British govt agents step in as Harrods becomes third mega retailer under cyberattack

Re: We can't continue to regard these simply as "IT Problems"

That's the problem: Management don't fund any preparitory/defensive work before any attack as they feel it's scare mongering by the techies so money down the drain. It's only once they've been hit does management really understand the consequencies.

My place was hit a while ago and money was suddenly flowing on IT security initatives,

There's an arguement to be had that every organisation should endure at least one painful cyber incident.

I.T. and business continuity as seen as costs with little benefit (until the shit hits the fan)

the problem is DR / BC is seen as providing little cost benefit by many companies, its a "necessary evil"

DR/BC don't generate income or value for share holders

I.T. systems are also seen as a cost, with little benefit, but when they break or become unavailable everyone screams "we didn't realise they were so critical"

boards and managers need to get on board with cyber security, staff need to do the training about malware, spyware, phishing and ransomware as many attack start with an email or infected file sent to ordinary staff

until the attitude of staff / boards change companies will be vulnerable

Re: Fortnum & Mason

Stupid Americanized (sic) Sensationalized (sic) Story.

Other than normal interest of the security services - and Police - things not being reported as ‘British Govt Agents’ step in’ locally for retail security issues of late

James Bond is not rooting out Scattered Spider so Charlie can swing by for a Royal Curbside (sic) collection.

It’s also a Bank Holiday today. Yay !

Re: Mangement don't care

I had a weird external logon attempt from a completely out of bounds country of an external UID that had only been set up for access of a Teams channel two weeks ago.

I'm sure there are plenty of benign explanations for this, but I've seen this too often so I'm going to have a chat with the outfit we're having cvonnections with to see if we can get some truly clever people in to dig this out - I'm afraid I don't have a deep enough skillset to be certain I have covered all the bases.

Re: M&S Store shopping - no stock at the best of times

The principle of having a range of stock in store seems to have been abandoned. I've had trouble for years buying items of clothing in specific sizes for elderly relatives. The message seems always be to go online. This presumably must generate a lot of unnecessary returns as a result of not being able to see or try garments in store. There seems to be space - there are even stores where the floor space has been actively reduced - but perhaps there is less wastage overall if the majority of stock is kept centrally.

Having done some work with a clothing retailer there is a genuine problem in matching the size variations in manufacturing orders to the eventual demand. In the old days, when most of the manufacturing was done in the UK, they could place an initial order and top it up depending on how the season went. Now, you're stuck with what came on the boat.

Re: M&S Store shopping - no stock at the best of times

Then stop buying suits from M&S.

Their quality has crashed over the last couple of decades anyway, the woolblend stuff they used to sell was of decent quality. There's no particular point in paying a premium price for some polyester blend made in China stuff that's so bad that you wouldn't buy it if you could feel it before handing the money over. It's not like they are particularly short on competition.

Re: M&S Store shopping - no stock at the best of times

I'd recommend John Lewis for a suit. I'm 6ft 3 and I find the clothes are better at JL than M&S anyway.

Also, as a tall bloke - do you too get fucked off that all the 33 long jeans are always at the bottom of the rack, while the 29" leg trousers are on the top rack?

Surely it should be the other way round!?

Re: M&S Store shopping - no stock at the best of times

Andy, try 2tall.com. At 6ft 4in you are a bit short (bet you've always wanted to hear that!) and follow the measuring guidelines precisely. Clothes fit nicely and returns are simple. Mail order as it should be.

I'm a happy customer, John (6ft 8in)

Re: M&S Store shopping - no stock at the best of times

> regular 6 foot 4 bloke

Nobody ever has my perfectly average size 13 slippers.

Re: M&S Store shopping - no stock at the best of times

I've noticed the quality of M&S sandwiches - which until recently used to be excellent - has recently dived (specifically for vegan options). Reduced selection, fewer of them. I've given up and moved to Sainsburys.

They do do some rather nice animal monogrammed socks though, worth seeking out.

Re: M&S Store shopping - no stock at the best of times

As a result of an event which necessitated the insertion of quite a bit ot titanium to keep me together I found that no off the rack suit now fits me.

As I'm very often in Germany I now occasionally go to an outfit who do a sort of made to measure, I assume someone must have set this up in the UK too. The idea is that you visit one of their many shops, and someone competent measures the delta between you and one of their template suits. That delta + your choice of fabrics gets sent to wherever they make the suits, and in a few weeks you have a final fitting where they will adjust anything that wasn't 100%.

The result is a well fitted suit, despite my now somewhat non-standard dimensions. It's definitely more expensive than off the rack but it's not quite at Saville Row second mortgage levels either, and I have been told it looks good (I'm a bad judge of that, I just enjoy it sitting comfortably where it belongs). If you must wear a suit, this can be quite a good investment.

Re: M&S Store shopping - no stock at the best of times

A bigger problem is size consistency across the same item.

38 29 Blue jeans fit. 38 29 Black don’t <shrug>

It’s consistently inconsistent across different types of jeans/trousers/chinos etc

Re: security , no it's in the way

We've had problems with permissions in Microsoft world: We give accounts the correct limited permissions but when we log support calls saying it doesn't work MS just say "Oh just give the account Admistrator rights: That'll fix it" and want to close the ticket.

