
Sep 27, 2018 03:35
|
|
|
https://twitter.com/mikko/status/1045280662981431297
|
|
#
?
Sep 27, 2018 13:27
|
|
|
What the gently caress is going on in the image associated with that story? Is it...someone in a mouse suit on the floor in a dark kitchen? 
|
|
#
?
Sep 27, 2018 16:51
|
|
|
I just assume someone went to a stock photo service and said "I need something creepy"
|
|
#
?
Sep 27, 2018 17:20
|
|
|
isn't a bear the "mascot" someone came up with for that APT team or whatever?
|
|
#
?
Sep 27, 2018 17:32
|
|
|
|
| # ? Apr 18, 2024 03:00 |
|
|
BangersInMyKnickers posted:isn't a bear the "mascot" someone came up with for that APT team or whatever?
|
|
#
?
Sep 27, 2018 17:34
|
|