* Posts by Aodhhan

684 publicly visible posts • joined 25 Apr 2008


AWSome, S3 storage literally costs pennies

Aodhhan

Re: Meh.

Thank you for the obvious. There is one thing, you have to compare the benefits of selecting this over other cloud services, not compare it to on-prem solutions; as you point out.

This solution is based purely on the storage of data. It doesn't include movement of data, security, encryption, etc... all of which of course will cost more, and you can bet they will increase these prices.

Remember, access can include adding more data, not just pulling.

This solution is purely archival in nature. For instance, regulation states you need to keep documents for 5+ years. So you keep it for one year on another cloud or on-prem solution, and the rest of the duration on a solution such as this.

Furious gunwoman opens fire at YouTube HQ, three people shot

Aodhhan

Don't you love...

3 people are critically hurt. Instead of focusing on these individuals and their families... everyone wants to provide their political opinion.

This isn't the time for your opinion. The fact you give one without focusing on those who are hurt only proves your heart and brain aren't where they should be. ...and you want the rest of us to believe you have the wisdom and foresight to provide an answer? ...get real.

Intel admits a load of its CPUs have Spectre v2 flaw that can't be fixed

Aodhhan

Re: So since Intel have now confirmed that are unwilling to fix...

Another way to get a lot of down votes is to point out 2nd and 3rd order effects people don't want to hear.

Sure, Intel can put a lot of resources into fixing 8+ year old chips, which are probably used by less than 3% of the market... but doing so will likely stop Intel from providing good raises or other benefits for its employees, and/or raise the cost of the next computer you purchase by a couple of hundred dollars.

As security professionals, you should all understand and identify risk management based decisions; and be intelligent enough to understand it. This is done by all corporations all the time. Including the one you work for.

1 in 5 Michigan state staffers fail phishing test but that's OK apparently

Aodhhan

Too quick to judge on phishing

Those of us who are penetration testers aren't shocked by the number of individuals who fall victim to phishing. With moderate training, 20% rate is right at the norm with a medium complexity phishing email.

Depending on how the mail is formatted, you can get a much higher rate.

Don't judge too harshly. At work, it's quite likely I can send you a phishing email you'd click on or open an attachment. If I catch you at a very busy time, and get everything on the mail just right to entice you or to fortunately provide information you're working on... you'd fall victim.

It's about the complexity of the phishing email. Shockingly, you find those age 20-30 will fall victim in higher numbers than those over 30 or even those over 50 years of age.

Younger individuals are easier to catch with a phishing, which is "mistakenly" sent to them and contains an attachment with what appears to be confidential information. The younger you are, the more likely you will give in to your curiosity over security.

Facebook confirms Cambridge Analytica harvested profile data

Aodhhan

More of the same

So apps are mining Facebook... if you didn't figure out this was happening, then you really have no business using a computer. If you input anything which is then stored in the cloud, you better understand, somebody somewhere is going to leak, mine or hack your information.

When it comes to the majority of data points... these are already being gathered in by credit agencies, credit card companies, mortgage companies and data services such as INFOGROUP.

They trade this information and sell it out. Make/model cars you've purchased, where you purchase/shop, what brand/model of washer/dryer you purchase, if you voted, mail ads you respond to, type of deodorant you use, etc. You use a credit card, look how detailed the information on your receipt is. Credit card and retail outlets just sell out everything you do.

Even local governments sell out information, such as whether or not you showed up to vote and what dates you voted... i.e. do you show up to vote for more than just national elections? How often have the cops been called to your house? What upgrades you've done to your property, etc.

Until we can vote in people who will not sell out to the corporate data miners and sellers, and will clamp down on the amount of data which can be collected, stored and sold... this will remain a problem everyone should be aware of.

Take that, com-raid: US Treasury slaps financial sanctions on Russians for cyber-shenanigans, 2016 election meddling

Aodhhan

The odd thing is

We're finding out it wasn't Trump working with the Russians, but rather it was the Democratic party.

While Russia meddled with the elections, it didn't really impact it.

Also, it appears they didn't necessarily do it on their own accord; we're starting to see the Democratic party provided a conduit to do so.

