* Posts by Aodhhan

684 publicly visible posts • joined 25 Apr 2008


Swiss banking software has Swiss cheese security, says Rapid7

Aodhhan

Re: How is SQL Injection Still a Thing?

SQL being roughly equivalent to COBOL

You know...

If you're not educated on a subject, please don't believe you're obliged to show the world how ignorant you are.

Your statement displays your closed-mindedness towards learning. As if COBOL hasn't been through any changes since 1959.

I guess you probably believe Microsoft DOS or UNIX hasn't had any changes since 1980.

Not all is lost though; I do believe the food industry can still use you.

Malware again checks into Hyatt's hotels, again checks out months later with victims' credit cards

Aodhhan

Who was the PCI auditor?

What company did Hyatt's PCI audit? Obviously the auditor was lazy or ignorant... or perhaps Hyatt lied about data protection measures. Don't rule out both being the case.

Having the CVV number is against PCI standards,

Requirement 3.2 - Storing sensitive authentication data after authorization. You can only do so if there is a business justification (not likely in this case) and if it is stored securely. Obviously this wasn't met.

Requirement 3.2.2 specifically states not to store CVV information after authorization.

Then there is Requirement 3.4 which goes into PAN data security and the use of STRONG encryption. Again, this obviously wasn't the case.

Requirements 3.5 and 3.6 go into documenting procedures for key management. Here is where the PCI auditor should have caught the problem.

So when it comes down to it, Requirement 3.x in general was not implemented, nor was it properly audited.

The information security community deserves to know who the PCI auditor is who last signed off on internal safe keeping of customer data.

'Israel hacked Kaspersky and caught Russian spies using AV tool to harvest NSA exploits'

Aodhhan

It's not bad enough...

It's ridiculous enough when people ignorantly and emotionally inject speculation into any story... but it's just downright moronic to inject inflammatory politics into a story.

The real thing to look at here is the New York Times. In the past year, they've been proven wrong so much, it's amazing anyone reads this rag... even if it's been left on a subway seat.

Then the story itself is written in such a way, they throw out things to get the imagination and emotion stirring.. yet in small print, they remark "speculation".

Then you see so many perpetuate the madness and crap here. The media has definitely mastered taking advantage of people's ignorance and emotion.

'There has never been a right to absolute privacy' – US Deputy AG slams 'warrant-proof' crypto

Aodhhan

Horrible...

The title and underlying message of this story is false, wrong and a lie.

Do you only have a 3rd grade reading level?

The statement is, "There is no constitutional right to SELL WARRANT PROOF encryption".

This is true about anything and everything. So to make it a huge deal is moronic.

This applies equally to locks, safes, fences, pockets, cubby holes, etc. If a warrant is issued, the owner is obligated to provide access.

The message of the entire speech is, "Responsible encryption".

More ultra-far left wing lies to invoke emotion, because they know when people are emotional, they don't think through things. They only grab on to what someone says, whether it's true or a lie.

North Korean hackers allegedly probing US utilities for weaknesses

Aodhhan

Where's the news story?

This isn't news... it's old information. This has been going on for years.

News would be, doing real journalism to find out something new.

Such as... China is getting around UN Sanctions, by contracting North Korea hackers to probe for weaknesses in the utility networks of USA, England, South Korea, etc. Thus, they are able to fund North Korean military and receive valuable information system information.

C'mon. Stop with the lazy reporting.

Dear America, best not share that password with your pals. Lots of love, the US Supremes

Aodhhan

Re: What happens if...

In your example, the child was given access to the card by the OWNER of the card.

In this legal case, those who provided access to the defendant weren't authorized to do so. They WEREN'T the OWNERS of the data which was stolen.

So in your example, it's like the child passed on the credit card number and PIN to a friend.

Then this friend used the information to charge on the father's credit card. This friend wasn't given access by the OWNER, the friend was given access by the child who had access to the information.

It isn't about passwords, it's about trespassing and having authorized access.

From an information security perspective, this is an insider threat who is an accessory to data theft.

