CommieGIR posted:So in other words there's zero impetus for the dev teams to actually write secure code. I would never ask a company to stop giving me paycheck.

Jan 19, 2023 18:28
|
Sickening posted:Our company's CTO (a person whose entire career has been this one company) has decided we are going against the grain. Security issues in code are no longer the burden of those writing the code. This stalls velocity. Those teams tasked with code security will fix the code themselves when security issues are found. lol and lmao

Jan 19, 2023 18:31
|
CLAM DOWN posted:lol and lmao He is also doing the same thing for infrastructure security and I have to say I am kind of pumped for the change. Your infrastructure somehow comes to life with bad security configuration despite the guardrails, it's going to get modified. It breaks? Can't stall velocity people.

Jan 19, 2023 18:35
|
I interviewed at a fintech place one time that offered me $40k for their "legacy support team" which meant working 6am to 4pm fixing whatever fires exploded in any software that "didn't currently have a maintenance team".

Jan 19, 2023 18:40
|
I love that security douches are supposed to write code. Love it.
|
Jan 19, 2023 18:56
|
CommieGIR posted:So in other words there's zero impetus for the dev teams to actually write secure code. And no incentive for the sec team to write working code. Just seesaw that poo poo.
|
Jan 19, 2023 19:05
|
Guy Axlerod posted:And no incentive for the sec team to write working code. Just seesaw that poo poo. Just encrypt the source code before compiling. Most secure software ever written!
|
Jan 19, 2023 19:31
|
Guy Axlerod posted:And no incentive for the sec team to write working code. Just seesaw that poo poo. Job security for everyone!
|
Jan 19, 2023 20:02
|
Guy Axlerod posted:And no incentive for the sec team to write working code. Just seesaw that poo poo. Even more, anything that makes it through will get blamed on the security team, not the dev team.

Jan 19, 2023 20:06
|
imagine being a security guy and being fired because you didn't catch a mistake your dev wrote into their spaghetti code lmao

Jan 19, 2023 20:32
|
I just had a dev team whose lovely product is actively being used in spam and malware attacks yell at me for not having a solution in hand when I alerted them to the problem before customers started complaining. They literally have a site where someone can upload whatever the hell they want to, which gets a URL with a GUID that they can capture by just viewing the source for the page. The public IP is showing up everywhere on threat intel lists, rightly so, and customers are now not able to hit the site.
|
Jan 19, 2023 20:37
|
Not sure if this is the best spot to ask, but I unfortunately have several services that my users are currently using a shared username and password for. None of these services use SSO, and several of them look like they were coded back when Geocities was still cool. Thankfully all of them use form login, instead of the ancient pop up auth box. None of them do a captcha either, which might help some. Is there a way to get some SSO-style "click link to sign into service" system in place for these websites? Ideally the user would go to our SharePoint site, see the table of useful links, click on a link, and via the magic of some 3rd party service, be redirected to the site already signed in.

Jan 20, 2023 03:01
|
Azure AD Application Proxy. e: link - https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy

Jan 20, 2023 03:13
|
https://maia.crimew.gay/posts/how-to-hack-an-airline/
|
Jan 20, 2023 05:29
|
My determination to never fly anywhere is still unchallenged
|
Jan 20, 2023 06:09
|
Today a member of one of our accounts payable teams, which has been stung multiple times by compromised vendor payment rerouting, mentioned that she avoided something weird the other day. See, a vendor emailed asking to change from us sending a check to ACH. The vendor got weirdly aggressive when it didn't happen enough, so AP person went to the vendor's public website, compared the address on the ACH to all available addresses for the company, and found that none matched. She immediately called our Project Manager who works with the vendor and told him to call the vendor at a number he had for them before the whole thing started and verbally figure out what was going on. Crisis averted in a way that (more or less) followed the policy I wrote for them the last time they gave away six figures. They can learn!
|
Jan 20, 2023 06:16
|
Silly Newbie posted:Today a member of one of our accounts payable teams, which has been stung multiple times by compromised vendor payment rerouting, mentioned that she avoided something weird the other day. See, a vendor emailed asking to change from us sending a check to ACH. The vendor got weirdly aggressive when it didn't happen enough, so AP person went to the vendor's public website, compared the address on the ACH to all available addresses for the company, and found that none matched. She immediately called our Project Manager who works with the vendor and told him to call the vendor at a number he had for them before the whole thing started and verbally figure out what was going on. Crisis averted in a way that (more or less) followed the policy I wrote for them the last time they gave away six figures. BUY LOTTERY TICKETS TONIGHT!
|
Jan 20, 2023 06:17
|
Silly Newbie posted:Today a member of one of our accounts payable teams, which has been stung multiple times by compromised vendor payment rerouting, mentioned that she avoided something weird the other day. See, a vendor emailed asking to change from us sending a check to ACH. The vendor got weirdly aggressive when it didn't happen enough, so AP person went to the vendor's public website, compared the address on the ACH to all available addresses for the company, and found that none matched. She immediately called our Project Manager who works with the vendor and told him to call the vendor at a number he had for them before the whole thing started and verbally figure out what was going on. Crisis averted in a way that (more or less) followed the policy I wrote for them the last time they gave away six figures. It feels good when the bad thing is prevented. It feels bad to know, in your soul, that if a full audit was performed RIGHT NOW, more than 6 figures has left the door and it's just not been noticed.

Jan 20, 2023 06:18
|
Sickening posted:It feels good when the bad thing is prevented. It feels bad to know, in your soul, that if a full audit was performed RIGHT NOW, more than 6 figures has left the door and it's just not been noticed. You're just a glass half full guy aren't you?

Jan 20, 2023 06:20
|
jaegerx posted:You're just a glass half full guy aren't you? I know you are enjoying this security money now (that doesn't stop), but you have just begun your journey to really be exposed to how loving dumb these big organizations are jfc. In November, I spoke to a finance person whose only job is to pay POs, who told me she has never questioned a PO that has crossed her desk. She probably pays more than 100m in POs in a given year. When her statement was brought up in conversation to her leaders, they didn't flinch. I feel more like the sheriff from "No Country for Old Men" every passing day of my life.

Jan 20, 2023 06:28
|
Sickening posted:It feels good when the bad thing is prevented. It feels bad to know, in your soul, that if a full audit was performed RIGHT NOW, more than 6 figures has left the door and it's just not been noticed. Thankfully, we aren't that big. When our vendors don't get paid (like someone got into their email environment and rerouted payment), they angrily call us and let us know. Not to say we don't have a fake invoice problem, but I'm still training finance to look for that.

Jan 20, 2023 06:31
|
Sickening posted:I know you are enjoying this security money now (that doesn't stop), but you have just begun your journey to really be exposed to how loving dumb these big organizations are jfc. I'm not quite sure I can drink more but I'll try for the money.

Jan 20, 2023 06:42
|
Silly Newbie posted:Thankfully, we aren't that big. When our vendors don't get paid (like someone got into their email environment and rerouted payment), they angrily call us and let us know. At this point, the apathy shown leads me to only two reasonable conclusions. There really is no financial benefit to care, or this is just common embezzlement that every company maintains because this is the normal C-suite grift. These finance folks are well paid, educated people. Their jobs (especially at accounts payable) seem to be no more complex than basic data entry.

Jan 20, 2023 07:15
|
Sickening posted:At this point, the apathy shown leads me to only two reasonable conclusions. There really is no financial benefit to care, or this is just common embezzlement that every company maintains because this is the normal C-suite grift. It must be the first one. At $Job-2 I had hired a consultancy to write up some documentation about how to do something tricky with our firewall and the DMZ. They invoiced us before turning over the documentation. Accounts Payable cut them a $2750 check. To nobody's surprise, we never got that documentation. Given that my boss was micromanaging me to keep going back to nitpick and chisel at the contract, I don't blame them.

Jan 20, 2023 07:57
|
So basically I find the accounting department. Send them a txt I need 10k in $500 Apple Cards and it works? My mom is 67 and doesn't fall for that poo poo

Jan 20, 2023 08:12
|
The Fool posted:AzureAd application proxy Buyers beware, Entra/AAD Premium P1 or P2 is required for Application Proxy.
|
Jan 20, 2023 13:23
|
P1/P2 is required for o365 Sign-in logs. There's no reason not to get it.
|
Jan 20, 2023 14:53
|
Sickening posted:I feel more like the sheriff from "No Country for Old Men" every passing day of my life. Good movie, but wasn't the final punchline of the movie that even Tommy Lee Jones was cattle like the rest of 'em?

Jan 20, 2023 16:50
|
SlowBloke posted:Buyers beware, Entra/AAD Premium P1 or P2 is required for Application Proxy. Yeah, stumbled across that, apparently we have been giving contractors E1/A1 licenses and were not including AAD P1. Lord almighty it's tough to keep track of M365 user licensing if you don't just give everyone Enough (imo) with E3/A3 and call it a day.

Jan 20, 2023 16:53

jaegerx posted:So basically I find the accounting department. Send them a txt I need 10k in $500 Apple Cards and it works? My mom is 67 and doesn't fall for that poo poo Unironically yes. If a C-suite wants thousands of dollars in gift cards to expense, we advise to confirm the requesting method or address; it is assumed to be for a conference or something. I'm sure a lot doesn't get checked and gets approved with the same momentum. Remember the Uber expenses leak?

Jan 20, 2023 20:37
|
Huh, my office just gave us all business 1Password accounts with the option to link to a personal account and 4 invites to a family plan. Probably a good thing since they also just bumped our minimum password length from 8 to 15. I'm already pretty much moved over to Bitwarden, but only a free account so far. Is there anything 1P does in paid features that is particularly awesome or unique to them? My only hesitation is that I don't want to get my whole family over on premium 1Password and then either I leave my current job or they just cancel their business plan, which would freeze my family plan until I started paying for everything myself.

Still bet most people are just going to write down some bullshit on a PostIt note stuck under their keyboards or something.

Jan 21, 2023 17:50
|
We're still trying to focus on password length and complexity like it's a worthwhile venture.

Jan 21, 2023 18:16
|
1Password has Watchtower, which is neat: https://watchtower.1password.com/ Not sure if Bitwarden has an equivalent.

Jan 21, 2023 18:20
|
Takes No Damage posted:Huh, my office just gave us all business 1Password accounts with the option to link to a personal account and 4 invites to a family plan. Probably a good thing since they also just bumped our minimum password length from 8 to 15. I'm already pretty much moved over to Bitwarden, but only a free account so far. Is there anything 1P does in paid features that is particularly awesome or unique to them? My only hesitation is that I don't want to get my whole family over on premium 1Password and then either I leave my current job or they just cancel their business plan, which would freeze my family plan until I started paying for everything myself.

SSH agent
Mobile Safari extension that's almost identical to the 1Password browser extension for desktop
Better UI IMO

Jan 21, 2023 18:24

Sickening posted:We're still trying to focus on password length and complexity like it's a worthwhile venture. The five passwords you should have memorized (for FDE, offline offsite backup FDE, password store, and your username and system passwords) should all be passphrase-protected keyfiles with arbitrary length based on how fast the CPU can generate a number of iterations each time the key is regenerated.

Jan 21, 2023 18:29
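The scheme the post above sketches, as an added example that is not code from the poster or from any password manager: the key is never written down; a keyfile holds only a salt, an iteration count calibrated to how long this CPU takes, and a check value, and the key is regenerated from the passphrase on every unlock. PBKDF2-HMAC-SHA256 and the 600,000-iteration floor (the OWASP recommendation for that KDF) are my choices, not the post's.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Floor on the iteration count regardless of how fast the calibration run was
# (the current OWASP recommendation for PBKDF2-HMAC-SHA256; my choice, not the post's).
MIN_ITERATIONS = 600_000
VERIFIER_LABEL = b"keyfile-verifier"


def derive_key(passphrase: str, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """Regenerate the key from the passphrase; nothing about the key itself is stored."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=length)


def calibrate_iterations(target_seconds: float = 1.0, probe_iterations: int = 20_000) -> int:
    """Time a short probe on this CPU and scale it so one unlock takes about target_seconds."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"calibration-probe", os.urandom(16), probe_iterations, dklen=32)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(int(probe_iterations * target_seconds / elapsed), MIN_ITERATIONS)


def create_keyfile(passphrase: str, iterations: Optional[int] = None) -> dict:
    """Build a keyfile record: salt, iteration count and a check value, but never the key."""
    salt = os.urandom(16)
    if iterations is None:
        iterations = calibrate_iterations()
    key = derive_key(passphrase, salt, iterations)
    # HMAC over a fixed label lets unlock() detect a wrong passphrase. It also means anyone holding
    # the keyfile can test guesses offline, which is exactly what the iteration count defends against.
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").hexdigest()
    return {"kdf": "pbkdf2-hmac-sha256", "salt": salt.hex(), "iterations": iterations, "verifier": verifier}


def unlock(keyfile: dict, passphrase: str) -> Optional[bytes]:
    """Regenerate the key and return it, or None when the passphrase does not match."""
    key = derive_key(passphrase, bytes.fromhex(keyfile["salt"]), keyfile["iterations"])
    check = hmac.new(key, VERIFIER_LABEL, "sha256").hexdigest()
    return key if hmac.compare_digest(check, keyfile["verifier"]) else None


def needs_recalibration(keyfile: dict, target_seconds: float = 1.0) -> bool:
    """True when this CPU could now afford at least twice the stored count (hardware got faster)."""
    return calibrate_iterations(target_seconds) >= 2 * keyfile["iterations"]
```

Re-running needs_recalibration on each unlock is how the "based on how fast the CPU can generate" part stays true over time: when it returns True, create a fresh keyfile with the higher count.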
|
Sickening posted:We're still trying to focus on password length and complexity like it's a worthwhile venture. Ironically this is after nearly everyone including CISA, NIST, and Microsoft have said: It's all about length, and to that end passphrases, and password expiration is stupid and pointless and only encourages worse passwords.

Jan 21, 2023 18:48
|
CommieGIR posted:Ironically this is after nearly everyone including CISA, NIST, and Microsoft have said: It's all about length, and to that end passphrases, and password expiration is stupid and pointless and only encourages worse passwords. I seem to recall that a couple things (health data regulation audits maybe?) still mandate password complexity. Yes, they need to update their understanding of mathematics.

Jan 21, 2023 19:05
|
Ynglaur posted:I seem to recall that a couple things (health data regulation audits maybe?) still mandate password complexity. Yes, they need to update their understanding of mathematics. Yeah PCI does as well, although I haven't seen any good reason for them to demand it. I think they just haven't updated their guidance yet.
|
Jan 21, 2023 19:17
|
IIRC PCI 4.0 won’t any more.
|
Jan 21, 2023 19:17
|
Subjunctive posted:IIRC PCI 4.0 won't any more. Yeah, I do remember reading over 4.0 and they did change it, but IIRC it's still awaiting final approval and adoption.

Jan 21, 2023 19:20