With this coming to light, I don't expect to see the USA do much about this when it comes to offensive cyber ops.

FYI: There's a cop tool called GrayKey that force unlocks iPhones. Let's hope it doesn't fall into the wrong hands!

Aodhhan

Okay, why is there shock here?

A phone isn't a vault located in a military bunker. Phones should be looked at as the last place you keep sensitive information.

It's long been known, if someone gains physical control to your computer/device, etc... then they own it.

If not by using some 'secret killing box', then by another method.

So if you're a criminal conducting incriminating actions via your phone... don't be shocked if law enforcement uses it against you.

If you keep GPS active along with other 'features' active on your phone, don't be shocked when Google records your every move, puts the information into a database and then sells this information to Equifax; who then loses it when their database is breached. You chose to accept the risk. A phone shouldn't be looked at as being a secure safety deposit box located at Fort Knox.

You're InfoSec professionals. You're smart enough to look at this from the correct perspective of risk management. Don't get caught up in the emotion of this. Don't let the press or politicians twist your thinking. Keep your perspective true and remember, nothing is hack proof. So the loss or misuse of a box isn't any worse than someone not correctly securing information.

Samba settings SNAFU lets any user change admin passwords

Aodhhan

YAWN

People will never collect SAMBA alerts, because there will always be a high number of them.

Samba is to network services as Flash is to web services. A different solution should have been implemented YEARS ago. You can put brand new siding on a sod house and make it look better, but it's still the same old pig with lipstick. Eventually, something will take advantage of the weak underlying architecture.

Ex-GCHQ boss: All the ways to go after Russia. Why pick cyberwar?

Aodhhan

Nothing new here, move on.

You can be from England, Russia, China, USA, Zaire, etc. One thing all have in common is a hate for traitors. You think England hasn't knocked off a few traitors in other countries?

Publicly England will beat its chest, threaten some sanction, expel diplomats etc.

Behind the scenes they'll move on as if they expected it.

Do you really think it's good for England to go to war over a turn-coat Russian? Wake up.

Do you think Russia will go to war over the suspicious death of Ed Snowden? Hardly think so.

They'd beat their chest, rattle saber, wag a finger, etc.

Realistically they'd probably wonder what took so long.

Russian anti-antivirus security tester pleads guilty to certifying attack code

Aodhhan

Re: Jurijs Martisevs

Yes, because nobody ever names their child with a name originating from another country.

...where do these people come from?

Surprise: Norks not actually behind Olympic Destroyer malware outbreak – Kaspersky

Aodhhan

Re: Which country was banned from the 2018 Winter Olympics?

What a fantastically brave conclusion.

...don't forget to stop by the hospital pharmacy and pick up some epi-pens along with other anti-toxins.

Aodhhan

Re: I don't think computers work the way you think they do.

Thank you for your post, but it seems you don't know a lot about development.

You can't just cut/paste from a binary. Especially when using a different dev environment.

Unidentified hax0rs told not to blab shipping biz Clarksons' stolen data

Aodhhan

Yes it's difficult to find out who is behind attacks.

It's not difficult though, to hire experienced InfoSec professionals and support them adequately to provide a sufficient defense in depth architecture, patch management and monitoring to ensure it's difficult to get in, and just as difficult to get data out.

Since it is so difficult to identify hackers, you may want to keep this in mind when it comes to your risk management. Can I get a palm thump to the head?

CryptoLurker hacker crew skulk about like cyberspies, earn $$$

Aodhhan

Re: "If the user tries to stop the process, the computer system reboots."

Isn't it a bit funny when an ignorant Windows user feels the need to be noticed, that they actually post and rave about how bad Windows is? :)

One day my friend, you'll become knowledgeable and experienced; then realize how bad ALL operating systems are.

Audit finds Department of Homeland Security's security is insecure

Aodhhan

Be careful about calling the kettle black.

...just saying.

IBM's homomorphic encryption accelerated to run 75 times faster

Aodhhan

Re: It's the future given the eagerness of TLA's to spy on people.

By itself, it doesn't keep anyone from 'spying' on you or intercepting and attacking the encryption.

HE is about not having to decrypt the data in-transit and then re-encrypting; like when data is passed through perimeter security devices. Or when data is stored at rest, an application doesn't have to decrypt the data before processing it.

You still have to maintain a small modulus to noise ratio (in the key-switching matrices) and manage the field for security.

Switching to low-dimensional fields speeds up the homomorphic process at the cost of security/increased risk. Something we are all familiar with already. We can switch from TLS to SSL, but we also increase risk.

Sigh. Cisco security kit has Java deserialisation bug and a default password SNAFU

Aodhhan

...in 2018

When pen testing and doing code review, you'll occasionally run across hard coded passwords. They are usually left there from testing, weren't documented, and therefore weren't removed.

Still, you bring up a good point about this happening in recent years. Because of the availability of development environment OWASP plugins along with much improved (over the past 5-10 years) static code checking software, we shouldn't see something like this from a large company like Cisco.

Brit semiconductor tech ended up in Chinese naval railgun – report

Aodhhan

Well, no worries about BREXIT

Who cares about brexit anymore? Since China is buying up more UK companies every year, it will soon become part of the red giant. Soon, learning Mandarin will be compulsory in every UK school.

Look at the bright side... it will no longer be part of the 5 eyes community.

US state legal supremos show lots of love for proposed CLOUD Act (a law to snoop on citizens' info stored abroad)

Aodhhan

What happened to all the intelligent InfoSec professionals who used to comment on this site?

All I see now is the rantings of those who think they know about a country's legal system, and those who just spew out political hate. Both without using critical thinking, complete understanding of the facts, and/or any real time experience.

The act in question, doesn't bypass due process.

You also can't look at stored data in the same light as storing material products.

Stored data can be accessed in many locations at the same time, and in essence is then stored in many locations at the same time. If a document is called up and viewed in Chicago from its stored location in London, it's actually in both places. In fact, you can delete the document in London, but it will still exist in Chicago.

You can't do this with a material item, without defying the laws of physics.

What's odd... those who are politically aligned to the left should be for this law. It's something which is very anti-big business, and anti-wealthy. These are the individuals who will be affected more than some bloke living in his mom's basement.

Brit spooks slammed over 'gentlemen's agreement' with telcos to get mass comms data

Aodhhan

Pointless battle

Let's say the s9 is disapproved by the system, but the PM still wants to intercept information on British citizens... all they do is contact their buddies in the CIA to set up their equipment for interception and get the information through them.

--thanks for playing. the PM wins either way.

NSA boss: Trump won't pull trigger for Russia election hack retaliation

Aodhhan

Did all the information security professionals run away?

I remember a time when intelligent conversations and an exchange of information security ideas took place on this site.

Now, it's turned into a political punching bag where trolls spew out their hate for something, or attempt to display how much wit they have (usually the wit is on the low side).

Reading through posts on most of the articles (even those which aren't political) are few and far between when it comes to information exchange. Too often, comments aren't geared towards the subject of the article.

What happened... did all the intelligent security professionals run off?

You get a criminal record! And you get a criminal record! Peach state goes bananas with expanded anti-hack law

Aodhhan

Re: Not Surprised

Before you put on your "literacy police" badge again... you may wish to take a second look at your post. Your words aren't exactly a shining example of literacy.

S for Security is Google owner Alphabet's new favorite letter

Aodhhan

Great... just what we all need, one more company calling us and interrupting our day to deliver a sales pitch.

UK Army chief: Russia could totally pwn us with cable-cutting and hax0rs

Aodhhan

WTF

Did this guy just wake up from a 30 year coma?

Many of these risks existed in the 1980s and were worries then.

So don't give us a left wing scare tactic... how about letting us know what you're going to do about it and how you will go about it.

'WHAT THE F*CK IS GOING ON?' Linus Torvalds explodes at Intel spinning Spectre fix as a security feature

Aodhhan

Rocks... glass houses... c'mon Linus.

Once again Linus is off his meds and ranting as if his creation was perfect from the start.

Oh.. the stories I can tell about hacking into systems using the early versions of UNIX and Linux. All attacking the OS itself and not software. The input points, the early libraries were all such easy targets, that in less than 30 minutes you could teach an average person how to successfully hack systems.

Electronic voting box makers want kit stripped from eBay – and out of hackers' hands

Aodhhan

Ahh yes the old paper voting system.

The argument goes, there's no way you can hack the voting system using this method right and of course you can recount them.

There is absolutely no way to hack the voting system using this 'old fashion' method.

Pfftt... c'mon. A security professional should know better.

The old paper, pen, write in, mark a box, fill in an oval etc. has been hacked for HUNDREDS of years.

Someone grabs/casts more than one ballot. Someone who has access can 'lose', add or change ballots.

With the added number of people involved when it comes to paper ballots, it's open to a lot of fraudulent activities. I.e. the original hacker.

There is good and bad to all methods. Along with strengths, weaknesses, vulnerabilities and risks to ALL methods. This is something all computer security professionals should realize.

So I'm assuming, those who want to damn the use of computerized voting systems are ignorant to

Optimus multi-prime is the new rule as OpenSSL transforms crypto policies again

Aodhhan

Errors all over this

This article should be removed.

The author fails to properly provide exact information. In fact, it changes what is actually stated by OpenSSL Management Committee.

I'm not a huge fan of OpenSSL "Management Committee", since all they do is jump on to an encryption standard, instead of actually creating an algorithm themselves. Sort of like, building a radio for a car and then attempting to tell the world they are an expert on cars.

So, I don't have any real skin in this game, but c'mon... this is really bad reporting.

Stop trying to create something which has already been created or spread the word using your own agenda, spin or artistic flair. Just the facts man.

Sili-spurned Valley! No way, San Jose! Amazon snubs SF Bay Area in search for HQ2 city

Aodhhan

Labor is the key.

You really have to look at the available labor pool, both technical and nontechnical. Technically, heavy cloud experience is a must. So the talent must exist or be convinced to move to the chosen location.

Labor cost, as well as cost of living will be shared with this. Taxes, taxes, taxes... states willing to make a special deal on tax rate will get a boost in points. Legal political kickbacks for officials will likely be available in some locations. If you're in a conservative leaning city, don't count on winning this.

Weather

Some of the obvious...

Austin or Dallas - Hah, really, Texas? Asterisk politics here.

Chicago - High Taxes. High technical labor turnover.

Denver or anything west of the Mississippi River is probably out. Probably needs to be somewhere a bit closer to the east coast. Denver also has the risk of heavy snow closing airport and ground travel more than 5 days a year.

Boston, Newark, New York City, DC/Maryland. High labor cost and living costs.

Canada has different laws. New set of laws and lawyers. Not to mention those pertaining to cloud ops.

So I'd look at Columbus, Atlanta (just barely), Northern VA as well as both PA locations as the top 5, in no particular order.

Business friendly, has workforce, can attract talent and cost of living is reasonable. Airports can handle the extra workload and plenty of ground routes available.

F-35 'incomparable' to Harrier jump jet, top test pilot tells El Reg

Aodhhan

I'm sure I'll get plenty of down votes, considering the amount of people shouting out things without using much thought or because they place their own prejudices into it.

Terrorists using drones against modern forces is pretty much a waste. Due to the technology they use and resources required, it's actually a negative force multiplier. Primarily because their signals can be tracked and you can't just make one from garage parts. Then there is the fact, they run by line of sight and are easily jammed and shot down.

The USA was able to become a country based on the warfare technology they were able to create along with manpower from the French. Technology wise, the USA found technology to make their small arms much more accurate, quicker to load, and much more reliable. This wasn't something they stole from the UK.

80s and 90s Technology and Japan. Yes, Japan flourished during this time, but not with actually creating the technology but rather manufacturing it. Cheap labor was the biggest factor here.

Technology during this time came from all over. For instance the Dutch had quite a few advancements which spawned off into other items. The USA developed magnetic research (which they didn't steal), and continued with creating most of the processors used by nearly every technology during the day. Again, it wasn't stolen. The USA also declassified a lot of technology they alone developed and didn't steal. Such as high resolution imagery/lenses, fine microwave tech, GPS, lasers, etc.

I'm willing to bet no matter what country you live in, you've taken this technology for your own use.

F35 is what it is. Based on early mock live competitions as well as simulator combat the F35 is far superior to the F18 hornet. Not quite as effective as the F22, but you have to look at the role differences. The F35 can do things the F18 simply cannot, and this goes beyond the VSTOL capabilities.

It's easy to look at things from a narrowed view and repeat things others (who have their own agenda) say.

Seeing this is a forum full of IT professionals, you have the intelligence to take a few minutes and critically think about things and be objective; so try it out. This... we are better and smarter than anybody else attitude is ridiculous; not to mention... how often has this 'attitude' gotten you anywhere?

Wanna motivate staff to be more secure? Don't bother bribing 'em

Aodhhan

Re: Don't name and shame persistent offenders

...removing employees also removes good talent.

Remember, it isn't security which drives business; quite the opposite. It's the business needs which drives security.

Ensure proper security policies, procedures and mechanisms are in place.

Ensure proper monitoring is in place, even if it means monitoring individual employees (who raise risk) in order to provide focused individual training and implementation of security mechanisms.

Monitoring 'at risk' employees will often provide a lot of insight into the problem. It also provides proper justification if it does come down to removing the employee from their position.

Brace yourselves for the 'terabyte (sic) of death', warns US army IT boss

Aodhhan

Grammar Police

Iain,

Whenever you write an article, don't criticize anyone's grammar. You have no leg to stand on. I counted at least 12 different grammatical errors by you, and this isn't counting your improper use of passive voice, and lack of active voice. It appears you have little understanding of subject, verb and objects when writing as well.

A real journalist sticks to the facts about the subject itself, without attempting to belittle anyone associated with the subject.

Teach citizens IoT dangers, engineering students cybersecurity, Uncle Sam suggests

Aodhhan

20 minutes I'll never get back

This report is another example of taxpayer funds wasted. This is a snowflake report written by individuals who apparently believe each corporate community should follow best practices and create common standards.

I believe this sort of thing has been in just about every OMB information security report since 1999.

More so... it addresses the obvious without any mention of risk assessment.

Get a clue guys. Every company with a network pulse would love to have a common guideline to go with and purchase the latest/greatest technology. Here is the problem... 1: This is the USA. You can't force a business to do something without creating law. Since companies own politicians... good luck with this. 2: Pocketbooks aren't unlimited. 3: While corporations have been held accountable, the penalties and punitive damages haven't been costly enough to change risk assessments yet. Target, Google, etc... have just been slapped on the wrist while consumers pay huge costs.

Start chanting accountability and punitive damages along with large legal suit dollars and you just might begin to make traction. Until consumers can overcome political greed from corporate contributions, you will not see a lot of change.

Leaky credit report biz face massive fines if US senators get their way

Aodhhan

Political crap

Elizabeth Warren has been tossing out a lot of useless bills in an effort to get her face in front of a camera, and this proposed bill is no exception. Don't be shocked if she claims to have 'computer geek' heritage.

Anyone with more than 2 years experience in IT can see it's a bunch of crap done haphazardly. It's missing far too many things and doesn't hit details required and powers needed for a true "Information Security Tsar" office covering consumer information by businesses and organizations.

Also, this bill addresses two very different things. An office and a penalty; with no policy in place.

How about we first create the office/organization, then create policy, and finally create penalties.

This way, experts who know what they are doing put something together. Not some lying politician who hopes to be president some day.

Everything running smoothly at the plant? *Whips out mobile phone* Wait. Nooo...

Aodhhan

ICS Fun

Industrial Control Systems is an area which started taking advantage of networking in a very quiet and shadowy manner. Wireless technology makes installing sensors and other items much quicker, easier, cheaper and more convenient than drilling holes between walls and floors and pushing wires through conduit.

So this unsecure technology was grabbed and purchased by many organizations to control lights, security cameras/devices, electrical outlets, elevators, alarms, fire sensors, HVAC, etc.

Building maintenance and information technology had never interacted in the past, so both are ignorant of each other's existence and requirements. It's not uncommon for ICS products to be the biggest shadow-ware out there.

For anyone who has never administered, installed or tested ICS applications and equipment... you're in for one heck of a shock once you do. Then you're in for a fight when you have to secure it and possibly remove all wireless devices.

Good luck!

