* Posts by Aodhhan

684 publicly visible posts • joined 25 Apr 2008

Apple: Another bug fix. Er, thanks, GCHQ

Aodhhan

Re: Attack vs Defence

I think you need to quit listening to ranting lunatics and stop being lazy. Get your ass up and do some research so you can critically think through things.

White hats bake TeslaCrypt master key into universal decryptor

Aodhhan

Re: Simply cashing out?

Good point.

Also a huge attack on someone's conscience and a fear coinciding with realizing the victims are in many countries. This is a lot of jurisdictions and a lot of time you'll get. I'm thinking I wouldn't want to end up in an eastern European or Russian prison (or both) for the next 3 years times however many jurisdictions want to prosecute you.

In about 6-12 months, this individual may be able to sleep comfortably and enjoy his life without fear of authorities clamping down on him.

Hacker finds flaw in teleconference tool used by US Army, NASA and CERN

Aodhhan

On top of this...

It's not unusual to find video, audio and text conferences going over the wire unencrypted. This includes some of the best and most popular solutions. In this case it isn't the vendor's fault, it's a configuration problem by those using it.

Landmark computer hacking archive deposited at TNMOC

Aodhhan

The Internet 1980s

I still remember 80s Internet well!

Well.. it didn't exist anywhere like it is today, but it was still available to the general public.. primarily for email only. There were quite a few companies which had access to the Internet of this era who created email and file transfer frontend applications to use and would charge a monthly fee. CompuServe being a big one at the time.

Then there were companies who had their mainframes available to anyone who knew their phone number or could find it using a war dialer.

Security was nothing like it is today. Odd thing though, on many systems passwords given out at the time could not be changed. These passwords were often complex, but only 8-10 characters. If you could change it, you can imagine what people changed it to.

Accessing a system via frontend application you could only guess a few times. If you came in via telnet, a lot of systems let you guess forever. It really didn't take long to brute force or use dictionary attacks to gain access.

Hmmm, where should I dump those unencrypted password files? I know - OneDrive

Aodhhan

This study says what?

So, for some stupid reason... the number of files containing sensitive information is higher on one drive than it is on the typical corporate network? In this case.. a lot higher.

We didn't hit anywhere close to 18% on our first run through using DLP on: personal folders, personnel folders, application storage or databases. So these figures seem a bit high to me. I just called a few people and asked them what they think, and they're in line with me.

To provide a minimal fair sample, you'd need to study 100-200 companies using one drive for accurate figures. I'm thinking the companies who would allow this study to take place on their systems likely don't think security first; skewing the results. Please don't say people used some sort of survey. Surveys aren't accurate for technical information like this due to interpretation for one thing.

The blog you're getting this information from isn't even concentrating on security. It talks about the increased use of Office365. Even then it only provides figures, and doesn't provide any informative proof to back it up. Doesn't provide what type of study was done, how it was conducted and participants. Nothing for us to go... "hmmm".

Kids these days can't even write a decent virus

Aodhhan

Kids these days...

A bit misleading. Topping the charts are pretty well crafted malware, likely through the funding of nation states. They do more than exploit a vulnerability and launch a reverse shell. There is a lot put into something which uses many methods of propagating to specific places. Hiding this takes talent and effort of a team. There aren't many individuals who will take this on by themselves to create a malicious application, when they could put the time and effort into creating something they could sell to thousands of people for $8.99, or a quick ransomware application to get paid whatever they can get.

There is also a huge shift in other forms of malware which don't take a lot of time to do, and still provide the results they are looking for.

This report provides some good information, but if your take from this is: kids these days can't write a decent virus... then information security isn't your strong suit.

Aodhhan

Kids these days

A bit misleading. Topping the charts are pretty well crafted malware, likely through the funding of nation states. They do more than exploit a vulnerability and launch a reverse shell. There is a lot put into something which uses many methods of propagating to specific places. Hiding this takes talent and effort of a team. There aren't many individuals who will take this on by themselves to create a malicious application, when they could put the time and effort into creating something they could sell to thousands of people for $8.99, or a quick ransomware application to get paid whatever they can get.

There is also a huge shift in other forms of malware which don't take a lot of time to do, and still provide the results they are looking for.

