BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

my attitude is that they are all a joke so we might as well go with a cheap one that isn't a pain in the rear end to run like SEP. Maybe something that logs all process execution so I can shove that in the siem and do some real work since they won't let me do a global rollout of sysmon


BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

I'm sick and tired of hearing about EDR and threat hunting when I don't even have the staffing to install the current poo poo on half the assets we own

The Fool
Oct 16, 2003


sep is actively harmful to your security

Shaggar
Apr 26, 2006

BangersInMyKnickers posted:

my attitude is that they are all a joke so we might as well go with a cheap one that isn't a pain in the rear end to run like SEP. Maybe something that logs all process execution so I can shove that in the siem and do some real work since they won't let me do a global rollout of sysmon

I will add process monitoring as an addon to Checkbox for $1 per machine

DrPossum
May 15, 2004

i am not a surgeon
this is cool and awesome (unironically this is also a good walkthrough on spying on local encrypted traffic)

quote:

Wacom drawing tablets track the name of every application that you open

https://robertheaton.com/2020/02/05/wacom-drawing-tablets-track-name-of-every-application-you-open/

CmdrRiker
Apr 8, 2016

You dismally untalented little creep!

DrPossum posted:

this is cool and awesome (unironically this is also a good walkthrough on spying on local encrypted traffic)


https://robertheaton.com/2020/02/05/wacom-drawing-tablets-track-name-of-every-application-you-open/

quote:

Disclaimer: I haven’t asked Wacom for comment about this story because I’m not a journalist and I don’t know how to do that.

So far so good.

Powerful Two-Hander
Mar 10, 2004

Mods please change my name to "Tooter Skeleton" TIA.


lmao



security fuckup megathread - Rick

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

The Fool posted:

sep is actively harmful to your security

https://twitter.com/taviso/status/732365178872856577?s=20

crazypenguin
Mar 9, 2005
nothing witty here, move along

Shame Boy posted:

i made a quick diagram because i feel like i'm not very good at explaining

The problem you've got here is that you're having your customers' tablets trust your root, but then having that root sign all the customers' keys.

So your customers' tablets would trust not just their own, but all other customers' keys, via your root. Poof, no more security.

I don't know how this is supposed to make anything easier. Instead of having to add the cert their server generates, they have to add your root cert. Whatever, that still makes them add a cert, right?

redleader
Aug 18, 2005

Engage according to operational parameters
computers are an utter joke and society should never have trusted even the simplest, least important thing to them

ZeusCannon
Nov 5, 2009

BLAAAAAARGH PLEASE KILL ME BLAAAAAAAARGH
Grimey Drawer

BangersInMyKnickers posted:

I'm sick and tired of hearing about EDR and threat hunting when I don't even have the staffing to install the current poo poo on half the assets we own

Fuuuck do i feel this. I feel this in my goddamn bones.

big shtick energy
May 27, 2004



lol they should've used certificate pinning for sending their spyware data

Mr.Radar
Nov 5, 2005

You guys aren't going to believe this, but that guy is our games teacher.
FYI for people who care about SSL/TLS configurations, the Qualys SSL Labs tester is now marking servers that offer TLS 1.0 and 1.1 as grade "B" at most. if you want to get an "A" grade you will need to serve only TLS 1.2 and above. this is in line with the latest TLS configuration recommendations from Mozilla which also recommend TLS 1.2 as the minimum supported version (configuration generator matching those recommendations here). also, all of the major browser vendors have announced they are disabling TLS 1.0 and 1.1 by default in the first half of this year so make sure your servers enable at least 1.2 if not 1.3.

Qtotonibudinibudet
Nov 7, 2011



Omsk dipshit, tell me, are you a junkie? It's just that I also live somewhere around there, we could do drugs together
if nothing else i'll give the iowa app devs kudos for using auth0

i deal with a lot of customers in the "trying to leave legacy tech paradigms behind" space and i swear to god if i have to deal with one more fucker that tries to cobble together a bespoke authn/authz system out of jwts prayers and duct tape i will start stabbing people

oidc and oidc-capable identity providers may not be perfect but that doesn't mean you're going to somehow fare better trying to slowly reinvent it poorly

evil_bunnY
Apr 2, 2003

infernal machines posted:

it's bad, but i'm reasonably sure if someone leaked diebold's voting machine implementation it too would be on the level of babby's first burp and fart piano apk
i think you’ll struggle to find infosec people who disagree with you

Qtotonibudinibudet
Nov 7, 2011



Omsk dipshit, tell me, are you a junkie? It's just that I also live somewhere around there, we could do drugs together

Mr.Radar posted:

FYI for people who care about SSL/TLS configurations, the Qualys SSL Labs tester is now marking servers that offer TLS 1.0 and 1.1 as grade "B" at most.

if you serve TLS 1.0 in tyool 2020 (nobody cares about 1.1; the set of devices that support 1.1 but not 1.2 is minuscule) you either do not care about your TLS configuration or do not care what Qualys has to say about it.

godspeed all you unfortunate souls in the latter category with large enough customer bases using Android <=4.x and XP still

ewiley
Jul 9, 2003

More trash for the trash fire

BangersInMyKnickers posted:

work made me give my contact info to every AV company in the top half of the gartner quadrant bs and I am in absolute hell

Oh man I feel your pain, I spoke at a trade show for my company and holy hell the vendors are wall to wall email and calling. Motherfuckers i have no use for any of your products.

Also just use Defender, there’s literally no other AV on windows that is worth paying for.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

ewiley posted:

Oh man I feel your pain, I spoke at a trade show for my company and holy hell the vendors are wall to wall email and calling. Motherfuckers i have no use for any of your products.

Also just use Defender, there’s literally no other AV on windows that is worth paying for.

yeah I am pulling for defender but the only way I'm getting approval for that is with ATP because they demand some kind of centralized visibility. E3 licensing doesn't include it and I doubt we're going to E5 so it's an extra bolt-on that I might not be able to afford

fins
May 31, 2011

Floss Finder

quote:

the app was built in several months at a cost of $63,182.

drat!

SAVE-LISP-AND-DIE
Nov 4, 2010
How much of a shitshow is it to sign JWTs with a plain old pub/priv key pair, no CA involved? As you may notice, I'm an idiot who has no idea what is going on.

Shaggar
Apr 26, 2006

BangersInMyKnickers posted:

yeah I am pulling for defender but the only way I'm getting approval for that is with ATP because they demand some kind of centralized visibility. E3 licensing doesn't include it and I doubt we're going to E5 so it's an extra bolt-on that I might not be able to afford

if Microsoft lowered the pricing on some of this stuff they would totally eliminate all competition

duz
Jul 11, 2005

Come on Ilhan, lets go bag us a shitpost


redleader posted:

computers are an utter joke and society should never have trusted even the simplest, least important thing to them

in picard when the lady romulan was explaining how romulans don't trust any form of machine intelligence and keep their computers simple i just kept nodding in agreement

haveblue
Aug 15, 2005



Toilet Rascal
thou shalt not make a machine in the likeness of a human mind

Powerful Two-Hander
Mar 10, 2004

Mods please change my name to "Tooter Skeleton" TIA.


haveblue posted:

thou shalt not make a machine in the likeness of a human mind

i mean yeah obviously have you seen what sort of idiots the human mind produces?

much better to get hopped up on space ritalin sapho juice

Shame Boy
Mar 2, 2010

DrPossum posted:

this is cool and awesome (unironically this is also a good walkthrough on spying on local encrypted traffic)


https://robertheaton.com/2020/02/05/wacom-drawing-tablets-track-name-of-every-application-you-open/

i just assume that this is what literally every program does if you leave that "send anonymous usage statistics to help make the program better!" box hidden deep within the settings menu checked

e: and also probably even if you uncheck it because they never thought anyone would uncheck it so they didn't test that

SAVE-LISP-AND-DIE posted:

How much of a shitshow is it to sign JWTs with a plain old pub/priv key pair, no CA involved? As you may notice, I'm an idiot who has no idea what is going on.

depends on what else you're doing with them, if it's just making an auth token that the same server which made the token needs to later validate for session-tracking reasons, it's probably fine.

ewiley
Jul 9, 2003

More trash for the trash fire

BangersInMyKnickers posted:

yeah I am pulling for defender but the only way I'm getting approval for that is with ATP because they demand some kind of centralized visibility. E3 licensing doesn't include it and I doubt we're going to E5 so it's an extra bolt-on that I might not be able to afford

What kind of visibility? If you’ve got SCCM, it manages the client pretty well with a few caveats (like not pulling logs centrally, no central quarantine, etc) but those are all pretty minor and could be easily picked up by windows log forwarding. Most requirements I’ve seen just care that scans happen and alerts are forwarded to a central console.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Shaggar posted:

if Microsoft lowered the pricing on some of this stuff they would totally eliminate all competition

they're probably terrified of the existing vendors pushing for an antitrust

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

ewiley posted:

What kind of visibility? If you’ve got SCCM, it manages the client pretty well with a few caveats (like not pulling logs centrally, no central quarantine, etc) but those are all pretty minor and could be easily picked up by windows log forwarding. Most requirements I’ve seen just care that scans happen and alerts are forwarded to a central console.

it's the log forwarding, really. We're super fragmented with 50+ domains that we're still trying to collapse down into one, and probably another 50% we don't even know about yet. No existing windows event forwarder infrastructure exists and trying to push stuff with GPOs will only hit a fraction of the clients. Whatever we use needs to be able to ship client logs to something central that we can dump into the siem without hassle or extra deployment poo poo

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'

I just forward all logs to the toilet

Shaggar
Apr 26, 2006

BangersInMyKnickers posted:

they're probably terrified of the existing vendors pushing for an antitrust

for sure, but I also imagine they make enough money on customers who can afford it.

evil_bunnY
Apr 2, 2003

BangersInMyKnickers posted:

yeah I am pulling for defender but the only way I'm getting approval for that is with ATP because they demand some kind of centralized visibility. E3 licensing doesn't include it and I doubt we're going to E5 so it's an extra bolt-on that I might not be able to afford
The point can be made that not having you chasing your loving tail on another product for 50% of your work hours is worth the money.

BangersInMyKnickers posted:

they're probably terrified of the existing vendors pushing for an antitrust
I mean it's this but also oligopoly pricing when you're on top of the market is good for quarterly reports.


BangersInMyKnickers posted:

it's the log forwarding, really. We're super fragmented with 50+ domains that we're still trying to collapse down into one, and probably another 50% we don't even know about yet.
Oh boy why are you still there when that's the situation and C-boys are nickel and diming you.

evil_bunnY fucked around with this message at 22:49 on Feb 6, 2020

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

evil_bunnY posted:

Oh boy why are you still there when that's the situation and C-boys are nickel and diming you.

retirement package is really really good and it stays at 40hrs a week. we just had major c-level churn so people are either new or a fill-in while they candidate search so I get to ride this horse poo poo out until someone with some sense grabs the wheel

Mustache Ride
Sep 11, 2001



Are they willing to spend money? If so, Crowdstrike is my favorite POS advanced endpoint tool right now.

Achmed Jones
Oct 16, 2004



SAVE-LISP-AND-DIE posted:

How much of a shitshow is it to sign JWTs with a plain old pub/priv key pair, no CA involved? As you may notice, I'm an idiot who has no idea what is going on.

that's fine from a security standpoint, sort of. the actual problem becomes one of orchestration, because everything consuming the JWT needs to trust the keypair. how do you scale that to multiple signers?

1. add another key to a hardcoded list of trusted keys
2. copy the keypair around
3. trust another keypair that signs the keys that actually do the signing

(1) obviously eventually falls down with scale, but can get you pretty far; (2) is terrible; (3) is a rudimentary CA

and of course you have to have a decent rotation and revocation workflow figured out for when a dev inevitably uploads a server's private key to github
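The setup Achmed Jones describes, worked through as an added example (my code, not anything posted in this thread): one issuer signs JWTs with a plain P-256 key pair and no CA, and the consumer holds option (1), an explicit list of trusted public keys looked up by the token's kid header, with a Revoke call for the day a private key leaks. The names Signer, TrustStore, decodePart and the kid values are assumptions of this example; the token layout is the standard ES256 JWS form.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// header is the JOSE header; kid names the signing key so one verifier can
// hold several trusted signers without trying keys blindly.
type header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

// Signer is one issuer with its own P-256 key pair, no CA involved.
type Signer struct {
	Kid  string
	priv *ecdsa.PrivateKey
}

func NewSigner(kid string) (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	return &Signer{Kid: kid, priv: priv}, nil
}

func (s *Signer) Public() *ecdsa.PublicKey { return &s.priv.PublicKey }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// decodePart base64url-decodes one dot-separated JWT segment into v.
func decodePart(part string, v any) error {
	b, err := base64.RawURLEncoding.DecodeString(part)
	if err != nil { return err }
	return json.Unmarshal(b, v)
}

// Sign builds an ES256 JWS: b64url(header).b64url(claims).b64url(R||S).
func (s *Signer) Sign(claims map[string]any) (string, error) {
	h, _ := json.Marshal(header{Alg: "ES256", Kid: s.Kid})
	c, err := json.Marshal(claims)
	if err != nil { return "", err }
	input := b64(h) + "." + b64(c)
	digest := sha256.Sum256([]byte(input))
	r, sv, err := ecdsa.Sign(rand.Reader, s.priv, digest[:])
	if err != nil { return "", err }
	sig := make([]byte, 64) // JWS ES256: fixed-width 32-byte R then S, not ASN.1
	r.FillBytes(sig[:32])
	sv.FillBytes(sig[32:])
	return input + "." + b64(sig), nil
}

// TrustStore is option (1) from the post: an explicit list of trusted public
// keys by kid. Revoke drops a key so everything it ever signed stops verifying.
type TrustStore struct{ keys map[string]*ecdsa.PublicKey }

func NewTrustStore() *TrustStore { return &TrustStore{keys: map[string]*ecdsa.PublicKey{}} }

func (t *TrustStore) Trust(kid string, pub *ecdsa.PublicKey) { t.keys[kid] = pub }
func (t *TrustStore) Revoke(kid string)                    { delete(t.keys, kid) }

// Verify pins the algorithm (the token never gets to choose it), looks the key
// up by kid, checks the signature, and only then trusts the claims.
func (t *TrustStore) Verify(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	var h header
	if err := decodePart(parts[0], &h); err != nil || h.Alg != "ES256" {
		return nil, fmt.Errorf("bad header or unsupported alg %q", h.Alg)
	}
	pub, ok := t.keys[h.Kid]
	if !ok { return nil, fmt.Errorf("untrusted or revoked kid %q", h.Kid) }
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { return nil, errors.New("bad signature encoding") }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, sv := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, sv) { return nil, errors.New("signature invalid") }
	var claims map[string]any
	if err := decodePart(parts[1], &claims); err != nil { return nil, err }
	return claims, nil
}

func main() {
	a, _ := NewSigner("srv-a")
	ts := NewTrustStore()
	ts.Trust(a.Kid, a.Public())
	tok, _ := a.Sign(map[string]any{"sub": "alice"})
	fmt.Println(ts.Verify(tok))
	ts.Revoke(a.Kid) // the key leaked: every token it signed is now rejected
	fmt.Println(ts.Verify(tok))
}
```

Rotation falls out of the same table: trust the new key under a fresh kid, switch the signer to it, keep the old kid listed until the tokens it issued have expired, then revoke it. Adding a second signer is one more Trust call, which is exactly why this stays manageable for a handful of services and turns into a CA once the list has to be distributed to every consumer.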

Varkk
Apr 17, 2004

Captain Foo posted:

I just forward all logs to the toilet

Yes, I believe SEP was already mentioned.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Varkk posted:

Yes, I believe SEP was already mentioned.

SEP is six different toilets being poo poo into in rapid succession

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'

Symantec Enterprise Pooper

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

BangersInMyKnickers posted:

SEP is six different toilets being poo poo in to in rapid succession

Are they on the edge of a cliff?

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

you want to search through SEP logs? then you're going to have to ingest this loving mess



Each of those is a unique csv log feed with its own schema, zero adherence to anything resembling a common information model, and even basic attributes like the client container aren't consistent across them so you're doing join lookups all over the place to figure out who the gently caress owns the server that just got a doublepulsar IPS hit because the IPS logs will only tell you the hostname and IP address and nothing else

e: oh yeah and they'll screw with it and break your parser with every other update
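The join problem in the post above, as an added example (my code, not anything from the thread or from Symantec): two CSV feeds with unrelated schemas are mapped into one common record shape, the IPS event that only carries hostname and IP is joined to an inventory feed by normalized hostname to recover the owning group, and a renamed or dropped column surfaces as an error instead of silently shifting values into the wrong field. Both feeds are constructed for the example and are not real SEP output; the column names, hostnames, group paths and signature strings are all made up.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// Constructed sample of an IPS feed: it names the host and IP but not the
// owner, which is the gap the post complains about. Signature text is made up.
const ipsFeed = `"Event Time","Host Name","Local IP","Signature Name","Severity"
"2020-02-06 21:10:02","FS01","10.1.4.22","constructed-sig: SMB backdoor ping","Critical"
"2020-02-06 21:12:45","LT-4471","10.7.9.30","constructed-sig: web shell upload","Major"
`

// Constructed sample of a client inventory feed: different schema, different
// header style, and hostnames in a different case than the IPS feed uses.
const clientFeed = `computer_name,group_path,last_user
fs01,Corp/Servers/Finance,svc-backup
ws-0102,Corp/Workstations/HR,jdoe
`

// Event is the common information model both feeds are mapped into.
type Event struct {
	Time, Host, IP, Signature, Severity, OwnerGroup string
}

// parseCSV returns each data row as a map keyed by lower-cased header name, so
// fields are addressed by name and a renamed column shows up as missing instead
// of silently shifting values into the wrong field when the vendor changes it.
func parseCSV(data string) ([]map[string]string, error) {
	rows, err := csv.NewReader(strings.NewReader(data)).ReadAll() // enforces equal field counts
	if err != nil { return nil, err }
	if len(rows) == 0 { return nil, fmt.Errorf("empty feed") }
	var out []map[string]string
	for _, row := range rows[1:] {
		rec := map[string]string{}
		for i, name := range rows[0] {
			rec[strings.ToLower(strings.TrimSpace(name))] = row[i]
		}
		out = append(out, rec)
	}
	return out, nil
}

// pick fetches the named columns in order, failing if any is absent.
func pick(rec map[string]string, cols ...string) ([]string, error) {
	vals := make([]string, len(cols))
	for i, c := range cols {
		v, ok := rec[c]
		if !ok { return nil, fmt.Errorf("missing column %q", c) }
		vals[i] = v
	}
	return vals, nil
}

// normHost makes hostnames from different feeds comparable for the join.
func normHost(h string) string { return strings.ToLower(strings.TrimSpace(h)) }

// ClientOwners builds the lookup table: normalized hostname -> group path.
func ClientOwners(data string) (map[string]string, error) {
	recs, err := parseCSV(data)
	if err != nil { return nil, err }
	owners := map[string]string{}
	for _, rec := range recs {
		v, err := pick(rec, "computer_name", "group_path")
		if err != nil { return nil, fmt.Errorf("client feed: %w", err) }
		owners[normHost(v[0])] = v[1]
	}
	return owners, nil
}

// JoinIPSWithOwners maps IPS rows into Events and fills OwnerGroup from the
// lookup; a host the inventory has never seen is flagged, not dropped.
func JoinIPSWithOwners(data string, owners map[string]string) ([]Event, error) {
	recs, err := parseCSV(data)
	if err != nil { return nil, err }
	var events []Event
	for _, rec := range recs {
		v, err := pick(rec, "event time", "host name", "local ip", "signature name", "severity")
		if err != nil { return nil, fmt.Errorf("ips feed: %w", err) }
		e := Event{Time: v[0], Host: normHost(v[1]), IP: v[2], Signature: v[3], Severity: v[4], OwnerGroup: "unknown-host"}
		if g, ok := owners[e.Host]; ok {
			e.OwnerGroup = g
		}
		events = append(events, e)
	}
	return events, nil
}

func main() {
	owners, _ := ClientOwners(clientFeed)
	events, err := JoinIPSWithOwners(ipsFeed, owners)
	fmt.Printf("%+v\nerr=%v\n", events, err)
}
```

The "unknown-host" marker is deliberate: an IPS hit on a machine the inventory does not know about is itself the finding (the other 50% of domains nobody knew about), so it is kept and flagged rather than dropped by an inner join. Addressing columns by header name is what turns the "they broke my parser with an update" case into a loud ingestion error instead of a silently wrong owner field.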


Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'

Just had a conversation about how all av blows
