* Posts by Amos1

203 publicly visible posts • joined 9 Feb 2014


Car trouble: Keyless and lockless is no match for brainless

Amos1

I had a rental VW that no one could figure out how to start, even at Hertz. Someone from Hertz finally found the manual online. You actually have to take the key fob and insert it into a slot in the dash and push on it, like it's a gigantic button. When I got to the hotel, no one could figure out how to stop the engine but they had valet-only parking so I left it running. The valets eventually figured out you have to push the gigantic key fob button again and it will pop out.

I was so frustrated I initially went back into the rental agency and asked if they had any cars with keys (because even the employees could not figure out how to start the thing). Nope.

Security pros' advice to consumers: 'We dunno, try 152 things'

Amos1

Re: Who needs strong passwords

No, because that whole concept only protects against password guessing and not password cracking of the files or databases that hold credentials. Unless you can make the password strong enough that it lasts longer than the lifetime of the data you're protecting, they are not good enough.

That's where periodic password changes help. If it takes a multi-GPU cracker 40 days to crack a password file but the data only needs to be protected for 30 days you're in great shape. An example would be a pending SEC filing for the next quarter's earnings. But if you're protecting customer data, passwords are never good enough unless all of your customers have really, really short life expectancies.

What I'm saying is that the only reason passwords are still in use is because they have no acquisition fee; i.e. you can create as many username/password accounts as needed and it doesn't cost the company anything initially.

They cost a lot in ongoing soft costs: password resets, poor choices, poor controls, temporary loss of access resulting in productivity hits, an elevated risk of compromise, etc.

Amos1

Re: WTF, security isn't a users responsibility....

You lose. :-)

I work in operational security for a large bank, not compliance, audit or procurement. We know what works for real in prevention and detection and what doesn't (contracts) and we get to draw the line in the sand because we do not report through the CIO. The "line in the sand" rarely needs to happen because once we explain how and why a potential vendor will cause us an issue, "the business" will go to an alternate vendor.

Yes, most are dumb ones. Look at "RSA, the Security Division of EMC". They had a $65 million dollar hack and only in that aftermath did they think it was a good idea to actually create the position of CISO. Not much has changed in business since then. The unwritten policy usually is "Almost any risk is acceptable until it happens to us."

Amos1

Re: Don't open unexpected attachments

Wrong. Humans are the last line of defense, not first. They can be great as early warning sensors for things that got past the technical controls but that's it.

The problem with training is it's like bathing or showering. It doesn't last long yet companies only do it once a quarter or once a year.

Amos1

Re: Who needs strong passwords

Right, because no one has ever shared a password that never needs changing.

When we went to complex passwords checked against a 250K word list we almost shut the company down. Now there are lists over 300 million long. Want to know what the chances are that you would ever pick a password not on that list? Less than 1 in 300,000,000.

Amos1

Re: WTF, security isn't a users responsibility....

One of my favorite questions to ask prospective vendors is this:

"Do you have people dedicated to IT Security or is security everyone's job?"

The dumb ones answer "It's everyone's job!" because when something is everyone's job it's actually no one's job. The smart ones answer "Both."

Seriously, just today we were questioning a major vendor of financial services software why they were shipping a version of Tomcat that was a year and a half old in a new product, one with many remote code exploitation vulnerabilities. Their response was that they watch the news and when they read something about a problem with a piece of software they use, then they put together a roadmap to upgrade it. If I mentioned their name and you work for an FI you would instantly recognize it. This is the nonsense we deal with every day but fortunately we have management that will walk away from a vendor like this.

Amos1

Re: Don't open unexpected attachments

Never got a PDF from a vendor or a law firm with a handy button asking you to click it to agree to their terms, have you? Got one today from an alleged IT security vendor.

Amos1

Re: Don't open unexpected attachments

What the proponents of "user awareness" overlook are the things that work against it: Turnover, labor rules, being pushed by management to get something done fast rather than 100% correct, the fact that the scammers have one full-time job and that is to get past your awareness training, so pretty much everything.

Policies and training are almost worthless without technical controls to back them up. Unless you're in Training, Legal, Audit or Compliance, of course. Then you believe that's all a company needs because without those, you don't have a job.

New phishing campaign uses 30-year-old Microsoft mess as bait

Amos1

It's just an electronic Darwin Award. They sort themselves to the top by clicking on everything, they get encrypted and that removes them from the Internet. Everybody (else) wins.

Release the KRACKen patches: The good, the bad, and the ugly on this WPA2 Wi-Fi drama

Amos1

Re: Web site encryption

Quite. And even if you cannot get your own root certificate installed on their PC it's not a problem.

"Certificate error? WTH does that mean? I went to this website yesterday and I didn't get an error! I know it's fine! *CLICK*"

Oz military megahack: When crappy defence contractor cybersecurity 'isn't uncommon', surely alarm bells ring?

Amos1

"Vendor Management" in most companies is just a paperwork exercise

"What do you mean, I have to assure the vendor is doing their job? That's why we hired them!" is a common push-back from "The Business". "An on-site visit? I'm not paying for that! We outsourced to save money!"

So they request audit paperwork which comes back as an SSAE 16 SOC 1 Type 1, which can only be used for financial reviews and not technical operations and had no testing done. It covers the vendor's "cloud" provider's infrastructure and nothing else, not even the web apps the vendor wrote themselves. The security group writes them up for numerous problems marked in the vendor's own docs as "Requires management attention" where the vendor's response was "Accepted the risk".

The paper-pushers in the customer's Vendor Management program look it all over and say "We can't tell the vendor how to run their business and they accepted the risk. So did our business unit."

And then the vendor loses a butt-load of the company's customer data *cough* Equifax *cough* and "The Business" squawks "What do you mean, we have to notify our customers that the vendor we hired got breached? We're not the ones who lost it!"

That's my Monday. Want to know what the rest of the week looks like? You guessed it, the same.

Safe for work video on the subject: https://www.youtube.com/watch?v=9IG3zqvUqJY

HPE coughed up source code for Pentagon's IT defenses to ... Russia

Amos1

Re: Did I understand this right?

Amen to that. I read the US analysis on Kaspersky and mentally substituted "American" every place I read "Russian". Essentially zero difference.

Amos1

Re: Did I understand this right?

That presumes that qualified people are actually looking at the source code for other than availability reasons. Last century Borland released very popular database software to the public. About six months later someone actually looked at the code and discovered hard-coded backdoor credentials. Stuff never changes.

Amos1

This story is so last century

That's when Symantec (Norton) and other AV vendors gave China all of their virus collections in order to gain access to the Chinese markets. I think Symantec turned over some 2,000 viruses.

Ahh, for the good old days when an AV definition update fit on a single floppy disk.

BYOD might be a hipster honeypot but it's rarely worth the extra hassle

Amos1

Re: Break Your Own Defenses

Bring Your Own Disaster. Of course, corporate-owned isn't much better:

Scene 1: User reports they lost their phone with corporate data on it. You remotely wipe it.

Scene 2: User finds it a week later right where they left it. User screams loud and long because they lost Baby's First Birthday Party pictures.

Scene 3: No one reports a lost device in a timely manner ever again.

Amos1

Re: No hassle here.

Wow, I didn't know managers read El Reg.

Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy 'login details leaked'

Amos1

The only thing that audits protect you from are auditors and regulators

Those that can, do. Those that can't, audit.

Equifax's disastrous Struts patching blunder: THOUSANDS of other orgs did it too

Amos1

Re: Reality bites

"This Struts issue is one of the drawbacks of libraries that ship in the folder with the code rather than patches applied at the OS level..."

Correct and this is why the STRUTS and other problems are actually far, far more prevalent than companies believe. Vulnerability scanners just look in default locations unless you specify the correct path. Vulnerability scanner vendors are now listing a warning that they may only find vulnerable components if installed in default paths.

But companies won't care because they can just blame the hack on their defective scanner. Fewer findings = less work.

Amos1

Re: re: Problem is that the technology works well ...

Nailed it. The worst thing that happened to information security and data protection was this thing called "Risk Management". There is no such thing. When you have five holes in your boat, any one of which could sink it, you don't use "risk management" to "prioritize" fixing the holes or you will eventually sink.

The unwritten "risk management" rule for many managers is this:

"Almost any risk is acceptable until it happens to us, not someone else. And when it does happen, I probably will have moved on so it will be someone else's problem. That is acceptable risk."

The developers vs enterprise architects showdown: You shall know us by our trail of diagrams

Amos1

OMG, did you hit it on the head. I was going to post "This article was written by a true cowboy" but your response is much better. I'm not an architect but in Information Protection, the other nemesis of the cowboys.

If I hear "It worked on my desktop! Fix your firewalls!" one more time I'm going to ____ _____ _____ _____ ____ ____ ____ ________.

Or better yet "We know what we're doing. We need ports A, B and C only." So when it gets installed it needs a half-dozen more ports and servers and they say "Adjust your controls." and we say "We had a third-party review and risk assessment based on your docs and drawings. Make the app work like you said it would."

And the devs squawk "We will need to double the number of services we wrote!" and we reply again "We paid for a third-party review and risk assessment based on your docs and drawings. Make the app work like you said it would." and then it goes to "arbitration" and the devs point out how much time it will take to make the app work like they thought it was already working. And we point out that since they do not have any clue how their app works on the network, we will need a full third-party pen test and a more thorough risk review before we'll advise Operational Risk that is it satisfactory. We usually "win" but the organization loses because of the cowboys' lack of operational discipline.

No, cowboys, it is not a "sprint". It is a business. I get to deal with vendors who use DevOps. When we find an issue with an app they can't even duplicate it because they've got no change control and their internal builds are many iterations past what they give to the customers. Companies claiming to use DevOps now get marked as a higher enterprise risk because what they call "agile" is really known as "unstable".

Red panic: Best Buy yanks Kaspersky antivirus from shelves

Amos1

Actually it was the FBI that was enlisting the Best Buy Geek Squad to spy on their customers' equipment brought in for repairs. Same difference, though.

I read the feds brief on this subject and substituted "American" every place it said "Russian" and yes, it read pretty much the same: "Go back to pen and paper no matter where you live."

Disbanding your security team may not be an entirely dumb idea

Amos1

Re: Sounds like another management idea - "They are all just IT guys, right?"

DBAs have their own priorities: Integrity of data, Performance a.k.a. Availability, and access to data a.k.a. Availability.

That being said, two of our three DBAs have it right. The third one has Performance for all three.

Amos1

Sounds like another management idea - "They are all just IT guys, right?"

For starters, they are two entirely different disciplines. If IT could have handled information protection tasks, they already would have. But now we have the mess the world has.

IT Security has three balanced priorities: Confidentiality, Integrity of data, and Availability.

IT and developers and CIO's also have three priorities: Availability, Availability and Availability.

For this to work, the bonus-level managers have to have information protection made a part of their priorities. Give them a 10% "bonus haircut" if their groups have a higher failure rate than 1% on Phishing tests and you will see how fast that problem goes away. It has not gone away yet because managers have not been personally incentivized to consider anything except Availability.

Creepy backdoor found in NetSarang server management software

Amos1

Easily detected - monitor for DNS TXT record queries ...

Only mail servers connected to the Internet should be performing regular TXT record lookups. That being said, Macs do it as well occasionally for whatever reason, and those domains can be filtered out.

DNS TXT records are a common way of performing command and control functions or of exfiltrating data via DNS Tunneling.

But you have to be logging all DNS queries, and non-aware companies will complain that it takes too much disk space. 'Cause, you know, it's better to be hacked and not know about it. That way you don't have to notify anyone.
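A defender-side sketch of the check described in the post above, added here as an example (it is not the commenter's code nor anything from NetSarang or The Register): it parses constructed BIND-style query-log lines, drops TXT lookups from known mail servers and from an allow-list of benign domains, and then points at the tunneling-shaped remainder. The mail-server inventory, the allow-list suffix, the `.invalid` sample domains and the thresholds are all assumptions.

```python
"""Flag DNS TXT lookups from hosts that have no business making them,
then single out the tunneling-shaped ones. Sample data is constructed."""
import re
from collections import defaultdict

# Constructed BIND-style query-log lines (both the older "client IP#port:"
# and the newer "client @0x... IP#port (name):" layouts); not real traffic.
SAMPLE_LOG = """\
29-Jun-2025 14:42:16.001 client 10.0.5.20#53211: query: _dmarc.example.net IN TXT + (10.0.0.2)
29-Jun-2025 14:42:17.120 client 10.0.9.77#40122: query: www.example.org IN A + (10.0.0.2)
29-Jun-2025 14:42:18.500 client @0x7f3a 10.0.9.77#40123 (a3f1c9.x7.tunnel-test.invalid): query: a3f1c9.x7.tunnel-test.invalid IN TXT + (10.0.0.2)
29-Jun-2025 14:42:19.733 client 10.0.9.77#40124: query: b9e22d.x7.tunnel-test.invalid IN TXT + (10.0.0.2)
29-Jun-2025 14:42:20.002 client 10.0.3.14#50555: query: _ldap._tcp.corp.invalid IN SRV + (10.0.0.2)
29-Jun-2025 14:42:21.900 client 10.0.3.14#50556: query: device.mac-vendor-example.invalid IN TXT + (10.0.0.2)
"""

# Assumed inventory: the only internal hosts expected to do TXT lookups.
MAIL_SERVERS = {"10.0.5.20"}
# Assumed allow-list for known-benign TXT lookups (the occasional Mac
# housekeeping queries mentioned above); placeholder suffix, not a real domain.
BENIGN_TXT_SUFFIXES = ("mac-vendor-example.invalid",)

LINE_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+"
    r"(?: \([^)]*\))?: query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)"
)


def parse_query_log(text):
    """Return (client_ip, query_name, qtype) for every parsable line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append((m["ip"], m["name"].rstrip(".").lower(), m["qtype"]))
    return records


def is_benign(name):
    return any(name == s or name.endswith("." + s) for s in BENIGN_TXT_SUFFIXES)


def suspicious_txt_queries(records, mail_servers=MAIL_SERVERS):
    """TXT queries grouped by client, minus mail servers and allow-listed names."""
    findings = defaultdict(list)
    for ip, name, qtype in records:
        if qtype == "TXT" and ip not in mail_servers and not is_benign(name):
            findings[ip].append(name)
    return dict(findings)


def parent_domain(name, levels=2):
    """Crude registrable-domain grouping; assumes two-label parents."""
    return ".".join(name.split(".")[-levels:])


def tunneling_candidates(findings, min_unique=2, min_label_len=20):
    """Tunneling shape: many distinct names under one parent from one client,
    or a very long leftmost label (encoded payload). Thresholds are assumed."""
    out = {}
    for ip, names in findings.items():
        by_parent = defaultdict(set)
        for n in names:
            by_parent[parent_domain(n)].add(n)
        for parent, uniq in by_parent.items():
            longest = max(len(n.split(".")[0]) for n in uniq)
            if len(uniq) >= min_unique or longest >= min_label_len:
                out[(ip, parent)] = {"unique_names": len(uniq), "longest_label": longest}
    return out


if __name__ == "__main__":
    flagged = suspicious_txt_queries(parse_query_log(SAMPLE_LOG))
    for (ip, parent), stats in tunneling_candidates(flagged).items():
        print(f"{ip} -> {parent}: {stats}")
```

On the sample, the mail server's DMARC lookup and the allow-listed Mac query drop out, and only the workstation querying two distinct names under one parent remains.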

Carbon Black denies its IT security guard system oozes customer secrets

Amos1

Re: You can't patch stupid

Hey, check out the beautiful trophy-thingy here: https://blog.savagesec.com/words-have-meanings-dc925219bb8e

Cylance apparently picked DirectDefense as their 2016 Partner of the Year. Maybe this latest blog of theirs will win them the Cylance 2017 Advertising Partner of the Year.

That is an extremely well-balanced article on the entire data leakage problem as a whole.

Symantec offloads its certs and web security biz to DigiCert

Amos1

Another screw-up by acquisition

2010: Symantec buys Verisign's PKI business for $1.28 billion. Symantec removes the "Secured by Verisign" logo to, OMG, "Secured by Norton" because no consumer has ever had their computer slow to a crawl due to the Norton AV bloatware.

2017: Symantec sells the business for $950 million when it had a yearly revenue of $350 million. Their 34th CEO in the last two years is happy.

Facebook pulls plug on language-inventing chatbots? THE TRUTH

Amos1

Yes, that's what we want you to believe...

Bwa ha ha ha ha ha

Signed,

The AI Bots

So who exactly was to blame for Marketo losing its dotcom?

Amos1

Re: Lets extrapolate 2 simple questions from this:

I do. If I could have grabbed the domain I could have stopped zillions of emails each day and a lot of user tracking.

The drinks are on Juniper: Revenue and profits up in Q2 2017

Amos1

Has Juniper ever had a quarter where security sales increased?

We're looking at SRX firewalls, which seem more like routers with a web GUI front end and an IPS in name only. I've gone back through the last few quarters and all I keep reading is how switching is doing great and their security products lost market share again.

A year or so ago they sold off their SSL VPN security product line to Pulse Secure. Do they have any security products anymore other than the SRX's? How do you keep losing market share in the fastest growing segment of the industry for many years, security?

Targeted, custom ransomware menace rears its ugly head

Amos1

Old news. Remember back when...

Some years ago a web app SQL injection attack used xp_cmdshell(), which used to be enabled by default on Microsoft SQL and never can really be removed, to install a service as SYSTEM on a SQL server? It transparently encrypted all data in the database as it was stored and decrypted it as it came out?

Some months later the attackers deleted the decryption key, delivered the ransom demand and the SHTF. The company, which had a rock-solid backup strategy, ended up having to pay in full because their compliance-driven annual restore test was done, well, annually. The last unencrypted backup of all online transactions was months old and of no use.

And then there was this recent event: http://www.itworldcanada.com/article/canadian-firm-pays-425000-to-recover-from-ransomware-attack/394844

Rackspace goes TITSUP in global outage outrage

Amos1

Re: Terrible design

You've never heard of the subscription model, eh?

Ubuntu 'weaponised' to cure NHS of its addiction to Microsoft Windows

Amos1

What rubbish. XP usage had nothing to do with WannaCry.

"The reference to Windows XP is an uncomfortable reminder that the WannaCry attack that hit the NHS..."

WannaCry crashed on XP but not on 7. What bit the NHS (and Telefonica and others), as proven by the Shodan search engine, was their propensity for either hanging servers directly on the Internet or by intentionally exposing the TCP 139 and TCP 445 file sharing ports directly on the Internet and available to the entire world.

Negligence and incompetence cannot be fixed by changing the desktop operating system.

Amadeus airline booking system TITSUP and it's not ransomware

Amos1

What other airlines are affected? Southwest Airlines in the USA announced at the airport last night that they had a reservations system outage.

Researchers blind autonomous cars by tricking LIDAR

Amos1

Re: Interesting research

Yes, but one not only outside its design parameters (since corrected) but where the driver put way too much trust in his own limited experiences (incorrect sample size for the task). The one smart thing Tesla did was to grab (and apparently stream in real-time) the telemetry so the facts could not be seriously disputed. That's the data you also need to tamper with reliably to cover up the crime.

Microsoft recommends you ignore Microsoft-recommended update

Amos1

Re: Flailing Helplessly

You missed one. "When you outsource critical business functionality you have put your company's future in someone else's hands." And your outages will just become part of the other 99.999%'ers who are also down and have zero leverage to get prioritized.

Here, have some service credits to make up for all those lost sales and lost productivity. K thx

Anthem to shell out $115m in largest-ever data theft settlement

Amos1

Re: "a full third of the package [..] has been earmarked to cover attorney fees"

What country do you live in? It's certainly not the US.

Breaking news, literally: Newspaper's quakebot rumbled for fake story

Amos1

M6.8 - SANTA BARBARA CHANNEL, CALIF.

Preliminary Earthquake Report

Magnitude 6.8

Date-Time • 29 Jun 2025 14:42:16 UTC

• 29 Jun 2025 07:42:16 near epicenter

• 29 Jun 2025 09:42:16 standard time in your timezone

Location 34.300N 119.800W

Depth 10 km

Distances • 14 km (9 miles) SSE (156 degrees) of Isla Vista, CA

• 16 km (10 miles) S (175 degrees) of Goleta, CA

• 16 km (10 miles) SW (214 degrees) of downtown Santa Barbara, CA

• 145 km (90 miles) W (281 degrees) of Los Angeles Civic Center, CA

Location Uncertainty Horizontal: 0.0 km; Vertical 0.0 km

Parameters Nph = 0; Dmin = 0.0 km; Rmss = 0.00 seconds; Gp = 0°

Version = 0

Event ID ci 37161284

Followed an hour later by:

Subject: 2025-06-29 14:42:16 DELETED: (M6.8) SANTA BARBARA CHANNEL, CALIF. 34.3 -119.8 (84ba6)

DELETED: Event ci 37161284

== EVENT DELETED NOTIFICATION ==

***This event has been deleted after review by a seismologist.***

Geographic coordinates: 34.300N, 119.800W

Magnitude: 6.8

Universal Time (UTC): 29 Jun 2025 14:42:16

Time near the Epicenter: 29 Jun 2025 07:42:16

Location with respect to nearby cities:

14 km (9 miles) SSE (156 degrees) of Isla Vista, CA

16 km (10 miles) S (175 degrees) of Goleta, CA

16 km (10 miles) SW (214 degrees) of downtown Santa Barbara, CA

145 km (90 miles) W (281 degrees) of Los Angeles Civic Center, CA

DISCLAIMER: https://sslearthquake.usgs.gov/ens/help.html?page=help#disclaimer

Amos1

Re: Real time monitoring...

Anybody can sign up for them. I don't think I've ever seen one below a 6. The Europeans also send them, GDACS, but theirs are sometimes delayed from USGS. When I got that email I immediately started looking at Santa Barbara Channel webcams so I could see a tsunami in real-time, until the cameras went away, of course.

I noticed the date but figured that someone was messing around with the alien earthquake generator and had accidentally hit the Run Now button on that scheduled task.

WikiLeaks doc dump reveals CIA tools for infecting air-gapped PCs

Amos1

Re: Who comes up with these silly application names?

I think they have the opportunity to tweak them or try again with the name generator. Brutal Kangaroo jumping from machine to machine with impunity. That's just poetic.

I wonder what Honest Politician would do? Probably doesn't exist yet.

NSA had NFI about opsec: 2016 audit found laughably bad security

Amos1

Re: 2 sweet FA

Neither. The use of 2FA would reveal them to be NSA operatives because real companies and real people don't use it. Therefore the use of 2FA would be what put them in a high-risk position because it would "out" them.

HPE hatches HPE Next – a radical overhaul plan so it won't be HPE Last

Amos1

"DNA" or "DOA"?

HPE to staff: 'We are permanently clipping your costs'

Amos1

If the TSA really does ban laptops in the cabin, you might see biz travel drop even more. But it would mean one more checked bag at $25 per leg so their profits might even go up.

Amos1

Re: "Each of us needs to play a role by spending HPE's money like it's our own"

Reminds me of a former employer. The CEO sent an impassioned letter (on paper) to everyone asking them to dig deep and donate to the company Political Action Committee (PAC). They asked 1% of gross salary of every hourly and salary employee.

He was clueless about the Interwebs and the company's Yahoo message board soon had a post listing the contributions to the company PAC as obtained from a public website. Instead of filling out a separate form for each company officer contributing, they put them all on the same form even though most contributions were below the reportable limit. The previous year the CEO contributed a whopping 0.0002% of his salary to the PAC. Had he contributed the full 1% he asked of everyone else, the PAC would have hit its goal for the next year and a half.

The interesting part was that the disclosure form had to list the contributor's salary and contribution. We found out that some managers were paid far, far more than anyone had guessed. And they never asked us to contribute to the PAC again.

Amos1

Re: Nothing new

Yeah, because they clearly have nothing better to do than handle travel requests. That's why their companies are in the toilet, micro-mismanaging instead of selling and visiting customers.

Amos1

Re: Corporates still contracting w/ TLA company are ripe for trimming "cost inefficiencies" itself

"whippersnapper"? *chuckle* I literally have not been called that in over half a century. I'm in my 60's and trying to weigh two job offers. It is true; there is no employment shortage in IT security for qualified people. My biggest challenges literally are the dinosaurs who are making technology and business decisions but who let themselves go obsolete years ago. They're the ones letting the TLA vendors make their decisions for them and their companies are unknowingly paying the price both in dollars and capabilities.

Amos1

Corporates still contracting with a TLA company are ripe for trimming "cost inefficiencies" itself

Two-Letter Acronym or Three-Letter Acronym. CA, CSC, DXC, EMC, HPE, IBM, etc.

I've interviewed at and been approached by companies where senior (old and gray-haired) managers brag about their long-term relationships with these dinosaurs. I've seen those invoices and those companies could speed up their responsiveness to their own customers and employees as well as cutting a butt-load of money off their expenses simply by moving on. Themselves, to another company, so an outsider could come in and demonstrate how to shave millions of dollars and years of time off the bottom line.

Chrome on Windows has credential theft bug

Amos1

Re: Not on Win7+ I believe...

Yes, with all the attention given to SMB lately most companies will block that traffic outbound. But there are many, many smaller companies who have those systems handled by someone else, even their ISP. Or they bought something and once they had connectivity they left it alone. They are at risk as is the home user. No, the credentials will not have to be typed manually on business devices. That's all handled transparently. Given how fast Google automatically patches things this probably is a non-issue.

While Microsoft griped about NSA exploit stockpiles, it stockpiled patches: Friday's WinXP fix was built in February

Amos1

Re: Plenty of blame to go around

If you're not buying the current version you're not a customer, you're a former customer. Supporting former customers for free is a sure-fire method to increase your expenses and reduce your profits with no gain for you.

74 countries hit by NSA-powered WannaCrypt ransomware backdoor: Emergency fixes emitted by Microsoft for WinXP+

Amos1

Re: Risk Management

Hahahahaha. They'll get or already were promoted for saving money. :-)

This is a five minute video on how risk acceptance works in the real world. It is safe for work: https://www.youtube.com/watch?v=9IG3zqvUqJY

'I feel violated': Engineer who pointed out traffic signals flaw fined for 'unlicensed engineering'

Amos1

I wonder how all of the Sanitary Engineers will feel about this. They might go on strike if we start calling them "janitors" again.