VPN logs helped unmask alleged 'net stalker, say feds

Aodhhan

No such thing as absolute anonymity on the Internet

Anyone who believes a site's claim they maintain your anonymity is lying, and anyone who buys it is an idiot.

Of course logs are kept. If nothing else for maintenance, speed/efficiency and security reasons. The stories of ISPs and VPN companies cooperating with law enforcement should let you know this. Of course they are going to assist law enforcement when certain crimes are taking place. The only people who have a problem with this are those who break the law.

Someone talked about how the company should worry about their business for cooperating with law enforcement. No, a company should worry about their business if they cover up the identity of a sexual predator.

Video games used to be an escape. Now not even they are safe from ads

Aodhhan

It's not about the obvious...

It's not about imbedding advertising in signs, stores, etc. which you walk by, drive by, etc.

It's about having to interact with the advertising in order to achieve something or keep yourself alive. For instance... if you don't take cover or interact with the advertising in some manner, you don't get credit to level or achieve something. "Your character is hungry so you must purchase a sandwich at subway" sort of thing; or perhaps you take cover behind a plain wall instead of an advertising sign so you die.

It's also talking about having to sit thru a 30 second ad between levels or when loading a new screen, level, etc.

In other words... it's about nuisance and control of the player.

Microsoft silently fixes security holes in Windows 10 – dumps Win 7, 8 out in the cold

Aodhhan

Sure Microsoft is slow.. but,

Without knowing the extent of the problem it's difficult to know in real terms just how slowly Microsoft is addressing this.

However, there's no debate Google is irresponsibly advertising weaknesses in millions of individuals' computers; in order to beat their chest like a bunch of gorillas.

If you want to beat your chest after all of the flaws are fixed... this is fine. Doing it while the vulnerabilities exist and then pointing them out in a loud parochial manner isn't exactly showing your superior knowledge of anything.

Russian spies used Kaspersky AV to hack NSA staffer, swipe exploit code – new claim

Aodhhan

Wow... a lot of ignorance.

Just because the file was on his home system doesn't mean he was actively using it.

Show of hands, all you developers...

How many of you have taken any of your work coding home so you can...

...reference from it in the future?

...keep a copy of 'your' work to show prospective employers?

...collect work you're especially proud of?

....etc.?

Yep, about what I thought, 100%

Just because someone works for the government, doesn't mean they're intelligent. Just Google, Hillary Clinton.

Get out your specs: Java EE's headed to the Eclipse Foundation

Aodhhan

So who's shocked Oracle is once again dropping the security ball onto the shoes of everyone but themselves?

Equifax couldn't find or patch vulnerable Struts implementations

Aodhhan

More lies

Step 2 in every breach incident playbook is to notify the FBI.

Let them make the decision on when to announce and to whom.

There's no excuse for delaying this information to law enforcement. Unless of course, there is illegal activity you are trying to hide.

Russian bot-herder and election-fiddling suspect closer to US trial

Aodhhan

What a wuss.

If he was really an agent of Putin, it would be the last thing he'd admit to.

He's reacting more like a scared little Russian wussy trying to get back home to his mommy; with hopes Putin will reward him for his actions.

Look, if you can't be a man and handle the consequences then don't do the crime.

I do agree he will die within a year in prison... from embarrassment and having to live with himself for displaying to the world what a crying little coward he is.

Sole Equifax security worker at fault for failed patch, says former CEO

Aodhhan

No malicious insider prevention/detection?

What I'm hearing is the CEO and CIO of a firm selling itself as a 'security guru' for large corporations didn't itself have the foresight to implement controls to prevent a system breach in the event someone didn't follow policy and procedures whether by accident or with malicious intent?

In other words... the security brains didn't implement a malicious insider attack prevention/detection strategy? These are the policies, procedures and checks put into place to ensure an insider attack (whether on purpose or by accident) doesn't occur or is quickly detected.

