* Posts by Amos1

204 posts • joined 9 Feb 2014


'I feel violated': Engineer who pointed out traffic signals flaw fined for 'unlicensed engineering'


I wonder how all of the Sanitary Engineers will feel about this. They might go on strike if we start calling them "janitors" again.

Peace in our time! Symantec says it can end Google cert spat


If auditors can conduct IT system security assessments...

Shouldn't IT security people be able to perform financial statement audits?

Juniper's first quarter: Revenue and losses up. Business as usual, then


Seriously, losing money year after year in security?

What a bunch of clowns. The fastest growing market is security and they have lost significant market share every year. The only bigger clowns are the people who buy SRX "firewalls" because of their low price. In other news, Juniper can barely give their "security" products away. Their notworking products are wonderful as well. All they need to do is add hard-coded backdoor admin credentials and they'll have surpassed Cisco in that market share.

Oh wait, they already got backdoored by a third-party for years and never knew it. Never mind.

Victory! The smell of skunkworks in your office in the morning


How do you handle the legal part of governnance?

In the USofA it's called Sarbanes-Oxley and covers all material portions of a public corporation. Specifically, changes to applications that could be material to a company's financial reporting (any application of major significance) needs to go through formal testing and have formal business owner sign-off to proceed to the next step. If someone wants to fire up DevOps for immaterial applications, go for it. But if you want to make a real impact on the business as a going concern, what's the point? We're not working under Uber's "disregard all the rules and laws" playbook.

DTMF replay phreaked out the Dallas tornado alarm, say researchers


Same old, same old

Same thing happened in the city where I live about a decade ago. Used a city channel assigned to the service department. The person who did it ran his prank about 3:30 AM once and the city called it a malfunction. Then it happened again at 3:30 AM but this time someone heard the tones. Did they catch the person? Probably but they couldn't prove it. How did they catch him? He shot his mouth off to some friends who were already mad about what happened and one called the cops. But they could never find the radio and he denied it and it never happened again. The city said it would cost $40,000 to encrypt the radio signal so they shut the sirens down. Then a tornado blew through town and they had to rebuild the whole thing and make it operational again. Typical government operation.

Prisoners built two PCs from parts, hid them in ceiling, connected to the state's network and did cybershenanigans


Re: Microsoft Proxy Server

802.1x on Windows is a massive PITA. Anyone who promotes it probably has never done it in a Microsoft environment. We had so many problems with it on Windows 7 that we set a Scheduled Task to reboot one PC every five minutes so we could get MS enough data so they could then create a hotfix which you later had to know about to ask for. The PC went into thermal overload after the first week because it had been rebooted so many times. Why every five minutes? We had branches where PCs would suddenly fail 802.1x, had to be rebooted and then would work for a week. It was happening to hundreds of them every week but only once per week. And they were all shut off each night so it wasn't an uptime or heat thing that caused it. Turned out to be a race condition. When we started testing 8.1 the same thing happened and 802.1x left the buildings.


Re: Hang on, they were using What?

My thoughts precisely.But it's a government, one that has people's tax returns so you know that data security is of paramount concern to the State. Hahahahahahahahahahaha!

McAfee is McAfee again, promises security with kum ba yah


Perhaps someone with Photoshop skills could paste John McAfee's picture in the middle of that logo

He would look like he had horns.

Schneider Electric still shipping passwords in firmware


Next headline: "Cisco buys Schneider Electric"

Why not? It seems they both like hard-coded backdoor passwords so half of the integration work is already done.

WONTFIX: No patch for Windows Server 2003 IIS critical bug – Microsoft


Re: Numbers?

The version of IIS is inextricably tied to the operating system version. Server 2003 was IIS 6.0 and I think XP was IIS 6.1


Re: re: I think you'll find that's what we do :-)

Does Outlook Web Access still rely on WebDAV? If so I'd bet a bunch of those are OWA servers in small companies and thus also a domain controller.

Of course this is still better than my last employer in manufacturing. They finally switched away from Windows NT 4 and Exchange 5.5 in 2010. No, not kidding.


Re: "not because of any technical reason"

It's rarely the technology that's the problem and almost always the implementation.

