Diametunim
Oct 26, 2010
I hate to be that guy who starts posting in a thread asking for something. Buuut, does anyone here work for DigitalOcean, or know somebody who does? I'm trying to figure out some information on a box that keeps hitting my company. According to ARIN this mystery box is registered to them. I shot an email to the abuse address listed on ARIN but haven't heard anything back. I'm pretty new to InfoSec so my ability to enumerate a mystery attacker is still pretty poor in my opinion, so I'm looking for some help. I've suggested blocking this address until we understand exactly what's going on. Some of my coworkers have voiced concerns about the traffic coming from a possible partner.

Diametunim
Oct 26, 2010

OSI bean dip posted:

By "hitting" what do you see the attacking computer doing?

The box is accessing various customer accounts. I originally thought the box may belong to a third-party financial aggregator (i.e. Intuit's Mint). However, when I cross-referenced traffic generated by an app like Mint the two didn't show any relation. It seems this address simply logs into an account, loads the website landing page, then logs out. The accounts being accessed have all been accessed by Mint previously though.

Diametunim
Oct 26, 2010

OSI bean dip posted:

What is concerning here is that you're telling me you have multiple customers being accessed--how many customers are we talking about? Are we talking a handful? Dozens? Hundreds? What is your relation to Mint here? Have you done any research on this IP address?

I don't think it actually matters if it is coming from a DO server or elsewhere but save your logs.

Last I checked it was roughly 60 accounts or so, none of which have had any suspicious activity on them. I don't have the IP off the top of my head at the moment but when I was initially researching the mystery box I didn't find it on any of the blacklist sites I use (Cymon, ThreatCrowd, MDL, etc.). I also couldn't find any other information besides a basic whois page on the address. The pattern of traffic from this address has them logging into a new account roughly every two hours, some GET requests for various elements on our landing page, then the traffic stops.

Intuit is a partner of ours, so I was looking at the traffic generated when a user logs in via Mint vs. the traffic that's being generated when someone logs in from this unknown address. The two don't share any relation, which leads me to believe this unknown address that is accessing accounts isn't any kind of financial aggregator, like Mint. Hopefully that makes sense.

cstine posted:

I do (and in T&S, no less); if you emailed abuse@ and didn't get a response I'll take a look.

If you could provide the IP/domains of the sites you're seeing the traffic to, logs showing it (with timestamps) and what, exactly, they were trying to do, that'd help tremendously.

You can contact me directly with my username @digitalocean.com

Thanks for reaching out, I really appreciate it. I originally shot an email to noc@digitalocean.com and didn't hear back. I'll send you an email tomorrow morning when I get into the office.

e: email sent

Diametunim fucked around with this message at 23:27 on Dec 20, 2016

Diametunim
Oct 26, 2010
Anybody have tips for parsing PST files? I need to grab every email sent or received in an eight-month time span. Once I've done that I need to comb through the emails for certain keywords. I've tried using the built-in advanced features in Outlook but for some reason Outlook isn't returning all of the results. I'd like to do this programmatically but searching for Python libraries that can parse PST files doesn't bring up much. Maybe this is a chance to export the PST and use one of the EnCase machines in my office.

Combing through people's emails is really boring.
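One way to do the date-window plus keyword sweep programmatically, as an added example (not Diametunim's code). It assumes the libpff Python bindings (pypff) expose folders and messages with the attribute names used in the comments; the walker is duck-typed, so the constructed stand-in mailbox at the bottom lets it run without a real PST.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
# Attribute names (sub_folders, sub_messages, subject, sender_name, delivery_time,
# plain_text_body) follow the libpff Python bindings (pypff) as I remember them (assumption);
# the walker is duck-typed, so the constructed stand-ins below work offline.

@dataclass
class Message:  # constructed stand-in for a pypff message
    subject: str; sender_name: str; delivery_time: datetime; plain_text_body: object
@dataclass
class Folder:   # constructed stand-in for a pypff folder
    name: str
    sub_messages: list = field(default_factory=list)
    sub_folders: list = field(default_factory=list)
def walk_messages(folder):
    """Depth-first over every message under folder (Inbox, Sent Items, subfolders...)."""
    yield from folder.sub_messages
    for sub in folder.sub_folders:
        yield from walk_messages(sub)
def as_text(body):  # pypff returns bodies as bytes; the stand-ins may use str
    return body.decode("utf-8", "ignore") if isinstance(body, bytes) else (body or "")
def search_mailbox(root, start, end, keywords):
    """Messages delivered within [start, end] whose subject or body hits any keyword."""
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    hits = []
    for msg in walk_messages(root):
        when = msg.delivery_time
        if when is None or not (start <= when <= end):
            continue                      # outside the review window
        m = pattern.search(f"{msg.subject or ''}\n{as_text(msg.plain_text_body)}")
        if m:
            hits.append({"when": when.isoformat(), "from": msg.sender_name,
                         "subject": msg.subject, "keyword": m.group(0)})
    return hits
def open_pst(path):
    """Root folder of a real PST via pypff (pip install pypff); not needed for the demo."""
    import pypff
    pst = pypff.file()
    pst.open(path)
    return pst.get_root_folder()
def sample_mailbox():  # constructed fixture: two top-level folders, one nested
    inbox = Folder("Inbox", [
        Message("Q1 invoice", "vendor", datetime(2016, 2, 10), "Please pay the invoice"),
        Message("Lunch?", "alice", datetime(2016, 3, 3), b"pizza at noon")],
        [Folder("Archive", [Message("Re: wire transfer", "bob", datetime(2015, 11, 20), "old")])])
    sent = Folder("Sent Items", [Message("wire details", "me", datetime(2016, 7, 15), b"Wire transfer to acct")])
    return Folder("root", [], [inbox, sent])
```

For a real mailbox, pass `open_pst("export.pst")` as `root`; the window check uses `delivery_time`, so messages with no delivery stamp (drafts) are skipped rather than misdated.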

Diametunim
Oct 26, 2010
Does anyone have any solid advice / tools for reviewing firewall rule sets for PCI compliance? My boss dropped this task on me this week and I've never touched a firewall rule set before (although understanding them is easy enough), or audited anything for PCI compliance for that matter. A previous employee wrote some VBA code in Microsoft Access to do these types of reviews. However, the program was getting caught in an infinite loop while parsing the config files.

I spent my day tracing through the code and I believe I solved the issue. Not really sure though, because I've never seen this program run before, and none of my co-workers have used it either. So, the program seems to parse the files now, but I'm unsure if it's doing so correctly. Does anyone have any tools to make my life easier? If not I'm going to be spending the weekend trying to fix this Access database or rolling my own QAD implementation in Python.
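A minimal "roll your own" rule-set review in Python, added here as an example (not the poster's Access tool or any vendor's code). It assumes a constructed, simplified rule format and an assumed CDE network; a real export (ASA, iptables, etc.) would need a vendor-specific parser emitting the same Rule objects. The checks are the first things a PCI DSS Requirement 1 review looks for: any/any permits, untrusted sources reaching the CDE directly, permits without a documented justification, and a missing final deny-all.

```python
import ipaddress
from dataclasses import dataclass
# Constructed, simplified rule format, one rule per line:
#   <action> <proto> <src> <dst> <dport> [# justification]   (src/dst: CIDR or "any")
CDE = [ipaddress.ip_network("10.20.0.0/24")]  # assumed cardholder data environment
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    line: int; action: str; proto: str; src: str; dst: str; dport: str; note: str

def parse_rules(text):
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        body, _, note = raw.partition("#")          # text after '#' is the justification
        parts = body.split()
        if parts and len(parts) != 5:
            raise ValueError(f"line {n}: expected 5 fields, got {len(parts)}")
        if parts:
            rules.append(Rule(n, *parts, note.strip()))
    return rules
def overlaps(addr, nets):      # 'any' overlaps everything
    return addr == "any" or any(ipaddress.ip_network(addr, strict=False).overlaps(n) for n in nets)
def untrusted(addr):           # trusted only if wholly inside an INTERNAL range
    return addr == "any" or not any(ipaddress.ip_network(addr, strict=False).subnet_of(n) for n in INTERNAL)

def review(rules):
    """Flag the rule patterns a PCI DSS Requirement 1 review looks at first."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        if (r.src, r.dst, r.dport) == ("any", "any", "any"):
            findings.append(f"line {r.line}: any/any/any permit (Req. 1.2.1)")
        if untrusted(r.src) and overlaps(r.dst, CDE):
            findings.append(f"line {r.line}: untrusted source reaches the CDE directly (Req. 1.3)")
        if not r.note:
            findings.append(f"line {r.line}: permit without documented justification (Req. 1.1.6)")
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or (last.src, last.dst) != ("any", "any"):
        findings.append("ruleset does not end in an explicit deny-all (Req. 1.2.1)")
    return findings

SAMPLE = """\
permit tcp 203.0.113.0/24 10.20.0.0/24 443 # partner API, change CHG-0001
permit tcp any 10.20.0.0/24 22
permit ip any any any
deny ip any any any # default deny
"""
```

`review(parse_rules(SAMPLE))` yields six findings on the constructed sample; note the partner rule on line 1 is still flagged, since a direct partner-to-CDE path is exactly what a reviewer should be asked to justify.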

Diametunim
Oct 26, 2010
If anyone needs a list of hashes for the WannaCry / Wcry going around right now so you can block your endpoints from executing it, links below.

https://gist.github.com/Blevene/42bed05ecb51c1ca0edf846c0153974a
https://isc.sans.edu/forums/diary/Massive+wave+of+ransomware+ongoing/22412/

Diametunim
Oct 26, 2010

BangersInMyKnickers posted:

Who is the person in the GitHub link? We're a bit wary of shooting down hashes from some random GitHub post when I can't even find a corresponding twitter feed.

Pulled it from https://twitter.com/malwrhunterteam?lang=en. If you search the page for "md5" the gist link will come up.

Diametunim
Oct 26, 2010
Is anyone in here running an IDS/IPS setup on their home network? If so, what's your setup like? I'm planning on moving forward with setting up a little home lab and monitoring traffic on my local LAN as well as outside my firewall using Security Onion. Just need to pick up a new NIC and more memory first.

Diametunim
Oct 26, 2010
After deleting 22TB of old rear end logs ArcSight is finally crunching logs again. Nothing like not having proper storage threshold alerts setup on your systems. So glad I wasted an hour or three troubleshooting smart connector issues.

Diametunim
Oct 26, 2010
Splunk may be expensive as hell but it beats the poo poo out of maintaining ArcSight. I'll be so happy when I can finally offline the rest of our logger boxes and never gently caress with another connector again.

Diametunim
Oct 26, 2010
Can we talk boring rear end USB Device Control Policy for a bit? I'm curious as to what y'all are using to encrypt removable USB devices. I'm looking for an easy, cross-platform, and preferably free way to device-encrypt USB drives that are handed out to end users for temporary use. My company is by majority Windows but we do have ~100 OSX devices in circulation, which makes using BitLocker an issue. I know there are solutions out on GitHub for OSX and BitLocker but let's be honest, there's no way your standard end user is going to take the time to figure that solution out.

e: I'm thinking VeraCrypt is probably the solution to use, any other ideas?

Diametunim fucked around with this message at 19:51 on Jun 4, 2018

Diametunim
Oct 26, 2010
I can't take this PCI audit anymore. Six months of auditing is too god drat long for everybody to pass their laundry list of blunders over to InfoSec because we're responsible for everything in the end. I just want to die.

Diametunim
Oct 26, 2010
Shot in the dark, but are any goons at the CB Connect conference this week?

Diametunim
Oct 26, 2010
Can anybody give me some insight into their process, policies, and procedures around approving an application for use within their environment? The business side of the house is working on a project with Samsung, and oh boy does Samsung have some lovely, lovely applications. The latest application I've been asked to review for this project is the Samsung CPCex Portal. We've been requested to use CPCex to facilitate transferring working key material and certificates between the two parties. The PM of this project has been contacting me daily asking if I can green-light this application for use.

I have more concerns than I could reasonably list but some of my main gripes are:

1) This is very obviously a legacy application: ActiveX, in this year of our lord 2019.
2) The documentation is in Korean, and that is all of it.
3) Users must register their endpoints with Samsung.
4) If I say "yes" I'm going to have to support this in production, and holy poo poo I don't want to do that. The last application I had to review of theirs was Samsung Wormhole and I still have weekly meetings on my calendar for troubleshooting.
5) Seriously, why can't Samsung just use a normal SFTP connection like the rest of our partners?

I've voiced my concerns to my teammates and managers and they won't touch this issue with a 10-foot pole. So here I am, asking strangers on the internet how I should be doing my job.

Diametunim
Oct 26, 2010
I'd like to dedicate this post to Cisco, whose latest IPS GeoDB update zeroed out my list of blocked countries, which caused the access control list to freak out and drop all traffic, causing a production outage.

Cue the director of IT Ops calling me on my cell and yelling at me directly.

I love this job some days. Just kidding, I can't wait to quit.

From college to burned the gently caress out in three years.

Diametunim
Oct 26, 2010
With BYOD policies it's also worth thinking about the process, policies, and procedures you'll need to cover should you ever need to confiscate a personal device for forensic investigation, in the event you suspect an employee of doing whatever deserves a forensic investigation of their device.

I would also never let a device that isn't running a modern OS (one still receiving security patches) connect to my environment or resources in any fashion.