Also... if automated scans aren't taking place, then most organizations will work overnight and demand the vendor get on site immediately to rectify the problem. This itself is also a management screw up.

So stop blaming one blue collar individual. Processes, procedures and QA/QC/Audit, not to mention communication is all on management and executive leadership.

What I see is poor risk management caused by lack of education and experience by everyone from the CEO down to the first line supervisors at Equifax.

Angst in her pants: Alleged US govt leaker Reality Winner stashed docs in her pantyhose

Aodhhan

True Value of Information

It's not just the main information; it's about how it was obtained.

The document contained source and method information.

Do you realize how many agents and informants have lost their lives because of someone believing it was in the best interest of the public? People steal information without a clue to its true value in labor and lives.

Internet-wide security update put on hold over fears 60 million people would be kicked offline

Aodhhan

Re: The problem?

If you come to realize the number of corporations who contract out things such as payroll with SaaS software, you then can understand a huge problem.

You know, that you may not get paid.

Still want them to go ahead?

TalkTalk once told GCHQ: Cyberattack? We'd act fast – to get sport streams back up

Aodhhan

42 Million??

If this attack only cost them 42 million, then they haven't done a good enough job of ensuring this doesn't happen again.

It costs a lot more than 42m for a company like this to investigate the entire network, hire more InfoSec professionals, ensure the systems are clean, purchase more InfoSec equipment, create policies, audit policies, update legacy systems, hire more employees to tackle customer relations and damage control, not to mention loss of subscriptions, etc.

Total cost should be around 200-400 million, not 42.

Either we aren't being told the truth, or they're still too ignorant about information security.

Alleged dark web drug baron cuffed – after he flew to US for World Beard Championships

Aodhhan

Re: United States of Arrest

Yep...

The people who enforce the laws in the USA actually do their job of finding and prosecuting criminals.

They don't just collect a paycheck from tax payers. Unique, eh?

Aodhhan

SMH

The charge stems from the fact he owns, moderates, and provides a web site known to be used to sell drugs in the USA. If amazon.com sold drugs illegally, Mr. Bezos will be put behind bars.

You don't have to do the selling yourself; the fact you create an application which automatically does this, or create a site for the express purpose of selling illegal drugs is going to get you into trouble.

Equifax CEO falls on his sword weeks after credit biz admits mega-breach

Aodhhan

Congressional Hearing Transcript

CEO: Yes, we're absolutely positive the breach to our systems happened six months ago.

Congress: What evidence do you have of this?

CEO: Six months ago we first started seeing anomalous behavior on our system logs.

Congress: This is fantastic news! How far back do you keep logs?

CEO: Six months.

:(

Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy 'login details leaked'

Aodhhan

Emergency Breach Plan

The way this is being handled, you can imagine what they believe is a 'good' emergency breach plan of action.

1 - Have someone finally read the logs; notice you only keep them for 6 months; come up with the idea the breach has only been going on for 6 months--according to the logs.

2 - State you believe the threat is eradicated (A real InfoSec pro knows this is impossible)

3 - Keep all external connections as wide open as possible and don't audit them for the time you've been keeping this secret.

4 - Rely on our own idiots (who we contract out for security advice) to handle this problem

5 - Think about sending some people to a forensic course, but don't actually do it.

6 - Use a search engine to research, Network Breach Plan... look at the recommended checklist items and then do the opposite -- to be original and different from competitors

7 - Remember to keep this a secret for months

8 - Pull 80% of your resources to come up with an excuse because you know it will eventually leak out.

This is too easy.

Gov contractor nicked on suspicion of Official Secrets Act breach

Aodhhan

Wow...

This is much worse than the United States.

So in England, you can be convicted on circumstantial evidence for spying.

Pffttt... and you all gripe about the USA and its electronic device checks through customs?

Yeah, you better look at your own laws first.

In England, if you don't give up your password, they'll just suspect you're actually hiding threats to the state and convict you on circumstance.

