Head Bee Guy posted:Is there a preferred multi factor authentication app? Duo is pretty good, Authy gets a lot of good press from our DevOps guys.
Feb 27, 2021 23:04
Apr 28, 2024 14:58

Signing into your Google account on your phone and using the device as the 2nd factor is the easiest thing for me. I wish more places did push notifications as 2FA tbh, or like how MS auth does it.
Feb 27, 2021 23:13

RFC2324 posted: Duo does push, Google does it, Facebook is really pretty nice about it (it asks for codes, but you can just push yes on the app).

Yeah we use Duo for work. It's pretty good though some of their enterprise stuff is annoying. I've disabled and 2FA wherever possible.
Feb 27, 2021 23:17

Sickening posted: I wish this entire industry would shut the gently caress up about passwords.

Passwords are amazing but suck because people are creatures of habit and there's no way of changing that. Also apparently the tech world can't stop storing them insecurely.
Feb 28, 2021 18:51

Sickening posted: They aren't amazing. And if I ever hear someone talk about "password complexity" again ever in my life it will have been too soon.

In a perfect world they work. But the problems come from our inability to use them properly.
Feb 28, 2021 19:53

CLAM DOWN posted: A perfect world doesn't exist, so they don't work. Too many in security fail to understand/account for the fact our users are human beings.

That's why I said in a perfect world. Also why I said we suck at creating them and keeping them safe.
Feb 28, 2021 20:02

I've been trying to get passwordless auth implemented for our customers at work for loving ages now and it always seems to hit some sort of dead end. Also fwiw, password expiry is the loving worst faux security poo poo ever and gently caress knows why it's even included in CIS poo poo.
Feb 28, 2021 23:50

Sickening posted: Microsoft will detect you are using password expiration in azure/o365 and will suggest you turn it off as a security suggestion. It counts against you in their secure score system.

Yeah it's the same with AWS' CIS benchmarking. I wrote a big gently caress off document about how we could implement passwordless auth in like 5 different ways and some marketing dickhead came in and was like "All these are going to impact engagement, this is dumb".
Feb 28, 2021 23:58

Sickening posted: Well, they are correct! It will impact your engagements with all other orgs with old grog security teams who are also stuck in 1996. Being on those calls and listening to them berate someone for this stuff must be a real treat.

I had to sit on a call the other day and listen to our head of sales pore over GDPR rules to see if there were any loopholes to spam our customers with emails. I wanted to smash his face in.
Mar 1, 2021 00:06

Oh...my...christ. Someone sent us a PoC to our responsible disclosure program that he had uploaded to YouTube.
Mar 1, 2021 11:07

spankmeister posted: It's an unlisted video, right?

It is not. I've already sent a request for it to be taken down.
Mar 1, 2021 11:25

evil_bunnY posted: It's trivial to unlist or reupload it. As geonetix says, if you treat people right they'll reciprocate, and someone contacting your RD team to begin with is already primed to be cooperative.

Yeah I get that. It's just a bit annoying having to go through this. If we can verify it he will be rewarded.
Mar 1, 2021 13:59

droll posted: Is looking at the applicant's LinkedIn, noticing they worked at a company where I know someone, and asking that someone I know about the applicant, gross/bad?

Untrustworthy if anything. Also people at the other company might not know the applicant is looking for jobs.
Mar 4, 2021 22:07

We actually went through this with one of our IT techs. I asked a guy at his last place who I went to Uni with what he was like. He gave him a not great review because he worked on the night team. I'm so loving glad I didn't listen to that guy and it's the last time I'll ever do that.
Mar 4, 2021 22:19

CommieGIR posted: https://twitter.com/nyancrimew/status/1369390591700828170?s=20

Lol one of our vendors tried to sell us this poo poo in the middle of the pandemic when our offices were closed.
Mar 11, 2021 21:57

https://www.lawgazette.co.uk/news/uk-to-depart-from-gdpr/5107685.article

gently caress sake
Mar 12, 2021 12:43

RFC2324 posted: I guess everyone who cares about the exchange thing is busy right now.

Busy on holiday. E.g. hiding under their beds with their phones switched off and all the lights off in their house.
Mar 12, 2021 19:30

Pablo Bluth posted: I've just started playing around with HackTheBox. It's a terrible time-sink...

It's very fun though. TryHackMe is another great similar platform.
Mar 14, 2021 11:49

Pablo Bluth posted: I haven't got very far at the moment; just working my way through Starting Point. I went down a rabbit hole of trying to manually launch nc and powershell reverse shells via php and lost too many hours to what turned out to be noddy mistakes on my part...

