
Thread: Antivirus is shit, everything is compromised, etc etc (Cybersecurity thread)

  1. #701

    Join Date
    May 30, 2011
    Location
    asleep
    Posts
    6,362
    It's elmicker. Did you expect anything apart from 'tl;dr i'm better than you reeeeee'?
    I mean, we could talk about EWS/2FA and the configuration headaches it entails, but reeee is better.
    Last edited by Itiken; November 1 2018 at 02:01:46 PM.
    Please don't teach me what to do with my pc.

  2. #702

    Join Date
    April 14, 2011
    Posts
    6,610
    That was only semi tongue in cheek. If you're running O365 with that many users, driving everything off a SAML/2FA flow is trivial. It would have pre-empted this entirely.

    I'd also recommend running regular phishing attacks on your own user base, then name and shame people who fall for it. Works wonders for compliance.

  3. #703

    Join Date
    May 30, 2011
    Location
    asleep
    Posts
    6,362
    1. naming and shaming as a strategy for anything IT security related does not work
    2. EWS still doesn't fully support 2FA. It's a legacy fucking nightmare.
    3. disabling EWS entirely as a vector breaks a bunch of mobile phone clients, eg all phones not using the official Outlook app.
    Please don't teach me what to do with my pc.

  4. #704
    XenosisMk4
    Join Date
    July 13, 2017
    Location
    More turbo-lightspeed neoliberal platitudes/virtue signaling/misplaced priorities on full display.
    Posts
    5,119
    Naming and shaming people would just result in them not reporting issues/talking to IT at all

  5. #705

    Join Date
    April 14, 2011
    Posts
    6,610
    Give it a go. You'd be surprised how effective it is. You should be doing the same with this incident as well. Lists of everyone compromised forwarded to their entire line management chain with a requirement for a sit down meeting as to why they think they fell for it and how they could be better supported to not do it again.

    If the business has determined putting in place proper protections isn't worth the investment, then it needs to be on them to clean up this mess. This is a people problem, not an IT one.

  6. #706
    XenosisMk4
    Join Date
    July 13, 2017
    Location
    More turbo-lightspeed neoliberal platitudes/virtue signaling/misplaced priorities on full display.
    Posts
    5,119
    Quote Originally Posted by elmicker View Post
    Give it a go. You'd be surprised how effective it is. You should be doing the same with this incident as well. Lists of everyone compromised forwarded to their entire line management chain with a requirement for a sit down meeting as to why they think they fell for it and how they could be better supported to not do it again.

    If the business has determined putting in place proper protections isn't worth the investment, then it needs to be on them to clean up this mess. This is a people problem, not an IT one.
    yeah and if that list of people includes literally 90% of the company then you're not going to get anywhere

    remember that an awful lot of businesses see IT as an expense, not an investment.

  7. #707

    Join Date
    April 14, 2011
    Posts
    6,610
    Thanks for reminding me of that Xeno, I've never really worked in IT before.

    IT is an expense, and it's an expense borne by the rest of the business. If the business has decided not to give you the cash you asked for to prevent incidents like these, for example by migrating away from insecure software, then the business needs to bear the cost of resolving these things. Bear in mind this is likely to be a GDPR issue - email inboxes are loaded with untracked PII and dozens of them have been compromised. You are legally required to have a DPO who reports to your chief executive. If he's not sat down with the CEO fleshing out a plan to prevent this from happening again then he's failing in his duties.

    I'd argue he's already failed, as 2FA is de facto commercial best practice, but that ship has sailed.

  8. #708
    erichkknaar
    Join Date
    April 10, 2011
    Posts
    11,334
    Quote Originally Posted by XenosisMk4 View Post
    Quote Originally Posted by elmicker View Post
    Give it a go. You'd be surprised how effective it is. You should be doing the same with this incident as well. Lists of everyone compromised forwarded to their entire line management chain with a requirement for a sit down meeting as to why they think they fell for it and how they could be better supported to not do it again.

    If the business has determined putting in place proper protections isn't worth the investment, then it needs to be on them to clean up this mess. This is a people problem, not an IT one.
    yeah and if that list of people includes literally 90% of the company then you're not going to get anywhere

    remember that an awful lot of businesses see IT as an expense, not an investment.
    Then they will die as other, more nimble and future proof businesses that don’t, fuck them repeatedly.

    (2fa was my first thought too)
    meh

  9. #709
    Keckers
    Join Date
    July 31, 2012
    Posts
    17,074
    Just sack everyone over 40 tbh
    Quote Originally Posted by Paul Mason
    It is absurd that we are capable of witnessing a 40,000 year old system of gender oppression begin to dissolve before our eyes yet still see the abolition of a 200 year old economic system as an unrealistic utopia.

  10. #710
    XenosisMk4
    Join Date
    July 13, 2017
    Location
    More turbo-lightspeed neoliberal platitudes/virtue signaling/misplaced priorities on full display.
    Posts
    5,119
    Quote Originally Posted by erichkknaar View Post
    Quote Originally Posted by XenosisMk4 View Post
    Quote Originally Posted by elmicker View Post
    Give it a go. You'd be surprised how effective it is. You should be doing the same with this incident as well. Lists of everyone compromised forwarded to their entire line management chain with a requirement for a sit down meeting as to why they think they fell for it and how they could be better supported to not do it again.

    If the business has determined putting in place proper protections isn't worth the investment, then it needs to be on them to clean up this mess. This is a people problem, not an IT one.
    yeah and if that list of people includes literally 90% of the company then you're not going to get anywhere

    remember that an awful lot of businesses see IT as an expense, not an investment.
    Then they will die as other, more nimble and future proof businesses that don’t, fuck them repeatedly.

    (2fa was my first thought too)
    You have this utterly ludicrous faith in the free market self-correcting for idiocy

    spoiler alert: it doesn't, because people (customers and producers) are also idiots.

  11. #711
    erichkknaar
    Join Date
    April 10, 2011
    Posts
    11,334
    Quote Originally Posted by XenosisMk4 View Post
    Quote Originally Posted by erichkknaar View Post
    Quote Originally Posted by XenosisMk4 View Post
    Quote Originally Posted by elmicker View Post
    Give it a go. You'd be surprised how effective it is. You should be doing the same with this incident as well. Lists of everyone compromised forwarded to their entire line management chain with a requirement for a sit down meeting as to why they think they fell for it and how they could be better supported to not do it again.

    If the business has determined putting in place proper protections isn't worth the investment, then it needs to be on them to clean up this mess. This is a people problem, not an IT one.
    yeah and if that list of people includes literally 90% of the company then you're not going to get anywhere

    remember that an awful lot of businesses see IT as an expense, not an investment.
    Then they will die as other, more nimble and future proof businesses that don’t, fuck them repeatedly.

    (2fa was my first thought too)
    You have this utterly ludicrous faith in the free market self-correcting for idiocy

    spoiler alert: it doesn't, because people (customers and producers) are also idiots.
    Protip: the people that aren't idiots win.
    meh

  12. #712
    XenosisMk4
    Join Date
    July 13, 2017
    Location
    More turbo-lightspeed neoliberal platitudes/virtue signaling/misplaced priorities on full display.
    Posts
    5,119
    Quote Originally Posted by erichkknaar View Post
    Quote Originally Posted by XenosisMk4 View Post
    Quote Originally Posted by erichkknaar View Post
    Quote Originally Posted by XenosisMk4 View Post
    Quote Originally Posted by elmicker View Post
    Give it a go. You'd be surprised how effective it is. You should be doing the same with this incident as well. Lists of everyone compromised forwarded to their entire line management chain with a requirement for a sit down meeting as to why they think they fell for it and how they could be better supported to not do it again.

    If the business has determined putting in place proper protections isn't worth the investment, then it needs to be on them to clean up this mess. This is a people problem, not an IT one.
    yeah and if that list of people includes literally 90% of the company then you're not going to get anywhere

    remember that an awful lot of businesses see IT as an expense, not an investment.
    Then they will die as other, more nimble and future proof businesses that don’t, fuck them repeatedly.

    (2fa was my first thought too)
    You have this utterly ludicrous faith in the free market self-correcting for idiocy

    spoiler alert: it doesn't, because people (customers and producers) are also idiots.
    Protip: the people that aren't idiots win.
    counterpoint: Trump

  13. #713

    Join Date
    May 30, 2011
    Location
    asleep
    Posts
    6,362
    Alright then boys - help me out here. You are right about it being a people problem btw. Unfortunately the people are legion.

    The o365 2FA is nice, but it's a bit of a pain to set up as you have to jump through a few hoops. It's not an insurmountable problem though. I use it, all the admin team use it, we are rolling it out to senior management who are all old and senile, so it's doable. The defaults are bullshit though so yeah, it needs some extra arseholery to be useful. Annoying, but fine. whatever. People.

    The larger problem is how 2fa interacts with the rest of the o365 suite, and with our teaching environments. Moodle uses our ADFS/O365, as does sharepoint. So every time you login to a machine, or open a new web browser you have to provide token auth which is all working as intended, right? Ok. Good. Unfortunately, now as well as all their teaching materials, all staff need to carry their personal/company phone around with them at all times to log into anything. Try to get a bunch of unionised teachers to do this shit - I dare you.

    What would be actually useful is being able to force only external access (non site NAT IPs) to use 2fa, but I can't seem to find any way of doing that kind of thing. There are options within ADFS for 2FA and you can then zone it, but from what I can see ADFS 2FA isn't the same as O365 2FA. It's all about RSA tags or whatnot. I'm happy to be wrong about this, if I am - pls help, because the corporate will is there for 2FA, but the usability models are a fucking nightmare.
    Please don't teach me what to do with my pc.

  14. #714
    erichkknaar
    Join Date
    April 10, 2011
    Posts
    11,334
    Quote Originally Posted by Itiken View Post
    Alright then boys - help me out here. You are right about it being a people problem btw. Unfortunately the people are legion.

    The o365 2FA is nice, but it's a bit of a pain to set up as you have to jump through a few hoops. It's not an insurmountable problem though. I use it, all the admin team use it, we are rolling it out to senior management who are all old and senile, so it's doable. The defaults are bullshit though so yeah, it needs some extra arseholery to be useful. Annoying, but fine. whatever. People.

    The larger problem is how 2fa interacts with the rest of the o365 suite, and with our teaching environments. Moodle uses our ADFS/O365, as does sharepoint. So every time you login to a machine, or open a new web browser you have to provide token auth which is all working as intended, right? Ok. Good. Unfortunately, now as well as all their teaching materials, all staff need to carry their personal/company phone around with them at all times to log into anything. Try to get a bunch of unionised teachers to do this shit - I dare you.

    What would be actually useful is being able to force only external access (non site NAT IPs) to use 2fa, but I can't seem to find any way of doing that kind of thing. There are options within ADFS for 2FA and you can then zone it, but from what I can see ADFS 2FA isn't the same as O365 2FA. It's all about RSA tags or whatnot. I'm happy to be wrong about this, if I am - pls help, because the corporate will is there for 2FA, but the usability models are a fucking nightmare.
    Unfortunately, having "half-2fa" or whatever is not doing much for you while still leaving your biggest attack surface (your users) open. It may even make the problem worse due to people thinking its all secure now.

    Getting your policy changed, and the C-level sponsor of the policy to make it so is really your only option, I'm afraid.
    meh

  15. #715
    Nordstern
    Join Date
    April 10, 2011
    Posts
    9,477
    Quote Originally Posted by Itiken View Post
    Unfortunately, now as well as all their teaching materials, all staff need to carry their personal/company phone around with them at all times to log into anything. Try to get a bunch of unionised teachers to do this shit - i dare you.
    Easy. Just require 2FA on your HR portal. Can't put in for PTO or check your paycheck without it.

    Watch your adoption rates soar.
    "Holy shit, I ask you to stop being autistic and you debate what autistic is." - spasm
    Quote Originally Posted by Larkonis Trassler View Post
    WTF I hate white people now...

  16. #716

    Join Date
    May 30, 2011
    Location
    asleep
    Posts
    6,362
    Quote Originally Posted by XenosisMk4 View Post
    yeah and if that list of people includes literally 90% of the company then you're not going to get anywhere

    remember that an awful lot of businesses see IT as an expense, not an investment.
    To pick this one up too:

    - one of the nice things about working in education is people see the use for, and the need for, modern technology. It's hard to teach kids to prepare for the world if your systems are 10 years out of date. At least, that's what my current management team think, and the budgets they give us back that up.

    There are practicalities though. We have to change slowly as the teachers are often not exactly resistant to change, but simply don't have the time between teaching, prepping and paperwork to 'stay up to date' with whatever thing we have just given them. To use the 2fa thing as a shining example - securing external only access works great as it's a carrot and stick approach.

    "If you want to get your mail on your phone / home computer then you must comply with X and Y" works very well. Teachers who don't care, don't want to, won't, and others can and will at their own pace.

    "When you login to a computer now you must have a mobile phone with you to do a token authentication" is not a policy anyone is going to sign off in the near future as general staff policy is "don't take your phone into the classroom". Another way of performing 2fa would be lovely, but as above, when you ask people around here for actual suggestions and help you get sneered at.

    We are looking at pricing for conditional access licences next, as that looks like the way to set rules up for how and when you can access emails. Money is there to get the work done, but we need to find the right products. "just turn on o365 2fa" isn't it.

    Bear in mind this is likely to be a GDPR issue
    tell me about it. I'm trying to make people take GDPR seriously and have almost given up and instead am waiting for the massive explosion when something fucks right up and we get to say "told you so".
    Please don't teach me what to do with my pc.
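    Added example, not part of the thread or any poster's own setup: the "2FA only for access from outside the site NAT range" behaviour Itiken asks for in #713, and the Conditional Access route mentioned in #716, expressed as Azure AD Conditional Access policies created through the Microsoft.Graph PowerShell module. The egress CIDR and the break-glass group ID are placeholders, and it assumes the signed-in admin holds the Policy.ReadWrite.ConditionalAccess scope and that the users in scope are licensed for Conditional Access (Azure AD P1 at the time of the thread). The second policy addresses the EWS point from #703: a policy that only *requires* MFA does nothing for protocols that cannot present a second factor, so legacy authentication has to be blocked separately or it remains a password-only side door.

```powershell
# Added example (not from the thread). Two Conditional Access policies:
#   1. require MFA for every sign-in except those from the campus egress IPs
#   2. block legacy-auth client types, which cannot satisfy an MFA challenge
# Assumptions: Microsoft.Graph module installed, admin consented to the scopes
# below, Conditional Access licensing in place. CIDR and group ID are placeholders.

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$campusEgress    = '203.0.113.0/24'                        # placeholder: site NAT range
$breakGlassGroup = '00000000-0000-0000-0000-000000000000'  # placeholder: emergency-access admins

# 1. Named location for the on-site NAT range, marked trusted so it can be
#    excluded from the MFA requirement below.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Campus egress'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $campusEgress }
    )
}

# 2. MFA for all users, all cloud apps, all locations except the trusted one.
#    Created in report-only mode: the sign-in logs then show who *would* have
#    been prompted, so the policy can be reviewed before it bites anyone.
$mfaOutside = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Require MFA outside campus'
    state         = 'enabledForReportingButNotEnforced'   # flip to 'enabled' after review
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroup) }
        applications   = @{ includeApplications = @('All') }
        locations      = @{ includeLocations = @('All'); excludeLocations = @($location.Id) }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# 3. Legacy protocols (basic-auth EWS, ActiveSync, IMAP/POP/SMTP) never see the
#    MFA prompt, so requiring MFA leaves them open to a phished password. Block
#    them. This is the part that breaks mail clients without modern auth, so
#    check the sign-in logs for 'Exchange ActiveSync' / 'Other clients' first.
$blockLegacy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroup) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Read back what was created.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.Id -in @($mfaOutside.Id, $blockLegacy.Id) } |
    Select-Object DisplayName, State
```

    Two caveats a practitioner would want alongside this. Trusting an IP range means anyone on the campus network, or on a compromised on-site machine, authenticates with a password alone, which is the "half-2fa" problem erichkknaar raises in #714; the trade is usability against coverage, not a free win. And the trusted-location exclusion only helps if legacy authentication is actually blocked, because a password-only protocol from an untrusted IP is exactly what a phished credential gets used against; leave both policies in report-only mode until the sign-in logs show which clients would be affected.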

  17. #717
    Keckers
    Join Date
    July 31, 2012
    Posts
    17,074
    2fa is a pain in the arse and I hate it.
    Quote Originally Posted by Paul Mason
    It is absurd that we are capable of witnessing a 40,000 year old system of gender oppression begin to dissolve before our eyes yet still see the abolition of a 200 year old economic system as an unrealistic utopia.

  18. #718
    erichkknaar
    Join Date
    April 10, 2011
    Posts
    11,334
    Quote Originally Posted by Keckers View Post
    2fa is a pain in the arse and I hate it.
    It is, however, the only real way our industry has come up with so far, to protect users from themselves...
    meh

  19. #719
    XenosisMk4
    Join Date
    July 13, 2017
    Location
    More turbo-lightspeed neoliberal platitudes/virtue signaling/misplaced priorities on full display.
    Posts
    5,119
    I'm still very amused that the only sites that force me to use 2FA are my private torrent tracker sites

    Everywhere else is optional

  20. #720
    vDJ
    Join Date
    July 31, 2012
    Location
    out there
    Posts
    1,397
    Hypodermal chips when
