|
Axe-man posted:I just come here to watch what you all do behind the closed doors at the other side of the server room. it's this CyberPingu posted:Watch us Google whatever we are asked? E: what a lovely snipe After 10 months of complaining about it I'm finally getting the goahead to update our on prem virtualization environment, firewalls and ASAs. Say no to RCE CVEs from 2018! The Iron Rose fucked around with this message at 20:38 on Jun 25, 2020 |
#
?
Jun 25, 2020 20:36
|
|
Cat Army 
|
|
| # ? Apr 19, 2024 23:50 |
|
|
The Iron Rose posted:After 10 months of complaining about it I'm finally getting the goahead to update our on prem virtualization environment, firewalls and ASAs. Say no to RCE CVEs from 2018! Enjoy being the default scapegoat for any anomaly in the next few months.
|
|
#
?
Jun 25, 2020 21:54
|
|
|
The Iron Rose posted:it's this congratulations, each one of those is going to have 8.0+ CVEs by Christmas. all of your edge devices will have anonymous, unlogged RCEs
|
|
#
?
Jun 25, 2020 23:58
|
|
|
to secure your environment, you need to get one of these
|
|
#
?
Jun 26, 2020 00:00
|
|
|
Get down Mr. Trotsky!
|
|
#
?
Jun 26, 2020 00:59
|
|
|
Subjunctive posted:Enjoy being the default scapegoat for any anomaly in the next few months. Don't worry soon they will have a container for that soon.
|
|
#
?
Jun 26, 2020 01:00
|
|
Love when your av vendor uses terms like "expect decreased functionality"...
|
|
|
#
?
Jun 27, 2020 11:16
|
|
|
CyberPingu posted:Love when your av vendor uses terms like "expect decreased functionality"... I mean, I don't really know what show it's a still from so he might have a point? 
|
|
#
?
Jun 27, 2020 13:17
|
|
|
CyberPingu posted:Love when your av vendor uses terms like "expect decreased functionality"... Given that the best vendor-sourced AV is that which does nothing, unironically this.
|
|
#
?
Jun 27, 2020 13:40
|
|
|
I'd be fine if they meant "stops throwing false positives at every single program". But I have totally lost faith in this company so far.
|
|
|
#
?
Jun 27, 2020 14:32
|
|
|
Cylance is the worst, and their reporting is godawful.
|
|
#
?
Jun 27, 2020 15:57
|
|
The Iron Rose posted:Cylance is the worst, and their reporting is godawful. They also don't start working on new OS support until it's fully released. Saying and I quote "We don't get access to early OS builds from Apple" Bullshit.
|
|
|
#
?
Jun 27, 2020 16:02
|
|
|
CyberPingu posted:They also don't start working on new OS support until it's fully released. Is their motto "We like to hit the ground
|
|
#
?
Jun 27, 2020 16:54
|
|
Absurd Alhazred posted:Is their motto "We like to hit the ground "We like losing customers at a steady pace each year" "Also our whitelists are more of a suggestion and we will still block things that are on your whitelist"
|
|
|
#
?
Jun 27, 2020 16:57
|
|
|
Thanks for the advice everyone. The Zoom web client was a little janky, but it seemed to work for what I needed it to do and hopefully didn't leave too much poo poo on my actual system.
|
|
#
?
Jun 27, 2020 17:00
|
|
|
Absurd Alhazred posted:Is their motto "We like to hit the ground
|
|
#
?
Jun 27, 2020 17:57
|
|
|
Arivia posted:Thanks for the advice everyone. The Zoom web client was a little janky, but it seemed to work for what I needed it to do and hopefully didn't leave too much poo poo on my actual system. What exactly do you think running it in a web browser might have left on your system? Specifically I mean, excluding cookies and access tokens. Do you really think that it maliciously breached your browser’s sandbox and left malware on your machine? Caution is good! But think of the data flow, and recognize where your fears and concerns are rational, and where they may be less so.
|
|
#
?
Jun 27, 2020 18:15
|
|
|
The Iron Rose posted:What exactly do you think running it in a web browser might have left on your system? Specifically I mean, excluding cookies and access tokens. Do you really think that it maliciously breached your browser’s sandbox and left malware on your machine? It is only very recently that "join a meeting from your browser" meant anything other than "install a horribly hosed up browser extension that installs a permanent service that doesn't auto update". And for anyone who isn't on the latest versions of everything involved, it may still mean exactly that.
|
|
#
?
Jun 27, 2020 18:41
|
|
|
keseph posted:It is only very recently that "join a meeting from your browser" meant anything other than "install a horribly hosed up browser extension that installs a permanent service that doesn't auto update". And for anyone who isn't on the latest versions of everything involved, it may still mean exactly that. Yeah, most things I wouldn't worry about too much, but Zoom was known for breaking security models in and out of browsers even just by clicking on web links. My original post in this thread mentioned a stub application that got installed by clicking on a Zoom link awhile back.
|
|
#
?
Jun 27, 2020 18:45
|
|
|
Arivia posted:Yeah, most things I wouldn't worry about too much, but Zoom was known for breaking security models in and out of browsers even just by clicking on web links. My original post in this thread mentioned a stub application that got installed by clicking on a Zoom link awhile back. I actually missed that and made a bad assumption, so I need to walk back my earlier post. Your concerns are entirely valid and legitimate, mea culpa.
|
|
#
?
Jun 27, 2020 19:50
|
|
|
The Iron Rose posted:I actually missed that and made a bad assumption, so I need to walk back my earlier post. Your concerns are entirely valid and legitimate, mea culpa. Apology accepted, no worries. It's a reasonable criticism for the vast majority of web client concerns.
|
|
#
?