This will be a lot of your experience with boxes. The makers intentionally put rabbit holes on a lot of them to throw you off. Which is actually fun to do in real life machines too tbh. But I hope no one ever gets to see any of my rabbit holes I've put on our infrastructure. Otherwise that means I hosed up somewhere else.
Mar 14, 2021 16:04

Sickening posted: Dumb question time, is there a website that shows all the active unpatched vulnerabilities of windows server 2003?

Shodan technically....
Mar 22, 2021 18:23

Proteus Jones posted: poo poo, I forgot I got a lifetime a few years ago for Black Friday. Just checked, and yep still active.

It's $4 for life.
Mar 30, 2021 12:06

Absurd Alhazred posted: I have no idea what that is but $4 for a lifetime membership sounds good to me!

External vulnerability scanner. Also has other slightly more morally opaque uses like being able to search for, say, every router that has default creds on it etc.
Mar 30, 2021 15:01

Why the gently caress does an IT admin have root access to their s3 buckets and aws accounts?
Mar 30, 2021 21:22

https://twitter.com/adventureloop/status/1387447008609308672?s=09

https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/
Apr 29, 2021 15:16

Apparently Okta were negotiating with the guy who hacked them for the last month or so. Meaning he was extorting them and giving them time to hang themselves. He had pretty much full access for a full month before they realised. Which is loving hilarious.
Mar 24, 2022 16:35

I was at a conference yesterday and there was a talk on incident management that had a nice flowchart about what you should do in response to reporting an incident and what the media are looking for. As most times companies aren't judged for being breached, they are judged for how they respond. It boiled down to basically having your CEO issue an apology and statement asap to:

A) Show that your CEO actually cares and isn't an absentee CEO
B) Stop the rumour mill from filling in stuff too quickly

Also making sure that your CEO understands what they are talking about but also can dumb it down. Then it just went to post mortem stuff, making sure that you accurately assess what happened and how you dealt with it, including if your spokesperson who did the media piece was the right person and if they need further training.
Mar 24, 2022 19:09

BaseballPCHiker posted: Do you have a link on this?

It was from an itk at a conference I was at yesterday who may or may not work for Okta. So pinch of salt etc etc.
Mar 24, 2022 20:21

We are a Google house and I'd say Google's spam filtering out of the box is probably good enough by itself. Once you do some more configuration I can't see any benefit to adding another service on top. Especially since it adds another potential attack vector too.
Mar 25, 2022 06:34

Lol, was just informed by one of our higher ups in the dev team that it's "standard procedure to run job applicants' code reviews before we inspect the code".
Mar 29, 2022 15:08

The OSCP exam just got overhauled drastically so the old study methods don't really work. It's now heavily weighted towards Active Directory, which it wasn't before, with AD taking 40/100 points for the exam. Personally I found OSCP and the PWK kinda sucks but somehow is a gold standard for industry certs. The 24 hour time restriction loving sucked and it's insane that anyone thought that was a good idea. The OffSec labs were buggy as gently caress and you share a lab environment with 100s of other people meaning boxes are constantly being reset from under you losing all your progress. For the cost it's actually a joke that students don't get segmented machines.
Apr 8, 2022 18:46

You can do 3 boxes + the lab report. Realistically though unless you need it to break into pentesting I'd go for something like eCPPT from eLearnSecurity if it still exists. Or even try to do PNPT from CyberMentor, which is a 5 day Active Directory attack certificate. It's also £350 and includes a free resit. So significantly less cost. OffSec's materials are woefully out of date and poorly presented. Don't give them money.
Apr 8, 2022 19:08

Achmed Jones posted:
Buffer overflow is no longer a guaranteed part of the exam, it can show up on one of the 20-point boxes. The exam is now mostly focussed around a 3 box AD lab that you have to own the domain controller on for full points. There's no partial points for it so you either get 40 or 0. Then there are 3 20-point boxes in the same vein as the 20-point boxes were before.
Apr 8, 2022 21:47

So a few weeks ago I found out our devs run unchecked code from interview candidates. Basically they run the code to see if it works before inspecting the actual code. Last week I managed to complete my successful phishing of my company's HR + engineering departments. All because one dipshit didn't follow procedure.

* Created a fake profile, linkedin profile, the works
* Submitted fake CV to our HR
* Spoke to a new start about what questions they got asked during the phone interview
* Hooked up a voice modulator and passed the phone interview
* Got the code review, sent in a load of bollocks ruby/rails code with a reverse shell baked in
* Got a live session on a department head's machine, grabbed his AWS creds for proof
Apr 16, 2022 19:38

It was all signed off from my boss who is our Director of Security so I'm all good.
Apr 16, 2022 20:14

The best part is I had to reach out to that department head to tell him this. He just assumed the code didn't work. Never did hear back from HR though.
Apr 16, 2022 20:20
Apr 28, 2024 14:58

I did get promoted to senior on Friday...so that was nice
Apr 17, 2022 08:22