Re: security , no it's in the way

We just went through a 4 year refit where we cleaned up a lot of that crap. I now have agents running on any endpoint and server that pick up vulnerabilities (part of standard build), and my aim for this year is to automate most of it.

The agents give me two remaining categories of issues:

1 - legacy. There's old stuff that cannot be patched without involving a herd of developers because backward compatibility wasn't a thing then. As we're moving off those platforms at some vague point in the future we weren't going to prioritise fixing that. I have at least managed to start discussions about giving that lot their own playground with a fat moat around it so I have one access point to check instead of a monthly 30 page problem report. With a pipe to an NDS so I can keep an eye on it.

2 - dev. Always dev. I've managed to get to a stage where security is at least paid attention to in design, but I catch them regularly abusing admin right privileges to install unapproved and (worse) untested software. Now I don't want to be a Nazi about this, but we test for a reason. Once we ended admin permission because we had a trojaned install (which thankfully was picked up immediately, but if that had been a zero day we would have had quite a lot of recovery work) we all of a sudden got attention, and I now have their managers running an approval process I can keep an eye on. I'm not sure what they teach people in programminmg courses, but does it really always have to start with 'gain admin level'?

Anyway, they're now listening. Until we get new people, of course..

Re: security , no it's in the way

It's a question of "what happens if we do get hacked"

Make that "when" and ask it of manglement. "If" gives wriggle room.

Re: Did anyone see the story about Co-Op ?

I've found that Teams overloads the office network pretty quickly if everyone has their camera on.

So it doesn't work as a policy unless you've got a lot of per-user bandwidth at every office location.

Re: Did anyone see the story about Co-Op ?

Pointless having the camera on. One thing I've noticed is that the men often love to have the camera on, and the women won't unless they're presenting.

Watch for it, you'll notice it too now.

Anyway, it takes a few minutes to set up a virtual camera and then you can have backgrounds, animations, or even entirely cloned people on your camera. Turning it on makes no difference now, that ship sailed about 6 months ago.

Re: Did anyone see the story about Co-Op ?

My local co-op now has almost no fresh vegetables on the shelves (although still a reasonable amount of meat - I presume because that is expensive and moves more slowly) and certainly only one sort of anything (one sort of mushrooms, etc). Milk looks quite low as well, unless they are keeping some in the back to reduce panic buying.

And signs saying it is due to the reported problems. Looks like its logistics systems are badly affected.

I also don't expect much agility after an 11 year sleep. That's more a coma, really.

:)

There used to be (is?) a suit hire in Godalming who used a pair of Rolodexes for everything and it was probably as fast as mucking about with a poor interface to a database. The owner there could also instantly size you without measuring even accounting for the different suits.

Foyles

Charing Cross Road. That was the road for books. TCR was the road for electronics, mostly branches of Stern-Clyne.

There was a poster on the bus shelter outside with the slogan "Foyled again? Got to Dillons."

Re: DragonForce Claiming responsibility

"Matt" called it well, as usual: Matt cartoon

Re: It's OK, they are taking proactive steps

Also interesting the both Co-Op and Harrods said exactly the same, almost word for word, to their customers "We are not asking our members or customers to do anything differently at this point."

Re: Protection & patching

M&S got rid of their IT department about 6 years ago, so I'm going to guess that it is they who are "patching like fury".

Re: The threashold has been crossed

Government agencies only recognise the trend when a luxury goods retailer with a large international customer base ministers and/or their wives as customers is affected.

FTFY

Re: screw M&S

This weaselling should not be allowed. If you have to give any data to any business for the purposes of a transaction it should not be used beyond those purposes and the business should be solely responsible to you for the actions of any of its agents as well as its own actions. And let's have criminal liability for directors.

Re: screw M&S

(The page below is 'protected'- had to 'view source' to copy this. That says it all.)

I suspect that (in this case) it isn't deliberate. Certainly, in my browser, I could do Select All and I could also start a selection drag by clicking in the fixed portion of the text (near the top) and dragging further down. Once selected, I could Copy with no problem.

It looks like careless capturing of clicks for the opening of sections. So FU rather than conspiracy. Still piss-poor programming.

Re: Buy my Detectohack box

Do those guys that used to sit in the silo to turn the missile key work from home now as well?

notwithstanding the above, zero trust architecture is a thing designed to prevent hacks from within the business.

https://en.wikipedia.org/wiki/Zero_trust_architecture

There was a time when hackers modified Sega Dreamcasts and had them installed in businesses beneath the floor tiles or above ceiling tiles and remotely connected into corporate networks.

Zero trust architecture mitigates exploits like that and those concepts make it safe for people to be working from home.

obviously if its super sensitive work then it should be done from controlled environments like a company secured office, but lower level activities like admin or HR can be done relatively safely from home with obvious caveats.

Yes there would seem to be problems in the distribution to stores; on Friday my local M&S received the soft fruit delivery for all three stores in my area. This I understand is just one example of the problems.

Now M&S are releasing food again, the local food banks are benefitting from the mistakes…

Re: We all know why it keeps happening

We need two things. One is a directors' responsibility added in company law. The other is an arrangement similar to aircraft reporting where the incident is analysed: what happened, how it was recovered, how the system could have been better arranged to minimise the attackers' access and what could have been done to prevent access in the first place with the results circulated to CISOs so that the lessons could be applied widely.