|
In my limited experience with card products, where a location is spotted as a nexus for fraud, the *bank* will notice it first. Your local gas station isn't opening the pumps to check for a skimmer. Your store with a POS terminal might swipe your card if you hand it to them and they have a card reader under the counter. There are hackable POS terminals though.
|
# ? Sep 25, 2022 16:13 |
|
|
Defenestrategy posted:
> I'm gonna say "generally not", because lol security, but was curious.

Definitely not audits, though they do sometimes find the devices themselves. The defense against skimmers is chip & PIN, because it's impossible to replicate the chip from just reading it. If you get skimmed these days it's real easy to claim fraud: the person doing it will have used a fake magstripe card. The banks / CC companies will auto chargeback to retailers who accept a magstripe payment. Still a hassle, so not a bad idea to do a basic check on whatever slot you're shoving a card into. But some of the readers these days are pretty impossible to detect.
|
# ? Sep 25, 2022 16:39 |
|
No, not really any sort of audits like that. At most a PCI checkbox audit, but it's usually at the top level, not the card readers themselves. Most companies outsource their card infrastructure to a third party to limit their PCI liability anyways.

CommieGIR fucked around with this message at 19:45 on Sep 25, 2022
# ? Sep 25, 2022 19:40 |
|
Defenestrategy posted:
> I don't know if this is the right place to ask, but I was curious since I never worked in the consumer space.

Here it's usually a check on the CC receipts and cross-matching with user expense notifications.
|
# ? Sep 26, 2022 09:06 |
Costco had a compromised card reader early in the year in Chicago and that was not active for long before alarms started to trigger. The store employees really have to be the ones to keep an eye on the keypad, and reminders are sent, but the actual PCI audit cares more about the org's inf and won't really have any impact on a device in the middle or anything. Doubly so with card transaction vendors.
|
|
# ? Sep 26, 2022 12:31 |
|
BonHair posted:
> So you're telling me that if the NSA told Microsoft HQ "hey, we think maybe there are terrorists doing stuff in Canada to hurt USA, please provide us with any and all users in Company X and their IP addresses"

the Canadian Defense Establishment would go and get that information themselves from products they license from places I've worked for, then hand it off to the NSA on a silver platter. There is no need for a third party like a corporation to be involved, other than the service providers and backhaul operators that are already completely on board.
|
# ? Sep 26, 2022 13:22 |
|
this is a supposed information security thread, do people really not know what it means for a five eyes state to be a five eyes state, in detail, especially Canada
|
# ? Sep 26, 2022 13:25 |
|
Potato Salad posted:
> this is a supposed information security thread, do people really not know what it means for a five eyes state to be a five eyes state, in detail

This is a supposed infosec thread. It's amazing we post at all instead of just hitting the report button and moving on.
|
# ? Sep 26, 2022 14:30 |
|
Again, the GDPR issue is only about legal frameworks allowing data to be accessed from the USA, not about real threats or how intelligence agencies actually work in real life. It's 100% legal bullshit. But legal bullshit is a huge part of GDPR compliance at the moment.
|
# ? Sep 26, 2022 15:27 |
|
BonHair posted:
> Again, the GDPR issue is only about legal frameworks allowing data to be accessed from the USA, not about real threats or how intelligence agencies actually work in real life. It's 100% legal bullshit. But legal bullshit is a huge part of GDPR compliance at the moment.

Tell me you're not in risk and privacy/compliance without telling me you're not in risk and privacy/compliance.

"ITAR is 100% legal bullshit." "HIPAA is 100% legal bullshit." "PCI-DSS is 100% legal bullshit." "SOX is 100% legal bullshit." "GDPR is 100% legal bullshit." "GxP is 100% legal bullshit." etc.

Rust Martialis fucked around with this message at 16:02 on Sep 26, 2022
# ? Sep 26, 2022 15:55 |
|
Hell yeah, petty posting is the best!
|
# ? Sep 26, 2022 15:56 |
|
isn't it, by definition, legal rear end-covering rather than necessarily true to what's on the ground?
|
# ? Sep 26, 2022 16:28 |
|
BonHair posted:
> Again, the GDPR issue is only about legal frameworks allowing data to be accessed from the USA, not about real threats or how intelligence agencies actually work in real life. It's 100% legal bullshit. But legal bullshit is a huge part of GDPR compliance at the moment.

