If auditors can conduct IT system security assessments...
Shouldn't IT security people be able to perform financial statement audits?
203 publicly visible posts • joined 9 Feb 2014
What a bunch of clowns. The fastest growing market is security and they have lost significant market share every year. The only bigger clowns are the people who buy SRX "firewalls" because of their low price. In other news, Juniper can barely give their "security" products away. Their notworking products are wonderful as well. All they need to do is add hard-coded backdoor admin credentials and they'll have surpassed Cisco in that market share.
Oh wait, they already got backdoored by a third-party for years and never knew it. Never mind.
In the USofA it's called Sarbanes-Oxley and covers all material portions of a public corporation. Specifically, changes to applications that could be material to a company's financial reporting (any application of major significance) needs to go through formal testing and have formal business owner sign-off to proceed to the next step. If someone wants to fire up DevOps for immaterial applications, go for it. But if you want to make a real impact on the business as a going concern, what's the point? We're not working under Uber's "disregard all the rules and laws" playbook.
Same thing happened in the city where I live about a decade ago. Used a city channel assigned to the service department. The person who did it ran his prank about 3:30 AM once and the city called it a malfunction. Then it happened again at 3:30 AM but this time someone heard the tones. Did they catch the person? Probably but they couldn't prove it. How did they catch him? He shot his mouth off to some friends who were already mad about what happened and one called the cops. But they could never find the radio and he denied it and it never happened again. The city said it would cost $40,000 to encrypt the radio signal so they shut the sirens down. Then a tornado blew through town and they had to rebuild the whole thing and make it operational again. Typical government operation.
802.1x on Windows is a massive PITA. Anyone who promotes it probably has never done it in a Microsoft environment. We had so many problems with it on Windows 7 that we set a Scheduled Task to reboot one PC every five minutes so we could get MS enough data so they could then create a hotfix which you later had to know about to ask for. The PC went into thermal overload after the first week because it had been rebooted so many times. Why every five minutes? We had branches where PCs would suddenly fail 802.1x, had to be rebooted and then would work for a week. It was happening to hundreds of them every week but only once per week. And they were all shut off each night so it wasn't an uptime or heat thing that caused it. Turned out to be a race condition. When we started testing 8.1 the same thing happened and 802.1x left the buildings.
Does Outlook Web Access still rely on WebDAV? If so I'd bet a bunch of those are OWA servers in small companies and thus also a domain controller.
Of course this is still better than my last employer in manufacturing. They finally switched away from Windows NT 4 and Exchange 5.5 in 2010. No, not kidding.
Here's the paragraph that will cost Symantec a lot of money:
"Given the nature of these issues, and the multiple failures of Symantec to ensure that the level of assurance provided by their certificates meets the requirements of the Baseline Requirements or Extended Validation Guidelines, we no longer have the confidence necessary in order to grant Symantec-issued certificates the “Extended Validation” status. As documented with both the current and past misissuance, Symantec failed to ensure that the organizational attributes, displayed within the address bar for such certificates, meet the level of quality and validation required for such display. Therefore, we propose to remove such indicators, effective immediately, until Symantec is able to demonstrate the level of sustained compliance necessary to grant such trust, which will be a period no less than a year. After such time has passed, we will consider requests from Symantec to re-evaluate this position, in collaboration with the broader Chromium community."
Did you catch the "effective immediately" part?
The bank I work for has been reticent to leave Symantec because of old people afraid of change. Not any more. We're moving to replace every Symantec certificate we use because we rely on EV certs as part of our customer anti-phishing education campaign. And we just saved tens of thousands of dollars a year as well.
"214-610025 ... 205-600052 ... 5.6-7
That's fascinating. I'd like to learn more. Can you tell us your home address as well, please?"
Sure, I trust you know how to fix this, huh? Thanks for the offer! My address is:
725 5th Ave
New York
NY
10022
Just tell the doorman you're here to see me about the security cameras.
Thanks!
Both of my Nest Outdoor cameras show a version of 214-610025 and my two DropCam Pro inside cameras show a version of 205-600052. His advisory says it affects all of them.
The thermostat has used version numbering in a format similar to "5.2.1" but mine is 5.6-7 (not a typo).
Agreed. They regurgitated some reports on client-side home user products and interpolated it into real data. Right. The reality is that 50% of web traffic is now HTTPS and getting higher each month. Website classification software running at the network level cannot classify without intercept because, well, the URL is encrypted. If you can go by IP address from a company that does not do intercept you can go anywhere. We see a couple of legitimate websites each day that are infected and the traffic comes in by HTTPS.
It reads like the Russians wrote that thing. "We need to stop companies and governments from decrypting HTTPS because it detects our tools. Let's get their own agency to write a report saying it's a bad thing."
It's all a balance. Companies are responsible for the data they hold about others. They need to protect ALL of that data and not worry about the privacy of some individual on their network doing personal stuff. If you don't want your HTTPS traffic decrypted, save it for home.
Before Nest killed off their community forums 2FA was a major request, probably only second to not installing firmware updates when no one was home to deal with the aftermath of borked equipment.
I wonder when Nest will tell their customers because they haven't done that yet.
Their Family Accounts needs work because once you set up additional accounts they all are administrators of the systems. There's no way to limit who can change what setting. Probably the best feature is that the system uses geo location and can turn on the interior cameras after everyone has left the house and turn them off when the first person comes back.
Probably the worst feature is that they, get this, only send one alert per "zone" per camera every thirty minutes. So if your kid comes home from school and the outdoor camera tells you, anyone can break in for the next thirty minutes and the camera alerts stay off. Dumb, dumb, dumb.
They trumpet their algorithms for motion detection but they can't automatically reset the alerts when motion in a zone has stopped for a minute? The support case I had open replied with "If your neighbor is mowing his lawn we don't want to annoy you." I replied with "So your system isn't smart enough to re-arm the sound alerts when his lawnmower stops?"
A former website vendor experienced a meltdown of a storage system. It occurred three or four years ago and resulted in some instantly-recognizable brand name websites being down for a long time. According to the vendor there was still data in the memory cache so they could not reboot the system as Support recommended; they had to wait until an engineer examined the RAM and the disk to assure they were not going to lose any transactions. It was traced back to a firmware defect. At least that is what the vendor told us. I'll have to look it up and see if we still have the docs since we no longer use them because they went out of the web hosting business (for other reasons). Yes, I thought it was the same model but am not certain.
It guards against precisely one risk and that makes it a point-control and a risk that is far less common than, for example, poor application coding. And it only works if the client cares. That makes it also a client-side control and every client is a single-point-of-failure. There are far more security risks that are real and everyday occurrences that should be focused on first. This is why regulators suck at their jobs; they don't understand the intricacies of the technologies they regulate. I work for a bank and it wasn't that long ago that almost every bank examiner was a retired mainframe admin and that was all they cared about. And yes, we run DNSSEC for exactly one reason: the regulators think it fixes all evil.
Agreed. The 1990's called and they want their exploit back. It sounds like a variation of the FTP Bounce attack way back when. The great part, though, is that many system and "security" admins are too young to remember those good old days or they're just GUI Drivers. If the GUI lets you do it, it must be OK. That's why things we thought we eradicated decades ago are showing up in code today. Kill off something in IPv4 and some new kid comes by and allows it in IPv6. <sigh>
Who the heck would ever write an FTP server in Java anyway? Certainly not Unbreakable Oracle!
> a macro within the document executes two Powershell scripts
> 139.59.46.154:3485/eiloShaegae1 via HTTP
> 45.76.128.165:4443/0w0O6 via HTTP
> 45.76.128.165:4443/0w0O6
So four controls already used in security-conscious organizations, one where the system and network administrators do not administer security devices, would have worked perfectly.
1. Block "PowerShell" in all proxy traffic if it shows up in the User-Agent
2. Remove the ability to execute the two copies of PowerShell from non-administrative users and no, everyone does not have to be an admin.
3. Review your proxy logs for the past several months with an eye towards the destination port. Allow all non-standard destination ports used for business-related sites and drop all others. And review that rule on occasion. You'll see how many bullets you dodged without even knowing it.
4. Run man-in-the-middle HTTPS decryption and in #3 use separate port ranges, one for HTTP and one for HTTPS. None of those non-standard ports have ever been seen in business-related traffic for us, a large bank. 4443 has been seen but never for HTTP. That's a clear deception trick.
Why did I single out "system and network administrators who run security devices"? Like in real estate, those poor people are graded by their management on three things: Availability, Availability and Availability. "I can't get to my cat website because you block dynamic DNS sites running on odd ports!"
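The proxy-log checks from controls #1, #3 and #4 above, as an added example that is not part of the original post: it parses a constructed log format (not any vendor's real one), flags a User-Agent that identifies itself as PowerShell, and flags destination ports not on a per-scheme allowlist. The allowlisted non-standard ports (8080 for HTTP, 8443 for HTTPS) are assumptions standing in for ports a site would have reviewed and approved.

```python
import re
from typing import List, Tuple

# Constructed log format, one request per line (not a real proxy's format):
# <timestamp> <client> <method> <scheme>://<host>:<port><path> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) '
    r'(?P<scheme>https?)://(?P<host>[^:/]+):(?P<port>\d+)(?P<path>\S*) '
    r'"(?P<ua>[^"]*)"$'
)

# Controls #3/#4: separate allowlists per scheme. Standard ports plus
# non-standard ports assumed to have been reviewed and tied to business sites.
ALLOWED_PORTS = {
    "http": {80, 8080},
    "https": {443, 8443},
}

# Constructed sample log. The two PowerShell lines use the destinations quoted
# in the article; the browser lines use reserved example domains.
PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) Firefox/52.0"
SAMPLE_LOG = [
    f'2017-05-01T09:12:03Z 10.1.2.3 GET http://139.59.46.154:3485/eiloShaegae1 "{PS_UA}"',
    f'2017-05-01T09:12:09Z 10.1.2.3 GET http://45.76.128.165:4443/0w0O6 "{PS_UA}"',
    f'2017-05-01T09:13:41Z 10.1.2.7 GET https://crm.example.com:8443/login "{BROWSER_UA}"',
    f'2017-05-01T09:14:02Z 10.1.2.9 GET https://example.net:4443/ "{BROWSER_UA}"',
    f'2017-05-01T09:14:30Z 10.1.2.7 GET http://www.example.com:80/ "{BROWSER_UA}"',
]


def check_line(line: str) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for one log line; empty list means clean."""
    m = LOG_RE.match(line)
    if not m:
        return [("unparseable", line)]
    findings = []
    # Control #1: anything announcing itself as PowerShell in the User-Agent.
    if "powershell" in m["ua"].lower():
        findings.append(("powershell-ua", f'{m["host"]}:{m["port"]}'))
    # Controls #3/#4: the destination port must be approved for its scheme,
    # so 4443 over plain HTTP is caught even if it were approved for HTTPS.
    if int(m["port"]) not in ALLOWED_PORTS[m["scheme"]]:
        findings.append(("nonstandard-port", f'{m["scheme"]} {m["host"]}:{m["port"]}'))
    return findings


def scan(lines: List[str]) -> List[Tuple[int, List[Tuple[str, str]]]]:
    """Scan a log and return (line index, findings) for every line with a hit."""
    hits = []
    for i, line in enumerate(lines):
        findings = check_line(line)
        if findings:
            hits.append((i, findings))
    return hits


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LOG):
        print(idx, findings)
```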
"A Barracuda spokesperson has been in touch to add: "We were able to proactively identify an error in the application definition file..."
So they proactively identified an error after it borked every firewall they pushed it to? Perhaps "proactively" means "Before a customer figured out what we screwed up and told us."
Or maybe "proactively" means "Before every customer who ran VoIP or Office 365 for email could contact us because nothing worked."
Other countries fine them? But then any bribes might see the light of day.
I was at a security conference about four years ago and the FBI "senior level" executive droned on about their electronic crime efforts. During the Q&A I asked him why they went after MoneyGram and not Western Union when it was clear from all of the phishing emails that Western Union had at least as big a hand in that arena. The whole room started nodding and the dude acted like he had never heard of Western Union before.
I figured that either the feds have really good email filters so they never saw any or their secretaries were printing their email out for them.
The great thing about having a manual transmission in 'Murica is that the young punk thieves can't drive them. A fellow up the street from where I work got carjacked at a gas station but the fool couldn't move it because it was a stick. So he had to take off running and leave the car.
I'm convinced the reason people don't use parking brakes is because their parents told them to never do it because the cables would rust up and lock in place. I've had that happen last century when the rear brakes were drums but that was the last time. My kids use it all the time as do I but my wife? Nah. Doesn't matter what kind of incline she's parking on. Put it in park and take your foot off the brake and let the car bounce back and forth on the parking pawl while she messes with her purse.
And all using an SPF soft-fail because we really have no clue who is supposed to be sending emails using our domain. We do know that all 1.2 billion worldwide users of Office 365 are permitted to use our domain IP addresses, though.
DMARC? In all capitals? Isn't that shouting and who is this Marc fellow anyway?
can't find _dmarc.thomascook.com: Non-existent domain
There is no way in heck that Hillary's primary State Dept. "clintonemail.com" Inbox and Outbox only contained 62,000 emails. Zip, nada, none.
What it sounds like is that someone set up that laptop with an automatic sync to clintonemail.com and while Huma may not have used it personally very much, all the time it was running it silently synced EVERYTHING to it. And now the FBI has every email that Huma had access to.
We noticed we were queuing outbound email mid-morning and all were to Barracuda domain MX records on multiple /24 subnets. Several of our vendors were down. Various email testing services either reported they could not even connect or they could get a TCP 25 connection but that was it.
Several years ago a university in Ohio noticed that the image file of their football team picture kept getting bigger and bigger and it was causing slow downloads. They thought it was corrupt so they replaced it and it happened again. Then they got wise and called in the techies. The same server was used for student fees and the malware was writing the card data to the football team picture using steganography. They did have tight egress controls on the web server so this was a way to exfiltrate the data. Literally everyone who visited the page and saw the image of the football team was now in possession of stolen card numbers.
The part that’s missing from their FAQ is when (and how) it was discovered. Perhaps this is how:
"Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account. Since the inception of Yahoo's program in December 2015, …"
Sysadmin #1: “We got the new government hacking detection tool running and we’re already getting hits!”
Sysadmin #2: “Ummm…”
We protect against it at the bank where I work after a pen test years ago used it and managed to get 3 Mbps throughput. DNS tunneling, ICMP tunneling, SSH tunneling, you name it; they're all real threats. It's also a data exfiltration channel used by malware. A fully split DNS is the only way to truly handle this one, though. If internal systems don't need to query DNS servers on the Internet because they go through a proxy server, then don't let them do it. Problem solved.
I finally sold my 1999 car and ended up with a 2016 model that doesn't even have an ignition key. Just keep that fob thingy in your pocket. I actually got so enamored of it that I hated digging into my pocket just to lock and unlock the house. So I put a Kevo on the door between the house and the garage interior. It's very convenient but there's no way I would put one on an exterior door or, God forbid, hook it to the Internet. Kevo has sent a few firmware updates already. It goes to your phone and you just put your phone near the lock for the ten minutes or so it takes to do the update.
At the financial institution where I work we block Tor exit nodes unconditionally if they attempt to access anything but the brochureware website. (We do not block just because it's installed.) Everyone wants the bank to reimburse them for losses due to their own negligence, sorry, "accepted risk", and this is a method we use to keep the bad people out. It does seem a bit odd for a supermarket but one would hope they've correlated incurred losses to Tor and that's why they did it.
Colleagues at international banks, particularly those with clients in South America, have said they see a lot of their legitimate traffic come in via Tor, allegedly because of repressive governments or hiding of assets offshore or whatever. For them the risk of Tor use is low. For us, we've only had attacks come in via Tor so we waved it bye-bye.
From various reports of the incident: They allowed people to release emails from quarantine despite anyone with any sense knowing people are easily fooled. The From address clearly was not from EMC or RSA yet it was about an HR retention (salary) program. RSA, the "Security (revenue) Division of EMC" did not hire their first CISO until after the breach. They had an unsegmented network. They had poor egress controls. They did not have an effective DLP program.
They were easy pickings, just like most of the corporate America run by old guys who are clueless about the 21st century risks.
In a galaxy long, long ago an astute analyst realized that "random" is not normal on the Internet. That meant that patterns of "random" traffic were in fact encrypted communications. Since all encryption mechanisms can be fingerprinted, the terrorists (and journalists) using those custom applications are saying "Nah, nah. You can't read this!" while JSOC is smiling and saying "Let me know how that works out for you." as the cruise missile is targeted. PGP is especially fingerprintable.
Yeah, it happened to me. Connecting it to iTunes as recommended gives a dialog box that something was wrong and asks if I would like to upgrade or restore. I selected Upgrade to 9.3 and it churned for a while, tried it and failed to activate again.
It was about 1 AM by then so I just selected Restore to 9.2.1 and went to bed. When I got up it was operational and I had to go through the initial setup stuff as usual. But when I tried to check for software updates, it said I was already on v9.3. Maybe that happened because I had tried the iTunes upgrade to v9.3 initially. Or maybe it's lying to me. Whatever. It did restore perfectly.
Unfortunately the old iPad 2 does not get Night Shift functionality, so I was sad again. :-)
I started the v9.2.1 restore late last night and when I came down this morning it appeared to be working but still needed all of the setup stuff. It just finished the setup process and Settings says it is now on v9.3. I never told it to proceed with the v9.3 update but it apparently did it by itself when it was connected to iTunes. I'm OK with that but it's still weird.
Many people, including me, are reporting that this update causes your iPad to be stuck on an "Unable to activate. Please try later or connect to iTunes" screen. And if you connect to iTunes, it still does not activate. If you boot into Recovery mode and attempt the 9.3 update again, iTunes will tell you to try the 9.3 update, download it, apply it and still does not work. Mine just finished restoring to 9.2.1 right now, which is the only reported fix.
While I have an old iPad 2 people are reporting this on various models including the much newer iPad Air 1.