IT Geek Speak ... IT Professionals and the like
  • Originally posted by Sxy Rdr:
    If only this guy actually did work.... and apparently I'm not the only one who has noticed this issue.
    Oh, so you're now Wally's PHB?

    http://dilbert.com/strip/2017-12-03
    Jeff

    "Remember when being socially distant was a symptom of a potentially debilitating mental disorder, instead of a government mandate? C'mon, it was just a few weeks ago!"

    "Modern Liberalism: The embodiment of an irrational fear of letting other people run their own lives."

    '13 XT250
    '10 ZG-1400 (operational again)



    • Originally posted by WoodstockJeff:
      Oh, so you're now Wally's PHB?

      http://dilbert.com/strip/2017-12-03


      And how funny... we have a team building event tomorrow afternoon....
      Helen



      • In April, we had a penetration test done on one of our sites. It revealed that we had not put in server-side support for blocking browser (and user) vulnerabilities, so we made a few changes, and requested the site be rescanned in early May. No scan took place (we KNOW when a scan is happening!).

        After many months, we get a message complaining that the site hasn't had its required PenTest within the required testing window. "Well, we gave you permission to test whenever, and even set up a date for you to do it, and you didn't. Why didn't you?"

        A PenTest was quickly scheduled.

        After a large number of tests, we get back a report, listing 5 programs as being vulnerable to "Click Jacking" (CJ), and a high vulnerability score because of that, and one program that did not use Cross Site Request Forgery (CSRF) tokens. The 5 CJ programs were simple HTML pages with links to the client's site and a literal "blank page" that is a place holder for a frame that gets filled in with an entry program when the user selects their options. They're vulnerable because they don't ask the browser to enforce "same origin", even though they can't DO anything useful. So we fixed that.

        The other (CSRF tokens) was done months ago.

        "Tester didn't find any tokens."
        "Do you see a POST variable named [name of token]?"
        "Yes."
        "That's the token. If you check, it's unique to each potential page request, and it isn't valid for more than one request."
        "You can't name CSRF tokens anything but CSRFToken."
        "We thought the idea was to USE the tokens, not advertise which variable was the token."
        "If it isn't named CSRFToken, it's not a CSRF token!"

        Sigh... Fortunately, doing the stupid thing is only one variable change. Our original design was that the token name could change randomly, so it was more difficult to try to forge the anti-forgery token, but apparently the stupidity of the PenTest software wins out.

        "We're running the test a second time, because the first time it aborted prematurely due to navigation problems."
        "Well, if it fooled around with the CSRF token value, the user session is destroyed, logging the user out immediately, which would put a kink in page navigation that relies upon being logged in...."
        "But CSRF problems shouldn't log you out!"
        "That isn't what your department said was the best action when we had a conference call on this back in May..."

        Good thing I'm out of town for the next three days...
        Jeff


        • Gee, I wonder how "Wally" did on the team building exercise....

          Got the "full report" on the PenTest back. 80% of the points were for things that were mitigated WHILE the second test was running (the five programs that could be "click jacked"), but most of the rest are tied to our "unconventional" CSRF token name.

          One program was listed as causing the server to stop responding when they mucked around with the "CSRF token that isn't named CSRFToken", when in reality it simply logged them out rather forcefully, and refuses to talk to the origin IP for 120 seconds after doing so. This definitely qualifies as "not responding to prevent flood attacks", but not "server crashed by input values". But the testing program doesn't care about WHY, just WHAT.

          One program was flagged for being vulnerable to multiple injection attacks. Again. It's a program that is required by federal regulations to faithfully record notes made by the client as part of their compliance. So, any value sent must be displayed... so long as the request is made from the original source and all parameters agree that it was authorized. And it does exactly that, although the "note" is "locked" from further editing.

          So, what happens if you inject the same value in different forms? Well, the system rejects them... but then displays the first properly-inserted note... "AHA! A vulnerability!!!! Must record this!!!!!"

          I spent a number of hours in April debugging this "vulnerability", only to find that the code WASN'T vulnerable, the tester was stupid. I question the intelligence of a company that sells such a stupid tool for large amounts of money. Or maybe I should question the ethics of such a company, when the SECURITY TOOL has the same problem over 6 months after it was reported to them. They say they're quick to pick up on the latest web security issues, and developing tests to detect them.... Guess figuring out how to avoid FALSE POSITIVES isn't part of their repertoire...
          Jeff
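The token scheme Jeff describes in his two posts above (a token unique to each page request and good for one request only, carried in a form field whose name is randomized, with a forced logout and a 120-second refusal of the origin IP when it is tampered with) together with the same-origin framing fix for the clickjacking findings, as an added Python illustration. This is not code from the thread or from his system; the class, method and helper names are assumptions, and the store is an in-memory stand-in.

```python
import hmac
import secrets
import time

# Added example, not the poster's code. Mirrors what the thread describes:
# a CSRF token that is unique per page request, valid for one request only,
# carried in a form field with a randomized name, and, on tampering, a forced
# logout plus a 120-second refusal of the origin IP. Names are assumptions;
# the two headers are the standard way to ask a browser to enforce
# same-origin framing (the thread's clickjacking fix).

BLOCK_SECONDS = 120


def frame_protection_headers():
    """Response headers telling the browser to refuse framing from other origins."""
    return {"X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "frame-ancestors 'self'"}


class SessionStore:
    """In-memory sessions and per-IP lockouts (constructed stand-in for a real store)."""

    def __init__(self, now=time.monotonic):
        self.now = now        # injectable clock so the lockout window can be tested
        self.sessions = {}    # session id -> {"pending": {field_name: token}}
        self.blocked = {}     # client ip -> time at which requests are accepted again

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"pending": {}}
        return sid

    def issue_token(self, sid):
        """Return (field_name, token) to embed in a form; the pair is good for one request."""
        field = "f" + secrets.token_hex(8)   # random name: nothing advertises itself as 'CSRFToken'
        token = secrets.token_urlsafe(32)
        self.sessions[sid]["pending"][field] = token
        return field, token

    def verify(self, sid, ip, form):
        """Consume a pending token found in `form`; any failure logs out and blocks `ip`."""
        if self.blocked.get(ip, 0) > self.now():
            return False                     # still inside the refusal window
        sess = self.sessions.get(sid)
        if sess is None:
            return False
        pending = sess["pending"]
        for field, supplied in form.items():
            expected = pending.get(field)
            if (expected is not None and isinstance(supplied, str) and supplied.isascii()
                    and hmac.compare_digest(supplied, expected)):
                del pending[field]           # single use: replaying the same token fails
                return True
        # Missing, altered or replayed token: destroy the session, refuse the IP for a while.
        del self.sessions[sid]
        self.blocked[ip] = self.now() + BLOCK_SECONDS
        return False
```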


          • You're going to love retirement



            • if I keep to my current schedule, I'm still about 50 years away from retirement.
              Jeff


              • I am not a computer geek, but my husband is. He told me a computer geek joke about UDP, which I would tell to you, but you probably wouldn't get it.

                Lori
                RiderCoach since 2010
                I think I've finally figured out what I want to be if I ever decide to grow up.

                '17 Kawasaki NINJA 300 ABS KRT ("Sheldon #3")
                '15 green Kawasaki NINJA 1000 ABS ("Sheldon 2"--'tis better to have loved and lost...)
                '10 Honda NT700V ("The DomiNaTor")--SOLD
                '08 green Kawasaki NINJA 250 ("Sheldon")--SOLD
                '05 Honda Shadow Aero VT750C-SOLD
                FUMAS: Harley-Davidson Rocker C, Kawasaki ZX25R!!!!!!!!!


                ATGATT: Because the laws of physics couldn't care less.

                Someday I hope to become the rider that my bike deserves.

                All the worry in the world doesn't prevent death. It prevents life.



                • Yeah, you would need TCP to make sure I got it.
                  Jeff


                  • Today, much stupidity accompanied the snow.

                    "We need you to include a bar code on the first page of the PDF you send, so we can scan it into our paperless office system."
                    "To do that, you need to print the PDF on paper, and run it through the scanner, where we could simply include the information that would go into the bar code into the file name of the PDF, so it would never need to be printed."
                    "So, how much to include the bar code?"

                    And the security people finally got around to doing the follow-up penetration test that they should have done after Christmas. As expected, it was pretty much clean... Except for 3 cases where their test tried to inject values that, while ignored by our system, got back a valid page, rather than getting an error.

                    Uh, the request was still valid after the invalid variables were discarded, so what's the problem? Again, stupid test program.

                    Ah, but that's next week...
                    Jeff


                    • Originally posted by WoodstockJeff:
                      Ah, but that's next week...
                      Next week came. And then this week.

                      We got an email saying that the last scan was "incomplete", with no other information. We know why it was incomplete. They didn't ask.

                      This week, they sprung another unscheduled scan on us. I was watching the logs for all the servers scroll by as they threw thousands of "bad requests" at them. And every once in a while... Everything would stop. "Ah, they screwed around with the CSRF token they claim we don't have." A few minutes later, it would start up again.

                      After 90 minutes, it all stopped.

                      Two days later, we get an email. "Can you enable our account again? It seems we got locked out."

                      So maybe this time they'll call and discuss the inadequacies of their testing methods.... Probably not.
                      Jeff


                      • Last week, one of our data sources stopped functioning for unknown reasons. We opened a trouble ticket, and were immediately told that the issue was with a server migration that was in process, and it would stabilize "in a few weeks".

                        Well, this wasn't a good outcome considering that the data was "mission critical" to one of the customers, so we experimented and devised a way to get the data, albeit by requesting it multiple times until a working server was found.

                        Less than 12 hours after we put the "fix" in place, the last of the working servers was taken off-line.

                        After a marathon programming session, we discovered the real cause - the data was being sent, but it was in invalid XML documents. Because the XML failed validation, the transfer program had no source of data. The XML contained non-UTF characters embedded in an allegedly UTF-8 XML document.

                        We added code to our application to strip out the non-UTF data and make the XML valid again, and canceled the trouble ticket with a message saying, "We found what you broke. We've worked around it."

                        "Oh, did you find that non-UTF characters were being inserted? We have programmers working on fixing that."

                        "And you couldn't tell us this 5 days ago, when you sent us off down a rabbit hole to a fix that almost worked, until you broke something else?"

                        Still no answer to that question.

                        Root cause is they switched from a database that stripped all non-ASCII characters from the data to one that had lots of marketing-added symbols that were non-ASCII and non-UTF (actually using a Windows codeset), and didn't realize that the data was different. Then they doubled down by not stopping the migration until they fixed the problem, AND "neglected" to inform anyone of the problem...

                        And they chastise us for not doing things in the proper "Enterprise" model, like they do...
                        Jeff
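The failure mode in the post above (a document that declares UTF-8 but carries Windows-codeset bytes, so XML validation fails and the consumer sees no data) and the workaround of stripping the non-UTF bytes, as an added Python illustration. This is not the poster's code or data: the sample document is constructed, the function names are assumptions, and the second repair (decoding the stray bytes as cp1252 so the symbols survive) is an alternative the thread does not describe.

```python
import codecs
import xml.etree.ElementTree as ET

# Added example, not the poster's code. A constructed XML document that declares
# UTF-8 but carries Windows-1252 bytes (0x93/0x94 are cp1252 curly quotes, 0x99 is
# the trademark sign; none is valid UTF-8), the parse failure it causes, and two
# repairs: stripping the bad bytes, as the thread did, or decoding them as cp1252
# so the "marketing-added symbols" survive. Function names are assumptions.

SAMPLE = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<feed><item id="1">Plain text</item>'
    b'<item id="2">Special \x93deal\x94 \x99 today</item></feed>'
)


def parses(data: bytes) -> bool:
    """True if the document is well-formed under its declared encoding."""
    try:
        ET.fromstring(data)
        return True
    except ET.ParseError:
        return False


def item_texts(data: bytes) -> list:
    """Text of every <item>, in document order (what the transfer program would consume)."""
    return [item.text for item in ET.fromstring(data).iter("item")]


def strip_non_utf8(data: bytes) -> bytes:
    """Drop every byte that is not part of a valid UTF-8 sequence (the thread's workaround)."""
    return data.decode("utf-8", errors="ignore").encode("utf-8")


def _cp1252_fallback(err: UnicodeDecodeError):
    """Error handler: decode the offending bytes as Windows-1252 and resume after them."""
    bad = err.object[err.start:err.end]
    return bad.decode("cp1252", errors="replace"), err.end


codecs.register_error("cp1252-fallback", _cp1252_fallback)


def transcode_non_utf8(data: bytes) -> bytes:
    """Alternative repair: keep the symbols by reading stray bytes as cp1252, then re-encode."""
    return data.decode("utf-8", errors="cp1252-fallback").encode("utf-8")
```

Either repair yields a document that validates; the stripping variant silently loses the symbols, which is acceptable for the thread's case but worth logging so the upstream breakage stays visible.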


                        • Another year (or so), and multiple rounds of stupidity.

                          Today, I get an email advising me that I have to take training in how to recognize phishing attempts. I returned the email to the IT department of the community college with multiple highlights, pointing out the "phishing attempt warning signs" that their message had, including "go to this server on some other domain, and enter your college login credentials", failure of multiple forms of message origin authentication, and origin from a system known for a high percentage of compromised accounts.

                          We'll see tomorrow whether or not I still have to take the training.

                          And the PenTest antics of yesteryear continue, although the person in charge of running them now knows (mostly) what will break their tester. And since we have a copy of the tester, we have been tweaking things between their tests. Not in ways that are specific to breaking the tester, but ways that fix what the tester is trying to find. We're down to zero defects found in our testing, but...

                          Their latest issue was that if you included a test for SQL and LDAP injection, you got different page content back than if you didn't have the test. Of course, every successful submission will return unique information; the injection was completely ignored (LDAP isn't even installed). "Oh, we'll have to ignore those results."

                          I'm waiting for them to ask about why they keep getting logged out when testing things that we feel SHOULD log them out.
                          Jeff


                          • Phishing email test: The one I reported recently was NOT the phishing email test. It was an actual "you must complete this task" assignment on privacy, explaining how we had to avoid asking for information that would be "sensitive in nature" and "subject to privacy laws". You know, the kind of thing that we're required to ask to fulfill our jobs.

                            The actual test email arrived this week. It was so painfully obvious that you'd think no one would fall for it. Really, "Macrosft Outl00k security department"? Obviously fake logos with typos, rather than image links to genuine sources? Content so screwball that even Microsoft Office365's servers flagged the message as a phishing email in a banner across the message, before displaying it to the user?

                            But, like their last test, they'll probably get a 20-30% hit rate. And most of those will probably be the "social media" types that believe whatever is sent to them.

                            But, I don't envy their IT people. I only have to teach email paranoia to 5 people, not more than a thousand.
                            Jeff