|
klosterdev posted:They're about to do it all over the nation if the Breonna Taylor decision is as slap-on-the-wrist as Louisville's locking down is for it to be
|
# ? Sep 24, 2020 03:16 |
|
|
# ? Apr 23, 2024 16:16 |
|
CVE-2020-1472 is causing our on-prem infra teams to poo poo themselves because they're still using NTLM and it's just *kisses fingers*
|
# ? Sep 24, 2020 22:57 |
|
CLAM DOWN posted:CVE-2020-1472 is causing our on-prem infra teams to poo poo themselves because they're still using NTLM and it's just *kisses fingers* :chefskiss:
|
# ? Sep 24, 2020 23:07 |
|
-- nvm, wrong CVE
Fame Douglas fucked around with this message at 10:15 on Sep 25, 2020 |
# ? Sep 25, 2020 00:43 |
|
I have a product team having a meeting with me tomorrow because the new product they are building is running into an issue with not being able to encrypt certain HIPAA protected information in order for their product to function correctly. I assume they are going to ask me if I am okay with not encrypting HIPAA protected patient information. I am not going to be amused if this is the case because the entire meeting could be an email and my participation is basically summed up as "no".
|
# ? Sep 25, 2020 00:51 |
|
I tend to defer those stupid "should we ignore this obvious regulatory requirement" to legal because when I say no I'm being an unhelpful business blocker, but when legal says no it's sage advice from someone who know what they're talking about.
|
# ? Sep 25, 2020 00:57 |
|
I successfully convinced a company to store passwords in the DB with bcrypt or PBKDF2 instead of SSH1
|
# ? Sep 25, 2020 01:29 |
|
Cup Runneth Over posted:I successfully convinced a company to store passwords in the DB with bcrypt or PBKDF2 instead of SSH1 Doing God's work, good goon.
|
# ? Sep 25, 2020 03:17 |
|
I got another CTF question for you guys, if anyone is versed in Google cloud. I rooted a machine which is a GCE, and the cloud environment is in scope. I found a bucket which has a googlecloudfunction.spec file in it, and the content of the file is: code:
code:
|
# ? Sep 27, 2020 16:57 |
|
I'm more of an AWS guy, but I would assume that the credentials used to deploy the function are over broad, or the credentials assumed by the function are over broad, or there's something else interesting about the function. Did you find the source of the function next to that deployment spec?
|
# ? Sep 28, 2020 00:02 |
|
You could try fuzzing the api endpoint with a wordlist to discover functionality.
|
# ? Sep 28, 2020 09:16 |
|
spankmeister posted: You could try fuzzing the api endpoint with a wordlist to discover functionality. For example: if that endpoint actually is 'bar', try throwing in 'foo'. This also works with get->set. EVIL Gibson fucked around with this message at 18:21 on Sep 28, 2020 |
# ? Sep 28, 2020 09:29 |
|
EVIL Gibson posted:for example: This seems like the genesis of an Auto-BOFH.
|
# ? Sep 28, 2020 09:34 |
|
Kazinsal posted:This seems like the genesis of an Auto-BOFH. The history of IT all leads up to the autobofh. Eventually we will automate cynicism and hostility to the point that we won't be needed
|
# ? Sep 28, 2020 16:36 |
|
Kazinsal posted:This seems like the genesis of an Auto-BOFH. I like to imagine the intern developers in that one comic with the curly tie. You know they were told to make a 'get' function to fetch some sort of information but forgot Eclipse automatically builds out everything sometimes and just also made a 'set'.
|
# ? Sep 28, 2020 18:24 |
|
https://www.nbcnews.com/tech/security/cyberattack-hits-major-u-s-hospital-system-n1241254?cid=ed_npd_bn_tw_bn Thank you for the job security UHS!
|
# ? Sep 28, 2020 19:07 |
|
Sickening posted:https://www.nbcnews.com/tech/security/cyberattack-hits-major-u-s-hospital-system-n1241254?cid=ed_npd_bn_tw_bn The only thing UHS is going to learn from this is that pure analog fax is more available than an efax solution you can't log into anymore
|
# ? Sep 28, 2020 20:33 |
|
"Don't worry, we'll just pay the ransom!"
|
# ? Sep 28, 2020 20:38 |
|
We tried to pay the ransom when we got hit but they never replied to our messages. Eventually we did manage to recover a copy of our directory but had to rebuild anyway because Domain Admin was compromised. Plus lots of user data was basically lost forever.
|
# ? Sep 28, 2020 20:44 |
|
klosterdev posted: We tried to pay the ransom when we got hit but they never replied to our messages. Yeah, paying the ransom might make recovery easier, but for the most part you are likely still compromised and still gotta find a way to rebuild from scratch. I've had two clients I've done ransomware IRs with. One had a decently segmented network so they managed to isolate and save a lot of stuff, so they didn't pay the ransom since they had good backups and an Engineering team that was on the ball with their alerts. The other did not, and really their only option was pay the ransom or fold the company. Even then, it was a couple weeks of sifting through decrypted data that included a couple backdoors/shells. They still largely got back on their feet but spent a significant amount of man hours and budget standing up a mirrored environment to move the scrubbed/decrypted data to. Their Cyber Insurance paid out, which helped a bit. CommieGIR fucked around with this message at 20:57 on Sep 28, 2020 |
# ? Sep 28, 2020 20:51 |
|
Mopp posted:I got another CTF question for you guys, if anyone is versed in Google cloud. Rhino Security has done some stuff on priv esc using cloud functions, so that may be a possible path here? https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
|
# ? Sep 28, 2020 20:57 |
I don't expect anyone in here to need convincing, but there's a security analysis of SMS as second factor authentication in ACM Queue in case you need to refer other people to it.
|
|
# ? Sep 29, 2020 14:09 |
|
Regarding WHOIS data, I can remember having been pestered years ago to make sure my data on my domain registration is correct or else... Now I'm looking up some weird-rear end domain my town is using for some business, and the WHOIS output is pretty much "REDACTED FOR PRIVACY" all over. What's that all about?
|
# ? Sep 29, 2020 15:44 |
|
Private domain registration has been around forever, most registrars offer it, some even for free. The registrar still keeps your info, but hides it from public whois lookups.
|
# ? Sep 29, 2020 15:47 |
|
It's pretty much there so private individuals can run websites without getting autodoxxed, which I think we can all agree is good.
|
# ? Sep 29, 2020 15:54 |
|
You can look up the history on a WhoIs record to see what was listed before it was locked down. A hosting company I worked for used a bot to scrape the contact info from public WhoIs records for a certain type of client and then used that info to cold call them to promote our services. This was in '01/02. I'm also pretty sure some registrars would sell the customer data to marketing companies for adverts in junk snail mail.
|
# ? Sep 29, 2020 17:23 |
|
RFC2324 posted:Its pretty much there so private individuals can run websites without getting autodoxxed, which I think we can all agree is good Unless your name is Brian Krebs, anyway.
|
# ? Sep 29, 2020 17:38 |
|
Combat Pretzel posted: Regarding WHOIS data, I can remember having been pestered years ago to make sure my data on my domain registration is correct or else... Now I'm looking up some weird-rear end domain my town is using for some business, and the WHOIS output is pretty much "REDACTED FOR PRIVACY" all over. What's that all about? They've been like this since GDPR came in in 2016. You still need to keep your details correct (and still get the email reminders), but the public whois interface is redacted now.
|
# ? Sep 29, 2020 17:49 |
|
Shout out to GDPR for killing off the whois privacy upselling market
|
# ? Sep 29, 2020 17:50 |
|
Rufus Ping posted:Shout out to GDPR for killing off the whois privacy upselling market Doesn't stop Network Solutions
|
# ? Sep 29, 2020 17:52 |
|
Shuu posted:Rhino Security has done some stuff on priv esc using cloud functions, so that may be a possible path here? https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/ Thanks, this was helpful. I've done some enumeration given that I know the function is nodejs, but haven't found anything. The function returns all data, up to a certain limit. Look here: code:
Ideas highly appreciated.
|
# ? Sep 29, 2020 19:45 |
|
CommieGIR posted: Yeah, paying the ransom might make recovery easier, but for the most part you are likely still compromised and still gotta find a way to rebuild from scratch. A while ago I had a client that got hit. They had no proper backups, no real security, nothing. I am not an IR person, I have no IR credentials, and nobody at our company does either. We ended up referring them to a proper IR team, which was expensive, and they decided to go with some sham solution from a big name company. That company plugged in a firewall and ran some scans and said "whelp you are all good." I'm terrified of what they probably have still laying around in their environment.
|
# ? Sep 30, 2020 03:14 |
|
siggy2021 posted: A while ago I had a client that got hit. They had no proper backups, no real security, nothing. I am not an IR person, I have no IR credentials, and nobody at our company does either. We ended up referring them to a proper IR team, which was expensive, and they decided to go with some sham solution from a big name company. That company plugged in a firewall and ran some scans and said "whelp you are all good." There are a couple of sham IR companies going around lately with the rise in Ransomware. I've not encountered one directly, but I've heard stories from others where they had recurrences after the cleanup company told them they were safe.
|
# ? Sep 30, 2020 20:36 |
|
I'm losing my mind with this dev who keeps insisting that X-Forwarded-For is an appropriate place to do IP restrictions. How are these people allowed near an enterprise computer system?
|
# ? Oct 1, 2020 06:46 |
|
I used to use X-Forwarded-For to get around the geoblocking on Comedy Central videos and was sad when they finally fixed it.
|
# ? Oct 1, 2020 06:55 |
|
I think it was in 2012? that I first learned about what you could do with that header, when Stack Overflow had the issue. There are still some terrible websites and devs out there that rely on that header as an actual security mechanism, it's insane. e: yeah here it is, good read: https://blog.ircmaxell.com/2012/11/anatomy-of-attack-how-i-hacked.html
|
# ? Oct 1, 2020 06:58 |
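To make the point in the two posts above concrete, here is an added example (written for this page, not code from any poster or from the linked blog) contrasting the naive pattern of reading the leftmost X-Forwarded-For value with a version that only consults the header when the TCP peer is one of your own reverse proxies, and then walks the chain from the right so anything the client prepended is ignored. The proxy range, allowlist and sample requests are constructed for the example.

```python
import ipaddress
from typing import Iterable, Mapping, Optional

# Assumed topology (constructed for this example): the application sits behind
# reverse proxies in 10.0.0.0/8, each of which appends the address it accepted
# the connection from to X-Forwarded-For. The allowlist is a documentation range.
TRUSTED_PROXIES = ["10.0.0.0/8"]
ALLOWLIST = ["203.0.113.0/24"]


def client_ip_naive(headers: Mapping[str, str], remote_addr: str) -> str:
    """The pattern being argued about: believe whatever the leftmost
    X-Forwarded-For entry says. Any client can send this header, so the
    value is attacker-controlled whenever the request did not pass through
    a proxy that overwrites it."""
    xff = headers.get("X-Forwarded-For", "")
    first = xff.split(",")[0].strip()
    return first or remote_addr


def _parse_ip(value: str):
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def client_ip(headers: Mapping[str, str], remote_addr: str,
              trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Derive the client address without trusting client-supplied data.

    1. If the TCP peer is not a trusted proxy, the header is meaningless: use
       the peer address.
    2. Otherwise read X-Forwarded-For right to left (the rightmost entry was
       appended by our own proxy) and return the first address that is not
       one of our proxies. Entries further left were supplied by the client.
    3. Malformed or empty chains fall back to the peer address.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip) -> bool:
        return any(ip in net for net in trusted)

    peer = ipaddress.ip_address(remote_addr)
    if not is_trusted(peer):
        return str(peer)

    hops = [_parse_ip(p) for p in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed(hops):
        if hop is None:
            return str(peer)      # malformed entry: refuse to guess
        if not is_trusted(hop):
            return str(hop)       # first address not added by our proxies
    return str(peer)              # header empty or consisted only of our proxies


def is_allowed(headers: Mapping[str, str], remote_addr: str,
               allowlist: Iterable[str] = ALLOWLIST,
               trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> bool:
    """IP restriction built on the hardened address derivation."""
    ip = ipaddress.ip_address(client_ip(headers, remote_addr, trusted_proxies))
    return any(ip in ipaddress.ip_network(n) for n in allowlist)


if __name__ == "__main__":
    # Constructed request: direct connection from outside the allowlist,
    # carrying a forged header that claims an allowed address.
    forged = {"X-Forwarded-For": "203.0.113.5"}
    print("naive  :", client_ip_naive(forged, "198.51.100.7"))   # 203.0.113.5
    print("hardened:", client_ip(forged, "198.51.100.7"))        # 198.51.100.7
    print("allowed?", is_allowed(forged, "198.51.100.7"))        # False
```

The behaviour worth noticing is the third case in the test: even when the request does arrive via a trusted proxy, a client can still prepend a fake entry, and the right-to-left walk returns the address the proxy itself observed rather than the client's claim. The trusted-proxy list has to be the real set of hops in front of the application; if it is too broad (or if the proxy does not strip or append the header consistently) the derivation degrades back to trusting user input.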
|
Speaking of Ransomware, OFAC is getting ready to roll out rules making it against the rules to pay ransomware demands.
|
# ? Oct 1, 2020 19:11 |
|
CommieGIR posted: Speaking of Ransomware, OFAC is getting ready to roll out rules making it against the rules to pay ransomware demands. Like, internally or in general for American companies? There are some giant-rear end companies getting crypto'd that could straight-up go under if they can't get their data back.
|
# ? Oct 1, 2020 19:20 |
|
klosterdev posted:Like, internally or in general for American companies American companies mostly, but basically they are saying if you pay the demand, you are likely violating international sanctions, and cyber insurance companies are not going to pay out in those cases.
|
# ? Oct 1, 2020 19:30 |
|
|
It's ok they aren't paying out ransomware ransoms, they are just paying a good ol' American cybersecurity consultancy to "decrypt the ransomware" for them
|
# ? Oct 1, 2020 19:32 |