    security
    • gjacobse

      NAS Share issue: NFS or SMB

      IT Discussion
      • readynas nas security • • gjacobse
      0 Votes, 17 Posts, 949 Views

      JaredBusch

      You can set static entries in EdgeOS.

      Always set DHCP to give out the ERL for DNS.

        set service dhcp-server shared-network-name LAN subnet 10.254.103.0/24 dns-server 10.254.103.1

      Always set the ERL to look at itself for DNS (127.0.0.1).

        set system name-server 127.0.0.1

      Make sure that DNS is listening on your LAN ports.

        set service dns forwarding listen-on eth1
        set service dns forwarding listen-on eth1.2

      Set DNS forward lookup to whatever.

        set service dns forwarding name-server 10.254.103.4 # my Pi-Hole
        set service dns forwarding name-server 1.1.1.1

      If you are on a domain, tell EdgeOS to forward those to the DC.

        set service dns forwarding options server=/ad.domain.com/10.254.0.21
        set service dns forwarding options server=/domain.local/10.254.0.21
        set service dns forwarding options server=/domain/10.254.0.21

      Set up your static DNS entries.

        set system static-host-mapping host-name nas inet 10.254.103.7
    • scottalanmiller

      Windows 10 Allowing a Regular User to Launch One Application as Admin

      IT Discussion
      • windows windows 10 security runas sudo runastool • • scottalanmiller
      3 Votes, 6 Posts, 806 Views

      JaredBusch

      The first time it is used, we have to manually type the domain\localadmin password.
      After that it is stored in credential manager.

    • scottalanmiller

      Report: US Cyber Command took Russian trolls offline during midterms

      News
      • security us cyber command ars technica • • scottalanmiller
      0 Votes, 2 Posts, 487 Views

      M

      This is getting lost in the news today with everything else going on. This is incredibly important.

    • gjacobse

      RedKey - Kickstarter Project

      IT Discussion
      • security diskwipe killdisk nukeit redkey kickstarter • • gjacobse
      0 Votes, 19 Posts, 954 Views

      gjacobse

      @DustinB3403 said in RedKey - Kickstarter Project:

      @gjacobse did you say you're a donator on this Kickstarter?

      What about this was attractive?

      NOT for this project.. no -

    • scottalanmiller

      Microsoft culls secret Flash whitelist after Google points out its insecurity

      News
      • microsoft flash ars technica security • • scottalanmiller
      1 Votes, 5 Posts, 729 Views

      wrx7m

      @IRJ said in Microsoft culls secret Flash whitelist after Google points out its insecurity:

      @scottalanmiller said in Microsoft culls secret Flash whitelist after Google points out its insecurity:

      Others seemed more peculiar; a Spanish hair salon, for example, was listed.

      Wtf

      I wonder if it was always a Spanish hair salon or if someone else owned it.

    • JaredBusch

      Roll20.net breached

      News
      • security breach roll20 • • JaredBusch
      3 Votes, 3 Posts, 518 Views

      dafyre

      @scottalanmiller said in Roll20.net breached:

      Sucks when a site / business like that gets hit. Just people looking to have fun 😞

      Yeah. But at least they didn't store the passwords in clear text!

    • scottalanmiller

      2.7 million calls to Sweden's public healthcare hotline open to the public

      News
      • security breach • • scottalanmiller
      0 Votes, 5 Posts, 471 Views

      D

      Another day, another security breach/problem.
      Note to myself: Am I getting used to that?

    • scottalanmiller

      Kerio Control "license error: license exhausted, cannot allow another host"

      IT Discussion
      • kerio firewall router security networking kerio control • • scottalanmiller
      1 Votes, 4 Posts, 1.2k Views

      scottalanmiller

      @pmoncho said in Kerio Connect "license error: license exhausted, cannot allow another host":

      Based on the couple posts I have seen, each registered user can have five devices. So, if they have 30 devices, they need 6 user licenses. Did they add any extra devices lately?

      Easily, but more likely they just let their license expire.

    • scottalanmiller

      Researchers use Intel SGX to put malware beyond the reach of antivirus software

      News
      • ars technica intel processor intel sgx malware ransomware security • • scottalanmiller
      1 Votes, 3 Posts, 753 Views

      scottalanmiller

      @stacksofplates said in Researchers use Intel SGX to put malware beyond the reach of antivirus software:

      Did you see what Intel said regarding this:

      Intel is aware of this research which is based upon assumptions that are outside the threat model for Intel SGX. The value of Intel SGX is to execute code in a protected enclave; however, Intel SGX does not guarantee that the code executed in the enclave is from a trusted source. In all cases, we recommend utilizing programs, files, apps, and plugins from trusted sources. Protecting customers continues to be a critical priority for us and we would like to thank Michael Schwarz, Samuel Weiser, and Daniel Grus for their ongoing research and for working with Intel on coordinated vulnerability disclosure.