White House staffers jabbed with probe over private email use

Aodhhan

Let's make this real and not baked BS

It's unavoidable for some high ranking government officials to conduct some business via their personal communication channels once people start the communication to them from it. What's important is finding out if these are isolated incidents or a trend, and whether or not the information is classified. If it's just isolated incidents, then quit busting on it; especially since there's no doubt those in Congress use personal emails and SMS messages all the time for official correspondence with other government officials.

I'm not a huge fan of Trump (I'm not registered with any political party), but it's becoming ridiculous when Democrats keep hurling charges and accusations as soon as one loses steam. Yeah... the RUSSIAN PROBE is really getting old. No proof yet people keep yapping. Lemmings, eh?

What has Trump done so far... are you kidding? This shows you're a lemming who just repeats rantings.

Among other things, he's increased military funding across all colors of money.

He's also returned many of the promises back to the veterans, and is ripping through the VA; finally removing people who shouldn't be there.

He's gotten China and Russia to back the USA on UN Resolutions.

He's stopped many atrocities happening in Syria, and mellowed out that government.

How soon so many things are forgotten.

You don't have to like him or agree with him, but don't sit there griping about nothing getting done. It only shows you're being an ignorant parrot.

It's so easy to repeat insults and be angry.

It's a lot tougher to do some research and make yourself better and smarter than you were yesterday.

Brit broke anti-terror law by refusing to cough up passwords to cops

Aodhhan

Seriously... with the double standards

Quit griping, whining and crying. You may not like it, but face it... you put yourself into the predicament. Do you complain when they look thru your backpack or luggage? No, because you know it's part of the traveling routine when you go thru customs. You can be upset all you like, but it comes down to common sense, and understanding that governments will always protect themselves and their people.

Look... if you don't like the laws of a country, then don't go there. There are many laws in every country enacted to protect the people and the government. Whether you disagree with it, doesn't matter.

I don't hear people griping because Saudi Arabia, Egypt, Russia or China (who all have similar laws) made them unlock their electronic device.

Let's talk common sense. If you travel with confidential documents on your device you're an idiot. These devices are too easily lost or stolen. Given enough time, the person who controls the device also controls the info on it. You're better off setting up a VPN to a system which holds the files as you need them.

If you're not friendly to a government then you're open season for this government and its allies. You travel to another country, leave your laptop in your room to go eat, shop, sightsee... whatever, then don't be shocked if 3 months later your AV picks up unique spyware on your computer. Likely placed there by a country's intel agency. Or at least... they looked thru it and possibly downloaded something while you were out of your room. This isn't limited to shady governments; this happens with ALL of them.

Shock! Hackers for medieval caliphate are terrible coders

Aodhhan

Oh no...

They will make it harder for us to own their website so we can turn it over to a government intel agency.

Yeah---I couldn't hold back laughing either!

NBD: Adobe just dumped its private PGP key on the internet

Aodhhan

Re: Also all,previous data

So, you send out your email encrypting it with the public key? If so... then nobody can read it; unless of course you do what Adobe did, and release the private key.

BOTH keys can encrypt/decrypt. Which does which when... depends on its use.

Hey... you don't happen to work at Adobe do you?

Finance sector is littered with vulns, and guess what – most can be resolved by patching

Aodhhan

Of course it's BUNK

This goes against reports from Verizon, Gemalto, FFIEC, PCI, etc.

Unless this report by NCC Group is only on undeveloped financial sectors.

Also be wary of reports which you can't view unless you become a member. Most security reports are in the open... and this means open to scrutiny and review.

This report is provided more as a phishing scam, behind doors.

As someone who is a pen tester in the banking industry, I can tell you information security has improved greatly over the past 2 years.

Notas... if you think you were talking to an administrator, security analyst, or developer... then you're mistaken. Banks don't waste these employees' time by answering questions from the general public. A helpdesk person isn't technical. Their job is to write up tickets for the experts to deal with.

Not to mention, if someone asks me what we are using for a firewall, protocol communication app, etc... do you really think I'd tell them? THINK man.

