What are examples of services that use Kerberos for signing in?

I understand the ticket distribution in the Kerberos process but something I have always been confused about is what exactly uses Kerberos. Also why are there still things requiring NTLM if Kerberos is the standard? I am assuming when I sign in to my computer on the domain that is LDAP so when would I be using Kerberos or NTLM?

Touch here for the full post on Network Security Noblemen tumblr

What tools and technologies do you use in your workplace to check if files, websites and apps are secure?

Hi,

In my current job within the security department, I have to vet files, websites, applications and Android apps from time-to-time to ensure that they are secure.

I mostly use my own judgement and take a view on permissions and whether it is open source.

I generally use these websites and tools to help:

Would be really interested to know what other tools and tech you guys use.

Thanks

Touch here for the full post on Network Security Noblemen tumblr

Career in Information Security & Compliance

Hello,
I currently work as a Data Analyst, but I've been offered a job (or at least a job interview) for a position called "Information Security / Compliance Analyst". From what I understand from the job posting it's not a technical role at all (which I like) but it's more about mitigating risks, audits, making sure people comply to all regulations and act in a compliant way, etc.
Also, they apparently don't require certification or much experience in the field (which I also don't have). However, I can see myself working in that field, since I'm not very interested in the field I'm currently working in.
My question now is: is such a non-technical Information Security role a viable career option and what will the future for these positions most likely look like? Are there lots of open positions in this field? Or are most of them rather technical?
Happy for any input regarding this decision.

Thank you!

Touch here for the full post on Network Security Noblemen tumblr

Is there any way to download Cobalt Strike from the command line?

Background: we are trying to automate the deployment of our teamservers on Cobalt Strike. However, I don't see any way to download the installation files from the command line. The browser goes through several steps like putting in the license key and agreeing to ToS and hitting the link to the file directly with wget doesn't work. Is there any easy way to do it? Or am I just going to have to reverse engineer the requests the browser sends?

Touch here for the full post on Network Security Noblemen tumblr

Data Breach liability

Hi all,

I work in IT and today discovered a hole in our data centres network. We are on a managed IT environment and connect to Citrix VM's hosted by the data centre. Essentially I found a way to enter a directory path that should have been restricted. This means that our company's data and other clients of the data centre's data were exposed and I was able to see it. Some of the data is highly sensitive.

My boss asked me to document what had happened along with screenshots to prove that sensitive data was exposed. We then sent this to the data centre. They have now come back and said that I could be legally liable for this, if they have to report it. I haven't tampered, or used it maliciously in any sense.

Are they just trying to spook me because they don't want to disclose that a breach had occurred?

Thanks

Touch here for the full post on Network Security Noblemen tumblr

MFA authentication to O365 – road warriors users without mobile phone. Which secure solution?

Hello, we are deploying O365 in my company (teams, sharepoint, exchange online, office suite). In order to connect outside our network (road warriors), we ve implemented MFA with MS authenticator and OTP with SMS. Some users use their professional phones, others their personal one to make this second factor authentication…but some do not have professional phones AND don't want to use their personal ones for privacy. Giving them hard token is an issue for us as it s difficult to manage for logistics and support. We are thinking about soft tokens in the PC itself. Do you think it is secure enough? What are the solutions for soft token in a PC? What is the risk ? If there is a keylogger in the PC, even if the attacker is getting the password and the PIN for the soft token, how he can use it in another PC as the soft token was enrolled only in the first machine ?

Thanks a lot for your help !!!! It s quite urgent.

Touch here for the full post on Network Security Noblemen tumblr

Decoding Net-NTLMv2 blob?

More a curiosity question. Let's take as an example the hash on this page:

https://0xdf.gitlab.io/2019/01/13/getting-net-ntlm-hases-from-windows.html

Which is:

Administrator::WIN-487IMQOIA8E:997b18cc61099ba2:3CC46296B0CCFC7A231D918AE1DAE521:0101000000000000B09B51939BA6D40140C54ED46AD58E890000000002000E004E004F004D00410054004300480001000A0053004D0042003100320004000A0053004D0042003100320003000A0053004D0042003100320005000A0053004D0042003100320008003000300000000000000000000000003000004289286EDA193B087E214F3E16E2BE88FEC5D9FF73197456C9A6861FF5B5D3330000000000000000 

That last field is described as being a blob including the time and various other information used to generate the hash in the field before it.

I've been all over the Internet for parsers but everyone seems to care a lot more about just hashing it to crack passwords. Can it be decoded?

Touch here for the full post on Network Security Noblemen tumblr

Is XSS still possible within websites that use Angular

hello everyone

I am really confuse about XSS

is websites that use angular in frontend and calls API via json data – still vulnerable to XSS attacks? or is it became irrelevant due to AOT angular and other feature that angular use.

I know that there are reflected XSS which deepened on the backend code not the front end side but i see that angular guys are confident that there products had became invincible.

Touch here for the full post on Network Security Noblemen tumblr