Google slaps Symantec for sloppy certs, slow show of SNAFUs


Here's the paragraph that will cost Symantec a lot of money:

"Given the nature of these issues, and the multiple failures of Symantec to ensure that the level of assurance provided by their certificates meets the requirements of the Baseline Requirements or Extended Validation Guidelines, we no longer have the confidence necessary in order to grant Symantec-issued certificates the “Extended Validation” status. As documented with both the current and past misissuance, Symantec failed to ensure that the organizational attributes, displayed within the address bar for such certificates, meet the level of quality and validation required for such display. Therefore, we propose to remove such indicators, effective immediately, until Symantec is able to demonstrate the level of sustained compliance necessary to grant such trust, which will be a period no less than a year. After such time has passed, we will consider requests from Symantec to re-evaluate this position, in collaboration with the broader Chromium community."

Did yo catch the "effective immediately" part?

The bank I work for has been reticent to leave Symantec because of old people afraid of change. Not any more. We're moving to replace every Symantec certificate we use because we rely on EV certs as part of our customer anti-phishing education campaign. And we just saved tens of thousands of dollars a year as well.

Nest cameras can be easily blacked out by Bluetooth burglars


Re: I wonder where that version number came from

"214-610025 ... 205-600052 ... 5.6-7

That's fascinating. I'd like to learn more. Can you tell us your home address as well, please?"

Sure, I trust you know how to fix this, huh? Thanks for the offer! My address is:

725 5th Ave

New York



Just tell the doorman you're here to see me about the security cameras.



I wonder where that version number came from

Both of my Nest Outdoor cameras show a version of 214-610025 and my two DropCam Pro inside cameras show a version of 205-600052. His advisory says it affects all of them.

The thermostat has used version numbering in a format similar to "5.2.1" but mine is 5.6-7 (not a typo).

Are you undermining your web security by checking on it with the wrong tools?


Re: Bit disappointed

Agreed. They regurgitated some reports on client-side home user products and interpolated it into real data. Right. The reality is that 50% of web traffic is now HTTPS and getting higher each month. Website classification software running at the network level cannot without intercept because, well, the URL is encrypted. If you can go by IP address from a company that does not do intercept you can go anywhere. We see a couple of legitimate websites each day that are infected and the traffic comes in by HTTPS.

It reads like the Russians wrote that thing. "We need to stop companies and governments from decrypting HTTPS because it detects our tools. Let's get their own agency to write a report saying it's a bad thing."

It's all a balance. Companies are responsible for the data they hold about others. They need to protect ALL of that data and not worry about the privacy of some individual on their network doing personal stuff. If you don't want your HTTPS traffic decrypted, save it for home.

Aah, all is well in the world. So peaceful, so– wait, where's the 2FA on IoT apps? Oh my gawd


Good first move by Nest but it took way too long and their "family accounts" are not that good

Before Nest killed off their community forums 2FA was a major request, probably only second to not installing firmware updates when no one was home to deal with the aftermath of borked equipment.

I wonder when Nest will tell their customers because they haven't done that yet.

Their Family Accounts needs work because once you set up additional accounts they all are administrators of the systems. There's no way to limit who can change what setting. Probably the best feature is that the system uses geo location and can turn on the interior cameras after everyone has left the house and turn them off when the first person comes back.

Probably the worst feature is that they, get this, only send one alert per "zone" per camera every thirty minutes. So if your kid comes home from school and the outdoor camera tells you, anyone can break in for the next thirty minutes and the camera alerts stay off. Dumb, dumb, dumb.

They trumpet their algorithms for motion detection but they can't automatically reset the alerts when motion in a zone has stopped for a minute? The support case I had open replied with "If your neighbor is mowing his lawn we don't want to annoy you." I replied with "So your system isn't smart enough to re-arm the sound alerts when his lawnmower stops?"

Wow, did you see what happened to Veracode? Oh no, no, it's not dead. It's been bought by CA


Well, I guess we're not going to proceed with Veracode then

Too bad. I really like their products but only old, entrenched IT bods will buy IBM, HP or CA. This product will go down the toilet soon.

3Par brought down Australian Tax Office with >REDACTED<


Re: Don't hide behind it

A former website vendor experienced a meltdown of a storage system. It occurred three or four years ago and resulted in some instantly-recognizable brand name websites being down for a long time. According to the vendor there was still data in the memory cache so they could not reboot the system as Support recommended; they had to wait until an engineer examined the RAM and the disk to assure they were not going to lose any transactions. It was traced back to a firmware defect. At least that is what the vendor told us. I'll have to look it up and see if we still have the docs since we no longer use them because they went out of the web hosting business (for other reasons). Yes, I thought it was the same model but am not certain.

