568 posts • joined 25 Apr 2008
Sorry for the misunderstanding
The NSA doesn't actively practice hacking systems in the USA.
We turn this over to the FBI and let them do it. We only get involved when these twits can't figure it out.
It's impossible to break into. We haven't found a way in so we gave up.
The protocol is different, but the cipher suites and certs are still the same.
We'll never be able to crack this.
BWah ha ha ha ha.
Psst. Think everyone will buy this?
Then there are other unreported vulns
As a penetration tester for a large company, it's my job to test all applications before they are certified on our networks. This includes internally developed, as well as COTS apps.
Probably more than 60% of the time, I find vulnerabilities for the vendor to fix. Around 10-20% of the time, it's a critical vulnerability (remote and easy to do). Each time, I noticed they NEVER publish the vulnerability. They just add the fix quietly into their next "update". No mention of what we find at all.
So why don't we say something out loud? Because most software vendors/companies have items in their commercial EULAs which amount to a non-disclosure agreement. Getting on a bulletin board, twitter, etc. will put the company you work for--and your job--in jeopardy; so unfortunately this isn't an option.
So if you're a network engineer, be aware of this factor and use it to budget better security equipment to mitigate this fact. Especially with external-facing web applications.
I have to ask...
Since Oracle has a horrible reputation of fixing patches--not to mention the high number of EASY exploits; why are you still using this database, and/or any application requiring Oracle Java?
Fortunately, the two companies I've worked for in the past five years have both pretty much phased all Oracle products out--including Java based web apps. Not to mention, getting rid of applications which embed Oracle into their products. Such as Symantec DLP.
We were hoping it would take some time before people figure this out.
Now we have to get good at bypassing home physical security systems again.
Anyone who believes you can simply kick out a fix for something in a few days is ignorant about the process... and a moron for not taking the time to learn a bit more about it.
First off... nearly anytime you increase security--albeit slightly--you impact usability. Therefore, it must be tested by security and users. Many times, it must be tested against a load of different software to ensure it doesn't negatively impact them.
Just like chess, when you move a piece to strengthen your position, you also create a weakness because you're no longer defending areas where you once were.
So... the entire operation, usability, security, etc. must be checked, attacked, worked with etc. Sometimes, it isn't fixed during the first iteration, so it must be done over.
This does take some time. If you think you can do better, and teach people something they don't know... then by all means, step up and jump froggy jump! It's easy to be a beotch and complain about something, when you're a moron.
Sometimes it's better to keep your mouth shut and let people think you're an idiot, than to open it up and remove all doubt.
Where have you been?
This isn't a new technique. We've been using it for a while.
Keep politics out
I don't care which side you belong to. I don't want to see any political activities at a Info Sec conference. I even hate the morons on both sides, who want to interject it on this site.
They only display how hateful and small minded they are; most only repeat what they've heard, and not what they objectively know from doing their own work. If they did, they'd see both sides are moronic liars, who only say things to get your vote and do their best to trash anyone who opposes them.
So.. it's the same ole crap from both sides. Use your brain power for something else, and keep the political thoughts away from security sites and conferences.
This has been known by most of the major countries in the world since at least the mid 80s. It's one of the reason there is shielded conduit and tempest solutions, even when the transmission is encrypted.
If 18 or 22 years of age is too young to be held responsible for poor decisions, then we really need to raise the age for voting, drinking, driving, flying aircraft, etc. They weren't 12 to 14, so young my azz.
Sure it wasn't violent... which is why you give them 1 or 2 years instead of 5-20 years.
If they stole money from you, and you weren't able to feed your kids or make rent... you might think a bit differently. A lot of people live paycheck to paycheck. Losing 500 euros can really hit a family hard and cause undue stress... for a lot longer than 240 hours.
I think the judges have lost touch with what it is like for the majority of people. Those who don't make 300K plus euros per year.
Apparently, you think JLR should monitor all their vehicles and somehow know when they are sold off?
Of course not. But you do have to think of the process... and bump it up against a few things.
It's the typical security see-saw balance of usability versus security.
Make it too easy, then an auto thief can easily make changes so you can't track the car.
Make it too hard, then the owner gets upset.
Like any new technology where security is involved, it takes a bit for a good balance to be struck. So in the mean time, don't get too pissy about the situation. Instead, work to find a balanced solution. This is what security professionals are supposed to do.
Re: Oh, we "customers" or "products" always pay
Apparently you don't understand economics.
If a company is fined and you believe they are going to raise prices because of this... then go elsewhere. Typically though, companies don't raise their prices; stockholders end up taking the biggest hit. Some may go into not paying raises/bonuses to employees. This is why fines can be successful in ending bad behavior.
Where the money goes? ...this depends. Typically there is some sort of general fund it goes into and then those in charge figure out what to do with this. Sometimes the money here goes for good things, like new bridges or other infrastructure projects. Like in Germany, it will likely pay for a pipeline to Russia.
The USA doesn't like the government interfering in business policy. You know, this whole freedom and liberty idea. The only real exception is health and welfare of the public/customers.
When it comes to this case, most people in the USA think it's moronic, and just a way for a government to screw over a company and the company's work force. In other words, a way to make politicians rich at the expense of employee raises and benefits.
Are people in Europe so stupid they wouldn't know how to download and install another browser; or another application and not use what is already installed? Of course not. Further, Android doesn't prevent the user from doing this. Can you imagine purchasing a new phone and there is no browser at all on it? C'mon. Do you really expect them to just install a competitor application? ...or some plain label and insecure browser? Common sense needs to be used.
Try doing this away from SFO
One of these days, they are going to start doing things away from the bay area.
San Fran has become a crap hole lately, especially in the downtown area. I wouldn't attend a conference there again if they paid for the entire trip.
I'd rather deal with the crowd in Las Vegas or traffic in Chicago than to put up with the smell and sights of downtown San Francisco.
Raise your hand...
If anyone is shocked Oracle had this problem.
...take the walk of shame if you're still using Oracle products. This includes the whacky Symantec products (Like DLP) which build it into the application.
This is a lot more common than most people think. The reason is pretty simple for corporations who don't use experienced penetration testers and rely on application and web scanning tools: findings from these scanning tools typically rate HSTS and other "header" misconfigurations as "LOW". Because of this, the risk is typically accepted or placed deep in the queue to be fixed.
For those who hire good penetration testers or have them on staff, they will consider most header findings as a medium; even for internal sites (it doesn't take long to fix) to ensure these findings are corrected. Once the developers and middleware admins get used to this, it doesn't take them long to ensure all headers are correctly added and configured for each site.
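As an added example (not part of the original comment), the following Python script shows the triage difference the comment describes: a scanner-style view that flattens every header finding to Low beside a tester-style view that rates header findings on an externally reachable site as Medium and on an internal site as Low. The sample response header block, the severity policy and the one-year HSTS threshold are assumptions constructed for the example.

```python
"""Audit HTTP response security headers and compare two severity policies.

Added example, not code from the original comment. The severity policy is
an assumption: header findings on external sites are rated Medium, on
internal sites Low, and the scanner view flattens everything to Low.
"""
from typing import Dict, List, Tuple

# Constructed sample of a response header block (not captured from a real site).
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOWALL
Server: ExampleServer/1.0
"""

ONE_YEAR = 31536000  # assumed minimum HSTS max-age in seconds

Finding = Tuple[str, str, str]  # (header name, severity, detail)


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw header block into a dict keyed by lower-cased header name."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value: str) -> int:
    """Return the max-age (seconds) from an HSTS value, or -1 if absent/invalid."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return int(num.strip().strip('"'))
            except ValueError:
                return -1
    return -1


def audit_headers(headers: Dict[str, str], external: bool) -> List[Finding]:
    """Tester-style triage: rate each header misconfiguration by exposure."""
    severity = "Medium" if external else "Low"
    findings: List[Finding] = []

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append(("Strict-Transport-Security", severity, "header missing"))
    elif hsts_max_age(hsts) < ONE_YEAR:
        findings.append(("Strict-Transport-Security", severity,
                         f"max-age {hsts_max_age(hsts)} is below one year"))

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("X-Content-Type-Options", severity, "missing or not 'nosniff'"))

    csp = headers.get("content-security-policy", "")
    xfo = headers.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp.lower() and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("X-Frame-Options", severity,
                         "no framing restriction via X-Frame-Options or CSP frame-ancestors"))

    if not csp:
        findings.append(("Content-Security-Policy", severity, "header missing"))

    # Version disclosure is informational regardless of exposure.
    server = headers.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(("Server", "Low", f"version disclosure: {server}"))

    return findings


def scanner_view(findings: List[Finding]) -> List[Finding]:
    """Scanner-style triage: the same findings, every one rated Low."""
    return [(name, "Low", detail) for name, _, detail in findings]


if __name__ == "__main__":
    parsed = parse_headers(SAMPLE_HEADERS)
    print("Tester view (external site):")
    for finding in audit_headers(parsed, external=True):
        print("  ", finding)
    print("Scanner view:")
    for finding in scanner_view(audit_headers(parsed, external=True)):
        print("  ", finding)
```

Run it against a header block captured from your own site to see which findings a flat "Low" rating would hide; adjust the severity policy in `audit_headers` to match your organisation's own risk matrix.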
Of course they say this... the longer you keep your data with them, the more money they make.
It's not like they say... they'll do it for free.
Nobody is shocked
Oracle has been hosing everyone since it became a publicly traded company.
The only shock, is how many ignorant corporations out there who still purchase Oracle's crap.
Re: Tee hee. Trump is to Putin as --
The whole DNC hack was done while Obama was in the White House. Along with Russia gaining Crimea. Oh, and don't forget the red line in the sand fiasco.
Meddling was done between Hillary and the Russians... remember Uranium One?
This is just the democrats yelling louder and without pause--accusing others so people don't talk about the transgressions done while they were in power.
If Trump walked on water, the democrats would scream it's because he doesn't know how to swim.
Yet, so many people buy into their BS and catch Trump Derangement Syndrome, and lose all focus on reality.
GM, Ford, Ferrari, and others plead guilty
...to creating sports cars which can easily outrun police and cargo vehicles to carry..uhm, stuff.
They all admit to knowing these high speed vehicles are perfect for criminal activities such as smuggling and trafficking as well as getting away as quickly as possible.
They also admitted to knowing these products have been used in terrorist attacks as well as kidnappings; yet still...they provide customer support as well as spare parts to those in need.
I don't condone this guy's product, but let's get real. Those who need to be arrested and focused on (with laws) are those who use the product illegally. With a few simple changes to his words, he could've marketed this as a security tool in many locations (including the US) and been fine.
The employer has the responsibility to provide for the physical and mental well-being of its employees?????
No it doesn't; you do. How about this... listen better in school, buckle down, and get an education. Then you wouldn't have to work in a warehouse.
Perhaps you should try a job outdoors, in the elements... like many jobs.
Perhaps try putting your life on the line, such as first responders.
Maybe try high rise construction or trash collection.
Waaaah.. underpaid. No you're not. Look at the thousands of other occupations out there where it takes a lot more to collect a paycheck. Taking an order, tossing it in a box, putting it on a truck... etc. Not exactly worthy of high wages. You don't see most people working in department stores driving the newest cars.
Quit using WANT, want, WANT, and start using earn EARN earn.
They have to do something
Their overpriced, under-secured database is starting to be used less and less; so Oracle has to do something.
Banks don't exactly have a huge supply chain, so saying any of them use this isn't really saying much. Where they do, it's so regulated by every country, that it's not really providing anything but a common application.
My worry is simple. It's Oracle. Once again, they rush a product through... to be one of the first so they can charge way too much. All their products are pushed this way... all their products have security holes which can be used as examples of what not to do.
Oracle: Not exactly the best name in the InfoSec world.
I imagine, nothing will change in this regard.
Re: Extraditing random people?
Look... instead of looking silly, why don't you take 3 minutes and use Google on the phone which is obviously stuck 10 inches from your eyes. What makes idiots comment about something they admittedly don't know anything about?
It's not about where a 'server' is (good grief... really, you think it's about the server?) It's about where the crime is committed/damage takes place.
It's the snowflake way
If we yell loud enough with a message which is just corny enough (it doesn't have to be true), somebody will eventually believe it, provide us a forum, and we will be smart and important.
Anyone can publish anything. Doesn't mean it's worth its weight in dog crap.
Indictment bombshell: 'Kremlin intel agents' hacked, leaked Hillary's emails same day Trump asked Russia for help
Smoke and mirrors
The democrats are basically shouting over everyone and taking any little thing they can and running with it.
They're doing this to cover up the fact Hillary broke the law and set up a private server, used her position of power against her rivals, made terrible choices both in and out of office (including choices which killed people).
Hillary's strategy is... if you shout really loud and don't allow anyone else to talk, then the public will not be able to hear the real truth and see just how bad you really are. The only fallacy in this, is not shutting up long enough to understand the public isn't stupid.
The DNC will continue its push against Trump, but there are a lot of people in Hillary's own party who are very happy she didn't win the election; could you imagine?
Re: Come on!
Actually, it was Obama who said Putin is nice.
Obama: Hey, Putin is nice... let's pull our defense systems out of eastern Europe as a sign of good faith and friendship.
Putin: Ha! The Americans pulled back, strike Crimea! No worries... Obama will just draw another red line he will not enforce.
A company using primarily servers facing the Internet fails to use MFA for administrators.
You have to consider the CIO neglectful in their duties for not ensuring MFA is implemented.
LOL @ Oracle
Oracle's security has been so bad, they needed to figure out a way to make everyone else look just as bad or worse.
Perhaps Oracle should spend more time putting out a product which doesn't need so many patches every year. I still don't understand why businesses buy their products. Not only is it a security nightmare, it's more expensive than competitors'.
What a bunch of $$$7
In good faith, I believe the company should publish the names and PERSONAL emails of all company board members and those holding the position of VP and above.
If they will do this, then I'll go along with them saying this is a LOW vulnerability... but you know they will never do this.
Re: proceed with phase 2
The Democrats have wanted to remove representative democracy from the constitution for about 20 years now, and replace it with a modified socialism model. Yet, like all socialistic models, there is no real solution to how a country will pay if everyone received free ...everything.
Americans don't celebrate kicking the Brits out of the country on July 4th. This is the day Americans celebrate independence from a ridiculous monarchy. Since America had to give England two epic beat downs (don't forget about 1812) before they learned their lesson, another holiday was created for this azz-whooping. It's just not very PC these days to openly celebrate making another country your beotch; so this holiday isn't widely known.
If you can't do, might as well go into teaching
Implied consent is far too broad of a term to make an assumption with. Yes, an assumption, because for a case like this, implied consent has never been adjudicated in the courts.
..and just because you place something into the public domain, doesn't automatically presume implied consent. Anyone who has taken a high school law class can get this question correct.
You park your car on public streets; therefore, implied consent says anyone can take it after you leave.
Sounds good, right? But obviously this isn't the case.
You'd think a professor could take 10 minutes to think this out and realize how wrong they are.
Another example... you put your garbage on the street, so now anyone can go through it and grab any old documents and other personal items you tossed out for themselves.
Again, sounds good, but in most countries... doing so is still considered stealing. Tossing something out doesn't give 'implied consent' that anyone can take it and use it.
So, once again... another so called security professional at a university who went into education because they couldn't actually perform well on the job. If you can't do, might as well teach.
Thank you captain obvious--Is this really your best?
Way to put a lot of time restating keynote speeches given for the past 10 years; actually for the past 50. Don't forget the basics; we must get back to basics--maintain your foundation... blah blah. DUH! Sounds more like a speech given by a coach before a football match, than a well thought out technology briefing. Could also be the big all caps writing on a pamphlet.
BTW, those who aren't concentrating on the basics and shoring up their own networks... aren't worried about state sponsored attacks. They aren't worried about anything--because they're ignorant to begin with.
If I pay a lot of money to attend a conference, I don't want to hear ridiculous 'basic' crap from an individual who is on the cutting edge of information security. I can open up YouTube and search for this. Give me something new. Something I can't search for and find. Give me your best. YOUR BEST.
When I see crap like this, it makes me think the person giving the speech isn't really as smart as they let on about... it seems more likely it's the people they work with who are the intelligent ones, and they are the 'average' person riding on the coat tails of others.
PaaS and SaaS cloud environmental risk.
Too many professionals don't understand the increased risk, and don't have the experience to know where the data is and how well it's protected.
...then they find out (TOO LATE), the cloud provider has no responsibility or risk acceptance; it's all on them.
This is what happens, when you vote in people who want bigger government.
Tax and monitor.
Complete Security Failure -- NOT a mistake
This only shows how lazy people are. No doubt the expertise existed to provide a thorough and accurate risk assessment of this system. If an in-depth investigation takes place, they will likely find, the internal security organization provided the risks associated with not using MFA along with fire IDs, restriction/segregation of privileges along with password policies.
Don't call this a mistake... it was a deliberate act to accept the risk.
The "I don't want to inconvenience my workers" snowflake, lazy, PC attitude doesn't work in most professional settings, especially when it comes to risk.
Get rid of plastic straws if you must, but don't accept moronic risk out of laziness and PC optics.
Oh... and you may wish to fire whomever decided to accept such risk, and please publicize their name, so everyone knows not to hire this individual to make risk decisions.
Does anyone have my ICQ number? I can't remember it!
Right now there isn't a lot, if any regulation on cloud service providers; therefore, they have you by the short and curlies.
I really hate an increase in government regulations, but CSPs who are currently not responsible for data as a whole (even with PaaS), really need to be reined in. There is too much consumer information being placed on these systems for CSPs not to be more responsible.
It's ridiculous when a CSP has you locked in and then they change the rules on you--and you're stuck.
Malware disguised as something else is hardly a new concept.
Cheating... has been going on before man lived in caves.
During testing, testers are often provided means of adding this/that... doing this/that, jumping here/there, etc. and this information on how this is done gets leaked.
With today's processors and memory availability, it isn't hard to add in code to sanitize input, mask values, and other techniques to prevent cheating. However, there is no real incentive to stop this until it gets out of hand. People being able to cheat, to some extent, brings people to their game and therefore increases revenue.
..and since stupid cannot be fixed; there will always be the gullible cheaters who fall prey to malware disguised as the latest cheat. But let's face it, if you're so pathetic you need to cheat on an online game, what do you really have to lose by a MiTM attack.. other than their mom's credit card number.
You don't owe the public an apology... you owe the public immediate suspension followed by sacking after an investigation.
Since this has now become a trend (not that it wasn't before), those in leadership, policy writing and technical operations all need to be under fire and out of a job.
What happened to the government? It used to be when you just sneezed out of place you'd get fired. Now you can't even get rid of someone who is outright negligent.
Politicians... this is why you guys are being voted out in favor of someone with little experience (in being bribed, etc.). It doesn't matter which party you belong to, if you're part of the establishment, you probably should enjoy every last second while you can.
Just another asinine NY Times reporter trying to make extra money by publishing a book on something he knows very little about. Not to mention, typical NYT reporter not doing any further research or speaking with other InfoSec professionals about certain tactics, techniques and procedures used by penetration testers and information system forensic experts.
How many times this year has the NY Times had to retract or clarify something because their reporters did a half-ass job? A LOT.
When standards are low, you're going to have employees who aren't the best around.
Typical spoiled little brat.
No coping mechanism to deal with an uncomfortable situation.
Most work places which allow news to be shown on television don't have the sound on, or the sound is very low. So I'm betting she is exaggerating quite a bit. Likely, she was looking for some sort of attention out of the ordeal.
Plus I'm sure, she figured her pantyhose was a perfect place for stashing documents. Listening to her talk and looking at her social media... I'm betting nobody has tried to breach her pantyhose on a Friday/Saturday night.
Wrong.. it wasn't the NSA who wanted to withhold knowledge of Russia hacking voting systems; it was the Obama administration. This has been known now for almost a year.
According to what is released.. each country has to maintain a unit.
So, instead of sharing resources... each country has to spend money on them.
Sounds more like an opportunity for bureaucrats to gain more control over something they know little about, and allow crazy old men at the EU HQ to make more money for themselves by selling influence.
Watch... soon, all penetration testing will have to be done using certain commercial tools, and it will be against the law to create your own, or use tools which aren't on their approved list (you know, companies who provide kickbacks to bureaucrats) -- throughout Europe.
If each country has to already maintain a unit, then why let the whackos in Brussels tell InfoSec professionals what to do?
Just more power grabbing and money making schemes.
Re: Fake negative reviews?
All parole conditions will come with a statement (to the effect) of staying away from those affected by your actions which originally landed you in jail/prison.
Along with about 20 other items.
In the USA, any violation of your parole will put you back for the full time (for state/local sentences), and will likely cause you to face new FEDERAL charges. Under federal sentencing guidelines, you serve the entire sentence. No chance of parole after 12 months.
Reread the first amendment and court cases regarding it.
You don't have the right to say anything at anytime.
First amendment means you can speak out against the government without reprisal. Doesn't mean you can trash your neighbor, slander or threaten people.
Someone didn't do their homework in school, and only listens to moronic political laced comments.
Encryption and Integrity.
Big difference in how the certificates work.
I'll point to Google, so you can do the rest.
Kaspersky, I think thou dost protest too much!
Yes, all governments are self-serving... loathing SOBs; however,
if you don't understand the difference between a freely elected government and a government ran by a pseudo-dictatorship which invades a peaceful nation and runs hundreds of thousands of people out of their home at gunpoint.. then I believe you have a lot of research and self-reflection to do.
For anyone to back the Russian government about anything is just ridiculous. It also means you don't have any regard for human rights.
It's amazing how people will hang on to conspiracy theories about MI6, CIA, NSA and believe Russia is okay. How stupid can anyone get? I suggest you open your mind a bit, think critically, and talk to people from Russia and surrounding countries. You will be in for a mind blowing reality check.
Look at everything
If you're willing to pay for it, Microsoft provides patches and fixes for Windows XP Pro until 2020.
It isn't cheap, but in cases where you don't have much choice... you know how it is.
ATMs are more/less PoS devices. Many applications haven't been updated to run on more modern OSs. If they have, the ATM owners (not necessarily the banks who lease them), won't spend the money on upgrading OS and applications until they are made to do so. Why should they? You'd save the money and pocket it yourself, right?
The number of increasing integrity attacks is starting to change minds, not to mention the cost of insuring old software/OSs. As is how much courts are starting to make examples of corporations who aren't being attentive to proper due diligence, and especially those who aren't attentive to proper due care, in which using an old OS will likely hit the hardest in courts.
If you look hard enough, you can still find Windows XP in the US and western Europe. Mostly with companies who lease out older ATMs. For banks who own their own ATMs, these are likely updated with newer operating systems, and a wealth of physical security add-ons.
This is what we called in the 80s and 90s... BSware.
Just a bunch of crap put together, which is not only difficult to collaborate, but so effing boring that nobody will.
This happens when a good idea, turns out to be not such a good idea, and then into a pile of BS.
Even though they knew hours ago, they should have abandoned the project... they didn't. So they go ahead with it and publish rubbish like this.
Just a means of individuals 'publishing' something for the sake of publishing and to say they have.
Texas-Austin academics should have stopped this from being published. In not doing so, you've more or less put this university on the back burner for integrity. Although, U of Texas never was on the map for computer engineering, let alone computer security.
C'mon guys, there are more important things to study and research. Don't be afraid to let go of a project if it isn't going anywhere... it's better than being laughed at.
Matt Halpern, Manuel Philiose and Mohit Tiwari... better luck next time, if you're given the opportunity.
Re: ahum, dumb fucks ?
Calling an entire generation of individuals, in which a good majority haven't been given the skills to think about and look at 2nd, 3rd and 4th order effects, "dumb fucks" isn't entirely out of line--especially when it comes to information security as a whole (not just a profession).
So yes, it is a security problem for those who download the latest 'game preview' only to find out it's actually an application spreading malware. Yes, it's a security problem, when the generation doesn't learn from such actions and repeats these insecure acts in a habitual manner--then continues to spread to family devices on their home network or via email attachments.
Offensive security should NOT be contained to only the lab. Not to mention, offensive security has very little to do with the SDLC. Code review and offensive security are two different things; not to be confused with penetration testing.
So, before you begin harping at people about what the 'problem with security' is--you should first spend about 7-10 years in the field so you completely understand it.
Calling people dumb fucks is not the reason for poor security, or responsible for a society in fear and uncertainty. Nor is it responsible for poor patching practices. Good grief. If you really believe this, then you're a snowflake who will never thaw out. Would you like your crayons in a box of 8 or 16?
I love people who come up with false narratives and stats which are so far off, you can only assume, they don't have the brain power and patience to do 20 minutes of research and cross checking to get it right. ...rather, they'd prefer to spout out numbers and false figures in an attempt to make themselves seem more superior than others. Fact is, it only displays their own ignorance.
Using one source, especially something you just heard, or figured out on your own... isn't going to make you look smart.
...and bundling "YANKS" and all citizens of the USA as one is really asinine. ...but it's understandable many Europeans do this, as they don't really understand the size of the USA, and cannot begin to imagine what it is like to live there. As if, what works in England can transfer to the USA; when most of the states alone are larger and more populous than England; let alone 50 put together.
The EU bundled together, is only half the size and population of the USA, and look how screwed up it is.