It's 100% legal bullshit that can enable very hefty fines, so it's 100% effective.
|
# ? Sep 26, 2022 16:47 |
|
Famethrowa posted:
> isn't it, by definition, legal rear end-covering rather than necessarily true to what's on the ground.

It says among other things you have to know:
- what personal data you collect
- for what purpose you collect it
- how it is processed
- and who can access it

You can't just hoover up personal data about the public without a clearly stated reason; you have to ensure that however and wherever you process it, you provide GDPR-equivalent protection. There are a number of countries like Canada who are deemed to provide equivalent legal rights to data subjects (PIPEDA). Then there's the USA, which freely lets national security agencies rummage around in your data - US laws are utterly incompatible with GDPR.

Now, if you put data in AWS or Azure, they will admit that some staff in the US can access your data. It's called sub-processors. So if you store data in Azure, you need to take supplemental measures to protect the rights of data subjects. You could store it encrypted with the keys held outside Azure, but at some point it's going to be decrypted and processed in Azure...
|
# ? Sep 26, 2022 16:55 |
|
laws are legal bullshit
|
# ? Sep 26, 2022 16:56 |
|
CommieGIR posted:
> It's 100% legal bullshit that can enable very hefty fines, so it's 100% effective.

Let me rephrase: GDPR has both legal bullshit parts and actual good practice mandates (such as the very difficult "figure out what data you have and why"). But the trouble with using American cloud providers* falls pretty squarely into the legal bullshit category. Both kinds can get you fines though, and when legal gets involved, there's usually less room for "good enough" on the technical side.

*If you're not dumb enough to give AWS unrestricted access to your unencrypted health data repository.
|
# ? Sep 26, 2022 17:00 |
|
BonHair posted:
> when legal gets involved, there's usually less room for "good enough" on the technical side.

Oh boy, are we in agreement on that.

Ed: when the head of legal tells the CEO you maybe breached GDPR, then Mister Reasonable takes a vacation.

Rust Martialis fucked around with this message at 17:06 on Sep 26, 2022
# ? Sep 26, 2022 17:02 |
|
Jeoh posted:
> laws are legal bullshit
|
# ? Sep 26, 2022 17:04 |
|
Jeoh posted:
> laws are legal bullshit

They aren't even real, it's just some made up stuff, you don't have to comply.
|
# ? Sep 26, 2022 17:07 |
|
BonHair posted:
> Let me rephrase: GDPR has both legal bullshit parts and actual good practice mandates (such as the very difficult "figure out what data you have and why"). But the trouble with using American cloud providers* falls pretty squarely in the legal bullshit category. Both kinds can get you fines though, and when legal gets involved, there's usually less room for "good enough" on the technical side.

Unencrypted health data repository? What in tarnation?
|
# ? Sep 26, 2022 17:09 |
|
Sickening posted:
> Unencrypted health data repository? What in tarnation?

Not an actual thing I know of, but also not exactly improbable. Say you want to do some BI on your data and no one thinks about security because those guys just make everything more difficult. Huge data dump ends up on AWS with some guys in India doing the reports.
|
# ? Sep 26, 2022 17:14 |
|
BonHair posted:
> Not an actual thing I know of, but also not exactly improbable. Say you want to do some BI on your data and no one thinks about security because those guys just make everything more difficult. Huge data dump ends up on AWS with some guys in India doing the reports.

If you are in the Microsoft space you can use some sensitive label fuckery to gently caress all this up and also send alarms. Power BI used to be a major pain in my rear end, no more!
|
# ? Sep 26, 2022 17:16 |
|
Also, don't do dumb poo poo like this:

> H&M — €35 million ($41 million)
|
# ? Sep 26, 2022 17:19 |
|
Famethrowa posted:
> isn't it, by definition, legal rear end-covering rather than necessarily true to what's on the ground.