1.37bn records from somewhere to leak on Monday


One of the clues given was "food" / "water" and "It's not what you think"

That's from the Twitter account of the person he's working with. That make me think of a large disaster relief provider like the International Red Cross. From the screenshot it's a MySQL database so you know, "free".

How's your online bank security looking? The Dutch studied theirs and... yeah, not great


DNSSEC is fairly worthless in the real world

It guards against precisely one risk and that makes it a point-control and a risk that is far less common than, for example, poor application coding. And it only works if the client cares. That makes it also a client-side control and every client is a single-point-of-failure. There are far more security risks that are real and everyday occurrences that should be focused on first. This is why regulators suck at their jobs; they don't understand the intricacies of the technologies they regulate. I work for a bank and it wasn't that long ago that almost every bank examiner was a retired mainframe admin and that was all they cared about. And yes, we run DNSSEC for exactly one reason: the regulators think it fixes all evil.

Java and Python have unpatched firewall-crossing FTP SNAFU


Re: Classic mode FTP

Agreed. The 1990's called and they want their exploit back. It sounds like a variation of the FTP Bounce attack way back when. The great part, though, is that many system and "security" admins are too young to remember those good old days or they're just GUI Drivers. If the GUI let's you do it, it must be OK. That's why things we thought we eradicated decades ago are showing up in code today. Kill off something in IPv4 and some new kid comes by and allows it in IPv6. <sigh>

Who the heck would ever write an FTP server in Java anyway? Certainly not Unbreakable Oracle!

Revealed: Web servers used by disk-nuking Shamoon cyberweapon


> a macro within the document executes two Powershell scripts

> via HTTP

> via HTTP


So four controls already used in security-conscious organizations, one where the system and network administrators do not administer security devices, would have worked perfectly.

1. Block "PowerShell" in all proxy traffic if it shows up in the User-Agent

2. Remove the ability to execute the two copies of PowerShell from non-administrative users and no, everyone does not have to be an admin.

3. Review your proxy logs for the past several months with an eye towards the destination port. Allow all non-standard destination ports used for business-related sites and drop all others. And review that rule on occasion. You'll see how many bullets you dodged without even knowing it.

4. Run man-in-the-middle HTTPS decryption and in #3 use separate port ranges, one for HTTP and one for HTTPS. None of those non-standard ports have ever been seen in business-related traffic for us, a large bank. 4443 has been seen but never for HTTP. That's a clear deception trick.

Why did I single out "system and network administrators who run security devices"? Like in real estate, those poor people are graded by their management on three things: Availability, Availability and Availability. "I can't get to my cat website because you block dynamic DNS sites running on odd ports!"

Parents have no idea when kidz txt m8s 'KMS' or '99'


We use LOL at work all the time because the managers don't understand it

Lack of Leadership

Happy Friday: Busted Barracuda update borks corporate firewalls


PR people have no soul or conscience

"A Barracuda spokesperson has been in touch to add: "We were able to proactively identify an error in the application definition file..."

So they proactively identified an error after it borked every firewall they pushed it to? Perhaps "proactively" means "Before a customer figured out what we screwed up and told us."

Or maybe "proactively" means "Before every customer who ran VoIP or Office 365 for email could contact us because nothing worked."

Western Union coughs up $586m for turning a blind eye to fraudsters


Other countries fine them? But then any bribes might see the light of day.

I was at a security conference about four years ago and the FBI "senior level" executive droned on about their electronic crime efforts. During the Q&A I asked him why they went after MoneyGram and not Western Union when it was clear from all of the phishing emails that Western Union had at least as big a hand in that arena. The whole room started nodding and the dude acted like he had never heard of Western Union before.

I figured that either the feds have really good email filters so they never saw any or their secretaries were printing their email out for them.

Chevy Bolt electric car came alive, reversed into my workbench, says stunned bloke


The great thing about having a manual transmission in 'Murica is that the young punk thieves can't drive them. A fellow up the street from where I work got carjacked at a gas station but the fool couldn't move it because it was a stick. So he had to take off running and leave the car.

I'm convinced the reason people don't use parking brakes is because their parents told them to never do it because the cables would rust up and lock in place. I've had that happen last century when the rear brakes were drums but that was the last time. My kids use it all the time as do I but my wife? Nah. Doesn't matter what kind of incline she's parking on. Put in in park and take your foot off the brake and let the car bounce back and forth on the parking pawl while she messes with her purse.


