518 posts • joined 25 Apr 2008
Ahh the ignorance.
It's amazing how many people don't understand how Russia works.
If you're a citizen or a company in Russia, and the government asks you to do something; don't consider it 'asking'. Consider it as an order; or find yourself out of business.
Russia is also known for embedding agents in companies to conduct covert acts. This has been proven.
Finally, we also know Kaspersky products were copying files and sending them home. This is unacceptable. Yes, I heard their excuse on this... and of course I don't believe it.
Sure, Kaspersky labs has done a lot of good things for cyber security, but we all understand what a wolf in sheep's clothing is. Even the Mob built schools, parks, etc. for the local communities.
Let your heart bleed all it wants, but there are now at least 5 different independent reviews of the application which determined this is a dangerous product.
Kaspersky would be wise to let this go. Although Russians don't fully understand the concept of 'free choice', they should understand... the more people hear about this, the less likely the general public will purchase their product.
Laughing!! !! !!
What a small fine considering the damage.
From a risk management perspective, it's cheaper to receive a fine from the EU than it is to integrate defense-in-depth measures on your commercial systems.
GDPR is great, but it still doesn't put enough responsibility on cloud service providers or 3rd party application vendors. You know, those with the most expertise who employ the least amount of people.
It's one of those political things which sounds good, but if you send enough money to us in Brussels, we'll ensure your fine isn't damaging; and we'll put the blame on the regular joe type company which employs 80% of the population.
I still don't get why the EU is still together. Sure, it makes a boat load of money for the elite and wealthy, but the average individual gets hosed over many times. Whenever rich and powerful people are for something... the rest of us should be very scared.
This so called study is hogwash.
It's not a study, it's an opinionated observation. There are so many things left out and unobserved that to call this a study is an insult to anyone who is educated.
People do what they do based on opportunity, knowledge of something and whether or not it's 'cool' vs responsibility/irresponsibility.
In the 70s kids did one thing, in the 80s another and so on. To attribute it to one main thing or another is ridiculous.
Also, these horrible tragedies whether they involve kids, college campuses, alley ways, belt ways, etc. have been going on for many decades. The only thing which changes is the number of people who are made aware of it.
Today, EVERYTHING makes national if not international news. The Watts riots in the 60s didn't make the news in London, and its significance didn't even make it to Orlando. Today, it would be an entirely different story.
...and then there of course is ignorance. What people are told, because it's easy to sell them on... or it's what they've been led to believe. Especially if they don't have any idea at all. Such as the right to own firearms. There is no 'gun culture' in America the way people are led to believe it in Europe. Gun use comes down to the same thing nearly everything else does... responsibility or irresponsibility which is mainly placed on us by our community. Not a video game, music, etc.
This is why INFOSEC people shouldn't work directly with insurance companies.
This is something which should be handled by the legal department and the chief of risk management.
With the CISO providing input and technical advice.
An insurance company is still at heart a business. It's going to get away with and profit from anything no matter what. So if you let them get away with being vague, it's on you. Don't expect an insurance company to be light hearted and friendly... no matter how heart wrenching their commercials are.
Everything is risk management and cost benefit throughout the company and the insurance underwriter.
As an InfoSec professional, you need to understand your limitations.
Also, you're wrong about small companies having short attention spans. I guess we know you've never been an executive or even a manager at one.
I'm sure his sentence was lightened quite a bit since he pleaded guilty. If he was found guilty in court, he likely would have received 15 years. This is federal court, so there is no early release or early parole. He'll serve the entire 5 years then be sent back to Canada... who then, will likely boot him out of their country.
It's the USA.
Nobody has to buy anything they don't want to. This includes the US Government.
A company has the right to create/enforce policy. Even the US Government.
Individuals, unions, corporations have the right to endorse or refuse products. As long as it isn't because of race, religion, etc.
Then let's look at Russia.
Not exactly the best track record with spyware--although, this goes for most countries.
Doesn't allow a lot of British, American, Australian applications/devices.
Known for forcing companies to do its bidding or face ... well, anything up to death.
Known for placing FSB operatives in software companies, to covertly code in backdoors, etc. to allow the Russian government access without the corporation's knowledge.
Has been caught attempting to plant FSB agents, or using FSB agents to coerce/pay off employees to code in backdoors, scrape email, etc. Remember YAHOO! email?
Russia doesn't quite understand the concept of freedom of choice.
For the Trump haters: Yeah, everyone gets it. He's an ass. But consider what this makes you, if you're blinded by hatred... and you can't objectively provide comments without bashing someone. Besides, you'll stroke out if you don't relax a bit. Also understand, Trump only runs 1/3rd of the US government. He doesn't control it all. Even then, he can't do anything he wants; read the 2nd amendment.
Re: Yank Culture Issues
Apparently you like to comment without researching the entire facts.
The police didn't just shoot him when he walked out the door and there was resistance--likely based on the fact he wasn't exactly an innocent in the eyes of the law. Might want to find out why he was resisting and not following directions.
Re: The attack can only be partially mitigated
I call BS on your claim of being a security researcher.
Exploiting the virtual NIC. Do you understand the concept of targeting the resources in memory? If you did, you'd laugh at what you are saying.
Also, this isn't an attack, per se. It's a peep hole which isn't plugged.
This is what happens when you hire individuals to do information security and networking with nothing but a bit of schooling behind them.
I also pin this on management, who obviously do not have proper change management + testing policies and procedures being enforced.
Wow, really people; where is the common sense?
Resetting to factory default FIRST REMOVES THE MALWARE which may exist on your appliance. No patch in the world works against firmware if the malware is allowed to stay.
Then update to the latest version, and apply the new patch when it's released.
Stop whining. Doing this takes approximately 5 to 10 minutes.
The numbers aren't due to satisfaction among developers, but rather vendor lock in (unable to get out of the contract) and longer required contracts.
There is no doubt Lambda has its good characteristics, but let's not go crazy with numbers yet.
Remember, you lose control of the environment when moving to Lambda and you don't have nice easy calls. Don't forget, you get charged for each of these calls (this is Amazon). So if you use this for a web app, and there are a lot of customers using it... be ready!
Don't forget all the features aren't well documented. This can be a nightmare for your security analysts. Especially when they want to go through errors. Wait, how does Amazon provide you with error information? HAHAHA. They don't want you to know the problem is on their end, not yours!
So before jumping into Lambda, you may want to do some in-depth research, and try it for at least 10-12 months before committing a large portion of one of your dev teams to it.
To be expected...
This is England... where everyone is on video all the time.
Rumor has it, if you are captured on video not watching the royal wedding festivities, you will be placed on the terror watch list. There is an exemption for those who were on a cricket pitch.
Not only is facial recognition being done, but they are also using software which does lip reading.
So those who appear to be pro-Brexit will also be put on a permanent watch list. Due to the limited amount of software licenses for this, it will only be used on cameras in middle to lower income areas.
Rich, elitists everywhere are exempt from any sort of camera spying technology, as long as they are against Brexit--which of course, most are.
Remember the large sunglasses used in the 1970s? Anticipate a widespread return. Soon, many in England may begin to wear burkas.
Re: Check for the undeclared payments between the JEDI contractors and dump.org
Apparently, as a businessman, you don't do proper research. There are plenty of reasons Microsoft has a leg up on everyone else.
1- Microsoft works well with the US Gov't. In comparison to other vendors, they don't attempt to add/change anything in an attempt to renegotiate contracts or milk extra money. Amazon's MO is to offer you just a bit more of something you must have, at a huge increase in cost. You should know this... "mr. real" businessman. *eye roll*
2- Amazon already has the internal search engine contract. Has had this, will continue to have this. So stop it with the Amazon whine.
3- Microsoft's technology tends to be compatible with many other products -- unlike Amazon, Oracle, etc. Decreasing the chances of vendor lock in.
4- Microsoft met FEDRAMP guidelines earlier than most other vendors; primarily because they didn't put up a fight against the stringent security requirements. *cough* Amazon bitched the whole way.
...and you think the gov't has no real businessmen? True in some instances, but it's a lot better now than it was 2-5 years ago.
I'm betting you are one of the elitist jerk contractors who was recently fired because someone figured out you didn't understand the importance of attention to detail and research.
Don't worry... Oracle is always looking for your type of 'real businessman'.
...I can go on. But it just goes to show, how many people 'jump' to conclusions, and pass on the rhetoric of others without having the capacity to critically think.
Being drunk or under the influence of anything DOES NOT provide an excuse to commit a crime. If this was the case, DUI wouldn't be a crime.
Not all evidence acquired after arrest requires waiving Miranda. There are cases where it's been proven Miranda wasn't provided after arrest, but evidence collected after the arrest was still allowed.
It depends. For instance, if it was from direct interrogation, it likely isn't going to be allowed, but if it was a recorded call or conversation to a friend... it likely will be allowed. Not to mention, the friend will likely be called as a witness against the defendant.
Imagine the rock the defendant put his friend under.
Re: Signed a Miranda waiver form after being read his rights
They don't have to record the signing of Miranda.
Apparently he was coherent enough to remember someone's phone number, use a pay phone and conduct a collect call; yet too incoherent to understand Miranda... right--get real.
I'm sure if you were one of the individuals who lost their life savings because of malware he assisted in creating, you'd look at this a bit differently. Hopefully, you never have to find out.
Apparently, if you make crowbars and a crook uses it, you're liable.
Obama era judges. They take a whole different approach to the 4th and 5th amendments. It will take years before many of them are out of the system.
I get the wire fraud charge, but this is the only one which makes sense. The other two just don't make sense, unless they can, without a doubt, prove the intent was only for use by criminals and not security research and/or academia.
Re: 'White House was going to do away with its cyber security advisor role'
Getting rid of the White House cyber czar is a good thing.
repeat: IT'S A GOOD THING.
1- It cuts down on the number of layers and red tape to get something accomplished
2- It provides power, decision and policy making to someone who is actually skilled in cyber security.
3- Saves $20 million per year.
4- Cyber Security is now added to the daily security brief from the NSA. Allowing POTUS to interject on info security if needed.
Just more left wing lunacy -- taking something good, then spinning it to make it look like something else.
I seem to remember a US government contractor who took classified files home to work on them... and Kaspersky code identified these files, scraped the entire file and uploaded them onto their databases. Then "somehow", these same files made their way to a covert Russian system.
Coincidence?? LOL NOT likely.
So maybe you don't care if Russia steals your game strategies, but many people put a lot of hard work into something and then store this on their private systems. I don't want a lot of the things I work hard on stolen by anyone.
Really... feel sorry for Kaspersky? What are you, 9 years old? Unable to critically think for yourself, so you buy into anything a false victim says; because we all know... companies never lie.
Kaspersky will be just fine. They don't need NATO governments to make a profit. No brainer here, really.
...and I just love how you empathize with a corporation from a country which does some pretty messed up crap to their own citizens. Your empathy should be more focused on these victims.
This is another one of these bills introduced to bring everyone who is up for re-election this year to get on board knowing those senators who aren't up for re-election for another 2 and 4 years will vote against it... so they will keep their power.
...in short, it's a publicity stunt for politicians.
Let's get real, a government, no matter which country, isn't going to give up power it already has.
Negligence outweighs intent
Without a doubt, whether you intend to or not, using a laser can result in eye damage and loss of life. Therefore, the individual with the laser must be held responsible during its use.
A hunter may intend on shooting elk or some other game animal, but if the bullet goes through the animal (or misses) and the bullet continues to travel and hits a dairy cow or a person... the hunter is held responsible.
Intent provides the level of prosecution and penalty, but it DOES NOT absolve responsibility, nor does it diminish negligence.
Risk can be considered in the law as a preventative measure. For instance, it can become illegal to use laser pointers outdoors for any reason, within 3 miles of an airport without permit.
Re: Smart streetlight? FFS, why?
Thank you for opening your mouth, and removing all doubt.
Smart street lights can do more than turn on or off.
They can also:
- Alert to electrical/mechanical problems (light will not come on for some reason)
- Change the color of the light (for celebrations, holidays, etc.)
- Be used to repeat other radio signals
- Provide outlets etc. for items such as cameras and signs
- Yada yada.
Now, guess what we're all thinking about you.
Do you ever notice, after someone provides a decent explanation on something, 20 other people have to give their 2 cents worth; because of course, they're smarter than everyone else... BUT the explanations of these people get gradually worse until someone starts blurting out something which is offline from the original point.
Remember, it's better to have people think you may be an idiot, than to open your mouth and remove all doubt.
Yes, I'd rather do all of this. It's known as:
- Being forward thinking
- Someone who isn't going to support poor business practices
- Taking care of my financial future and my family
- Oh, and this will strike at the heart of many snowflakes... NOT BEING LAZY.
Taking several hours out of my life to deal with switching banks will likely save me many days of headaches and late payment fees in the future.
Anyone who isn't willing to do this, only perpetuates poor business practices. Someday, this is likely going to bite you in the backside.
Finally... when all this is over, TSB is going to look for ways to cut costs to cover the large expense this muck-up is costing them. It doesn't take a world class seer to figure out how the effects will eventually fall back onto the customer.
A $5 billion company is fined only 35 million for failing to notify investors. Not much of a fine.
This fine comes out to 0.07% of the company's value.
This isn't a fine, it's a punch-line.
Re: Why not scan properly?
[Insert here, why you'd toot your own horn and bring attention to your 'apparent' knowledge of grammar on an InfoSec site]
I imagine you berate children who make mistakes in order to display your superiority.
You really need to get over yourself.
Re: Another Perspective....
Autistic my ass, and it irritates me beyond belief his defense paid off some 'expert' to provide this opinion. It demeans and sheds a bad light on those who are truly autistic; as if autistic children are one look away from doing criminal acts.
All the court did with this light sentence is affirm such thinking, and displays the judge's ignorance and laziness to actually do some minor research.
An autistic teenager wouldn't attempt to make contact and leave messages. Doing so is a display of authority, and a willingness to abuse this authority. Entirely different from someone who cannot comprehend right from wrong.
Among the worst vendors from a security standpoint.
Oracle manages to ensure their customers pay them to increase the number of vulnerabilities on their own network.
Laws and Lessons
There is little doubt what he did was against the law. Just because a web site is poorly secured or coded doesn't provide an excuse to gain access to information stored on the system. The application provided "some" controls around access and he used a tool to circumvent these.
If I used a common tool to eavesdrop on your communications (MitM attack), this doesn't make it okay; even if the communications were done using public equipment and you didn't employ encryption.
The question isn't about whether he broke the law. He did. There are a lot of things in life I didn't mean to do, but I was still held responsible for them. Starting when I was 11 and broke a window with a baseball.
The questions now revolve around intent as well as damages. He stated he wanted to download government documents, but to do what (exactly) with the information? What damage was done with the information he did gather? Did he send it off to others?
It will take some investigating to determine all of this, and we don't yet have the entire story.
Oracle... don't make me laugh
Oracle... the worst vendor in the world from an InfoSec perspective, and yet they want to provide their 2 cents worth. BTW Oracle, this decision makes fantastic sense.
- This is a private cloud system. So you want to manage it differently.
- Looking for one vendor only DOES spur competition. The best deal wins. Taxpayers like this.
- Choosing multiple vendors allows them to increase prices incrementally together. The costs will mainly be fixed, and the format will be such that, at the end of the contract, the DoD isn't subject to vendor lock in.
- One vendor means simplicity. Don't have to send personnel to a variety of vendor training courses. Again, great for the tax payer.
- One solution makes it much easier for patching and maintenance.
- One solution makes it easier to secure. MUCH easier to secure.
There is more, but you get the point.
Oracle obviously isn't looking out for the tax payer or the security of DoD cloud data. It's only out for its own bottom line.
Oracle, get your security together before you start telling others how silly their ideas and solutions are.
Stop blaming developers for poor policy
Developers ARE accountable in one form or another. This comes down to policies and procedures laid out by management.
I've said this a few times on this forum. As an information security professional, you better first point the finger at yourself; because it's likely your risk assessment is the point of failure.
Code review and penetration testing the application is vital to risk assessment. If you fail to point out vulnerabilities and their effects (costs) due to bad development policies/procedures, then the fault is on you.
Risk assessment is the foundation of InfoSec. If all you do is look for vulnerabilities, you will be very frustrated at your job, wondering why things are done the way they are (where you work).
Re: "blurring the boundaries between criminal and state activity"
There is a HUGE difference between stuxnet and what Russia is doing.
Stuxnet's purpose (arguably) was to delay a dangerous nation state from creating a very dangerous product.
Russia's purpose is to denigrate democracy as a whole. To attack and steal from other nation states, corporations and individuals. Not to mention take the lives of anyone who opposes what they are doing.
Don't confuse the tool with how it's used.
You're smart enough to critically think through something without throwing your politics into it. Start doing so. You'll find your whole view on the world will change... and I don't mean politically.
Thank you for the obvious. There is one thing, you have to compare the benefits of selecting this over other cloud services, not compare it to on-prem solutions; as you point out.
This solution is based purely on the storage of data. It doesn't include movement of data, security, encryption, etc... all which of course will cost more, and you can bet they will increase these prices.
Remember, access can include adding more data, not just pulling.
This solution is purely archival in nature. For instance, regulation states you need to keep documents for 5+ years. So you keep it for one year on another cloud or on-prem solution, and the rest of the duration on a solution such as this.
Don't you love...
3 people are critically hurt. Instead of focusing on these individuals and their families... everyone wants to provide their political opinion.
This isn't the time for your opinion. The fact you give one without focusing on those who are hurt only proves your heart and brain aren't where they should be. ...and you want the rest of us to believe you have the wisdom and foresight to provide an answer? ...get real.
Re: So since Intel have now confirmed that they are unwilling to fix...
Another way to get a lot of down votes is to point out 2nd and 3rd order effects people don't want to hear.
Sure, Intel can put a lot of resources into fixing 8+ year old chips, which are probably used by less than 3% of the market... but doing so will likely stop Intel from providing good raises or other benefits for its employees, and/or raise the cost of the next computer you purchase by a couple of hundred dollars.
As security professionals, you should all understand and identify risk management based decisions; and be intelligent enough to understand it. This is done by all corporations all the time. Including the one you work for.
Too quick to judge on phishing
Those of us who are penetration testers aren't shocked by the number of individuals who fall victim to phishing. With moderate training, a 20% rate is right at the norm with a medium complexity phishing email.
Depending on how the mail is formatted, you can get a much higher rate.
Don't judge too harshly. At work, it's quite likely I can send you a phishing email you'd click on or open an attachment. If I catch you at a very busy time, and get everything on the mail just right to entice you or to fortunately provide information you're working on... you'd fall victim.
It's about the complexity of the phishing email. Shockingly, you find those age 20-30 will fall victim in higher numbers than those over 30 or even those over 50 years of age.
Younger individuals are easier to catch with a phishing email which is "mistakenly" sent to them and contains an attachment with what appears to be confidential information. The younger you are, the more likely you will give in to your curiosity over security.
More of the same
So apps are mining Facebook... if you didn't figure out this was happening, then you really have no business using a computer. If you input anything which is then stored in the cloud, you better understand, somebody somewhere is going to leak, mine or hack your information.
When it comes to the majority of data points... these are already being gathered in by credit agencies, credit card companies, mortgage companies and data services such as INFOGROUP.
They trade this information and sell it out. Make/model cars you've purchased, where you purchase/shop, what brand/model of washer/dryer you purchase, if you voted, mail ads you respond to, type of deodorant you use, etc. You use a credit card, look how detailed the information on your receipt is. Credit card and retail outlets just sell out everything you do.
Even local governments sell out information, such as whether or not you showed up to vote and what dates you voted... i.e. do you show up to vote for more than just national elections? How often have the cops been called to your house? What upgrades you've done to your property, etc.
Until we can vote in people who will not sell out to the corporate data miners and sellers, and will clamp down on the amount of data which can be collected, stored and sold... this will remain a problem everyone should be aware of.
Take that, com-raid: US Treasury slaps financial sanctions on Russians for cyber-shenanigans, 2016 election meddling
The odd thing is
We're finding out it wasn't Trump working with the Russians, but rather it was the Democratic party.
While Russia meddled with the elections, it didn't really impact it.
Also, it appears they didn't necessarily do it on their own accord; we're starting to see the Democratic party provided a conduit to do so.
With this coming to light, I don't expect to see the USA do much about this when it comes to offensive cyber ops.
FYI: There's a cop tool called GrayKey that force unlocks iPhones. Let's hope it doesn't fall into the wrong hands!
Okay, why is there shock here?
A phone isn't a vault located in a military bunker. Phones should be looked at as the last place you keep sensitive information.
It's long been known, if someone gains physical control to your computer/device, etc... then they own it.
If not by using some 'secret killing box', then by another method.
So if you're a criminal conducting incriminating actions via your phone... don't be shocked if law enforcement uses it against you.
If you keep GPS active along with other 'features' active on your phone, don't be shocked when Google records your every move, puts the information into a database and then sells this information to Equifax; who then loses it when their database is breached. You chose to accept the risk. A phone shouldn't be looked at as being a secure safety deposit box located at Fort Knox.
You're InfoSec professionals. You're smart enough to look at this from the correct perspective of risk management. Don't get caught up in the emotion of this. Don't let the press or politicians twist your thinking. Keep your perspective true and remember, nothing is hack proof. So the loss or misuse of a box isn't any worse than someone not correctly securing information.
People will never collect SAMBA alerts, because there will always be a high number of them.
Samba is to network services as Flash is to web services. A different solution should have been implemented YEARS ago. You can put brand new siding on a sod house and make it look better, but it's still the same old pig with lipstick. Eventually, something will take advantage of the weak underlying architecture.
Nothing new here, move on.
You can be from England, Russia, China, USA, Zaire, etc. One thing all have in common is a hate for traitors. You think England hasn't knocked off a few traitors in other countries?
Publicly England will beat its chest, threaten some sanction, expel diplomats etc.
Behind the scenes they'll move on as if they expected it.
Do you really think it's good for England to go to war over a turn-coat Russian? Wake up.
Do you think Russia will go to war over the suspicious death of Ed Snowden? Hardly think so.
They'd beat their chest, rattle saber, wag a finger, etc.
Realistically they'd probably wonder what took so long.
Re: Jurijs Martisevs
Yes, because nobody ever names their child with a name originating from another country.
...where do these people come from?
Re: Which country was banned from the 2018 Winter Olympics?
What a fantastically brave conclusion.
...don't forget to stop by the hospital pharmacy and pick up some epi-pens along with other anti-toxins.
Re: I don't think computers work the way you think they do.
Thank you for your post, but it seems you don't know a lot about development.
You can't just cut/paste from a binary. Especially when using a different dev environment.
Yes it's difficult to find out who is behind attacks.
It's not difficult though, to hire experienced InfoSec professionals and support them adequately to provide a sufficient defense in depth architecture, patch management and monitoring to ensure it's difficult to get in, and just as difficult to get data out.
Since it is so difficult to identify hackers, you may want to keep this in mind when it comes to your risk management. Can I get a palm thump to the head?
Re: "If the user tries to stop the process, the computer system reboots."
Isn't it a bit funny when an ignorant Windows user feels the need to be noticed, that they actually post and rave about how bad Windows is? :)
One day my friend, you'll become knowledgeable and experienced; then realize how bad ALL operating systems are.
Be careful about calling the kettle black.
Re: It's the future given the eagerness of TLA's to spy on people.
By itself, it doesn't keep anyone from 'spying' on you or intercepting and attacking the encryption.
HE is about not having to decrypt the data in-transit and then re-encrypting; like when data is passed through perimeter security devices. Or when data is stored at rest, an application doesn't have to decrypt the data before processing it.
You still have to maintain a small modulus to noise ratio (in the key-switching matrices) and manage the field for security.
Switching to low-dimensional fields speeds up the homomorphic process at the cost of security/increased risk. Something we are all familiar with already. We can switch from TLS to SSL, but we also increase risk.
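As an added example (not from this post or from The Register), a toy LWE-style scheme in Python that illustrates the noise-versus-modulus constraint the post alludes to: ciphertexts can be added without ever decrypting them, but the accumulated noise must stay below q/4 or the result decrypts wrongly. All parameters here are constructed for illustration and are far too small to be secure; the function and parameter names are my own.

```python
"""Toy LWE-style symmetric encryption with homomorphic XOR (addition mod 2).

Constructed for illustration only: parameters are far too small to be secure.
Shows why the modulus q must stay large relative to the accumulated noise:
decryption is correct only while |total noise| < q/4.
"""
import random
from typing import List, Optional, Tuple

Ciphertext = Tuple[List[int], int]  # (a vector, b scalar), both mod q


def keygen(n: int, q: int, rng: random.Random) -> List[int]:
    """Secret key: uniform vector in Z_q^n."""
    return [rng.randrange(q) for _ in range(n)]


def inner(a: List[int], s: List[int], q: int) -> int:
    return sum(x * y for x, y in zip(a, s)) % q


def encrypt(bit: int, sk: List[int], q: int, rng: random.Random,
            noise: Optional[int] = None, noise_bound: int = 4) -> Ciphertext:
    """b = <a, s> + e + bit * floor(q/2)  (mod q).

    `noise` fixes e deterministically (used below to build a worst case);
    otherwise e is drawn uniformly from [-noise_bound, noise_bound].
    """
    a = [rng.randrange(q) for _ in sk]
    e = noise if noise is not None else rng.randint(-noise_bound, noise_bound)
    b = (inner(a, sk, q) + e + bit * (q // 2)) % q
    return (a, b)


def add(c1: Ciphertext, c2: Ciphertext, q: int) -> Ciphertext:
    """Homomorphic addition: plaintext bits XOR, noise terms add."""
    a = [(x + y) % q for x, y in zip(c1[0], c2[0])]
    return (a, (c1[1] + c2[1]) % q)


def centered(x: int, q: int) -> int:
    """Map x to its representative in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def decrypt(c: Ciphertext, sk: List[int], q: int) -> int:
    """Strip <a, s>; what remains is e + bit*q/2. Round to nearest of {0, q/2}."""
    a, b = c
    phase = centered(b - inner(a, sk, q), q)
    return 1 if abs(phase) > q // 4 else 0


def residual_noise(c: Ciphertext, sk: List[int], q: int, bit: int) -> int:
    """Noise left in c given the true plaintext bit (what decrypt must tolerate)."""
    a, b = c
    return centered(b - inner(a, sk, q) - bit * (q // 2), q)


def homomorphic_xor(bits: List[int], q: int, noise_bound: int, n: int = 8,
                    seed: int = 1) -> Tuple[int, int, int]:
    """Encrypt each bit, sum the ciphertexts, decrypt once.

    Returns (expected XOR, decrypted XOR, |residual noise|). Since every
    |e| <= noise_bound, the result is guaranteed correct whenever
    len(bits) * noise_bound < q // 4.
    """
    rng = random.Random(seed)
    sk = keygen(n, q, rng)
    acc = encrypt(bits[0], sk, q, rng, noise_bound=noise_bound)
    for bit in bits[1:]:
        acc = add(acc, encrypt(bit, sk, q, rng, noise_bound=noise_bound), q)
    expected = sum(bits) % 2
    return expected, decrypt(acc, sk, q), abs(residual_noise(acc, sk, q, expected))


def worst_case_overflow(q: int, noise: int, count: int, n: int = 8,
                        seed: int = 1) -> Tuple[int, int]:
    """Add `count` encryptions of 0 that each carry noise exactly +noise.

    Total noise is count*noise; once it exceeds q/4 the ciphertext of 0
    decrypts as 1. Returns (true XOR, decrypted value).
    """
    rng = random.Random(seed)
    sk = keygen(n, q, rng)
    acc = encrypt(0, sk, q, rng, noise=noise)
    for _ in range(count - 1):
        acc = add(acc, encrypt(0, sk, q, rng, noise=noise), q)
    return 0, decrypt(acc, sk, q)


if __name__ == "__main__":
    # 120 additions with q = 2^16: noise <= 960 < 16384, so still correct.
    print(homomorphic_xor([1, 0, 1, 1, 0, 1] * 20, q=2 ** 16, noise_bound=8))
    # q = 64 and three noise-8 ciphertexts: 24 > 16, so 0 decrypts as 1.
    print(worst_case_overflow(q=64, noise=8, count=3))
```

Shrinking q (the post's "low-dimensional fields" trade-off) lowers the number of homomorphic operations that fit in the noise budget, which is the correctness side of the modulus-to-noise ratio the post mentions.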
When pen testing and doing code review, you'll occasionally run across hard coded passwords. They are usually left there from testing, weren't documented, and therefore weren't removed.
Still, you bring up a good point about this happening in recent years. Because of the availability of development environment OWASP plugins along with much improved (over the past 5-10 years) static code checking software, we shouldn't see something like this from a large company like Cisco.
Well, no worries about BREXIT
Who cares about brexit anymore? Since China is buying up more UK companies every year, it will soon become part of the red giant. Soon, learning Mandarin will be compulsory in every UK school.
Look at the bright side... it will no longer be part of the 5 eyes community.