* Posts by MasterofDisaster

29 publicly visible posts • joined 27 Jan 2014

Cyberattack brings down InterContinental Hotels' booking systems


IT systems - which ones?

In this case it sounds like it may have been more than reservations systems being breached. When they say "IT systems" it could be anything from access control systems that open your hotel room door to the laundry operations. Hope they are transparent with exactly what happened here and to what extent.

DeadBolt ransomware takes another shot at QNAP storage


Re: Can't imagine exposing a QNAP NAS to the web

If it's in a business environment just make sure no one is able to change configurations to punch-through and gain internet access.

Hacktivists breach Verkada and view 150,000 CCTV cams in hospitals, prisons, a Tesla factory, even Cloudflare HQ


Not again!

The irony of course is that Verkada bills itself as the solution to all the other camera vendors being insecure. Maybe they need to reassess having half the company in sales, instead of engineering. Yet another wakeup call for operators of physical security systems (IoT) to get some religion around updating firmware, managing certificates, and more comprehensive password management (i.e. what IT security has been doing for years).

So, bye-bye mighty nerd haven Fry’s, took Silicon to the Valley... and now you must die


a next chapter?

Hoping at some point to learn why the past few years they had cavernous stores with virtually nothing in them. Hard to imagine there isn't some dirt to be shared on money laundering or similar; how else did they stay afloat this long? On the other hand, Macy's seems to be doing the same trick :)

Hipster whines at tech mag for using his pic to imply hipsters look the same, discovers pic was of an entirely different hipster


King Missile - "Saturday" Lyrics

I want to be different, Like everybody else I want to be like

I want to be just like all the different people

I have no further interest in being the same

Because I have seen different all around

And now I know that that's what I want

I don't want to blend in and be indistinguishable

I want to be a part of the different crowd

And assert my individuality with others

Who are different like me

I don't want to be identical to anyone or anything

I don't even want to be identical to myself

I want to look in the mirror and wonder

"Who is that person? I've never seen that person before;

I've never seen anyone like that before"

I want to call into question the very idea that identity can be attached

I want a floating shifting ever changing persona:

Invisiblility and obscurity

Detachment from the ego and all of it's pursuits

Unity is useless

Conformity is competitive and divisive and leads only to stagnation and death

If what I'm saying doesn't make any sens

That's because sense can not be made

It's something that must be sensed

And I, for one, and incensed by by all this complacency

Why oppose only when there's a war?

Why defend the clinics only when they're attacked?

Why are we always reactive?

Lets activate something

Lets fuck shit up

Whatever happened to revolution for the hell of it?

Whatever happened to protesting nothing in particular, just

Protesting because its Saturday, and there's nothing else to do?

Songwriters: John S. Hall / Roger Murdock

It's Saturday lyrics © Warner/Chappell Music, Inc

Quit that job and earn $185k... cleaning up San Francisco's notoriously crappy sidewalks


Re: That's some seriously hard of thinking

Just to correct, California does not have "negative population growth" - since the 2010 census California has grown at 6.1%, compared to the US overall at 5.5%. Further compounding all these issues.

Greybeard greebos do runner from care home to attend world's largest heavy metal fest Wacken


No Grateful Dead references?

Forgive the paraphrasing, but one of my favorite Grateful Dead lyrics seems appropriate here, from Saint of Circumstance:

"If I can still walk, then I'm sure that I can dance"

With Phil&Friends, Dead&Co, and others rocking in their 70's, these German festafarians are the leading edge of a wave we can see coming.

Not so private eye: Got an Axis network cam? You'll need to patch it, unless you like hackers


Automated patch management

Have to give some credit to Axis that was not pointed out in the article - they are one of the leaders (along with Viakoo) for developing automated ways of updating firmware on cameras. The reality of surveillance cameras is they have been "set it and forget it" for a long time, and the idea of updating firmware is genuinely new to the industry. Without an automated firmware update mechanism camera vendors may as well not bother; it's unrealistic to have the facilities guy on a ladder with a USB updating the hundreds/thousands of cameras across a large enterprise.

