Re: sudo in general, and not requiring password in particula…

Author: Keith Smith via PLUG-discuss
Date:  
To: George Toft
CC: techlists, Main PLUG discussion list
Subject: Re: sudo in general, and not requiring password in particular (was Re: trouble adding my user to sudoers list)
Thanks George!! Lots to think about.


On 2024-07-04 14:23, George Toft wrote:
> <scroll>
>
> Regards,
>
> George Toft
>
> On 7/4/2024 6:50 AM, wrote:
>> Thank you so much George!!
>>
>> Another Question.  I was a police officer in the 80's and 90's. During
>> my tenure the bank was on the hook for any criminal acts as long as
>> the customer was not negligent. I only dealt with this on a couple of
>> occasions.
>>
>> So If someone gets access to my online banking and I report it in a
>> timely manner, or if someone washes one of my checks and I report it
>> in a timely manner, is the bank on the hook or am I?
>
> There are a ton of rules with more acronyms than the IT world has. I
> would love to tell you what I understand, but I'd be talking out my
> ass.
>
>
>> BTW I thought going old school was the most secure.  I do not trust
>> the Internet.  My daily driver is a Linux Box and I do not use my
>> cellular phone for anything except to talk and read some news.  I am
>> semiretired and have home officed for a long time.
>
> Not sure there is any magic incantation that I can say that would put
> you at ease, other than "Risk Analysis," "Government Regulation,"
> "Audit and Reviews," "Compliance," "Controls and Countermeasures," and
> "Fines." We have to comply with a bazillion rules all designed to
> protect you, the bank customer. Some regions are really strict and
> their governments show they really care, like the EU - their rules are
> so restrictive. Here's an example: You cannot log into a server that
> serves the EU if Payment Card Information (PCI) is involved with the
> same user ID that you used to log into your work station. This prevents
> lateral movement from an insider attack should the attacker get an
> employee's credentials or Kerberos TGT (Hey!!! It's now on-topic!!!).
> This is just an example. We have external inspectors and government
> auditors on site almost every two weeks making us prove compliance with
> all the rules, and the bigger we get, the more rules and more
> regulatory auditors we get to talk to. We actually have two people on
> my team of 27 whose job used to be project management, now is audit and
> compliance. All of this to protect you.
>
> Let's not forget about the Security Operations Center monitoring
> employee activities. Refer to the GTFOBins email from yesterday. I
> documented a chained attack to get root based on that page, and the SOC
> came knocking saying "George, we noticed suspicious activity on this
> server and this date. Whatcha doin'?" Fortunately, I documented
> everything and emailed it to my manager, so all I had to do was forward
> that back to the SOC.
>
> Mail scares me. I had to send my LEA ID in recently via USPS. I'm
> hoping they got it.
>
>
>> Any suggestions are appreciated.
>>
>>
>>
>> On 2024-07-03 21:48, George Toft wrote:
>>> Sorry, Keith, I have bad news for you. You took a 30+ year leap
>>> backwards in security.
>>>
>>> I can tell you for certain, from my bank fraud analyst friend (just
>>> got promoted to financial crimes investigator), checks are the second
>>> most insecure way of transferring money, first being putting the
>>> money in the envelope. They helped the USPS bust a fraud ring who
>>> worked in the Post Office - fraudsters were pulling checks out of
>>> envelopes inside the local Post Office. My friend pulled out all the
>>> details for the Postmaster General.
>>>
>>> ACH is free (for you) and secure and guaranteed by the originator as
>>> they are on the hook to prove the identity of who initiated the
>>> transaction and they have to pay. It's all very complicated, and I'm
>>> not going into details here.
>>>
>>> I use ACH all the time. My physical devices have multi-layer physical
>>> protection. Logical access control is in-place. Both have
>>> multi-factor authentication. Password resets require multi-factor
>>> authentication.
>>>
>>> And the DoD is worse - their systems have so many layers, it was
>>> easier to just let my account get deleted from lack of use and
>>> rebuilt it from scratch. I have notes that tell me screen-by-screen
>>> what to put in each box and which ones to ignore. It's so secure,
>>> legitimate users can't even get in... and this is just my health
>>> insurance.
>>>
>>> Where all of this can break down - getting on topic - is with the SSH
>>> protocol and web proxies. When you connect to a website using HTTPS
>>> using a web proxy, your web browser uses its cert to set up the
>>> connection, or so it thinks. What's really happening is the proxy is
>>> responding to the request and decrypting the message, then it forms a
>>> new request and sends it to the bank, which believes the proxy and
>>> sends it back. Everything gets decrypted on the proxy, so whoever has
>>> admin access to the proxy can see everything. Kinda like opening
>>> envelopes in the mail room :) Disclaimer: This is what some
>>> networking guys told me in a presentation about 10 years ago.
>>>
>>> In summary, ACH is safe if you do it from home without a proxy. Of
>>> course "safe" is relative, but it's safer than checks in the mail.
>>> Drop into your bank and ask the branch manager, or call their
>>> customer service and ask. They won't tell you checks are bad, but
>>> they will steer you to ACH and tell you it's better. Break out the
>>> Rosetta Stone and figure out what "better" means in corporate-speak.
>>> Banks are in it to win it, and they don't offer something for free
>>> unless they are saving money (cost avoidance) on the alternatives.
>>>
>>> Regards,
>>>
>>> George Toft
>>>
>>> On 7/3/2024 6:21 AM, wrote:
>>>> <scroll>
>>>>
>>>> On 2024-07-02 18:20, George Toft via PLUG-discuss wrote:
>>>>> I work for a bank, and you would be amazed at how much security is
>>>>> baked into the connecting your browser to their web servers. Makes
>>>>> the NSA look like freshmen. And no, I'm not telling you who I work
>>>>> for.
>>>>>
>>>>> Regards,
>>>>>
>>>>> George Toft
>>>>
>>>> I'd like to hear more.  The world is a hostile place.  I recently
>>>> went old school.  I asked the bank to disarm my online banking.  I
>>>> now deal with paper statements and everything gets paid by check.
>>>> Not as convenient as on-line banking, however I am hoping it makes
>>>> my world a little bit more secure.
>>>>
>>>> What are your thoughts?
>>>>
>>>> Keith
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>> On 6/29/2024 5:19 PM, Keith Smith via PLUG-discuss wrote:
>>>>>> Mike,
>>>>>>
>>>>>> The world is a hostile place.  The more precautions you take the
>>>>>> better.  I cover the camera on my cellular phone while not in
>>>>>> use.  I cover the camera that is built into my laptop while it is
>>>>>> not in use.  I think on-line banking is dangerous.  At some point
>>>>>> I want to turn off WIFI and go to wired only on my local net.
>>>>>>
>>>>>> We lock our cars and houses for a reason.
>>>>>>
>>>>>> I do not know as much security as I'd like, however it might be
>>>>>> necessary at some point to become more cyber.
>>>>>>
>>>>>> About 24 years ago the members of the Tucson Free Unix Group
>>>>>> (TFUG) helped me build a server that I ran out of my home.  We
>>>>>> left the email relay open and I got exploited. About 10 years ago
>>>>>> I became root and I accidentally overwrote my home directory.
>>>>>> yikes... both were painful. The first example is a reason we must
>>>>>> be more aware of what we are doing. The 2nd is an example why we
>>>>>> should use sudo as much as we can instead of becoming root.
>>>>>>
>>>>>> Keith
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 2024-06-29 08:55, Michael via PLUG-discuss wrote:
>>>>>>> I just realized, while 99% of the people on this list are honest
>>>>>>> there is the diabolical 1%. So I guess I enter my password for the
>>>>>>> rest of my life. Or do you think that it really matters
>>>>>>> considering this is only a mailing list?
>>>>>>>
>>>>>>> On Sat, Jun 29, 2024, 10:22 AM Michael <> wrote:
>>>>>>>
>>>>>>>> Thanks for saying this. I realized that I only needed to run apt
>>>>>>>> as root. I didn't know how to make it so I could do that..... but
>>>>>>>> ChatGPT did!
>>>>>>>>
>>>>>>>> On Sat, Jun 29, 2024, 5:53 AM Eric Oyen via PLUG-discuss
>>>>>>>> <> wrote:
>>>>>>>>
>>>>>>>>> NO WORRIES FROM THIS END RUSTY.
>>>>>>>>>
>>>>>>>>> As a general rule, I use sudo only for very specific tasks
>>>>>>>>> (usually updating my development package tree on OS X) and
>>>>>>>>> nowhere else will I run anything as root. I have seen what
>>>>>>>>> happens to linux machines that run infected binaries as root and
>>>>>>>>> it can get ugly pretty fast. In one case, I couldn’t take the
>>>>>>>>> machine out of service because of other items I was involved
>>>>>>>>> with, so I simply made part of the dir tree immutable after
>>>>>>>>> replacing a few files in /etc. That would fill up the system logs
>>>>>>>>> with an error message about a specific binary trying to replace a
>>>>>>>>> small number of conf files. Once the offending binary was found,
>>>>>>>>> it made things easier trying to disable it or get rid of it.
>>>>>>>>> However, after a while, I simply pulled the drive and ran it
>>>>>>>>> through a DoD secure erase and installed a newer linux distro on
>>>>>>>>> it. I did use the same trick with chattr to make /bin, /sbin and
>>>>>>>>> /etc immutable. That last turned out to be handy as I caught
>>>>>>>>> someone trying to rootkit my machine using a known exploit, only
>>>>>>>>> they couldn’t get it to run because the binaries they wanted to
>>>>>>>>> replace couldn’t be written to. :) Yes, this would be a bit
>>>>>>>>> excessive, but over the long run, proved far less inconvenient
>>>>>>>>> than having to wipe and reinstall an OS.
>>>>>>>>>
>>>>>>>>> -Eric
>>>>>>>>> From the central Offices of the Technomage Guild, security
>>>>>>>>> Applications Dept.
>>>>>>>>>
>>>>>>>>>> On Jun 28, 2024, at 6:43 PM, Rusty Carruth via PLUG-discuss
>>>>>>>>>> <> wrote:
>>>>>>>>>>
>>>>>>>>>> (Deep breath.  Calm...)
>>>>>>>>>>
>>>>>>>>>> I can't figure out how to respond rationally to the below, so
>>>>>>>>>> all I'm going to say is - before you call troll, you might want
>>>>>>>>>> to research the author, and read a bit more carefully what they
>>>>>>>>>> wrote.  I don't believe I recommended any of the crazy things
>>>>>>>>>> you suggest.  And I certainly didn't intend to imply any of
>>>>>>>>>> that.
>>>>>>>>>>
>>>>>>>>>> On the other hand, it may not have been clear, so I'll just say
>>>>>>>>>> "Sorry that what I wrote wasn't clear, but English isn't my
>>>>>>>>>> first language.  Unfortunately it's the only one I know".
>>>>>>>>>>
>>>>>>>>>> And on that note, I'll shut up.
>>>>>>>>>>
>>>>>>>>>> On 6/26/24 15:05, Ryan Petris wrote:
>>>>>>>>>>> I feel like you're trolling so I'm not going to spend very
>>>>>>>>>>> much time on this.
>>>>>>>>>>>
>>>>>>>>>>> It's been a generally good security practice for at least the
>>>>>>>>>>> last 25+ years to not regularly run as a privileged user,
>>>>>>>>>>> requiring some sort of escalation to do administrative-type
>>>>>>>>>>> tasks. By using passwordless sudo, you're taking away that
>>>>>>>>>>> escalation. Why not just run as root? Then you don't need sudo
>>>>>>>>>>> at all. In fact, why even have a password at all? Why encrypt?
>>>>>>>>>>> Why don't you just put all your data on a publicly accessible
>>>>>>>>>>> FTP server and just grab stuff when you need it? The NSA has
>>>>>>>>>>> all your data anyway and you don't have anything to hide so
>>>>>>>>>>> why not just leave it out there for the world to see?
>>>>>>>>>>>
>>>>>>>>>>> As for something malicious needing to be written to use sudo,
>>>>>>>>>>> why wouldn't it? sudo is ubiquitous on unix systems; if it
>>>>>>>>>>> didn't at least try then that seems like a pretty dumb
>>>>>>>>>>> malicious script to me.
>>>>>>>>>>>
>>>>>>>>>>> You also don't necessarily need to open/run something for it
>>>>>>>>>>> to run. IIRC there was a recent image vulnerability in Gnome's
>>>>>>>>>>> tracker-miner application which indexes files in your home
>>>>>>>>>>> directory. And before you say that wouldn't happen in KDE, it
>>>>>>>>>>> too has a similar program, I believe called Baloo.
>>>>>>>>>>>
>>>>>>>>>>> There also exists the recent doas program and the systemd
>>>>>>>>>>> replacement run0 to do the same.
>>>>>>>>>>>
>>>>>>>>>>> On Wed, Jun 26, 2024, at 12:23 PM, Rusty Carruth via
>>>>>>>>>>> PLUG-discuss wrote:
>>>>>>>>>>>> Actually, I'd like to start a bit of a discussion on this.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> First, I know that for some reason RedHat seems to think that
>>>>>>>>>>>> sudo is bad/insecure.
>>>>>>>>>>>>
>>>>>>>>>>>> I'd like to know the logic there, as I think the argument FOR
>>>>>>>>>>>> using sudo is MUCH stronger than any argument I've heard
>>>>>>>>>>>> (which, admittedly, is pretty close to zero) AGAINST it.
>>>>>>>>>>>> Here's my thinking:
>>>>>>>>>>>>
>>>>>>>>>>>> Allowing users to become root via sudo gives you:
>>>>>>>>>>>>
>>>>>>>>>>>> - VERY fine control over what programs a user can use as root
>>>>>>>>>>>>
>>>>>>>>>>>> - The ability to remove admin privs (ability to run as root)
>>>>>>>>>>>> from an individual WITHOUT having to change root password
>>>>>>>>>>>> everywhere.
>>>>>>>>>>>>
>>>>>>>>>>>> Now, remember, RH is supposedly 'corporate friendly'. As a
>>>>>>>>>>>> corporation, that 2nd feature is well worth the price of
>>>>>>>>>>>> admission, PLUS I can only allow certain admins to run certain
>>>>>>>>>>>> programs? Very nice.
>>>>>>>>>>>>
>>>>>>>>>>>> So, for example, at my last place I allowed the 'tester' user
>>>>>>>>>>>> to run fdisk as root, because they needed to partition the
>>>>>>>>>>>> disk under test.  In my case, and since the network that we
>>>>>>>>>>>> ran on was totally isolated from the corporate network, I let
>>>>>>>>>>>> fdisk be run without needing a password.  Oh, and if they
>>>>>>>>>>>> messed up and fdisk'ed the boot partition, it was no big deal
>>>>>>>>>>>> - I could recreate the machine from scratch (minus whatever
>>>>>>>>>>>> data hadn't been copied off yet - which would only be their
>>>>>>>>>>>> most recent run), in 10 minutes (which was about 2 minutes of
>>>>>>>>>>>> my time, and 8 minutes of scripted 'dd' ;-) However, if the
>>>>>>>>>>>> test user wanted to become root using su, they had to enter
>>>>>>>>>>>> the test user password.
>>>>>>>>>>>>
>>>>>>>>>>>> So, back to the original question - setting sudo to not
>>>>>>>>>>>> require a password.  We should have asked, what program do you
>>>>>>>>>>>> want to run as root without requiring a password? How secure
>>>>>>>>>>>> is your system? What else do you use it for?  Who has access?
>>>>>>>>>>>> etc, etc, etc.
>>>>>>>>>>>>
>>>>>>>>>>>> There's one other minor objection I have to the 'zero defense'
>>>>>>>>>>>> statement below - the malicious thing you downloaded (and, I
>>>>>>>>>>>> assume ran) has to be written to USE sudo in its attempt to
>>>>>>>>>>>> break in, I believe, or it wouldn't matter HOW open your sudo
>>>>>>>>>>>> was. (simply saying 'su - myscript' won't do it).
>>>>>>>>>>>>
>>>>>>>>>>>> And, if you're truly paranoid about stuff you download, you
>>>>>>>>>>>> should:
>>>>>>>>>>>>
>>>>>>>>>>>> 1 - NEVER download something you don't have an excellent
>>>>>>>>>>>> reason to believe is 'safe', and ALWAYS make sure you actually
>>>>>>>>>>>> downloaded it from where you thought you did.
>>>>>>>>>>>>
>>>>>>>>>>>> 2 - For the TRULY paranoid, have a machine you use to download
>>>>>>>>>>>> and test software on, which you can totally disconnect from
>>>>>>>>>>>> your network (not JUST the internet), and which has NO
>>>>>>>>>>>> confidential info, and which you can erase and rebuild without
>>>>>>>>>>>> caring.  Run the downloaded stuff there, for a long time,
>>>>>>>>>>>> until you're pretty sure it won't bite you.
>>>>>>>>>>>>
>>>>>>>>>>>> 3 - For the REALLY REALLY paranoid, don't download anything
>>>>>>>>>>>> from anywhere, disconnect from the internet permanently, get
>>>>>>>>>>>> high-tech locks for your doors, and wrap your house in a
>>>>>>>>>>>> faraday cage!
>>>>>>>>>>>>
>>>>>>>>>>>> And probably don't leave the house....
>>>>>>>>>>>>
>>>>>>>>>>>> The point of number 3 is that there is always a risk, even
>>>>>>>>>>>> with 'well-known' software, and as someone else said - they're
>>>>>>>>>>>> watching you anyway.  The question is how 'safe' do you want
>>>>>>>>>>>> to be? And how paranoid are you, really?
>>>>>>>>>>>>
>>>>>>>>>>>> Wow, talk about rabbit hole! ;-)
>>>>>>>>>>>>
>>>>>>>>>>>> 'Let the flames begin!' :-)
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:
>>>>>>>>>>>>>> wanted sudo not to require a password.
>>>>>>>>>>>>> Please reconsider this... This is VERY BAD security practice.
>>>>>>>>>>>>> There's basically zero defense if you happen to download/run
>>>>>>>>>>>>> something malicious.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>> then I remember that a PLUG member mentioned ChatGPT being
>>>>>>>>>>>>>> good at troubleshooting so I figured I'd give it a go. I
>>>>>>>>>>>>>> spent about half an hour asking it the wrong question but
>>>>>>>>>>>>>> after that it took 2 minutes. I wanted sudo not to require a
>>>>>>>>>>>>>> password. it is wonderful! now I don't have to bug you guys.
>>>>>>>>>>>>>> so it looks like this is the end of the user group unless
>>>>>>>>>>>>>> you want to talk about OT stuff.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> -- :-)~MIKE~(-:
>>>>>>>>>>>>>> ---------------------------------------------------
>>>>>>>>>>>>>> PLUG-discuss mailing list:
>>>>>>>>>>>>>> To subscribe, unsubscribe, or to change your mail
>>>>>>>>>>>>>> settings:
>>>>>>>>>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>>>>>>>>>>>

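The thread's real disagreement is not sudo versus root but how wide a NOPASSWD grant is: Rusty's "tester may run fdisk as root, no password" rule on an isolated lab network versus the blanket "my account runs anything without a password" that Ryan objects to. The script below is an added example, not code from any poster on this list, that audits sudoers-style rules and separates the two cases so a broad grant stands out during a review. The sample rules embedded in it (the `tester`, `mike` and `%wheel` lines) are constructed for illustration; the classifier is a deliberately small line-oriented check, not a full sudoers parser (it ignores aliases, `#include` and line continuations).

```shell
#!/bin/sh
# Added example for this thread (not any poster's code): classify sudoers
# rules by how much they give away, so a broad "NOPASSWD: ALL" grant stands
# out from a narrowly scoped one like the fdisk rule discussed above.
# The rules below are constructed for illustration, not a real config.

SAMPLE_SUDOERS='# constructed sample, not a real /etc/sudoers
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL) ALL
tester      ALL=(root) NOPASSWD: /sbin/fdisk
mike        ALL=(ALL) NOPASSWD: ALL
'

# classify_rule LINE
# Prints one of:
#   other           - comment, blank line, or Defaults setting
#   password        - the rule still requires the user to authenticate
#   scoped-nopasswd - NOPASSWD limited to an explicit command list
#   broad-nopasswd  - NOPASSWD covering ALL commands (no escalation step left)
# This is a lightweight line classifier for auditing, not a sudoers parser
# (no aliases, #include directives, or backslash line continuations).
classify_rule() {
    rule=$1
    case $rule in
        ''|'#'*|Defaults*) echo other; return 0 ;;
    esac
    case $rule in
        *NOPASSWD:*)
            # everything after the last NOPASSWD: tag is the command list
            cmds=${rule##*NOPASSWD:}
            # word splitting of $cmds is intended: one word per command
            set -- $cmds
            if [ "$#" -eq 1 ] && [ "$1" = ALL ]; then
                echo broad-nopasswd
            else
                echo scoped-nopasswd
            fi
            ;;
        *) echo password ;;
    esac
}

# audit_sudoers TEXT
# Prints "<class> <rule>" for every rule line in TEXT (comments and
# Defaults lines are skipped).
audit_sudoers() {
    while IFS= read -r line; do
        class=$(classify_rule "$line")
        if [ "$class" != other ]; then
            printf '%-16s %s\n' "$class" "$line"
        fi
    done <<EOF
$1
EOF
}

# count_broad_nopasswd TEXT
# Prints how many rules grant NOPASSWD on ALL commands; anything other
# than 0 is what a config-management or CI check would alert on.
count_broad_nopasswd() {
    n=0
    while IFS= read -r line; do
        if [ "$(classify_rule "$line")" = broad-nopasswd ]; then
            n=$((n + 1))
        fi
    done <<EOF
$1
EOF
    echo "$n"
}

audit_sudoers "$SAMPLE_SUDOERS"
echo "broad NOPASSWD rules: $(count_broad_nopasswd "$SAMPLE_SUDOERS")"
```

On a real host, `/etc/sudoers` and `/etc/sudoers.d/*` are root-readable only, so the audit has to run with privileges; `visudo -c` checks the syntax of those files, and `sudo -l` prints the rules that actually apply to the invoking user, which is the quickest way to confirm whether your own account falls in the "broad-nopasswd" bucket.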