Posts by Amos1

If auditors can conduct IT system security assessments...

Shouldn't IT security people be able to perform financial statement audits?

Seriously, losing money year after year in security?

What a bunch of clowns. The fastest growing market is security and they have lost significant market share every year. The only bigger clowns are the people who buy SRX "firewalls" because of their low price. In other news, Juniper can barely give their "security" products away. Their notworking products are wonderful as well. All they need to do is add hard-coded backdoor admin credentials and they'll have surpassed Cisco in that market share.

Oh wait, they already got backdoored by a third-party for years and never knew it. Never mind.

How do you handle the legal part of governnance?

In the USofA it's called Sarbanes-Oxley and covers all material portions of a public corporation. Specifically, changes to applications that could be material to a company's financial reporting (any application of major significance) needs to go through formal testing and have formal business owner sign-off to proceed to the next step. If someone wants to fire up DevOps for immaterial applications, go for it. But if you want to make a real impact on the business as a going concern, what's the point? We're not working under Uber's "disregard all the rules and laws" playbook.

Same old, same old

Same thing happened in the city where I live about a decade ago. Used a city channel assigned to the service department. The person who did it ran his prank about 3:30 AM once and the city called it a malfunction. Then it happened again at 3:30 AM but this time someone heard the tones. Did they catch the person? Probably but they couldn't prove it. How did they catch him? He shot his mouth off to some friends who were already mad about what happened and one called the cops. But they could never find the radio and he denied it and it never happened again. The city said it would cost $40,000 to encrypt the radio signal so they shut the sirens down. Then a tornado blew through town and they had to rebuild the whole thing and make it operational again. Typical government operation.

Perhaps someone with Photoshop skills could paste John McAfee's picture in the middle of that logo

He would look like he had horns.

Next headline: "Cisco buys Schneider Electric"

Why not? It seems they both like hard-coded backdoor passwords so half of the integration work is already done.

Here's the paragraph that will cost Symantec a lot of money:

"Given the nature of these issues, and the multiple failures of Symantec to ensure that the level of assurance provided by their certificates meets the requirements of the Baseline Requirements or Extended Validation Guidelines, we no longer have the confidence necessary in order to grant Symantec-issued certificates the “Extended Validation” status. As documented with both the current and past misissuance, Symantec failed to ensure that the organizational attributes, displayed within the address bar for such certificates, meet the level of quality and validation required for such display. Therefore, we propose to remove such indicators, effective immediately, until Symantec is able to demonstrate the level of sustained compliance necessary to grant such trust, which will be a period no less than a year. After such time has passed, we will consider requests from Symantec to re-evaluate this position, in collaboration with the broader Chromium community."

Did yo catch the "effective immediately" part?

The bank I work for has been reticent to leave Symantec because of old people afraid of change. Not any more. We're moving to replace every Symantec certificate we use because we rely on EV certs as part of our customer anti-phishing education campaign. And we just saved tens of thousands of dollars a year as well.

Good first move by Nest but it took way too long and their "family accounts" are not that good

Before Nest killed off their community forums 2FA was a major request, probably only second to not installing firmware updates when no one was home to deal with the aftermath of borked equipment.

I wonder when Nest will tell their customers because they haven't done that yet.

Their Family Accounts needs work because once you set up additional accounts they all are administrators of the systems. There's no way to limit who can change what setting. Probably the best feature is that the system uses geo location and can turn on the interior cameras after everyone has left the house and turn them off when the first person comes back.

Probably the worst feature is that they, get this, only send one alert per "zone" per camera every thirty minutes. So if your kid comes home from school and the outdoor camera tells you, anyone can break in for the next thirty minutes and the camera alerts stay off. Dumb, dumb, dumb.

They trumpet their algorithms for motion detection but they can't automatically reset the alerts when motion in a zone has stopped for a minute? The support case I had open replied with "If your neighbor is mowing his lawn we don't want to annoy you." I replied with "So your system isn't smart enough to re-arm the sound alerts when his lawnmower stops?"