IT plonker stuffed 'destructive' logic bomb into US Army servers in contract revenge attack

Aodhhan

Re: Slightly inflated cost estimate here?

Actually, the cost isn't bad at all. It appears you don't have a lot of InfoSec experience.

There is a lot more than just looking at code and restoring data involved in the costs.

Don't forget about the investigation (including talking to people-- suspects/witnesses), forensics, network security experts, not to mention corrective actions, etc. There is also looking through all other systems this individual had access to, then going through all of them with a fine-tooth comb.

I can go on, but I'm sure you're starting to get the picture... there's a lot more than meets the eye.

Orland-whoa! Chap cops to masterminding $100m Microsoft piracy racket

Aodhhan

Re: Go big, or go home.

It's unfortunate you have tunnel vision.

There are a lot of smaller companies who will lose a large amount of money because of this. These companies may have to lay off people or keep from hiring new individuals. Let's hope your employer or the employer of someone you care about isn't one of them.

CCleaner targeted top tech companies in attempt to lift IP

Aodhhan

Re: I still don't understand how this happened

Good grief... where are the InfoSec professionals?

Stop being so lazy. You should at least be able to understand how to work a search engine to find out the details of what happened; without going, "Duh... I don't get it".

This was an attack on the supply chain. You may want to learn a lot more about these types of attacks. They aren't new. In fact, supply chain attacks on computers have been going on since the late 60s, and really took off during the 80s.

Imagine what you can do if you, as a hacker, can gain control of a third party download server which provides new applications as well as updates/upgrades. For instance, you can add your own malicious packages to the applications and libraries being downloaded. Very stealthy, and the consumer presses the "OKAY" button to let it run with system (or similar) permissions. The attack becomes even more deadly, because it's a well known and trusted application.

...get it yet?

There are many third party download server services available (for hire) which aren't owned or controlled by the actual software vendor. If you've downloaded an application from the Internet, it's very likely you've used one.

IT fraudster facing four years' bird time for $10k blackmail

Aodhhan

Re: Why did he do it though? Pure dicketry?

I agree with you...

Typical with reporters today... they provide a half-ass story because they're too lazy or too ignorant to do a bit of research in order to come up with questions and ensure all are answered.

A business doesn't hire a contractor unless the contractor has an excellent work history. So there must have been something which triggered this individual's dark sided motivation to maliciously attack his client's network.

However, no matter what this company did to him, it doesn't justify his actions. There are a lot of other things he could have done without putting his own freedom at risk.

Equifax's disastrous Struts patching blunder: THOUSANDS of other orgs did it too

Aodhhan

What a sad state of mind

Equifax has shown us there are plenty of executives in charge of technical operations who have no business being in these positions. Looking through the LinkedIn Resumes and Equifax web site information on their technical executives tells me the executive board is made from the 'good ole boy' network.

In addition to the CIO and security officer retiring, why isn't the CTO along with risk management and auditing executives cleaning out their desks? They failed to realize the importance of proper security policies and procedures. They also were a part of not understanding the threats facing their systems. Then there is the CEO... whose chief responsibility is to protect shareholders; obviously failed to do his job and should step down as well.

I've heard so many excuses when it comes to patching over the years. It takes an experienced and knowledgeable InfoSec professional to inform executives of the risks facing their systems. When the risk of a vulnerability is a 7+; along with the exploit score of 10 and can be EASILY executed remotely.. this is a huge red flag where the CIO must convince everyone the patching must be done immediately. Inside 48 hours. If other responsible executives do not get this... then they don't have the background to be in their position.

It will be interesting to finally see the entire InfoSec structure along with the experience and technical expertise of their personnel. Not to mention their policies and procedures in place to audit the established security policies; not just for patch management, but for all operations.

Equifax's IT leaders 'retire' as company says it knew about the bug that brought it down

Aodhhan

Re: admin/admin

Sure you have a lot of educated idiots with tech degrees when it comes to InfoSec, but you have a lot more when they don't have this background.

What we are beginning to see, is the lack of experience and practice in more disciplines than just InfoSec who are responsible for this breach.

