Regards,
George Toft On 7/5/2024 5:43 AM, [email protected] wrote:
BINGO!!! "Reasonably safe" is the fundamental goal post that we seek. What is one's risk appetite for any endeavor? There is no such thing as 0% loss. Obviously 100% loss is a non-starter. So somewhere in between is our goal. I won't beleaguer the list anymore, but this is the fundamentals of risk analysis, which is what I do at work. An on-topic example: In the not-Sudo solution we have, we discovered one application that would not work with it. One app - 6 servers out of 50,000 servers. Do I risk the 50,000 servers to make not-Sudo work on 6 when the original configurator made a fundamental programming error? No - we accept the risk. Actually, I'm now stuck with that misconfiguration without executing a ton of regression testing which would take months just to distill a reasonable test set, and my management isn't going to support spending thousands of salary dollars on something this trivial.On 2024-07-05 00:23, George Toft wrote:Had a chance to casually ask about the washed check thing today. Big eye-roll. Police report. Affidavits. Close the checking account. Big investigation. Sounds like a PITA.Regards, George ToftI just want to approach this in a way that I have reasonably safe bank transactions. I almost feel I need to learn cyber security.Thank you for all your feedback!!
Lastly, the 7 banks that own Zelle are getting hauled in to talk to Congress about their "acceptable fraud rate." They cheerfully announce they have less than 0.1% fraud rate. These huge banks don't care about 0.1% - that's acceptable. But if 0.1% of all e-mail you receive got through the filters and infected your system, that becomes another story.
Peace.
On 7/4/2024 3:14 PM, [email protected] wrote:Thanks George!! Lot s to think about. On 2024-07-04 14:23, George Toft wrote:<scroll> Regards, George Toft On 7/4/2024 6:50 AM, [email protected] wrote:Thank you so much George!!Another Question. I was a police officer in the 80's and 90's. During my tenure the bank was on the hook for any criminal acts as long as the customer was not negligent. I only dealt with this on a couple occasional.So If someone gets access to my online banking and I report it in a timely manner, or if someone washes one of my checks and I report it in a timely manner, is the bank on the hook or am I?There are a ton of rules with more acronyms than the IT world has. I would love to tell you what I understand, but I'd be talking out my ass.BTW I thought going old school was the most secure. I do not trust the Internet. My daily driver is a Linux Box and I do not use my cellular phone for anything except to talk and read some news. I am semiretired and have home officed for a long time.Not sure there is any magic incantation that I can say that would put you at ease, other than "Risk Analysis," "Government Regulation," "Audit and Reviews," "Compliance," "Controls and Countermeasures," and "Fines." We have to comply with a bazillion rules all designed to protect you, the bank customer. Some regions are really strict and their governments show they really care, like the EU - their rules are so restrictive. Here's an example: You cannot log into a server that serves the EU if Payment Card Information (PCI) is involved with the same user ID that you used to log into your work station. This prevents lateral movement from an insider attack should the attacker get an employee's credentials or Kerberos TGT (Hey!!! It's now on-topic!!!) . This is just an example. We have external inspectors and government auditors on site almost every two weeks making us prove compliance with all the rules, and the bigger we get, the more rules and more regulatory auditors we get to talk to. We actually have two people on my team of 27 whose job used to be project management, now is audit and compliance. All of this to protect you.Let's not forget about the Security Operations Center monitoring employee activities. Refer to the GTFOBins email from yesterday. I documented a chained attack to get root based on that page, and the SOC came knocking saying "George, we noticed suspicious activity on this server and this date. Whatcha doin'?" Fortunately, I documented everything and emailed it to my manager, so all I had to do was forward that back to the SOC.Mail scares me. I had to send my LEA ID in recently via USPS. I'm hoping they got it.Any suggestions are appreciated. On 2024-07-03 21:48, George Toft wrote:Sorry, Kieth, I have bad news for you. You took a 30+ year leap