DR.Williams

983 posts


@williamsdr

It's later... I'm dipping my toes in again. Translating business security needs into proposals for business investments to reduce risk.

Connecticut, USA · Joined February 2009
4.4K Following · 470 Followers
DR.Williams
DR.Williams@williamsdr·
@MaceMoneta @NanouuSymeon I figured someone had to post this! I didn't even bother. I didn't have the need or use case that couldn't be solved in FORTRAN.
• nanou •
• nanou •@NanouuSymeon·
Good morning Developers 🙏 🌄 Which one is the most difficult programming language?
DR.Williams
DR.Williams@williamsdr·
@NanouuSymeon The one you're currently studying. (Although my brain took a while to understand how anything worked in Prolog.)
ClaudiaTheDev
ClaudiaTheDev@ClaudiaTheDev·
@NanouuSymeon Maybe not "most difficult", but by far the most annoying and tedious I did so far was Assembler.
DR.Williams
DR.Williams@williamsdr·
@gl0omsec @blackroomsec and keep them forever! Somewhere I saw a maxim to the effect: "incidents typically start days before the earliest available log".
BlackRoomSec
BlackRoomSec@blackroomsec·
No, but I have been the recipient of a wildly incorrect report from an MSP which claimed a user whose MFA token was stolen was the victim of a "rogue hacker WiFi network" they said was illegally and brazenly operating out of JFK airport. Stop laughing and stay with me, please. ✋ BRS Story Hour is now.

I used this as an educational opportunity. It's important to note here that this kind of report is going to be given to whomever is in charge of the org, because someone was hacked and that's a problem. However, the very first thing you should do if someone in your org is hacked is not panic, and you need to find out how that happened. How you do that is you work backwards from reports. The final report you receive literally needs to walk you through the how of it and not the why. You don't know why and it doesn't matter why. At the very least it needs to be accurate and provable. Or, I should say, reproducible. We cannot react to a hunch.

Before I went to JFK airport and did battle with this mysterious and elusive hacker who was committing all sorts of state and federal crimes in theory, I asked the MSP to produce for me an attack path report with TTPs (Tools, Tactics, Procedures). It can be built for free in MITRE's Attack Builder tool. My first inclination that the person who wrote the report probably should not have been the one to do so is that they had never heard of the tool. And that's okay, because there was a day where I didn't know about the tool either, but again this is a real-life scenario and there are real-world stakes here, so it has to be accurate. I briefly educated them on where they could find the tool and asked them to produce it as soon as they could. I then waited. Five days passed. In that time I wrote my own report explaining how the scenario presented by the MSP was likely impossible, and I outlined why that was impossible.

Regardless of whether there actually was a rogue Wi-Fi device intercepting network traffic at JFK airport, in what we call a man-in-the-middle attack (MitM) or adversary-in-the-middle attack (AitM), what cannot be explained by the rogue device is the multi-factor token being lifted. As that is the primary vector (how the user's account was hacked), meaning how the hacker got in because multi-factor was in place and enforced, the MSP needs to show the exact way in which that occurred. There are a finite number of ways in which the token could be taken based on the SaaS platform used. Where it happened is also very important, and in this case the where is the platform in place. And none of those ways have anything to do with wireless networking. They also do not account for a 15-minute time window where the user was in JFK airport and then got on a plane. This is a very narrow time window and the hacker would have been very lucky, but it doesn't account for the token and it needed to. In my report I presented the more likely scenario that an EvilGINX server was the culprit, and I also presented likely proof from audit logs where the user accessed that server, as it was an IP that I did not recognize.

In IT and in cybersecurity, time is a very important unit of measure. It tells you when something happened. As a side note, in your network map or your IT dept materials there should be a page with your universal time written on it, so that when you're looking at logs you can convert the cloud time in the log to the time you're more familiar with. In my case it's EST. The person at the MSP was not familiar with this, so they were looking at logs initially 5 hours later than when the attack initially occurred, and they did not see the IP address that I did as a result. I should also point out that those five hours were the next day, and their entire report was further wrong because they said it happened on a Tue when it actually happened on a Mon. Part Two in replies.
mRr3b00t@UK_Daniel_Card

Have you ever been cyber attacked when using public / coffee shop WiFi? (Only answer yes if you had proof vs suspected please)

DR.Williams
DR.Williams@williamsdr·
@blackroomsec There's one indicator this story is made up! No one is in JFK for only 15 minutes before boarding a plane! Not even the pilot/captains! Everything else seems plausible. Thanks for sharing.
BlackRoomSec
BlackRoomSec@blackroomsec·
Part Two

When the MSP representative called me 5 days later they admitted that the tool was difficult for them, as they had never used it before. I reassured them that their ignorance of it was immaterial and I would be happy to show them on a video call. I then shared my screen and taught them how to use it, without embarrassing them, because that wasn't the point of this and I didn't want to turn them into an enemy. When we got to the part of how the multi-factor token was taken they paused and said they didn't know how that occurred. I explained that we needed to account for how it occurred, otherwise the account was not hacked. Meaning that in the report we needed to show that the account would not have been breached had the multi-factor token not been taken, and since it was, we couldn't overlook that and not explain it. That it was a very important part of the breach. That it was the underlying reason for the breach and couldn't therefore be discounted. I said, if you take out the multi-factor token being stolen, how did the hacker get into the email account? I reminded them that multi-factor was enforced and that the user did not receive a message on their device asking them to allow the login. They said it couldn't be hacked if the multi-factor token wasn't taken. I said correct, but it was. I then asked them how a hacker could lift a multi-factor token just by intercepting wireless traffic alone, and in this user's case within 15 minutes of only being in JFK airport, and pointed out that the hacker got into the user's account before the user was ever in the airport, which made their theory of the rogue wireless device moot. They said they didn't know, and I said that a hacker can't intercept a multi-factor token just by spying on your wireless traffic; there needs to be software in place specifically geared towards lifting a multi-factor token, as it needs to leverage misconfigurations in the platform the account being targeted is on.

I then brought up Microsoft's Token Tactics article to show them how the attack likely occurred, as it lays out what needs to be in place, or in other words the configurations that need to be in place, for the user to be hacked in this manner. I then verified that one of those configurations was actually in place and explained why something not being turned off by the MSP caused the email account to be breached. And then, focusing on the audit logs, I explained the cloud time server difference from where we were and showed the initial time that the hacker got into the account, which was 5 hours earlier than the representative was aware of and the user physically being in the airport. I then asked them, with this new information, to produce the attack path report, and that they would have an easier time of it since it now accounted for the stolen token. They thanked me for my time and teaching them and produced the proper report which accounted for reality. I should say that this person was not a pentester, and the MSP probably should have had them shadow one so they could learn proper incident response procedures before allowing them to submit an incorrect report to me, but that's all water under the bridge.

The moral of the story is that trained cybersecurity professionals are necessary, and you and anyone you know were probably never hacked because of public Wi-Fi. Like Dan, I've really never heard of this happening. It has never happened to me or any user I've ever encountered. If you were hacked, you were probably hacked because you used the same password over many accounts; the platforms you use either don't allow you to have what's called session expiry on multi-factor tokens, or you aren't aware that this option exists and it's not turned on; your users aren't educated to not input credentials in websites that appear to be legitimate but actually aren't; and a whole host of other issues. Your ignorance is what the bad actors are banking on. That's how they succeed.
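The time-zone trap in the two posts above (cloud audit logs are stamped in UTC, the analyst thinks in EST, and a sign-in that is Tuesday in UTC is still Monday evening locally) is easy to automate away. The following is an added example, not code from BlackRoomSec or any other poster in the thread: it parses a constructed three-line audit log, converts each UTC timestamp to the analyst's local zone, and returns the earliest successful sign-in from an IP outside an assumed list of known egress ranges. The log lines, user, IP addresses and the known-network list are all constructed for illustration.

```python
"""Added example: normalise UTC audit-log timestamps to the analyst's local
zone and flag sign-ins from unknown source IPs. Not code from the thread."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# The thread's "EST". Prefer the IANA zone (DST-aware); fall back to a fixed
# UTC-5 offset on hosts without a tz database.
try:
    from zoneinfo import ZoneInfo
    LOCAL_TZ = ZoneInfo("America/New_York")
except Exception:  # ZoneInfoNotFoundError or missing module
    LOCAL_TZ = timezone(timedelta(hours=-5), "EST")

# Constructed sample audit log (not real data):
# utc_timestamp,user,source_ip,outcome. Line 2 is the one a UTC/EST mix-up
# hides: 02:30 Tuesday in UTC is 21:30 Monday in New York.
SAMPLE_LOG = """\
2024-01-15T20:10:44Z,user@example.com,192.0.2.10,Success
2024-01-16T02:30:05Z,user@example.com,198.51.100.7,Success
2024-01-16T14:05:22Z,user@example.com,192.0.2.10,Success
"""

# Assumed list of the org's known egress ranges (RFC 5737 documentation space).
KNOWN_NETWORKS = [ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class SignIn:
    utc: datetime      # as logged by the cloud platform
    local: datetime    # the same instant in LOCAL_TZ, for the human reader
    user: str
    source_ip: str
    outcome: str


def parse_log(text: str, local_tz=LOCAL_TZ) -> list[SignIn]:
    """Parse the CSV-style lines, keeping UTC and adding a local-time view."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(",")
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        ts, user, ip, outcome = parts
        # A trailing 'Z' means UTC; attach tzinfo so astimezone() is unambiguous.
        utc = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(SignIn(utc, utc.astimezone(local_tz), user, ip, outcome))
    return records


def is_known(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def unknown_signins(records: list[SignIn]) -> list[SignIn]:
    """Successful sign-ins from addresses outside the known ranges."""
    return [r for r in records if r.outcome == "Success" and not is_known(r.source_ip)]


def earliest_unknown(records: list[SignIn]) -> SignIn | None:
    """The first suspicious sign-in; this, not the analyst's local clock,
    sets the start of the incident timeline."""
    hits = unknown_signins(records)
    return min(hits, key=lambda r: r.utc) if hits else None


def describe(r: SignIn) -> str:
    """Report both clocks side by side so the conversion is checkable."""
    return (f"{r.user} from {r.source_ip}: "
            f"{r.utc.strftime('%A %Y-%m-%d %H:%M')} UTC = "
            f"{r.local.strftime('%A %Y-%m-%d %H:%M %Z')}")


if __name__ == "__main__":
    first = earliest_unknown(parse_log(SAMPLE_LOG))
    print(describe(first))
```

Run it and the first unrecognised sign-in reports as Tuesday 02:30 UTC but Monday 21:30 EST, which is exactly the five-hour, previous-day slip the MSP made. Keep both values in any incident report so a reader can check the arithmetic: the converted one is for humans, the UTC one is what you correlate against other systems' logs.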
DR.Williams
DR.Williams@williamsdr·
@LogitechG define PC? Lunar Lander on an HP (3000 or 9000 family, I forget) ~1974. On a proper PC: Zork.
Logitech G
Logitech G@LogitechG·
What is the first PC game you remember playing?
DR.Williams
DR.Williams@williamsdr·
@JBlancarte_ @cybersecmeg I will go stand in the sunshine (when available) and stare at wildlife/plants. I've never thought to touch grass. It's now on my list. (It helps that grass is 50-100 ft away from the door. This is only 15 ft from the door. But I know better.)
Juan Blancarte
Juan Blancarte@JBlancarte_·
@cybersecmeg Whenever I’m feeling overwhelmed I’ll go outside and touch grass, literally and figuratively. Working remotely it can be hard to separate home from work but going outside always helps. 8-10 minutes to get some vitamin d.
meg west
meg west@cybersecmeg·
drop your top tips for helping/improving your mental health in the comments! i’ll start: accept that it’s okay - normal, even - to not spend all of your time in front of a screen. you don’t have to be practicing or studying cyber 24/7/365 in order to be successful in the field.
DR.Williams
DR.Williams@williamsdr·
@cybersecmeg Yes! Start by logging off. Give yourself time without the screen/keyboard. Especially at the start of your day - take time for yourself / family (esp. the furry kind).
DR.Williams
DR.Williams@williamsdr·
@nixcraft Yes. Clothing required, and special requirements for roles that work with hazardous materials (shoes, trousers that cover the tops of shoes).
nixCraft 🐧
nixCraft 🐧@nixcraft·
👔👞👗 🧑🏻‍💻 Does your office have a dress code?
BlackRoomSec
BlackRoomSec@blackroomsec·
Unpopular opinion, but this is when you start a Zoom and tell them to point the camera at the server, and then you tell them that it's not on, despite three people telling you it was, and then repeat that they need to turn it on, which was your original instruction that they didn't follow for some reason. I know. This is why I have no friends. 🤣
Lisa Forte
Lisa Forte@LisaForteUK·
Couldn’t have said it better
sergii
sergii@SergiiKirianov·
you code, no doubt, but do you code that hard?
TheMekon_Venus
TheMekon_Venus@TheMekon_Venus·
I can’t say I was a huge fan of Kodak floppies. They were just ok. What was the best brand?
DR.Williams
DR.Williams@williamsdr·
@SNicktendo Yes, I had one. I listened to the local college radio station!
DR.Williams
DR.Williams@williamsdr·
@qfgbook DCL, e.g.:
SET DEF [WILLIAMSDR]
CREATE/DIRECTORY [.WORK]
DIRECTORY /BY_OWNER