For example, where was auditing, compliance, risk management and operations? These aren't InfoSec disciplines, these are straight up management disciplines designed to ensure everyone is doing whatever their job is effectively.

For this reason, it isn't just the tech bosses like the CIO who should step down. The top officers responsible for auditing, compliance, risk and operations should also step down.

The CEO should also step down, as his/her primary role is to protect the stock holders. Obviously this wasn't done, and he continues to fail in this regard.

Equifax mega-breach: Security bod flags header config conflict

Aodhhan

IT IS NOT DIFFICULT TO SET HEADERS.

Many header settings can be done by properly configuring the web server.

For instance, to set up "Content-security-policy" on an Apache server you can configure this via the .htaccess configuration file.

It is true many web sites don't properly configure their sites when it comes to headers. It's a matter of paying attention to detail and using all the available defense in depth techniques to make things more difficult for malicious hackers.

The Qualys site is good for ensuring encryption protocols and cipher suites; as well as certificate validation. Again, as a matter of attention to detail, you need to understand the limitations of your tools along with their purpose.

This is a good lesson to all InfoSec professionals. When there is a trend showing you aren't paying attention to detail... you will be nitpicked and harshly criticized; thus damaging your reputation further. This will continue to go on. Wait until all the discovery information comes out about Equifax's network, along with the training and knowledge of their InfoSec staff. The criticism has only just begun.

Crackas With Attitude troll gets five years in prison for harassment

Aodhhan

Re: American justice in action

First.. it was his choice to break the law.

Second... If he threatened you and your wife and kids, I bet you'd want him to spend a long time in a small box.

Third... The majority of crimes are non-violent.

Fourth... HE ACCEPTED A PLEA DEAL.

Fifth.. sure, go to another country and compare it to the US legal system. Ignorance isn't bliss in this case.

Sixth.. Don't like the USA, don't go. Hundreds of millions of people manage to live/visit the USA without having to deal with the justice system.. why you ask? Because they aren't criminals; g-grief.

Seven... Well, we can keep people in jail indefinitely. If you're worried about their employment. All honesty though, in the USA there are a lot of jobs for those who have served time in prison. It's a matter of the ex-con to take advantage of them.

Have you ever sat back and imagined what life would be like if we didn't punish non-violent offenders?

Unless you're a genius and/or well educated... it's likely you'd be taken advantage of quite a bit. Yeah, thanks for your credit card and other things stolen from your house while you're at work.

Aodhhan

Re: So being a dumbshit ...

Threatening someone isn't "harassment".

I doubt you'd be inclined to think differently, if he sent you texts threatening you and your family. Blackmail exposure, etc.

No, appeals court will not have a field day with this... because HE ACCEPTED A PLEA DEAL.

Apparently there is a reading comprehension problem.

Apache Foundation rebuffs allegation it allowed Equifax attack

Aodhhan

Re: @Sane ...

Are you an Equifax InfoSec employee? You're definitely not a cypher-Sherlock.

Doing what you suggest doesn't protect a database breach. Just because you freeze your information, doesn't mean the database automatically erases all the information stored there.

It also doesn't protect the way access is gained to this database by other DBs, systems, employees, etc.

I think you're reading the wrong books there, Nancy Drew.

Aodhhan

Equifax... I recommend

...purchasing Hillary's book where she blames everyone but herself.

She too suffered a security breach by not following best practices... believing she was beyond all of this and only worrying about the bottom line.

She managed to get by without any charges or loss of money. Perhaps you can learn from her!

Aodhhan

Corporate Greed

Using an open source version of Apache was Equifax's choice.

What will most InfoSec professionals tell you about using open source when it comes to IA or IA-enabled software? Simple: DON'T Accept the RISK.

I'm willing to bet an InfoSec professional somewhere at Equifax provided this warning. Management Ignored it.

Or... Equifax decided to not hire InfoSec professionals with experience and training in penetration testing and/or software development testing. Because the open source item would have been addressed as a risk; especially where a web application uses/relies on security (for login and credential protection at a minimum).