This report provides some good information, but if you take from this that kids these days can't write a decent application, then information security isn't your strong suit.

Cryptxxx shipwrecked: Laughing white hats shred latest ransomware

Aodhhan

Wow, no conspiracy?

I'm waiting for someone to say something along the lines of: Kaspersky is actually creating the ransomware, then coming up with a solution for PR purposes.

Nicely done Kaspersky... keep kicking their backsides!

...as well as sponsoring motorsports! :)

Destroying ransomware business models is not your job, so just pay up

Aodhhan

Mr. Pauli's Informed Opinion

What a gaffing laugh this is. Perhaps Mr. Pauli won't mind reimbursing a victim then... when they take his advice, pay up, but don't receive a key to unlock their data. Or the data has been screwed with.

I've been in InfoSec for a long time. Working for both the Department of Defense and banking industry. I know many of my peers, and I can't think of one person who in general and as a rule recommends paying the ransom. There may be a few exceptions where the risk is acceptable, but for the most part... it isn't.

The big factor your informed opinion lacks is: loss of control over the data. In short, your data is no longer trustworthy. You don't know what changes have been made to it. What code has been added to it, etc. You may get your data back, but it may come with some extra bits you don't want. You're basically paying for f-up'd data which could cost you a lot more later on.

It's apparent you and your other 'informed' friends aren't very experienced with ransomware, outside what you hear from other people with opinions but little experience.

Aodhhan

The FBI Does NOT Recommend Paying Up

Mr. Pauli,

Once again you bunk up an article because you didn't read your source correctly. This, or you're just remarkably stupid. This is what the FBI's website states:

The FBI doesn’t support paying a ransom in response to a ransomware attack. Said Trainor, “Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity.

Just another left wing idiot who repeats what others tell him, instead of doing research himself and using his own brain to critically come to a conclusion.

So, reread the FBI's web page. The information provided is sound.

It's all very well hacking ISIS, Barry, but what about your ISA?

Aodhhan

Re: Curious

If the card is purely pin and chip it is more difficult to use fraudulently; however, in the USA where the infrastructure doesn't fully support reading the chip, many of the cards are hybrid. They have both the chip as well as the magnetic stripe on the back. This is scheduled to continue until 2018.

Also remember, a chip on the card doesn't prevent the card from being used fraudulently for online purchases.

A million machines enslaved by MitM Google ad fraud botnet

Aodhhan

Good information from Bitdefender Labs

Unfortunately, Mr. Pauli 'f-ups' another bit of good information. He did the same thing yesterday with a couple of articles. Tries to come up with cute phrases which aren't just misleading, it's likely false.

1) The botnet doesn't "enslave" anything. The systems aren't out of the control of the owner, and still do what they have been created to do. If it was enslaved, they would be under the control of someone else.

2) If you're going to say something like it's causing a great deal of revenue loss, then you're making a statement which requires proof, or at least a reference backing your statement up.

The rest of the article is a poor job of cut and pasting from the original Bitdefender Labs blog which does a fantastic job of analyzing this botnet. Mr. Pauli would have done a better service to just state the facts, a brief who, what, where, when and then link the article.

Apple bans benign iOS spyware detection, security info app

Aodhhan

Apple the Tyrant

Is anyone really shocked?

Those who don't use Apple products chuckle about another problem with the iOS.

Apple users defend the problem to the end, and continue to pay higher prices for more vulnerabilities and blindly support the iOS... as if they were Hillary voters.

Exercise apps track you after you stop exercising

Aodhhan

Legislation

Unfortunately, legislation for crap like this doesn't exist.

I don't mind the fact most politicians are ignorant when it comes to technology, but their job is to protect us. So they should at least hire some tech experts and advisors.

When it comes to anything dealing with technology, they are way behind and only do something after a large number of people have been badly affected in some way.

Try to keep this in mind the next time you vote. :)

Cracker hacker 'edits' biggest subreddits

Aodhhan

What in the world...

Was this article written by a 10 year old?

Sentences written so poorly, they must be read several times to understand what is trying to be said.

Stop using "appears" and "seemingly" (especially over and over) when it's a fact.

Quit trying to get cute with words. "clawed back control". Investigate and report how and what was done for them to stop this attack.

