* Posts by Aodhhan

684 publicly visible posts • joined 25 Apr 2008


TechCrunch defaced by self-professed 'white hat' hackers

Aodhhan

Oh c'mon

If you host anything on WordPress you have to be willing to have your site hacked. I've said it before, WordPress is a training site for web service hacking.

If you're going to use it, only use WordPress for information... and then monitor it closely in case someone does gain access. Don't use any of the plugins, or anything which holds or allows access to backend components. In fact, if you're going to use it... don't put it on your network; instead, use a web hosting site.

Oracle database, Flash, Java, WordPress... four things you should keep on top of if you have any cybersecurity responsibilities.

Lift your nose in the air and turn away from a vendor which doesn't provide web services using HTML5.

PHP flaws allowed God mode access to top smut site

Aodhhan

Rumor is

...they would have found these exploits faster, but everyone kept taking long bathroom breaks.

However, I do agree with the article. I'm a bit shocked about PHP without JSON.

Time to begin coding like it's 2016, not 2006.

WordPress admin? Thinking of spending time with the family? Think again

Aodhhan

I think everyone in cybersecurity knows...

WordPress is a training ground for hacking. Especially the modules. Small files which don't take a seasoned expert to reverse engineer, fuzz, etc.

Hacker shows Reg how one leaked home address can lead to ruin

Aodhhan

Re: “These sites are everywhere”

Not making information available, especially where the government is concerned will make corruption much worse than it already is. In the USA, the people have the right to know everything their government is doing, it's part of the constitution and expanded by FOIA. This is one of the reasons Hillary is in such hot water, well, except for the fact she's above the law.

As far as private companies using this information. Will make it much harder to get insurance, a credit card, bank loan, etc. If you outlaw it, then the rates for using private companies needing information will go way up because their risk increases.

You don't have to play the game, but you won't exactly get far.

Aodhhan

It's not just Facebook

There are so many different databases online which hold your information it's crazy. It makes doing a background check on someone so easy. What information is available depends on the country and province/state where you live.

Ever been charged (not just convicted) with a misdemeanor; even a speeding ticket?

Been involved in an auto accident?

Been married?

Bought a house/land?

Have a credit rating?

...the list goes on and on.

In this example, he's just using Facebook as a starting point. There are many others.

Aodhhan

Re: People don't listen

Yet you have an account on this website and likely others. Meaning your IP address is recordable each time you log in, and all your posts and any information in them likely tells a story or two when laid out and studied.

You think this website or its host is trustworthy?

Ohhh... you only think you need to worry about Facebook? There isn't much difference.

Flaws found in security products from AVG, Symantec and McAfee

Aodhhan

Re: Flaws found in Windows API

You can not be serious.

Externally facing OSs have nothing to do with this vulnerability. Apparently, someone has an agenda, is blindly ignorant, or both! You think you can just see a Microsoft OS box, yell, "Weeee... I can take advantage of this vulnerability"?

There are many ways AV applications use to review code. Hooks during dynamic testing of the code is just one method. It's a little more complicated than just looking for a bunch of NOPs in memory.

I have no favorite OS. However, as a penetration tester I will say this... I have more success against externally facing *nix systems than I do externally facing Microsoft systems.

Aodhhan

Re: AT WHICH POINT...

...will you get off your *nix high horse and realize this isn't an OS problem. Apparently, you're so stuck on *nix, you don't understand exactly what is going on here.

I'm not partial to one OS over the other, but realistically, I'd put the Windows OS up against *nix for memory hooking/corruption monitoring any day. So will any other penetration tester. So fuzz up your favorite *nix application, and if you look hard enough you'll likely find somewhere you can stick a NOP sled and have it point to your favorite malicious code. The only thing keeping someone from taking advantage of it, is the very endpoint software you are so epically calling, "bloated".

...or stick to your barebones *nix OS and run your favorite application which does just a few things or was compiled in 1988.

For $800 you can buy internet engineers' answer to US government spying

Aodhhan

Or...

Necessary if you move a lot of data. If not, the cheaper alternative is to use host-host with certs kept on a USB key. Realistically, if they really want the equations to move faster, they will need more processing and memory put on the device.

FIPS 140-2 protocols and ciphers will likely be the norm on these devices. One thing to remember about FIPS 140-2 encryption, is that they only show what is usable by the US Government for top secret and below. For information above top secret, encryption is governed by a different set of publications.

Meaning, state sponsored intel agencies can likely crack the encryption within several months.

