Overclockers Australia Forums


Overclockers Australia Forums > Specific Hardware Topics > Business & Enterprise Computing

Old Today, 11:06 AM   #24391
elvis Thread Starter
Old school old fool
Join Date: Jun 2001
Location: Brisbane
Posts: 28,909

Quote:
Originally Posted by PabloEscobar View Post
Serious question, as I've never (and hope never to have to) gone through it, but what's the process of getting a system back up if Tall Jan (who is malicious) has Domain Admin?

If I nuke the lot and start from scratch?
How do I know my point in time backups haven't been backdoored?
Is there any way to say, with any real certainty "Russia doesn't have my shit anymore?"
I happen to know a bloke who's pretty good at replacing corporate Windows setups with Linux setups. PM me if you want deets.
__________________
Play old games with me!
Old Today, 11:09 AM   #24392
Foliage
Member
Join Date: Jan 2002
Location: Sleepwithyourdadelaide
Posts: 31,704

Quote:
Originally Posted by elvis View Post
I happen to know a bloke who's pretty good at replacing corporate Windows setups with Linux setups. PM me if you want deets.
A Windows network team being suddenly put in charge of a Linux setup would be even more of a disaster. Imagine all of the things that they would break!
__________________
You know, if you watch Titanic backwards, it's actually a heart warming tale of a ship that jumps out of the water and saves lots of drowning people.
Old Today, 11:09 AM   #24393
elvis Thread Starter
Old school old fool
Join Date: Jun 2001
Location: Brisbane
Posts: 28,909

Quote:
Originally Posted by Foliage View Post
A Windows network team being suddenly put in charge of a Linux setup would be even more of a disaster. Imagine all of the things that they would break!
Same bloke I mentioned above is pretty good at training/replacing those folk.
__________________
Play old games with me!
Old Today, 11:19 AM   #24394
PabloEscobar
Member
Join Date: Jan 2008
Posts: 9,280

Quote:
Originally Posted by elvis View Post
I happen to know a bloke who's pretty good at replacing corporate Windows setups with Linux setups. PM me if you want deets.
Egads man, it's not even Friday yet.

My post was Windows-centric, because that's what my frame of reference is, but swap a few words around and the same questions are valid in any environment. If you lose the keys to the kingdom, how do you ever ensure the security of said kingdom ever again?

At least it wasn't Mint hosting pre-owned ISOs.
Old Today, 11:34 AM   #24395
millsy_c
Member
Join Date: Mar 2007
Location: Brisbane
Posts: 10,981

Quote:
Originally Posted by PabloEscobar View Post
If we accept that the ransomware was just a cover, and it was basically a big fuck-you (sub-$10K return on something like this is terrible monetization) from Russia to the Ukraine. So now we've got unrelated companies dealing directly with the fallout of an attack by a state-based actor, something we've not really had in the past.

This is why I'm not sure the mossad/not mossad argument holds water anymore.

In the past, if you weren't going to be targeted by a state-based actor, you could be pretty lax. Since yesterday... not so much.
I suppose targeted is the operative word here, a lot of this seems to be accidental fallout rather than targeted attacks. Mossad / not mossad to me is the TTP of the attack rather than the outcome. Plausible deniability works nicely in this aspect where they can go 'hell man if it was us as if we'd be dumb enough to infect xxx,xxx pc's we weren't aiming for.' %presidential tampering quip%

Mossad means you're fully patched, generally well maintained and monitored, and your network is still going to leak data / blow centrifuges, and you probably won't notice they got in.

Not Mossad means some skiddie leverages work of very clever people and Wannacry's the world. This sits somewhere in the middle, but no way would I describe the overall impact of this as being 'mossad'.

Quote:
Originally Posted by PabloEscobar View Post
Egads man, it's not even Friday yet.

My post was Windows-centric, because that's what my frame of reference is, but swap a few words around and the same questions are valid in any environment. If you lose the keys to the kingdom, how do you ever ensure the security of said kingdom ever again?

At least it wasn't Mint hosting pre-owned ISOs.
Instant agile patching devops cloud scale methodology my man

https://github.com/ChALkeR/notes/blo...credentials.md
__________________
Quote:
Originally Posted by Luke212 View Post
You are talking like an expert beginner. Talk less and listen more.

Last edited by millsy_c; Today at 11:37 AM.

Old Today, 11:38 AM   #24396
PabloEscobar
Member
Join Date: Jan 2008
Posts: 9,280

I guess targeted vs not targeted is still a point of difference.

But I'm viewing it from a Malware point of view.

Script Kiddy Malware - Wannacry - Not Mossad - Patch regularly all good.
Nation State Malware - 0 day/Supply Chain - Mossad - Fucked either way.

In this case, we regular sysadmins are dealing with the fallout from nation-state malware, and while having decent processes and procedures in place stops the lateral movement of this one, it only takes one mistake (or one shitty app) to get your whole environment owned. This hasn't been the case in the past, but more and more will be the case in the future.

Old Today, 11:46 AM   #24397
connico
Member
Join Date: Jan 2004
Location: Sydney
Posts: 2,318

Quote:
Originally Posted by PabloEscobar View Post
Egads man, it's not even Friday yet.

My post was Windows-centric, because that's what my frame of reference is, but swap a few words around and the same questions are valid in any environment. If you lose the keys to the kingdom, how do you ever ensure the security of said kingdom ever again?

At least it wasn't Mint hosting pre-owned ISOs.
Change the locks on all windows and doors... :P
__________________
www.shoepolish.net.au

Old Today, 11:47 AM   #24398
elvis Thread Starter
Old school old fool
Join Date: Jun 2001
Location: Brisbane
Posts: 28,909

Quote:
Originally Posted by PabloEscobar View Post
Egads man, it's not even Friday yet.
This is 2017. We're agile. Every day is shitposting day. If you're not shitposting 24x7, you'll be replaced by a shitposting AI bot who'll do a better job than you can ever hope to.

Quote:
Originally Posted by PabloEscobar View Post
My post was Windows-centric, because that's what my frame of reference is, but swap a few words around and the same questions are valid in any environment. If you lose the keys to the kingdom, how do you ever ensure the security of said kingdom ever again?
Sure, but my "secret gubment back door NSA north korea pwn my networkz" paranoia is substantially lower for Debian, Ubuntu and RedHat than it is for Windows, talking about "fresh out of the box". All touchy-feely perception-of-trust discussion, but it's still the case for me.

Additionally, just from a "what's the popular target right now?" point of view, Linux is "safer". People are writing Petya et al for Windows because it's the popular target. And sure, it's somewhat "security by obscurity", but it's one less thing that can get pwned if you're not running the target OS of choice.

Quote:
Originally Posted by PabloEscobar View Post
At least it wasn't Mint hosting pre-owned ISOs.
I know a guy who can set up network deployment that checks package signing on a per-package basis both at install time and on a periodic basis post-install (via upstream checking as well as local tripwire checking), and doesn't require dodgy/legacy ISOs. PM me for deets.
__________________
Play old games with me!
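Two things in this thread can actually be checked by machine, and they are the same check at different layers: PabloEscobar's "how do I know my point-in-time backups haven't been backdoored?" and the periodic post-install verification elvis describes. Install-time signature checks are already done by the package tooling (apt refuses an unsigned or mis-signed Release file; `rpm --checksig` and `rpm -Va` on the RPM side, `debsums` on Debian), but those verify against a database that lives on the same host the attacker owns. What a signed baseline adds is an answer to "has this tree or backup set changed since the baseline was taken?" that cannot be forged without a key held off the compromised domain. It does not prove the baseline itself was clean; that is the honest limit on the backup question. The script below is an added example written for this thread, not code from any poster or project; the file tree, the key and the tamper steps are constructed for the demo.

```python
"""Signed integrity manifest: baseline a tree once, verify it later.

Added example, not from the thread. Assumes the HMAC key is stored OFFLINE
(a box not joined to the domain): if the attacker who owns the domain can
read the key, the signature proves nothing.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def hash_tree(root: str) -> dict:
    """Return {relative_posix_path: sha256hex} for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            if full.is_symlink():
                # record a symlink by its target, not by the target's content
                manifest[rel] = "symlink:" + os.readlink(full)
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Canonical JSON body plus an HMAC-SHA256 tag on its own trailing line."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"\n" + tag.encode()


def load_signed_manifest(blob: bytes, key: bytes) -> dict:
    """Check the tag BEFORE trusting anything inside the manifest."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag.decode(errors="replace")):
        raise ValueError("manifest signature mismatch: the manifest itself was altered")
    return json.loads(body)


def verify_tree(root: str, blob: bytes, key: bytes) -> dict:
    """Diff the live tree against the signed baseline."""
    baseline = load_signed_manifest(blob, key)
    current = hash_tree(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def demo() -> dict:
    """Baseline a constructed tree, tamper with it, re-verify, then try a forged manifest."""
    key = b"offline-key-kept-off-the-domain"  # assumption: lives outside the kingdom
    with tempfile.TemporaryDirectory() as root:
        Path(root, "bin").mkdir()
        Path(root, "bin", "sshd").write_bytes(b"legit sshd binary")
        Path(root, "etc").mkdir()
        Path(root, "etc", "sudoers").write_text("root ALL=(ALL) ALL\n")
        blob = sign_manifest(hash_tree(root), key)  # taken while the tree is trusted
        clean = verify_tree(root, blob, key)
        # Attacker with root edits sudoers and drops an extra binary.
        Path(root, "etc", "sudoers").write_text("root ALL=(ALL) ALL\nattacker ALL=(ALL) NOPASSWD: ALL\n")
        Path(root, "bin", "helper").write_bytes(b"backdoor")
        tampered = verify_tree(root, blob, key)
        # Attacker re-baselines the tampered tree but does not have the offline key.
        forged = sign_manifest(hash_tree(root), b"wrong-key")
        try:
            verify_tree(root, forged, key)
            forged_accepted = True
        except ValueError:
            forged_accepted = False
    return {"clean": clean, "tampered": tampered, "forged_accepted": forged_accepted}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real root with `hash_tree("/usr")` after a fresh install, keep the signed blob and the key on write-once or off-domain storage, and re-run `verify_tree` from cron; the same three functions work on a mounted backup set to show whether it has changed since it was written.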
Old Today, 11:51 AM   #24399
PabloEscobar
Member
Join Date: Jan 2008
Posts: 9,280

Quote:
Originally Posted by connico View Post
Change the locks on all windows and doors... :P
The locksmith is part of the kingdom.

All of their locks have been secretly modified so that the evil persons keys open them.

Old Today, 11:52 AM   #24400
connico
Member
Join Date: Jan 2004
Location: Sydney
Posts: 2,318

Quote:
Originally Posted by PabloEscobar View Post
The locksmith is part of the kingdom.

All of their locks have been secretly modified so that the evil persons keys open them.
Change the doors and the windows... behead the locksmith and find alternatives (plural)
__________________
www.shoepolish.net.au

Old Today, 11:56 AM   #24401
millsy_c
Member
Join Date: Mar 2007
Location: Brisbane
Posts: 10,981

Quote:
Originally Posted by PabloEscobar View Post
The locksmith is part of the kingdom.

All of their locks have been secretly modified so that the evil persons keys open them.
The IAM gods open their arms to welcome you into their warm embrace

Quote:
Originally Posted by PabloEscobar View Post
I guess targeted vs not targeted is still a point of difference.

But I'm viewing it from a Malware point of view.

Script Kiddy Malware - Wannacry - Not Mossad - Patch regularly all good.
Nation State Malware - 0 day/Supply Chain - Mossad - Fucked either way.

In this case, we regular sysadmins are dealing with the fallout from nation-state malware, and while having decent processes and procedures in place stops the lateral movement of this one, it only takes one mistake (or one shitty app) to get your whole environment owned. This hasn't been the case in the past, but more and more will be the case in the future.
For what it's worth, ransomware almost certainly will come more frequently with mimikatz + psexec options for lateral movement in the future, run admins in your environment at your peril! I'm keen on seeing how this ransomware spread so broadly.
__________________
Quote:
Originally Posted by Luke212 View Post
You are talking like an expert beginner. Talk less and listen more.
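millsy_c's "mimikatz + psexec" point, sketched as detection logic. The following is an added example, not from any poster; the event records are constructed (a trimmed subset of the fields in Security 4624 and System 7045 events, not real logs), and the privileged-account list, the `WS-` workstation naming and the thresholds are assumptions to swap for your own. Three rules: a service-install event whose name or binary looks like the PsExec family; one account from one source host doing network logons to several hosts in a short window (the credential-reuse fan-out that turns one owned laptop into everything); and a privileged account with an interactive or RDP logon on a workstation, which is what leaves reusable credentials in LSASS for mimikatz in the first place. The name match is the weakest of the three (`psexec -r` renames the service); the other two survive that.

```python
"""Spot PsExec-style lateral movement in Windows event samples.

Added example, not from the thread. EVENTS is CONSTRUCTED: a laptop whose
cached admin creds were dumped is authenticating to servers over SMB and
installing a remote-exec service on each one.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for the demo: replace with your own tier-0 list and host naming.
PRIVILEGED = {"CORP\\admin.jan", "CORP\\backupsvc"}
PSEXEC_NAMES = ("psexesvc", "paexec", "csexecsvc")

EVENTS = [
    # An admin RDPs onto a laptop earlier in the day: creds now cached in its LSASS.
    {"ts": "2017-06-27T09:58:00", "host": "WS-LAPTOP07", "id": 4624, "user": "CORP\\admin.jan",
     "logon_type": 10, "src_host": "WS-ADMIN01"},
    {"ts": "2017-06-27T10:30:01", "host": "SRV-FILE01", "id": 4624, "user": "CORP\\backupsvc",
     "logon_type": 3, "src_host": "WS-LAPTOP07"},
    {"ts": "2017-06-27T10:30:02", "host": "SRV-FILE01", "id": 7045, "user": "CORP\\backupsvc",
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2017-06-27T10:30:40", "host": "SRV-APP02", "id": 4624, "user": "CORP\\backupsvc",
     "logon_type": 3, "src_host": "WS-LAPTOP07"},
    {"ts": "2017-06-27T10:30:41", "host": "SRV-APP02", "id": 7045, "user": "CORP\\backupsvc",
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2017-06-27T10:31:15", "host": "DC01", "id": 4624, "user": "CORP\\backupsvc",
     "logon_type": 3, "src_host": "WS-LAPTOP07"},
    {"ts": "2017-06-27T10:31:16", "host": "DC01", "id": 7045, "user": "CORP\\backupsvc",
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    # Benign noise: a normal user opening one file share, a vendor agent install.
    {"ts": "2017-06-27T10:32:00", "host": "SRV-FILE01", "id": 4624, "user": "CORP\\alice",
     "logon_type": 3, "src_host": "WS-PC12"},
    {"ts": "2017-06-27T10:33:00", "host": "SRV-APP02", "id": 7045, "user": "CORP\\svc.deploy",
     "service": "VendorAgent", "image": "C:\\Program Files\\Vendor\\agent.exe"},
]


def service_install_alerts(events):
    """7045 (System log, new service) whose name or binary is PsExec-family."""
    out = []
    for e in events:
        if e["id"] != 7045:
            continue
        name, image = e["service"].lower(), e["image"].lower()
        if name in PSEXEC_NAMES or any(n in image for n in PSEXEC_NAMES):
            out.append({"rule": "psexec_service", "host": e["host"], "user": e["user"], "ts": e["ts"]})
    return out


def fanout_alerts(events, window=timedelta(minutes=5), threshold=3):
    """One (account, source host) doing 4624 type-3 logons to >= threshold
    distinct targets inside `window`: credential reuse across the estate."""
    by_actor = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 3:
            by_actor[(e["user"], e["src_host"])].append((datetime.fromisoformat(e["ts"]), e["host"]))
    out = []
    for (user, src), logons in by_actor.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            targets = {h for t, h in logons[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                out.append({"rule": "fanout", "user": user, "src_host": src, "targets": sorted(targets)})
                break  # one alert per actor is enough
    return out


def cached_cred_alerts(events, workstation_prefix="WS-"):
    """Privileged account with an interactive/RDP logon (types 2, 10, 11) on a
    workstation: reusable creds are now in that box's LSASS for mimikatz."""
    return [
        {"rule": "admin_creds_on_workstation", "host": e["host"], "user": e["user"], "logon_type": e["logon_type"]}
        for e in events
        if e["id"] == 4624 and e["logon_type"] in (2, 10, 11)
        and e["user"] in PRIVILEGED and e["host"].startswith(workstation_prefix)
    ]


def run_all(events=EVENTS):
    """Run every rule and group the alerts by rule name."""
    return {
        "psexec_service": service_install_alerts(events),
        "fanout": fanout_alerts(events),
        "admin_creds_on_workstation": cached_cred_alerts(events),
    }


if __name__ == "__main__":
    for rule, alerts in run_all().items():
        print(rule, len(alerts), alerts)
```

Feed it real events by mapping your log pipeline's 4624/7045 fields onto the same keys; the fan-out window and threshold are where tuning lives, and the rule should ignore accounts that legitimately touch many hosts (vulnerability scanners, monitoring) rather than raising the threshold for everyone.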
Old Today, 12:13 PM   #24402
PabloEscobar
Member
Join Date: Jan 2008
Posts: 9,280

Quote:
Originally Posted by millsy_c View Post
For what it's worth, ransomware almost certainly will come more frequently with mimikatz + psexec options for lateral movement in the future, run admins in your environment at your peril! I'm keen on seeing how this ransomware spread so broadly.
Yeah, from a dodgy M.E.Doc update to a global "we fuck your shit up" in one easy step...

I too am very interested in seeing how this jumped from Ukraine to all the things.

There was talk of E-mails laced with CVE-2017-0199 exploits, but I've not seen any hit our filters. (which is unlikely, given how many lists our public e-mail addresses are on).

Cred theft was always going to be a game changer. We've got backup agents that run with elevated network privileges on a few laptops... if they get owned, it can be onwards and upwards...

All times are GMT +10. The time now is 12:13 PM.


Powered by vBulletin® Version 3.8.9
Copyright ©2000 - 2017, vBulletin Solutions, Inc.
OCAU is not responsible for the content of individual messages posted by others.
Other content copyright Overclockers Australia.
OCAU is hosted by Micron21!