I work at a Top Secret Organization, AM(A)A

Status
This thread has been locked.

Pleaded

Supreme
Feedback score
0
Posts
45
Reactions
16
Resources
0
How did I get the job?
I applied to typical cyber security jobs. The interviews looked like a usual job interviews. After the interviews (over 12) I had to sign NDA and was invited to do a polygraph test as a part of the security clearance. I didn’t know exactly what or who until I joined.

How do I know the information isn’t in the wrong hands?
I don’t. But I trust the people I work with to do their job. Everyone was hand-picked.

I can tell that the full application process took over a year and a half!

What’s the purpose of the organization?
Unfortunately, I can’t seem to figure out a way to discuss this without hinting towards which organization that is.
So I guess this top secret organization isn't really top secret if anyone can use the information to find out what the organization is and where it's based. Have you come across anything disturbing? And if so how did you react when you saw it. Also have you ever considered leaving the organization and if so why, and why did you decide not to.
 

on

• Previously Cornflakes •
Supreme
Feedback score
22
Posts
681
Reactions
328
Resources
0
i’m guessing you’re under some agreement like NDA to stop you from telling everyone what’s going on?
 

MaccariTA

Feedback score
4
Posts
201
Reactions
47
Resources
0
So I guess this top secret organization isn't really top secret if anyone can use the information to find out what the organization is and where it's based. Have you come across anything disturbing? And if so how did you react when you saw it. Also have you ever considered leaving the organization and if so why, and why did you decide not to.
The interviews took places in location not related to the original organization. The "public" organization name is a cover for it's real identity. I have considered leaving simply for the money in the private market, but I decided not to because I am enjoying what I do and I feel like it's important.

I have seen some disturbing things happen, sometimes, things don't go as expected.
I guess both the fact that I am apathetic and that I know things don't always go as expected made my reaction kinda "shrug"-ish.

i’m guessing you’re under some agreement like NDA to stop you from telling everyone what’s going on?
I have obviously signed documents that prevents me from disclosing classified information. However, there are things I can say as you can tell from the thread.
 

dxn

Supreme
Feedback score
47
Posts
248
Reactions
974
Resources
0
Assuming that you have had other companies contact your company regarding data breaches, what's the most advanced attack vector you've seen happen? Alternatively, what's the most common one you've seen.

If not, what's the most advanced exploit that you've seen in other companies, and how were they fixed?
 

MaccariTA

Feedback score
4
Posts
201
Reactions
47
Resources
0
What skills are required?
Are you referring to my position?

This really depends on the position. A special agent doesn't need the same skills as a cyber security specialist.
Assuming that you have had other companies contact your company regarding data breaches, what's the most advanced attack vector you've seen happen? Alternatively, what's the most common one you've seen.

If not, what's the most advanced exploit that you've seen in other companies, and how were they fixed?
Cool question!

I assume you're speaking about the first hop of the attacker.
Most advanced attack vector I've seen is definitely physical access.
Most common would be either social engineering or misconfiguration.
 

dxn

Supreme
Feedback score
47
Posts
248
Reactions
974
Resources
0
Are you referring to my position?

This really depends on the position. A special agent doesn't need the same skills as a cyber security specialist.

Cool question!

I assume you're speaking about the first hop of the attacker.
Most advanced attack vector I've seen is definitely physical access.
Most common would be either social engineering or misconfiguration.
What other types of misconfigurations are there? e.g. LFI / RFI, SQLi, etc.
 

MaccariTA

Feedback score
4
Posts
201
Reactions
47
Resources
0
What other types of misconfigurations are there? e.g. LFI / RFI, SQLi, etc.
The examples you have given are considered web exploits more than misconfiguration, but well, you can count them because some of these may happen because of old CMS and etc.
The thing that makes misconfiguration so common is the variety of places they can happen and the fact each of these alone looks harmless until you connect the dots.

Let's give a 100% misconfiguration based attack flow on a Minecraft server. I will not say what the misconfiguration is, see if you can get it. I'll then give a brief explaination as of the misconfiguration of each point.