When it comes down to it, the easiest way to get past encryption is to get on the box itself. You can put millions of dollars into encryption, but if you click the wrong thing on the Internet... it doesn't matter.

So as an individual, if you really can't wait to shell out the money for this device... you likely haven't done a proper risk assessment, or you have more pride than brains.

Governments Googling Google about you more than ever says Google

Aodhhan

not really...

If there are 100,000 people in a city, how many of them do you think are likely to be criminals? I'm betting it's a lot higher than the 1:10000 ratio.

Hardball hacker thrown in the cooler for 46 months for guessing rival team's password

Aodhhan

I agree it's a bit harsh. People who have stolen databases with credit card numbers, other fraudulent acts, or your last name is Clinton receive less or no time.

World-Check terror suspect DB hits the web at just US$6750

Aodhhan

Value

Bitcoins aren't valued on anything. Nobody uses them as an investment, since they aren't backed by anything and there is no guarantee.

The value goes up and down based on demand and to ensure the company itself profits; i.e., a commission.

If some wealthy companies find the need to use bitcoin a lot, the value goes up due to demand. If the number of companies/individuals using Bitcoin services goes down, the value goes down. It's this simple.

Companies don't invest in bitcoins because it's too risky and volatile, and they don't buy a few bitcoins in case they are hit by ransomware. Why would they? It would be wiser to put money into an investment which is a lot less risky and more likely to provide a profit. Then purchase bitcoins as needed.

Maxthon web browser blabs about your PC all the way back to Beijing

Aodhhan

There are no safe browsers.

Inherent to the protocols used by browsers, you can't keep everything secret. Even if you refuse something coming into your browser, it tells a tale.

Using the Internet is a lot like going outside in that you cannot expect total privacy.

...and get a grip when it comes to the NSA. If you live in a NATO country, your own government does more spying on your country than the NSA does. In many of them, they don't even require a warrant to do so.

McCain: Come to my encryption hearing. Tim Cook: No, I'm good. McCain: I hate you, I hate you, I hate you

Aodhhan

Seriously?

I don't agree with the senator when it comes to allowing back doors for encryption, but don't trash someone who was a POW. Especially when news comes from crappy internet web sites with no credibility, no proof, and isn't picked up by a national/world media organization. To do so only makes you a hard headed partisan whose brain is so closed you're no longer able to think for yourself or think critically.

In all reality, Cook missed an opportunity to be the opposition voice for this... because of his apparent hatred of anyone who wants to mess with encryption. Because of this, it really p$$@#! me off he didn't show. Cook has more than enough experience and knowledge to have answered any questions thrown at him, and given a chance to provide light on the subject. Congress isn't a bunch of computer nerds, so without testimony from opposition (which is done all the time).

McCain is equally boneheaded because he is focusing too much on Apple, instead of working a few other angles; which in my view would do him more good... but I must admit I'm glad he isn't!

It's also apparent people don't understand the 5th amendment and when it can be used. When asking questions to put together facts, and the questions aren't geared towards pressing charges or criminal acts... the 5th can't be used. This should be obvious. Nobody is saying Cook has broken the law, he's just standing up for what he believes to be an infringement on his rights.

World's worst exploit kit weaponises white hats' proof of concept code

Aodhhan

Security is not a myth.

In the most general terms, security is: the act of protecting something valuable. You can add many different types of "security" to a door, room or a network; therefore it isn't a myth. It exists.

Absolute security however, cannot be accomplished. There will always be a weakness if you want access to the valuable. This doesn't make it a myth.

Anyone in cybersecurity knows this and before deciding on what security measures to employ first complete a risk assessment. There is no need to spend $40,000 to protect $1,000 of valuables.

To protect something, cybersecurity employs defense in-depth which are security measures placed to protect something and add protection on top of other protections. Again, security. Some protection methods are better than others, some are more expensive to employ than others.

To make the point, security by obscurity is another security measure used. Therefore, it isn't a myth. Code is obscured all the time to make it more difficult to RE. This doesn't mean it will protect the code forever... it's just another measure employed to make it more difficult to bypass the security measure.

What creates the illusion you speak of is the fact hackers only have to get it right once against millions of systems connected to the Internet. For the most part, hackers are a lot like water in that they follow the path of least resistance.

I think you can figure the rest from here.

Euro IP study finds 25 Tor-and-Bitcoin-loving pirate business models

Aodhhan

Well...

This is 3 minutes I'll never get back.

Silently clicking on porn ads you can't even see – this could be you...