You're yet another author on this site who doesn't understand how to identify and properly use subjects and objects in a story. Not to mention.. keep the subjects together. You talk about 2 factor authentication, then talk about something else... then back to 2 factor authentication.

This isn't your day job... is it?

36 firms at risk from that unpatched 2010 SAP vuln? Try 500+

Aodhhan

Once again...

John Leyden tries to get cute with a headline and bunks up what the story is really saying.

Don't worry John, you're not the only pseudo parajournalist on this site who doesn't know the difference between a subject and an object when writing.

Adobe...sigh...issues critical patch...sigh...for Flash Player zero day

Aodhhan

FugginLameAzzSHeet

Anything Oracle or Adobe related isn't worth using.

Thank goodness my company has figured this out, and stopped purchasing and using it. No more Oracle DBs or apps.. no more Adobe reader etc.

At first people were worried that customers and vendors would have a fit if we rejected all PDFs, but it's amazing how smoothly it's gone. Not to mention the relief for patch testing and worried application owners.

It's amazing how secure an environment gets when you stop using Oracle (anything) on the network, and stop using Apache for public facing web sites. For two years now, a contracted penetration testing/red team hasn't been able to breach our network; this includes phishing attacks.

Hackers' paradise: Outdated Internet Explorer, Flash installs in enterprises

Aodhhan

Seriously....??

As if administrators make all the decisions and management gives in to whatever security necessities and best practices which should be put into place.

I love people who are clueless about enterprise environments and how business works, because they have all the solutions... which is typically pointing out the blatant and obvious networking 101 crap.

If you're so good... get hired by a corporation and promise to management and whatever customers you have, that no matter what you do to the servers and legacy applications... it will not crash them or cause more problems. If you can always come up with this solution, you'd become the next billionaire.

UAE InvestBank 'hack' looks like stale, recycled data from last year

Aodhhan

Re: Why is this stuff not encrypted?

The files may have been encrypted, but if you obtain an account with privileges to read the encrypted files, it's all over.

IE and Graphics head Microsoft's Patch Tuesday critical list

Aodhhan

Re: Not worth the risk

Thanks for the fantastic laugh...

Moving to Linux, Ubuntu, etc. doesn't mean your life is so much easier. Do you realize the amount of applications (not to mention the OS) running on Linux which have open vulnerabilities which aren't getting attention from vendors?

Whether you're on a high horse repeating something you've heard, or just ignorant in general... moving to any OS has its problems. Playing on the Internet and imagining you're the best coder on Earth, then spouting out condescending statements; remarking, you can't understand why people can't develop better applications... it's just moronic. You're only displaying to everyone how foolish you are.

Popular UK mobile tech firm 51Degrees hacked

Aodhhan

Re: personal information is the aim

Not all hacks result in total ownership of the web server, nor does it mean you have root/admin access. Since details haven't been provided, it's hard to say exactly what privileges the infiltrator had. Also what sort of front/back end configuration and security was in place and what applications were available along with those credentials. Again, just because you pop a web server, doesn't mean you'll have credentials to go hog wild on an enterprise.

Logs are likely sent to a syslog server making investigation quite a bit easier to follow tracks, and a lot more difficult for a hacker to make changes to.

Huge embarrassment over fisting site data breach

Aodhhan
Childcatcher

Right Wing Hackers

Here it is, those darn right wing, ultra conservative, Bible thumping, prudish, Spanish inquisition hackers sending a message to those who are not so prudish.

I type out about 20 obvious jokes on the meaning of backdoor hacking both with and without greasing the code, but you've probably already thought of them on your own.

Prince of pop trash PerezHilton pwned, visitors hit with cryptxxx

Aodhhan

Oh c'mon

If you go to this guy's website, you deserve this.

Seriously though... anyone with a popular blog (or whatever you call this trash) should have enough brains to pay for a decent service which maintains credible security and has applications which don't rely on Flash, Java, etc. to make it "pretty".

Just like businesses which continue to use WordPress to punch out web sites and then throw their arms up when it gets hacked into... you're going to get what you pay for and you won't learn until it happens.

I'd like to see what the outcome is, if a class action lawsuit is brought up. Will definitely be more entertaining than Mr. Hilton's web site.

PLA sysadmin gets six months house arrest for yanking US Army docs

Aodhhan

Think about it...

In this case, considering his background and the low level classification of the data taken (even information labeled "For Official Use Only" is considered classified) six months is appropriate.

Because he likely relied on connections back to China, releasing him with house arrest allows lettered agencies to monitor his communications and movement. There's more to gain by monitoring him and making his life a living hell than to put him in prison.

DoD System Administrators who primarily only work on the "Unclassified" networks only require a "Secret" clearance. Administrators who primarily work on networks classified at secret and above require a top secret clearance with access to SCI.

Since he only had a secret clearance, he likely didn't have direct access to highly classified information.

Aodhhan

Re: Did the tribunal ask the other question:

You can create a thumb drive which mimics a keyboard or a mouse and then transfer data to it.

Although DoD standards require configurations which shut down the USB drives to most devices, you still have to allow keyboard and mouse inputs.

DARPA wants god-mode attribution platform to pin and predict crime

Aodhhan

Ignorant media writers

Mr. Pauli,

Stop confusing Skunk Works and DARPA.

To put it very simply: DARPA is government research. Skunk Works is a group at Lockheed Martin.

Why the two exist are entirely different as well. Skunk Works wouldn't publicly reach out to other entities for ideas.

I've read other articles you've written involving the government, and most have some small errors to them. Take about 2 more hours and do a bit more research then take more time to actually TALK to people, not persons... PEOPLE. You just might be able to put together a decent article. When you make assumptions, speed write an article or twist it to your beliefs, it becomes a piece of crap and you lose credibility.

Apple needs silver bullet to slay App Store's escaped undead – study

Aodhhan

Take responsibility

Ahhh... the new generation, once again refusing to take responsibility.

If you download an application, then you're responsible for ensuring you have the latest version, patches, etc. How lazy do you have to be, not to take 2 minutes to see if that application you're using is up-to-date every 30 days?

If you have more than 10 applications on your phone, you likely aren't using them all... so get rid of the ones you don't use. You can take 3 minutes to re-download it later on if you decide to use it again. Having a huge amount of space to store things doesn't mean you have to.

If you expect Apple or Google to maintain your applications, then you have to accept they will have root access to your phone 24/7. Which means, a hacker could use this same method as an attack vector.

Let me guess... the majority of the people who expect Apple/Google to maintain their applications are the same ones who backed Apple against the FBI. Being ignorant and lazy is no way to get through life!

Hey, YouTube: Pay your 'workers' properly and get with the times

Aodhhan

They're going to milk what they can squeeze.

Artists must be making enough money, or feel they benefit (something) by using Google to release their music, otherwise they wouldn't permit it.

Until artists start saying no to Google, they will squeeze and squeeze. Free market, baby!

Please tell me you don't want the government to step in and regulate this more.

Windows 10 free upgrade offer ends on July 29th

Aodhhan

August 1st.

Don't be shocked if Microsoft announces on this date, they will no longer support Windows 7 after the first of the year.

Aodhhan

You know they will extend the date.

...until the next version is ready for download, and will come up with a more irritating method of pressuring you into upgrading.

'I thought my daughter clicked on ransomware – it was the damn Windows 10 installer'

Aodhhan

Microsoft is turning into Apple... demanding conformity

Won't be long, and we'll be forced to use only Microsoft products.

New Firefox versions will make you activate all new add-ons – except one hacker favourite

Aodhhan

Goodbye Flash.. so long Java

Our company has already begun turning vendors away who continue to use Flash and/or Java on their web apps. Kudos to Google for demanding the same. If a vendor hasn't already gone to HTML5, you have to wonder just how seriously they take security.

Microsoft: Why we tore handy Store block out of Windows 10 Pro PCs

Aodhhan

July can't come soon enough

Yet, I know they will extend this date out... making us live this nightmare and pushy update signpost longer. I don't want to upgrade, not going to upgrade, and yet... I'm getting squeezed to do things only their way.

All MSFT needs to do is raise their prices and corner us more... then we'll be living the life of an Apple user.

Aodhhan

Re: Hey Microsoft, keep up the good work!

No means no! ... I love it!

Stop resetting your passwords, says UK govt's spy network

Aodhhan

Good effing grief.

A password policy which requires upper and lower case and 15+ characters long is all you need.

Anyone can be taught how to put together a passphrase they can easily remember. Make it silly, make it gross, make it rhyme, etc. Put together words from your life, hobby, little league memories.

iPlayedShortstop4years

BiebsDrivesFastCars

TomCruiseCouchJumper

MyNeighborHatesDogs

MyDaughterThinksShesGod

YellowCarsAreSoUgly

MyBossHazaLittleWinkie

PriusDriversScareMe

Have to change it in 60 days? Put a twist on it, add numbers or characters. Reverse Caps, etc.

!!TomCruiseCouchJumper@@

Really Brits... even you can learn this. Hey, another easy to remember pass phrase.

TLS proxies: Insecure by design, say boffins

Aodhhan

Old News

TOR, anonymizers, proxies of all kinds. This has been suspected before and confirmed when Voldemort (He who must not be named.. i.e. Snowden) became famous.

IBM's quantum 'puter news proves Big Blue still doesn't get 'cloud'

Aodhhan

Why get upset about this?

First... it's IBM's system. They can let in whomever they want. They aren't a government system running on taxpayer money.

Second... I got in. No hassle, no fuss. 20 minute wait.

Third... if you get in, you can see why they want to limit it to people who have a clue. This isn't a system for an average computer nerd wannabe.

Fourth... it likely isn't set up with load balancing applications with a capacity for thousands of people to be on at one time.

Get a grip on yourself. The fact IBM is setting this up for people all over the world to set up experiments shows they DO GET THE CLOUD.

This article proves the author doesn't get the cloud, and is likely clueless when it comes to security and resources.

Gozi trojan mastermind sentenced by US court to time served

Aodhhan

Considering the amount of money stolen by him alone, along with selling & renting Gozi to rip off so many people... I think 3 years is a pretty light sentence. Sure, I think he should be given some credit for assisting authorities with nabbing a few other criminals but wow, this is a bit much.

Others have been given 10 year sentences for simply grabbing information and some credit card numbers totaling less than $100,000. This guy ripped off millions of dollars affecting thousands of people and gets 3 years?

Other criminals who get caught stealing $10,000 to $100,000 (non computer theft) receive sentences over 5 years.

..and you're crazy if you think this guy will stay in the country and pay one cent in reparations.

Another failed judge and failed prosecutor.

Qatari hack: Bank 'investigating' leak

Aodhhan

More likely...

It's a little bit of real information, with a lot of BS info added in to get people's attention.

Linux infosec outfit does a Torvalds, rageblocks innocent vuln spotter

Aodhhan

Linus' problem...

Maybe he is a good guy. I think Obama is probably a good guy... but they both suffer from, "I'm always right, you're always wrong (even though you're the expert), syndrome".

Aodhhan

Let's all get banned by GRSecurity

GRSecurity, if you thought nobody checked your work before, you better believe they will now. Better increase your QA/QC budget.

For now it will become a badge of honor to get GRSecurity to publicly berate you like a 9 year old.

It's 2016 and now your internet-connected bathroom scales can be hacked

Aodhhan

You're delusional if you think hackers aren't scouring and sniffing IPv6. You might find this hard to believe, but the lack of use actually makes it a lot easier. Also, there are a lot of vulnerabilities which aren't being addressed, so it's open season if you don't shut down this service.

Wi-Fi network named 'mobile detonation device' grounds plane

Aodhhan

Re: Lots of lateness

He's not a dickhead if he was a passenger on the plane, he'd be a moron.

A dickhead knows how to take an old cell phone (most likely a credit card/disposable phone), set it up and leave it behind on the plane when he departs.

You're also a moron if you're sure the person who did this was on the plane at the time it was noticed.

PCI DSS 3.2 lands, urges you to make haste slowly

Aodhhan

If the file system is encrypted (and should be for PCI), then physical access doesn't mean you own it.

Also, not all admins are given access into a server room. I know where I work, there are around 40 admins and maybe 4 are allowed in the server room without an escort.

Multifactor authentication isn't a pointless annoyance. Done correctly, it can actually be better than creating new passwords every 60 days.

Using fingerprint scanning plus a PIN or PKI Card plus a PIN makes things rather easy and secure. Much easier than remembering 15+ char passwords you have to change all the time.

US government tells Apple it has security problems that Apple fixed last year

Aodhhan

I love how Apple users defend any decision coming out of Silicon Valley, no matter how ridiculous it is.

Any Apple OS is just as vulnerable as any Android or Windows system out there, so quit thinking it matters who's more secure than the other, when they all suck. Be honest with yourself.

One of the authors above is correct... there is no way Redmond could get away with not supporting an OS which is less than 10 years old, especially with 20% numbers. Yelling out, the patch is to upgrade to the next full OS version is just ignorant. Something I shouldn't have to explain.

There is one thing Android users have above all others... they pay a lot less for the same number of vulnerabilities and same (maybe better) service. They also have more applications available and for less cost.

If you ask me, it's the Apple users who are the fools in this game.

Game of P0wns: Malvertising menace strikes Pirate Bay season six downloads

Aodhhan
Devil

Hackers targeting thieves... who would've guessed?

I'm waiting for the conspiracy posts; accusing TV/Movie studios financing the advertisements.

Better yet, TPB is teaming up with TV/Movie studios to drop malware so the studios don't sue or attack TPB in any way.

What do you expect when you go to any download site? If you're not expecting to get attacked by the site or application, then you're naïve. There is a reason why MD5 hashes are published.

Better patch your systems and ensure you have an ad/script blocker...

I think you can download them from Pirate Bay!!! :)

US government sued by activists looking for backdoor smoking gun

Aodhhan
Facepalm

Make it hard for the Gov't to protect us, and less difficult for thieves to take our identity

EFF is just wasting government time and money. They gripe about crap the gov't does, yet add to the problem. It costs a lot of time and money each time a FOIA request is launched. You didn't think all this information is just lying in one spot and "plunk" it's available to give out?

This isn't to say, there aren't times when FOIA requests shouldn't be done; however, in this case it's just wasteful nonsense.

There is a court system in place which oversees this.. and as of yet, nobody has been hurt by being investigated...well, unless you're a criminal.

Yet... think of the lives which have been saved and the amount of violent criminals which have been put in jail. Violent criminals which could commit acts where you hang out or shop. Not to mention other crimes like credit card fraud and identity stealing.

So go on and continue making it more difficult for the government to protect us and less difficult for thieves to steal your identity.

FBI's Tor pedo torpedoes torpedoed by United States judge

Aodhhan

I love how people miss the big picture and want to damn the FBI. Yeah, the FBI screwed up here, but they do many things everyday which keep most of you moronic parrots safe. Apparently, everyone who wants to damn them never makes mistakes, ever.

To say they did it on purpose or used a "yes-judge" is just ignorant. If you can't figure out why, then perhaps you should go work out your brain or attempt a crossword puzzle.

The big picture is the fact these gross f-ing child pornographers and supporters could get released to continue conducting these acts. One day... if you have a child you might see what is really important here.

NYPD anti-crypto Twitter campaign goes about as well as you'd expect

Aodhhan

What's next... rape won't be a crime as long as it's done within the privacy of your own home?

Police won't be able to search the home of a thief for stolen goods?

Amazing how many people don't critically think about anything these days.

People stand up against this without putting any thought into it. They just rant against the government or repeat something they heard from someone they believe has wisdom, knowledge and expertise... well, until they become a victim and there's likely proof of the act on the criminal's phone.

One of the US Government's primary jobs is the protection of its citizens. Right to privacy isn't absolute, and it loses when it comes to security of the nation or protection of the people.

You're naïve and moronic if you believe law enforcement sits there and listens in or picks through everyone's phone, just because. Yeah, they have nothing better to do, right?

Unless you're a criminal, you really should be standing behind government on this one. Especially since 99.99% of the crap on your phone is probably the same information you'd leave unsecure on paper all around your house.

Saw-inspired horror slowly deletes your PC's files as you scramble to pay the ransom

Aodhhan

Apparently this attack is aimed at everyone who isn't computer security savvy, and isn't too lazy to do some simple research to get the key. Also, asking for only $20 dollars tells me the motivation wasn't to get wealthy; rather, to make a statement.

Wouldn't mind doing a binary disassembly on this to find out if the first round or two of deletions are aimed at something specific to get your attention but something you could easily download and replace, such as Steam files.
