Infosec not your job but your responsibility? How to be smarter than the average bear

The calls are coming from inside the house! Lately, Outlook users have been getting their own version of this classic urban horror myth. The email system is alerting them to suspicious activity on their accounts, and helpfully providing the IP addresses responsible. Those, it seems, belong to a shady organization called…

  1. Doctor Syntax Silver badge

    "This basic equation, the cost to the attacker versus the value of what they might get, is the cheapest yet most effective infosec aid on the market."

    Also include the elapsed time taken to attack vs the time the information is likely to remain valuable.

  2. Mike 137 Silver badge

    Not just for the non-pro

    "If you're not paid to spend all your time as a security professional but have to make decisions about security, and that's most of us, it's a numbers game."

    Even if you're paid to spend all your time as a security professional, it's still a numbers game. What's more, it's a statistical numbers game because individual instances are imponderable, and it's a non-stationary statistical numbers game because the attack space is constantly changing. So the best course of action is affordable pre-emptive resilience (proportionate common sense protection against generic threats) so as much as possible of the bad stuff bounces off leaving you unharmed. Then you can concentrate your day to day attention on the residue that needs special treatment as it arises.

    1. Pascal Monett Silver badge

      Re: Not just for the non-pro

      I have literally just come back from having lunch with one of my closest friends. He explained how he was happy to branch out into cybersecurity. He created a new company for that (he already has several that are functioning fine, so he has form in that), a company which has secured partnerships with major anti-virus companies present in Europe. He told me how happy he was that this new creation already had about a quarter million euros in orders and upcoming sales.

      The whole time I couldn't help thinking: my God, what have you gotten yourself into?

      Sure, the money appears to be rolling in now, but what's going to happen to you six months down the line when Putin's dogs savage your clients' data through whatever means?

      I fear for him. Cybersecurity is a world of treason and backstabbing, and you never know where it'll come from.

      1. Missing Semicolon Silver badge

        Re: Not just for the non-pro

        How the heck do you create a new company, in a field where track-record should be more important than most, and be pulling in €0.25m just like that? When the only experience you have you hired last week.

        I don't understand business.

        1. Boris the Cockroach Silver badge
          Happy

          Re: Not just for the non-pro

          Watch the first episode of "The IT crowd" and how Jen gets her job.

          That's how.

        2. Mike 137 Silver badge

          Re: Not just for the non-pro

          Maybe "fake it till you make it" as they say in venture capital land. I remember an infosec consultant with whom I thought of working saying "never admit you can't undertake any brief. Accept the deal and then find a subcontractor to do it."

          On the other hand, I meet so many infosec colleagues who seem to know only what they can repeat from memory that maybe it's quite possible 'legitimately'. All you have to be is a little more knowledgeable than your client (who knows practically nothing).

  3. ThatOne Silver badge
    Unhappy

    Are you a target?

    > A sober view of your attractiveness as a target will get you there.

    That's true of course, but needs to be taken with a grain of salt: The "carpet bombing" method of compromising targets (to use as attack relays or simply to steal banking credentials from) doesn't really care if you're the financial director of a Fortune 500 company or a penniless student. This is the basic threat level everybody needs to be protected from, and unfortunately it's a moving target for laymen, since at any moment the world can discover that some widely used piece of kit has hardcoded admin passwords or some such (and unfortunately given the quality of today's kit it's not "if", it's "when").

    "Sober view of your attractiveness" indeed, but don't find yourself in the situation to say "Hey, I'm not attractive, why do you hack me?"

    1. Paul Crawford Silver badge

      Re: Are you a target?

      Ah that is the problem, my attractiveness seems to depend on others not being sober :(

    2. Michael Wojcik Silver badge

      Re: Are you a target?

      And the same is true of completely automated attacks, of course. Self-propagating malware – viruses and worms and the like – and botnets that automatically attack other reachable targets, to name a couple of variants, don't do cost/benefit calculations because the cost is minimal.

      And then there are the various pyramid-style criminal franchising operations, which generally prioritize quantity over quality.

      The key is that benefit calculations are often done after compromise and other damage, as non-performing victims are abandoned (or relegated to just being another node in that botnet). You have to raise the cost to the attacker by blocking the widespread automated attacks and script kiddies, so only someone with a specific reason would make the effort to penetrate your defenses.

      Then on top of that you need resiliency, of course, because frequently they'll get through anyway.
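The point in the comment above, that indiscriminate automated attacks are cheap for the attacker and therefore cheap to block, can be shown as a small triage step over auth log lines. The following is an added example, not code from the thread or from The Register; the log lines are constructed in OpenSSH auth.log style with documentation-range IPs and invented usernames, and the thresholds (`window`, `spray_users`, `spray_fails`) are assumed values, not a published standard.

```python
"""Added example: separate indiscriminate automated login attempts from
focused ones, so the cheap, noisy traffic can be blocked outright and
human attention goes to the residue that might be targeted."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (OpenSSH auth.log style). 198.51.100.7 sprays
# many usernames within seconds; 203.0.113.9 fails twice against one real
# account over half an hour and then succeeds; 192.0.2.44 only succeeds.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[100]: Failed password for invalid user admin from 198.51.100.7 port 4001 ssh2
Mar  3 10:00:02 host sshd[101]: Failed password for invalid user test from 198.51.100.7 port 4002 ssh2
Mar  3 10:00:03 host sshd[102]: Failed password for invalid user oracle from 198.51.100.7 port 4003 ssh2
Mar  3 10:00:04 host sshd[103]: Failed password for root from 198.51.100.7 port 4004 ssh2
Mar  3 10:00:05 host sshd[104]: Failed password for invalid user pi from 198.51.100.7 port 4005 ssh2
Mar  3 10:00:06 host sshd[105]: Failed password for invalid user ubuntu from 198.51.100.7 port 4006 ssh2
Mar  3 10:05:00 host sshd[110]: Failed password for alice from 203.0.113.9 port 5001 ssh2
Mar  3 10:30:00 host sshd[111]: Failed password for alice from 203.0.113.9 port 5002 ssh2
Mar  3 11:10:00 host sshd[112]: Accepted password for alice from 203.0.113.9 port 5003 ssh2
Mar  3 11:12:00 host sshd[113]: Accepted publickey for bob from 192.0.2.44 port 6001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(log_text, year=2024):
    """Return a list of (timestamp, result, user, ip) tuples.
    Syslog lines carry no year, so one is assumed for the arithmetic."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def classify(events, window=timedelta(minutes=5), spray_users=3, spray_fails=5):
    """Label each IP with at least one failure.

    'automated': many failures against several distinct usernames inside
                 one short window (the cheap, untargeted pattern).
    'focused':   failures that do not fit that pattern, e.g. repeated
                 tries against one account; these deserve a human look.
    Thresholds are assumed defaults, tune them to your own baseline."""
    fails = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "Failed":
            fails[ip].append((ts, user))
    labels = {}
    for ip, attempts in fails.items():
        attempts.sort()
        label = "focused"
        for i, (t0, _) in enumerate(attempts):
            in_window = [u for t, u in attempts[i:] if t - t0 <= window]
            if len(in_window) >= spray_fails and len(set(in_window)) >= spray_users:
                label = "automated"
                break
        labels[ip] = label
    return labels


def triage(log_text):
    """Split sources into an outright block list and a review list."""
    labels = classify(parse(log_text))
    return {
        "block": sorted(ip for ip, lab in labels.items() if lab == "automated"),
        "review": sorted(ip for ip, lab in labels.items() if lab == "focused"),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The split matters for the comment's argument: the sprayer is blocked by a rule that costs nothing to run, which removes the bulk of the attacker's free attempts, while the two slow failures against a real account stay visible as the residue that needs judgement rather than a reflex.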

  4. Anonymous Coward
    Anonymous Coward

    False Flag???

    Quote: "...cock-up, not criminals. And so it was. When Microsoft eventually responded, it waved the white flag of fiasco..."

    Huh......or maybe a false flag.....the so-called "cock-up" was actually in Fort Meade, MD.....by dubious actors at a "known associate" of the dubious actors located in Redmond, WA......

    I think we should be told!

  5. Tony.

    So an IP address assigned to Microsoft? So like an IP for anything anyone pays to be hosted in azure?

    Same issue with domain names: anybody can buy Azure storage, which is hosted on *.microsoft.net DNS addresses and even has an MS company HTTPS cert! That's been used for years in phishing.

    https://www.bleepingcomputer.com/news/security/phishing-attack-uses-azure-blob-storage-to-impersonate-microsoft/

  6. VoiceOfTruth Silver badge

    Be careful with that bold statement

    -> No, they are not, not unless you are doing things that interest state-level agencies.

    RIPA in the UK was ostensibly to fight terrorism and the usual yarn. Then it turned out that councils were using it to catch parents who "cheated" to get their children into schools outside their catchment area.

    If there is a power granted, and even if it is not, it will be abused.

    1. veti Silver badge

      Re: Be careful with that bold statement

      RIPA stands for "Regulation of Investigatory Powers Act". It does what it says on the tin - it sets out a framework of rules that public agencies are expected to conform to, and mechanisms for ensuring that they do it.

      It was only ever about "terrorism" in so far as that was the current buzzword when the act was being passed. The Home Office and other usual suspects lobbied aggressively that these snooping powers would help deal with terrorism - and as far as it goes, this was true. But no-one ever claimed that this was the only possible or permissible application.

      1. Cederic Silver badge

        Re: Be careful with that bold statement

        At the time many people pointed out its overly broad applicability, which the Government assured us would not be the case.

        As just one example, see the comments by Mr Cohen and the false assurances provided by Charles Clarke in Parliament: https://hansard.parliament.uk/Commons/2000-07-26/debates/02d133e1-f824-4a39-8e1b-7d295414ebad/RegulationOfInvestigatoryPowersBill

        1. veti Silver badge

          Re: Be careful with that bold statement

          OK, I went to the trouble of reading that whole slab of debate. It clearly shows that all parties are well aware that the snooping powers will be available to a wide range of people for a wide range of purposes. That much is not even questioned. So I'm not sure what specific lying assurances you're trying to draw my attention to.

          1. Cederic Silver badge

            Re: Be careful with that bold statement

            Allow me to summarise for you.

            Cohen: The bill (including amendment) allows excessive sharing of data.

            Clarke: Nah, that won't happen.

            It has happened.

      2. abetancort

        Re: Be careful with that bold statement

        Whenever the word “terrorism” is used to justify granting the government new powers, you can bet these new powers are going to be mostly used on you and not terrorists.

        1. RegGuy1 Silver badge

          Re: Be careful with that bold statement

          Yep. Like money laundering. Now it's often too fucking difficult to get your money out of the bank, coz they think you're a criminal, and you have to prove you're not.

          I recently closed my Virgin account because the 2FA didn't work. 2FA supposedly exists coz of 'money laundering -- for your security.' So what do you do when the system refuses to send the one-time PIN to your phone? You ring them up. And the cunts[1] refuse to answer the phone, until I'd been waiting 30 or 40 minutes. 'Try it now, sir.' Wow, suddenly it works again. 'Must be a glitch, sir.'

          Glitch my arse. I decided there and then to close my account. I don't want to find them not answering the phone at all.

          [1] To be fair the cunts are not the ones at the other end of the phone, but the ones who refuse to employ enough people to man more phones. Because that way they can save more money, doh! Cunts.

  7. Snowy Silver badge
    Joke

    Smarter than the average bear

    Is that Winnie-the-Pooh level or something smarter like Yogi Bear?

    1. Mr Dogshit

      Re: Smarter than the average bear

      I'm just here for the pickernick baskets