Aodhhan

You wouldn't be guilty if you're a Clinton.

Hackers steal millions from ATMs using 'just their smartphones'

Aodhhan

You're all smarter than this

If banks didn't take IT security seriously, considering the number of ATM machines there are, there would be 10-20 thefts a day. Since in most countries, the bank takes the bite for any ATM hijacking, they do take it seriously.

Some banks may not take it as seriously as others, but in most larger countries, banks have gone all out to protect ATMs.

You should also know, there isn't anything which is hacker proof. NOTHING. Especially any system with external customer facing interaction, and a huge box holding a computer which goes through quite a few hands from when it leaves the factory until it gets placed into operations. So, plenty of time for someone to gain access and introduce something. A lot of companies may not take supply chain security seriously, or can be bought. You all can figure it out from there.

OpenSSH has user enumeration bug

Aodhhan

Hopefully...

Not a huge issue in my book. If you're exposing port 22 or any other comm port externally... you have bigger issues to worry about, and by now... most host based firewalls should only accept comms from other internal systems; hopefully, along with a log management system which sends out some sort of notification after 10 consecutive login fails. Yes, I know this can be irritating when decommissioning servers.

Chinese hacker jailed for shipping aerospace secrets home

Aodhhan

Light Sentence

It does seem a bit light, but the information was classified "For Official Use Only", no secret or above information was stolen. I wonder though, before the arrest, how much misinformation they planted into the system which was then transferred to China?

ANZ Bank staffers drop slick incident response tool for Mandiant mobs

Aodhhan
Thumb Up

Nice Article

Mr. Pauli... I normally bust your chops, this one is nicely done.

Critical remote code execution holes reported in Drupal modules

Aodhhan
Joke

Re: "The Coder module [..] does not need to be enabled in order to be exploitable"

You must be joking. In the past year, WordPress had vulnerabilities which were around for more than 90 days. This isn't impressive... especially when PoCs are available within days of the notification.

WordPress is also popular for hacking due to the number of tools built specifically to interrogate the application for vulnerabilities.

What also makes it dangerous is the number of add-ons available and who builds them; which increases the number of attack vectors to go for.

The modules are much easier to reverse engineer than the main application itself. It's also the addons which typically have the long patch times. These are also much easier to create attack modules for... which allow just about anyone to successfully attack.

Dangerous claim to make if you're not well versed in these matters.

Webpages, Word files, print servers menacing Windows PCs – yup, it's Patch Tuesday

Aodhhan

Re: Wait until the weekend to install

Spoken like someone who hasn't coded anything beyond, "Hello World", and doesn't understand anything about exploiting applications, outside using Metasploit.

Meet Riffle, the next-gen anonymity network that hopes to trounce Tor

Aodhhan

Okay so...

If you think the US government doesn't already have the code, then you're not much of a thinker.

The more something bounces around the slower the responses and more likely there will be collisions. Which means, follow the error messages back home. It is using TCP after all.

I'm sure this will be secure for a while. However, you're mistaken if you think most nation states won't have this cracked within a few years.

VPN provider claims Russia seized its servers

Aodhhan

Re: Snowden criticises the new laws

Really... quoting Snowden on economics? This is just ridiculously stupid.

Better would be to find out who he is getting the information from and then check on it.

US drug squads told to get a warrant before tracking mobile phones

Aodhhan

In all likeliness, the DEA realized this but whoever was the officer in charge was ignorant to the differences between a normal cell phone warrant to listen in on conversations (which was granted), and setting up their own cell tower to track it.

The DEA could have gotten a warrant in less than 30 minutes, and already had more than enough information to convince a judge. So, I don't believe this was laziness; it was ignorance.

So now, whenever law enforcement asks for a warrant to listen in on cell phones, they will add tracking and setting up mock cell towers along with it. Not a huge or crazy case.

50 CELEBRITY SECRETS EXPOSED scores year behind bars

Aodhhan
FAIL

Yet another

C'mon Pauli. Yet another horribly written column. He was sentenced to TWO years, but given one year credit for time served.

The major crime with this as addressed in court and documents is SWATTING, and should have been the main subject.

Given this is the first time a sentence was handed out for SWATTING, it sets a precedent from which to work. Again, this should have been a higher profile event in your column.

Please stop. You can't do technical and you can't do legal.

Chap fails to quash 'shared password' 'hacking' conviction

Aodhhan

Some judges are so ignorant...

Judge Stephen Reinhardt is a technological idiot. Accounts and privileges provided to employees to access systems aren't owned by the employee, they are owned by the company. If an employee provides the keys to a building over to someone else and this person gains access with malicious intent, he will be prosecuted for trespassing among other things. So, why would turning over a password, as well as using another's password be any different?

An employee isn't given permission to give access to an employer's assets (in this case, enterprise network) to another person.

I'm sure if Judge Reinhardt's maid gave a copy of his house key to a friend, or even allowed the friend complete access to his property by opening the front door... he'd be rather upset.

The 9th Circuit is infamous for its far left-sided decisions and often doesn't read the intent of the legislative law as written. Reinhardt only looked at the possibility of something which is out of the scope for this act, as well as attempting to change the law by adding a possibility. Something judges aren't supposed to do, but have started to do so with alarming frequency.

EU uncorks €1.8bn in cybersecurity investment. Thirsty, UK?

Aodhhan

Yeesh... seriously

One of the things which drive me crazy about the EU. Pay a huge amount of tax to fill their coffers, and allow them to make a decision on where it goes without any representation or say from the people. It's shocking to me, for the size of the UK government and what they plan to do are going to invest nearly 2 billion Euro into this without providing more details on exactly where and how the money is going.

Realistically, I don't think 2 billion Euro + 6 Billion Euro (from business) is enough for their plans to equalize cybersecurity throughout the EU. So get ready to have your taxes increased to pay for this. Germany, France, The Netherlands... be ready to see most of your EU taxes go towards smaller EU countries which, according to the plan, will need to be funded so the EU isn't so 'fragmented' concerning the cybersecurity industry. Talk about stupid. Probably 60-70% cybersecurity corporations and startups are located in California. There is no need to spend money to startup companies in Alabama, Iowa and Wisconsin.

Bringing in the US's proposed increase in federal spending on cybersecurity isn't exactly a great comparison to look at. First, it doesn't fund research, development or private industry at all. Second, it doesn't concern building small corporations and balancing where things come from.

The US typically doesn't fund private industry improvement of cybersecurity. If a company needs to put money into this, it can fund it from profits or sell stock. A lot of congressional representatives were axed during the 2012 elections. Largely due to spending money on bailing out large corporations and banks, while the economy was stagnant and unemployment rising. Nobody helped bail out the citizens.

So I understand spending money to improve the cybersecurity throughout the EU governments, but not private industry. I don't blame UK for leaving... it was the right thing to do for the people. It also allows them to put money where they want and need to, like military defense... something the EU has allowed to dwindle.

One in 200 enterprise handsets is infected

Aodhhan

Re: All of them are

While I don't necessarily disagree with what you've said...

Not opening the applications doesn't keep you safe. It just keeps unpatched applications on your phone. Think about it.

If you don't need it... remove it (Security 101)

If you purchase a phone from an ISP, have them remove it or go to a different company who will.

I've used 4 different cell companies, and all have removed the apps. They just won't change their firmware.

Still no luck? Then jailbreak and remove it.

Klepto Zepto could steal millions in looming ransomware wave

Aodhhan

Just goes back to the old saying...

Whenever you provide defense in-depth in order to make security idiot proof; someone builds a better idiot.

Yes yes, thank you all for the obvious, "lock down the system". A little hard to lock down a system to where a user doesn't have any privileges on the system or their own file system.

In a corporation or business which only provides cybersecurity training once a year, approximately 20% of users will still open the email.

Researcher pops locks on keylogger, finds admin's email inbox

Aodhhan

Re: Located or Accessed?

You're better off going to the source or searching for information on the subject whenever Darren Pauli writes an article. His apparent need to write cute metaphors which often don't work, poor grammar, inability to put together a sentence correctly so a reader can identify the subject, verb and object... are just a few examples of his writing weaknesses.

Adding to this is how he doesn't seem to correctly grasp the technical aspects of the subject. This leaves readers having to go back over what is written more than once in order to make sense out of things.

Russia, China fight UN effort to extend human rights onto the internet

Aodhhan

Re: Absolute BS

You're either a liar or spent your time in China with the oligarchy. The people know too well the corruption which exists and the control of information by their government. Not to mention, there are some very smart citizens made to work in box factories making crappy off-shoot items. Imagine if you were put in this position.

Most people in China/Russia countries despise their governments, but love their country. If western culture is so hated in China, there wouldn't be the boon there is now with western items an increase in things like automobiles and other technological advancements seen as having a western origin.