backwards in security.I can tell you for certain, from my bank fraud analyst friend (just got promoted to financial crimes investigator), checks are the second most insecure way of transferring money, first being putting the money in the envelope. They helped the USPS bust a fraud ring who worked in the Post Office - fraudsters were pulling checks out of envelopes inside the local Post Office. My friend pulled out all the details for the Postmaster General.ACH is free (for you) and secure and guaranteed by the originator as they are on the hook to prove the identity of who initiated the transaction and they have to pay. It's all very complicated, and I'm not going into details here.I use ACH all the time. My physical devices have multi-layer physical protection. Logical access control is in-place. Both have multi-factor authentication. Password resets require multi-factor authentication.And the DoD is worse - their systems have so many layers, it was easier to just let my account get deleted from lack of use and rebuilt it from scratch. I have notes that tell me screen-by-screen what to put in each box and which ones to ignore. It's so secure, legitimate users can't even get in... and this is just my health insurance.Where all of this can break down - getting on topic - is with the SSH protocol and web proxies. When you connect to a website using HTTPS using a web proxy, your web browser uses it's cert to set up the connection, or so it thinks. What's really happening is the proxy is responding to the request and decrypting the message, then it forms a new request and sends it to the bank, which believes the proxy and sends it back. Everything gets decrypted on the proxy, so whoever has admin access to the proxy can see everything. Kinda like opening envelopes in the mail room :) Disclaimer: This is what some networking guys told me in a presentation about 10 years ago.In summary, ACH is safe if you do it from home without a proxy. Of course "safe" is relative, but it's safer than checks in the mail. Drop into your bank and ask the branch manager, or call their customer service and ask. They won't tell you checks are bad, but they will steer you to ACH and tell you it's better. Break out the Rosetta Stone and figure out what "better" means in corporate-speak. Banks are in it to win it, and they don't offer something for free unless they are saving money (cost avoidance) on the alternatives.Regards, George Toft On 7/3/2024 6:21 AM, [email protected] wrote:<scroll> On 2024-07-02 18:20, George Toft via PLUG-discuss wrote:I work for a bank, and you would be amazed at how much security is baked into the connecting your browser to their web servers. Makes the NSA look like freshmen. And no, I'm not telling you who I work for.Regards, George ToftI'd like to hear more. The world is a hostile place. I recently went old school. I asked the bank to disarm my online banking. I now deal with paper statements and everything gets paid by check. Not as convenient as on-line banking, however I am hoping it makes my world a little bit more secure.What are your thoughts? KeithOn 6/29/2024 5:19 PM, Keith Smith via PLUG-discuss wrote:Mike,The world is a hostile place. The more precautions you take the better. I cover the camera on my cellular phone while not in use. I cover the camera that is built into my laptop while it is not in use. I think on-line banking is dangerous. At some point I want to turn off WIFI and go to wired only on my local net.We lock our cars and houses for a reason.I do not know as much security as I'd like, however it might be necessary at some point to to become more cyber.About 24 years ago the members of the Tucson Free Unix Group (TFUG) helped me build a server that I ran out of my home. We left the email relay open and I got exploited. About 10 years ago I became root and I accidentally overwrote my home directory. yikes... both were painful. The first example is a reason we must be more aware of what we are doing. The 2nd is an example why we should use sudo as much as we can instead of becoming root.Keith On 2024-06-29 08:55, Michael via PLUG-discuss wrote:I just realized, while 99% of the people on this list are honest there is the diabolical 1%. So I guess I enter my password for the rest of my life. Or do you think that it really matters considering this isonly a mailing list? On Sat, Jun 29, 2024, 10:22 AM Michael <[email protected]> wrote:Thanks for saying this. I realized that I only needed to run apt asroot. I didn't know how to make it so I