* Posts by Aodhhan

684 publicly visible posts • joined 25 Apr 2008


SOHOpeless Cisco wireless kit needs critical patch

Aodhhan

CISCO and Oracle

Two vendors (and their underlying companies) whose products you should avoid.

1- Their products are overpriced (especially Oracle database)

2 - They patch when they feel like it (no concept of emergency patching), this is if they do not consider the problem a 'feature' or if you can work around it by shutting off a service.

3- Their customer service / maintenance engineers seemingly have no clue about how networks run, the basics of TCP/IP and only know about 30% of their products.. so you keep getting bounced around. So apparently, all the money you pay them doesn't go into employee salaries.

Russian government hackers spent a year in our servers, admits DNC

Aodhhan

Typical Democrats

Democrat leadership as a whole believe they are above the fray, entitled and don't have to live by the same rules as everyone else. This attitude creates ignorance to rules, regulations and best practices to many things including information security.

The leadership in the White House, with this attitude allowed intrusion after intrusion into their own systems. Post mortem analysis showed misconfiguration and failure to follow NIST and DISA guidelines which had been in place since 2007; such as certification and accreditation practices.

Once again their attitude and ignorance bites them. Maybe they did get into financial records... maybe they didn't. Those in the Democrat Party with any power have been caught in so many lies or spin statements, there is no way you can believe them.

I like how they say... they went after 'communication'. Which means, all email, text, messaging, etc. was breached. Heck, with this information they wouldn't have to go after database files. I'm sure much of this information was sent to the DNC via email. Not to mention all the information gathered from messaging and text.

Perhaps they don't have much on Donald Trump, but what about emails and other damaging communications which come to light which could indicate the DNC is behind demonstrations which became violent, resulting in injury to people and damage to property.

Democrat philosophy: You must be robots, you can't have your own thought on issues, you must believe ours. If you don't, then we do everything to destroy you. Also, we say we're the compassionate party, but really we aren't. <-- Lovely, considering the USA was built on the notion, that people should be able to think freely, encourage debate, and critical thinking.

John Gunn is an idiot who makes his company look bad. You can't make a statement like this unless you've been hired by all political establishments in a capacity which allows you to have enough knowledge to make this statement. Don't just 'guess'.

Realistically, any political establishment with a brain wouldn't host their own servers (like the DNC did), they would use a 3rd party hosting service which typically brings the costs down and increases security. Apparently, the DNC wanted to host their own systems... why do you think this is?

Go ahead, give me a thumbs down because you just read the title instead of the whole comment.

China pledges tighter privacy as it centralises personal health data

Aodhhan

So what we'll see

...is an increase in China IPs attacking companies who build healthcare management applications, as well as hospitals themselves in an attempt to steal this information.

You don't expect them to create it themselves, do you?

Fresh hell for TalkTalk customers: TeamView trap unleashed

Aodhhan

GEESH.

Okay, so dump both.

Makes me want to install and start using these to see if I get a request to "fix" my computer. Then tell them I really need to run a small VPN program (but it's really malware) to do my job, but it won't work, and see if I can get them to download and run it. Then turn the tide, since I know what services they will have available.

Let's Encrypt lets 7,600 users... see each other's email addresses

Aodhhan

You do get what you pay for, especially when it's free.

This will not be the last time something happens with this company.

Not to say this company doesn't have some talented people working for it; however, since their revenue isn't as high as other CAs, they aren't likely to pay their people as well. Which means they're more likely to fill many more positions with people who don't have much talent or experience. You know where this is going.

For individual users, not a big deal... as long as you aren't storing a bunch of embarrassing things. For companies... it's another story.

Tell us, evil phisherfolk: What's wrong with Angler Exploit Kit?

Aodhhan

Blah.. this isn't news.

Once people get access to the shiny new toy they play with it a while. This doesn't mean they throw away the old toy, and they will surely go back and play with it again.

This is the way with everything. Another lazy article written by guess who.

Yeesh.

Forget Game of Thrones as Android ransomware infects TVs

Aodhhan

WONDERFUL!!!

A way of getting to televisions in order to get millennials off their butts. If this can kill game consoles at the same time, we just might be able to get them out of their mom's house.

North Korea hacks 140k computers in planned mass attacks on Seoul

Aodhhan

Don't you wonder...

Just how much of the information was set up to be misinformation.

Seriously, F15 wing blueprints? Something drawn up more than 40 years ago and not exactly something which is classified.

Perhaps they managed to steal some blueprints which were drawn up to fail... causing waste of time and money. You can bet on it.

If N. Korea would put some money into their school systems as well as ensure their people managed to have the same caloric intake as their leader, they wouldn't have to resort to being thieves.

Man-in-the-middle biz Blue Coat bought by Symantec: Infosec bods are worried

Aodhhan

Yeah, this is crazy but....

During penetration testing, I can conduct a MiTM attack on users quite easily because more than 80% of normal users and 25% of privileged users will click through a warning window. I get everyone's skepticism and love to push out anger like a bunch of grounded teenagers, but considering the seeming love-fest with clicking through warnings, what Bluecoat -- Symantec did with certificates is pretty much nothing in comparison to the real problem.

You'd be shocked by the amount of businesses which don't implement proper PKI within their own environments, which only makes the problem worse. This trains people to click through warnings!

Remember you can untrust a certificate and a CA, it's a lot harder to get people to not click warning messages.

Aodhhan

Re: Prepare to get stung (again, and again) by the Yellow & Black peril

Control of the certificate was never lost, it was 'supposedly' maintained by Symantec.

They have a history of killing acquired technology?? You get this based on what?

Did you apply to be a maintenance worker at Symantec and get turned down or what??

I'm not a Symantec fan, but seriously... you're an angry person who lets their emotions bypass the cerebral cortex.

Penn State University network sacked by China malware blitz

Aodhhan

Cost

For the cost of what they will pay to recover data and have security consultants in to scrub their system, they could add PKI to their student ID cards and mandate 2 factor authentication.

Aodhhan

Re: The US will be the biggest loser in a Cyber War?

Oh how little, so very little you know.

Government regulation will clip coders' wings, says Bruce Schneier

Aodhhan

Pfffttt..

With our current crop of politicians... we won't really have to worry about this for another 5 years.

It only takes about 4 or 5 people to scream loud, and some politician will be the opposition for them.

Sophos U-turns on lack of .bat file blocking after El Reg intervenes

Aodhhan

Sophos is the new Oracle?

The old Oracle statement... we'll get to it when we want to (or when they can contract in a good developer to fix it). Until then, consider this a feature.

Your comms metadata is super-revealing but the law doesn't protect it

Aodhhan

Think

I like the post about the politicians thinking one way on one topic and another way on a similar topic. This is very true. It's our fault though, when we keep electing these idiots.

Discussing the metadata and how it's so much different now than it was 30 years ago. It really isn't. Just because technology changes, doesn't mean everything about it is different. Cars have changed dramatically over the years. However, they still have wheels, an engine, brakes, lights, etc.

Phone systems, just like TCP/IP packets are routed through a series of switches or switch boards, at each dumping some metadata.

Just like today, there were third parties all over the place for phone transmissions. Especially back 30-50 years ago when there were many phone companies across the USA. Your transmission from one state to another could be routing through several different phone companies.

If there is a difference, it's because we allow ISPs and those running web services to set up third party advertisements etc. to grab the information. This isn't because the Internet is more complex, it's because the endpoint sets this up.

What's next... you're going to outlaw the police from doing investigations... like following criminals to see where they hang out, what they drive, who they associate with, where they do business, their day to day procedures, etc? All because this is metadata?

Or... will we stop having people register homes they buy, cars they drive etc. with our local governments because we have to hand over metadata?

Finally, law enforcement pretty much has their hands full. They aren't wasting time grabbing your metadata if you're not suspected of being a criminal.

You're smarter than to let people tell you, "the sky is falling".

Calgary uni pays ransomware criminals $20k for its files back

Aodhhan

Wow... well, you know.

The costs will be a lot higher to go through all their systems and ensure there aren't any malicious files and malware put on them. It's not uncommon for criminals to give you your network back, with some attached malware/backdoors hidden very well throughout the network. Especially on network devices and DNS, which admins don't typically keep a close eye on.

Hey, but you may have your data back and you managed to encourage and provide motivation for more criminal activities like this. I'm sure those taxpayers are happy with your decision.

Juniper: Yes, IPv6 ping-of-death hits Junos OS, too

Aodhhan

IPv6

When pen testing networks, I find it humorous how easy it is to use IPv6 exploits. Too many companies have their entire network dual homed, from their external router to user endpoints and servers. Yet, nothing uses it. Therefore, it's rare for IPv6 to be configured correctly or a good security posture maintained.

If you're not using IPv6 for anything... shut it off!

By default, Windows will activate it on your NICs, so you need to go in and ensure it's unchecked.

FBI tries again to get warrantless access to your browser history

Aodhhan

Not Accurate

First off... they cannot obtain your browser history, as stated in the first paragraph of this article. Once again, this site provides reporting which is inaccurate and lazy.

Second... this is the same basic information they can obtain when asking for someone's phone information from your telephone company. Things like call history, who you called, who called you, length of call, how you pay for your bill, etc. Without actually listening to your phone conversations.

So this is asking for the same crap for your connection to the Internet. Like routing history, how you pay for your bill, etc.

Third, they still cannot actually get into your system without a warrant. Typically in the USA, once you do something with a third party or use a public medium doing it, your right of privacy ends.

This is still a lot less invasive than most countries. Especially countries where services like ISP, telephone, etc. are either run by the government or subsidized... and therefore can pretty much do what they wish. Always cracks me up when another government person shakes a finger at the USA for doing something their country is already doing, and probably with much stricter policies.

Consider this... there are a lot of people in the USA. The government doesn't have the resources or the people to go after just anyone doing something minor. If they suspect something, get a warrant or watch you... as soon as they figure out you're not doing anything wrong or it's something so minor they don't want to waste the manpower on it... they move on. There's always bigger fish to fry.

Don't let other people or conspiracy theories freak you out or put fear into you. You're smarter than this.

If you aren't doing anything wrong. Aren't committing felonies, hurting anyone in any way or planning to hurt people.. you're safe.

If you're not a criminal, this information should comfort you. After all.. it allows the Justice Department to find criminals who steal your identity, take your money and data. Not to mention find people who are out to hurt others and your family.

Cyber burglars love to pillage Euro businesses they've pwned before

Aodhhan

You're right! Don't forget the part where they're also in their underwear.

The Fog of Cyberwar: Now theft and sabotage instead of just spying

Aodhhan

Offensive Capability

I believe your list is a bit off on this. Taking into consideration the number of trained troops along with computing power for OFFENSIVE cyber operations capability. The list is probably closer to being: Israel, China, USA, Russia. South Korea could be in the top 5-7 within a few years with the help of China.

The USA isn't number one as they were late getting into the OCO arena, and are just now starting to get a large number of people trained. However, the USA by far has the best defensive cyber operations capability, computing power, as well as some other aspects of the cyber war game. DCO was given a higher priority than OCO until a few years ago, when OCO began to become a priority.

USA also has a disadvantage of military downsizing, dwindling funds, and there are some war legalities in allowing civilians to do targeted offensive attacks. So these types of operations must come from military personnel.

'Irongate' attack looks like Stuxnet, quacks like Stuxnet ...

Aodhhan

Another crappy article by Pauli

Industrial control system malware are complex beasts in large part because exploitation requires knowledge of often weird, archaic, and proprietary systems.

- You mean creating malware for exploiting SCADA systems, right?

- This is pretty much the way it is for many systems. Not limited to SCADA.

- Still not sure if it's the malware which is a complex beast or the SCADA system.

The steep learning curve required to grok such systems limits the risk presented by the many holes they contain.

- Steep learning curve limits the risk? This is hardly a mitigation to score risk against. Multiple vulnerabilities trump the 'learning curve' any day given the probable damage

- Even in this case, if we simulate a high difficulty in launching an attack (different from a 'learning curve'), it's still high risk given the probable damage.

- ...and of course, unless someone creates an automated application so anyone can launch the attack against this particular application/system.

The malware is also unique in that it employs man-in-the-middle attacks to capture normal traffic on human machine interfaces to replay it in a bid to mask anomalies during attacks.

- Hardly unique. This technique has been employed for YEARS in various forms

Air-gapping SCADA systems won't help you, says man who knows

Aodhhan

Lakhani is a salesman, so what do you expect him to say?

Whenever a statement like this is made: first determine if he's attempting to sell you something. In this case he is. So of course he's going to say anything to get you to look at his solution.

In this case, he's using fear tactics... whenever a salesman does this, run away. If fear has to be used as a tactic, then the product cannot stand on its own or it isn't special or unique.

Second... remember, this is information security... there is no "sure fire, all perfect wall of security".

To say "air gapping" a system is going to fail, because most systems aren't truly air gapped isn't exactly a revelation in line with the burning bush on a mountain. In fact, I'd say it isn't air gapped.

An isolated network (air gapped) used to run SCADA systems is much more secure than a network attached to other networks... which eventually attaches to a cloud of other networks. This is a "duh" moment.

However, no network will be secure unless there are security policies put into place, all devices and systems properly configured, encryption used, monitoring, log management, account/privilege control, etc. You know, the things we call defense in-depth. Just because the system is isolated doesn't mean you can dismiss security devices and defense in-depth. Failure to do so is why isolated SCADA systems are breached.

There are millions of isolated networks running SCADA systems all over the world which haven't been breached. Nearly every large size business uses them. Just ensure you engineer the same security solutions along with monitoring you do with all your other network enclaves.

Don't let some shady salesman use fear to take your money. You're smarter than this.

Chinese bit-squatter information thieves dupe Taiwan Govt site

Aodhhan

You're right about this; however, Taiwan is able to use this to garner support in their bid to separate from China's government, provide TTP details to other governments, and show progressive areas of China (such as Hong Kong) what is being used to affect their local economy (not to mention, quietly fund the Chinese government through theft).

65 million millennial blog bores' Tumblr logins ... for! sale! on! darknet!

Aodhhan

It doesn't matter...

It doesn't matter how strong your password is, if it isn't protected by the application holding it.

Yet again, a corporation who should know better didn't follow best practices. Which is really ridiculous. We learned waaaay back when LANMAN hashes were being picked apart (pre 2006) that it didn't matter how strong your password was, it was going to get taken apart in hours if someone could get the hash.

Everyone also found out in 2011, you once again needed to update your encryption and ciphers for data at rest and in transit. Then again with OpenSSL, etc. etc.

I imagine something else will come along in the near future. Something everyone who stores credentials needs to be prepared for and stay on top of.

Scrum.org hacked, may have lost crypto keys and some user data

Aodhhan

Re: Storing passwords that can be decrypted...

yeah, it's a shame isn't it?

Considering the extent of the compromise, I have to wonder about their defense in-depth strategy.

Especially when there isn't anything which triggers alarms and bells when a local account is created on a public facing server.

Also... in this day and age, start using web hosting applications coded in HTML 5.

..and I will ROFLMAO if we find out it's built using something like WordPress.

Oracle eBusiness Suite has 'huge, massive, ginormous' pwn surface

Aodhhan

Old news

Everyone in InfoSec knows that each Oracle application you use on your network decreases your security posture immensely. We stopped using all Oracle products over a year ago and have gotten rid of any applications using Java. Makes patching much easier.

Every application and OS will need patching, but when you take over 2 years to fix some items and use the general public at large to do your security testing (while charging them to use the product)... it just isn't worth the risk.

IBM warns of 'bug poachers' who exploit holes, steal info, demand big bucks

Aodhhan

Coddle them

Give them some money, then impress on them to become contracted analysts for your company.

Convince them your InfoSec team is young and inexperienced...so they can use a consultant.

Fly them in to sign the contract and collect their bonus.

...then ask the officer to come into the room and slap the cuffs on them.

Windows 10 zero day selling for $90,000

Aodhhan

90K for a LOCAL escalation? C'mon.

Not to mention the fact, you can buy CC numbers for less than $10 each. $90K will go a long way purchasing them without taking the risk of compromising a system and trying to get a local account to escalate.

Microsoft warns of worm ransomware, finds fix in Windows 10 upgrade

Aodhhan

Appears a lot of 11 year old girls are posting.

Let's all bitch about having to upgrade... something you have to do with any OS, application, architecture etc. What, you don't want to upgrade so a problem is fixed? ...then stop griping; you've made your decision so stand by it like an adult.

...and give a pass to the morons and cheats who write the malicious code. This way when you do become a victim, you can be happy with the fact you didn't upgrade.

These big-name laptops are infested with security bugs – study

Aodhhan

Really?

What do you do the reinstall with, the disks which come with your system? Pfftt.. you're just reinstalling the same crap. Look thru the registry after you do the reinstall and you'll see. I don't see most people purchasing a new laptop which comes with an OS, reformatting it and purchasing a clean copy of Microsoft or Apple OS.

Get outta here, officer, you don't need a warrant to track people by their phones – appeals court

Aodhhan

Makes perfect sense

Your phone is sending out breadcrumbs when talking to cell towers; essentially leaving footprints. Just like footprints in dirt, the police don't require a court order to follow them.

So while they're able to follow this, it doesn't allow them to actually search the devices without an order.

It's amazing how people love to shout out the obvious, "leave the phone at home", or use a one time phone, etc. As if they're the only individual who can provide this secret information. Then there are those who get a little bit crazy.

Yet... I wonder how liberal they will be on this once they become a victim. Karma is a B.

SWIFT finally pushes two-factor auth in banks – it only took several multimillion-dollar thefts

Aodhhan

Of course they can track where the money went...

right to a bank where the laws protect banks from having to release any detailed information about the account holder. Oh, c'mon... you know where I'm talking about.

Infosec newbie looking for entry level training? So is SWIFT

Aodhhan

Re: Any evidence SWIFT was hacked?

Yes. Recent reports show it was partially at fault for the initial breach out of the Bangladesh bank in Feb 2016, and then was breached again in April 2016.

Oz infosec boffins call for mature threat debate

Aodhhan

Doesn't all fit.

While I agree, there needs to be an increase in the budget... you can't use overall GDP as a ratio to determine how much money is required. Why? Well... because the technologies and commerce protected by cyber security in the USA far exceeds a factor of ten. To name a few examples: computer system R&D is more than 10 times larger, as is public telecommunications, public network infrastructure, and systems protecting space and military systems. In other words, the potential loss in the USA exceeds a factor of 10 from those in Australia.

These are all just government systems. I could launch into the public sector, but then it just gets crazy in figures. Plus, the USA government doesn't provide a lot of funding for cyber security for private commerce, outside of universities, certain R&D grants and government contracts and underlying infrastructure.

While it is likely some of your government's systems have been breached, you can't just say this without extraordinary proof and accurate estimates of loss. If you have good InfoSec professionals, they can audit networks, find this out and provide the proof you need. Or... ask another government's red team to come in and scare the crap out of them.

Better is to stay on track using risk analysis and estimated cost figures from breaches, loss of data, etc. If you can't get over 1 Billion on this, especially since the country is way behind the curve to begin with... then someone else should do the job. You have to speak their language. If you can't convince them they stand to lose more than 1 Billion (or their pukey jobs), they aren't going to spend 1 Billion.

Dedupe, dedupe, dedupe dedupe dedupe... Who snuck in to attack Microsoft Edge?

Aodhhan

Re: dedupe? wtf? why?

Because it's A LOT faster and allows more uniformity.

Unless you want to go back to the coding days where you really had to worry about where things were put into memory to ensure there were no conflicts. Manual memory management was a pain in the arse when most programs were less than 512K. Now programs require gigs of memory, it would take forever just to get it out the door by a team of people dedicated to it. Even then, you'd gripe because you'll use a program only to find it conflicts with another, and crashes. ..and if you think memory leaks are bad now. HA!

Again I say, half the people who post are below average intelligence... but it's probably a lot higher when it comes to knowledge of computer theory.

Aodhhan

Re: Awaiting a "fix" from MSFT...

This isn't a Microsoft problem; this is a computer theory problem (there are many of these) which can be alleviated by the operating system. In this case, the problem is how memory itself is deduped, stored and secured.

It's likely other operating systems will find the same or similar problems since all use deduplication to handle data. Not only in memory, but on permanent storage media as well. Pointers instead of duplicate information are used all over the place to save time and space.

You've patched that Flash hole, but have the users? Phone's ringing. It's for you

Aodhhan

Re: Reason #349187 to block ads...

Might be socialist in Europe, but here in the USA it's the FUBAR economic system.

Quiet cryptologist Bill Duane's war with Beijing's best

Aodhhan

Re: Easy fix

It's true... half the people who post are below average intelligence.

Sure, use Linux because as a penetration tester... I can say it's no more secure than Windows.

This scenario has been played out many times in the networking labs at nearly every university with computer system theory degrees.

Imagine if everyone in a company used Linux, Ubuntu, etc. on their desktop. In practice it's easier to get a foothold into a network if this is the case. Far more open source apps built without security in mind. Linux has no real effective whitelisting in place to alleviate this. This is just one attack vector. There are many.

Keep spouting Linux is more secure. It shows where you are on the bell curve.

Palo Alto IDs another C&C-over-DNS attack

Aodhhan

DNS

I hinted at this yesterday. DNS is a fantastic method of moving information into and out of a compromised server because it bypasses ALL SECURITY on a network. I've used it many times when penetration testing. It compounds the problem when all the DNS servers in an enterprise pass information back and forth to each other. Lets a hacker pivot to so many other different devices and servers in a network.

Even if you set DNS up correctly and securely (including encryption)... you can always get someone to open up a phishing email to start running things with their privileges/credentials (so encryption is now moot) and then pass the info back/forth via DNS. Info, including... DoS or C&C info. Again... bypassing all security devices. A savvy hacker will encrypt the communications to make it even more difficult to notice.

I loved how I got thumbs down yesterday for telling people (individual users) they're nuts if they run their own DNS servers at home. To protect DNS takes more than a typical SOHO firewall/security device. If you run a DNS server out of your home, you have a pretty sizeable security hole you cannot fix cheaply.
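The DNS channel discussed in the comment above can be looked for in resolver query logs. The following Python is an added example, not part of the original post; the log format, thresholds, addresses and `.example` names are assumptions constructed for illustration. It flags client/domain pairs that send many distinct, long, high-entropy subdomains, while leaving ordinary browsing and a CDN with many short hostnames alone.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict

# Illustrative thresholds (assumptions; tune against your own baseline).
MIN_UNIQUE = 5      # distinct subdomains seen per client/domain pair
MIN_MEAN_LEN = 20   # mean subdomain length in characters
MIN_ENTROPY = 3.5   # Shannon entropy in bits per character


def shannon_entropy(text):
    """Bits per character of the character distribution in text."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(qname):
    """Return (subdomain, base domain). The base is naively the last two
    labels; production code should use the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_line(line):
    """Parse the assumed log format 'time client qtype qname'."""
    parts = line.split()
    if len(parts) != 4:
        return None  # skip malformed lines rather than guessing
    _time, client, qtype, qname = parts
    return client, qtype, qname


def find_suspects(log_text):
    """Group queries by (client, base domain) and flag tunnel-like pairs."""
    subs = defaultdict(set)
    qtypes = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, qtype, qname = rec
        sub, base = split_name(qname)
        if sub:
            subs[(client, base)].add(sub)
            qtypes[(client, base)][qtype] += 1

    suspects = []
    for (client, base), names in sorted(subs.items()):
        mean_len = sum(len(n) for n in names) / len(names)
        entropy = shannon_entropy("".join(n.replace(".", "") for n in names))
        # All three conditions must hold: volume alone (CDNs) or one long
        # name alone (tracking hosts) is not enough to raise a finding.
        if (len(names) >= MIN_UNIQUE and mean_len >= MIN_MEAN_LEN
                and entropy >= MIN_ENTROPY):
            suspects.append({
                "client": client,
                "domain": base,
                "unique_subdomains": len(names),
                "mean_length": mean_len,
                "entropy": round(entropy, 2),
                "qtypes": dict(qtypes[(client, base)]),
            })
    return suspects


def build_sample_log():
    """Constructed sample data, not real traffic."""
    lines = []
    # Ordinary workstation: a few repeated, short hostnames.
    for i, host in enumerate(["www", "mail", "intranet", "www"]):
        lines.append(f"10:00:{i:02d} 10.0.0.5 A {host}.corp.example")
    # Chatty but benign: many distinct short CDN hostnames.
    for i in range(8):
        lines.append(f"10:01:{i:02d} 10.0.0.7 A img{i}.cdn.example")
    # Tunnel-like: every query carries a fresh 32-character encoded label.
    for i in range(8):
        chunk = hashlib.sha256(f"constructed-{i}".encode()).digest()[:20]
        label = base64.b32encode(chunk).decode().lower()
        lines.append(f"10:02:{i:02d} 10.0.0.9 TXT {label}.tunnel.example")
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in find_suspects(build_sample_log()):
        print(finding)
```
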

Blighty's National Cyber Security Centre cyber-reveals cyber-blueprints

Aodhhan

Good Luck

If the UK can figure out how to accomplish this, please show the US government. Corporate lobbies have shut this down so hard that both sides of the political spectrum have given up in Washington.

The six stages of post-security incident grief avoidance

Aodhhan

Nothing new

Same steps which have been done for more than a thousand years. People have prepared and learned using incident response long before computers were invented.

Only the details have changed with technology and methods/mechanism of attack.

Only here, once again Mr. Pauli has confused things by trying to be cute. Grief from an incident is far different than the response. Don't mix them. Also, if people want to avoid grief... they need only follow one step: Stop breathing.

ICSA Labs wants IoT industry to seek security certification

Aodhhan

Good Luck

IoT is basically "SCADA for the masses" and we all know how poorly SCADA system security is lagging by corporations who know better. Here, Verizon is up against a typical Joe configuring their own system, as well as every corporation who puts a processor and a NIC on any device they make.

Any attempt to put together and implement costly standards will be met with huge resistance by a large amount of corporate lobbies; no matter what country you're in. The general public won't really care until some hacker manages to lock down someone's kegerator.

I wish them luck.

IETF spikes government metadata collection with DNS request crypto plan

Aodhhan

DNS Attacks

Amazing.

For most individuals, you have no control over your DNS server. This is all controlled by your ISP, who likely has already established secure methods of encryption among forwarders as well as using firewall technology like Infoblox to ensure it is safe from malicious attacks.

If you're a home user who has set up your own DNS server you have provided an excellent means for a malicious hacker to get into your network. It's unlikely you have it set up correctly and have the funds to use a technology to keep this port protected. DNS is a great way to move things back and forth from a victim machine, bypassing any SOHO firewall. Also your HIDS or antivirus won't detect a thing.

What's funny is how people freak whenever they suspect the government might use metadata, but click "OK" to every business and freak who wants to track them whenever they use an app or service.

Nor does anyone have a fit when this metadata is made available by all (including governments) when there is a breach.

Governments don't have to own DNS servers to get your metadata... you've been giving it to them for a very long time, along with Google, Amazon, etc.

Next-gen Tor to use distributed RNG, 55-character addresses

Aodhhan

Re: and now for something completely random

To be more specific:

Entropy is a measurement (well a range~predictability vs uncertainty) typically outlining disorder in communication through mathematical means. It's not the actual disorder.

You're basically saying something odd like, the desert has enough Celsius.

Aodhhan

Re: and now for something completely random

This makes no sense. Entropy is an expected value of information. Not the information itself.

It's cute you're trying to use words though. :)

ENISA / Europol almost argue against crypto backdoors

Aodhhan

Re: How can they protect us from NSA

You're assuming the intelligence service in your country never spies on other countries.

The NSA is just the tip of the iceberg. Nearly every country has an intelligence service, and they all spy on other countries; even allies. If Europol went after the NSA, they'd have to go after everyone.. including themselves.

A backdoor may not respect jurisdictional limits (WTF this means), but it can be subject to many different types of jurisdictions.

Before you freak out about installed back doors, learn something about how encryption works. There are ways to make an installed back door very secure. A lot more secure than say... the method most people use to login, with their weak and often overused password.

What you should be concerned about are the mountain of vulnerabilities available as an attack vector, which is what criminals (who are the real threat here) will use. I don't hear you griping about this.

US government publishes drone best practices

Aodhhan

Means nothing

This is just a waste of taxpayer money. What's worse, this sort of action allows individuals like this author to read into and interpret something which isn't the case, and isn't the intention of the statements within.

This is the FAA's jurisdiction. Commerce department can put out a voluntary guide for anything... it doesn't mean the ruling department (FAA in this case) has to look or consider it.

Another look into the Obama administration and how inefficient it is.

Malaysians using South African cards pinch US$12.7m in Japan

Aodhhan

Re: Long time period?

Adding:

The average taken from each machine is $9000.

It's likely not every machine had this much left in its inventory, but many will have more.

If the maximum you can take out is $900 per card, per transaction... then you can run thru 9000 in just 10 transactions to empty the ATM's inventory (this cross checks with the number of transactions). So it's likely the ATM was emptied in less than 25 minutes.

Depending on distance between ATMs, the ATM's inventory, etc... one person can drain 4-7 ATMs in 2 hours.

Given these numbers, the number of people who took part will be closer to 250; not 100.

Snowden: NBN leaker raids a 'misuse' of Australian Federal Police

Aodhhan

Snowden isn't an academic by any means.

I love it when someone in their 20s, without any formal education (in anything) believes they've had so much experience, they understand and know it all. Especially when it comes to the laws of a country they've never studied or set foot in. Oh.. someone I know said this? I must repeat it.

Just so you understand... the government of any country has the responsibility to protect its citizens. So, instead of just ranting off what you believe to be the law in a country you've never set foot in... stop and look through the action and first see if they are protecting citizens and second.. did they follow the law.

The part you look at first... best interest of a few, or a political action, should be done later.

Apple: Another bug fix. Er, thanks, GCHQ

Aodhhan

Stop overthinking stupid things and use your brain on something productive.

It's the release of some information about a vulnerability. Don't overthink it.

People get so wrapped up in hate and stupidity. Then instead of thinking through the item objectively, they just repeat something they've 'heard'.
