FlapYoJacks
Feb 12, 2009

mystes posted:

Honestly if they don't understand this part already and they're supposed to be doing a security audit you're hosed anyway.

They are so blindingly stupid I don't even know where to begin. At this point we are including the CTO so he can give his personal OK on this.

The other problem they don't seem to grasp is that every server has a different private key (because I'm not a god damned moron.) So either we give them 20+ private keys, or we change the private key on all of our servers to THE SAME PRIVATE KEY.


Methanar
Sep 26, 2013

by the sex ghost

mystes posted:

Honestly if they don't understand this part already and they're supposed to be doing a security audit you're hosed anyway. There's probably no point trying to explain it to them.

Tell them their services won't be necessary as they are clearly unable to identify bad practices.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

ratbert90 posted:

They are so blindingly stupid I don't even know where to begin. At this point we are including the CTO so he can give his personal OK on this.

The other problem they don't seem to grasp is that every server has a different private key (because I'm not a god damned moron.) So either we give them 20+ private keys, or we change the private key on all of our servers to THE SAME PRIVATE KEY.

Do you guys have a CISO? Because yeah, I'd wash my hands of dealing with them and tell my C level I wouldn't be responsible for that poo poo show.

MononcQc
May 29, 2007

lmao get you an audit company that knows their poo poo, they have proven they're not competent enough to help you and whatever poo poo they run would be a liability

FlapYoJacks
Feb 12, 2009

MononcQc posted:

lmao get you an audit company that knows their poo poo, they have proven they're not competent enough to help you and whatever poo poo they run would be a liability

Audit companies are all poo poo. I haven't run into a single one that is competent.

A year ago we were going to have an audit on a new product, so I purposefully put selinux in permissive mode just to see if they caught it. They did not.

When I asked them why, the "lead security expert" stammered for a bit and then said "The scanner doesn't scan for SELinux."

They are all so dumb and bad.

Mustache Ride
Sep 11, 2001



The fact that they're using Alienvault just shows they're pretty crappy on the scale of 0-"can competently access secure systems"

Carbon dioxide
Oct 9, 2012

This poo poo absolutely wouldn't be allowed in the Information Security Policy at my job. In this case the company would probably decide, with the CISO's approval, to stop all cooperation with this audit company.

ErIog
Jul 11, 2001

:nsacloud:

ratbert90 posted:

Audit companies are all poo poo. I haven't run into a single one that is competent.

A year ago we were going to have an audit on a new product, so I purposefully put selinux in permissive mode just to see if they caught it. They did not.

When I asked them why, the "lead security expert" stammered for a bit and then said "The scanner doesn't scan for SELinux."

They are all so dumb and bad.

Yeah, this is why the person asking for the private key doesn't know what they're doing. It's security auditing sold the same way all lovely B2B stuff is sold. They just want to sell a contract, have someone run the scanning software, send someone out with a list of "problems" and "vulnerabilities" generated by that software that can helpfully be fixed for $TEXAS per hour billed hours.

This happened to me a few years back. A person on their way out paid for a security audit, and my very first meeting at this new gig was the one where the vendor was delivering the list of vulnerabilities they had found. It was just an automated scan that found none of the actual vulns I knew existed at that point. The vendor was really confused because the person who hired them was really gung ho about it, and then I came in with "Let's think about this carefully and come up with a real security model that's based on real hardening of the infrastructure rather than trying to play whack-a-mole with random suspected vulns...."

Part of their scam was they would do these security "audits" for extremely cheap as a way of generating future work. So when I just took the report and said, "Thank you very much. I'll get right on addressing these and the other ones you didn't find," they were very sad.

ErIog fucked around with this message at 08:02 on Nov 8, 2019

abigserve
Sep 13, 2009

this is a better avatar than what I had before
It's pretty out of control how much money is being poured into security people that run Nessus, print out a report and go "all this stuff is broken. I will not propose any solutions but rather shoot down any that you propose."

evil_bunnY
Apr 2, 2003

Methanar posted:

Tell them their services won't be necessary as they are clearly unable to identify bad practices.
Why hasn't this happened yet is what I'm wondering. There's no world where sharing privkeys is OK.

MononcQc posted:

lmao get you an audit company that knows their poo poo, they have proven they're not competent enough to help you and whatever poo poo they run would be a liability
I too would like a pony

Soricidus
Oct 21, 2010
freedom-hating statist shill
easiest job ever. just send a form email

security audit status: FAILED
reason: you thought I was competent to audit you lmao

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

can someone quote the part of the post where the incompetent auditor was named so that we can avoid them?

Carthag Tuek
Oct 15, 2005

Times shall come,
times shall roll on,
generation shall follow generations' course



Subjunctive posted:

can someone quote the part of the post where the incompetent auditor was named so that we can avoid them?

its all the auditors, op

Jewel
May 2, 2009

absolutely wild bug in US telecom network last night. found a r/relationship_advice reddit post in which someone got a text from their boyfriend at 4am about some random poo poo that he claimed he didn't send, and wasn't on his phone. all the replies are like "actually I/a ton of people all over twitter also got a text early last night" and after drilling into it people figured out the texts were all either duplicates or unsent texts from February 14 in specific. what the ffffffuck lol how can this happen

quote:

According to a post from 92 Moose, an FM radio station in Maine, U.S. Cellular confirmed that the ghost texts are the result of a glitch in telecommunications infrastructure, specifically to the "cross carrier messaging system," which is a joint venture that the four major phone carriers committed to in late October.

prisoner of waffles
May 8, 2007

Ah! well a-day! what evil looks
Had I from old and young!
Instead of the cross, the fishmech
About my neck was hung.
somewhere a thread got unstuck and started processing its long-stalled queue, lol

Carthag Tuek
Oct 15, 2005

Times shall come,
times shall roll on,
generation shall follow generations' course



yea at an old job we had a customer email receipt queue get stuck like that

i remember we discussed whether to just shitcan the emails or force them through (they were a year+ old iirc). i think we dumped them cause we didnt want to deal with all the customers freaking out

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.

https://gizmodo.com/why-are-people-suddenly-getting-mysterious-text-message-1839702950 posted:

During an internal maintenance cycle last night, 168,149 previously undelivered text messages were inadvertently sent to multiple mobile operators’ subscribers.

“We apologize to anyone who was impacted by this occurrence,” said William Hurley, Chief Marketing and Product Officer, Syniverse. “While the issue has been resolved, we are in the process of reviewing our internal procedures to ensure this does not happen again, and actively working with our customers’ teams to answer any questions they have.”

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

quote:

William Hurley, Chief Marketing and Product Officer, Syniverse

:frog:

FlapYoJacks
Feb 12, 2009
So far this morning the Auditors have yet to respond back to us on the email chain. :allears:

prisoner of waffles
May 8, 2007

Ah! well a-day! what evil looks
Had I from old and young!
Instead of the cross, the fishmech
About my neck was hung.
“this is so unreasonable we think you’re trying to get us to fail the audit by agreeing to it” is great and hilarious

geonetix
Mar 6, 2011


Carbon dioxide posted:

This poo poo absolutely wouldn't be allowed in the Information Security Policy at my job. In this case the company would probably decide, with the CISO's approval, to stop all cooperation with this audit company.

in a real company the CISO would be told by the ceo or cfo that the exercise is not for security but commercial reasons and just “fix it” when it’s over

Shaggar
Apr 26, 2006
we had some decent SOC2 auditors in the sense that they understood their role was largely a checkbox on our future RFPs but they made it as painless as possible and did a lot of good work around process documentation and let me push through a bunch of security reforms.

fireeye did a pen test for us and they were great. i wish i could get more buy in from management to do more of that kind of stuff but its so expensive because its actually worthwhile.

Winkle-Daddy
Mar 10, 2007
the worst is when you have to start going to seminars to learn secure coding from places that...don't teach much. "Here, let's exploit winamp with a bitflip in a skin, see how that worked in windbg? good, now, don't code like that!" Hope that was money well spent! It was fun, though, for me, the person not paying to make our software more secure.

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug
yeah the more low level something is the more useless it is, certifications that are about policies and procedures and making sure they get followed are mostly good, certain about like lmao here’s how to gently caress up in c so simply don’t do that are of course worthless

FlapYoJacks
Feb 12, 2009

prisoner of waffles posted:

“this is so unreasonable we think you’re trying to get us to fail the audit by agreeing to it” is great and hilarious

It’s hilarious and also very true. I think they got upset at that.

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'

prisoner of waffles posted:

“this is so unreasonable we think you’re trying to get us to fail the audit by agreeing to it” is great and hilarious

Progressive JPEG
Feb 19, 2003

prisoner of waffles posted:

this is so unreasonable we think you’re trying to get us to fail the audit by agreeing to it

also a great thread title imho

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug

Progressive JPEG posted:

also a great thread title imho

SecFuck M/T v18.3.11 - “fail the audit by agreeing to it”

CRIP EATIN BREAD
Jun 24, 2002

Hey stop worrying bout my acting bitch, and worry about your WACK ass music. In the mean time... Eat a hot bowl of Dicks! Ice T



Soiled Meat
lmao that exchange reminds me when we were handing off a project to a client (they wanted to stop paying us $X/month to manage their poo poo and so they hired 2 dudes for $12/hr to do it in-house), so I asked their team to send me their public keys to add them to the servers.

immediately they both sent me their private keys, in plain-text ascii, unencrypted, over gmail.

i blew up immediately and sent an email to everyone and poo poo on them and warned the company that if this is the kind of poo poo they're doing on day 1 it's going to be a disaster by end of the week.

they eventually sent new public keys instead.

by day 4, they were panicking, calling my cell phone at 5:30pm because they were having an issue and their dudes had hosed up 2 servers somehow, and didn't know how to fix it. i didn't answer any of my calls, because they weren't paying for managed service anymore and they were on their own.

eventually they started paying us to manage their poo poo AND still had the 2 guys they were paying $12/hr who could do things like "restart a service".

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.

heavy metal posted:

The Titanium APT has a very complicated infiltration scheme. It involves numerous steps and requires good coordination between all of them. In addition, none of the files in the file system can be detected as malicious due to the use of encryption and fileless technologies. One other feature that makes detection harder is the mimicking of well-known software.

Schadenboner
Aug 15, 2011

by Shine

Cocoa Crispies posted:

SecFuck M/T v18.3.11 - “fail the audit by agreeing to it”

mystes
May 31, 2006

Catch 22/tcp: fail the audit by agreeing to it

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'

mystes posted:

Catch 22/tcp: fail the audit by agreeing to it

and if you refuse it, you're declared insecure

FlapYoJacks
Feb 12, 2009
The conclusion is this: we were forced to create a user on each server into which we will dump their public key. Once the audit is done we will remove the user immediately along with their lovely key. And I do mean immediately. We will be logged into the server while the audit is being run, and will be deleting the user IMMEDIATELY as soon as they are done.
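An added example, not from any poster in this thread, of how the "temporary user holding their public key, deleted the moment the audit ends" approach above can be scripted, while also refusing private-key material outright (the failure mode from the client handoff story earlier in the thread). The account name, scanner address and key line are constructed placeholders; `useradd`, `userdel` and `date -d` are the GNU/shadow-utils tools.

```shell
#!/bin/sh
# Added example (not from the thread): provision a short-lived, restricted
# account for an auditor's PUBLIC key and tear it down when the audit ends.
# Private-key material is refused. All values below are constructed.

# Accept only a single OpenSSH public-key line; anything that looks like a
# private key (PEM or OpenSSH format) or is not a known key type is rejected.
is_public_key() {
  case "$1" in
    *"PRIVATE KEY"*) return 1 ;;
    ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|sk-ssh-ed25519@openssh.com\ *) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the authorized_keys entry: usable only from the auditor's scanner
# address, with no agent, port or X11 forwarding. Emits exactly one line.
restricted_line() {  # restricted_line <scanner-ip> "<pubkey line>"
  printf 'from="%s",no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# Create the account with a hard expiry date (useradd -e, YYYY-MM-DD) so it
# disables itself even if the cleanup step is forgotten. Needs root.
add_audit_user() {  # add_audit_user <user> <scanner-ip> "<pubkey line>"
  is_public_key "$3" || { echo "refusing: not an OpenSSH public key" >&2; return 1; }
  useradd -m -s /bin/bash -e "$(date -d '+1 day' +%F)" "$1" || return 1
  install -d -m 700 -o "$1" -g "$1" "/home/$1/.ssh"
  restricted_line "$2" "$3" > "/home/$1/.ssh/authorized_keys"
  chmod 600 "/home/$1/.ssh/authorized_keys"
  chown "$1:$1" "/home/$1/.ssh/authorized_keys"
}

# Kill any live session, then delete the account and its home directory.
remove_audit_user() {  # remove_audit_user <user>
  pkill -KILL -u "$1" 2>/dev/null
  userdel -r "$1"
}
```

Run `add_audit_user` just before the scan starts and `remove_audit_user` the moment it finishes; the `-e` expiry is the backstop, not the cleanup.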

FlapYoJacks
Feb 12, 2009

Cocoa Crispies posted:

SecFuck M/T v18.3.11 - “fail the audit by agreeing to it”

BUG JUG
Feb 17, 2005



abigserve posted:

It's pretty out of control how much money is being poured into security people that run Nessus, print out a report and go "all this stuff is broken. I will not propose any solutions but rather shoot down any that you propose."

Don't dox my side hustle bro.

Soricidus
Oct 21, 2010
freedom-hating statist shill

ratbert90 posted:

The conclusion is this: we were forced to create a user on each server into which we will dump their public key. Once the audit is done we will remove the user immediately along with their lovely key. And I do mean immediately. We will be logged into the server while the audit is being run, and will be deleting the user IMMEDIATELY as soon as they are done.

set the user’s login shell to print an ascii art goatse and then terminate

Powerful Two-Hander
Mar 10, 2004

Mods please change my name to "Tooter Skeleton" TIA.


prisoner of waffles posted:

“this is so unreasonable we think you’re trying to get us to fail the audit by agreeing to it” is great and hilarious

i say this to auditors all the time, oh you want me to send you data to complete your audit? as per policy I will need you to provide written authorisation from the data owner, otherwise it could be an audit issue!

fins
May 31, 2011

Floss Finder

quote:

In response to this request, the C&C answers with a PNG file that contains steganographically hidden data. This data is encrypted with the same key as the C&C requests. The decrypted data contains backdoor commands and arguments for them.


refleks
Nov 21, 2006



ratbert90 posted:

The conclusion is this: we were forced to create a user on each server into which we will dump their public key. Once the audit is done we will remove the user immediately along with their lovely key. And I do mean immediately. We will be logged into the server while the audit is being run, and will be deleting the user IMMEDIATELY as soon as they are done.

how many C-levels did you get to sign off on this poo poo so it's not your rear end on the line
