Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us $3,400 per month for bandwidth bills alone, and since we don't believe in shoving popup ads to our registered users, we try to make the money back through forum registrations.
«263 »
  • Post
  • Reply
The Iron Rose
May 12, 2012

Cat Army


Axe-man posted:

I just come here to watch what you all do behind the closed doors at the other side of the server room.

it's this

CyberPingu posted:

Watch us Google whatever we are asked?


E: what a lovely snipe

After 10 months of complaining about it I'm finally getting the goahead to update our on prem virtualization environment, firewalls and ASAs. Say no to RCE CVEs from 2018!

The Iron Rose fucked around with this message at 19:38 on Jun 25, 2020

Adbot
ADBOT LOVES YOU

Subjunctive
Sep 12, 2006

careful now


Cybernetic Crumb

The Iron Rose posted:

After 10 months of complaining about it I'm finally getting the goahead to update our on prem virtualization environment, firewalls and ASAs. Say no to RCE CVEs from 2018!

Enjoy being the default scapegoat for any anomaly in the next few months.

Potato Salad
Oct 23, 2014

Nobody Cares




Tortured By Flan

The Iron Rose posted:

it's this



E: what a lovely snipe

After 10 months of complaining about it I'm finally getting the goahead to update our on prem virtualization environment, firewalls and ASAs. Say no to RCE CVEs from 2018!

congratulations, each one of those is going to have 8.0+ CVEs by Christmas.

all of your edge devices will have anonymous, unlogged RCEs

Potato Salad
Oct 23, 2014

Nobody Cares




Tortured By Flan

to secure your environment, you need to get one of these

Only registered members can see post attachments!

xtal
Jan 9, 2011



Get down Mr. Trotsky!

Axe-man
Apr 16, 2005

The product of hundreds of hours of scientific investigation and research.

The perfect meatball.


Clapping Larry

Subjunctive posted:

Enjoy being the default scapegoat for any anomaly in the next few months.

Don't worry soon they will have a container for that soon.

CyberPingu
Sep 15, 2013

Ready To Ruck!





Love when your av vendor uses terms like "expect decreased functionality"...

Schadenboner
Aug 15, 2011

I MEAN, TURN OFF YOURE MONITOR, MIGTH EXPLAIN YOUR BAD POSTS, HOPE THIS HELPS?!

CyberPingu posted:

Love when your av vendor uses terms like "expect decreased functionality"...



I mean, I don't really know what show it's a still from so he might have a point?

Subjunctive
Sep 12, 2006

careful now


Cybernetic Crumb

CyberPingu posted:

Love when your av vendor uses terms like "expect decreased functionality"...

Given that the best vendor-sourced AV is that which does nothing, unironically this.

CyberPingu
Sep 15, 2013

Ready To Ruck!





I'd be fine if they meant "stops throwing false positives at every single program".

But I have totally lost faith in this company so far.

The Iron Rose
May 12, 2012

Cat Army


Cylance is the worst, and their reporting is godawful.

CyberPingu
Sep 15, 2013

Ready To Ruck!





The Iron Rose posted:

Cylance is the worst, and their reporting is godawful.

They also don't start working on new OS support until it's fully released.
Saying and I quote "We don't get access to early OS builds from Apple"

Bullshit.

Absurd Alhazred
Mar 27, 2010

I'm the babyliberal, gotta love me!


CyberPingu posted:

They also don't start working on new OS support until it's fully released.
Saying and I quote "We don't get access to early OS builds from Apple"

Bullshit.

Is their motto "We like to hit the ground running"?

CyberPingu
Sep 15, 2013

Ready To Ruck!





Absurd Alhazred posted:

Is their motto "We like to hit the ground running"?

"We like losing customers at a steady pace each year"


"Also our whitelists are more of a suggestion and we will still block things that are on your whitelist"

Arivia
Mar 17, 2011


Thanks for the advice everyone. The Zoom web client was a little janky, but it seemed to work for what I needed it to do and hopefully didn't leave too much poo poo on my actual system.

D. Ebdrup
Mar 13, 2009



Absurd Alhazred posted:

Is their motto "We like to hit the ground running"?
Maybe they think it'll be friends.

The Iron Rose
May 12, 2012

Cat Army


Arivia posted:

Thanks for the advice everyone. The Zoom web client was a little janky, but it seemed to work for what I needed it to do and hopefully didn't leave too much poo poo on my actual system.