Once again, UK doesn't rule out buying F-35A fighter jets

Aodhhan

People who don't understand national defense shouldn't write an article on it

Once again, the Register has a complete lazy and ignorant author on a subject.

I could go into many specifics, but it will take too long to write it all out.

I will say this... having a carrier group is the number one way to extend your country's military offense or defense and attack an enemy at any time and any where. In terms of strategy, this is a threat and counter-threat which isn't easily defeated.

Most of our enemies don't respect our way of life, but they do respect the Navy and its capabilities. When it comes to war and peace... it all boils down to capability and who has more.

Your connection is not Brexit... we mean private: UK Tory party lets security cert expire

Aodhhan

blah blah who cares?

Let me know when your government starts using private servers, deletes e-communications, has your top law enforcement agency look the other way, makes underhanded deals with your top investigation personnel, allows national security leaks from servers, convinces half of parliament that security is secondary and finds plenty of people negligent in all of these acts but believes the people are not smart enough to catch on or care. Finally, think Hillary Clinton is a goddess in training.

...then you have a story.

SCOLD WAR: Kaspersky drags Uncle Sam into court to battle AV ban

Aodhhan

Re: BestBuy

You seem to be either closed minded or too lazy to do a simple web search.

Kaspersky has had plenty of times where it's been responsible for system problems.

Here is just one of the latest patches released by Kaspersky:

https://forum.kaspersky.com/index.php?/topic/356039-patch-%E2%80%9Cb%E2%80%9D-for-kav-kis-kts-kfa-2017-kfp-60-ksos-50-ksec-10/&tab=comments#comment-2625138

If you understand how IDS and AV applications work, you'll begin to understand they will ALL have occasional problems with the underlying OS and detection.

Aodhhan

LOL @ Russia

This suit perfectly shows how Russia doesn't understand the concept of freedom of speech and choice. In the USA, you don't need a reason to boycott any product. Even if this hurts your business or reputation. This is one of the most powerful outcomes of a free economy. Good products tend to do well, and crappy or harmful products die out quickly because people do boycott them.

The US Government as a whole is beginning to follow the same software guidelines the DoD has been using for years. DoD has never allowed Kaspersky products on their systems. Don't feel shunned though, many applications from allied nations aren't approved for use either.

UK Foreign Sec Bojo to tell Kremlin: Stop your cyber shenanigans... or else!

Aodhhan

What's happened to the UK?

Time to get rid of this prime minister and the rest of her party toadies. It's time to find people who understand good ole British strength. Tired of seeing England in such a yellow light. You wouldn't catch Churchill or Thatcher acting in this manner. They weren't scared to stand up to a bully in order to protect British interests.

You can't just waggle your finger at Putin and expect he'll do anything but laugh, kick your (now tiny) balls, and walk right over you.

Don't waggle and warn, DO SOMETHING ABOUT IT.

Aodhhan

Re: Madness. Madness everywhere

Yes, let's all believe anything published in the New York Times.

I would rather buy a tabloid paper with the latest news on UFOs, as it has more credibility.

Former US State Department cyber man: We didn’t see the Russian threat coming

Aodhhan

A perfect example of how ignorant Hillary's State Department was.

There is no doubt in my mind (due to where I worked) that the NSA, USSTRATCOM and a couple of other government letters reported to the State Department about the cyber threats from not just Russia but going back to the Soviet Union in the 80s.

From 2007 through 2015 I know there are a variety of different cyber intel/threat reports directly addressed to the US State Department regarding activities from many unfriendly countries... including Russia. Some were provided for action for the Department to follow to increase information security, and some were provided due to OCO/DCO activities within various countries.

What we noticed, is most of the time, the State Department didn't care or follow strictly cyber security guidance. This was noted many times in annual IA reports for State Dept. systems. This department would just accept or ignore many identified risks.

So... if this guy thinks TECHIES aren't providing information to those setting and enforcing policy and procedures.. then he is just part of the system who ignored what is put together for them. I can point to many policies regarding cyber security from OPM to State Department regulations not to mention laws such as FISMA which have been in place for many years covering information security.