Vlad that's over: Remote code flaws in Schneider Electric apps whacked


Another wake-up-call

The reality underlying this story is that many industrial organizations are ill-equipped to handle firmware updates at scale and safely. In many cases the facilities team (not IT) control the infrastructure, and are not used to pesky firmware updates. Last year Trend Micro estimated that over half of security cameras they tracked in North America had one or more malware agents on them....and probably still do because most camera firmware updates are done with a guy on a ladder sticking a USB in (a process that doesn't scale). Some camera vendors and third parties are developing automated capabilities, but if Schneider thinks updating device firmware will solve things let's hope it's fully automated.

Three storage hardware devices, a cash raise and Oracle gets blocked


Cameras are becoming better attack surfaces

Trend Micro reported last year that 51% of cameras they tracked in North America had one or more malware agents present (mostly undetected). More smarts in the cameras might mean better cyber-protection for them, but might also make them a lot more attractive (and effective) as attack surfaces. Combined with most cameras being maintained by physical security staff (and not IT), will be interesting to see how the hackers exploit a lot more horsepower.

HPE inks object storage reseller deal in EMEA – with Cloudian


HPE has a number of options in object storage; the deal announced with DDN did not mention their object storage (WOS), but wouldn't be surprising if WOS ended up resold by HPE in certain markets (like HPC). Seems like HPE is doing the right thing by bringing in Cloudian (and DDN, and Scality) to grab as much market as possible. Sorry Scality.

Toss your day job. Start a backup company. Sorted



The third cohort ("the strivers") have a lot of companies that are barely treading water, gaining new customers slowly and living off the maintenance revenues. These are zombie companies more than powerful R&D houses. This means stagnation and decay over time. Would expect to see this cohort either die off or get gobbled up by the other two. No way can the third cohort thrive-survive-strive over time.

Seagate hauls out fat form factor throwback hard drive


It never made sense to flog very high capacity into markets like video surveillance - the drive rebuild times are too long! This offering seems to make a lot more sense in a market like surveillance where lowest price and shortest recovery time is needed.

Turns out there's a market for marijuana... plants' video surveillance


Buzz killer

The broad issue in selling storage for video surveillance is the incredibly long sales cycle; a lot of deals take 12 -18 months to close and there is a race to the bottom with pricing. Few storage vendors (or their salespeople) have the stomach for that.

On the other hand, what I thought this article was going to go into is how Colorado and other places have codified seed-to-sale video surveillance and multiple months of needing to retain that data. The combination of specific regulations, long retention periods, real audits and compliance checking represent an opportunity not just for storage, but for service assurance, IoT, and other physical security technologies. Video surveillance is often run in very shoddy ways (many reports of less than 70% uptime), so legal weed might be one of the few places where real IT skills and technology are wanted in physical security.

Surveillance camera compromised in 98 seconds


Another check is to set thresholds on bandwidth used by the camera; typical usage is relatively stable, and if infected you should pretty quickly get an alert. It's amazing to me that with this going on for a while that multiple layers of both prevention and detection are not being employed.

25,000 malware-riddled CCTV cameras form network-crashing botnet


Physical security got to the party very late....

Physical security is still analog in many places, and the move to IP is probably the slowest of any major industry. Hackers finding the weak point and exploiting it - not surprising. What is surprising is the shocking head-in-sand approach by many security integrators who are being paid maintenance contracts to make sure this stuff works (note: IT MSPs don't cover this stuff for the most part, and it's a huge missed opportunity for them because of how behind the times the security integrators are). Apparently working and being secure are two completely different concepts to a security integrator.

Like IoT in general, in physical security it seems that basic IT needs like "operational intelligence", "service assurance", "monitoring", and "cyber-security" are weirdly lacking. Adding real IT competency would prevent situations like this.

Ironic: CCTV systems slide open a backdoor into your biz network


Lack of IT/Physical Security coordination

Well known issue in physical security: the stuff is all IP-based, but almost never directly run or managed by IT. It's run by physical security teams, who need to retain/control their empire, but don't know much about IT. Scratch the surface and that's why you find that most video surveillance systems have an uptime of 70% - they simply are not managed or treated as IT systems. Anyone know of something your IT team manages with a 70% uptime? Didn't think so.

Tandy 102 proto-laptop still alive and beeping after 30 years, complete with AA batteries


Mine still works too!

Have it on my desk at work; still powers on and works like a champ, but not really using it for anything. Anyone have an acousticoupler to hook to up at 300 baud to the intertubes?

Is tech monitoring software still worth talking about?