What China and Russia both do very well is control information. They don't want anything getting into their country which will contradict what the government says. As long as people are told this and that and there isn't any opposing information getting in to provide objective thought, the people remain ignorant. In short, they don't know what they don't know. This is how the government wants it... not the people.

The majority in Russia and China eat up whatever information they get from the west. They aren't stupid. Like any other nation's citizens, they want to learn and hear what's going on in the world.

Finally, most Americans want the government to stay away from the Internet as much as possible. They want absolutely no regulations, no control, no say from the politicians on how it is used, what is put on it and security requirements. The only one thing they will stand for, is regulating protection of people and their assets.

InfiniBand-on-die MIA in Oracle's new 'Sonoma' Sparc S7 processor

Aodhhan

There is a reason...

...almost every datacenter I know of has or is in the process of dumping Solaris.

Not to mention it's an Oracle product. The company has a poor history for timely patching, and isn't exactly teamed with geniuses to help when there is a problem.

Aodhhan

Re: It's SPARC

Really, you want to play grammar police with all the errors in your statement?

To quell the capitalization of 'internet'.

It's capitalized if referring to the name of the world wide web encompassing internet (proper noun).

It's not capitalized if referring to a connection to a group of computers or when using the word in general.

Alleged Brit hacker Lauri Love bailed amid US extradition battle lull

Aodhhan

Really you want to mock the USA's educational system?

What am I saying... This is a battle of wits with an unarmed person.

Hopeless Vic agencies have two years to hit infosec best practice

Aodhhan

Another lazy and poorly written article.

Big shock... and it takes a whole page to describe:

Agencies in Victoria currently have poor information security policies and procedures. They have been given 2 years to correct, implement, and maintain industry guidelines.

<Link to the pdf>

Tada.

US Senator Wyden: Why I had to halt FBI's latest internet spying push

Aodhhan

A democrat stepping against the president. Amazing!

Look, it takes 15 minutes or less to get a warrant as long as you have what's required or have MI6 do it; they don't have to worry about warrants in the USA.

Play Store malware roots phones, installs an app every two minutes

Aodhhan

Re: Detail please

This is one of the worst and laziest column writers on the Internet. Don't expect too much from Pauli. He's more into trying to come up with 'snappy lines' to display his ignorance in computer security, than in providing actual information. He'd probably do better, if he had a good technical background to know what information he needs to provide, what information is important, and what it all means when put together. Sadly... no dice.

Visiting America? US border agents want your Twitter, Facebook URLs

Aodhhan

What, so they can blame another Benghazi on one of our videos?

This is what we need, to have a political party which lies, misleads and insists everyone else is uneducated and clueless wants to get access to my social media. Yeah, that's great.

The next time a terrorist does something, they can then randomly find something on your Facebook, Twitter, etc. page and blame it on the video you posted of your child playing baseball instead of soccer.

Botnet-powered ballot stuffing suspected in 2nd referendum petition

Aodhhan

It's not democracy when...

...people who aren't elected make the decisions.

...people who make decisions don't listen to those who live in the respective location, country, etc.

...there isn't a large vote on a decision, which includes representatives who look at how it affects people in a certain area.

...leadership over-plays hype and uses fear to overcome popular ideals of the people.

Once the general population loses voice on any decision affecting the nation at large. You've lost democracy. I say democracy is worth any pain you may endure so long as the people maintain a voice.

A few ignorant leadership members in Brussels want to make decisions about a country without providing any extra resources or money to deal and support their decision. So now a tax has to be levied to support it. Taxation without representation.

I say, KUDOS to those who voted to get away from EU. It takes bravery to face the fear which has been shouted and threatened upon the people. It takes intelligence to see thru the BS.

NASCAR team red-flagged by ransomware attack

Aodhhan

Really... ignorant about NASCAR?

Let's see, a NASCAR originating team (Chip Ganassi) just won Le Mans using a Ford. Which hasn't been in the race for 40 years; kicking Ferrari's arse with ease. Other endurance drivers which have been winners (Corvette teams) also race in NASCAR. Such as Dale Earnhardt Jr.

F1 Racing... really? You know who will win the race by the 3rd lap. I see more passing in the hallways of a retirement home. Not to mention the yellow flag rules in Europe, don't exactly make things exciting.

NASCAR isn't regional. It's followed all over North America, Australia and a few other regional countries.

American owned racing teams or drivers are at the top of quite a few racing leagues. Even those which run all over Europe. Including rally cross.

Finally, it isn't just a NASCAR team which can be ignorant to computer security. Many corporations throughout the world fall victim to this without backups.