Well, I guess we're not going to proceed with Veracode then

Too bad. I really like their products but only old, entrenched IT bods will buy IBM, HP or CA. This product will go down the toilet soon.

One of the clues given was "food" / "water" and "It's not what you think"

That's from the Twitter account of the person he's working with. That make me think of a large disaster relief provider like the International Red Cross. From the screenshot it's a MySQL database so you know, "free".

DNSSEC is fairly worthless in the real world

It guards against precisely one risk and that makes it a point-control and a risk that is far less common than, for example, poor application coding. And it only works if the client cares. That makes it also a client-side control and every client is a single-point-of-failure. There are far more security risks that are real and everyday occurrences that should be focused on first. This is why regulators suck at their jobs; they don't understand the intricacies of the technologies they regulate. I work for a bank and it wasn't that long ago that almost every bank examiner was a retired mainframe admin and that was all they cared about. And yes, we run DNSSEC for exactly one reason: the regulators think it fixes all evil.

> a macro within the document executes two Powershell scripts

> 139.59.46.154:3485/eiloShaegae1 via HTTP

> 45.76.128.165:4443/0w0O6 via HTTP

> 45.76.128.165:4443/0w0O6

So four controls already used in security-conscious organizations, one where the system and network administrators do not administer security devices, would have worked perfectly.

1. Block "PowerShell" in all proxy traffic if it shows up in the User-Agent

2. Remove the ability to execute the two copies of PowerShell from non-administrative users and no, everyone does not have to be an admin.

3. Review your proxy logs for the past several months with an eye towards the destination port. Allow all non-standard destination ports used for business-related sites and drop all others. And review that rule on occasion. You'll see how many bullets you dodged without even knowing it.

4. Run man-in-the-middle HTTPS decryption and in #3 use separate port ranges, one for HTTP and one for HTTPS. None of those non-standard ports have ever been seen in business-related traffic for us, a large bank. 4443 has been seen but never for HTTP. That's a clear deception trick.

Why did I single out "system and network administrators who run security devices"? Like in real estate, those poor people are graded by their management on three things: Availability, Availability and Availability. "I can't get to my cat website because you block dynamic DNS sites running on odd ports!"

We use LOL at work all the time because the managers don't understand it

Lack of Leadership

PR people have no soul or conscience

"A Barracuda spokesperson has been in touch to add: "We were able to proactively identify an error in the application definition file..."

So they proactively identified an error after it borked every firewall they pushed it to? Perhaps "proactively" means "Before a customer figured out what we screwed up and told us."

Or maybe "proactively" means "Before every customer who ran VoIP or Office 365 for email could contact us because nothing worked."

The great thing about having a manual transmission in 'Murica is that the young punk thieves can't drive them. A fellow up the street from where I work got carjacked at a gas station but the fool couldn't move it because it was a stick. So he had to take off running and leave the car.

I'm convinced the reason people don't use parking brakes is because their parents told them to never do it because the cables would rust up and lock in place. I've had that happen last century when the rear brakes were drums but that was the last time. My kids use it all the time as do I but my wife? Nah. Doesn't matter what kind of incline she's parking on. Put in in park and take your foot off the brake and let the car bounce back and forth on the parking pawl while she messes with her purse.

Whay don't they just look in the Alexa app on his phone?

The app keeps a transcript of EVERYTHING it hears so you can mark it as correct or not. If something is in there it would let them narrow the warrant. If it had all been erased, it would give them other grounds.

"a illegitimate" - Utter BS and CYA'ing

No one would write a sentence that way. "This is a illegitimate email". Seriously? More MSM cover-up for clowns in jobs beyond their competencies.

Don't worry. All of your income tax returns are totally safe with your city or school district.

Yeah, I live in one of the states that allow cities to leverage an income tax against their citizens. :-(

Clobbered the US also

We noticed we were queuing outbound email mid-morning and all were to Barracuda domain MX records on multiple /24 subnets. Several of our vendors were down. Various email testing services either reported they could not even connect or they could get a TCP 25 connection but that was it.

