Hobo @ Hobo @lemmy.world

Posts

0

Comments

230

Joined

2 yr. ago

I'm absolutely shocked that a company had a software whitelist before the widespread adoption of the internet. Ahead of their time in implementing, and fucking up, software whitelisting!

Yep you're right, but at least that adds another layer of complexity to their attack. A lot of security controls are at least somewhat situational, and most non-draconian companies have a process to put further mitigations around those exceptions either from increased monitoring or adding additional supplemental controls.

There's no such thing at perfect security, just better risk mitigation. Slipping in a usb hub between the computer and keyboard while someone isn't looking is a bit trickier then just plugging in a usb stick. If you disable unused usbs in the bios, instead of trying to do silly stuff like glue them shut, then the attacker has at least been temporarily thwarted if they slot it into a dead port. Aside from the high traffic areas, disabling ALL usb ports in places like datacenters and especially colocated datacenters, can thwart the attack outright as well.

Really from looking through this thread a lot of people seem to be under the misconception that security that isn't perfect is pointless. It's like claiming that locking your doors is pointless because lockpicks exists. The point isn't to keep a sophisticated attack at bay, but rather to keep script kiddies and drive-by attacks from hitting your network. To defend against sophisticated attacks you really have to go a bit crazy, and even then very small slip ups can be disastrous. Ask Microsoft about their root cert getting leaked via a core dump!

I fully acknowledge that many people also work for places with dumbass security controls. Gluing usbs is WAYYYY up there on that list in my opinion. It also looks like a lot of people work at places that have really shitty security teams that haven't quite figured out that controls are situational and require more thought then, "see checkbox, execute checkbox."

That's obvious when a mouse or keyboard doesn't work. OP, and clealy other people in here, don't really understand the actual attack vector in play. They aren't using the USB as data storage, they are using as a cellular connected RAT and/or a tool to deploy a RAT to a workstation.

I think gluing usbs is dumb in just about any environment (disable them on the BIOS is the right answer), but attackers aren't using it to drag and drop files and then physically take the usb with them. They are plugging them into a workstation, or just leaving them in the parking lot and letting other people plug them in, leveraging them to get initial access, and then essentially abandoning them.

For example see stuxnet: https://en.m.wikipedia.org/wiki/Stuxnet

Also, again, there are absolutely editors who will just wordlessly revert objective, factual edits, with clear, proper citations from accepted primary sources...

That might be the misunderstanding. Primary sources are not directly allowed on wikipedia without very careful consideration that no analysis was done. Wikipedia article are, and should be, mostly derived from secondary sources to avoid bias. The Wikipedia page does a pretty good job of describing the guideline:

https://en.m.wikipedia.org/wiki/Wikipedia:No_original_research

I made one comment to you clarifying the other person's point because you clearly didn't understand what they were saying. Personally seen a couple of small companies fold because they were ransomed from a password on a post it. But you do you.

The guideline is abundantly clear too with little room for interpretation:

5.1.1.1 Memorized Secret Authenticators

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

https://pages.nist.gov/800-63-3/sp800-63b.html

Nope. The premise is they pwn ANOTHER, less secure, personal device and use the camera from the DIFFERENT device to pwn your work computer. For example, by silently installing Pegasus on some cocky "security is dumb lol" employee's 5 year out-of-date iphone via text message while they're sleeping, and use the camera from that phone to recon the password.

They probably wouldn't want the $3.50 that person has in their bank account, but ransoming corporate data pays bank, and wire transfering from a corporate account pays even better! If you're in a highly privileged position, or have access to execute financial transactions at a larger company, pwning a personal device isn't outside of the threat model.

Most likely that threat model doesn't apply to you, but perhaps at least put it under the keyboard out of plain sight?

Misunderstood STIG from the sound of it. The STIG is only applicable to unprivileged users but tends to get applied to all workstations regardless of user privileges. Also I think the .mil STIG GPOs apply it to all workstations regardless of privileges.

The other thing that tends to get overlooked is that AC-12 let's you set it to whatever the heck you want. Ao you could theoretically set it to 99999 year by policy if you wanted.

https://www.stigviewer.com/stig/application_security_and_development/2017-01-09/finding/V-69243

Dude looks like he passed out way too early at a frat party hosted by the Klan.

Fair enough! I should've said, and have corrected it to, reactionaries.

Also I didn't really mean it in as US centric way hence saying conservatives rather than Republicans. More of the philosophy of conservativism instead of the political oriented conservatives. You know, trying to maintain old institutions at all costs, automatically assuming new institutions are not as good, only finding faults in new methods/institutions while ignoring the faults with the old, etc.

Reddit, youtube, and tiktok are quickly becoming the new, "video games cause violence" cry from reactionaries. Hell you see people here claiming tiktok is going to make all the kids have 2 second attention spans. It's all just scapegoats for other systematic failures in culture, education, and social saftey nets, but those are hard to fix. Easier to just blame the platform and not make any real changes.

Dang I misread it as I turned 40 in March. Guess I am the sucker!

Sucker! I have a whole 6 months to figure it all out before I turn 40. I'm a terrible procrastinator so I'll probably just wait until the night before to start really working on it though.

That's just their fake accent so they won't reveal their secret identity.

In splunk this is a pretty straightforward query and can be piped to stats count and sorted. I don't know if you'd exactly count that as gui though.

Poor Keanu Reaves gave up his childhood memories in Johnny Mnemonic to store something like 100GB of data in his brain. I don't remember the Star Trek storage callout cause they were generally pretty good about just fabricating their own units for stuff (future sci-fi writers should take note, it's always easier to make up units then deal with pedantic people on the internet).

So in the US when we want to make something illegal, and that thing happens to be a constitutional right, we levy a tax against it. Then we only issue tax stamps to very select few people, or simply refuse to issue them at all. NFA 1934 is one of those weird tax scheme that makes you obtain a $200 tax stamp to have certain types of weapons. They are heavily controlled and non-transferable without going through a similar process.

Here's more info about it if you care to look into it: https://en.m.wikipedia.org/wiki/National_Firearms_Act

We also did this with Marijuana during that same time: https://en.m.wikipedia.org/wiki/Marihuana_Tax_Act_of_1937

First line of Bilbo Baggins's birthday speech.

He was also Jewish. Which makes his antisemitism even more strange.