What exactly do you think running it in a web browser might have left on your system? Specifically I mean, excluding cookies and access tokens. Do you really think that it maliciously breached your browser’s sandbox and left malware on your machine?


Caution is good! But think of the data flow, and recognize where your fears and concerns are rational, and where they may be less so.

keseph
Oct 21, 2010

beep bawk boop bawk


The Iron Rose posted:

What exactly do you think running it in a web browser might have left on your system? Specifically I mean, excluding cookies and access tokens. Do you really think that it maliciously breached your browser’s sandbox and left malware on your machine?


Caution is good! But think of the data flow, and recognize where your fears and concerns are rational, and where they may be less so.

It is only very recently that "join a meeting from your browser" meant anything other than "install a horribly hosed up browser extension that installs a permanent service that doesn't auto update". And for anyone who isn't on the latest versions of everything involved, it may still mean exactly that.

Arivia
Mar 17, 2011


keseph posted:

It is only very recently that "join a meeting from your browser" meant anything other than "install a horribly hosed up browser extension that installs a permanent service that doesn't auto update". And for anyone who isn't on the latest versions of everything involved, it may still mean exactly that.

Yeah, most things I wouldn't worry about too much, but Zoom was known for breaking security models in and out of browsers even just by clicking on web links. My original post in this thread mentioned a stub application that got installed by clicking on a Zoom link awhile back.

The Iron Rose
May 12, 2012

Cat Army


Arivia posted:

Yeah, most things I wouldn't worry about too much, but Zoom was known for breaking security models in and out of browsers even just by clicking on web links. My original post in this thread mentioned a stub application that got installed by clicking on a Zoom link awhile back.

I actually missed that and made a bad assumption, so I need to walk back my earlier post. Your concerns are entirely valid and legitimate, mea culpa.

Arivia
Mar 17, 2011


The Iron Rose posted:

I actually missed that and made a bad assumption, so I need to walk back my earlier post. Your concerns are entirely valid and legitimate, mea culpa.

Apology accepted, no worries. It's a reasonable criticism for the vast majority of web client concerns.

Pablo Bluth
Sep 7, 2007

I've made a huge mistake.


I don't think I'll be installing Tiktok (not that I had any desire to)
https://www.boredpanda.com/tik-tok-...ion-collecting/
https://arstechnica.com/gadgets/202...clipboard-data/

CyberPingu
Sep 15, 2013

Ready To Ruck!





That was the last surprising news since Facebook said they didn't very political ads

rafikki
Mar 8, 2008

I see what you did there. (It's pretty easy, since ducks have a field of vision spanning 340 degrees.)

~SMcD

FYI if you have Palo Altos configured to use SAML authentication - https://security.paloaltonetworks.com/CVE-2020-2021

CLAM DOWN
Feb 13, 2007


RICKARUS

It's Moot baby!




rafikki posted:

FYI if you have Palo Altos configured to use SAML authentication - https://security.paloaltonetworks.com/CVE-2020-2021

Youch, that's a good one.

Martytoof
Feb 25, 2003

 
 


I’m sure most orgs will throw that on the bi-annual patch schedule right away.

Sarern
Nov 4, 2008


Won't you take me to
Bomertown?
Won't you take me to
BONERTOWN?



Martytoof posted:

I’m sure most orgs will throw that on the biennial patch schedule right away.

E: can't spell

Arivia
Mar 17, 2011


My bus card’s website just updated and made everyone change their passwords. My new randomly generated password was too long, contained numbers, and contained more than one kind of special character, all of which had to be “fixed” for the website to accept it.

CommieGIR
Aug 22, 2006

If Godzilla can do it, you know I can deliver!

Pillbug

Arivia posted:

My bus card’s website just updated and made everyone change their passwords. My new randomly generated password was too long, contained numbers, and contained more than one kind of special character, all of which had to be “fixed” for the website to accept it.

Lmao, sounds like its being written straight to a DB.

evil_bunnY
Apr 2, 2003



rafikki posted:

FYI if you have Palo Altos configured to use SAML authentication - https://security.paloaltonetworks.com/CVE-2020-2021
LMAO that's a doozie

Arivia
Mar 17, 2011


CommieGIR posted:

Lmao, sounds like its being written straight to a DB.