It doesn't take a genius to yell out "NO backups, stupid?". So really.

Revive revived: Oculus DRM push shattered as DIY devs strike back

Aodhhan

I'm not impressed by Oculus. The VR product is buggier than a candy bar on the ground.

No. It's not acceptable to bypass DRM for operability. If it was, there wouldn't be any DRM, because nobody would use it.

I think in the long run this will hurt Oculus. Many games which could be well suited for a VR environment may not happen because of this. Such as any games with a Hollywood movie as a base. Hollywood is a huge proponent of DRM.

If Oculus' code is so poor. All the bugs, plus having to bypass DRM... what other problems are there? How secure is their code? What attack vectors are now available due to poor coding?

No, it isn't a company trying to shut down competitors... wow, silliness. It's about poor coding and QA practices. If I pay for a product, I want it to work properly and not have to jimmy its way around things to do it. I definitely don't want the coding to be so poor it may introduce or allow the introduction of vulnerabilities.

Drubbed StubHub carder grub guilty, faces 12 years in cooler club

Aodhhan

Yeah, have to wonder about the A$ as "1337" :)

Aodhhan

Re: But ... but ... but ...

Genius at work.

The law doesn't provide a favor to criminals because protections weren't in place. In most countries this applies to anything, left anywhere at anytime; and no matter how you came to possess it.

Even if a 3rd party is negligent in handling any property which is stolen.

Besides, there are likely thousands of transactions handled a second. Many times... a web service handles different transactions to the same IP address... especially when most companies use one or two IPs and have thousands of employees. You get the picture now. Especially if they don't do it all at one time, which was the case here.

No watershed: China hacker groups in decline before Xi-Obama deal

Aodhhan

Pauli...you crappy columnist

Once again, you take the word of only one organization. Instead of using more than one source to collaborate data. Even so, you never investigate the matter fully to figure out why... you just take their word as gospel. WHY is a big part of journalism.

In some circles of state sponsored Chinese hacking against government networks there has been a decline... but nowhere near what is being presented by this article. The real data, Chinese hacking groups and memberships are classified, and even if you received it from USSTRATCOM or CYBERCOM, it wouldn't provide it in this manner.

China works all angles to get around any agreements, and the Obama administration is about as forthcoming with the truth in cybersecurity as they were when he stated you could keep your own doctor or ensuring Hillary maintained government guidelines on her own servers.

If a hacking group reorganizes or changes names and locations... apparently this wayward organization sees this as being removed from the Chinese hacking ranks? Or if they stop hacking US Government networks and go after privately owned networks, they don't show up anymore? Or a few other scenarios I won't name.

Don't be naïve in thinking China is going to stop going after the hard work laid down by other countries. It's what they do. They don't have the research and development budgets we do. Even the cars they develop are knockoffs of something created in the US, Japan or Europe.

They'll switch things up, and numbers will be reported differently, but don't be out fooled for a moment when it comes to China.

AirPort owners: Apple's patched a mystery vuln

Aodhhan

Pay twice as much...

...and wait twice as long for a patch. This has long been the mantra of Apple.

Perhaps they should lower their public affair budget so they can increase development and testing.

Password reset: 45 million creds leak from popular .com forums

Aodhhan

Probably...

Due to the number, this has to do with an application poorly written to provide a 10 digit password which is semi-complex, for either initial registration or password reset.

I'd go with the latter, if the programmer was lazy. Instead of putting in a random generator to come up with something complex to add it to the database, send out an email, etc. He used a wordlist of around 20-30 preset passwords, which probably rotated.

This is why you have an independent person check out code before release!

Smut shaming: Anonymous fights Islamic State... with porn

Aodhhan

Better would be to...

...put links on their pages to sites which install ransomware. You know they'd click yes to anything from a fellow Islamist.

Microsoft releases open source bug-bomb in the rambling house of C

Aodhhan

Re: C is not an applications programming language

Spoken like a computer end user who is only aware of the "programming for grandparent" languages like Visual Basic.

C or rather C++ is still widely used as the basis for many applications, especially those requiring speed and high end calculations. Many applications used to build the console and online games (you apparently spend too much time on), are written in C++.

Applications used to conduct bank transactions are written in C++ and others use FORTRAN... yeah I know you don't know what this is.

Just because you see a front-end GUI in Windows doesn't mean it's mostly written in C#.

So... shut off your gaming console, burn your nasty collection of 4 year old t-shirts, and leave your mother's basement. You just might learn a bit more about programming languages. At least you might do a bit more research before posting.
