cybersecurity

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

Hi all,

Need to pick your brains for a bit regarding best practices for handling of account recovery issues while traveling.

Premise would be that my phone gets lost or stolen, and I may not have easy access to my laptop either, and being in a foreign country I couldn't easily get a copy of the original SIM to restore via OTP.

Consequently, I also don't really love the idea of using some password manager with a master password and no F2A.

Under those circumstances, what would you consider the best way forward to ensure accessibility without crippling myself in the process?

The only thing I can come up with is a random subdomain on one of my domains, with random username and random password, where I store an encrypted container containing txt-files. Maybe even further obscured with a random cypher (all numbers / letters shifted x positions to the right or something).

But there's gotta be other use-cases out there, so I was wondering what you are using?

Ideally something that doesn't involve another person.

Thanks!

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

Does your choice of configuration management tool (Ansible, SALT, Puppet, Chef, etc) control tier 0 assets? (Authentication/directory servers, network equipment, etc)

Do you consider your CM tool tier 0?

If so, do you only allow access to it via privileged access workstations?

Would you use GIT for the code repository?

What about if the GIT repo was local and also controlled as a tier 0?

What does your CM setup look like?

cross-posted from: https://infosec.pub/post/6670956

I'm curious what tools, SaaS, or other solutions are being used for vulnerability assessments?

DOD calls it ACAS, which is just an acronym for required assessment program of record they currently fullfil with Nessus scanner and related vender solutions.

Anyone have Nessus experience that can compare to another vendor? Good, bad, etc?

cross-posted from: https://infosec.pub/post/6671372

I'm not a vendor, I'm just curious what experience people have with implementing security control frameworks?

DOD uses DISA STIGs. Else uses CIS benchmarks, or self developed based of NIST CSF?

To what degree is your organization using any of these?

Are they enforced? Monitored?

Using any vendor solutions that don't suck?

Does anyone care except you (hopefully 😉)

Let's talk about root certificate management and the EU proposed QWACs.

Steve Gibson of the security now podcast weighed in with opposition to the EUs proposed QWACs certs and cited a few other prominent figures also expressing opposition.

Paragraphing their concerns, they proposed that mandating a bunch of new CAs introduced more risk and greater opportunity for abuse or compromise. Steve favors less CAs also being in favor pruning out most, but 6 or 7.

At the moment, I don't care for browsers having their own certificate stores, as I would rather use the OS which I would use group policy for windows or use an automation tool for Linux.

I am also in favor of pruning out certs, though I've never tested that in an enterprise.

Does your organization allow non OS certificate stores?

Does your organization prune out default root certs?

How do you feel about the proposed QWACs?

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

Hey all, got a quick question!

I want to receive, parse and store syslogs from various devices on my home network on my windows box. I know, I know, its a bit backwards but I'd like to proceed with this sort of setup if possible (not against discussion, of course).

I've looked and looked for options but it seems like everything has been bare bones and basically just receives, or is locked behind premium. Surely there's some sort of solution out there, no? I'd be willing to implement something in Python if I need to but I'm considerably more hesitant when compared to using an open source soln.

Thanks for your time, looking forward to discussing/learning more!

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

Weekly thread for highlighting and discussing the past week’s notable threats, vulnerabilities, breaches and more!

Feel free to comment on what I’ve collected or share things you have found useful or interesting!

• Sophisticated “Triangulation” attack targets iPhones (Kaspersky)

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

FYI: Postfix has currently an unpatched vulnerability which allows sending of spoofed mail: https://www.postfix.org/smtp-smuggling.html

A fix is currently not available but to have peaceful holidays one should have these lines in the configuration as a workaround:

main.cf:
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_discard_ehlo_keywords = chunking

The Internet and email is old at this point.

It can be reasonably argued that email links are a significant threat vector right now.

So far, we just keep trying to sandbox links or scan attachments, but it's still not stopping the threat.

My questions for comment:

• Would removing anonymity from email reduce or remove this threat? If business blocked all uncertified email senders, would this threat be gone?
• Why can't we do PKI well after a few decades?
• Does anyone believe PKI could apply to individuals? In the context of identity for email, accounts, etc?

I see services like id.me and others and wonder why we can't get digital identity right and if we could, would it eliminate some of the major threats?

Image credit: https://www.office1.com/blog/topic/email

Edit, post not related to the site or any service, just image credit.

Weekly thread for highlighting and discussing the past week’s notable threats, vulnerabilities, breaches and more!

Feel free to comment on what I’ve collected or share things you have found useful or interesting!

• MongoDB Data Breach
• Google OAuth is broken
• Terrapin Attack exposes weakness in SSH

** Late post sorry!! ** - Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.