Either way, Equifax is negligent. It's not Apache's fault; this rests square on Equifax's shoulders.

Credit organizations have more information on us than most people know. For instance: properties purchased/sold, vehicles purchased/sold, credit/debit card use history (location, amount, etc.), marriage(s)/divorce(s) information, organizational memberships, registered to vote and where you've voted history, where and type of hotel rooms you've used, on and on and on. It's a treasure trove of information for Intel and LE agencies to grab on you.

Credit agencies have had us all by the left nut for a long time, and more of them pop up each year... it's time we use this to rein them back a bit, and set an example to corporate greed executives who think they have a better money maker than a casino.

Aodhhan

Re: And here comes the thunder...

Whew. ok

Surprising nobody, lawyers line up to sue the crap out of Equifax

Aodhhan

Time to get CONTROL of credit agencies a.k.a For Profit Intel Organizations

It's about time we all wake up and start getting on our local and federal legislatures to rein in credit agencies. It seems every other month a new credit agency pops up. Why not.. it's HUGE business.

If you're worried about the typical PII items being released... this is nothing.

Consider everything a credit agency knows and collects about you, your family and lifestyle trends.. under the guise they use it to determine risk. This isn't information for the past 1-5 years, this is lifetime:

- Properties purchased, location, and type (2 bedroom, 3 bath, 2100 sq feet etc).

- Vehicles purchased, make, model, year etc. They can also interpolate your average mileage per year.

- Organizations you belong to.

- Donations, amount, etc.

- Hobbies

- Registered to vote, elections participated in

- Income, investments (type, to whom, active/passive, 401K, etc.)

- Insurance coverage, what you cover, specialty items covered

- Nearly every single monetary transaction monitored, classified into various things; i.e. from where, location, etc.

- Tax information

- Employment information

- Household expenses, gas/electric/heat bills... etc.

----On and on and on. These databases know you better than your mother, best friend and spouse.

With all of this, they can interpolate many of your lifestyle and professional choices and to what degree.

This isn't just a credit company... it's a FOR PROFIT INTELLIGENCE ORGANIZATION.

With all of this information, they sell it to those who gather it all in and sell it to businesses.

Places such as InfoGroup, InfoUSA, YesMail, etc. sell this information for big bucks and nearly every Fortune 500 company subscribes to MANY of these (not just one) for direct marketing and other overt/covert corporate greed schemes. It can also be used against you in court or by organizations like Scientology to discredit or publicly humiliate.

42: The answer to life, the universe and how many Cisco products have Struts bugs

Aodhhan

Seriously

This is a common occurrence on this site.

Someone trying to get cute with 'flashy' bylines or oversell an article so they become stupidly liberal with it; or are just too ignorant to understand and too lazy to do a bit of research before writing.

This is why it's best to go to reference (if they provide one) or do a search to find someone who does understand the story and puts some time into writing it.

Red panic: Best Buy yanks Kaspersky antivirus from shelves

Aodhhan
WTF?

Ignorance isn't bliss

A liberal who knows the Russian system very well and is loved today by millions of Russians, whose name is Garry Kasparov, can let you in on some of the things you likely believe are fine when you defend the Russian government.

Free speech - Does not exist in Russia

Freedom to assemble - Does not exist in Russia

Free and fair elections - Does not exist in Russia

You get the idea... so many values the west holds close don't exist at all in Russia.

What does exist in Russia?

Government thievery--when you have a great idea (unless you're already wealthy or part of the system), the government will take your idea, give it to one of their buddies... kick you in the balls and send you to work in a factory to tighten bolts.

Poverty--Most Russian families still do not live in nice homes with yards.

Like your car? Likely wouldn't have one in Russia. If you did, it would have all the features of a cheap Volkswagen.

Widespread dissent. Despite what most people are led to believe... Putin isn't regarded highly by the working class.