So... this man is an ignorant fool to blame anything but himself for not knowing what is and has been in place for many years. Wait, he's not being ignorant, he's simply trying to make an excuse for how poorly the State Department followed guidelines, policy and laws regarding information security.

NiceHash diced up by hackers, thousands of Bitcoin pilfered

Aodhhan

Yeah, sure, right...

Probably another scam where they hacked themselves and hid the money away to be retrieved later.

It doesn't make sense for a business to have an outward facing wallet containing a company's entire cryptocurrency capital. A company will typically 'bleed' the outward facing wallet into a central wallet which isn't available to the world. Much like a store will bleed the cash out of all of their registers and put the money into a safe until they deposit it into a bank.

Sloppy coding + huge PSD2 changes = Lots of late nights for banking devs next year

Aodhhan

Another crappy article

I think I've read at least 15 articles this year regarding this.

Amazingly, this article doesn't provide any real references or links.

Most of all, there is nothing new or unique.

Not shocking is providing any background into exactly what systems in the financial industry still uses low level language development, and providing perspective into how much of the financial industry has upgraded to systems developed with managed code.

Perhaps an article should be written about the development updates, changes, etc. around financial services. I won't hold my breath... too many lazy column writers.

Security industry needs to be less trusting to get more secure

Aodhhan

Has she been under a rock?

This is how it has always been. In nearly every security certification the mantra is, "Absolute security is impossible". Therefore, there should always be a plan to ensure when a system is owned, it fails 'gracefully', and if necessary it fails over to a backup/COOP system.

Then there is prioritizing criticality. The scale used for this can get a bit complicated, but broken down into the simplest form, it's about paranoia.

Once again, we have someone who is relatively new to security trying to make a name for themselves... without taking 15 minutes to really think about what they are saying.

Rule is... if it appears to be the obvious, then it probably is; therefore, someone else has already figured it out.

Brit bank Barclays' Kaspersky Lab diss: It's cyber balkanisation, hiss infosec bods

Aodhhan

Re: All as bad

I can tell you have no access to intelligence or understand exactly what happened. All you are typing out is what you 'think', without doing much if any research.

There is a large difference between an AV application taking a piece of code positively identified as a threat (from memory), and downloading an entire file stored on a system. In short, downloading the entire file is going too far. Imagine the information an AV company has to gain if they believe word processing files are infected; and download the entire file full of personal and corporate secrets.

Then with terabytes of information, they are able to search for tags in files such as "Secret", military terms, engineering terms, and other key words to sift through more thoroughly.

An AV which downloads the entire file instead of just the positively identified code isn't being friendly or acting in your best interest.

Aodhhan

Re: ARPANet survivability wasn't the initial goal.

Look...

Nobody cares about how you interpret what you read on WikiLeaks or heard from your uncle Joe about Arpanet.

Your incessant need to show your cut and paste skills isn't impressive. Especially when it contributes very little... if at all to the actual story.

Prison hacker who tried to free friend now likely to join him inside

Aodhhan

Re: Yup

If you're convicted on felony charges in federal court you serve the entire time in prison. Good behavior, early parole, etc. is only considered for convictions handed out by state court systems.

Once the FBI gets involved, so does a federal prosecutor. No early release to look forward to, which is why federal prosecutors get more plea bargains than state/county/district prosecutors.

SEC's cyber-cops cyber-file cyber-first cyber-fraud cyber-charges

Aodhhan

Re: Idiots and their gold will soon be parted...

Absolutely agree with you.

However, it only takes reading through some of the forums on this web site to make you realize more than half the people you meet or hear from are below average intelligence.

International team takes down virus-spewing Andromeda botnet

Aodhhan

NSA rants

It amazes me how many people arrogantly assume they are so important the NSA gives a rat's ass about them.

Must be nice to be a snowflake, so you can criticize everything no matter what the outcome is. To live in your own little world... where everything is as you think it is.

However, most people know doing these two things will ensure you never make it in this world... because you never develop the skills to think critically and see through the BS.

Guilty: NSA bloke who took home exploits at the heart of Kaspersky antivirus slurp row

Aodhhan

One of the funniest threads ever

This thread ranks in my top 10 for the number of trolls spilling out information which makes me laugh.

Wish I could just yell out stupid things without first putting some thought into it.