Old trick, actually

Several years ago a university in Ohio noticed that the image file of their football team picture kept getting bigger and bigger and it was causing slow downloads. They thought it was corrupt so they replaced it and it happened again. Then they got wise and called in the techies. The same server was used for student fees and the malware was writing the card data to the football team picture using steganogaphy. They did have tight egress controls on the web server so this was a way to exfiltrate the data. Literally everyone who visited the page and saw the image of the football team was now in possession of stolen card numbers.

Bulk battery buy?

I'm pretty sure my Nest Protects take special AA-sized batteries, not regular ones. Lithium ion's or something. That's why they have years of life.

The part that’s missing from their FAQ is when (and how) it was discovered. Perhaps this is how:

"Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account. Since the inception of Yahoo's program in December 2015, …"

Sysadmin #1: “We got the new government hacking detection tool running and we’re already getting hits!”

Sysadmin #2: “Ummm…”

It is a real threat, though

W protect against it at the bank where I work after a pen test years ago used it and managed to get 3 M/bps throughput. DNS tunneling, ICMP tunneling, SSH tunneling, you name it; they're all real threats. It's also a data exfiltration channel used by malware. A fully split DNS is the only way to truly handle this one, though. If internal systems don't need to query DNS servers on the Internet because they go through a proxy server, then don't let them do it. Problem solved.

I put one in, a Kevo

I finally sold my 1999 car and ended up with a 2016 model that doesn't even have an ignition key. Just keep that fob thingy in your pocket. I actually got so enamored of it that I hated digging into my pocket just to lock and unlock the house. So I put a Kevo on the door between the house and the garage interior. It's very convenient but there's no way I would put one on an exterior door or, God forbid, hook it to the Internet. Kevo has sent a few firmware updates already. It goes to your phone and you just put your phone near the lock for the ten minutes or so it takes to do the update.

"excelled in plundering highly-secure US firms." - Why is this in the RSA breach story?

From various reports of the incident: They allowed people to release emails from quarantine despite anyone with any sense knowing people are easily fooled. The From address clearly was not from EMC or RSA yet it was about an HR retention (salary) program. RSA, the "Security (revenue) Division of EMC" did not hire their first CISO until after the breach. They had an unsegmented network. They had poor egress controls. They did not have an effective DLP program.

They were easy pickings, just like most of the corporate America run by old guys who are clueless about the 21st century risks.

Sure, keep on using those custom tools

In a galaxy long, long ago an astute analyst realized that "random" is not normal on the Internet. That meant that patterns of "random" traffic were in fact encrypted communications. Since all encryption mechanisms can be fingerprinted, the terrorists (and journalists) using those custom applications are saying "Nah, nah. You can't read this!" while JSOC is smiling and saying "Let me know how that works out for you." as the cruise missile is targeted. PGP is especially fingerprintable.

Yeah, it happened to me. Connecting it to iTunes as recommended gives a dialog box that something was wrong and asks if I would I like to upgrade or restore. I selected Upgrade to 9.3 and it churned for a while, tried it and failed to activate again.

It was about 1 AM by then so I just selected Restore to 9.2.1 and went to bed. When I got up it was operational and I had to go through the initial setup stuff as usual. But when I tried to check for software updates, it said I was already on v9.3. Maybe that happened because I had tried the iTunes upgrade to v9.3 initially. Or maybe it's lying to me. Whatever. It did restore perfectly.

Unfortunately the old iPad 2 does not get Night Shift functionality, so I was sad again. :-)

v9.3 update and iPads - This is weird

I started the v9.2.1 restore late last night and when I came down this morning it appeared to be working but still needed all of the setup stuff. It just finished the setup process and Settings says it is now on v9.3. I never told it to proceed with the v9.3 update but it apparently did it by itself when it was connected to iTunes. I'm OK with that but it's still weird.