cybersecurity

A request for any security engineers who are Lead/Staff/L6 level or above (e.g. Senior Staff, Principal, Sr. Principal, Architect, etc...). What advice would you give to senior engineers (and below) on things they should learn or prioritize for "leveling up" technically?

I understand a lot of what goes into promotions is not necessarily technical, i.e. politics, visibility, being on high-impact projects, etc... but strictly on the more technical plane, what skills, tools, trainings, frameworks, etc... would you recommend?

Thanks!!

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

It’s quite the list

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

FWIW, this isn't to do with me personally at all, I'm not looking to do anything dodgy here, but this came up as a theoretical question about remote work and geographical security, and I realised I didn't know enough about this (as an infosec noob)

Presuming:

• an employer provides the employee with their laptop
• with security software installed that enables snooping and wiping etc and,
• said employer does not want their employee to work remotely from within some undesirable geographical locations

How hard would it be for the employee to fool their employer and work from an undesirable location?

I personally figured that it's rather plausible. Use a personal VPN configured on a personal router and then manually switch off wifi, bluetooth and automatic time zone detection. I'd presume latency analysis could be used to some extent?? But also figure two VPNs, where the second one is that provided by/for the employer, would disrupt that enough depending on the geographies involved?

What else could be done on the laptop itself? Surreptitiously turn on wiki and scan? Can there be secret GPSs? Genuinely curious!

After reading this thread I had the question on whether it is possible to verify you have certain information without revealing who you are to others.

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

I plugged into ethernet (as wifi w/captive portal does not work for me). I think clearnet worked but I have no interest in that. Egress Tor traffic was blocked and so was VPN. I’m not interested in editing all my scripts and configs to use clearnet, so the library’s internet is useless to me (unless I bother to try a tor bridge).

I was packing my laptop and a librarian spotted me unplugging my ethernet cable and approached me with big wide open eyes and pannicked angry voice (as if to be addressing a child that did something naughty), and said “you can’t do that!”

I have a lot of reasons for favoring ethernet, like not carrying a mobile phone that can facilitate the SMS verify that the library’s captive portal imposes, not to mention I’m not eager to share my mobile number willy nilly. The reason I actually gave her was that that I run a free software based system and the wifi drivers or firmware are proprietary so my wifi card doesn’t work¹. She was also worried that I was stealing an ethernet cable and I had to explain that I carry an ethernet cable with me, which she struggled to believe for a moment. When I said it didn’t work, she was like “good, I’m not surprised”, or something like that.

¹ In reality, I have whatever proprietary garbage my wifi NIC needs, but have a principled objection to a service financed by public money forcing people to install and execute proprietary non-free software on their own hardware. But there’s little hope for getting through to a librarian in the situation at hand, whereby I might as well have been caught disassembling their PCs.

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

This is a network defense design scheme question.

In a scenario where your organization is designing multi-layered firewall deployment and management, how granular  do you create rules at each of these three layers?

Example site is a main/HQ site that also houses your data center (basic 3 tier model).

1. Site has your main internet gateway and VPN termination point. As am example, it's a Cisco or other ZBF. It has four zones: (1) Internet, (2) VPNs from other sites/clients, (3) your corporate LAN including data center, (4) Guest/untrusted/Iot.

2. Between your gateway and the rest of your corporate network/datacenter, you have transparent proxy firewall/IPS/monitor. It's bridging traffic between gateway and data center.

3. Within data center, hosts have software host based firewalls, all centrally managed by management product.

Questions:

• How granular do you make ZBF policies at gateway? Limit it to broad zones, subnets, etc? Get granular by source/destination? Further granular by source/destination/port?

• How granular do you make rules for transparent proxies between segments? Src/dst? Src/dst/port?

• How granular do you make rules for host based firewalls? Src/dst? Src/dst/port? Src/dst/port/application/executable?

• How have organizations you've worked for implemented these strategies?

• Were they manageable vs effective?

• Did the organization detect/prevent lateral movement if any unauthorized access happened?

• What would you change about your organization's firewall related designs?

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

It seems there are two options when it comes to passwords: 1) SSO 2) DIY with a password manager and 2FA ideally with a security key.

SSO is too pricey ($1500 base @ Okta) at the moment and SAAS prices are ever increasing so that leaves us with option 2. Using an authenticator app means using personal phones, which is tricky, and if someone were to lose their phone the replacement cost would be high. So a security key seems better in that regard despite their upfront cost. Plus security keys like yubikey offer the ability to store TOTPs, which is necessary since not all the apps we use provide security keys as a 2FA option.

Did I arrive at the right conclusion on 2FA with security keys or did I miss something?

The other consideration is deployment. Without interrupting workflow, I figured the best way would be to set up all the keys (backup key as well for each employee) on a Friday after work and then 2-day ship them to our remote staff so they're ready for use when they return to work on Monday. It's possible we could also do it while they're on a week-long vacation to save on shipping costs.

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

The red padlock (at a cafe)

The captive portal of a cafe simply rendered a red padlock on with a line through it. Essentially, it was apparently telling me I am being denied access arbitrarily without using any words. There was no other screen before that. Immediately after wifi handshaking Android’s built-in captive portal detection app just went straight to a padlock. I have never been in that cafe in my life and never use my device maliciously.

