CyberPingu
Sep 15, 2013


If you're not striving to improve, you'll end up going backwards.
Zoom is no worse than any other conferencing system I've found so far. It's just at the moment they are in the spotlight as everyone and their dog flocked to them when everyone worked from home.

We have been monitoring their security "mishaps" recently and, for what it's worth, from a technology side of things they handled them pretty well. They also seem to be taking community suggestions seriously.

Their PR on the other hand is pretty awful.

CyberPingu

mllaneza posted:

Zoom scaled up from free video chat with some paid options to an enterprise-scale product really fast. They've actually managed to keep up with security features, so that's moderately impressive. Their user experience team is actually good at their jobs. For remote control sessions Zoom whips up on Webex, and Google Meet is stealing features from them. I appreciate attractive, easy to use software so that's a big plus for Zoom in my book. So they're hooked up with Chinese TLAs; state actors aren't really a problem you can do much about if they take an interest.

Pretty much this.

Like I said. Their PR is a bit horrendous but their actual product is one of the best on the market and they have done really well to address the issues that have been raised.

CyberPingu
Or make a risk assessment based on your own company and weigh off the risks and see if you are comfortable with it.

CyberPingu

Ynglaur posted:

I just pretend.

Wow...I don't think I've ever read a post that has both offended me and that I've agreed with more than this.

CyberPingu

Axe-man posted:

I just come here to watch what you all do behind the closed doors at the other side of the server room.

Watch us Google whatever we are asked?

CyberPingu
Love when your AV vendor uses terms like "expect decreased functionality"...

CyberPingu
I'd be fine if they meant "stops throwing false positives at every single program".

But I have totally lost faith in this company so far.

CyberPingu

The Iron Rose posted:

Cylance is the worst, and their reporting is godawful.

They also don't start working on new OS support until it's fully released.
Saying, and I quote, "We don't get access to early OS builds from Apple".

Bullshit.

CyberPingu

Absurd Alhazred posted:

Is their motto "We like to hit the ground running"?

"We like losing customers at a steady pace each year"


"Also our whitelists are more of a suggestion and we will still block things that are on your whitelist"

CyberPingu
That was the least surprising news since Facebook said they didn't vet political ads.

CyberPingu

That guy seems pretty dumb if I'm being brutally honest. Thinking that because he can see his own passwords stored in Google's password manager, that means they are being stored in plaintext.


I'm also gonna assume he ticked the "Remember this device for 30 days" thing when he logged on to that machine. Which disables 2FA for 30 days because it assumes you are clever enough not to get RAT'd.

CyberPingu fucked around with this message at 11:02 on Jul 3, 2020

CyberPingu
I mean, people are asked to save backup codes when they set up 2FA specifically for the case where you lose your phone.

CyberPingu

Volmarias posted:

If you're not a computer toucher or computer toucher adjacent you're not doing that though.

The onus of security of an account is on the user's end, not the company's. The company can provide the tools, but it's up to the user whether they want to use them.

Everyone has the ability to learn how these devices work. Google exists, search engines exist. If they don't want to learn, that's on them. If they want to keep secure personal data but don't take appropriate steps to secure it, what realistically do you think can be done?

Your insurance company isn't going to pay out if your house gets robbed and they found out you left your doors unlocked.

CyberPingu
Most 2FA solutions would work for your average Joe user. Even though SMS sucks balls on the secure list, it's still better than nothing, and I would wager most people that own a computer also own a phone and have used it to send a message before.

Implementing 2FA sucks, the support burden is really bad especially when it comes to resetting it. Depending on what you are providing, most of the time it has to lead to the end user providing proof of account ownership.

There are ways of semi-automating that, e.g. memorable security questions or something. But it's still one of the things we struggle with a lot, because resetting 2FA for one of our customers usually involves about a 20-minute phone call to our support.

CyberPingu

Space Gopher posted:

The big threat with SMS 2FA isn't somebody reading the code off your lock screen. If you're worried about that, just set your phone to not display SMS previews on the lock screen at all, which will stop exposing both SMS 2FA codes and that message from your ex that says "hey this is awkward but you might wanna get tested." More generally, starting off with "you have to find a way to get the person's phone in your hands" is not a feature of a strong attack.

The problem with SMS 2FA is that phone numbers are not strongly tied to hardware, people, or cryptographic secrets. Phone provider CSRs are willing to help an attacker with a SIM swap, because they're judged on fast resolutions and survey scores, not security. Anyone who can break into not-particularly-secure provider customer accounts can set up call forwarding, and many services that do SMS 2FA also wire it up to a "call me" option that reads the code over a text-to-speech engine. SS7 attacks can redirect incoming SMSes directly to an attacker using the same mechanisms that let your phone number work overseas, and larger-scale organized crime treats access to SS7 as a commodity. There are a lot of ways to compromise 2FA SMS before your phone is ever involved, and that's the reason that SMS is not a good 2FA mechanism.

They aren't great, but they are a hell of a lot better than no 2FA at all.


The biggest issue though is education & attitude. How do you expect someone who doesn't even set a lock PIN on their phone to use it for 2FA?

Education can kinda be treated; as the infosec industry we do a really bad job of education imo. Attitude is a lot harder: some people won't bother acting until it's too late, and it's almost impossible to get through to them because of the "I don't have anything worth stealing, so why would I be hacked". As they think the only thing hackers do is steal poo poo.
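The posts above lean on two mechanisms without showing them: verifying an authenticator code on the server side (the alternative to SMS being argued for) and the backup codes mentioned earlier in the thread for the "lost my phone" case that otherwise ends in a 20-minute reset call. The following is an added example written for this page, not code from the thread or from any vendor named in it. It uses the RFC 4226/6238 test key so the output can be checked against the RFCs; the `TotpAuthenticator` and `BackupCodes` classes, their storage layout and the PBKDF2 round count are assumptions made for the illustration.

```python
"""TOTP (RFC 6238) verification with replay rejection, plus single-use backup codes.

Added illustration; not code from the thread. The key below is the RFC 4226/6238
test secret so the output is checkable. Class layout is an assumption.
"""
import hashlib
import hmac
import secrets
import struct

RFC_TEST_KEY = b"12345678901234567890"   # RFC 4226 Appendix D test secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): dynamically truncate HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the current time step."""
    return hotp(secret, int(at_time // step), digits)


class TotpAuthenticator:
    """Server-side verifier: tolerates +/- `window` steps of clock skew and
    refuses to accept the same time step twice (replay)."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_counter = -1   # highest time step already redeemed

    def verify(self, code: str, at_time: float) -> bool:
        now = int(at_time // self.step)
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue   # that step (or an older one) was already used: replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


class BackupCodes:
    """Recovery codes for the 'lost my phone' case. Only salted, stretched
    hashes are stored; each code is accepted exactly once."""

    ITERATIONS = 50_000   # PBKDF2 rounds (assumed); codes are short, so stretch them

    def __init__(self):
        self.salt = secrets.token_bytes(16)
        self.unused: list[bytes] = []

    def _digest(self, code: str) -> bytes:
        normalized = code.strip().lower().replace("-", "")
        return hashlib.pbkdf2_hmac("sha256", normalized.encode(), self.salt, self.ITERATIONS)

    def generate(self, count: int = 10) -> list[str]:
        """Create fresh codes; return them once for the user to write down."""
        codes = [secrets.token_hex(5) for _ in range(count)]   # 40 bits of entropy each
        self.unused = [self._digest(c) for c in codes]          # plaintext never stored
        return codes

    def redeem(self, code: str) -> bool:
        """Accept a code once, then burn it."""
        candidate = self._digest(code)
        for stored in self.unused:
            if hmac.compare_digest(stored, candidate):
                self.unused.remove(stored)
                return True
        return False


if __name__ == "__main__":
    print(totp(RFC_TEST_KEY, 59))           # 287082 (RFC 6238 Appendix B, 6 digits)
    codes = BackupCodes()
    shown = codes.generate(3)
    print("backup codes (show once):", shown)
    print(codes.redeem(shown[0]), codes.redeem(shown[0]))   # True False
```

The two defensive details worth noticing are `last_counter`, which stops a code that was phished or shoulder-surfed from being replayed inside its 30-second window, and the fact that `BackupCodes` keeps only PBKDF2 digests, so a database leak does not hand out working recovery codes.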

CyberPingu

Arsenic Lupin posted:

Apparently scammers are successfully getting naive users to send their SMS confirmation codes to them with the usual social engineering. "Did you get the number I just sent you" pulls in a lot of people. :(

That could be done with literally any code though unfortunately. Social engineering is scarily easy.

Imo it should be included in more Pen Testing as if you have a lack of understanding from a people side of things then that's something I would want to know about.

CyberPingu
How the gently caress do you break a SIM card?

CyberPingu

The Fool posted:

re-enacting a spy movie?

They said it so nonchalantly, as if it's something everyone does on a regular basis.

CyberPingu

Combat Pretzel posted:

It's an electronic circuit. That poo poo can actually break. I presume my ISP is a cheapskate in that regard, or whatever. That said, one replacement was because they stuck some more of whatever provider information is on there, needed for proper operation, because with the older one, the phone wouldn't hop onto the HSPA network. --edit: Also, SIM format changes. I went to get proper ones, instead of cutting these down to fit whatever SIM slot du jour.

I've literally never had a SIM break on me in the 13+ years of having a mobile.

CyberPingu

Arsenic Lupin posted:

Naaah, you just have to be a virgin.

In this industry, virgins aren't exactly hard to find.

CyberPingu
Not a huge fan of the random Furry stuff included in that article. Definitely takes away some of the credibility behind it.

CyberPingu

RFC2324 posted:

We have tiktok now which i am told is like vine but not owned by white supremacists?

Well it's owned by China's own brand of white supremacists I guess.

CyberPingu
Can you post the article please?

I do love having a big lol at Apple and their lovely QA now.

CyberPingu
So that's been an issue for a couple of generations now that we have seen. I've seen some companies ban the use of any camera blockers other than black tape.

On another note. There is an abundance of easy to obtain camera jacking scripts that don't enable the LED....

CyberPingu

Combat Pretzel posted:

I assume they only work properly with older Macbooks? The claim was that in the newest models, the LED is looped into the power supply of the camera, so when powering it up for use, the LED is forcibly going on.

Dunno. I've not tested it on the newer ones actually.

CyberPingu

Biowarfare posted:

I'm guessing on some of the older ones they're single-frame grabs that then turn off too. IIRC newer macbooks will hold power on the LED for a while longer to prevent this

Just gotta hope your camera is always in your peripheral vision and you are paying attention I guess

CyberPingu
Saying "this is unbreakable" is basically painting a giant "Come get us" target on your back and you look loving stupid when it gets reverse engineered.

CyberPingu

evobatman posted:

From an infosec perspective, who would even give a gently caress what's on the webcam unless you're hoping to catch someone naked? For real world espionage, wouldn't screengrabs, network traffic interception, keyloggers and listening to the microphone to know what's going on in the room be much more valuable? If I want to know what you look like, I can look you up on social media.

Most of the time it's for compromising photos. That's why you find a lot of these jacking scripts built into porn ads.

Then they can try to blackmail you or threaten to release the photos.

But like someone else said... if they have jacked your webcam, it's likely they have access to your system anyway.


Also beyond that. Someone just staring at me all day gives me the creeps.

CyberPingu

Fame Douglas posted:

That definitely sounds like some kind of weird Christian urban legend.

Nah, I meant the obvious malware ads linking to dodgy porn sites.

CyberPingu

Lmao not just generic Brazzers ads.

Nah like the "This obviously hot single wants to gently caress you and lives 2 miles away from your secluded barn house in the middle of nowhere. Click here now....like now ... Now now...do it now."

CyberPingu

Ah so only 70% of systems are still vulnerable to it.

CyberPingu
Looks like someone got access to an internal employee dashboard.

CyberPingu
Daily reminder that it doesn't matter how good your security is. Your staff are always the weakest link.

Education, zero trust and trying to get across the point that security is everyone's responsibility.

Do the fundamentals right before chucking loads of SaaS solutions at it.

CyberPingu

D. Ebdrup posted:

Implementing a two-person rule for every administrative change above a certain threshold, just like banks have had for decades upon decades, whereby any withdrawal above a certain amount has to be confirmed by a separate employee out back.
Also, that gets the added benefit that huge companies like Amazon don't blame their biggest downtime incident on a single employee, when it's the fault of the entire team including management that it could've happened in the first place.

But no, devops gotta devops all over everything.

Yep, every branch should require a PR from someone else before it can be merged.
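What the two posts above describe is a four-eyes gate: a change is only mergeable when someone other than its author has approved the current revision, with a higher bar for administrative changes. The following is an added example written for this page, not any forge's built-in branch protection and not code from the thread. The `PullRequest`/`Review` shapes, the protected-path list and the one-versus-two approver threshold are assumptions made for the illustration.

```python
"""Four-eyes merge gate: approvals must come from someone other than the author,
must be on the current head, and a reviewer's latest verdict wins.

Added illustration; not a forge's rule engine. Data shapes, protected paths and
thresholds are assumptions constructed for this example.
"""
from dataclasses import dataclass, field

# Assumed: changes under these paths are "administrative" and need two approvers.
PROTECTED_PREFIXES = ("infra/", "iam/", "deploy/")


@dataclass
class Review:
    reviewer: str
    approved: bool   # False means "changes requested"
    at: int          # timestamp in seconds; only ordering matters here


@dataclass
class PullRequest:
    author: str
    head_pushed_at: int            # when the commits now under review were pushed
    changed_files: list[str]
    reviews: list[Review] = field(default_factory=list)


def required_approvals(pr: PullRequest) -> int:
    """One approver by default; two when the change touches a protected path."""
    sensitive = any(f.startswith(PROTECTED_PREFIXES) for f in pr.changed_files)
    return 2 if sensitive else 1


def effective_approvers(pr: PullRequest) -> set[str]:
    """Reviewers whose *latest* review is an approval of the *current* head."""
    latest: dict[str, Review] = {}
    for review in sorted(pr.reviews, key=lambda r: r.at):
        latest[review.reviewer] = review     # a later verdict overrides an earlier one
    return {
        name for name, r in latest.items()
        if r.approved
        and name != pr.author                # self-approval never counts
        and r.at >= pr.head_pushed_at        # approval of older commits is stale
    }


def can_merge(pr: PullRequest) -> tuple[bool, str]:
    """Return (decision, reason) so the gate can explain a block."""
    need = required_approvals(pr)
    have = effective_approvers(pr)
    if len(have) >= need:
        return True, f"ok: approved by {sorted(have)} (need {need})"
    return False, f"blocked: {len(have)} valid approval(s), need {need}"


if __name__ == "__main__":
    # Constructed scenarios: the author's own approval, then a second reviewer.
    pr = PullRequest("alice", head_pushed_at=100, changed_files=["app/main.py"])
    pr.reviews.append(Review("alice", True, 110))
    print(can_merge(pr))                     # blocked: self-approval
    pr.reviews.append(Review("bob", True, 120))
    print(can_merge(pr))                     # ok
    # Administrative change: one approval is not enough.
    admin = PullRequest("alice", 100, ["iam/policy.json"], [Review("bob", True, 120)])
    print(can_merge(admin))                  # blocked: need 2
```

Two cases bite in practice and are covered above: an approval given before the author pushes more commits no longer applies to what will actually be merged, and a reviewer who approved and then requested changes has withdrawn their approval, so only their latest review counts.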

CyberPingu

Internet Explorer posted:

We have all sorts of infosec stuff. Everything Microsoft throws at you with O365/M365, Azure Sentinel, even Darktrace.

No one looks at it, it's no one's responsibility, and we've never met as a team to discuss an approach.

It's great. I love it.

Darktrace is the loving snake oil of the infosec world

It's what would happen if movie producers could make infosec tools.

CyberPingu

Shuu posted:

I literally cannot tell what Darktrace is supposed to do from their website.

It's aggregated attack logs with a shiny UI.

My favourite Dark Trace story was being at an InfoSec conference last year where DT were doing one of the keynotes.

The guy before them was this ex-GCHQ and current Interpol guy who was saying how we need to drop vendors selling us all these services and get back to doing the basics right.


Then DT stood up and tried to do a sales pitch.

CyberPingu fucked around with this message at 08:11 on Jul 30, 2020

CyberPingu

Internet Explorer posted:

There are so many loving false positives that it's just an avalanche of garbage unless you put an absolute enormous amount of time into it.

Tbf that sounds like a lot of AV solutions too.

CyberPingu

Internet Explorer posted:

It's on a totally different level.

Oh I know. DT is loving horrendous, but false positives feel like a by product of over sensitive security (or lack of a 1000hour configured safe list).

CyberPingu

evil_bunnY posted:

That's the thing, your monitor isn't a company-wide available asset. Write down your loving password if you must.

Also, state attorneys bragging about bagging teenage crackers while ransomware gangs go unchecked is very 2020

While everyone is working from home, writing down a password on a post-it note isn't the worst tbh, as long as it's out of webcam view.


But yeah, teenage crackers are low hanging fruit that boosts their "got em" numbers. Which makes them look better. Getting the high end organised guys takes time and money, and doesn't produce instant results

CyberPingu
https://www.msn.com/en-gb/money/tec...U?ocid=msedgntp

quote:


After the user has inserted the Stealth device into their mouth, it would scan their pre-stored palate biometrics to check that it belongs to them.
Then, in order to unlock particular devices, a "one-time sense code" would be sent to the user – a process that requires internet signal or wifi – and they must perform a certain pre-defined, intentional sensory gesture with the tongue in response to the code, like pressing or sliding.

:wtc:
