Step right up, spin the wheel and find out who is implementing bad password policies today!

Today's winner is Transamerica. Their website doesn't allow you to paste when changing your password, so using a password manager is that much more annoying.

Thank you, Transamerica. You are helping perpetuate the use of simple, short, memorable passwords for important financial information.

Listening to DefSec about the Kaseya vulnerability...

My old job used Kaseya. It has port 5721/tcp open publicly for agents to check in. It also had a web interface, which is typically available publicly. We used 2FA, but it's still far too exposed.

And since Kaseya is an RMM tool, if you pop the controller, you own the endpoints. You'd think securing the controller would be more of a priority...

But what do I know. Customer security is secondary to administrative ease, apparently.

I received a LinkedIn request from a random Indian-named person who has very few links and claims to have started at my place of employment just before I did. They are located several states away, but I work for a regional healthcare provider.

Seems fishy. Anyone seen things like this? And what's to be gained if it's not legit?

I've got an interview for an InfoSec position on Monday. Fully looking forward to talking security again. Not sure how things would work out if I get the position (moving, selling the house, my wife's job, etc), but I guess we'll find out.

Here's hoping I don't make a complete ass out of myself.

I've said it before, and apparently I'll say it again.

Security is...
1. onions.
2. ...all about risk management.

Good security has layers - a single edge firewall protects against one attack surface...and leaves the rest wide open. AV, host firewalls, etc., are all layers that add to overall protection.

Which layers do you need? Depends on the risk your devices pose. Database of PII/PHI? Damn right you need all those layers. Dev box? Maybe not.

CVE-2018-16864 : exploitable since 2016
CVE-2018-16865 : exploitable since 2013
CVE-2018-16866 : exploitable since 2015 (but fixed by mistake in 08/2018)

- brick-PC bugs (EFI erase) ✔️
- Many accounts of unbootable machines after an upgrade ✔️
- Uncountable vulns over the years ✔️

Seriously, what is it gonna take for distros to finally put systemdD(isaster) back in the trash dump where it belongs??

Oh, and is any Linux distro lead willing to share the huge hush money they must have received to accept that utterly shitty piece of trash in the first place?

I don't see any other reasons now...

If your website has password complexity requirements...maybe you should actually TELL PEOPLE. Don't just fail and give a generic "Our site is broken" page.

I'm looking at you, GlobalKnowledge.

My randomly-generated password from my vault was no good, because (presumably) the special characters caused some kind of problem. Super-long alphanumeric was fine.
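As an added example (not from the original post or from the site it complains about), here is what a password check that actually tells the user what went wrong can look like. It is assumed to sit behind a "change password" form; the length limits and the tiny blocklist are constructed for illustration. The point is that every printable character a password manager can emit, including spaces and symbols, is accepted, and that a rejection comes back as a list of specific reasons rather than a generic error page.

```python
import unicodedata
from typing import List

# Constructed policy values for this example; tune to your own requirements.
MIN_LENGTH = 12
MAX_LENGTH = 128  # only needed to bound hashing cost on absurdly long input

# Constructed sample blocklist. A real deployment loads a breached-password
# corpus here instead of five strings.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}


def normalize(password: str) -> str:
    # NFKC so the same visible string typed on different keyboards or pasted
    # from different managers compares (and later hashes) identically.
    return unicodedata.normalize("NFKC", password)


def check_password(password: str) -> List[str]:
    """Return human-readable reasons the password is rejected.

    An empty list means the password is accepted. Symbols, spaces and
    non-ASCII letters are all fine; only length, control characters and a
    blocklist are enforced, so a vault-generated password never fails for
    containing the "wrong" character.
    """
    pw = normalize(password)
    problems: List[str] = []

    if len(pw) < MIN_LENGTH:
        problems.append(
            f"must be at least {MIN_LENGTH} characters (got {len(pw)})"
        )
    if len(pw) > MAX_LENGTH:
        problems.append(f"must be at most {MAX_LENGTH} characters")

    # Unicode general category "C*" covers control, format and unassigned
    # code points; these are the only characters worth refusing outright.
    if any(unicodedata.category(ch).startswith("C") for ch in pw):
        problems.append("control characters are not allowed")

    if pw.lower() in COMMON_PASSWORDS:
        problems.append("is on the list of commonly used passwords")

    return problems


def is_acceptable(password: str) -> bool:
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ("Password1", "correct horse battery staple %$#@!"):
        reasons = check_password(candidate)
        print(repr(candidate), "->", "OK" if not reasons else "; ".join(reasons))
```

The form handler should render the returned list next to the field. If the backend instead 500s on a `%` or `'`, that is an escaping bug in the backend, not a reason to restrict the character set.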

Just downloaded all my photos/videos from FB and fully deleted the account. Feels good.

Now that I think of it, I need to re-activate FB and download all my photos and such. I have too much stuff that I never saved anywhere else.

RIP Red Hat.

What do enterprises use for Linux servers besides RHEL/CentOS? In my experience it's been by far the most common.

I fixed the insecure method of updating credentials I used in this blurb yesterday. Now it's basically a one-liner, and it's not writing passwords to files.

Wrote this little tidbit because I spent far too long looking through complicated scripts for what should be a simple task.

Every time I deal with WSUS/Windows Updates, I'm happier that yum/apt/whatever Linux package management exists.

Does anyone have a good link for how certificates work? I come across a lot of people who think they're black magic. I want to be able to give them some info to explain it.

Any suggestions on links/resources/presentations would be appreciated.

I found this one that seems ok as a start:

I saw a novel way to calculate the Nth *day of the month, I decided to make it a more generic function.
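The post above does not show the function or say what language it was written in. As an added example that is not the author's code, here is a generic "Nth weekday of the month" in Python, using the datetime weekday convention (Monday = 0 ... Sunday = 6). It goes a little beyond the post: negative `n` counts from the end of the month, and a month that has no fifth Monday raises instead of silently returning a date in the next month. The Patch Tuesday helper relies on the fact that Microsoft releases on the second Tuesday of each month.

```python
import calendar
from datetime import date


def nth_weekday_of_month(year: int, month: int, weekday: int, n: int) -> date:
    """Return the date of the n-th occurrence of `weekday` in year/month.

    weekday: 0 = Monday ... 6 = Sunday (same convention as date.weekday()).
    n:       1 = first, 2 = second, ...; -1 = last, -2 = second-to-last.
    Raises ValueError if that occurrence does not exist (e.g. a 5th Monday
    in a 28-day February) or if the arguments are out of range.
    """
    if not 1 <= month <= 12:
        raise ValueError(f"month out of range: {month}")
    if not 0 <= weekday <= 6:
        raise ValueError(f"weekday out of range: {weekday}")
    if n == 0:
        raise ValueError("n must be non-zero")

    days_in_month = calendar.monthrange(year, month)[1]

    if n > 0:
        # Days from the 1st forward to the first matching weekday, then
        # whole weeks for each further occurrence.
        first = date(year, month, 1)
        offset = (weekday - first.weekday()) % 7
        day = 1 + offset + 7 * (n - 1)
    else:
        # Same idea counted backwards from the last day of the month.
        last = date(year, month, days_in_month)
        offset = (last.weekday() - weekday) % 7
        day = days_in_month - offset + 7 * (n + 1)

    if not 1 <= day <= days_in_month:
        raise ValueError(
            f"no occurrence {n} of weekday {weekday} in {year}-{month:02d}"
        )
    return date(year, month, day)


def has_nth_weekday(year: int, month: int, weekday: int, n: int) -> bool:
    """True if the requested occurrence exists in that month."""
    try:
        nth_weekday_of_month(year, month, weekday, n)
    except ValueError:
        return False
    return True


def patch_tuesday(year: int, month: int) -> date:
    """Microsoft's Patch Tuesday: the second Tuesday of the month."""
    return nth_weekday_of_month(year, month, calendar.TUESDAY, 2)


if __name__ == "__main__":
    # Print the year's Patch Tuesdays, which is what a sysadmin usually
    # wants this function for.
    for m in range(1, 13):
        print(patch_tuesday(2021, m).isoformat())
```

Computing the offset with `% 7` avoids the loop-over-every-day approach most scripts use, and the bounds check at the end is what keeps "5th Friday" from quietly becoming a date in the following month.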

I've decided I should do more writing/blogging. I think it would be good for my career in the long run.

Unfortunately, toddler + infant != free time.

Maybe one of these days...

Can we all agree to focus more on RCEs than local-only exploits? That's not to say that local-only things don't need fixing, but let's focus on the bigger issues.

I'm sick of hearing about Spectre/Meltdown (and variants) being the end of the world. Let's fix them, but let's stop pretending they're the most critical issue out there.

Sysadmins need a shirt reading: "I survived Patch Tuesday"

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.