BlackRoomSec Profile picture
Hacker. Technical Muppet. Fun Dip enthusiast. My Asset Management ebook out now: https://t.co/luimEfAj83
Feb 22 16 tweets 4 min read
So, to test ChatGPT's Crazy meter today, I asked it to simulate the Kobayashi Maru, which is the "unwinnable" test in the Star Trek canon that Captain Kirk hacked to his advantage. Here is my hack. I can't stop laughing.

Thread mode activated. Image
Nov 12, 2023 4 tweets 7 min read
Yes, I'll turn this into a mini thread for you. I hope this helps you as it helped me :)

RTFM
You've probably seen the acronym "RTFM" many times and have probably also seen many people poke fun at it because manuals, as a general rule, aren't very interesting to read. Unless you're like me and love them, that is. One of my father's favorite things to say to me is "Most people when they want to read a book pick up Moby Dick but not my kid! She reads technical manuals for fun!"

My father's acerbic wit aside, manuals contain very important pieces of info on the devices/software/etc they go to which can teach you how best to use/interact with them. If my father would actually read one, he wouldn't have to call me all the time just to operate his television.

Before you tackle any project, check your ego at the door and operate from the assumption that you know very little about what you are about to do, even if you know you know a lot. Pretend you don't and something magical will start to happen as you practice this behavior: eventually you'll be learning things you didn't know about the things you do.

I have installed Linux and Windows thousands of times over in my life and career. I still make mistakes. And, every time I've made a mistake it was because I either didn't read the instructions fully or I was rushing through it thinking I had it in hand.

As an example, let's say you've been given the task of setting up an APC battery on someone's computer. You open the box and go to plug it in and it doesn't work, because let's be honest, this isn't a hard task, right? This is because the battery isn't correctly assembled and you missed a step. Inside the box and the manual there is a page with a huge red stop sign that says to open the battery and plug the positive/negative terminals in before use. Do that and then when you plug it in, it will turn on.

Here's a real life example of a situation I inherited that concerned an APC UPS with servers attached to it: I walked into a server closet and saw the UPS on the floor (not rack-mounted as it should've been - the "IT Manager" didn't know how to rack mount it I was told) plugged into a surge protector which was plugged into the wall.

I was NOT happy and smirked. I then turned to the manager in charge and said "Have you had a lot of power outages?" To which he responded "Yes, actually! If you could figure out why, we'd really appreciate it." I then pointed to the floor. "That is your problem. It goes directly into a wall, not into a surge protector. A UPS is a very expensive surge protector and by doing this you're causing it to shift to battery mode and could be causing voltage spikes."

Sheepishly, he unplugged it and the "outages" stopped.

Google why I said all of this but Schneider Electric writes down in their manuals why you should not do this. Two jobs ago I had a very close relationship with Schneider as part of my job but I have always had APC UPSes or battery backups at all jobs I've worked at going on thirty three years. The stop sign has always been there.

What if it was an application that you didn't read its manual and you install it, it's working, your boss is happy and sometime later you get hacked because you didn't know you had to not only change the default username and password but the developer had a note in the manual which said that you also had to turn a specific setting OFF otherwise you'd leave it open to attack. You might be wondering why they would ship it in such a state and that is a good question to research, too. Probably for testing purposes, if I had to guess. What if later on you read the manual and you learned that the application had an ACL (Access Control List) that would've allowed you to lock down access to the device from just your company's LAN which would've prevented the specific hack you fell victim to?

Read every manual. The developers of the application know their application better than you but as you read their instructions you learn valuable information for the next time but MOST importantly you learn so that should you encounter a situation where the manual isn't available or is incomplete, you can apply what you learned in previous similar tasks to this one.

Every thing I do my notes are in front of me no matter how many times I have done the same task. I prepare for everything ahead of time. Tomorrow I have four meetings scheduled. On Friday I printed out all the supplemental info I need for all four.

1/x
Security Baseline Checklists Are Your Friend
Want free training? Download security baseline checklists and learn how to do each task. It is a roadmap to securing whatever application/device it goes to. If you have the right type of license with O365, use Microsoft's Secure Score. It tells you exactly what you need to do to secure your O365 environment and checks off each task once it is completed.

Download NIST Cybersecurity Framework 1.0 and go through every section. **Please note the comment period for NIST CSF 2.0 is over as of 11/6/23 and it will be updated likely Q2 2024. GOVERN takes precedence. This is a free cybersecurity framework for securing everything at your org from servers, to applications to embedded devices and even mobile devices. It can be overwhelming so start with the first section "Identify" and as you go through it you will see that the first step is to identify what you have so you can then secure it all.

If you can't do this or don't have the access, use the NIST framework at home with what you own. Identify what you have, first. Write it down and pretend this is what you're managing at work. How the heck do you get all of it secured? You probably have a router, right? Is it at its most latest patch version (fully up to date?) Does it have WiFi capability? Do you have a guest network? Is its default username and password changed? Start slow. Take one device. Read its manual. Update it. Then start going over its settings. What can you eliminate? What seems like it might be a security risk to you? If you aren't sure, research how to secure it.

Use ChatGPT to walk you through some of the tasks in the baselines you don't understand. **But also do Google searches to ensure what the AI tells you is correct.

Ask it "Microsoft Secure Score is asking me to turn on my customer lockbox. What does this mean? Walk me through how to do this step by step and provide necessary links, please."
Oct 26, 2023 19 tweets 7 min read
Media Sanitization Thread

This is a sanitized version of the Media Sanitization Policy I created. I borrowed heavily from NYS IT policies so if you recognize the language, that is why. I'm interested in hearing your thoughts but please keep in mind the following:

* I cannot answer questions where the answers would expose sensitive info I am forbidden to divulge. I will not be terminated, I will be arrested, so if I don't answer, you know why.

* This was specifically written the way it was for our situation and environment. Yours will differ and you may have stricter requirements. You may have requirements which are less than mine. This is a *living* document subject to change and evolution based on factors outside my control.

*Yes, it may appear at one point I went overboard but I'm the boss so I get to insist on certain things when my neck is the one that is going to be on the line if mistakes are made. This Captain goes down with her ship. She doesn't pass the buck as you've seen in many, many breaches (and I'm not comfortable with that at all btw, it's gross REMEMBER TIMMY?😯)

* There is no wrong answer here. It is based on your org and requirements so tailor it to you if you decide to use it as a template.

* There are many, many other free tools available and different procedures to do the things I'm describing. I'm aware of them and have used thousands of tools in my career just as you have.

This document, though, is not just to be read by me or by those with my skill-level which is significantly greater than the audience it is designed for.

Not a brag, just fact. I've been doing IT and later cybersec stuff for over 33 years and hacked since Mitnick was in prison (plus donated to his defense) even though our last interaction was not civil here on Twitter.

Rest his soul. I was sorry to hear that he died.

With that said, this had to be tailored for the org, the environment and various skill levels.

I fully acknowledge I may have made mistakes because despite my experience, I do make them and I'm not ashamed to admit that.

I'm going to break it up and provide a few screenshots. I'm not quite sure if this is the right place to post this but I don't have time to maintain/secure my site so this will have to do. Excuse formatting/typos please.

Here are some links I think you should have if you don't know them already:





See the warning in red for guidance on why certain drives have to be connected directly to the mobo:



Here's a similar warning from Louisiana State U:


HDParm Man page (it's hilarious all the warnings)


DoD Standard - One of my old teachers helped write this. He made me teach DHCP once to a group of plumbers as punishment for hacking his workstation. True story 🤣


Replies will be staggered.
Image Image