Boris Galerkin posted:Is Let's Encrypt actually worth taking the x minutes to set up? I remember reading somewhere that all having a cert from them says is "this guy has a cert from us" but doesn't actually mean/do much else. Could be wrong though.

Considering x=about 3, it's pretty brain-dead easy. Just remember to automate your renewals.
# ¿ Apr 26, 2016 16:21 |
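
The "automate your renewals" advice above is the part that actually goes wrong in practice: the cron job or timer silently stops and nobody notices until the cert expires. The following check is an added example, not code from the thread; it parses the `notAfter=` line that `openssl x509 -noout -enddate` prints and flags certs that are closer to expiry than certbot's default 30-day renewal window should ever allow. The thresholds, hostnames and dates are constructed for illustration.

```python
from datetime import datetime, timezone

# Thresholds are assumptions for this example: certbot renews by default when
# fewer than 30 days remain, so a cert inside the 14-day window means the
# scheduled `certbot renew` has not been running and someone should look.
RENEW_AT_DAYS = 30
ALERT_AT_DAYS = 14


def parse_not_after(line):
    """Parse one 'notAfter=<date>' line as printed by `openssl x509 -noout -enddate`.

    openssl pads single-digit days with a space ("Jun  1"); strptime tolerates that.
    """
    key, _, value = line.strip().partition("=")
    if key != "notAfter":
        raise ValueError(f"expected a notAfter line, got: {line!r}")
    parsed = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def days_remaining(not_after, now):
    """Fractional days between `now` and the certificate's expiry."""
    return (not_after - now).total_seconds() / 86400


def renewal_status(line, now=None):
    """Classify a cert as ok / due / alert / expired relative to `now` (UTC)."""
    now = now or datetime.now(timezone.utc)
    days = days_remaining(parse_not_after(line), now)
    if days <= 0:
        return "expired"
    if days <= ALERT_AT_DAYS:
        return "alert"
    if days <= RENEW_AT_DAYS:
        return "due"
    return "ok"


def report(pairs, now=None):
    """Map each (hostname, notAfter line) pair to its status."""
    return {host: renewal_status(line, now) for host, line in pairs}


# Constructed sample: what a loop over `openssl x509 -noout -enddate -in <cert>`
# might print for four hosts, evaluated as of 1 May 2024 (hypothetical names).
SAMPLE_NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)
SAMPLE = [
    ("www.example.com", "notAfter=Jun  1 12:00:00 2024 GMT"),
    ("mail.example.com", "notAfter=May 20 12:00:00 2024 GMT"),
    ("old.example.com", "notAfter=May  5 12:00:00 2024 GMT"),
    ("dead.example.com", "notAfter=Apr 30 12:00:00 2024 GMT"),
]


def sample_report():
    """Run the check over the constructed sample as of SAMPLE_NOW."""
    return report(SAMPLE, SAMPLE_NOW)


if __name__ == "__main__":
    for host, status in sample_report().items():
        print(f"{host:20s} {status}")
```

Anything that comes back as "alert" is worth treating as a broken automation rather than a cert problem: with 90-day certificates, a correctly scheduled `certbot renew` never lets a cert get that close to expiry.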
|
# ¿ Apr 24, 2024 18:17 |
|
Unless your person in charge of IT at the executive level is hip enough to not be susceptible to all the fearmongering clickbait and chain emails, you're probably going to be running AV on everything because WHAT IF WHAT IF WHAT IF and no logic or intelligent discussion will sway them.
|
# ¿ May 2, 2016 03:20 |
|
orange sky posted:The US could start a war with any country in the world except perhaps NK and China and they'd know through the use of companies such as Google or Apple:

This requires/assumes that literally every mobile device is compromised on the entire planet. Or are you saying that Google/Apple would comply with requests to turn over such data?
|
# ¿ Jan 29, 2018 19:59 |
|
The Fool posted:Google and Apple aren't really the best sources for that kind of information. The signal to noise ratio is usually too bad.

Yeah, gotta imagine there are people on payroll or contract for the DoD that do this sort of tracking for a living.
|
# ¿ Jan 31, 2018 18:16 |
|
Thanks Ants posted:Palantir used to be a lot more open about the capabilities of their software when hooked into social media feeds etc. but they presumably save all that for customer presentations now.

"Palantir Technologies is a mission-driven company, and a core component of that mission is protecting our fundamental rights to privacy and civil liberties."
|
# ¿ Jan 31, 2018 21:33 |
|
EVIL Gibson posted:You can't deny it! They make sure to gather all this information and make sure no one accesses it

If we don't have all the information, how can we be sure we're protecting it?!?
|
# ¿ Jan 31, 2018 21:54 |
|
For things that aren't hypercritical, I usually answer security questions as a fictional character. Makes it easier to remember, since I am REAL HUMAN BEAN, and my favorite whatever is subject to change.
|
# ¿ Feb 1, 2018 16:16 |
|
Klyith posted:2) crackable by the same methods as the pseudorandom passwords people use now. grammar has rules, and you're probably using a phrase with common words and not something from a medical textbook. a safe phrase against hash attacks isn't 4 words, it's like 6-10.

"word1word2word3word4" yes. "95word1+word2+word3+word4!" less so.
|
# ¿ Feb 13, 2018 18:35 |
|
Trabisnikof posted:Those are only meaningfully different for the most trivial of adversaries.

Can you explain this better? A list of words alone can be attacked via a simple dictionary of common words, ok. A list of words separated by a random character with a few others thrown in increases the entropy massively. So for example, using a passphrase generator, I picked: "should lonely folks leaf"

password: shouldlonelyfolksleaf
entropy: 44.38

password: should lonely folks leaf
entropy: 67.228

password: should+lonely+folks+leaf87#
entropy: 83.764

Are you considering that a dictionary that contains all single characters AND common words could crack it as technically a password with only 10 actual "characters"? Does it not matter that you're running it against thousands of possible characters instead of just an alphabet?
|
# ¿ Feb 14, 2018 18:17 |
|
Trabisnikof posted:How many password attempts can an attacker achieve per hour?

No, I don't think that's right. Cracking should+lonely+folks+leaf87# brute force is something like 60^27 possibilities = 1.02e48. But yeah, yeah, brute force. Cracking it by utilizing 1000 most common words (which doesn't contain all four of those) with symbols and numbers gives you ~1050^10 = 1.63e30. Even if we grant that you figure out that only a single symbol is used between letters, that's still ~1050^8 = 1.48e24. Even at ten billion hashes per second, it's going to take 5 million years. Well, wait. If you somehow gather that the pattern is word/symbol/word/symbol, it becomes easier. Throwing a symbol between a couple of the words, rather than all 4 is safer, I guess.

Klyith posted:Real good entropy stuff, thanks for this post.

Yeah, it's so difficult to come up with an actual metric that can be universally applied. The logic behind cracking is so much higher level than it used to be. And ideally, a proper difficult to crack password would be used on 1Password, with truly obscene generated passwords like VV$m6LKh72xaC;xFG)oYcZaapa unique for each website. I guess it all also points toward passwords being more and more on the losing end of the arms race and need to die.
|
# ¿ Feb 14, 2018 21:27 |
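
The two posts above (the generator's entropy figures and the 60^27 / 1050^10 / 1050^8 arithmetic) are really arguing about attacker models: the same passphrase has a different effective keyspace depending on what the attacker assumes about its structure. The script below is an added example, not the thread's own code, that makes each model explicit for the "should+lonely+folks+leaf87#" phrase. The vocabulary sizes (a 1000-word list, a 32-symbol separator set, the 60-character alphabet and the 1e10 guesses/s from the post, 7776 for a diceware-style list) are assumptions chosen for illustration, and the pattern-aware model goes one step beyond the post by charging a reused separator only once.

```python
import math
import re

# Assumed vocabulary sizes for the models below (illustrative, not measured).
WORDLIST = 1000          # "1000 most common words" from the post
SYMBOLS = 32             # separator/symbol set an attacker would try
DIGITS = 10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# One token per lowercase word, per single digit, or per single symbol.
TOKEN_RE = re.compile(r"[a-z]+|[0-9]|[^a-z0-9]")


def brute_force_bits(length, charset_size):
    """Bits of search space if the attacker knows only length and charset."""
    return length * math.log2(charset_size)


def token_model_bits(slot_sizes):
    """Bits when each slot is an independent pick from a vocabulary of the given size."""
    return sum(math.log2(size) for size in slot_sizes)


def pattern_aware_bits(phrase, wordlist_size=WORDLIST, symbol_set_size=SYMBOLS):
    """Bits against an attacker who guesses the word/separator/digit structure.

    Words are drawn from the wordlist, digits from 0-9, symbols from the symbol
    set. A separator that repeats between words is charged once: after the
    attacker guesses it, the repeats cost nothing. Concatenated words with no
    separator are not segmented here; model those with
    token_model_bits([wordlist_size] * n_words) instead.
    """
    slot_sizes = []
    separator = None
    for tok in TOKEN_RE.findall(phrase.lower()):
        if tok.isalpha():
            slot_sizes.append(wordlist_size)
        elif tok.isdigit():
            slot_sizes.append(DIGITS)
        elif separator is None:
            separator = tok
            slot_sizes.append(symbol_set_size)
        elif tok != separator:
            slot_sizes.append(symbol_set_size)
    return token_model_bits(slot_sizes)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try the whole space at a fixed guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare_models(phrase="should+lonely+folks+leaf87#", rate=1e10):
    """Return {model name: (bits rounded to 0.1, years at `rate`)} for the phrase."""
    tokens = TOKEN_RE.findall(phrase.lower())
    models = {
        "brute force, 60-char alphabet": brute_force_bits(len(phrase), 60),
        "naive tokens, 1050 choices each": token_model_bits([WORDLIST + 50] * len(tokens)),
        "pattern-aware (word/sep/word, digits, symbol)": pattern_aware_bits(phrase),
        "four bare words from 1000": token_model_bits([WORDLIST] * 4),
        "six diceware words from 7776": token_model_bits([7776] * 6),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, rate))
            for name, bits in models.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare_models().items():
        print(f"{name:48s} {bits:7.1f} bits  {years:12.3g} years at 1e10/s")
```

The brute-force and naive-token rows reproduce the post's 60^27 and 1050^10 figures; the pattern-aware row is the case the poster worried about at the end ("if you somehow gather that the pattern is word/symbol/word/symbol"), and it lands far closer to the four-bare-words row than to the generator's 83 bits. The diceware row is Klyith's point in numbers: six words from a large list beat four common words plus decoration under every model here.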
|
Klyith posted:So yes,

Yeah, I don't think personal password security is accomplishable without some kind of vaulting, which of course imports its own headaches of either trusting someone else with all your secrets or managing all of it yourself correctly. Thanks for your posts though, the bear analogy is a good one that I will steal. Meanwhile our AD passwords are 8 characters with only modest character set requirements, so uhhh...
|
# ¿ Feb 15, 2018 17:25 |
|
So we get "analysts" from our security team sending us giant exports of "SUSPICIOUS LOGIN ACTIVITY ON EXECUTIVE ACCOUNTS." Most of the time it's just page after page of BAD PASSWORD. They expect me to somehow grill our C-levels about whether or not it was them. No. I am not doing that. If our crack security team can't somehow suss out where these logins are coming from and do some investigation without dealing with the spotty memory of the end user, wtf are they going to do if I come back and say yep, they say they were sleeping at this time. OK? NOW WHAT? loving clowns.
|
# ¿ Feb 23, 2018 16:10 |
|
cheese-cube posted:Sounds like they're just running garbage-tier reports against your environment that identify things like "X account failed auth Y number of times in period Z". You wouldn't perchance be relying on a BPO for security operations stuff? Either way tell them to stop running rubbish Nessus reports and get a proper SIEM appliance that's configured to do correlation and analysis to actually identify real risks.

I am not sure of the details, but our entire security team seems to be very confused and think that visibility = security. They're very big into buying tool after tool that watches this or that and generates piles and piles of logs and reports. Let me put it to you this way: I manage just about everything in terms of endpoints, and never at any point in my years here has anyone from our security team thought to sit down and go over our general security posture for those endpoints. Ever.
|
# ¿ Feb 23, 2018 21:57 |
|
Potato Salad posted:
Bomgar's a legit good product, I think.
|
# ¿ Apr 19, 2018 19:38 |
|
*deletes app*
|
# ¿ Aug 2, 2018 16:37 |
|
Darchangel posted:Uh, stupid question for someone who's not familiar with the issues, why is being acquired by Cisco bad, aside from "giant company acquires another good, small company and ruins it"?

"This year has brought five undocumented backdoors in Cisco's routers so far, and it isn't over yet. In March, a hardcoded account with the username "cisco" was revealed. The backdoor would have allowed attackers to access over 8.5 million Cisco routers and switches remotely."
|
# ¿ Aug 2, 2018 17:46 |
|
They also like to create obnoxious and nonsensical dependencies, so that to use one product successfully, you've really gotta use this OTHER product. They want to be the go-to for SO many categories of product that they're not actually competitive in :\
|
# ¿ Aug 2, 2018 18:29 |
|
Yeah but Umbrella spawned out of it, and ain’t that some poo poo.
|
# ¿ Aug 3, 2018 04:00 |
|
Thanks Ants posted:Does it still not work on IPv6 networks?

No idea. We're gonna roll it out though, because our security department is a bunch of creeps :\
|
# ¿ Aug 4, 2018 03:43 |
|
evil_bunnY posted:https://twitter.com/kennwhite/status/1025401519481470982

Getting root to the device is not the same thing as getting access to the coins stored on it. The "hackers" shifted the goalposts pretty hard.
|
# ¿ Aug 7, 2018 18:18 |
|
anthonypants posted:You don't think it's possible for a rooted device, which can execute enough code to play a video, cannot execute code to transfer buttcoins to an attacker's address? Didn't McAfee shift the goalposts later to claim that his "unhackable" claim didn't include hacking by security professionals?

No passphrase/hash or actual data is stored on the device. Even if a rooted one can actually connect to the bitfi dashboard, without the passphrase that cannot be extracted from the device, it's functionally useless. They've basically abandoned storing anything sensitive on the device, instead everything's either in your brain or in the blockchain itself. That's how I read it anyway.
|
# ¿ Aug 7, 2018 18:42 |
|
ozymandOS posted:what do you think you could do with a rooted device the next time the user enters their passphrase to access their butts

I am not sure. I haven't actually seen one run. Are you just entering it in on a kb?

Diva Cupcake posted:wait, so this is basically single factor auth? does the bitfi device itself hold no purpose? lol

This is what I can't figure out. Is it just a gateway device to their service/wallet? Why couldn't I just do all this over the web?
|
# ¿ Aug 7, 2018 21:20 |
|
So is it just me, or is there a big fight coming about encrypted DNS? Tools like Cisco Umbrella want to have all DNS queries routed through them for "security", hell, your ISP wants your DNS traffic so it can serve you ads, and now Cloudflare and others are offering TLS encrypted servers?
|
# ¿ Aug 28, 2018 19:23 |
|
The Fool posted:Don't forget DNS over HTTPS

Surprised this isn't becoming the browser-level standard, or at least a more publicized option.
|
# ¿ Aug 28, 2018 19:55 |
|
wolrah posted:Mozilla is playing with it in Firefox test builds, but they're being strung up currently by privacy concerns since these tests necessarily override local DNS settings and instead send your queries to a third party, in this case Cloudflare, who the user may or may not trust.

That is logical, but I don't know why I would trust Cloudflare any less than my ISP, Google, or any other DNS provider.
|
# ¿ Aug 29, 2018 15:47 |
|
Furism posted:I can't wait to hear 5-10 years from now that CloudFlare is operated by NSA and they recorded a gazillion amount of requests and unencrypted content because they were doing TLS proxy under the pretense of caching.

I get that, but I don't think Cloudflare is any MORE likely to be in the pocket of the NSA than anyone else. At least with TLS you don't have to worry about the intermediate snoops.
|
# ¿ Aug 30, 2018 18:10 |
|
CLAM DOWN posted:https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/
|
# ¿ Oct 18, 2018 16:51 |
|
Enjoying that we have hundreds of 840s and 850s in production with BitLocker and I've heard jack nor poo poo from our CISO on this.
|
# ¿ Nov 8, 2018 20:10 |
|
astral posted:Right, and the Samsung drive itself doesn't offer the HW encryption unless you go through a process (described by Diva Cupcake) to enable that.

That's a pretty big fuckin' relief.
|
# ¿ Nov 8, 2018 22:39 |
|
my cat is norris posted:I guess this question is semi-related to InfoSec...

Never done it on an SSD, but GetDataBack has saved me a few times. Free trial will at least show you what it can get. If the drive was just quick formatted, then the blocks were marked empty, but the data is still there.
|
# ¿ Nov 14, 2018 20:45 |
|
repiv posted:1Password is letting users give away a 1 year subscription for thanksgiving, PM me your email if you want some free 1Password.

Is this still a thing? They didn't send me anything and I'd love to give one away.
|
# ¿ Nov 26, 2018 19:48 |
|
Rufus Ping posted:the option is still showing up for me in the bottom right corner of my.1password.com when I log in

Thanks!
|
# ¿ Nov 28, 2018 19:36 |
|
tf when a user wipes and reloads their machine to circumvent the management/security software. sigh.
|
# ¿ Jan 16, 2019 18:29 |
|
Well, the person is only about 1 or 2 rungs down from the top in the org chart, so we'll see how that goes. I told my boss, who then felt obligated to escalate it, so we'll see what shakes out. Modifying boot device was not specifically prevented, so welp.
|
# ¿ Jan 16, 2019 20:51 |
|
Jabor posted:I mean, at that point it wouldn't have proper client certs, so the end result shouldn't be much different from if they'd bought in a personal laptop and tried using that?

LOL if you think we're cool enough to have certs actually required to do anything meaningful in this garbage fire company. No switch port security. Wifi key for corp network is pre-shared and has been the same for over a decade.
|
# ¿ Jan 17, 2019 18:35 |
|
bull3964 posted:Then, aside from breaking policy, this guy didn't actually do anything negative to your security footprint.

I don't disagree with that, except that he normally wouldn't have local admin and then went ahead and installed a bunch of software on his new machine where he was God. The sad part is, dude is high enough up, and supposedly smart enough, he could have asked for an admin account for his use on the box and gotten it.
|
# ¿ Jan 17, 2019 19:32 |
|
Also, WEIRD, the machine hasn't checked in since about an hour after it was re-enrolled 3 days ago. That's a few dozen 15m checkins missed, even though this person was working. It's almost like they took it home and did the same poo poo again. At this point I hope they get fired, but I know they won't. :\
|
# ¿ Jan 18, 2019 19:09 |
|
Volmarias posted:Sounds like they have some kind of compromised machine, better suspend the account until you can verify everything

LOL, I'd love to, but the user is across the country, and if I can't get the management suite to touch the box, I can't kill it. Not about to gently caress with his AD account. I am just gonna escalate it to my director and let him deal with it.
|
# ¿ Jan 26, 2019 02:03 |
|
But.... phishable 2-factor is still >>>>>>>> single factor??
|
# ¿ Jan 28, 2019 21:33 |
|
|
OK, so if you had to speculate, what does the following represent?

code:
|
# ¿ Feb 26, 2019 17:35 |