Nalin
Sep 28, 2007

Hair Elf

BlankSystemDaemon posted:

And at least KeePass does it right, because it requires you to interact with it, instead of just filling it in automatically.

It's actually configurable. You can have it do nothing, fill it in, or fill it in and submit.

Famethrowa
Oct 5, 2012

I think some people on something awful need to get 1pass

BaseballPCHiker
Jan 16, 2006

I never thought I'd be a compliance person, but here I am studying up for a PCI certification...

I have to say compared to some other compliance regulations it seems pretty well spelled out and descriptive.

Inept
Jul 8, 2003

BaseballPCHiker posted:

I never thought I'd be a compliance person, but here I am studying up for a PCI certification...

I have to say compared to some other compliance regulations it seems pretty well spelled out and descriptive.

card brands don't like losing money

It's generally nice that it's specific, until you hit some case where their language makes your existing solution a pain in the rear end. I know some people struggled with dated language with modern stuff like Kubernetes. At least with PCI 4.0 they introduced the customized approach instead of having to fill out a compensating controls worksheet for every single control where you're doing something different than the DSS spells out.

BaseballPCHiker
Jan 16, 2006

I just kept getting brought into meetings with teams saying we want to do XYZ for PCI, and I'd have no idea if it was actually necessary or not or if they were totally misunderstanding some regulation or listening to a dumb auditor. This all came to a head when an auditor told someone in my org that we had to disallow copy/paste on all systems in scope for PCI....

I for sure don't want to work in compliance, but it's a big part of the industry and I can't seem to totally ignore it anymore.

Sickening
Jul 15, 2007

Black summer was the best summer.
Nobody wants to work in compliance. It's often a place of exile.

Thanks Ants
May 21, 2004

#essereFerrari


I had someone tell me that the EU were mandating EDR and it turns out they'd seen an article talking about Event Data Recorders in vehicles and were trying it on in a sales pitch about some endpoint security software.

Defenestrategy
Oct 24, 2010

Sickening posted:

Nobody wants to work in compliance. It's often a place of exile.

I'd believe it. We've been prepping to get our ducks in a row for CMMC, and I've hated every moment of it.

BaseballPCHiker
Jan 16, 2006

Sickening posted:

Nobody wants to work in compliance. It's often a place of exile.

That tracks with my org somewhat. The people who couldn't hack it in technical roles but who we still liked all ended up in compliance.

Rescue Toaster
Mar 13, 2003

BaseballPCHiker posted:

This all came to a head when an auditor told someone in my org that we had to disallow copy/paste on all systems in scope for PCI....

I don't remember what regulation they were quoting, but I worked for a place where IT said the failed password attempt lockout couldn't ever reset on success. So if you typed your password wrong three times, your account would be locked. Even if those three times were months apart. At a place that operated 24/7 and IT only worked day shift during the week.
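The lockout policy described in the post above (a failure counter that never resets and a lock that only IT can clear) next to the policy most guidance actually expects, as an added example. This is not code from the poster's employer or from any standard; the thresholds (three failures, 15-minute window, 30-minute automatic unlock) are illustrative assumptions, and the user names and timestamps are constructed.

```python
"""Account lockout: 'counter never resets' versus a sliding window that resets on success.

Added example with assumed thresholds; the 'never resets' policy is the one the post describes.
"""
from collections import deque
from dataclasses import dataclass

DAY = 86400.0


@dataclass
class LockoutPolicy:
    max_failures: int = 3
    window_seconds: float = 15 * 60    # failures older than this are forgotten
    lockout_seconds: float = 30 * 60   # lock expires on its own; inf = manual unlock only
    reset_on_success: bool = True      # a correct password clears the failure count


# The policy from the post: every failure counts forever and only IT can unlock.
NEVER_RESETS = LockoutPolicy(window_seconds=float("inf"),
                             lockout_seconds=float("inf"),
                             reset_on_success=False)
# Assumed sane policy: window + auto-expiry + reset on success.
SANE = LockoutPolicy()


class AccountLockout:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self._failures = {}      # user -> deque of failure timestamps
        self._locked_until = {}  # user -> time the lock expires

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:                       # lock aged out: forget it and the old failures
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Returns 'ok', 'denied' or 'locked'.

        A locked account answers 'locked' whether or not the password was right,
        so the lock never becomes an oracle for the password itself.
        """
        if self.is_locked(user, now):
            return "locked"
        q = self._failures.setdefault(user, deque())
        while q and now - q[0] > self.policy.window_seconds:   # drop failures outside the window
            q.popleft()
        if password_ok:
            if self.policy.reset_on_success:
                q.clear()
            return "ok"
        q.append(now)
        if len(q) >= self.policy.max_failures:
            self._locked_until[user] = now + self.policy.lockout_seconds
            return "locked"
        return "denied"


def typo_once_a_month(policy: LockoutPolicy) -> list:
    """One mistyped password, then the right one, on three nights a month apart (constructed)."""
    lock = AccountLockout(policy)
    out = []
    for day in (0, 30, 60):
        t = day * DAY
        out.append(lock.attempt("nightshift", False, t))
        out.append(lock.attempt("nightshift", True, t + 5))
    return out


def burst(policy: LockoutPolicy) -> list:
    """Three wrong passwords in 20 s, the right one straight after, the right one after expiry."""
    lock = AccountLockout(policy)
    out = [lock.attempt("alice", False, t) for t in (0, 10, 20)]
    out.append(lock.attempt("alice", True, 30))
    out.append(lock.attempt("alice", True, 30 + policy.lockout_seconds))
    return out


if __name__ == "__main__":
    print("never resets:", typo_once_a_month(NEVER_RESETS))
    print("sane policy :", typo_once_a_month(SANE))
    print("sane, burst :", burst(SANE))
```

Under the "never resets" policy the third typo, two months after the first, locks the account and the correct password typed five seconds later is refused; under the windowed policy the same sequence never locks, while a genuine burst of failures still does, and the lock clears itself without a ticket to a day-shift IT desk.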

BonHair
Apr 28, 2007

I came into the infosec business via compliance, and I still kinda like it and will go back to it eventually when I'm done being a product owner for a GRC tool. I'm not really technical though, and got into this career because the entire country suddenly needed anyone who could spell GDPR in five tries.

flakeloaf
Feb 26, 2003

Still better than android clock

Compliance is my whole thing but I use my powers for good, to dig through the morass of things that say no, to get my boss to a yes without using silver bullets.

It's entertaining even if it can be mind numbing at times.

Tryzzub
Jan 1, 2007

Mudslide Experiment

BaseballPCHiker posted:

I just kept getting brought into meetings with teams saying we want to do XYZ for PCI, and I'd have no idea if it was actually necessary or not or if they were totally misunderstanding some regulation or listening to a dumb auditor. This all came to a head when an auditor told someone in my org that we had to disallow copy/paste on all systems in scope for PCI....

I for sure dont want to work in compliance, but its a big part of the industry and I cant seem to totally ignore it anymore.

Likely in reference to this?

Requirement 3.4.2: When using remote access technologies, technical controls prevent copy and/or relocation of PAN for all personnel, except for those with documented, explicit authorization and a legitimate, defined business need.

If you are starting from scratch and do not know, I would say first understand your PCI type and level, which will drive which requirements you need to implement.

Thereafter work like hell to be SAQ A, unless you are a service provider, in which case work like hell to descope as much as possible.

Securitymetrics published a fairly usable guide to help with understanding the whole ordeal: https://www.securitymetrics.com/lp/pci/pci-guide

I am currently stuck in PCI hell, please send help

BonHair
Apr 28, 2007

Yeah, step one of compliance should always be "what do we actually need?", followed by "what's the first step to actually getting there in a realistic way?". Way too many people start at maximum everything, to be implemented in 6 months. Without bothering anyone else. Both tech and legal types in compliance tend to forget to look at the big picture and context.
Also start by figuring out what you're actually doing in your business and then what kind of IT you are using for it. This can often take a year to get straight.

Sickening
Jul 15, 2007

Black summer was the best summer.
Compliance in companies comes with some problems. The people you need to do it right are probably wanting to do cooler work. The responsibility and accountability being asked to be accepted by the team is usually completely opposite of the agency they have. Winning is just status quo and losing is a giant death sentence too often.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

at my previous job the company sold SOC/PCI/etc escrow/proxy services that tokenized and detokenized stuff between buyers and payment processors and merchants, for places like Wayfair and McDonalds; compliance scope reduction as a service, if you will. they were also working on a compliance sort of tool like Vanta, and that tool was to be nicely integrated into the management surfaces so all the evidence was automatically generated and monitored, meaning that our customer would find out that someone had moved out of the compliance posture approximately when it happened, rather than while they were scrambling to get the evidence together for their auditor at renewal. (mostly the idea was that we would prevent things from ending up out of posture, but there were some things that only became an issue with hindsight, IIRC)

while I was there the CSO reported to me, so I got to learn a lot more about the practical elements of compliance management and attestation for the first time, and the biggest things I learned were

  • that sort of tool could really be a huge help to a lot of small-to-mid businesses, and maybe even bigger
  • building your own PCI-scope facility is a resort of last choice, and even the obvious costs of doing it (staff and compute resources and auditor liaison, ignore engineer interruptions and additional overall system complexity!) are a lot
  • I never want to be in that business again, I'm pretty sure

also, if you're going to be in that game, it's easier on your sales team if 95% of your engineering staff aren't in Ukraine, even before the war

Zorak of Michigan
Jun 10, 2006

BonHair posted:

Yeah, step one of compliance should always be "what do we actually need?", followed by "what's the first step to actually getting there in a realistic way?". Way too many people start at maximum everything, to be implemented in 6 months. Without bothering anyone else. Both tech and legal types in compliance tend to forget to look at the big picture and context.
Also start by figuring out what you're actually doing in your business and then what kind of IT you are using for it. This can often take a year to get straight.

One of my favorite sections of The Phoenix Project is the one where the new CTO, who is basically an avatar of IT competence, tells the security guy who's convinced he's the lone prophet of IT best practice that most of his pushes for better security are completely irrelevant, and walks him through all the non-IT controls that make the security guy's cherished worst case scenarios impossible. I started out feeling bad for the poor security guy, so seeing him yanked up short like that was also an eye-opener for me.

BlankSystemDaemon
Mar 13, 2009

BonHair posted:

Yeah, step one of compliance should always be "what do we actually need?", followed by "what's the first step to actually getting there in a realistic way?". Way too many people start at maximum everything, to be implemented in 6 months. Without bothering anyone else. Both tech and legal types in compliance tend to forget to look at the big picture and context.
Also start by figuring out what you're actually doing in your business and then what kind of IT you are using for it. This can often take a year to get straight.

Along these lines, one of the folks responsible for 3-D Secure (a multi-factor auth for credit cards, used in Scandinavia among other places) explores this in some detail here:
https://www.youtube.com/watch?v=I2rhwnY6Bg4

I Miss Snausages
Mar 8, 2005
Volvorific!

Rescue Toaster posted:

I'm dealing with a lovely device that has ancient HTTPS and modern firefox is officially reporting "gently caress You" when connecting to it.

An old Firefox 88 says the device uses TLS 1.0, TLS_RSA_WITH_3DES_EDE_CBC_SHA 112Bit. Which, yeah... But old Firefox could connect with the about:config TLS deprecated setting on. The cert is RSA 1024.
Modern Firefox version 100+ refuses outright regardless of settings, I'm assuming everything has been compiled out. openssl won't even handshake enough to report literally anything even with -security_debug_verbose switch.

The device's management interface is already on a VLAN, but even then I question going to http. Or maybe these algorithms are so absolutely pathetic these days that it's effectively no effort compared to http.

Is there some setting in modern firefox or chromium I'm missing? Building my own version of something? A VM with an old version of firefox that only connects to that VLAN and never gets updated forever?

This is why I have a Win7 VM with IE 11 and a bunch of old USB-stick non-install versions of Chrome and Firefox. Comes in real handy when working with medical stuff.

Shumagorath
Jun 5, 2001

I Miss Snausages posted:

Comes in real handy when working with medical stuff.
:gonk:

Bald Stalin
Jul 11, 2004

Our posts
Studying Security+ after 15 years in IT Ops/Infra and it's very cool.

"Oh THAT'S what that's called"

"Oh THAT'S why we did that"

"Oh THAT'S what my boss told us to do incorrectly with massive risk"

Caconym
Feb 12, 2013

This is slowly getting better with more wireless stuff like Bluetooth sensors and such. Much of the outdated stuff is because of stringent regulations of "electromedical" devices, that is, stuff connected to the mains on one side, and to a patient on the other. Certifying that gear is expensive as gently caress, so once a hardware configuration is certified it will be static for the lifetime of the device, and not be compatible with newer OSes and such. But with Bluetooth you can air gap the patient from the mains, and thus run the software on newer devices with less hassle while the patient sensors run on batteries.

Cannon_Fodder
Jul 17, 2007

"Hey, where did Steve go?"
Design by Kamoc

Sickening posted:

Nobody wants to work in compliance. It’s often a place of exile.

:tif:

I feel seen.

mekyabetsu
Dec 17, 2018

This might be more appropriate for a mobile phone thread, but it's also security related. I've heard that it's a good idea to disable wifi when you're away from home, because big box stores like Walmart have their own APs setup to log hotspot scans from mobile devices. Who knows what that data is used for, but presumably, over time, companies could use it to figure out that I buy frozen pizza and lube every other Friday.

Is disabling wifi on mobile devices when you leave home still sound advice if you're paranoid and/or privacy-minded? On iOS, I have an option in the control center to "disconnect nearby wifi until tomorrow." Is that sufficient, or should wifi actually be disabled in the settings? Or is this all a bunch of nonsense?

Shumagorath
Jun 5, 2001

Windows Phone had location-aware Wi-Fi toggles; maybe iOS has the same? Either way I spent a good thirty seconds wondering how the lube and pizza go together so I dunno what Walmart's going to infer without more spending than your ad tracking brings in.

vanity slug
Jul 20, 2010

iOS uses random MAC addresses when scanning for Wi-Fi networks

mekyabetsu
Dec 17, 2018

vanity slug posted:

iOS uses random MAC addresses when scanning for Wi-Fi networks

I know that iOS has the private MAC address option, but does that kind of tracking use MAC addresses? I recall reading somewhere that it could also use SSIDs, so that if your home network's SSID is "ABC" an AP that is collecting data would log when a phone entered the area and scanned for "ABC". Do phones even send out SSID names when they scan for wifi?

Shumagorath posted:

Windows Phone had location-aware Wi-Fi toggles; maybe iOS has the same? Either way I spent a good thirty seconds wondering how the lube and pizza go together so I dunno what Walmart's going to infer without more spending than your ad tracking brings in.

Yeah, I don't really think Target or Aldi care that much about the pittance that my broke rear end spends on groceries, but I'm also sure that they'd love to send me mailers targeting my specific behavior and spending habits if they could do it cheaply.

mekyabetsu fucked around with this message at 14:15 on Mar 3, 2024

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

mekyabetsu posted:

I know that iOS has the private MAC address option, but does that kind of tracking use MAC addresses? I recall reading somewhere that it could also use SSIDs, so that if your home network's SSID is "ABC" an AP that is collecting data would log when a phone entered the area and scanned for "ABC". Do phones even send out SSID names when they scan for wifi?

No, they don't. You might not be reading very reliable things.

mekyabetsu
Dec 17, 2018

Subjunctive posted:

No, they don't. You might not be reading very reliable things.

Or I just made it up in my head, which is equally likely. Thanks for the education. I really do appreciate it. :)

flakeloaf
Feb 26, 2003

Still better than android clock

Subjunctive posted:

No, they don't. You might not be reading very reliable things.

They did a decade or so ago (one of our demos used an SDR to de-anonymize phones by doing exactly that) but I haven't checked on it recently. If you're organized enough to do that, though, you can just set up an imsi catcher. Walmart is probably not doing that, and anyone who is isn't interested in you.

e: an article on probe requests https://blog.spacehuhn.com/probe-request

flakeloaf fucked around with this message at 14:25 on Mar 3, 2024

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

flakeloaf posted:

They did a decade or so ago (one of our demos used an SDR to de-anonymize phones by doing exactly that) but I haven't checked on it recently. If you're organized enough to do that, though, you can just set up an imsi catcher. Walmart is probably not doing that, and anyone who is isn't interested in you.

are you talking about connecting to unadvertised SSIDs? I don't recall anything in the WiFi scanning protocol that has an SSID outbound from the scanning device

E: I forgot about directed probes, of course. I thought they were only used for connecting to unadvertised SSIDs, but that could be incorrect!

Subjunctive fucked around with this message at 14:29 on Mar 3, 2024

flakeloaf
Feb 26, 2003

Still better than android clock

Subjunctive posted:

are you talking about connecting to unadvertised SSIDs? I don't recall anything in the WiFi scanning protocol that has an SSID outbound from the scanning device

I imagine that's how it worked, yeah; the phone was sending out probe requests for its familiar but un-advertised networks and my device (with the manual I didn't read, about the spec I also did not read) picked 'em up so I could see things like MARRIOTT 346 from among the consenting few who'd left their phones on.

Not to alarm you or anything mekyabetsu, these are not things ordinary users need to concern themselves with. Anyone doing this knows what they're doing is wrong.

SlowBloke
Aug 14, 2017

iOS won't use its native MAC by default but it will keep using the same generated MAC on a previously joined SSID, which, if joined with a user-specific password or a user-bound session out of a captive portal, could be used by the infrastructure owner to track customers. Yes, I know this is deep tinfoil territory but it's still a weakness of the system.

RFC2324
Jun 7, 2012

http 418

Need a combo of :munch: and :tinfoil:

apseudonym
Feb 25, 2011

mekyabetsu posted:

This might be more appropriate for a mobile phone thread, but it's also security related. I've heard that it's a good idea to disable wifi when you're away from home, because big box stores like Walmart have their own APs setup to log hotspot scans from mobile devices. Who knows what that data is used for, but presumably, over time, companies could use it to figure out that I buy frozen pizza and lube every other Friday.

Is disabling wifi on mobile devices when you leave home still sound advice if you're paranoid and/or privacy-minded? On iOS, I have an option in the control center to "disconnect nearby wifi until tomorrow." Is that sufficient, or should wifi actually be disabled in the settings? Or is this all a bunch of nonsense?

No, this hasn't been a thing for a long time with MAC randomization.

Some APs could be broadcast in scans but people really misinterpreted how that worked. The only APs that were ever broadcast by your phone were for networks with hidden APs (which are dumb and you probably don't have any saved, and if you do -- don't).
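What the last several posts are arguing about (whether a scanning phone sends SSIDs, and what MAC randomization does and does not hide) can be shown on the wire format itself. The parser below is an added example, not code from any poster: it decodes the 802.11 probe request management frame, separates a wildcard probe (empty SSID element) from a directed probe (the SSID of a saved network, which is what hidden-network configurations cause phones to send), and checks the locally-administered bit that a randomized MAC sets. The frames and MAC addresses are constructed inline, not captured; getting real frames would need a monitor-mode interface and is not shown here.

```python
"""Decode 802.11 probe requests: wildcard vs directed SSID, randomized vs burned-in MAC.

Added example with constructed frames (no radiotap header, no FCS).
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SSID_ELEMENT_ID = 0
SUPPORTED_RATES_ID = 1
BROADCAST = b"\xff" * 6


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def is_randomized_mac(mac: bytes) -> bool:
    """Unicast address with the locally-administered bit set (bit 1 of the first octet).

    iOS and Android set this bit on the random addresses they use for scanning; a
    manufacturer-assigned (burned-in) address has it clear.
    """
    return bool(mac[0] & 0x02) and not (mac[0] & 0x01)


@dataclass
class ProbeRequest:
    source: str
    ssid: str                       # "" is a wildcard probe: "anyone out there?"

    @property
    def directed(self) -> bool:     # a directed probe names a specific saved network
        return self.ssid != ""


def _is_probe_request(fc0: int) -> bool:
    version = fc0 & 0x03
    ftype = (fc0 >> 2) & 0x03       # 0 = management
    subtype = fc0 >> 4              # 4 = probe request
    return version == 0 and ftype == 0 and subtype == 4


def build_probe_request(sa: bytes, ssid: str = "", seq: int = 0) -> bytes:
    """Construct a minimal probe request (test data only)."""
    header = (bytes([0x40, 0x00])           # frame control: management / probe request
              + struct.pack("<H", 0)        # duration
              + BROADCAST + sa + BROADCAST  # DA, SA, BSSID
              + struct.pack("<H", seq << 4))
    ssid_bytes = ssid.encode()
    body = bytes([SSID_ELEMENT_ID, len(ssid_bytes)]) + ssid_bytes
    body += bytes([SUPPORTED_RATES_ID, 4, 0x82, 0x84, 0x8B, 0x96])
    return header + body


def parse_probe_request(frame: bytes) -> Optional[ProbeRequest]:
    """Return the sender and requested SSID, or None if this is not a well-formed probe request."""
    if len(frame) < 24 or not _is_probe_request(frame[0]):
        return None
    sa = frame[10:16]
    body = frame[24:]
    ssid = None
    i = 0
    while i + 2 <= len(body):                 # walk the tagged parameters: id, len, data
        eid, elen = body[i], body[i + 1]
        data = body[i + 2:i + 2 + elen]
        if len(data) != elen:
            return None                       # truncated element: reject rather than guess
        if eid == SSID_ELEMENT_ID and ssid is None:
            ssid = data.decode("utf-8", errors="replace")
        i += 2 + elen
    if ssid is None:
        return None                           # the SSID element is mandatory in a probe request
    return ProbeRequest(source=mac_str(sa), ssid=ssid)


def leaked_networks(frames: List[bytes]) -> Dict[str, Set[str]]:
    """Sender address -> SSIDs it named in directed probes (what a logging AP would record)."""
    out: Dict[str, Set[str]] = {}
    for f in frames:
        p = parse_probe_request(f)
        if p and p.directed:
            out.setdefault(p.source, set()).add(p.ssid)
    return out


# Constructed sample traffic (addresses are made up, not real vendor OUIs):
RANDOM_MAC = bytes.fromhex("4e1a2b3c4d5e")    # 0x4e has the locally-administered bit set
FIXED_MAC = bytes.fromhex("001122334455")     # looks like a burned-in address
SAMPLE_FRAMES = [
    build_probe_request(RANDOM_MAC),                   # wildcard probe, randomized MAC
    build_probe_request(FIXED_MAC, "MARRIOTT 346"),    # directed probe, stable MAC
    build_probe_request(RANDOM_MAC, "HomeNet"),        # directed probe, randomized MAC
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        p = parse_probe_request(f)
        print(p.source, "randomized" if is_randomized_mac(bytes.fromhex(p.source.replace(":", ""))) else "fixed",
              repr(p.ssid) if p.directed else "<wildcard>")
    print(leaked_networks(SAMPLE_FRAMES))
```

Two things fall out of running it. A wildcard probe carries no SSID at all, so a phone that only sends those gives a logging AP nothing but an address, and with randomization that address is disposable. A directed probe names the saved network in cleartext regardless of whether the MAC is randomized, which is why the thread's advice to not keep hidden networks saved holds; and, as SlowBloke's post notes, a random address that stays the same for one network can still be correlated by the owner of that network.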

BonHair
Apr 28, 2007

Considering the store also has video recordings of your face while you sample the lube in aisle 5, you don't need to worry. Even if they have your mac address, that basically only tells them that the same guy keeps coming in every Friday, they presumably don't have anything to link it to. Unless of course you allow Google to track your location, in which case why are you not worried about that way more?
