Profile picture
, 5 tweets, 1 min read
My Authors
Read all threads
Hey infosec peeps, it's been a weekend full of enterprise change management and still learning how to do proper remote administration. Now would be a great time to:
* Scan external ranges for RDP open to the Internet, if found ensure it is configured with NLA 1/
* Review DNS logs for evidence of remote access products installed internally. These include: TeamViewer, GotoMyPC, LogMeIn, etc.
* Examine netflow for abnormally long connections that shouldn't be there, e.g. illicit outbound VPNs used as a reverse tunnel for access. 2/
* Audit your administrative groups for new members since the WFH migration began. A lot of organizations delegated new permissions on the fly to get people taken care of. Are these still needed?
* In addition to RDP exposed to the Internet, what other ports are there? SSH? 3/
* Finally, and this is a big one: review your firewall rules for changes in the last 30 days. Most organizations made some changes to support remote work in the moment that sacrificed confidentiality for availability. Hunt those down and start securing them if possible. /FIN
This is obviously not an exhaustive list, but it's where I'd start looking for low hanging fruit in an environment right now (and low hanging fruit is also what most attackers are looking for).
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Jake Williams

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @MalwareJake see all

Profile picture
Jake Williams
@MalwareJake
I have an interesting ethical quandary. Is it ethically okay to use COVID-19 themed phishing emails for assessments and user awareness training right now? Please read the thread before responding and RT for visibility. 1/
In most assessments, we use topically themed email pretexts. First, because they work. But also because real threat actors don't send "Helo, I am Nigeria prince, clock attackment."

The @RenditionSec incident response practice tells us that topically themed emails WORK. 2/
Attackers use them and they're exceedingly successful when they do. People always strive to fill an information void. The multitude of emails from vendors in the last few days means they're even expected. Intuitively, we should train users before they fall for an attacker. 3/
Read 8 tweets
Profile picture
Jake Williams
@MalwareJake
So this is no doubt going to be fun. However, let's be realistic about risk:
1. Core SMB sits in kernel space and KASLR is great at mitigating exploitation.
2. Asssuming this is kernel space, any unsuccessful exploitation results in BSOD. 1/
zdnet.com/article/detail…
3. Nobody has working PoC trigger code yet that I'm aware of, though the description tells us where to look for the vuln.
4. Many orgs bit by WannaCry and NotPetya have looked at how they segment networks and how they treat SMB in general (though many have not). 2/
5. Even with trigger code, you still have to remotely bypass KASLR (not an easy task). If you need proof, look at BUCKEYE. They had the EternalBlue trigger, but had to chain it with another information disclosure vulnerability to gain code execution. This isn't easy. 3/
Read 4 tweets
Profile picture
Jake Williams
@MalwareJake
Can we stop pretending that taking/sharing pictures when you're in a public place is some sort of huge OPSEC issue? A few notes:
1. You're in a public place
2. The people most worried about this are usually the least interesting
3. You're already on CCTV, which may be shared
1/
If you're worried about risks of facial recognition, watch the @shmoocon talk from @LawyerLiz and @SuchiPahi on facial recognition policy. I don't think the cameras are going away at this point. That ship has sailed, can't close Pandora's box, etc. 2/
But debates about the policy on what big companies and government agencies can and can't do with facial recognition technology is still very much happening. You can (and should) get involved, even if that's just contacting your elected representatives and helping to educate 3/
Read 5 tweets

