|
Shaggar posted:ive moved as many services as possible to managed service accounts cause password management sucks That's what I want to do but nobody seems to know how do actually do it and I'm not allowed access to anything to find out. I didn't think they were dumb enough to just put the passwords on confluence though jfc e: gently caress it I'm gonna go talk to the weird AD guys about this because I'm sick of dealing with this I've also thrown the team doing this under a bus because they should know better Powerful Two-Hander fucked around with this message at 18:31 on Dec 15, 2021 |
#
?
Dec 15, 2021 18:28
|
|
|
|
| # ? Apr 25, 2024 15:59 |
|
|
Shaggar posted:ive moved as many services as possible to managed service accounts cause password management sucks Getting vendors to support gmsa's has been a nightmare though. It's such a good feature that most vendors can't handle because they suck at Windows services.
|
|
#
?
Dec 15, 2021 18:32
|
|
|
Powerful Two-Hander posted:That's what I want to do but nobody seems to know how do actually do it and I'm not allowed access to anything to find out. service accounts are pretty easy and the extra few steps you have to do for setup are absolutely worth it. the only real problem is if you run into a UI that doesnt support credentials without a password. The biggest problem being task scheduler. IIs and windows services dont have a problem with it tho. the other thing you need to remember is when granting access, service account object types are not selected by default in the standard windows account search UI. ewiley posted:Getting vendors to support gmsa's has been a nightmare though. It's such a good feature that most vendors can't handle because they suck at Windows services. ive found that even if they dont support it explicitly, many times you can force gmsas in there somehow. like if they install a windows service you can change the credentials after the fact in the normal windows UI.
|
|
#
?
Dec 15, 2021 18:40
|
|
|
the official microsoft docs for service accounts are incredibly verbose and have a bunch of stuff about security best practices unrelated to GMSAs. things like "for fucks sake dont give service accounts domain admin". thats not GMSA specific at all and its correct advice, but it inflates the docs which i think may put people off from using them cause its alot of reading. the reality is you set up the KDS root key once (may already be done): https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/create-the-key-distribution-services-kds-root-key and then you can start using new-ADServiceAccount to start creating accounts.
|
|
#
?
Dec 15, 2021 18:44
|
|
|
managed service accounts work to a point but the amount of software out there that cannot use them because of some development decision is just the worst
|
|
#
?
Dec 15, 2021 19:03
|
|
|
haveblue posted:the lack of payments will continue until security improves This is very good.
|
|
#
?
Dec 15, 2021 19:58
|
|
|
haveblue posted:the lack of payments will continue until security improves
|
|
#
?
Dec 15, 2021 20:08
|
|
|
Mr. Crow posted:https://www.npr.org/2021/12/14/1064247651/kronos-hack-paychecks 0.5 haveblue posted:the lack of payments will continue until security improves yes
|
|
#
?
Dec 15, 2021 21:38
|
|
|
Lain Iwakura posted:managed service accounts work to a point but the amount of software out there that cannot use them because of some development decision is just the worst this but also theyre a real pain in the rear end to set up, there needs to be a "new gmsa" button in aduc
|
|
#
?
Dec 15, 2021 22:24
|
|
|
30 TO 50 FERAL HOG posted:this but also theyre a real pain in the rear end to set up, there needs to be a "new gmsa" button in aduc eh it’s just a couple of PS commands, I like that they’re set and forget. OTOH not even all of Microsoft’s own services support them, you can’t restrict certificate issuer agents in ADCS using gmsas, which makes it difficult to run ADFS and WHFB with automatic cert issuance. Now I’ll grant that this is a corner of a corner case, but still
|
|
#
?
Dec 16, 2021 00:31
|
|
|
https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.htmlquote:
|
|
#
?
Dec 16, 2021 01:15
|
|
|
cinci zoo sniper posted:https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
|
|
#
?