      Outside of the threat model?.........

      Haha, whatever that means.

    • DustinB3403

      OSX Shell Error Operation Not Permitted

      IT Discussion
      • apple osx quarantine shell bash scripting security troubleshooting brew • • DustinB3403
      2 Votes, 2 Posts, 716 Views

      DustinB3403

      Just used this again today, as another script I have had this attribute.

      Not sure when the attribute was written to the script though. But it's working now.

      This is the full error.

      /bin/sh: bad interpreter: Operation not permitted
    • scottalanmiller

      Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah

      IT Discussion
      • msp ransomware security breach • • scottalanmiller
      6 Votes, 111 Posts, 12.7k Views

      scottalanmiller

      @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

      @Pete-S said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

      @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

      @Dashrender said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

      @dafyre said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

      @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

      All it takes is one absentminded click or drive-by that's completely shielded from us as we go about the day to day stuff and it's done. Game over. Say, "Bubbye".

      There's always going to be that risk or one absentminded click.

      Granted an Air-gapped PWA is a good way to handle it.... but so is not saving passwords in RDP files (I don't do this), and if you use an app like MobaXterm that can encrypt the files for you, use a good pass phrase.

      However if your admin machine is owned, you have bigger issues to start with.

      Well, the idea is that the air-gapped machine won't ever be in a situation to become compromised, is my guess. I haven't had a chance to look at the MS link Philip sent earlier.

      There are several ways to implement with the simplest being the main machine having two VMs installed on it. One for day-to-day and one for client/systems management. Nothing is done on the machine itself with all designated tasks being done in their respective VM.

      We have a number of laptops that came back from client refreshes. So, we're using them as our dedicated management machines. Asus makes a great external USB3 DisplayLink and DisplayPort external monitor that allows for two screens. That makes the work easier.

      There is security leakage between VMs on a client machine for instance over clipboard.

      Have a look at Qubes. https://www.qubes-os.org/

      It's probably the best implementation of security separation to date.

      Using the Hyper-V VM Console without RDS pass-through eliminates any access to the VM beyond console.

      Same with KVM or whatever.

    • scottalanmiller

      MSPs the New Hacker Target?

      IT Discussion
      • msp security • • scottalanmiller
      4 Votes, 30 Posts, 2.0k Views

      scottalanmiller

      MSP Maturity Model. Strictly speaking, the MSPMM does not tell MSPs to make all of their customers identical. But in practice, it encourages it and many MSPs talk about the MSPMM in these terms - finding ways to make customers all run the same tools, software, practices, network design, etc. This makes management so much easier for the MSP, but has two major problems.

      First, it forces the customer to conform to the vendor, which makes very little sense. IT needs to adapt to the business, not the business to IT. But that's another topic.

      Second, it means that an attack vector that works on the MSP will likely work on every single one of their customers making the prospect of breaching the MSP that much better. Sure, if a targeted attack by experienced state-sponsored hackers goes after an MSP, the MSP has little chance of winning that battle. But that isn't the real risk. In the real world, the risk is automated attacks looking for common vulnerabilities and spreading organically through shared tooling - things that are only possible or reasonably likely when the environments are homogeneous: both amongst the MSP clients, and between clients and the MSP themselves.

      The traditional approach of MSPs, especially VAR - MSP combo companies, is to have not only the same tools and software, but even the same hardware and products so that any hole anywhere becomes a hole everywhere and breaching any one piece of the infrastructure means you are likely to breach it all.

    • WrCombs

      Couples Nest Security Hacked

      Water Closet
      • wificameras camera security securityawarenesstraining • • WrCombs
      0 Votes, 81 Posts, 5.6k Views

      tonyshowoff

      @JaredBusch said in Couples Nest Security Hacked:

      @scottalanmiller said in Couples Nest Security Hacked:

      @tonyshowoff said in Couples Nest Security Hacked:

      Crackers, not hackers bro.

      Or whatever 1980s, early 90s jargon file stuff people tried to recapture from the media. I am a total green hat, I will be as black or white hat as you pay me to be and I've been paid well to do really mundane shit over the years and sometimes fun stuff.

      Rainbow hat

      Stay away from my, almost rainbow, plaid fedora.

      I'll recruit you yet.