Related threads

Profile picture
UM Bentley Library
@umichBentley
Now could be a great time for you finally organize your digital photographs. Here are some tips from Bentley Archivist Aprille McKay: @aprillem /1
First, figure out where your photos are. On your phone? Hard drive? Online image services such as Flickr, Facebook, GooglePhoto, Instagram? /2
Second (this is the hard part), make decisions about which photos are most important. Be picky! You're more likely to follow through if the project size is not overwhelming. And always keep the copy with the highest resolution. /3
Read 7 tweets
Profile picture
Charlie Jane Anders (pls subscribe to @OOACpod!)
@charliejane
Hey if there's an independent business in your area that you really love and want to see stay in business, now would be a great time to give them extra support. Restaurants, bookstores, cafes, etc. You don't have to hang out in a public place, but you can still buy stuff.
Among other things, I'm gonna make an effort to buy more stuff from @comixexperience, @borderlands_sf, @WickedGrounds, @Booksmith, @GreenAppleBooks, @PapaloteSF, @CityLightsBooks & other local institutions. And lotsa Chinese restaurants/markets. What places do you wanna support?
Now that I just had to cancel an event due to COVID-19 concerns, I want to underscore that it's *incredibly important* to support the local businesses you care about right now. Everyone is going to be taking an economic hit, and some places may not survive.
Read 9 tweets
Profile picture
Daniel Sinclair
@_DanielSinclair
Now Japan too 👀 https://t.co/9yeEsUGHDx
It’s probably a good time to remember that the 2002 SARS outbreak killed 774 people across 37 countries and it had a 10% mortality rate. This one looks less deadly, but also looks ripe to — and actively is — going global. on.ft.com/2u6G7zV
Umm, any of y'all have room in your bunker? The Chinese government was withholding the severity of this outbreak & transmission capability, and the number of coronavirus cases has exploded😷
Read 2391 tweets
Profile picture
Tim Myers
@denvercoder
#infosec peeps

I was in my T-Mobile account. I closed the tab and then realized there was something I wanted to look at. Out of habit, I hit ctrl+shift+T and it opened the tab with my account still in place (I was still logged into my account). Isn’t this a security risk?
And look, I know someone is going to be like, "You should only use an incognito window in a Tor browser on a VPN and then burn your PC when you get done accessing your account"

I know how to prevent this from happening. I'm thinking about your average user.
My thinking is that someone could be working the front desk at some company and a Social Engineer could walk in and say, "Can you run and get Bill for me real quick" and when they leave they could hit C+S+T a bunch of times and maybe get access to stuff. 🤷‍♂️
Read 3 tweets
Profile picture
John Anderson
@jja0
Hey #infosec peeps! I got locked out of an account so I had to call customer service.

The rep asked for PII, and then unlocked my 2FA. She literally said this: "They ask the most stupid questions ever that nobody can remember. I suggest you pick 3, then screenshot it"
So, I refreshed my screen, and I enountered the worst choice of 2FA questions ever. I literally have no idea what the last name of my best friend from 3rd grade is. His first name is Toure, and I'm friends with him on FB these days, but who in the hell knows that when they are
literally, at best, 8 years old. May I humbly suggest that, if your own front-line CSRs are telling your customers to "just screen shot your 2FA answers" you are hands down, doing it wrong? Asking for a friend.
Read 3 tweets
Profile picture
TProphet
@TProphet
1/ I have been running startups and out of managing IT projects for about 5 years. Dove back in last week and it is like nothing has changed except the faces and place. Security architect is a different lens, but good IT hygeine is good security hygeine.
2/ This position would have been a big step up for me and might have been out of my depth the last time I was working on similar projects. Now, it's not quite a cake walk, but I feel confident in a way I never really have running startups.
3/ So much of security comes down to doing IT right. Having a sane inventory and reliable change management processes and documented procedures is honestly at least 50% of it. It's an easy but very expensive corner to cut.
Read 4 tweets

Trending hashtags

#7Steps #socialimpact #SitYourAssDown #Small #MicroCPD #GrahamGibbs #benefits #lawyers #Active #COVID2019 #structure #law #CognitiveTheory #studentengagement #ReadingList #tweetstorm #MaskBan #coronapocalypse2020 #interactive #Assessment #Unmissable #HotOffThePress #Use #24Hours #care

Embed code for your website

×
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!