Attack flow:
1) Login to a FTP server and download one of the plugins' config that contains credentials to the SQL server.
2) Connect to the SQL server (because it is not configured to allow connection specifically to the IP of the remote website using the database) using the credentials we got from the config file.
3) Pulling the website's admin panel credentials [username:md5(pass)] from the database.
4) Logging in the panel as administrator, uploading a webshell.
5) We take the private ssh keys from ~/.ssh/
6) We connect to the Minecraft's server using SSH.
7) rm -rf --no-preserve-root /

Brief explanation of the misconfigurations:
1) Login to FTP server was done without any specific credentials. Perhaps anonymous login is enabled and not limited? FTP server is old and contains vulnerabilities? What about default passwords or weak passwords? Did we say anything about the fact that the credentials are stored plain-text in the config file?
2) SQL server is not configured to allow connection specifically to required IPs, but rather open for anyone.
3) The plugin uses root/dbo as the SQL user and doesn't have a dedicated user so we have access to the credentials although they're in another table or database. MD5 is deprecated and can be easily cracked with today's measures, and on top of that - no salt was added to the users passwords.
4) The upload feature on the admin panel trusts the user input and lets him upload file of any extensions (php, aspx, jsp).
5) The web-server process was executed as root/Administrator, therefore we have full control over the machine (instead of having just the website user permissions)
6) SSH is not open for specific IPs but rather for everyone, the SSH private key doesn't have a passphrase so we can just use it.
7) No misconfiguration here, you're screwed.
 

bt2S5NpQVjX9yGNKJ

Deactivated
Feedback score
6
Posts
183
Reactions
127
Resources
0
What's the biggest "f" up you've seen or done that cost a company $$$ (Don't use names just say its a person, whether it's you or another person unless you feel comfortable sharing.[DOUBLEPOST=1567709286][/DOUBLEPOST]Also just a merge - Could you add me on Discord? I want to discuss cybersecurity in a Minecraft server more xD

(Discord is: O4M#7863)
 
Last edited:

MaccariTA

Feedback score
4
Posts
201
Reactions
47
Resources
0
What's the biggest "f" up you've seen or done that cost a company $$$ (Don't use names just say its a person, whether it's you or another person unless you feel comfortable sharing.[DOUBLEPOST=1567709286][/DOUBLEPOST]Also just a merge - Could you add me on Discord? I want to discuss cybersecurity in a Minecraft server more xD

(Discord is: O4M#7863)

I think my biggest one was screwing over a SSD lol.
Biggest I've seen was another person's mistake. It was priceless, very sad day.
 

utaninja

( ̄^ ̄ )ゞ
Supreme
Feedback score
36
Posts
1,360
Reactions
940
Resources
0
I’ve been switching over a lot of programs to be more protected/safe.

All of my passwords are 20+ letters. I now use Firefox and DuckDuckGo. I have a VPN and 2FA on everything. I’m also switching over to protonmail. What else should I be doing?
 

MaccariTA

Feedback score
4
Posts
201
Reactions
47
Resources
0
I’ve been switching over a lot of programs to be more protected/safe.

All of my passwords are 20+ letters. I now use Firefox and DuckDuckGo. I have a VPN and 2FA on everything. I’m also switching over to protonmail. What else should I be doing?
Just one more thing - stop being paranoid.

Seriously though, I can tell you that if someone powerful truly wants to get you. He will. It's just a matter of time and these things just make it harder for him. Some make virtually no change, and some can make a difference.

It all depends who you're trying to protect yourself from and why.
 
Last edited:

MaccariTA

Feedback score
4
Posts
201
Reactions
47
Resources
0
How long have you been in this organization?
Tell us about a co-worker that you are surprised had gotten into the organization.
~2 years

There were 2 co-workers I was very surprised to see. One was an old woman (around 70 years old).
The other was a person that should've been jailed but instead was offered to join under a few terms because he was very talented at what he did.
 

User

i left click on lego people
Supreme
Feedback score
107
Posts
3,721
Reactions
2,538
Resources
0
From what you've seen, are there any significant cyber security applications/companies (VPNs, antiviruses) that have malicious intent?
 
Status
This thread has been locked.
Top