
Thread: Antivirus is shit, everything is compromised, etc etc (Cybersecurity thread)

  1. #681

    Join Date
    April 18, 2011
    Posts
    2,816
    Quote Originally Posted by Lana Torrin View Post
    I mean fuck, who puts a proprietary printer interface on multi-million dollar equipment and then stops supporting it completely 5 years later.
    That would be every manufacturer of high precision industrial grade hardware. Although it would be ten years, not five.

    Instead they'll happily refer you to "totally not the same owner" company X that will make custom PCBs for you at exorbitant prices with a 4-6 week delivery date.

  2. #682

    Join Date
    November 5, 2011
    Posts
    11,455
    Quote Originally Posted by erichkknaar View Post
    I simply can't believe any story that involves a vendor not being able to reset a password for 2 weeks.

    That entity wouldn't be a vendor for long.
    It's almost more believable than half the shit you say to wank up your internet status.

  3. #683
    Nordstern's Avatar
    Join Date
    April 10, 2011
    Posts
    9,470
    Quote Originally Posted by Spartan Dax View Post
    Quote Originally Posted by Lana Torrin View Post
    I mean fuck, who puts a proprietary printer interface on multi-million dollar equipment and then stops supporting it completely 5 years later.
    That would be every manufacturer of high precision industrial grade hardware. Although it would be ten years, not five.

    Instead they'll happily refer you to "totally not the same owner" company X that will make custom PCBs for you at exorbitant prices with a 4-6 week delivery date.
    In our case, our tools are 15-20 years old, so it shouldn't be a surprise having difficulty sourcing parts. But a major problem is that this vendor serves a niche role in an industry, and has bought out virtually all competition over the past 30 years.

    I guess the point I was trying to make with my last post is that when you acquire a highly specialized product/service, your vendor corners the market, and said vendor has an airtight contract, you shouldn't expect stellar service.
    "Holy shit, I ask you to stop being autistic and you debate what autistic is." - spasm
    Quote Originally Posted by Larkonis Trassler View Post
    WTF I hate white people now...

  4. #684
    Glyken Touchon's Avatar
    Join Date
    June 25, 2011
    Location
    UK
    Posts
    637
    Quote Originally Posted by erichkknaar View Post
    I simply can't believe any story that involves a vendor not being able to reset a password for 2 weeks.

    That entity wouldn't be a vendor for long.
    Most likely it's "you're paying for our bronze support package, which has a 2 week SLA. Would you like to upgrade for $$,$$$ per year?"

  5. #685
    Lana Torrin's Avatar
    Join Date
    April 13, 2011
    Location
    Bonding around
    Posts
    19,006
    Quote Originally Posted by Nordstern View Post
    vendor has an airtight contract, you shouldn't expect stellar service.
    I'll just chop the other bits off.. I'm actually trying to think hard of a vendor where I have had good service. "Good" in this case being better than my jaded old self expects.. I can only think of Nutanix (pre Dell) tbh, and they charge about 40% more than their closest competitor.

    I have had OK service from IBM, HP and Dell. I know a guy at VMware so I never actually contact their support. Most software vendors are terrible and their first line of defense is to blame the hardware and piss you about for 2 to 3 weeks. I have actually had Microsoft blame another Microsoft department in the past (and somehow they thought that would make me happy?).
    Quote Originally Posted by lubica
    And her name was Limul Azgoden, a lowly peasant girl.

  6. #686
    Mashie Saldana's Avatar
    Join Date
    April 10, 2011
    Location
    Peterborough, UK
    Posts
    976
    Quote Originally Posted by Shaftoes View Post
    Does anyone here read tales from tech support on reddit?

    https://www.reddit.com/r/talesfromte...admin_when_my/

    This guy's story about finding a vulnerability in a piece of financial software is incredible. He goes into the technical details about exactly how he found the vulnerability and it is extremely interesting.
    Thanks for the link, it didn't disappoint.

  7. #687
    thebomby's Avatar
    Join Date
    April 9, 2011
    Location
    Switzerland
    Posts
    7,156
    Quote Originally Posted by elmicker View Post
    A story in which he:
    - Calls himself a black hat
    - Strums himself silly about using linux and being able to use wireshark
    - Goes to extreme and incredibly insecure lengths to avoid his organisation's internal security policies
    - Gleefully details having no disaster recovery procedures
    - Runs a business critical system dependent on a single user's single password with no 2fa or break-glass procedures
    - Runs same business critical system wide open to MITM attacks
    - Probably breaks the law by crafting an MITM attack to break into said system
    - Runs a business critical system that apparently passes passwords around in the clear, rather than hashing them
    - Runs a system where the vendor has, as part of normal business practice, more privileged access than the customer
    - Hasn't updated said business critical system in three years

    Don't be like this guy. This guy is a fucking amateur.
    He's not the only one. The entire company, the "vendor", the government agencies, the banks and in fact everyone except the union lawyers, all seem incredibly naive and stupid.
    Be humble, be meek, do not care for what is perishable,
    To the power given by God, son, be forever faithful...
    I love Russia, I am a patriot

  8. #688
    XenosisMk4's Avatar
    Join Date
    July 13, 2017
    Location
    More turbo-lightspeed neoliberal platitudes/virtue signaling/misplaced priorities on full display.
    Posts
    5,092
    Quote Originally Posted by thebomby View Post
    Quote Originally Posted by elmicker View Post
    A story in which he:
    - Calls himself a black hat
    - Strums himself silly about using linux and being able to use wireshark
    - Goes to extreme and incredibly insecure lengths to avoid his organisation's internal security policies
    - Gleefully details having no disaster recovery procedures
    - Runs a business critical system dependent on a single user's single password with no 2fa or break-glass procedures
    - Runs same business critical system wide open to MITM attacks
    - Probably breaks the law by crafting an MITM attack to break into said system
    - Runs a business critical system that apparently passes passwords around in the clear, rather than hashing them
    - Runs a system where the vendor has, as part of normal business practice, more privileged access than the customer
    - Hasn't updated said business critical system in three years

    Don't be like this guy. This guy is a fucking amateur.
    He's not the only one. The entire company, the "vendor", the government agencies, the banks and in fact everyone except the union lawyers, all seem incredibly naive and stupid.
    NBS?

    you get what you pay for, and techwise, people who know what they're doing don't work in underpaid dead-end jobs.

    edit: I get strong "this is the job I have so I'll just stick with it despite everything being on fire" vibes

    I'm aware of the things I don't know and the things I can't do, and I'm confident enough in my position to say "yo i have no fucking clue what this is, can we get a 2nd opinion" but a lot of people don't have that confidence and will wing it, and then end up assuming more and more responsibilities whilst also having no clue what they're doing

    doubleedit, the vendor having access to their product over your own internal security is actually a thing that I've encountered personally, it's wank and generally we just say "fuck off till we're ready to do the thing" but certain licenses do have that clause

    tl;dr it sounds like a bog standard "we never planned for X" business whose entire system relies on X not being on fire, caught fire
    Last edited by XenosisMk4; October 31 2018 at 12:43:04 AM.

  9. #689
    Donor erichkknaar's Avatar
    Join Date
    April 10, 2011
    Posts
    11,256
    Quote Originally Posted by XenosisMk4 View Post
    Quote Originally Posted by thebomby View Post
    Quote Originally Posted by elmicker View Post
    A story in which he:
    - Calls himself a black hat
    - Strums himself silly about using linux and being able to use wireshark
    - Goes to extreme and incredibly insecure lengths to avoid his organisation's internal security policies
    - Gleefully details having no disaster recovery procedures
    - Runs a business critical system dependent on a single user's single password with no 2fa or break-glass procedures
    - Runs same business critical system wide open to MITM attacks
    - Probably breaks the law by crafting an MITM attack to break into said system
    - Runs a business critical system that apparently passes passwords around in the clear, rather than hashing them
    - Runs a system where the vendor has, as part of normal business practice, more privileged access than the customer
    - Hasn't updated said business critical system in three years

    Don't be like this guy. This guy is a fucking amateur.
    He's not the only one. The entire company, the "vendor", the government agencies, the banks and in fact everyone except the union lawyers, all seem incredibly naive and stupid.
    NBS?

    you get what you pay for, and techwise, people who know what they're doing don't work in underpaid dead-end jobs.

    edit: I get strong "this is the job I have so I'll just stick with it despite everything being on fire" vibes

    I'm aware of the things I don't know and the things I can't do, and I'm confident enough in my position to say "yo i have no fucking clue what this is, can we get a 2nd opinion" but a lot of people don't have that confidence and will wing it, and then end up assuming more and more responsibilities whilst also having no clue what they're doing

    doubleedit, the vendor having access to their product over your own internal security is actually a thing that I've encountered personally, it's wank and generally we just say "fuck off till we're ready to do the thing" but certain licenses do have that clause

    tl;dr it sounds like a bog standard "we never planned for X" business whose entire system relies on X not being on fire, caught fire
    If they were dumb enough to buy a system that takes two weeks to get support from a vendor to log into a "business critical system" they probably don't deserve to survive as a business.
    meh

  10. #690
    Nordstern's Avatar
    Join Date
    April 10, 2011
    Posts
    9,470
    Quote Originally Posted by erichkknaar View Post
    If they were dumb enough to buy a system that takes two weeks to get support from a vendor to log into a "business critical system" they probably don't deserve to survive as a business.
    Why do you hate capitalism? /s
    "Holy shit, I ask you to stop being autistic and you debate what autistic is." - spasm
    Quote Originally Posted by Larkonis Trassler View Post
    WTF I hate white people now...

  11. #691
    Cosmin's Avatar
    Join Date
    March 14, 2012
    Location
    UK
    Posts
    6,076
    Quote Originally Posted by Shaftoes View Post
    Does anyone here read tales from tech support on reddit?

    https://www.reddit.com/r/talesfromte...admin_when_my/

    This guy's story about finding a vulnerability in a piece of financial software is incredible. He goes into the technical details about exactly how he found the vulnerability and it is extremely interesting.
    After going through all the details and parts, even with my limited understanding of the tech stuff in there, the whole story is just
    Guns make the news, science doesn't.

  12. #692
    Keckers's Avatar
    Join Date
    July 31, 2012
    Posts
    17,031
    Quote Originally Posted by erichkknaar View Post
    If they were dumb enough to buy a system that takes two weeks to get support from a vendor to log into a "business critical system" they probably don't deserve to survive as a business.
    The market doesn't always provide alternatives
    Quote Originally Posted by Paul Mason
    It is absurd that we are capable of witnessing a 40,000 year old system of gender oppression begin to dissolve before our eyes yet still see the abolition of a 200 year old economic system as an unrealistic utopia.

  13. #693

    Join Date
    May 31, 2011
    Posts
    4,155
    Quote Originally Posted by Keckers View Post
    Quote Originally Posted by erichkknaar View Post
    If they were dumb enough to buy a system that takes two weeks to get support from a vendor to log into a "business critical system" they probably don't deserve to survive as a business.
    The market doesn't always provide alternatives

    This and also "Vendor vastly exaggerates actual capabilities / service / support".

  14. #694
    thebomby's Avatar
    Join Date
    April 9, 2011
    Location
    Switzerland
    Posts
    7,156
    Quote Originally Posted by Keckers View Post
    Quote Originally Posted by erichkknaar View Post
    If they were dumb enough to buy a system that takes two weeks to get support from a vendor to log into a "business critical system" they probably don't deserve to survive as a business.
    The market doesn't always provide alternatives
    This. Smaller European countries often have just one major financial software provider. Here in Switzerland, it's a thing called Abacus. Which is shit and probably just as bad as the Finnish one, but installations are required to only allow access through VPN when used externally. Direct bank access is only allowed via bank specific APIs which are vetted by banks, so possibly, but not surely a wee bit safer.

    I should also revise my comment above slightly. The guy didn't break any company rules, as Elmicker states. He got written permission to do what he did. He was still very naive, and I seriously ask how his company was supposed to be a security company, but clueless idiots doing shit is par for the course in all walks of life.
    Be humble, be meek, do not care for what is perishable,
    To the power given by God, son, be forever faithful...
    I love Russia, I am a patriot

  15. #695
    Donor erichkknaar's Avatar
    Join Date
    April 10, 2011
    Posts
    11,256
    Quote Originally Posted by thebomby View Post
    Quote Originally Posted by Keckers View Post
    Quote Originally Posted by erichkknaar View Post
    If they were dumb enough to buy a system that takes two weeks to get support from a vendor to log into a "business critical system" they probably don't deserve to survive as a business.
    The market doesn't always provide alternatives
    This. Smaller European countries often have just one major financial software provider. Here in Switzerland, it's a thing called Abacus. Which is shit and probably just as bad as the Finnish one, but installations are required to only allow access through VPN when used externally. Direct bank access is only allowed via bank specific APIs which are vetted by banks, so possibly, but not surely a wee bit safer.

    I should also revise my comment above slightly. The guy didn't break any company rules, as Elmicker states. He got written permission to do what he did. He was still very naive, and I seriously ask how his company was supposed to be a security company, but clueless idiots doing shit is par for the course in all walks of life.
    These all sound like market opportunities for someone, tbh. that way of doing software is about 30 years out of date.

    (I'm being completely facetious, btw. I'm well aware of how shit the state of some of this is)
    meh

  16. #696
    Cosmin's Avatar
    Join Date
    March 14, 2012
    Location
    UK
    Posts
    6,076
    Quote Originally Posted by erichkknaar View Post
    Quote Originally Posted by thebomby View Post
    Quote Originally Posted by Keckers View Post
    Quote Originally Posted by erichkknaar View Post
    If they were dumb enough to buy a system that takes two weeks to get support from a vendor to log into a "business critical system" they probably don't deserve to survive as a business.
    The market doesn't always provide alternatives
    This. Smaller European countries often have just one major financial software provider. Here in Switzerland, it's a thing called Abacus. Which is shit and probably just as bad as the Finnish one, but installations are required to only allow access through VPN when used externally. Direct bank access is only allowed via bank specific APIs which are vetted by banks, so possibly, but not surely a wee bit safer.

    I should also revise my comment above slightly. The guy didn't break any company rules, as Elmicker states. He got written permission to do what he did. He was still very naive, and I seriously ask how his company was supposed to be a security company, but clueless idiots doing shit is par for the course in all walks of life.
    These all sound like market opportunities for someone, tbh. that way of doing software is about 30 years out of date.

    (I'm being completely facetious, btw. I'm well aware of how shit the state of some of this is)
    I'm p. sure penetrating those markets as a small firm (read: smaller than a medium sized corporation) is p easy, no?
    Guns make the news, science doesn't.

  17. #697

    Join Date
    May 30, 2011
    Location
    asleep
    Posts
    6,353

    Cool we got p0wned

    This all started 2 weeks ago - I got to work to find my inbox clogged with shitty spam emails from a particular user. We immediately nuked his account, then got another load from user #2, then more, and more started coming through; phones were ringing off the hook and all that jazz. It became pretty obvious that something was going badly wrong in front of our eyes.

    Looking at the spam emails, they were a relatively unsophisticated phishing attack with an algorithmically generated URL, a copy of our company logo and a username and password box. Clever users saw it, didn't know or think to check whether it was legit or not, and stuck in their username and password like the good little users they are. Fucking eejits. It appeared these credentials were then stored in some backend system which was periodically harvested, then some script was run against O365/EWS to log in to the user's mailbox and work through their inbox, replying to every single message with another spam email, with random content and URLs. We could catch up with individual users but it became rapidly apparent that we were facing a losing battle, as people had been owned some time ago and only now were their credentials being used. The method of propagation made it particularly obnoxious as users would see an email from a staff member with a sensible subject they were recently discussing, and not immediately see the warning signs. The content was obviously bollocks to us trained IT ninjas but not everyone is as smart as us.

    It's worth noting, Microsoft / O365 support were no help at all. They have no kind of security / incident response group interested in end users or the enterprise; all I got after putting a few tickets in for help were dumb-as-fuck 1st line people copy/pasting me the same articles I was reading.

    First up, we forced the entire organisation to reset their passwords. It's only ~2000 staff so no big deal there, right? That caused absolute mayhem but stemmed the flow for a while as all the already pwn'd user accounts were no longer usable. We were not under any illusions that this was a full fix, but it did give us room to breathe.

    Back to the MS O365 cleanup tools in their natty and recently renamed Security and Compliance centre, which simply refused to work for us. You can't do a lot of really basic shit that used to work fine on premise, and this new centre is a piece of crap and very ungranular. It'd either give us 0 search results or 16 million, so we had to go back to remediation, and playing whack-a-mole with users.

    A policy was quickly formed and passed out that staff should forward the emails, all of which looked superficially the same, to a central account, and we went around disabling user accounts and leaving them locked for 24 hours. Our head of HR and numerous other users were not happy, but then again they shouldn't have been phished, should they? In the background, increasingly irate emails were sent out to staff trying to stop them being stupid, and they did go through. Lots more people reported suspicious emails, and fewer people got 0wned over time. Sadly, after half term it seemed everyone's brains seized up and on Monday/Tuesday we had another massive barrage of fuckwittery.

    Cue more mass account disablings, and another stab at the MS Search centre. This week it worked, and with some juggling I ripped out about 65k emails matching my rough criteria. There are probably some accidents in there, but tough. We were way beyond sense-of-humour territory. Finally, with working search-and-destroy filters and after a week of scrabbling around trying to manage this along with my other workloads, I felt like we were on top of things. Users were still causing us problems, but it was down to 2 or 3 a day, not 20. Finally I put some draconian message filters in place which won't scale particularly well, but will catch, kill, report and reject any messages which match common spam email content strings.

    It's been quite an interesting ride as it caught us with our pants down. Some of the tools do exist out there to deal with these things, but pulling all the pieces together into a coherent, documented whole has taken far longer than it should have done. This is probably the first serious attack I've personally had to deal with though, so a bit of learning was to be expected. The 'victims'' reactions were also interesting; most admitted they had made a mistake and accepted the actions necessary, though the odd one here and there would flat out deny ever opening a spam email, let alone entering their username and password into some random box on the internet.

    There are a number of things I've taken away now the dust has settled:
    - Everything internally has to be SSL'd, have its host names fixed and get logins tidied up, then users trained to look for dodgy unsecured URLs.
    - MS's default tools are shit, as are their default spam protections in O365.
    - Incident response is painful, messy and will probably be worse next time.
    - I hate people, especially ones who flat out deny clicking spam links.
    Last edited by Itiken; November 1 2018 at 01:37:03 PM.
    Please don't teach me what to do with my pc.
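    The two controls this post ends up with (spotting a mailbox that is replying to every thread with a lure link, and a content-string filter that catches, reports and rejects matching messages) as detection logic over a message trace. This is an added example, not code from the post or from any O365 tooling; the pipe-delimited trace format, the example.org / files-share.example names and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample message-trace lines: ts|sender|recipient|subject|first URL in body.
# Invented for this example; a real O365 message trace carries more fields than this.
SAMPLE_TRACE = """\
2018-10-29T08:01:10Z|alice@example.org|bob@example.org|RE: Q3 budget review|https://files-share.example/doc?id=a1
2018-10-29T08:01:12Z|alice@example.org|carol@example.org|RE: Team lunch Friday|https://files-share.example/doc?id=b7
2018-10-29T08:01:15Z|alice@example.org|dave@example.org|RE: Printer on floor 2|https://files-share.example/doc?id=c3
2018-10-29T08:01:19Z|alice@example.org|erin@example.org|RE: Invoice 4471|https://files-share.example/doc?id=d9
2018-10-29T08:01:22Z|alice@example.org|frank@example.org|RE: Minutes|https://files-share.example/doc?id=e2
2018-10-29T09:30:00Z|bob@example.org|alice@example.org|RE: Q3 budget review|
2018-10-29T11:45:00Z|carol@example.org|team@example.org|Weekly report|https://intranet.example.org/reports
2018-10-29T13:00:00Z|dave@example.org|carol@example.org|RE: Printer on floor 2|https://intranet.example.org/helpdesk
"""

INTERNAL_DOMAIN = "example.org"          # constructed: the organisation's own mail domain
REPLY_RE = re.compile(r"^\s*(re|fw|fwd)\s*:", re.IGNORECASE)
# Constructed "common content strings" of the kind the post's draconian filter keys on;
# here the lure's shared-document URL shape.
CONTENT_STRINGS = [re.compile(r"doc\?id=", re.IGNORECASE)]


def parse_trace(text):
    """Parse the constructed trace format into dicts with a real datetime."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, subject, url = line.split("|", 4)
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     "sender": sender, "rcpt": rcpt, "subject": subject, "url": url})
    return rows


def is_external_url(url):
    """True when the URL points outside the organisation's own domain."""
    host = urlparse(url).hostname if url else None
    return bool(host) and not host.endswith(INTERNAL_DOMAIN)


def content_filter_hits(rows):
    """The catch/kill/report/reject rule: messages matching any content string."""
    return [r for r in rows
            if any(p.search(r["subject"] + " " + r["url"]) for p in CONTENT_STRINGS)]


def flag_compromised_senders(rows, window=timedelta(minutes=5), min_replies=4):
    """The reply-to-everything pattern: a sender that fires reply-form messages carrying
    external URLs to >= min_replies distinct recipients inside one sliding window.
    Returns {sender: distinct recipients seen in the worst window}."""
    by_sender = defaultdict(list)
    for r in rows:
        if REPLY_RE.match(r["subject"]) and is_external_url(r["url"]):
            by_sender[r["sender"]].append(r)
    flagged = {}
    for sender, msgs in by_sender.items():
        msgs.sort(key=lambda m: m["ts"])
        for i, first in enumerate(msgs):
            rcpts = {m["rcpt"] for m in msgs[i:] if m["ts"] - first["ts"] <= window}
            if len(rcpts) >= min_replies:
                flagged[sender] = len(rcpts)
                break
    return flagged


if __name__ == "__main__":
    rows = parse_trace(SAMPLE_TRACE)
    print("mailboxes to disable and reset:", flag_compromised_senders(rows))
    print("messages to pull:", [(r["sender"], r["rcpt"]) for r in content_filter_hits(rows)])
```

The behavioural rule catches the mailbox the moment it starts replying in bulk, before any content string for that particular lure is known; the content filter then mops up copies already delivered.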

  18. #698

    Join Date
    April 14, 2011
    Posts
    6,597
    So, you've heard of this thing called 2fa right?

  19. #699

    Join Date
    May 30, 2011
    Location
    asleep
    Posts
    6,353
    Quote Originally Posted by elmicker View Post
    So, you've heard of this thing called 2fa right?
    *yawn* 2/10
    Please don't teach me what to do with my pc.

  20. #700
    XenosisMk4's Avatar
    Join Date
    July 13, 2017
    Location
    More turbo-lightspeed neoliberal platitudes/virtue signaling/misplaced priorities on full display.
    Posts
    5,092
    Quote Originally Posted by elmicker View Post
    So, you've heard of this thing called 2fa right?
    I'm not sure we read the same post