So MI5 and FBI are spying on their own citizens... I have yet to hear a story where they are tossing people in jail or taking away money and someone's livelihood because they spoke poorly of Nancy Pelosi or Chuck Schumer.

Wonder why Congress doesn't clamp down on its gung-ho spies? Well, wonder no more

Aodhhan

Re: My "representatives"* are Pelosi & Feinstein

These sort of intel operations are funded through an entirely different part of Title X (ten) where Congress can't really interfere with it. They set this up by law a very long time ago; and explaining it is a long and boring ordeal.

The problem isn't with the operational laws or funding... they are fine. The problem is the accountability of officials who misuse/abuse the information. There need to be strict roles and responsibilities along with black/white consequences.

Aodhhan

Re: Constant war turns public opinion against democracy

Another leftist who doesn't understand the definition of democracy.

If the people want to allow something, no matter how odd it is to you...then this is the very definition of democracy.

People in England allow the government to manage and record public action on video. This isn't something against democracy, it's democracy in action. The English feel it provides more security and safety than privacy. They want it... they got it... they allow it. This is Democracy in action. You may not like it; you may think it's crazy. This doesn't change the fact it's still democracy at work.

Tracking/monitoring/recording is a two-way thing. It can prove one's guilt, but it can also prove an individual's innocence. We've also learned, people today aren't as embarrassed about their actions as they once were [thank goodness].

I'm betting you don't really understand the definition of fascism either.

Aodhhan

Re: Shone

Who really fricken cares? If you want to play grammar police, or show off your self-centered egotistical knowledge on something you just googled, please do it somewhere else.

Dolphins inspire ultrasonic attacks that pwn smartphones, cars and digital assistants

Aodhhan

Guess this explains the long line of dolphins, bats and dogs outside the Apple store.

Mo' money mo' mobile payments... Security risks? Whatever!

Aodhhan

Working InfoSec for a bank, I'm aware of all the problems.

First... doing banking via a phone app is a lot different than say, using your credit card to buy an item online.

All features must be activated by the customer. Nothing is default "on/open".

Most banking apps have limitations on them. For instance... you can deposit and you can view balances, but you aren't allowed to electronically withdraw in most cases.

You can make electronic payments, but only to reputable companies/organizations (your utility companies for instance), but not to individuals. You can opt to some others, such as eBay.

The customer must place limits on transactions; with the default being "0.00".

There are more but you get the picture.

Remember when Lenovo sold PCs with Superfish adware? It just got a mild scolding from FTC

Aodhhan

Liberal courts

This isn't uncommon for liberal courts to provide light sentences and penalties for acts like this.

There is a reason Microsoft and other tech giants headquarter themselves in states within the 9th district court's jurisdiction, and then manufacture, develop, etc. in separate states where wages and other costs are lower.

Give staff privacy at work, Euro human rights court tells bosses

Aodhhan

Re: Which is exactly why it is higher on May priority list

Napoleon's way of law is far different from what is used today. It was an empire not a democracy. Where in the end, no matter how you sliced it the government had no accountability to the people. This also meant the social classes had laws applied differently.

Today, most countries in the west (yes, this includes Europe) use constitutional law where the rights and freedoms of individuals are laid out, as well as the role and responsibilities of government.

All other laws made must pass a constitutional test... to ensure they do not go against anything laid out in the constitution. This is a HUGE difference from Napoleon.

This doesn't mean... you can do something as long as there isn't a law forbidding it. In nearly any case where possible damage is done against another, it will bump up against something within the constitution. Where there are questions and arguments... there are courts and juries to decide.

Right now... EU has legal arguments all over since each country has a constitution (which precedes the idea of the EU; so it's not written with it in mind -- and the amendments with EU in mind for the most part... are hideous) and now there is an EU constitution of sorts (again hideous to get all on board). Because of this, in all reality, each country has lost a lot of identity when it comes to the courts. Because as you have seen... a group of legal scholars in Belgium or France decides what's best without understanding an individual's culture, or what the people really want in a particular area. It's also costly for people to work within it.