Based off of the way the form acted, I believe you’re correct. Wouldn’t surprise me if it’s stored in plaintext.

CommieGIR
Aug 22, 2006

If Godzilla can do it, you know I can deliver!

Pillbug

Arivia posted:

Based off of the way the form acted, I believe you’re correct. Wouldn’t surprise me if it’s stored in plaintext.

Almost guaranteed. Might even be able to see some of the SQL if you dig deep enough into the page front.

klosterdev
Oct 10, 2006

Na na na na na na na na Batman!


quote:

In all, the researchers found the following iOS apps were reading users’ clipboard data every time the app was opened with no clear reason for doing so:
...
AliExpress Shopping App — com.alibaba.iAliexpress

Blinkz0rz
May 27, 2001

MY CONTEMPT FOR MY OWN EMPLOYEES IS ONLY MATCHED BY MY LOVE FOR TOM BRADY'S SWEATY MAGA BALLS


rafikki posted:

FYI if you have Palo Altos configured to use SAML authentication - https://security.paloaltonetworks.com/CVE-2020-2021

This is so loving dumb

Like how the gently caress does Palo Alto not give you the ability to explicitly trust a self-signed cert rather than just blanket not validate at all.

Blinkz0rz
May 27, 2001

MY CONTEMPT FOR MY OWN EMPLOYEES IS ONLY MATCHED BY MY LOVE FOR TOM BRADY'S SWEATY MAGA BALLS


Also how is this a 10

https://twitter.com/tylerthecreator...670822264307712

except sub "just walk away from the screen" with "just disable SAML auth"

The Fool
Oct 16, 2003



Blinkz0rz posted:

Also how is this a 10

https://twitter.com/tylerthecreator...670822264307712

except sub "just walk away from the screen" with "just disable SAML auth"

That’s like saying “just go login with admin/admin”

Blinkz0rz
May 27, 2001

MY CONTEMPT FOR MY OWN EMPLOYEES IS ONLY MATCHED BY MY LOVE FOR TOM BRADY'S SWEATY MAGA BALLS


The Fool posted:

That’s like saying “just go login with admin/admin”

a cvss score of 10 should be reserved for critical security issues with no remediation

if you can turn the feature off it's not a critical vuln it's a choice

wolrah
May 8, 2006
what?


Blinkz0rz posted:

a cvss score of 10 should be reserved for critical security issues with no remediation

if you can turn the feature off it's not a critical vuln it's a choice
Yes, technically you can turn it off. From a practical standpoint that's likely to be more challenging, because you may or may not have any other way to provide comparable ability to log in for the people who need to get in to it.

It's like if there were a bypass in Active Directory authentication and someone's response was "well then just unbind from the domain..." Sure, it is possible for *someone* to log in locally but that is not likely to be the person/people who normally need to log in to that machine.

I mean sure, there are definitely environments out there where "just turn it off" is entirely acceptable because they don't actually need the SSO capabilities and are just using it for convenience or where people just don't need to make changes to the box regularly so it being temporarily limited to a few privileged users isn't a big deal, but there are also plenty where it's effectively mandatory for the intended workflow.

edit: As far as the specific score, they do note that it's only a 10 in a worst case scenario. They call it a 9.6 in cases where the management interface is properly locked down and that fits with my fiddling around with the CVSS calculator here: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

wolrah fucked around with this message at 23:17 on Jun 29, 2020

Sickening
Jul 15, 2007

BLack Summer was the Best Summer

I don’t think of sso as a convenience feature and haven’t for a long time.

Adbot
ADBOT LOVES YOU

droll
Jan 9, 2020

Shape shifta Time travela

I still have to educate IT middle management and project managers on that every week.

Last week I was pulled into a SaaS rollout and discovered that the vendor of the application continues to allow direct password login after you federate with SAML. The data stored in this platform was rated a 9 out of 10 on their risk analysis. The vendor DEVELOPERS response when I asked them WTF they thought SSO was for? "Well it would be a lot of work to fix this so just tell your users to only use the SSO link".

Yesterday I was doing some 1:1 requirements gathering with a business user about her request to archive documents in a shared mailbox. It was during this meeting I learned they had set up some SaaS for 10 users in her department but didn't tell us. "It's only 10 users we didn't think it was worth it".

Nobody understands the point of SSO at my company.

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply
«263 »