Can't speak for a lot of them, but sometimes when people who are idiots say "... and that's HIPAA data!" they don't realize they're actually talking about protected classes. ITAR is very much not legal bullshit, so disclose widgets and information to foreign nationals at your own peril. As a matter of fact, ITAR is one of the least legal-bullshitty ones here, because basically all it is asking is that you can try it away from foreign nationals not to see certain things without a license. You don't meet three dozen controls and check 50 compliance check boxes; all you're doing is making an apparatus of procedures that keeps foreign nationals from seeing poo poo, then documenting how that works.

Economic sanctions aren't legalistic bullshit: try sending a wire to North Korea. Give a presentation on IR CCD tech to a university in Cuba. Put a modern mobile IC in a letter envelope and send it to Iran. Go ahead, see what happens.

HIPAA has large swaths of bullshit mostly because nobody who is handling it actually knows anything other than what MTG told them on Tucker Carlson. Said persons are sometimes hospital executives.

GDPR can be considered SEMI legal bullshit RIGHT NOW only because we are still seeing how far the EU is willing to go to compare reality to paperwork. Pay attention to the investigation into Facebook's admission that they do not have a data governance program and that such a program would be impossible to implement. GDPR has produced plenty of fines against plenty of entities, so I guess only a fool would look at it like a toothless shark right now.
|
# ? Sep 26, 2022 17:35 |
|
Sickening posted:
> If you are in the Microsoft space you can use some sensitive label fuckery to gently caress all this up and also send alarms. Power BI used to be a major pain in my rear end, no more!

"Can" is doing a lot of heavy lifting here though. I'm not saying you can't do it right, I'm saying companies are not doing it.
|
# ? Sep 27, 2022 11:04 |
|
BonHair posted:
> "Can" is doing a lot of heavy lifting here though. I'm not saying you can't do it right, I'm saying companies are not doing it.

We are not in disagreement there. Power BI is a huge blindspot for all but the most niche of orgs. It's also one of those that can be the biggest timebombs. If anything, it doesn't seem like threat actors are even targeting these areas enough because it's such a clunky piece of poo poo of a platform. It's a data platform with poo poo administrative controls that hasn't shown up in the news enough for people to worry. Come put all your data unencrypted here! What is the worst that could happen?
|
# ? Sep 27, 2022 16:36 |
|
Sickening posted:
> We are not in disagreement there. Power BI is a huge blindspot for all but the most niche of orgs. It's also one of those that can be the biggest timebombs. If anything, it doesn't seem like threat actors are even targeting these areas enough because it's such a clunky piece of poo poo of a platform.

Could you point me to any reading on this subject? I assumed that Power BI stored anything it used in an encrypted cache. Is that not the case?
|
# ? Sep 27, 2022 18:16 |
|
Ynglaur posted:
> Could you point me to any reading on this subject? I assumed that Power BI stored anything it used in an encrypted cache. Is that not the case?

There are a lot of options, but what I've seen is one giant database (the data warehouse, or data lake if it's particularly messy) where all the data (all the data) is collected from various sources, which is then pushed to another database with good structure. Needless to say this first database especially, but also the second, should probably be super secure. But encryption is bad for performance so...

The Power BI platform doesn't really care how it gets data though, and it can actually be set up to only fetch exactly the data it needs (from the data warehouse or wherever) or just dump it all into Azure every hour. It can also work on multiple sources of different kinds, including actual spreadsheets. It really is just Excel on steroids.

One issue I would be worried about is who (and what) has access to the data warehouse, and how are you keeping tabs on them? Experience tells me that the answer can be not so good. Especially since the business intelligence guys are best buddies with management, since they make charts and KPIs and colours and buzzwords, in addition to being trendy right now.
|
# ? Sep 27, 2022 18:57 |
|
BonHair posted:
> There's a lot of options, but what I've seen is one giant database (the data warehouse or data lake if it's particularly messy) where all the data (all the data) is collected from various sources, which is then pushed to another database with good structure. Needless to say this first database especially, but also the second, should probably be super secure. But encryption is bad for performance so...

If your admins haven't disabled detection, MCAS will flare up like a rave once people start loading heavy data sets on Power BI. We get alerts from MCAS well before sensitivity label activity notifications.
|
# ? Sep 27, 2022 19:15 |
|
SlowBloke posted:
> If your admins haven't disabled detection, MCAS will flare up like a rave once people start loading heavy data sets on Power BI. We get alerts from MCAS well before sensitivity label activity notifications.