could do that..... but chatgt did! On Sat, Jun 29, 2024, 5:53 AM Eric Oyen via PLUG-discuss <[email protected]> wrote:NO WORRIES FROM THIS END RUSTY. As a general rule, I use sudo only for very specific tasks (usually updating my development package tree on OS X) and nowhere else will I run anything as root. I have seen what happens to linux machines that run infected binaries as root and it canget ugly pretty fast. In one case, I couldn’t take the machineout of service because of other items I was involved with, so I simply made part of the dir tree immutable after replacing a few files in /etc. That would fill up the system logs with an error message about a specific binary trying to replace a small number of conf files. Once the offending binary was found, it made thingseasier trying to disable it or get rid of it. However, after awhile, I simply pulled the drive and ran it through a Dod secure erase and installed a newer linux bistro on it. I did use the sametrick with chattr to make /bin, /sbin and /etc immutable. Thatlast turned out to be handy as I caught someone trying to rootkitmy machine using a known exploit, only they couldn’t get it to run because the binaries they wanted to replace couldn’t be written to. :)Yes, this would be a bit excessive, but over the long run, proved far less inconvenient than having to wipe and reinstall an OS. -Eric From the central Offices of the Technomage Guild, security Applications Dept.On Jun 28, 2024, at 6:43 PM, Rusty Carruth via PLUG-discuss<[email protected]> wrote:all I'm going to say is - before you call troll, you might want to research the author, and read a bit more carefully what they wrote. I don't believe I recommended any of the crazy things you(Deep breath. Calm...) I can't figure out how to respond rationally to the below, sosuggest. And I certainly didn't intend to imply any of that."Sorry that what I wrote wasn't clear, but english isn't my firstOn the other hand, it may not have been clear, so I'll just saylanguage. Unfortunately its the only one I know".And on that note, I'll shut up. On 6/26/24 15:05, Ryan Petris wrote:I feel like you're trolling so I'm not going to spend very muchtime on this.It's been a generally good security practice for at least thelast 25+ years to not regularly run as a privileged user,requiring some sort of escalation to do administrative-type tasks. By using passwordless sudo, you're taking away that escalation.Why not just run as root? Then you don't need sudo at all. Infact, why even have a password at all? Why encrypt? Why don't youjust put all your data on a publicly accessible FTP server andjust grab stuff when you need it? The NSA has all your data anyway and you don't have anything to hide so why not just leave it outthere for the world to see?why wouldn't it? sudo is ubiquitous on unix systems; if it didn't at least try then that seams like a pretty dumb malicious scriptAs for something malicious needing to be written to use sudo,to me.You also don't necessarily need to open/run something for it torun. IIRC there was a recent image vulnerability in Gnome's tracker-miner application which indexes files in your homedirectory. And before you say that wouldn't happen in KDE, it toohas a similar program, I believe called Baloo.There also exists the recent doas program and the systemdreplacement run0 to do the same.On Wed, Jun 26, 2024, at 12:23 PM, Rusty Carruth viaPLUG-discuss wrote:Actually, I'd like to start a bit of a discussion on this.First, I know that for some reason RedHat seems to think thatsudo isbad/insecure.I'd like to know the logic there, as I think the argument FORusing sudois MUCH stronger than any argument I've heard (which,admittedly, ispretty close to zero) AGAINST it. Here's my thinking: Allowing users to become root via sudo gives you:- VERY fine control over what programs a user can use as root- The ability to remove admin privs (ability to run as root)from anindividual WITHOUT having to change root password everywhere.Now, remember, RH is supposedly 'corporate friendly'. As acorporation,that 2nd feature is well worth the price of admission, PLUS Ican onlyallow certain admins to run certain programs? Very nice.So, for example, at my last place I allowed the 'tester' userto runfdisk as root, because they needed to partition the disk undertest. Inmy case, and since the network that we ran on was totallyisolated fromthe corporate network, I let fdisk be run without needing apassword.Oh, and if they messed up and fdisk'ed the boot partition, itwas no