Showed the screen to the staff who said “works for me on my phone”, who then noticed the airplane on my status bar and said “oh, you got the little airplane, that’s the problem”. Shit; so then I had to explain that wi-fi works in airplane mode. It was just a distraction for them. I couldn’t really convince them that the problem isn’t anything I’m doing wrong. There is no tech support for this situation -- like pretty much all captive portal scenarios. Being the customer of the customer is a very weak position to be in when the direct customer doesn’t really give a shit if it works or not.

So, has anyone seen this kind of behavior? I run into shitty broken captive portals often enough that I guess I really need to get a better understanding of them, and ways to bypass them.

TLS-encumbered captive portal (transit service)

A transit service offered wi-fi but the network forcibly redirected me to a captive portal that triggers this error:

net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH

I tried a couple browsers and tried rewriting the https:// scheme as http:// but SSL redirect was forced consistently. The error apparently implies my phone’s browser can’t do TLS 1.3.

It seems like a shitty move for a transit service to require passengers to use TLS 1.3 just to tick a fucking box that says “I agree” (to the terms no one reads anyway). Couple questions:

• I’m generally in the /protect everything by default/ school of thought. But I cannot get my head around why a captive portal where people just tap “I agree” would warrant disclosure protection that could hinder availability. In reality, I don’t really know what the captive portal at hand requests.. maybe it demands people’s phone# or email, in which case it might make sense (though I would object to them collecting that info in a GDPR region in the 1st place).

• Is there a good reason for a captive portal to require TLS 1.3? It seems either the network provider does not trust their own network, or they’re simply incompetent (assumes everyone runs the latest phones). But if I’m missing something I would like to understand it.

I still have to investigate what limitation my browser has and whether I can update this whilst being trapped on an unrooted Android 5.

Bypass methods

I guess I need to study:

• ICMP tunnel (slow, but IIUC it’s the least commonly blocked)
• SSH tunnel
• others?

Are there any decent FOSS tools that implement the client side of tunnels without needing root? I have openvpn but have not tested to see if that can circumvent captive portals. I’ve only found:

• MultiVNC - VNC over SSH
• AVNC - VNC over SSH
• ConnectBot - Can all traffic be routed over this SSH tunnel, or just a shell session?
• VX ConnectBot - same as connectBot but expanded

I’m curious if the VNC clients would work but at the same time I’m not keen to bring in the complexity of then having to find a VNC server. Running my own server at home is not an option.

My to-do list of things to tinker with so far:

• Captive Portal Controller
• ~~CaptivePortalLogin~~ (AOS 6+, and no Izzy archives on this)
• Hotspot Login

Legal options

If a supplier advertises Wi-Fi but then they render it dysfunctional by imposing arbitrary tech requirements after consumers have already bought the product/service it was included with (coffee, train/bus/plane fare, etc), then they neglect to support it, doesn’t that constitute false advertising? Guess this is out of scope for the community but I might be ½ tempted to file false advertising claims with consumer protection agencies in some cases.

And when a captive portal demands email or phone number, it would seem to be a GDPR violation. Some public libraries make wi-fi access conditional on sharing a mobile phone number which then entails an SMS verification loop.

update (phones bought last year already obsolete)

TLS 1.3 was not introduced until Android OS 10 (sept.2019). That was the release date of AOS 10. Older devices like AOS 9 would still be sold at that time and continuing at least into 2023. Shops do not pull their stock from the shelves when the end of support arrives. This means people buying new COTS Android devices just last year or even this year are already too out of date for the TLS 1.3 captive portal to function.

It’s seriously disgusting how many people expect consumers to upgrade this chronically fast.

What sources of technical controls does your organization use?

Do you base device/operating system configurations on:

• CIS workbench?
• NIST/STIG?
• Microsoft best practice?
• Google searches and 'that looks good'?

How closely rigorously does your organization enforce change management for policies or settings?

• Can you change GPOs/Linux/Network device settings as needed?
• During maintenance window?
• After a group meeting with code/change review and some sort of approval authority?

Does anyone fully implement workstation and server logon restrictions, and priviledged access workstations (PAW) as prescribed by NIST/STIG/CIS?

The URL is Microsoft's long description of the same concepts.

Specifically from the above, there's a few things like:

• Establishing asset/systems tiers (domain controllers or entire org compromise tier 0, moving towards less consequence in the event of system compromise)
• Accounts with the Active Directory Domain Admins or equivalent are supposed to be blocked from logging into lower tier assets
• Workstations that have access to log into these super sensitive assets like Domain controllers for management are considered PAWs, and are blocked from internet access, highly locked down, might have extra hoops or management plane assets are air gapped?

Question:

Does anyone actually do any of this at their organization?

If so, to what degree?

People hated red forest because it was a whole other set of infrastructure to baby sit.

People hate air gapped systems because no remote access or work from home.

The above doesn't work well with cloud, and as a result Microsoft (just as an example) pushed for the new hybrid PIM models replacing their old red forest concept.

I'm just curious.

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

This is not an ad.

Does anyone have experience with Tenable products?

I'm interested in real world experience regarding:

• cost
• effectiveness
• ease of use

I'm playing with Tenable Security Center and Nessus Scanner. I'm early in the deployment, just looking for pointers and whether anyone has used it?

What alternatives is your org using if not?

Can you compare?

Edit, if anyone is interested, I can post results and opinions here also.