For now. Already, some apps expect network connections each and every time, so people get used to the idea that it's just a net-requiring device.
And they know how to grow food, unlike most of us.
Whoops, that was me. One side effect of auto-clearing cookies. Anyway.
What's with all the anonymous wankers beaking off about PHP vs Node, or JavaScript in general, when it's a server-side parsing of input that leads to the vulnerability? WebGoat was written as an on-purpose vulnerable web app for learning on; maybe some of you should download it and Burp or ZAP and do some self-education. OTOH, I'm sure someone would look at WebGoat and respond with, "OMG, Java is teh suckz!"
Test for what you need, or at least look for related benchmarks. Mine (750 Ti) does more crunching for password cracking than anything else, but helps out nicely for certain jobs. (Hashcat FTW of course!)
I've taken the intrusion detection and incident handling courses, with certs in both (still have the latter). When considering them, try to align with what you figure you'll be doing job-wise, if you know. The intrusion detection stuff was great for grubbing through packets to figure out what's going on, where the hacker tools and incident handling course gives you some hands-on playing and knowledge you'll want for incident response. I wasn't doing any network monitoring in my role though, so I didn't keep up the intrusion analyst cert, but I did love the course.
I don't know your organization's level of risk tolerance, but getting them to pay for one of the following would be an eye-opener:
- A vulnerability assessment will show a sea of red for the unsupported platforms. Maybe that'll be sufficient to convince them that it's time to upgrade (and train up on new stuff).
- A penetration test will take those same vulnerabilities and combine them with attempting to use those vulnerabilities to see what they could get. The difference is in trying to use those issues, and turn them into "oh SHIT" screen shots in the report. It's the difference between "someone could theoretically do X" and "someone just did X, and documented it all for your edification."
On the latter engagements, especially with the dreadfully old stuff, it is quite enlightening to include those screen shots that show how I've added new users, logged in with them, and used them to poke yet more systems I couldn't reach from the starting point. The under-educated staff would only help things if social engineering was in scope too.
Those Lisp machines are still worth a few bucks. My wife would cringe, but I'd love to stuff one into a corner of my home office.
Hey, I might still have one of those Sharp units. What did your software do?
It's actually the main Facebook app that I uninstalled. Messenger is OK for its intended purpose, but the main one was doing sketchy things I didn't want. I now use a mobile browser instead, so their functionality is limited to what the browser and phone ecosystem will permit.
Of course, you can use your LACK table as a mini server rack too. Mine's holding up a firewall in the closet.
Hah, thought that was just me. Be nice though, and pry the circuit board off first so you don't scatter bits all over the range.
See you there!
It seems like every time one of their senior execs opens their mouths in public, they blather on and on to show us just how clueless and tone deaf they are. It's like their recruitment process has a required check box:
[X] Yes, I am a twat!
Even if the job is mostly remote (as mine is), many clients want to see you once in a while. Or, maybe you are doing internal testing which requires you to be on-site, but only project-focused, not all the time. I've managed to off-shore myself (literally, on an island), while being responsive to clients and still able to travel in a reasonable period of time when needed.
I forget which case it was, but there was one in the news a little while back. Some dark market guy, living on his Uni campus and doing his thing. Apparently the bust tried to do the DPR thing, but he had an encrypted, battery-less laptop and he was able to yank the power cord out.
I find that one of the more useful bits about PCI is that at some point, somebody tells the company to get their house in order. Maybe not the whole thing, but there's some value to moving all of the CC data to the closet and locking THAT.
My general security side says they should apply that principle elsewhere, but it's a harder sell when the rest isn't directly tied to cash flow.
These companies seem convinced there is financial reason to keep everyone else's data, and maybe there is. If so, it behooves them to do so correctly, according to the value of what they hold. If they think the data is worth less, a painful lawsuit judgement may change their minds. (See Ford, and Pinto gas tanks.)
I'm in the security industry, and this approach pretty much sums up what I try to instruct my clients to do. It differs of course from the piles of unprotected, unaudited, unmanaged fluff that some management wanker thought might be handy to keep around. Even a scope as constrained and specific as credit card data makes them blanch; I can't imagine them making the leap to more loosely guarded information without a business case.
He is a flight risk.
I deal a lot with clients who have compliance requirements such as PCI. This sort of thing is an endless source of grief, where the "it doesn't matter, it's just an appliance" phrase comes up all the time. You have devices put into PCI-scoped network zones to do a job, but which are either using a dusty version of a commodity OS under the hood, or don't support a bunch of requirements like account controls such as password complexity and account lockouts.
Being big-name security appliance and networking companies, it's tough to justify taking them all out back to the shooting range. But I'd love to...
What they need to do is implement client-side encryption before it gets uploaded. Sure, we can use something like EncFS to let Dropbox host only files I've already encrypted, but other cloud-storage companies like SpiderOak have written themselves out of access to my file contents.
In my humble experience, POS systems are those most forgotten, and least protected once you get on to the network. Few patches if any, and the vendors often squawk about only supporting ancient versions of Windows XP. Yes, the POS systems are probably Windows. Probably no AV either, and quite likely all administered with shared accounts that everybody knows. A firewall is by far the least they should be doing.
This sort of thing is starting to hurt, right in the pocket book where it counts. That is exactly the right response to companies stabbing their consumers in the back.
Something comprehensive would indeed be much better than solving for one layer. The challenge I find is trying to get people to pay attention to any of it at all, never mind changing everything they do in one fell swoop. For sure, making secure options the default is a huge step, but in this case, we're still relying on whatever compromised client gets allowed onto the wifi.
I've had a FON device, and I think its main protection against malicious (illegal, stupid) use is that other users on the open FON channel are either authenticated FON users roaming to your access point or paid users who again aren't really anonymous.
What I was wondering though is whether each of these openwireless devices could also be set up as a Tor entry node for all of the free traffic going out that way? Think something like the Tails distro, where you don't record anything, and don't really want to either. Keep it somewhat bandwidth-friendly for the rest of your network, and worry less about what some anonymous user does with it.