𝒟𝒶𝓃𝒾𝑒𝓁 (@eyeTSystems)

90K posts
@[email protected] : InfoSec manager for big transport company. Former AppSec for enterprises, and cyber/sys eng consultant for small business in SA.

South Australia, Australia. Joined September 2011
537 Following, 337 Followers
𝒟𝒶𝓃𝒾𝑒𝓁 (@eyeTSystems):
@manjusrii By way of comparison, this paragraph tells much of the story, but only if you already know the answer. "ChatGPT is bullshit" walks you through the philosophical and linguistic nuance to get to the conclusion. I can't believe I'm spending the time on X to say how much I like a paper.
𝒟𝒶𝓃𝒾𝑒𝓁 (@eyeTSystems):
@manjusrii Yes, we can, and should. I've read that paper properly twice today, and while it smacks of a 20-year-old extracting the urine for a sweary title, it also has some really good points. Impressed by how well it explains the conclusions. Excluding the hard bullshit parts, 10/10.
𝒟𝒶𝓃𝒾𝑒𝓁 (@eyeTSystems):
@GodlyTrident @GossiTheDog @helvetehansen Nope. If that were all security needed, we would have been unemployed a long time ago. It’s missing the two biggest issues we’re going to continue to face in the medium term, being AI and supply chain. Neither are solved problems, neither will be solved with SE or netflow.
Trident (@GodlyTrident):
@GossiTheDog @helvetehansen Modern security is basically about traffic monitoring and preventing people from falling into social engineering traps. I mean, people are even storing their enterprise passwords in browser and third party apps and other personal info.
Matt Zorich (@reprise_99):
We are often engaged with organizations that have lost complete control of their Microsoft Entra ID tenant. I wrote a comprehensive blog post on lessons learned from real-world engagements to try to help reduce the risk of the same happening to you: microsoft.com/en-us/security…
Road 0f Excess (@Palace0fWisdom):
@eyeTSystems @blackroomsec You can still have password lockout and with a complex password if you have a written policy that X lockouts equals a phone call or other direct contact, I’d say it’s mitigated.
BlackRoomSec (@blackroomsec):
I have, perhaps, a dumb question to ask. Two, if you'll indulge me. Why is the password in every breach something simple? I don't think it's all laziness. I could be wrong, but it just seems to me that everyone just assumes it's laziness and that there aren't other factors involved, so they never look for any other explanation. Isn't that also being lazy? I think if they did, and they found it wasn't laziness, and let's say out of every 100 breaches they shared a common reason, we could try to fix that problem? My second question is: how are all these orgs that have breaches, with simple-to-guess passwords being part of the foothold which got them jacked, passing audits? I don't want to sound like I'm holding a grudge, but my experience with MSPs that package in cybersecurity compliance training and resources with monthly services is that they don't really know what they're doing all the time. At what point do they get held accountable for telling a client they passed with flying colors, and then six months later we find out the client got hacked and the password is, oh let's live a little, rockyou. 😳 I'm not trying to start trouble here, but I'm really curious: is anybody else out there concerned that this keeps happening? And I don't mean from a cyber security perspective, I mean from a common sense one.
𝒟𝒶𝓃𝒾𝑒𝓁 (@eyeTSystems):
@blackroomsec @BDess82 Couldn’t agree more. Controls are Physical, Technical and Administrative. If a control is not technical or physical, it’s voluntary, and compliance needs to recognise that.
BlackRoomSec (@blackroomsec):
@BDess82 Then that's not an audit but the honor system and defeats the purpose of one.
𝒟𝒶𝓃𝒾𝑒𝓁 (@eyeTSystems):
@blackroomsec @Palace0fWisdom This one is difficult - it’s not usually stating that this methodology is implicitly removing offline brute force as a risk. If you’re consciously accepting this class of risk as being of little importance for your org, fine… but it’s often lost in the conversation.
BlackRoomSec (@blackroomsec):
You're correct. NIST r5 and the Microsoft security baseline, to name two compliance standards, no longer recommend password rotation because of the reasons you state, only in the event of breach now. MSPs haven't caught on, hence why I mentioned they don't know. It's a problem for me because they're advertising cybersec services and expertise.
𝒟𝒶𝓃𝒾𝑒𝓁 (@eyeTSystems):
@troyhunt @stripe Reimbursement still gives Finance control of purchases. It’s not ideal, and exceptions “can” be made, but it has to be for a valuable service, and pre-approved for SaaS and similar.
𝒟𝒶𝓃𝒾𝑒𝓁 (@eyeTSystems):
@troyhunt @stripe
- Tickets: PO
- Lunch: Directors have a card if they’re invited, otherwise reimbursement
- Taxi/meals: reimbursement
- Hotels: booked by admin on our behalf
In our case it’s all about control. Only approvers can ask for a PO to be raised. Card purchases by director only.
Troy Hunt (@troyhunt):
We often receive comments to the effect of “we want to purchase a @haveibeenpwned subscription but our company doesn’t allow us to use a credit card”. What is the financial reason behind this? This is a very small portion compared to those that *do* pay by card, but why is this?
𝒟𝒶𝓃𝒾𝑒𝓁 (@eyeTSystems):
@andreamatranga Got to say, as someone who has been adjacent to a project in this space, nobody, and I mean nobody is actually giving a shit - there’s no money in traditional business cases to develop the app… Follow up question, how bad is it? GTFS seems to be OK from my basic analysis??
Andrea Matranga 🇺🇦🌻 (@andreamatranga):
It's pretty clear that nobody involved with Google Maps development ever walks anywhere or takes public transit. I think a maps app that took these use cases seriously could really prosper.
Troy Hunt (@troyhunt):
Twice in the last day, I’ve had someone call me and say “I missed a call from this number”. Both Aussies, both sound legit and both suggesting outbound spam calls have spoofed my number. I still have full control of the number (not SIM hijacked), ideas? @Telstra?
𝒟𝒶𝓃𝒾𝑒𝓁 (@eyeTSystems):
@MalwareJake You’re not wrong. But in businesses that are still maturing, it does provide 95% of the log data that is required, for endpoints with the agent installed. It’s not the only log location, nor the only control, but it’s OK. As long as the org understands their blind spots.
Jake Williams (@MalwareJake):
Repeat after me: EDR (or XDR, whatever someone defines that as) is *not* a SIEM replacement. If someone is claiming this, they either misunderstand the situation or they're trying to sell you EDR...