General InfoSec discussion

Discussion in 'Business & Enterprise Computing' started by Gunna, Nov 18, 2019.

  1. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    15,070
    Location:
    Canberra
No, all packets should be coming from the VPN interface.

    Once your VPN is established, packets coming in on the unsecured interface should be dropped (the VPN itself being an already established connection is the exception).

If you allow non-secure routes on your VPN profiles (which is bad practice anyway), there are many other ways to be pwned than this new vuln.
     
  2. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    760
    Location:
    ork.sg
Darktrace, as mentioned above, can be nice. But it's very expensive, and would be close to the bottom of my list of 'things' to put in; fix the boring basics first. It looks pretty, but pretty means shit. I've POC'd it at multiple places over the space of 3 years and it's still not viable for 95% of places.
     
  3. wintermute000

    wintermute000 Member

    Joined:
    Jan 23, 2011
    Messages:
    2,540
I have seen at least 1 very big, very public kaboom brought on because a Darktrace 'network engineer' didn't even understand what a VLAN was and tried to smash it into a client's spaghetti network.

    As a packet pusher the concept of some rando box spoofing RST packets gives me the willies.

    Also as a packet pusher I'm firmly on the dumb core complex edge side of the argument, I'd rather see that kind of function distributed and not reliant on chokepoints or interception or even worse in the routing path (*cough firewalls cough*).
Extra irony points if the security guy who bought the thing is the same guy who insists that asymmetrical routing is the devil's work and that every segment must implement uRPF because that's what it says in his theoretical security courseware (OFC when your rando Darktrace box is spoofing packets with the client source headers... hahaha).

I mean you can say metadata all you want but TLS 1.3 will eat all middlebox vendors' lunches for starters, except for all those who have fully drunk the Palo etc. kool-aid doing full SSL decrypt, and even then they are throwing 48 cores on their middle-of-the-range low six-figure boxes alone, for example. Have you ever seen a ginormous ASX200 mob try to basically build their own service chain and then have it choke the fuck out of their network, never mind 10Gig interfaces lol, let alone 40Gb, when you've got firehoses' worth of internal DC traffic trying to smash its way through multiple packet brokers, IPS, etc. and then all that getting in the way of any kind of clean failover (is it the Gigamon? is it the FireEye? is it the IPS? is it the actual firewall? OK now let's look at the actual network... GAH). Aren't all cloud-friendly 12-factor apps encrypted at layer 7 for all internal calls?

Defence in depth, micro-seg the shit out of it (I don't give a shit if it's hypervisor/AWS SG/Azure NSG or client-based), least privilege, auth everything, avoid chokepoints and magic middleware boxes and anything hacky (like having a rando box spoof TCP resets). Shit, you might even be ready for zero-trust lol

    (I am not a security guy but I like to argue with them)

    I actually am curious if anyone in the real world (not Akamai blowing their own horn or a startup or a hyper-scaler with a gazillion dollars and the best brains that money can buy) can get to zero-trust in the near future.

re: the CVE, I agree with the post below in Bugzilla. I'll wait for the big boys (Palo, Cisco et al) to respond officially before I freak out.

    I mean read the contents. https://seclists.org/oss-sec/2019/q4/122
It's basically inferring the sequence numbers IF the attacker is controlling a local node (on the same LAN as the victim interface) and then it arbitrarily injects data - but there is nothing here to make that data valid, let alone compromise the integrity of IPsec. AND the attacker has to be on the same network as the interface.

The bit I'm not understanding is how they even deduce the 'virtual IP' - I mean at least with, say, ESP the entire payload should be encrypted? So the only IP addresses visible would be the outer SRC/DST, and so how would they spoof the inside IP without getting around the encryption? Unless this attack only works on AH? The entire CVE only gives OpenVPN as an example - even then I'm not understanding how they are attacking the inside 'virtual IP' 10.8.x.x directly without first encapsulating in the real 192.168.12.x destination IP? (I get that the MAC is in the frame so it would be looked at regardless)

EDIT: on re-reading it I think that's the point, it's just spoofing and the OS stacks are too dumb to flat out ignore it as they should; also explains why it has to be L2 adjacent so it can hit it with the MAC address even though the IP is 'invalid'
     
    Last edited: Dec 15, 2019
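The filtering that post 1 (drop anything on the unsecured interface that isn't the established VPN session) and the EDIT above (the stack should flat out ignore a packet for the tunnel IP that arrives on the LAN) are both getting at, as an added Python model rather than anything from the thread or the linked advisory: a reverse-path check in the style of Linux's net.ipv4.conf.*.rp_filter sysctl (0 off, 1 strict, 2 loose; the oss-sec post linked above discusses this setting) plus a strong-host check that the destination must be an address of the receiving interface. The routing table, interface names and addresses are constructed; the spoofed packet is the shape described above, inner VPN addresses delivered straight to eth0 by an L2-adjacent host.

```python
"""Ingress checks a host can apply to a packet arriving on an interface.

Added model for this thread (not the advisory's code, not a real stack):
a reverse-path check in the style of Linux's net.ipv4.conf.*.rp_filter
(0 off, 1 strict, 2 loose) and a strong-host check that the destination
must be an address of the receiving interface. Routing table, interface
names and addresses are constructed.
"""
import ipaddress

# Constructed routing table: (prefix, egress interface). The VPN's virtual
# subnet is behind tun0; the LAN and the default route are on eth0.
ROUTES = [
    ("0.0.0.0/0", "eth0"),
    ("192.168.12.0/24", "eth0"),
    ("10.8.0.0/24", "tun0"),
]

# Addresses configured on each interface (constructed).
IFACE_ADDRS = {
    "eth0": {"192.168.12.23"},   # LAN address; the VPN transport runs over it
    "tun0": {"10.8.0.12"},       # the client's 'virtual IP' inside the VPN
}


def route_lookup(addr):
    """Longest-prefix match against ROUTES; returns the egress interface."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def rp_filter_ok(src, in_iface, mode):
    """Reverse-path check. Strict (1): the route back to src must leave via
    the interface the packet came in on. Loose (2): any route to src will do.
    Off (0): no check at all."""
    if mode == 0:
        return True
    back = route_lookup(src)
    if back is None:
        return False
    return back == in_iface if mode == 1 else True


def strong_host_ok(dst, in_iface):
    """Strong host model: dst must be one of the receiving interface's own
    addresses, so a packet for the tunnel IP is not accepted off the LAN."""
    return dst in IFACE_ADDRS.get(in_iface, set())


def accept(pkt, rp_mode=1, strong_host=False):
    """Decide on a packet {'src', 'dst', 'iface'}; returns (accepted, reason)."""
    if not rp_filter_ok(pkt["src"], pkt["iface"], rp_mode):
        return False, "rp_filter: no route back to %s via %s" % (pkt["src"], pkt["iface"])
    if strong_host and not strong_host_ok(pkt["dst"], pkt["iface"]):
        return False, "strong host: %s is not an address of %s" % (pkt["dst"], pkt["iface"])
    return True, "accepted"


# Constructed packets. SPOOFED is the shape discussed in the thread: inner
# VPN addresses, but delivered by an L2-adjacent host straight to eth0.
SPOOFED = {"src": "10.8.0.1", "dst": "10.8.0.12", "iface": "eth0"}
TUNNEL_TRANSPORT = {"src": "192.168.12.1", "dst": "192.168.12.23", "iface": "eth0"}
DECRYPTED_INNER = {"src": "10.8.0.1", "dst": "10.8.0.12", "iface": "tun0"}

if __name__ == "__main__":
    for name, pkt in [("spoofed", SPOOFED), ("transport", TUNNEL_TRANSPORT),
                      ("inner", DECRYPTED_INNER)]:
        for mode in (0, 1, 2):
            print(name, "rp_filter=%d" % mode, accept(pkt, mode))
        print(name, "rp_filter=2 + strong host", accept(pkt, 2, strong_host=True))
```

Loose mode lets the spoofed packet through because 10.8.0.1 is reachable somewhere, just not via eth0; strict mode drops it, but strict is also what breaks asymmetric routing, which is the uRPF argument in the post above. The strong-host check catches the packet on its destination instead and does not depend on the routing table at all.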
  4. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    13,428
    Location:
    Brisbane
    #1 thing people screw up is this, in most aspects of IT. If you can't describe what you're trying to accomplish, stop, sit down, think about what you actually need.

    The five why's can die in a steaming pile of poop, but honestly they're worth it sometimes.

If it's short, you're probably drinking vendor koolaid unfortunately. Honestly a lot of this stuff is thinking logically. You shouldn't need a security course to go 'oh hey, a 1FA login portal to Citrix exposed to the web may not be the greatest idea.'

I'm yet to find a place that has a good asset register and an idea of what's running; you're already at a disadvantage. Blinkenboxen can have their place but rarely. The basics are way more important than bolting on stuff to compensate for it.
     
  5. Skitza

    Skitza Member

    Joined:
    Jun 28, 2001
    Messages:
    3,772
    Location:
    In your street
We have our PoC running still and it's doing its thing. We have had a few meetings with the guys now and are still evaluating. Looks like it will be expensive though, wow haha.
     
  6. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    44,218
    Location:
    Brisbane
    I think I might just spend my time shitposting about bad security (you know, for something different).

    https://www.zdnet.com/article/compa...are-leaves-300-without-jobs-just-before-xmas/

    A telemarketing firm (lol) gets cryptoed, paid the ransom, still couldn't decrypt the files, goes broke, sacks 300 staff right before Christmas.

    * Patch your shit
    * Have sane storage permissions
    * Don't use admin accounts as daily drive accounts
    * Use competent email security
    * Have snapshotting storage
    * Have physically separated backups that are tested frequently
    * Invest in automated OS deployment and configuration management (systems should be "cattle, not pets").

    Shit's not hard. Cryptolocker is the digital equivalent of the Darwin awards.
     
    Last edited: Jan 7, 2020
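One way to make "tested frequently" in the list above concrete, as an added example that is not from the thread or the linked article: restore the archive into a scratch directory and compare every file's hash against a manifest recorded when the backup was taken, so a truncated or silently corrupted archive fails the check today instead of failing the restore after the ransomware. Python standard library only; the sample files, paths and the truncation used to stand in for a damaged archive are all constructed.

```python
"""Restore-and-verify check for a backup archive.

Added example for this thread (standard library only, not from the linked
article): the archive is extracted into a scratch directory and every file
is hashed and compared against a manifest recorded when the backup was
taken. A stale, truncated or silently corrupted archive fails the check now
rather than on the day you need the restore. Paths and sample files are
constructed.
"""
import hashlib
import os
import tarfile
import tempfile


def make_manifest(root):
    """Return {relative path: sha256 hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root)] = digest.hexdigest()
    return manifest


def backup_dir(src, archive):
    """Write a gzip tar of src and return the manifest taken at the same
    moment. Keep the manifest somewhere the archive's failure cannot take
    it with it (different media, ideally offline)."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return make_manifest(src)


def verify_backup(archive, manifest):
    """Extract archive into a scratch directory and diff it against manifest.

    Returns (ok, problems); problems lists 'missing:', 'changed:' and
    'extra:' entries, or the extraction error if the archive would not even
    unpack.
    """
    # Python >= 3.12 (and the backports) can refuse absolute paths, '..' and
    # other traversal tricks inside the archive; use that filter when present.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:*") as tar:
                tar.extractall(scratch, **extract_opts)
        except (tarfile.TarError, EOFError, OSError) as exc:
            return False, ["extract failed: %s" % exc]
        restored = make_manifest(scratch)

    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append("missing: " + rel)
        elif restored[rel] != digest:
            problems.append("changed: " + rel)
    problems.extend("extra: " + rel for rel in restored if rel not in manifest)
    return not problems, problems


def run_demo():
    """Back up a constructed directory, verify it, then truncate the archive
    (standing in for a damaged backup) and verify again.

    Returns (manifest, ok_before, problems_before, ok_after, problems_after).
    """
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "sub"))
        with open(os.path.join(src, "a.txt"), "w") as f:
            f.write("hello\n")
        with open(os.path.join(src, "sub", "b.bin"), "wb") as f:
            f.write(bytes(range(256)))
        archive = os.path.join(work, "backup.tar.gz")

        manifest = backup_dir(src, archive)
        ok_before, problems_before = verify_backup(archive, manifest)

        with open(archive, "r+b") as f:   # damage the archive on purpose
            f.truncate(100)
        ok_after, problems_after = verify_backup(archive, manifest)
    return manifest, ok_before, problems_before, ok_after, problems_after


if __name__ == "__main__":
    m, ok1, p1, ok2, p2 = run_demo()
    print("files in manifest:", sorted(m))
    print("intact archive:   ", ok1, p1)
    print("truncated archive:", ok2, p2)
```

The check is only as honest as the manifest's independence: if it sits next to the archive on the same share the ransomware encrypts, both go together. The same restore-into-scratch step is what turns "we have backups" into "we have tested restores", which is the line in the list that gets skipped.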
  7. wintermute000

    wintermute000 Member

    Joined:
    Jan 23, 2011
    Messages:
    2,540
The shit you're talking about is NASA-grade rocket science for many. It also relies on a.) competent staff and b.) giving a shit, i.e. time and money


    Sheeeet don't you run the consolidated B&E rant thread lol
     
  8. Gunna (OP)

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    7,844
    Location:
    Brisbane
NotPetya would like a word... Patching wouldn't have stopped it in 2018. It was Mimikatz (which Microsoft still hasn't properly fixed) bundled with EternalBlue. Distributed by a Ukrainian accounting software update server that was compromised by Russia.

    https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world
     
  9. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    15,070
    Location:
    Canberra
    sucks people lost their jobs, but glad those jobs no longer exist.


    Security is not a single solution. You have to do all of it. Patching alone won't help. Firewall alone won't help. Manually approving every email attachment ever won't help.

    Security in depth/layers/multi-faceted whatever you want to call it.

    And the age old, since the dawn of time issue of backups is always relevant - and seemingly - always overlooked.


It comes down to 'giving a shit' like wintermute said. Some businesses don't deserve to survive if they do nothing about ensuring survival.
     
  10. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    44,218
    Location:
    Brisbane
    Absolutely. If all the give-a-shit you can muster is "buy a box, turn it on", then you deserve an equal amount of protection.

    The last six months for me have been eye opening. I'm helping a few companies through stricter security requirements, and the responses are quite amazing. People will spend tonnes of cash on firewalls, door locks and cameras to tick boxes, but then put in allow-all ACLs on flat /8 networks, never review footage and prop doors open. Meanwhile there's no centralised authentication, everyone has local admin rights, passwords are taped to monitors, physical data sharing isn't logged or controlled. It's nuts.

    The absolute basics are neither difficult nor expensive. Indeed, you can cover off most of the essential stuff for free (or very little extra if you've already got stuff like AD/GPO in house). People just have to care.
     
  11. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    15,070
    Location:
    Canberra
And have the political clout to tell the lusers that they can no longer have local admin, access to everything, change their password regularly etc. These minor inconveniences cannot be ignored because of a few bleating users' complaints about usability/too hard/no training/etc.
     
  12. wintermute000

    wintermute000 Member

    Joined:
    Jan 23, 2011
    Messages:
    2,540
    Actually the basics are difficult and involve understanding topics, giving a shit, and doing this the secure way not the easy way.
    A lot of stuff - e.g. patching - costs effort and sometimes downtime.
    Not having local admin = takes more time to install stuff, users have to wait around a bit more, possibly buying / running more solutions like privilege management programs.
    Real certs - WTF PKI black magic, my head hurts. How many fun outages have we all seen because someone forgot (i.e. ignored repeated warnings and/or there was simply no tracking in place) to renew a cert, assuming we're not all hawt devops-yolo-letsencrypt-bot-it-all.
    FW rules - dear god where do I start - what if you're the classic "I have 10000 FW rules and no time/guts/money to go through them all" scenario and the pile of shit just keeps growing higher and higher with each FW vendor magicbox generation.
    I could go on.

    I wouldn't say security is easy, otherwise everyone would be doing it properly.
     
    Last edited: Jan 7, 2020
  13. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    15,070
    Location:
    Canberra
Only if you believe security to be an absolute/digital thing: you have security or you don't. That's not how it works.

Putting in a firewall gives you some degree of protection; not nothing, not complete, but it helps.
Adding AV gives you a little more protection; maybe it'll protect you against something that got through the firewall, maybe it won't, but you've improved your odds.
Adding privilege limitation, again, if something gets in via the firewall and AV and hits your user, the damage is limited/nullified, because they don't have admin and write access to everything.

    It all adds up, no one thing needs to be perfect.

And of course there's always the fact that it'll never be perfect; it's a moving target of one-upmanship between the attackers and the potential victims. There'll be zero-days, there'll be the dumb user that bypasses half of your protections by visiting that site from the dodgy email that got through the spam filter, or picking up a USB in the car park, or holding the door open for the guy in hi-vis who has no reason to be let in, but hey, he's in hi-vis gear so he must be ok.

    The basics are easy and cheap, and provide a lot of protection.
     
  14. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    13,428
    Location:
    Brisbane
    Cannot be emphasised enough. It's all a sliding scale of risk / reward / financial input.

Free, of course, as mentioned in the last posts, is with respect to implementing the controls, not the people time behind it.
     
  15. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    44,218
    Location:
    Brisbane
    Still struggling to get a large-ish client to work this out. They're aiming for a pretty strict certification to gain work with a large vendor. Total #yolo network, no on site dedicated IT people. I've spent weeks attempting to explain that security is a war of attrition, requires constant vigilance and training, and isn't fixed by appliances and magic bullets.

    * Put in a firewall - "are we there yet?"
    * Put in AV - "but we have a firewall?"
    * Put in DNS blocking - "doesn't AV stop malware?"
    * Put in AD - "but we have a firewall? And passwords are too difficult"
    * Removed direct/unproxied Internet access - "But Firewall? And my kids are on school holidays and need $RandomAdwareSite while their iPhone babysits them in the office"
    * Patched the firewall - "What, we have to maintain this?"

    And we've only just started. They think they're Fort Knox now, and the auditors are going to laugh them out of the first review.

    Security work reminds me daily just how poor average digital literacy is, even in the upper end of the white collar world.
     
  16. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    13,428
    Location:
    Brisbane
I like the ASD principles for a bit of focus, as working out your areas of focus is a challenge. Many places are driven by outcomes from testing reports / blinkenboxen instead of a plan.
     
  17. wintermute000

    wintermute000 Member

    Joined:
    Jan 23, 2011
    Messages:
    2,540
    Go on, do NAC / dot1x next.
     
  18. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    44,218
    Location:
    Brisbane
    I'm pretty sure I saw one dude's brain leak out his ear when I put in VLANs. dot1x would likely kill someone with complexity.
     
  19. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    15,070
    Location:
    Canberra
Make sure your certificate server ran out of disk space 3 months ago, and ensure no one looks at alerts, then wonder why phones and PCs start failing to connect to the network as their certs expire and can't be renewed.
     
  20. itsmydamnation

    itsmydamnation Member

    Joined:
    Apr 30, 2003
    Messages:
    10,692
    Location:
    Canberra
Man, I hate EAP-TLS/802.1X/etc. Much prefer PEAP, because when was the last time you ever saw end-to-end certificate management actually done? Password/account management on the other hand.......
     