Dec 16, 2021 01:25
|
|
|
cinci zoo sniper posted:https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html I'll be honest, I'm not smart enough to understand all of the technical bits of this, but "the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states," strikes me as an odd statement. Isn't NSO heavily associated with Mossad and IDF Intelligence? What reason is there to think they *wouldn't* have access to this level of sophistication? They basically are an extension of a technologically sophisticated nation state, unmoored of any of the pesky optics or diplomatic issues that come with managing cybersecurity for a nation state.
|
|
#
?
Dec 16, 2021 01:30
|
|
|
post hole digger posted:I'll be honest, I'm not smart enough to understand all of the technical bits of this, but "the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states," strikes me as an odd statement. Isn't NSO heavily associated with Mossad and IDF Intelligence? What reason is there to think they *wouldn't* have access to this level of sophistication? They basically are an extension of a technologically sophisticated nation state, unmoored of any of the pesky optics or diplomatic issues that come with managing cybersecurity for a nation state. If they're making exploits that are this crazy, then probably anyone with sufficient money can buy access to anything at any time (rather than just a couple countries) which kind of sucks.
|
|
#
?
Dec 16, 2021 01:33
|
|
|
i think “previously” is meant as “prior to thr existence of organizations like the nso group”, but it’s definitely unclear
|
|
#
?
Dec 16, 2021 01:35
|
|
|
one hell of a buried ledequote:JBIG2 doesn't have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own computer architecture and script that!? That's exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It's not as fast as Javascript, but it's fundamentally computationally equivalent. just casually building a CPU from scratch using a loving PDF image compression format
|
|
#
?
Dec 16, 2021 02:38
|
|
|
JOP: JBIG2 Oriented Programming
|
|
#
?
Dec 16, 2021 02:40
|
|
|
pseudorandom name posted:JOP: JBIG2 Oriented Programming can log4j run doom?
|
|
#
?
Dec 16, 2021 03:16
|
|
|
if you inject the right payload into the jvm then absolutely
|
|
#
?
Dec 16, 2021 03:17
|
|
|
https://twitter.com/landaire/status/1471173067703341061
|
|
#
?
Dec 16, 2021 03:22
|
|
|
easy there, quick draw
|
|
#
?
Dec 16, 2021 03:34
|
|
|
cinci zoo sniper posted:https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html voted 5
|
|
#
?
Dec 16, 2021 03:41
|
|
|
Jim Silly-Balls posted:can log4j run doom? https://twitter.com/gegy1000/status/1469714451716882434
|
|
#
?
Dec 16, 2021 08:32
|
|
|
CMYK BLYAT! posted:one hell of a buried lede this is sick as hell and also a great example of why computer security is impossible
|
|
#
?
Dec 16, 2021 09:05
|
|
|
redleader posted:this is sick as hell and also a great example of why computer security is impossible Just don't make your decoder turing-complete.
|
|
#
?
Dec 16, 2021 09:09
|
|
|
technically i think it isn’t turing complete because it’s single-pass through its instructions. they just gave it a shitload of instructions
|
|
#
?
Dec 16, 2021 09:18
|
|
|
still it’s worth noting that computer security can be a bit easier if your show_jpeg method is not allowed to functionally emulate a general-purpose programming language
|
|
#
?
Dec 16, 2021 09:20
|
|
|
rjmccall posted:technically i think it isn’t turing complete because it’s single-pass through its instructions. they just gave it a shitload of instructions a shitload of instructions that created a turing-complete virtual CPU that can rewrite its own memory, which i think means it's turing complete in a very convoluted way the same way like, conway's game of life is
|
|
#
?
Dec 16, 2021 10:35
|
|
|
If you can rewrite the decompressor's pointer to the next transformation it's supposed to apply, you can implement a loop, and then you have universal computation.
|
|
#
?