    • Emad R

      Infected PHP PEAR reverse shell

      IT Discussion
      • php pear security • • Emad R
      2 Votes, 1 Posts, 350 Views

      No one has replied

    • anthonyh

      Zimbra, fail2ban, CentOS 7, and firewalld

      IT Discussion
      • zimbra fail2ban email security • • anthonyh
      0 Votes, 10 Posts, 2.3k Views

      dbeato

      @anthonyh said in Zimbra, fail2ban, CentOS 7, and firewalld:

      @scottalanmiller said in Zimbra, fail2ban, CentOS 7, and firewalld:

      https://arstech.net/zimbra-fail2ban-setup/

      I came across that article and it's the most promising. Though it's still an iptables-based fail2ban configuration. I'm not sure if it's as simple as changing the references to iptables or if tweaking it to work with firewalld is more involved.

      I suppose an option is to disable firewalld and install iptables. I've done that before in the past.

      Hmm...

      That's probably what they did, because you need to disable firewalld to enable iptables.

    • BackupGal

      [Free Event] MSP Security Collaborative - Houston Edition (Toyota Center)

      Self Promotion
      • unitrends backup disaster recovery msp security • • BackupGal
      3 Votes, 11 Posts, 967 Views

      scottalanmiller

      In the event now.

    • BRRABill

      Local Encryption Scenarios

      IT Discussion
      • security encryption full disk encryption • • BRRABill
      1 Votes, 45 Posts, 3.2k Views

      Donahue

      @Pete-S said in Local Encryption Scenarios:

      @DustinB3403 said in Local Encryption Scenarios:

      @Pete-S said in Local Encryption Scenarios:

      @DustinB3403 said in Local Encryption Scenarios:

      @Pete-S said in Local Encryption Scenarios:

      Anyway, in the case of the CPA we are talking about material that is not really sensitive at all.

      The data files could be secured the same way as any paper records. Locked in a safe when not in use.

      That would be the same as being encrypted, since the lock on a safe = encryption and the physical key = the passphrase to decrypt the drive or data.

      Well, in principle only. You can walk away with the encrypted computer but it would be harder with the safe.

      In most cases physical security is about delaying. You can smash and grab a laptop from the office window but it would require a lot more time to break in properly and then open a safe before someone shows up.

      You have those examples a bit mixed up.

      The comparable scenario would be "getting to the data" The physical medium housing that data doesn't matter.

      You break the lock, you get the data. If you break the encryption key you get the data.

      But a physical lock is likely easier to break and get into whatever than it would be to decrypt an encrypted volume.

      Reminds me of this classic:

      there is ALWAYS a relevant xkcd

    • DustinB3403

      Home Security Systems using WyzeCam and PoE Splitters

      IT Discussion
      • zoneminder wyze security surveillance poe usb • • DustinB3403
      1 Votes, 20 Posts, 1.8k Views

      DustinB3403

      @Pete-S said in Home Security Systems using WyzeCam and PoE Splitters:

      There are so many real surveillance cameras for little money that are made for the purpose already. For instance this outdoor model for less than $30:

      https://www.ebay.com/itm/Hikvision-DS-2CE16D0T-IRF-HD-1080P-IR-20m-IP66-2MP-Bullet-camera-outdoor/264073885252

      To get real coverage you need different lenses in different applications and indoor and outdoor options as well. Installing cameras, wiring it all up and installing software and having storage, backups etc and keeping everything running is too much work to save a few bucks.

      The hikvision cameras apparently are utter crap and worth avoiding.

    • wrx7m

      Website Security Auditor Recommendations Wanted

      IT Discussion
      • wordpress hacked website security security audit aws audit • • wrx7m
      2 Votes, 5 Posts, 693 Views

      dbeato

      You can also do a free test from Qualys
      https://www.qualys.com/free-services/
      https://www.qualys.com/community-edition/

    • mroth911

      locking down network

      IT Discussion
      • ubnt edgeos edgerouter ubiquiti networking opendns dns security • • mroth911
      1 Votes, 25 Posts, 2.3k Views

      Dashrender

      @mroth911 said in locking down network:

      So basically I am helping with my church/school. They need to connect to the Apple/Android store and YouTube, but social media sites locked down and p2p networks and anything inappropriate for K-12.

      So OpenDNS is doing the trick for now. However, there is no cherry picking, and certain users need the ability to connect to Facebook as well. Posting via webpage what is going on in school etc.

      That's the situation at hand.

      They received a letter that someone on the network was downloading from BitTorrent, and it broke digital media anti-piracy law, etc. So they are naturally freaking out.

      This is something I want to set up and walk away. I am just doing this to help them.

      Blocking Bittorrent without an application level firewall isn't that easy. Talking to the tracker happens via DNS, but talking to the other clients normally is just via IP address.

      You could block all non needed outbound ports - but again, I think Bittorrent can work over port 80 and 443, so not really that helpful.