bigdeal - I could recreate the machine from scratch (minuswhatever datahadn't been copied off yet - which would only be their mostrecent run),in 10 minutes (which was about 2 minutes of my time, and 8minutes ofscripted 'dd' ;-) However, if the test user wanted to becomeroot usingsu, they had to enter the test user password. So, back to the original question - setting sudo to notrequire apassword. We should have asked, what program do you want torun as rootwithout requiring a password? How secure is your system? Whatelse doyou use it for? Who has access? etc, etc, etc.There's one other minor objection I have to the 'zero defense'statementbelow - the malicious thing you downloaded (and, I assume ran)has to bewritten to USE sudo in its attempt to break in, I believe, oritwouldn't matter HOW open your sudo was. (simply saying 'su -myscript'won't do it). And, if you're truly paranoid about stuff you download, youshould:1 - NEVER download something you don't have an excellentreason tobelieve is 'safe', and ALWAYS make sure you actuallydownloaded it fromwhere you thought you did.2 - For the TRULY paranoid, have a machine you use to downloadand testsoftware on, which you can totally disconnect from yournetwork (notJUST the internet), and which has NO confidential info, andwhich youcan erase and rebuild without caring. Run the downloadedstuff there,for a long time, until you're pretty sure it won't bite you.3 - For the REALLY REALLY paranoid, don't download anythingfromanywhere, disconnect from the internet permanently, gethigh-tech locksfor your doors, and wrap your house in a faraday cage! And probably don't leave the house.... The point of number 3 is that there is always a risk, evenwith'well-known' software, and as someone else said - they'rewatching youanyway. The question is how 'safe' do you want to be? And howparanoidare you, really? Wow, talk about rabbit hole! ;-) 'Let the flames begin!' :-) On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:Please reconsider this... This is VERY BAD security practice.wanted sudo not to require a password.There's basically zero defense if you happen to download/run something malicious.On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discusswrote:good at troubleshooting so I figured I'd give it a go. I sprint about half an hour asking it the wrong question but after that itthen I remember that a PLUG member mentioned ChatGPT beingtook 2 minutes. I wanted sudo not to require a password. it iswonderful! now I don't have to bug you guys. so it looks like thisis the end of the user group unless you want to talk about OT stuff.-- :-)~MIKE~(-: ---------------------------------------------------PLUG-discuss mailing list: [email protected] To subscribe, unsubscribe, or to change your mail settings:https://lists.phxlinux.org/mailman/listinfo/plug-discuss--------------------------------------------------- PLUG-discuss mailing list: [email protected]To subscribe, unsubscribe, or to change your mail settings:https://lists.phxlinux.org/mailman/listinfo/plug-discuss--------------------------------------------------- PLUG-discuss mailing list: [email protected] To subscribe, unsubscribe, or to change your mail settings: https://lists.phxlinux.org/mailman/listinfo/plug-discuss--------------------------------------------------- PLUG-discuss mailing list: [email protected] To subscribe, unsubscribe, or to change your mail settings: https://lists.phxlinux.org/mailman/listinfo/plug-discuss--------------------------------------------------- PLUG-discuss mailing list: [email protected] To subscribe, unsubscribe, or to change your mail settings: https://lists.phxlinux.org/mailman/listinfo/plug-discuss--------------------------------------------------- PLUG-discuss mailing list: [email protected] To subscribe, unsubscribe, or to change your mail settings: https://lists.phxlinux.org/mailman/listinfo/plug-discuss--------------------------------------------------- PLUG-discuss mailing list: [email protected] To subscribe, unsubscribe, or to change your mail settings: https://lists.phxlinux.org/mailman/listinfo/plug-discuss--------------------------------------------------- PLUG-discuss mailing list: [email protected] To subscribe, unsubscribe, or to change your mail settings: https://lists.phxlinux.org/mailman/listinfo/plug-discuss
--------------------------------------------------- PLUG-discuss mailing list: [email protected] To subscribe, unsubscribe, or to change your mail settings: https://lists.phxlinux.org/mailman/listinfo/plug-discuss