What do your policy templates look like, if you don't mind me asking? I use MCAS a lot but haven't made any for BI.
|
# ? Sep 27, 2022 23:41 |
|
Sickening posted:
> What do your policy templates look like, if you don't mind me asking? I use MCAS a lot but haven't made any for BI.

Mast Cell Activation Syndrome (MCAS)

Mast cells are allergy cells responsible for immediate allergic reactions. They cause allergic symptoms by releasing products called "mediators" stored inside them or made by them. In allergic reactions, this release occurs when the allergy antibody IgE, which is present on the mast cell surfaces, binds to proteins that cause allergies, called allergens. This triggering is called activation, and the release of these mediators is called degranulation.
|
# ? Sep 28, 2022 04:17 |
|
jaegerx posted:
> Mast Cell Activation Syndrome (MCAS)

it's a CASB
|
# ? Sep 28, 2022 05:01 |
|
CLAM DOWN posted:
> it's a CASB

Is that what you caught in Vegas during DEF CON?
|
# ? Sep 28, 2022 05:14 |
|
jaegerx posted:
> Is that what you caught in Vegas during DEF CON?

my lack of shame prevented anything terrible from befalling me in that cursed place
|
# ? Sep 28, 2022 05:47 |
|
Sickening posted:
> What do your policy templates look like, if you don't mind me asking? I use MCAS a lot but haven't made any for BI.

In our case it's the two stock ones: "Multiple Power BI report sharing activities" and "Suspicious Power BI report sharing". Our main issue is users making reports and sharing willy-nilly, something that takes time with conventional labels but MCAS gets immediately.
|
# ? Sep 28, 2022 07:30 |
|
I ended up with a Flipper Zero on the way because I like mucking about with random pentest tools and have some different kinds of keys to clone and play with. I also noticed it comes with a rubber ducky feature. Is there a good use case for that feature that I don't understand? I know the SOP for using a rubber ducky as a pentest tool is you load a script into it and either leave it unattended for some dufus to plug into their computer or hide the thing on a back port waiting for someone to log in. Absolute worst case scenario for you, the pentest nerd, is that thing gets broken or thrown out and you're out 50 bucks and three days to get a new one, and that's if you don't know/care to build your own for like five bucks and a few hours of your life. In the case of the Flipper Zero, if that gets lost, broken, or stolen you're out a cool two hundo, two weeks of shipping, and that's only if they're not on back order. So it seems that leaving it unattended would be a not great idea.

Defenestrategy fucked around with this message at 21:40 on Sep 29, 2022
# ? Sep 29, 2022 21:37 |
|
Defenestrategy posted:
> I ended up with a Flipper Zero on the way because I like mucking about with random pentest tools and have some different kinds of keys to clone and play with. I also noticed it comes with a rubber ducky feature. Is there a good use case for that feature that I don't understand?

Use it as a tool of opportunity if you don't want to lose it. They're nice because of how quickly you can deliver a payload to a computer if it is unlocked and no one is attending it. Literally seconds with a USB insert vs sitting down and trying to download something or whatever payload you're attempting to deliver.
|
# ? Sep 29, 2022 21:53 |
|
the Flipper Zero is not a pentest tool, really. it's a fun toy that maybe you could use, but that's just your justification for buying the toy
|
# ? Sep 29, 2022 22:59 |
|
Achmed Jones posted:
> the Flipper Zero is not a pentest tool, really. it's a fun toy that maybe you could use, but that's just your justification for buying the toy

I'll be the first to admit that I'll probably play with it for like two months, write some notes for how to use it, and throw both in my random bag of totally legal but suspicious items. Just like every other bit of tech I've had to learn in this discipline.
|
# ? Sep 30, 2022 02:58 |
|
|
Achmed Jones posted:
> the Flipper Zero is not a pentest tool, really. it's a fun toy that maybe you could use, but that's just your justification for buying the toy

Anything is a pentest tool if you want it to be
|
# ? Sep 30, 2022 04:10 |