|
same
|
#
?
Mar 29, 2023 00:03
|
|
|
|
| # ? Apr 25, 2024 13:55 |
|
|
just delete your cookies
|
|
#
?
Mar 29, 2023 00:08
|
|
|
dpkg chopra posted:buddy, terrible posts is all we have
|
|
#
?
Mar 29, 2023 02:32
|
|
|
Subjunctive posted:that’s all fine and good, but what about my terrible posts? who’s going to apologize for them? ask not for whom the poo poo posts, it posts for thee
|
|
#
?
Mar 29, 2023 04:41
|
|
|
lomarf https://twitter.com/hillai/status/1641146512712368128
|
|
#
?
Mar 30, 2023 19:58
|
|
|
holy gently caress that's bad. the whole "azure ad credentials are used for bing" thing makes that xss exploit a catastrophic vulnerability
|
|
#
?
Mar 30, 2023 20:02
|
|
|
Powerful Two-Hander posted:*nods sagely* terrorists win
|
|
#
?
Mar 30, 2023 20:07
|
|
|
drat they’ve rolled that all out so fast too
|
|
|
#
?
Mar 30, 2023 20:11
|
|
|
i am a moron posted:drat they’ve rolled that all out so fast too I’m sure there’s no correlation
|
|
#
?
Mar 30, 2023 20:22
|
|
|
I’m thinking there’s more and it’s worse One of the comments was ‘GitHub copilot wrote this’ and I bet it’s not far from the truth, it’s a very basic fuckup to make on azure
|
|
|
#
?
Mar 30, 2023 20:30
|
|
|
idk i feel like $40k is a pittance considering the damage they would have taken if a hacker actually abused that exploit
|
|
#
?
Mar 30, 2023 21:08
|
|
|
PIZZA.BAT posted:idk i feel like $40k is a pittance considering the damage they would have taken if a hacker actually abused that exploit absolutely, that was my first thought lol
|
|
#
?
Mar 30, 2023 21:43
|
|
|
lol same
|
|
#
?
Mar 30, 2023 21:59
|
|
|
PIZZA.BAT posted:idk i feel like $40k is a pittance considering the damage they would have taken if a hacker actually abused that exploit https://www.microsoft.com/en-us/msrc/bounty?rtc=1 it’s nice of them to put the relative worth of security to various MS divisions in a table like that
|
|
#
?
Mar 30, 2023 22:38
|
|
|
amazing. This would suggest that even if microsoft had made them single tenant apps, any microsoft tenant account would have had access. If their fix was to add authorization to the apps it should be good now, but if all they did to "fix" it was set it to single-tenant, users in whatever tenant they put it in would still have full access to gently caress with everything. tbh tho this is all a bunch of issues with bad application security and nothing to do w/ azure ad itself. Bing getting owned would be funny but it doesnt impact me. The real gently caress up is bing getting secret oauth authorization in everyone's 365 tenant. Thats totally hosed.
|
|
#
?
Mar 30, 2023 23:10
|
|
|
discord is retroactively stripping trailing data from PNGs to mitigate the android redaction bug https://twitter.com/lexikiq/status/1641975123832983553
|
|
#
?
Apr 1, 2023 14:30
|
|
|
thank you discord thiscord
|
|
#
?
Apr 1, 2023 16:03
|
|
|
today we are canceling the acropalypse
|
|
#
?
Apr 1, 2023 18:30
|
|
|
haveblue posted:today we are canceling the acropalypse btw ms has also pushed updates for the snipping tool versions starting with w10
|
|
#
?
Apr 1, 2023 18:33
|
|
|
western digital announces OurCloud https://www.bleepingcomputer.com/news/security/western-digital-discloses-network-breach-my-cloud-service-down/
|
|
#
?
Apr 3, 2023 16:58
|
|
|
owncloud
|
|
#
?
Apr 3, 2023 18:54
|
|
|
git apologist posted:owncloud
|
|
#
?
Apr 3, 2023 18:57
|
|
|
pwncloud?
|
|
#
?
Apr 3, 2023 21:24
|
|
|
mystes posted:That's already the name of an actual thing ownedcloud
|
|
#
?
Apr 3, 2023 21:25
|
|
|
WD employees getting unexpected paid vacation days
|
|
#
?
Apr 4, 2023 06:05
|
|
|
mystes posted:That's already the name of an actual thing that’s the joke, yes
|
|
#
?