Jun 27, 2020 19:58
|
|
|
I don't think I'll be installing Tiktok (not that I had any desire to) https://www.boredpanda.com/tik-tok-reverse-engineered-data-information-collecting/ https://arstechnica.com/gadgets/2020/06/tiktok-and-53-other-ios-apps-still-snoop-your-sensitive-clipboard-data/
|
|
#
?
Jun 28, 2020 19:01
|
|
|
That was the last surprising news since Facebook said they didn't very political ads
|
|
|
#
?
Jun 28, 2020 19:10
|
|
|
FYI if you have Palo Altos configured to use SAML authentication - https://security.paloaltonetworks.com/CVE-2020-2021
|
|
#
?
Jun 29, 2020 16:23
|
|
|
rafikki posted:FYI if you have Palo Altos configured to use SAML authentication - https://security.paloaltonetworks.com/CVE-2020-2021 Youch, that's a good one.
|
|
#
?
Jun 29, 2020 17:43
|
|
|
I’m sure most orgs will throw that on the bi-annual patch schedule right away.
|
|
#
?
Jun 29, 2020 17:52
|
|
|
Martytoof posted:I’m sure most orgs will throw that on the biennial patch schedule right away. E: can't spell
|
|
#
?
Jun 29, 2020 18:31
|
|
|
My bus card’s website just updated and made everyone change their passwords. My new randomly generated password was too long, contained numbers, and contained more than one kind of special character, all of which had to be “fixed” for the website to accept it.
|
|
#
?
Jun 29, 2020 18:46
|
|
|
Arivia posted:My bus card’s website just updated and made everyone change their passwords. My new randomly generated password was too long, contained numbers, and contained more than one kind of special character, all of which had to be “fixed” for the website to accept it. Lmao, sounds like its being written straight to a DB.
|
|
#
?
Jun 29, 2020 19:23
|
|
|
rafikki posted:FYI if you have Palo Altos configured to use SAML authentication - https://security.paloaltonetworks.com/CVE-2020-2021
|
|
#
?
Jun 29, 2020 19:46
|
|
|
CommieGIR posted:Lmao, sounds like its being written straight to a DB. Based off of the way the form acted, I believe you’re correct. Wouldn’t surprise me if it’s stored in plaintext.
|
|
#
?
Jun 29, 2020 19:53
|
|
|
Arivia posted:Based off of the way the form acted, I believe you’re correct. Wouldn’t surprise me if it’s stored in plaintext. Almost guaranteed. Might even be able to see some of the SQL if you dig deep enough into the page front.
|
|
#
?
Jun 29, 2020 19:56
|
|
|
Pablo Bluth posted:I don't think I'll be installing Tiktok (not that I had any desire to) quote:In all, the researchers found the following iOS apps were reading users’ clipboard data every time the app was opened with no clear reason for doing so:
|
|
#
?
Jun 29, 2020 20:46
|
|
|
rafikki posted:FYI if you have Palo Altos configured to use SAML authentication - https://security.paloaltonetworks.com/CVE-2020-2021 This is so loving dumb Like how the gently caress does Palo Alto not give you the ability to explicitly trust a self-signed cert rather than just blanket not validate at all.
|
|
#
?
Jun 29, 2020 21:23
|
|
|
Also how is this a 10 https://twitter.com/tylerthecreator/status/285670822264307712 except sub "just walk away from the screen" with "just disable SAML auth"
|
|
#
?
Jun 29, 2020 21:25
|
|
|
Blinkz0rz posted:Also how is this a 10 That’s like saying “just go login with admin/admin”
|
|
#
?
Jun 29, 2020 21:27
|
|
|
The Fool posted:That’s like saying “just go login with admin/admin” a cvss score of 10 should be reserved for critical security issues with no remediation if you can turn the feature off it's not a critical vuln it's a choice
|
|
#
?
Jun 29, 2020 21:34
|
|
|
Blinkz0rz posted:a cvss score of 10 should be reserved for critical security issues with no remediation It's like if there were a bypass in Active Directory authentication and someone's response was "well then just unbind from the domain..." Sure, it is possible for *someone* to log in locally but that is not likely to be the person/people who normally need to log in to that machine. I mean sure, there are definitely environments out there where "just turn it off" is entirely acceptable because they don't actually need the SSO capabilities and are just using it for convenience or where people just don't need to make changes to the box regularly so it being temporarily limited to a few privileged users isn't a big deal, but there are also plenty where it's effectively mandatory for the intended workflow. edit: As far as the specific score, they do note that it's only a 10 in a worst case scenario. They call it a 9.6 in cases where the management interface is properly locked down and that fits with my fiddling around with the CVSS calculator here: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator wolrah fucked around with this message at 00:17 on Jun 30, 2020 |
|
#
?
Jun 30, 2020 00:09
|
|
|
I don’t think of sso as a convenience feature and haven’t for a long time.
|
|
#
?
Jun 30, 2020 00:17
|
|
|
|
| # ? Apr 19, 2024 23:50 |
|
|
I still have to educate IT middle management and project managers on that every week. Last week I was pulled into a SaaS rollout and discovered that the vendor of the application continues to allow direct password login after you federate with SAML. The data stored in this platform was rated a 9 out of 10 on their risk analysis. The vendor DEVELOPERS response when I asked them WTF they thought SSO was for? "Well it would be a lot of work to fix this so just tell your users to only use the SSO link". Yesterday I was doing some 1:1 requirements gathering with a business user about her request to archive documents in a shared mailbox. It was during this meeting I learned they had set up some SaaS for 10 users in her department but didn't tell us. "It's only 10 users we didn't think it was worth it". Nobody understands the point of SSO at my company.
|
|
#
?
Jun 30, 2020 16:47
|
|