Surprisingly, I'm still waiting to hear how blockchain can help my business with COVID-19.

I think I've found better wording to describe my issues with the NIST password recommendations.

I understand the reasoning for the recommendations. I even agree with the logic. But the recommendations are based on flawed premises:

1. Every person makes good password decisions
2. Breaches are always detected in short order

We have plenty of evidence to show that both of these are empirically false.

And, as always, it comes down to managing risk. Security isn't a magic bullet.

It's the latching on to one aspect of the problem that pisses me off. There's so much more involved than just whether someone's password expires on a clock or not. Security is all about risk management, and it's so complex that no one person has all the answers. It's also a moving target, so even if you think you have a handle on it, it shifts and changes before you can react.

I made the mistake of telling people on Reddit that not having regular password expiry is bad. The reaction is amazing.

Hear me out...if people reuse passwords, and one site gets popped...they all get popped.

Also, no one mentions disabling expiry with any other recommendations, like MFA. My fear is all the people who see one piece of the recommendations and run with just that, without considering all the other pieces.

Security is like onions...

I'm so sick of seeing the "Microsoft says don't expire passwords" garbage.

They don't look at the reality of the situation. Passwords are only one piece (2FA, SSO for business accounts, etc are all important). Plus, most importantly...people are lazy, and if you don't force changes occasionally, they'll have the same password everywhere.

And it will be 'CorrectHorseBatteryStaple'.

Why is the question "Is RDP listening on the internet safe?" still being asked? I swear I see it asked at least daily.

Makes no sense.

My home lab is set up with 2-factor protected Apache Guacamole on a non-standard HTTPS port. It's all free, and just takes a little effort to set up. Anyone facing the option of opening RDP to the internet can spin that up and be better off.

Of course, there's always the possibility of vulnerabilities in that setup, but...that's always a possibility.

So...not only are these all terrible passwords...but apparently Disney+ has no password policy.

Bravo, Disney.

blog.mozilla.org/firefox/disne

Dear vendors: It's 2019. Stop sending me 1024-bit RSA SSH keys to load. Our policy requires at least 2048, but why stop there? Use 4096 or pick a different algorithm.

Pretty sure it's laziness. "All our other customers accept it..."
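The check behind the policy in the post above, as an added example that is not part of the original post: it parses the OpenSSH public-key wire format with only the standard library (type string, then for RSA the exponent and modulus as mpints) and measures the modulus rather than trusting whatever the vendor wrote in the comment. The minimum of 2048 bits and the accepted key types are assumptions taken from the post; the sample keys are constructed for the demo and are not real key pairs.

```python
import base64
import struct

# Assumed policy (from the post): RSA must be at least 2048 bits; Ed25519 and
# NIST ECDSA are accepted as the "different algorithm".
MIN_RSA_BITS = 2048
ACCEPTED_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
                  "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_public_key(line):
    """Return (key_type, bits) for one line in OpenSSH authorized_keys format."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    key_type, off = _read_string(blob, 0)
    key_type = key_type.decode("ascii")
    if key_type != declared_type:
        raise ValueError(f"type mismatch: {declared_type} vs {key_type}")
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)       # public exponent (mpint)
        n_bytes, off = _read_string(blob, off)  # modulus (mpint)
        bits = int.from_bytes(n_bytes, "big").bit_length()  # real size, not the comment
    elif key_type == "ssh-ed25519":
        pk, off = _read_string(blob, off)
        if len(pk) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        bits = 256
    elif key_type.startswith("ecdsa-sha2-nistp"):
        curve, off = _read_string(blob, off)
        _point, off = _read_string(blob, off)
        bits = int(curve.decode("ascii")[len("nistp"):])
    else:
        bits = 0
    return key_type, bits


def check_key(line, min_rsa_bits=MIN_RSA_BITS):
    """Accept or reject one public key line; returns (ok, human-readable reason)."""
    key_type, bits = parse_public_key(line)
    if key_type not in ACCEPTED_TYPES:
        return False, f"{key_type} is not an accepted key type"
    if key_type == "ssh-rsa" and bits < min_rsa_bits:
        return False, f"ssh-rsa key is {bits} bits; policy requires at least {min_rsa_bits}"
    return True, f"{key_type} ({bits} bits) accepted"


# --- constructed sample keys for the demo (NOT real key pairs) ---------------
def _mpint(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:          # mpint is signed: pad so the top bit reads as positive
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def _string(b):
    return struct.pack(">I", len(b)) + b


def fake_rsa_key(bits, comment="vendor@example"):
    """Modulus is just a number with the top bit set, so the size parses correctly."""
    n = (1 << (bits - 1)) | 1
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def fake_ed25519_key(comment="vendor@example"):
    blob = _string(b"ssh-ed25519") + _string(bytes(range(32)))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    for key in (fake_rsa_key(1024), fake_rsa_key(4096), fake_ed25519_key()):
        print(check_key(key))
```

Run it over a vendor's authorized_keys file line by line before loading it; a 1024-bit key fails regardless of what the comment field claims about its size.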

I've started watching a lot of Deviant Ollam's videos, and they're pretty good. He's a good presenter.

In one, he starts talking about lock boxes as vulnerabilities. I'm only half paying attention to the video, but I look over and see a picture of my building in the presentation.

Not the kind of exposure we would like, I'm sure.

Step right up, spin the wheel and find out who is implementing bad password policies today!

Today's winner is Transamerica. Their website doesn't allow you to paste when changing your password, so using a password manager is that much more annoying.

Thank you, Transamerica. You are helping perpetuate the use of simple, short, memorable passwords for important financial information.

Listening to DefSec about Kaseya vulnerability...

My old job used Kaseya. It has port 5721/tcp open publicly for agents to check in. It also had a web interface, which is typically available publicly. We used 2FA, but it's still far too exposed.

And since Kaseya is an RMM tool, if you pop the controller, you own the endpoints. You'd think securing the controller would be more of a priority...

But what do I know. Customer security is secondary to administrative ease, apparently.

I received a LinkedIn request from a random person with an Indian name who has very few links and claims to have started at my place of employment just before I did. They are located several states away, but I work for a regional healthcare provider.

Seems fishy. Anyone seen things like this? And what's to be gained if it's not legit?

I've got an interview for an InfoSec position on Monday. Fully looking forward to talking security again. Not sure how things would work out if I get the position (moving, selling the house, my wife's job, etc), but I guess we'll find out.

Here's hoping I don't make a complete ass out of myself.

I've said it before, and apparently I'll say it again.

Security is...
1. ...like onions.
2. ...all about risk management.

Good security has layers - a single edge firewall protects against one attack surface...and leaves the rest wide open. AV, host firewalls, etc, all layers that add to overall protection.

Which layers do you need? Depends on the risk your devices pose. Database of PII/PHI? Damn right you need all those layers. Dev box? Maybe not.

CVE-2018-16864 : exploitable since 2016
CVE-2018-16865 : exploitable since 2013
CVE-2018-16866 : exploitable since 2015 (but fixed by mistake on 08/2018)

So:
- brick PC bugs (EFI erase) ✔️
- Many accounts of unbootable machines after an upgrade: ✔️
- Uncountable vulns over the years ✔️

Seriously, what is it gonna take for distros to finally put systemD(isaster) back in the trash dump where it belongs??

Oh, and any Linux distro lead willing to share the huge hush money they must have won to accept that utterly shitty piece of trash in the first place?

I don't see any other reasons now...

If your website has password complexity requirements...maybe you should actually TELL PEOPLE. Don't just fail and give a generic "Our site is broken" page.

I'm looking at you, GlobalKnowledge.

My randomly-generated password from my vault was no good, because (presumably) the special characters caused some kind of problem. Super-long alphanumeric was fine.
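The validator that the post above is asking for, as an added example that is not code from GlobalKnowledge, Disney+ or any of the sites named on this page: it checks length, screens against a breached/common-password list, and returns every reason for rejection as plain text instead of a generic error. It deliberately has no character-class rules and accepts spaces, quotes and backslashes, so a vault-generated password with special characters passes. The limits, the tiny blocklist and the sample passwords are all assumptions constructed for the example; a real deployment would screen against a list of millions of breached passwords.

```python
import unicodedata

# Assumed policy for this example: length only, no composition rules, blocklist screening.
MIN_LEN = 8
MAX_LEN = 128

# Constructed sample blocklist (a real one is millions of entries, stored lowercased).
BLOCKLIST = {
    "password", "123456", "qwerty", "letmein", "disney123",
    "correcthorsebatterystaple",
}


def normalize(pw):
    """NFKC-normalize so visually identical Unicode input is measured the same way."""
    return unicodedata.normalize("NFKC", pw)


def _looks_sequential_or_repeated(pw, run=4):
    """True if `run` identical characters appear in a row, or an ascending/descending run ('1234', 'dcba')."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        if len(set(window)) == 1:
            return True
        codes = [ord(c) for c in window]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw, context_words=()):
    """Return the list of human-readable reasons the password is rejected; empty list means accepted.

    context_words: site- or user-specific strings (site name, username) that must not appear.
    """
    reasons = []
    pw = normalize(pw)
    if len(pw) < MIN_LEN:
        reasons.append(f"must be at least {MIN_LEN} characters (got {len(pw)})")
    if len(pw) > MAX_LEN:
        reasons.append(f"must be at most {MAX_LEN} characters")
    if any(not ch.isprintable() for ch in pw):
        reasons.append("contains non-printable characters")
    # No composition rules: every printable character, including space, ' " and \, is allowed.
    lowered = pw.lower()
    if lowered in BLOCKLIST:
        reasons.append("appears in a list of commonly used or breached passwords")
    for word in context_words:
        if word.lower() in lowered:
            reasons.append(f"must not contain '{word}'")
    if _looks_sequential_or_repeated(pw):
        reasons.append("contains a run of repeated or sequential characters (e.g. 'aaaa', '1234')")
    return reasons


if __name__ == "__main__":
    samples = [
        ("R#9v'\"kL 2wq_Zt$mPx", ()),          # vault-generated, special characters included
        ("CorrectHorseBatteryStaple", ()),      # long, but on the blocklist
        ("Sh0rt!", ()),
        ("MyDisneyPlus2019!", ("disney",)),
    ]
    for pw, ctx in samples:
        result = check_password(pw, context_words=ctx)
        print(repr(pw), "->", "accepted" if not result else "; ".join(result))
```

The returned list is what the sign-up form should show verbatim; the design point is that the user learns which rule failed, and a password manager's output is never rejected for the characters it contains.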

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.