Dec 16, 2021 11:02
|
|
|
didn't some maniac write a CPU in Excel using Boolean operations and then, idk, cell colouring or something? E: actually maybe it was Factorio or one of those other autism simulator games Powerful Two-Hander fucked around with this message at 11:43 on Dec 16, 2021 |
|
#
?
Dec 16, 2021 11:37
|
|
|
it's one of the most complicated VMs to be found deployed in an exploit, but it's not that groundbreaking as a concept. the toolchain already exists commercially in the form of game drm it's just generalising the VM itself so that it can be redeployed given primitives created in a generic environment. creating the VM is where all the initial work went, and when given the primitives in the environment to work with it was ported across the barrier to doing this is cost to develop the vm in the first place, but the professional environment behind this means there isn't a single exploit writer from vuln to payload. each part is its own team that are r&ding techniques that can be used interoperably. the deployment of this just means they have enough financial and technical capital that they were confident they could replace the part in their chain when it was found now how they created the primitives is technically interesting and really what p0 are focusing on, but i wouldn't get starstruck at seeing a proprietary interpreter and scripting language deployed that's just a sign of how mature the tech is getting. the existence of this vm in their malware isn't news, i definitely recall hearing about it before just not analysed to the level p0 thankfully have and it's here that i realise no one ever cared about the distinction between vm and scripting environment in malware and it's just been used interchangably
|
|
#
?
Dec 16, 2021 11:40
|
|
|
"Turing Complete" is a really cool game
|
|
#
?
Dec 16, 2021 11:55
|
|
|
Wiggly Wayne DDS posted:it's one of the most complicated VMs to be found deployed in an exploit, but it's not that groundbreaking as a concept. the toolchain already exists commercially in the form of game drm it's just generalising the VM itself so that it can be redeployed given primitives created in a generic environment. creating the VM is where all the initial work went, and when given the primitives in the environment to work with it was ported across I think people are more impressed by the whole "built it out of PDF-image-compression-derived NAND gates like some hosed up minecraft redstone computer" thing than the "it has a scripting language" thing
|
|
#
?
Dec 16, 2021 12:06
|
|
|
Wiggly Wayne DDS posted:it's one of the most complicated VMs to be found deployed in an exploit, but it's not that groundbreaking as a concept. the toolchain already exists commercially in the form of game drm it's just generalising the VM itself so that it can be redeployed given primitives created in a generic environment. creating the VM is where all the initial work went, and when given the primitives in the environment to work with it was ported across idk.. linku your GitHub I guess?
|
|
#
?
Dec 16, 2021 12:10
|
|
|
would be cool to see what you've been doing to advance the state of the art
|
|
#
?
Dec 16, 2021 12:10
|
|
|
cinci zoo sniper posted:https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
|
|
#
?
Dec 16, 2021 12:41
|
|
|
Oh great, a novell netware 4 client running in a vm of windows 98 is considered a business critical component. 
|
|
#
?
Dec 16, 2021 12:42
|
|
|
Wiggly Wayne DDS posted:it's one of the most complicated VMs to be found deployed in an exploit, but it's not that groundbreaking as a concept. the toolchain already exists commercially in the form of game drm it's just generalising the VM itself so that it can be redeployed given primitives created in a generic environment. creating the VM is where all the initial work went, and when given the primitives in the environment to work with it was ported across
|
|
#
?
Dec 16, 2021 12:47
|
|
|
fins posted:Oh great, a novell netware 4 client running in a vm of windows 98 is considered a business critical component. elevator seeking yeah to the parking lot get me the gently caress outta here
|
|
#
?
Dec 16, 2021 14:55
|
|
|
|
| # ? Apr 25, 2024 15:59 |
|
|
Powerful Two-Hander posted:today I also learned that our support team (who are the ones that manage service accounts etc. Under "segregation of duties") have been storing the credentials in confluence so they didn't have to go ask the password vault owners for access every time it's impossible to find anything you don't already know the location of in Confluence so that seems pretty safe
|
|
#
?
Dec 16, 2021 14:59
|
|
