Just because you don't have any value from the logs doesn't mean someone else can't figure out a way to get value from them ;-)

Show thread

So even though I couldn't tell the -specific content- accessed, I could tell that the pattern of access was such that he couldn't have gotten to the parts where the sensitive thing I was concerned about were located.

And that's why metadata is important, and that's why "but it's worthless" is bogus ;-)

Show thread

Because while the URIs themselves were, essentially, all the same - because salesforce's application workflow apparently works through a single URI - the pattern of fetches indicated a specific sequence of events:

Initial login
Password change
Front page load
Page access
Logout

Nothing more [thankfully] - which is good, because had he gone one more page in it'd have been a problem

Show thread

So, handling an event that came up, I needed logs from salesforce [ugh].

The guy who could give me the logs kept saying that they were useless - that they didn't tell you anything. But since this was my only source of truth for what happened -on- said event, I kept asking, and eventually got 'em.

And yes, the URIs accessed do not, of themselves, tell you -squat-

The -metadata-, however, was very instructive.

I stood up IR the other day for what my monitors told me was an attempt to exfil password files via an API [which wouldn't have worked, but the attempts were concerning]

Turned out it was an internal CTF that they'd neglected to mention would be running in my monitored area ;-)

The event-stream library in NPM has been backdoored with a Trojan for some time. Looks like a damn mess. If you do/did anything with that library, time to put your helmet on.

Memorial Info for d3vnull 

Some folks may have heard already, but d3vnull passed away over the weekend.

Obit and memorial info here - cressfuneralservice.com/obitua

The family is asking for donations to an epilepsy research fund in lieu of flowers.

Fun fact: if you're using kubernetes you can edit secrets that you have permissions to access via:

> kubectl edit secret [name]

Setting the environment variable KUBE_EDITOR lets you use whatever editor you want.

Mmph. "We need monitoring of thing!"

Ok, can you tell me what thing looks like?

[crickets]

I have just tongue-in-cheek recommended that the DFIR/monitoring section of infosec where I work be called the "Security Monitoring and Event Response SHop" - so the acronym can be SMERSH.

So @tinker said that @LitMoose is over here now, and I figured I'd try to pay attention to masto again. Hi. It's me.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.