Apr 4, 2023 07:35
|
|
|
this morning my boss got a phishing test email that was allegedly a company policy update and was sent from the legitimate HR email account. After forwarding it to everyone he could think of his customized url has been clicked from over 20 different endpoints.
|
|
#
?
Apr 4, 2023 17:00
|
|
|
shame on an IGA posted:this morning my boss got a phishing test email that was allegedly a company policy update and was sent from the legitimate HR email account. After forwarding it to everyone he could think of his customized url has been clicked from over 20 different endpoints. thus demonstrating the need to keep repeating this experiment for as long as the cheques clear
|
|
#
?
Apr 4, 2023 17:03
|
|
|
shame on an IGA posted:this morning my boss got a phishing test email that was allegedly a company policy update and was sent from the legitimate HR email account. After forwarding it to everyone he could think of his customized url has been clicked from over 20 different endpoints. When companies using phishing simulations for anything more than awareness and to check boxes, it makes my head hurt.
|
|
#
?
Apr 4, 2023 17:09
|
|
|
If it's coming from a legitimate account it's not even phishing at that point. Unless the lesson is never open company emails in which case I support this 1000%.
|
|
#
?
Apr 4, 2023 17:10
|
|
|
Soylent Pudding posted:If it's coming from a legitimate account it's not even phishing at that point. Legitimate isn't something a user can really verify. If the sender address matches are real internal email address, its not the fault of the end user that it got to their inbox if it was sent externally. Its all on the fault of spf/dkim/dmarc. If your phishing simulations assume spf/dkim/dmarc doesn't exist and delivers email like that anyway... well yeah that is loving cringe.
|
|
#
?
Apr 4, 2023 17:14
|
|
|
The amount of focus on user education needs to stop. You can't rely on users to not do the bad thing. They will do the bad thing. Your tech has to stop them from doing the bad thing or make it super inconvenient to do the bad thing. Protections that require good decision making from users aren't really protections.
|
|
#
?
Apr 4, 2023 17:17
|
|
|
Sickening posted:The amount of focus on user education needs to stop. You can't rely on users to not do the bad thing. They will do the bad thing. Your tech has to stop them from doing the bad thing or make it super inconvenient to do the bad thing. Protections that require good decision making from users aren't really protections. That sounds hard and expensive though
|
|
#
?
Apr 4, 2023 17:24
|
|
|
Last Chance posted:That sounds hard and expensive though Its really not. It is more inconvenient though.
|
|
#
?
Apr 4, 2023 17:25
|
|
|
next step is infosec guy kidnapping and torturing someone for his password then informing the victim they lost the test and need to do remedial training
|
|
#
?
Apr 4, 2023 17:26
|
|
|
you can’t get email phished if your company doesn’t have email
|
|
#
?
Apr 4, 2023 17:27
|
|
|
Sickening posted:Legitimate isn't something a user can really verify. If the sender address matches are real internal email address, its not the fault of the end user that it got to their inbox if it was sent externally. Its all on the fault of spf/dkim/dmarc. I read legitimate as "they sent it from the actual HR account". It sounds like they just spoofed the correct account and the email system isn't configured to warn the user it's an external account? Sickening posted:The amount of focus on user education needs to stop. You can't rely on users to not do the bad thing. They will do the bad thing. Your tech has to stop them from doing the bad thing or make it super inconvenient to do the bad thing. Protections that require good decision making from users aren't really protections. This focus on user education also ignores that many users actually have to open documents and at a certain point "don't do insecure things" becomes "just don't do your job". We can't keep blaming users for what are ultimately risks inherent in being on the internet. Zero trust has become a stupid marketing buzzword. But "assume all users are foreverally compromised and design accordingly" is much better than expecting eternal user hypervigillance.
|
|
#
?
Apr 4, 2023 17:31
|
|
|
our system flashes huge warnings on external emails, they sent it from the actual hr account
|
|
#
?
Apr 4, 2023 17:41
|
|
|
in my experience the “external email address” is how you know an HR benefits email is legit
|
|
#
?
Apr 4, 2023 17:41
|
|
|
|
| # ? Apr 25, 2024 13:55 |
|
|
I really wish 365 didn't eat a license to have "on behalf of" messages. I want to know who in departments is sending the email
|
|
#
?
Apr 4, 2023 17:52
|
|