Interesting that he claims the car would have gone forward had he left it in gear since he obviously backed it into the garage.

US cops seek Amazon Echo data for murder inquiry


Whay don't they just look in the Alexa app on his phone?

The app keeps a transcript of EVERYTHING it hears so you can mark it as correct or not. If something is in there it would let them narrow the warrant. If it had all been erased, it would give them other grounds.

A single typo may have tipped US election Trump's way


"a illegitimate" - Utter BS and CYA'ing

No one would write a sentence that way. "This is a illegitimate email". Seriously? More MSM cover-up for clowns in jobs beyond their competencies.

Virgin Media users report ongoing problems delivering legit emails. Again


Re: We send a few hundred million messages a month to domains all over the world

And all using an SPF soft-fail because we really have no clue who is supposed to be sending emails using our domain. We do know tat all 1.2 billion worldwide users of Office 365 are permitted to use our domain IP addresses, though.

DMARC? In all capitals? Isn't that shouting and who is this Marc fellow anyway?

can't find _dmarc.thomascook.com: Non-existent domain

El Paso city bungs $3.2m to email crooks pretending to be bosses


Don't worry. All of your income tax returns are totally safe with your city or school district.

Yeah, I live in one of the states that allow cities to leverage an income tax against their citizens. :-(

Computer forensics defuses FBI's Clinton email 'bombshell'


Re: Here's the math that does not add up

And if she does get elected, she and Bill will have His n' Hers matching impeachment documents to laugh at.


Here's the math that does not add up

There is no way in heck that Hillary's primary State Dept. "clintonemail.com" Inbox and Outbox only contained 62,000 emails. ZIp, nada, none.

What it sounds like is that someone set up that laptop with an automatic sync to clintonemail.com and while Huma may not have used it personally very much, all the time it was running it silently synced EVERYTHING to it.And now the FBI has every email that Huma had access to.

Barracuda email security scanning services in worldwide TITSUP


Clobbered the US also

We noticed we were queuing outbound email mid-morning and all were to Barracuda domain MX records on multiple /24 subnets. Several of our vendors were down. Various email testing services either reported they could not even connect or they could get a TCP 25 connection but that was it.

US DNC hackers blew through SIX zero-days vulns last year alone


What they didn't say...

Was whether the exploits came from that 2013 NSA stash or from that new guy, the one who swiped "terabytes" of NSA documents and files, including exploits. If so, that would diminish the fact that it was a non-USA state actor.

Crims cram credit card details into product shots on e-shops


Old trick, actually

Several years ago a university in Ohio noticed that the image file of their football team picture kept getting bigger and bigger and it was causing slow downloads. They thought it was corrupt so they replaced it and it happened again. Then they got wise and called in the techies. The same server was used for student fees and the malware was writing the card data to the football team picture using steganogaphy. They did have tight egress controls on the web server so this was a way to exfiltrate the data. Literally everyone who visited the page and saw the image of the football team was now in possession of stolen card numbers.

US govt straight up accuses Russia of hacking prez election


Re: Wait...

Yeah, really. The Russians are such amateurs. We just wait to see how it turns out and if we don't like it, we overthrow the government and install our own puppets. Because it always turns out so well for us, like Iran in the 50's. <sigh>

My Nest smoke alarm was great … right up to the point it went nuts


Bulk battery buy?

I'm pretty sure my Nest Protects take special AA-sized batteries, not regular ones. Lithium ion's or something. That's why they have years of life.

Half! a! billion! Yahoo! email! accounts! raided! by! 'state! hackers!'


The part that’s missing from their FAQ is when (and how) it was discovered. Perhaps this is how:

"Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account. Since the inception of Yahoo's program in December 2015, …"

Sysadmin #1: “We got the new government hacking detection tool running and we’re already getting hits!”

Sysadmin #2: “Ummm…”

Suspicious DNS activity runs rife


It is a real threat, though

W protect against it at the bank where I work after a pen test years ago used it and managed to get 3 M/bps throughput. DNS tunneling, ICMP tunneling, SSH tunneling, you name it; they're all real threats. It's also a data exfiltration channel used by malware. A fully split DNS is the only way to truly handle this one, though. If internal systems don't need to query DNS servers on the Internet because they go through a proxy server, then don't let them do it. Problem solved.

