SlowBloke
Aug 14, 2017
If you are the kind of dipshit that runs a virus on a prod machine, there is no excuse to not set up this https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview

SlowBloke
Aug 14, 2017

Achmed Jones posted:

do you actually think the person was thinking ahead?

He was an admin on a mspaint discord so no.

SlowBloke
Aug 14, 2017

ZeusCannon posted:

I'm gonna out myself as an idiot for a moment here and ask a probably dumb question.

For the people syncing their keepass are you all using an associated token for the database to restrict access as well as the u/pw? I've always been shy about syncing since duplicating the database always felt less secure.

Depending on the keepass database importance, I set up a yubikey to execute a challenge as MFA on critical ones. KeePassXC does it natively (guide at https://keepassxc.org/docs/#faq-yubikey-2fa) on win/mac/linux, Keepassium does it on ios/ipados.

SlowBloke
Aug 14, 2017

Powerful Two-Hander posted:

hooooly poo poo did I just find a fuckup

we have a cloud platform that uses sso across the company domain(s), so when you go to it and enter powerfultwohander@company.com, it forces sso against our idp (you can probably see where this is going), but only if the domain is yours.

so if you go to it and enter the email address as powerfultwohander@yospos.com it just reverts to username and password and you can then upload whatever you like!

loving lmao. not only did it security not think of this (neither did until just now but it's not my job), but the vendor didn't think to mention it and their solution to it is absolute trash (just ip restrict to that domain your morons).

bonus: we don't monitor outbound data on the main domain account anyway lol

this is gonna ruin at *least* two people's days

Isn't that standard keycloak behaviour? I don't think you can do much to mitigate it.

SlowBloke
Aug 14, 2017

Achmed Jones posted:

el mero mero is right. there's a ton of people who won't use totp but will use sms mfa. they are much better off with sms mfa than no mfa. that there's another better (but less user friendly) choice is irrelevant and misses the point

If they are on that level of non-technical, iOS has native TOTP and security key in the os at the tip of their finger (or face).

SlowBloke
Aug 14, 2017

post hole digger posted:

random question but what is considered the standard for enterprise wifi these days? is it still certificate-based 802.1x managed by radius with adfs issuing the certs? do any companies have any interesting alternatives to that model? in particular, the adfs component of it? how is azure ad as an adfs replacement for x.509 certs?

it's been a while since I've had to do any wireless networking poo poo and I'm curious what this landscape looks like these days

edit: i found this, which looks very interesting. i was never a super strong windows admin, but never liked working with adfs. anyone have any experience with this in particular? https://redmondmag.com/articles/2022/02/14/azure-active-directory-certificate-based-authentication-preview.aspx

The very high end cloud-managed wifi from aruba will let you do client enroll with an app that checks the client security stance and use saml for credentials so you can use mfa for extra security.

SlowBloke
Aug 14, 2017

Subjunctive posted:

Question from a friend: Is there a security key that exists that supports U2F and FIDO2, has a fingerprint scanner and NFC or BT?

If you can skip u2f, feitian makes one https://www.ftsafe.com/Products/FIDO/Bio

SlowBloke
Aug 14, 2017

mystes posted:

Is it really possible for a device to support fido2 without supporting u2f? IIRC fido2 is just u2f with an additional mode that allows keys to be stored on the device so I don't think it should be possible, and I would guess that this is just some sort of mistake in the feature comparison table.

The underlying logic is the same but the user-side APIs are different (ctap1+uaf vs ctap2+webauthn2), so it's possible that they only expose the current ones. A lot of sites call fido2 a second-factor u2f when it's not a fido1 api call.

SlowBloke
Aug 14, 2017

Midjack posted:

80 bucks a month is enough to get a subsidized decent phone and good enough data plan for work only, isn't it?

I can get a 5g unlimited plan for 20€/month and an iphone 14 for 30€/month (33 installments) easy so yeah.

SlowBloke
Aug 14, 2017

infernal machines posted:

i am sincerely regretting having implemented azure information protection for a client

dealing with sensitivity labels on documents, and the myriad of sharing options in onedrive is just enough of a divergence from their usual workflow that they absolutely cannot get it right, and they're starting to get pissed off rather than taking the time to learn how it works (we've had multiple demo sessions and done one-on-one training with several of them, no one retains anything).

aip was a hard requirement to move them to cloud hosted infrastructure, which they wanted because they have people working across the country and they were getting annoyed with the limitations of the remote access system. now, instead, they're getting annoyed by the workflow changes and it appears everyone but a few of the partners are willing to throw access controls and data security to the wind because no one can remember the steps to do anything for longer than a single work day

i'm not sure if there's a lesson here, or a point to this, other than apparently security is impossible, because even if you can make it work, no one wants it.

If this was a greenfield deploy why did you use AIP instead of MIP? AIP isn't natively integrated in sharepoint/onedrive/office but relies on several moving parts to work compared to the mostly transparent MIP.

SlowBloke
Aug 14, 2017
I am curious to see how the google equivalent of MIP works, every big google tenant I interacted with had a security stance of "YOLO".

SlowBloke
Aug 14, 2017

dpkg chopra posted:

ok someone correct me if I'm wrong

my company is a contractor for BigTech Co. and I've recently been added to that team

as part of the remote onboarding process, BigTech Co. requires that we do an ID verification process.

one of the steps of that verification process is

a) adding the BigTech Co. email to our device accounts
b) Installing an App on our phone
2) On iOS going to Settings -> General -> Device Management and "Trusting" BigTech Co.

this is essentially just adding the certificates so that BigTech Co can remotely manage my device no?

I ask because my employer does not give us work devices as we do not use our phones for work purposes so I'm 100% not comfortable doing this

If it's just a siloed certificate for the purposes of ID verification that I can just remove afterwards then that's less worth escalating for

On iPhone you can have a managed device or a supervised device. Supervised is far more powerful in the remote management options but requires the device to be set up using ABM at purchase or with Configurator (and then wiped). Managed will still provide a lot of data so I strongly advise contacting your company to have them send you a cheap burner phone.

SlowBloke
Aug 14, 2017

Beeftweeter posted:

afaik configurator doesn't work anymore? i'm not sure you can do that with modern ios versions

I used it two days ago on an iPadOS 16.4 device to enroll it onto ABM so no, it still works fine.

SlowBloke
Aug 14, 2017

Beeftweeter posted:

oh huh. maybe i was thinking of configuration utility? i haven't done MDM stuff in a real long time

Apple's original MDM solution that talked to an Apple macOS Server (Profile Manager and Managed Preferences) is no longer functional; maybe you were remembering that? Every active MDM solution will ask you to tinker with Configurator 2 (forcing you to get at least one MacBook and one iPhone since there is no Windows build).
Intune has this flow to enable supervised on devices purchased outside of ABM https://techcommunity.microsoft.com/t5/intune-customer-success/how-to-manually-add-devices-in-apple-business-manager-abm-or/ba-p/2328462

SlowBloke
Aug 14, 2017

zero knowledge posted:

fortunately the EU is bringing back the glory days of EV with eIDAS and QWACs so you'll get to have those asinine arguments forever.

The only change is rather than reselling geotrust certs, your cert provider will resell one from an eIDAS-enabled CA.

SlowBloke
Aug 14, 2017
Isn't ZIP file password protection trivially easy to unlock? I remember 7-Zip clamoring about their password protection being the sole decent implementation when it was new :corsair:

SlowBloke
Aug 14, 2017

Soricidus posted:

the classic algorithm, which I don't think anything still uses, was cryptographically broken. modern zip files have to be brute forced, iirc they aren't gpu resistant or anything but a strong enough password can be secure

I think windows explorer still uses the old ZipCrypto method, not AES-256 like winzip or others.
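As an added example (not from the post, nor from Explorer, WinZip or 7-Zip), a Python check that reports which protection each archive member uses by reading the ZIP headers: general-purpose flag bit 0 marks an entry as encrypted, and compression method 99 is the marker that WinZip-style AES entries carry, so an encrypted entry without method 99 is the legacy ZipCrypto scheme. The sample archives are constructed inside the block by patching a stored entry's headers, because the standard library cannot write encrypted archives itself.

```python
import io
import struct
import zipfile

AES_MARKER_METHOD = 99   # WinZip AE-x entries advertise method 99; real method sits in extra field 0x9901
ENCRYPTED_FLAG = 0x0001  # general-purpose flag bit 0: entry is encrypted


def classify_entry(info: zipfile.ZipInfo) -> str:
    """Return 'none', 'aes' or 'zipcrypto' for one archive member."""
    if not info.flag_bits & ENCRYPTED_FLAG:
        return "none"
    if info.compress_type == AES_MARKER_METHOD:
        return "aes"
    return "zipcrypto"   # encrypted but not AES: the legacy PKWARE stream cipher


def audit_zip(data: bytes) -> dict:
    """Map every member name to its protection scheme, reading only the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: classify_entry(info) for info in zf.infolist()}


def has_weak_encryption(data: bytes) -> bool:
    """True if any member relies on ZipCrypto, the scheme the post says Explorer still produces."""
    return "zipcrypto" in audit_zip(data).values()


def make_sample(name: str, flags: int, method: int) -> bytes:
    """Constructed sample: write one stored entry, then patch the flag and method fields in
    both the local file header (offsets 6 and 8) and the central directory entry (offsets 8 and 10).
    The payload is not really encrypted; only the header metadata is under test."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, b"constructed sample payload")
    raw = bytearray(buf.getvalue())
    local = raw.index(b"PK\x03\x04")
    struct.pack_into("<HH", raw, local + 6, flags, method)
    central = raw.index(b"PK\x01\x02")
    struct.pack_into("<HH", raw, central + 8, flags, method)
    return bytes(raw)


if __name__ == "__main__":
    for label, flags, method in [("plain", 0, 0),
                                 ("zipcrypto", ENCRYPTED_FLAG, 0),
                                 ("aes", ENCRYPTED_FLAG, AES_MARKER_METHOD)]:
        print(label, audit_zip(make_sample("secrets.txt", flags, method)))
```

Run `audit_zip` over archives received from users to flag ZipCrypto before treating "password protected" as meaning "encrypted".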

SlowBloke
Aug 14, 2017

nudgenudgetilt posted:

how does keepassxc's mfa support actually secure the data though? is the yubikey being used for cryptographic operations, or is it keepassxc just "lol, yeah, you got the static yubikey and master password, take what you need"

It uses the OTP generator part of the YubiKeys; the KeePassXC docs are kinda lame, but Keepassium uses the same logic and explains how to set them up

https://keepassium.com/articles/how-to-use-yubikey/

You set up a seed on one of the two HMAC-SHA1 slots on one (better if multiple) YubiKey and it will provide the codes if the correct button is pressed.
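As an added example (not KeePassXC's or Keepassium's own code), a simplified Python model of the HMAC-SHA1 challenge-response slot described in the post: the database header stores a random challenge, the key only ever returns HMAC-SHA1(secret, challenge), and that response is mixed into the composite key, so a copied database plus the password is not enough without a key programmed with the same secret. The KDBX byte layout and key-derivation function are omitted, and every class and function name here is the example's own.

```python
import hashlib
import hmac
import os

# Simplified model (assumption, not the real file format): the unlock key is
# SHA-256(SHA-256(password) || SHA-256(slot response)). Real KDBX files then
# feed this into a slow KDF; that step is left out here.


class HmacSha1Slot:
    """Stand-in for a YubiKey HMAC-SHA1 slot holding a 20-byte programmed secret.
    The secret never leaves the device; only HMAC responses do."""

    def __init__(self, secret: bytes):
        if len(secret) != 20:
            raise ValueError("HMAC-SHA1 slot secrets are 20 bytes")
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        # The device's whole job: HMAC-SHA1(secret, challenge), same answer every time.
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def new_challenge() -> bytes:
    """Random seed kept in the clear in the database header and renewed on save."""
    return os.urandom(32)


def composite_key(password: str, challenge: bytes, slot: HmacSha1Slot) -> bytes:
    """Derive the unlock secret from the password and the slot's response to
    the challenge read out of the file header."""
    pw_hash = hashlib.sha256(password.encode("utf-8")).digest()
    resp_hash = hashlib.sha256(slot.respond(challenge)).digest()
    return hashlib.sha256(pw_hash + resp_hash).digest()


def demo() -> dict:
    """Show what a second enrolled key, a foreign key and a wrong password each yield."""
    secret = os.urandom(20)                  # programmed into key A and key B
    key_a, key_b = HmacSha1Slot(secret), HmacSha1Slot(secret)
    stranger = HmacSha1Slot(os.urandom(20))  # a YubiKey with a different secret
    challenge = new_challenge()              # what a stolen file copy reveals
    k = composite_key("hunter2", challenge, key_a)
    return {
        "second_key_works": k == composite_key("hunter2", challenge, key_b),
        "wrong_key_fails": k != composite_key("hunter2", challenge, stranger),
        "wrong_password_fails": k != composite_key("hunter3", challenge, key_a),
    }


if __name__ == "__main__":
    print(demo())
```

Keep a copy of the slot secret when programming it: it cannot be read back from the key, and a second YubiKey only unlocks the same database if it is programmed with that same secret.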
