Infosec Lurker | Technical Debt Collector
It's not for fun, or any sense of community.
It's just trying to dull the pain.
| Pronouns | he/him |
Recently, I did some work to bring Philly Tech Calendar and RVA Tech Calendar under the same umbrella — which also meant that I could add Boston, and a calendar for online events, too! Check it out:
Hello fellow hackers!!!
I want to give away the Flock Safety camera and battery pack I tore down a few weeks ago. The Serial header has been soldered to and the back 7 pin connection has been cut to trace voltages and I2C busses.
Otherwise the android OS is factory-ish minus the install of magisk root to access the filesystem. I did not overwrite the boot loader, but can give you the root enabled boot loader to call from fastboot.
I want to pass on the camera to someone who can continue to dissect the OS and the APPS publicly. I don't want the camera to go to a CVE hunter.
Thoughts?
Three ../s to pwn the custom app in /opt/vendorname/bin
Seven for the webapp under /var/www/root/tools/special/backup/cgi-bin
Nine for that crazy app that's path is truly a sin
One for the base app in /sbin
It's setuid root so with it you win
One app to root them all, one app to sign them
One app to pilfer them all and from /etc spy on them
In the land of the root app where directory traversals lie.
@chillybot https://imgur.com/gallery/60Jt9g3
found this for you
Simple walkthrough on setting up a development certificate authority:
https://isc.sans.edu/diary/rss/32092
@Sempf
Do it!
I've been running one in a vps for years. I have scripts to update/restart installed apps, it notifies me when I need to patch the OS, and I upgrade the os twice a year. About as close to maintenance-free as you can get.
I recently received an email that at first glance appeared to be a well-crafted phishing message, warning that my Microsoft Entra ID was going to expire in a month if I didn't make a purchase. The only piece of information in the message was my supposed Entra ID.
After checking with Microsoft it appears this automated message is legitimate, and it is in reference to a Microsoft Teams trial account I created for a day and then abandoned. But apart from the Entra ID, which isn't mentioned in any prior communications from Microsoft, there is zero context for the user.
How hard would it be for Microsoft to include just a tiny bit more information in each message? Like, "Hey, this message is about an account created 5 years ago, for Teams" or something. Otherwise these marketing messages train users to fall for phishing scams.
Marks and Spencer’s CEO says half of their online ordering is still offline after their ransomware incident, they hope to get open in next 4 weeks.
They are also rebuilding internal systems and hope a majority of that will be done by August.
Lesson: mass contain early. M&S didn’t. Co-op did.
@GossiTheDog I'd be very curious to know what the breakdown is between TCS dropping the ball and lying about it and M&S/Co-op not actually insisting on adequate procedure.
It's not terribly uncommon for people to only care about time-to-resolution with some lip service to user satisfaction when it comes to helpdesk metrics; and tacitly discourage things that are slow and unpleasant like hassling people for ID, at least until that becomes a visibly terrible idea.
"M-SThrowaway" might indicate M&S?
Or is that too obvious or deliberate obfuscation? 🙂🤷♂️
@GossiTheDog as someone who has been subjected to Tata on multiple occasions going back over a decade?
This isn't nearly spicy enough. I don't even describe them as a 'body shop' because they'd gladly route you to a corpse and try to charge extra for '24x7 coverage.'
When one employer did a basic security audit of their helpdesk services, Tata failed so severely that the contract was pulled for cause before the audit was even completed. They moved it all back in-house.
@GossiTheDog and lo, I found my notes! And, hooboy, hang onto your hats kiddos. Things they failed at (which caused me work):
- resetting passwords without verifying identities
- removing 2FA from accounts (not allowed period; there was a procedure)
- removing or updating 2FA without verifying identities (so a LOT of 2FAs had to be assumed compromised)
- adding users to groups directly instead of directing them to the appropriate request
@GossiTheDog The root problem here isn't that TCS are shockingly bad (they are, just about everyone knows that).
The root problem is that "management decisions" constantly overrule those that raise concerns about their service and tell any remaining internal IT and security staff to "deal with it as best you can."
I'm very much of the view that, yes, the outsourced provider can be the cause of an incident, they can provide a shockingly bad service, they can cost your business millions of pounds. But the decision to continue to use them when you already know this is a real possibility - that's a decision by senior management within the company. That's on you.
@Cyberoutsider @GossiTheDog Totally agree. You can outsource the work but never the accountability.
Here is (yet another) example of risk management failures, the management under cost pressures find affordable solutions, celebrated for cost savings but the implicit risks are not understood nor uncovered during sourcing process.
There are ways to compensate however there is any way a significant risk trade off that needs to be made consciously, rather than implicitly like today.
(Experience from enterprise offshore outsourcing +15 years)
@GossiTheDog Interesting. I don't have the background on this specific attack, but I'm reminded of the Target credit card theft. An HVAC company near me was the point of entry for the attackers; they had high-access keys to Target's intranet because they install and maintain shopping-mall-grade HVAC and can remote-override it for maintenance and schedule reasons (nation-scale chain stores with giant footprints save not-inconsequential money on things like "Don't power up the HVAC to normal capacity on days nobody is here").
They had the keys on the same machine running their webserver.
(Meanwhile, Target actually did get an SEC slap-on-the-wrist for one specific thing: the HVAC intranet piece wasn't firewalled from the financial transactions and cash register source code pieces).
If it is the case then the leaders of businesses like M&S who outsource these services to the lowest cost providers should also be held to account
It’s typical of British business management to know the cost of technology but not the value of it
I do not work for either company. Nevertheless, I can corroborate these comments, but not on a public forum. Not much interested in a private forum either. I'll just say that insider threat analysis and mitigation is VERY important when TCS is something you are forced to use.
@GossiTheDog K. Krithivasan, also known as Krithi, aka the face of quality IT, that you can trust.
Hash tag
These Indian, "IT", call centers probably do double time as scamming operations.
Hilarious twist would be that it was an inside job, faked to look like a compromise.
Why does an offshore call center even have access to administrator passwords?
Joe Woods
kajer
K. Reid Wightman 
🌻 
Viss
thedæmon
eternalyperplxed
BrianKrebs
Kevin Beaumont
penguin42
Estiqaatsi
Luna D Dragon
AnneH
fuzzyfuzzyfungus
RichBartlett 
Grievous Angel
Simon Zerafa
RootWyrm 🇺🇦
Dave 🐶
Sten Eikrem
Tony
bytebro
Mark T. Tomczak
Andy Davies
Mark Bryant
arcayr
Brian Clark
Colin Haynes
Einhörnchen
Mike
Resuna