IoT manufacturer caught fixing security holes


I put one in, a Kevo

I finally sold my 1999 car and ended up with a 2016 model that doesn't even have an ignition key. Just keep that fob thingy in your pocket. I actually got so enamored of it that I hated digging into my pocket just to lock and unlock the house. So I put a Kevo on the door between the house and the garage interior. It's very convenient but there's no way I would put one on an exterior door or, God forbid, hook it to the Internet. Kevo has sent a few firmware updates already. It goes to your phone and you just put your phone near the lock for the ten minutes or so it takes to do the update.

Tor torpedoed! Tesco Bank app won't run with privacy tool installed


Re: Missing the point again (@ Charles 9)

Relying on client-side controls for security, as in the app, is a fool's game. Physical possession = Game Over as far as any kind of security goes. It can help you reduce the number of incidents but that's it.


A bit heavy-handed but the intent is understandable

At the financial institution where I work we block Tor exit nodes unconditionally if they attempt to access anything but the brochureware website. (We do not block just because it's installed.) Everyone wants the bank to reimburse them for losses due to their own negligence, sorry, "accepted risk", and this is a method we use to keep the bad people out. It does seem a bit odd for a supermarket but one would hope they've correlated incurred losses to Tor and that's why they did it.

Colleagues at international banks, particularly those with clients in South America, have said they see a lot of their legitimate traffic come in via Tor, allegedly because of repressive governments or hiding of assets offshore or whatever. For them the risk of Tor use is low. For us, we've only had attacks come in via Tor so we waved it bye-bye.

Quiet cryptologist Bill Duane's war with Beijing's best


"excelled in plundering highly-secure US firms." - Why is this in the RSA breach story?

From various reports of the incident: They allowed people to release emails from quarantine despite anyone with any sense knowing people are easily fooled. The From address clearly was not from EMC or RSA yet it was about an HR retention (salary) program. RSA, the "Security (revenue) Division of EMC" did not hire their first CISO until after the breach. They had an unsegmented network. They had poor egress controls. They did not have an effective DLP program.

They were easy pickings, just like most of the corporate America run by old guys who are clueless about the 21st century risks.

Stop resetting your passwords, says UK govt's spy network


Re: No words in any language

How long have you worked at GCHQ? Isn't the real reason for this "advice" because it makes your job too hard when the old password no longer work?

How to evade the NSA: OpSec guide for journalists also used by terrorists


Sure, keep on using those custom tools

In a galaxy long, long ago an astute analyst realized that "random" is not normal on the Internet. That meant that patterns of "random" traffic were in fact encrypted communications. Since all encryption mechanisms can be fingerprinted, the terrorists (and journalists) using those custom applications are saying "Nah, nah. You can't read this!" while JSOC is smiling and saying "Let me know how that works out for you." as the cruise missile is targeted. PGP is especially fingerprintable.

WordPress pushes free default SSL for hosted sites


Re: Pwnd

Yeah, no kidding, If your employer doesn't do HTTPS decryption they are going to get whacked hard. Then more employers will do HTTPS decryption, reducing the over all security of the end user. What a "duh" move.

Don't – don't – install iOS 9.3 on your iPad 2: Upgrade bricks slabs


Yeah, it happened to me. Connecting it to iTunes as recommended gives a dialog box that something was wrong and asks if I would I like to upgrade or restore. I selected Upgrade to 9.3 and it churned for a while, tried it and failed to activate again.

It was about 1 AM by then so I just selected Restore to 9.2.1 and went to bed. When I got up it was operational and I had to go through the initial setup stuff as usual. But when I tried to check for software updates, it said I was already on v9.3. Maybe that happened because I had tried the iTunes upgrade to v9.3 initially. Or maybe it's lying to me. Whatever. It did restore perfectly.

Unfortunately the old iPad 2 does not get Night Shift functionality, so I was sad again. :-)

Apple Macs, iPhones, iPads, Watches, TVs can be hijacked by evil Wi-Fi, PDFs – update now


v9.3 update and iPads - This is weird

I started the v9.2.1 restore late last night and when I came down this morning it appeared to be working but still needed all of the setup stuff. It just finished the setup process and Settings says it is now on v9.3. I never told it to proceed with the v9.3 update but it apparently did it by itself when it was connected to iTunes. I'm OK with that but it's still weird.



Biting the hand that feeds IT © 1998–2020