Monitoring is critical to "broken glass" policing

If your not monitoring it is very likely the overall organization sees more "broken glass" than they should, thus forming a view of IT and the overall system. In some places that's okay (lots of IT teams carry forward with a poor view of their efforts), but if the "broken glass" is something mission-critical to the company then it is hard to see not having monitoring specifically tuned to that mission-critical element. For example, if you manage an IP-based video surveillance network and it is very visible when it fails (e.g. bank heist with no video footage), you'd be foolish not to have a purpose-built monitoring tool for at least that purpose. The less broken glass, the more likely there are multiple monitoring approaches (purpose built for the mission-critical stuff, generic for the other systems). In other (and fewer) words, monitoring is a reflection of the corporate importance of what is monitored.

See that fist punching through the clouds? That's Veeam's, that is


Why no consolidation?

At last glance it seemed like there were >200 backup and disaster recovery companies out there, with a lot of them startups. Why isn't Veeam scooping them up and consolidating the market?

Chicago cops under fire for astonishingly high dashcam, mic failures


>30% failures rates are common for video surveillance

Dirty little secret for years in physical security is how low the "uptime" is for video surveillance; typically around 70%. City of Philadelphia audited their city-wide surveillance system and found it worked only 32% of the time (http://www.viakoo.com/orphaned-video-system-in-philadelphia/). End result is police never look at it because they know it's incomplete at best.

Webcam spyware voyeur sentenced to community service


Just google "hacked security cameras" and the issue is not just putting tape on your laptop camera, but how secure is your organization's physical security? Too many people don't change default passwords, don't put physical security onto a separate network from corporate, and don't have any warning/alerting mechanism to detect tampering. With all the focus on cyber-security it is well worth remembering physical security can be as (or more) vulnerable to hacking and malicious attacks.

Door keys are an option. It's just a matter of time


Industrial IoT leads, not consumer

I'm also at IoT World, and to correct the mis-perception of this article there is a lot going on in "industrial IoT" that is real-world and meaningful. Easy to point to the consumer side and say it is not ready, but a lot of enterprise needs are being met better through industrial IoT, and there are real-life examples. Shouldn't El Reg focus more on that, than the less-developed consumer side?

Think server vulns are the IT department's problem? Think again


Good article, especially in highlighting the scope outside of strictly IT. As was mentioned with aviation, physical security (access control, video surveillance) should be included in this more because there are more and more cases where that is used to gain the insight needed to overcome logical security. For reference, look at the Carbanak malware-based bank heist where video was hacked in order to learn from observation how things worked inside.

Seagate’s EVault joins the backup providers swarm



I have not gone through the list, but my suspicion is that of the 100+ companies there are quite a few zombies. They had an initial spurt of customers, still serve them well, but are unable to gain new customers because they are NOT the "new shiny thing on the block" nor are they the big entities that would take the business based on bundling or price. If you were a new buyer in this market you wouldn't look at everyone; hot startups and established entities is where you'd focus. The BC/DR company hot 2 or 3 years ago may now be left in the cold, slowly bringing down spending in sales & marketing, living a zombie-like existence while feeding off of maintenance renewals. Would not be surprised that such companies are the majority in this space.

Air gaps: Happy gas for infosec or a noble but inert idea?


Watch those cameras!

As physical security also is part of the network (IP cameras, access control, etc), those systems also become part of the threat profile. Just like no one thinks of the HVAC system (that lead to the Target breach), too often people are forgetting that any "touchpoint" can be used (that's why even the pixels on screen, captured by IP camera connected to network, could be used in an air gap situation). Services like Viakoo that monitor/diagnose issues in security video IP streams have been finding more cases of digital tampering of surveillance camera footage, in part because if you're able to infect/hack computers, you also will hack into the security video to erase your tracks. While this article may not be "real-world", the lesson should be taken to heart that with IoT expanding rapidly, so are the potential points of entry/infection.

Mail Migration


Test the backup

As other have pointed out, make sure both old and new systems are backed up - and also make sure you test the recovery node to make sure it is actionable if needed.

Spot the joints: You say backup, I say archiving


Just like backup {not equal to} recovery

In the same way that backup and archiving are becoming distinctly different, so is recovery. Backup and Disaster Recovery (BDR) vendors really need to be looked at differently if the goal is recovery as opposed to backup.