Posts by Andy Humphreys

11 publicly visible posts • joined 14 Jun 2018

New year, new rant: Linus Torvalds rails at Intel for 'killing' the ECC industry

Andy Humphreys

Re: Alternatives are available

Fair comment if you are indeed just running a very simple file server. For me, I'm also running NFS and iSCSI to support vSphere datastores, as well as running a few jail-based apps, incl. Plex, which sometimes benefits from the CPU when transcoding.

I guess one's perspective of what is reasonable cost depends on the direct benefits that will arise. I'm hosting around 60TB of data, so it was worth the extra pennies to get the additional protection.

Andy Humphreys

Re: Alternatives are available

You don't need a server grade board nowadays. I've got a Gigabyte X570 Gaming X board coupled with a Ryzen 7 2700X and 64GB (2x32GB) Samsung ECC happily running TrueNAS Core 12.

Cost of board about £170, memory £325, processor £200. Runs my RAID-Z1 vdevs very well!

Capital One gets Capital Done: Hacker swipes personal info on 106 million US, Canadian credit card applicants

Andy Humphreys

Ineffective Encryption?

I found the Encryption FAQ on their press release to be a little disingenuous:

"We encrypt our data as a standard. Due to the particular circumstances of this incident, the unauthorized access also enabled the decrypting of data.

However, it is also our practice to tokenize select data fields, most notably Social Security numbers and account numbers. Tokenization involves the substitution of the sensitive field with a cryptographically generated replacement. The method and keys to unlock the tokenized fields are different from those used to encrypt the data. Tokenized data remained protected."

To me, it would seem that other than selective tokenisation, they are just using some form of full disk or transparent encryption of data at rest.

Great if someone can walk into a data center and walk out with the disk, but otherwise fallible to any legitimate command that can coerce the data off the disk.

Perhaps if they had looked at encrypting/decrypting in application in conjunction with HSMs or similar, then the risk of such a clear-text exposure could have been more reduced?

Want to hack a hole-in-the-wall cash machine for free dosh? It's as easy as Windows XP

Andy Humphreys

XP Version

The NCR machine here at the Tesco Superstore up the road from the office shows Windows XP Professional, copyright 1983-2001! When I took the picture of the machine last June, it was in a state of shutdown, but frozen up..

Whether embedded or not, to any customer who has been spoon fed the risks of staying with XP, it then doesn't look that brilliant..

Don't make us pay compensation for employee data breach, Morrisons begs UK court

Andy Humphreys

...He used TOR on his personal computer.

OK well I'm obviously not as close to it as you are, but fair enough on that point if that's the case.

I'm still not so sure that's any better for Morrisons. He still managed to get the data out of Morrisons, and then onto/through his PC to send it through Tor. Still indicates a sub-standard control structure in my opinion..

Andy Humphreys

..in reply to Techdrone

Preventing employees from being able to install the software in the first place would have been a better move. A content/category filtering proxy or firewall with TLS inspection might help to discover and block traffic that did make it to the border. U/NBA devices might help to detect an anomaly.

My point is that for an organisation the size of Morrisons, I should hope that they do have these sorts of measures and controls in place. I've seen organisations much smaller who can achieve this, so why not them? Exfiltration in the manner you described, through 80/443, would be an absolute triviality without those proxy/FW measures. Finally, insiders account for around 75% of all data breaches. The controls absolutely have to prioritise those sorts of potential incidents, be they deliberate or accidental.

Andy Humphreys

Yep, I would agree with the above. Why should Morrisons not have to take some responsibility for what in effect is a personal data breach that - with better controls - could have either been made much more difficult to achieve, or could have been detected much sooner, perhaps even thwarted?

If this were a Financial Services Org, then excrement would be hitting the fan and sticking..

There are plenty of technologies out there able to help lock down the use of Tor etc. and other DLP bits and pieces, not to mention logging, monitoring and alerting..

I can't see much evidence that any of this was in effective use..

Plex plucks media cloud service, sends users scurrying to exit

Andy Humphreys

Re: So what is plex pass for?

I host all of my content on a 12TB custom built storage device, FreeNAS running, and with Plex running there in a jail, with a secondary Media Server on another machine, NFS attached to the storage.

For me, Plex Pass is about being able to Sync (and transcode on the fly) content down to my phone. I travel a lot, and so it's nice to be able to pull a few albums down, or maybe even a couple of films/TV, whatever. And the beauty is I don't even have to be at home. I can do it at the airport whilst I'm waiting to board! Or if I don't sync, then once I've got an internet connection, I just stream it straight from my server to my laptop. Kodi can't do that.

I'm even experimenting at the moment with an Android based Car Head Unit - installed Plex and I can either sync or just stream stuff straight down to the car, wherever I happen to be.

Don't need the cloud.. and the Plex Pass is relatively nothing in terms of cost anyhow..

Back up a minute: Veeam database config snafu exposed millions of customer records

Andy Humphreys

Off to the Cloud...

Do they recall writing this I wonder..?

https://www.veeam.com/blog/cloud-backup-security-concerns.html

Dixons Carphone: Yeah, so, about that hack we said hit 1.2m records? Multiply that by 8.3

Andy Humphreys

Companies can store the PAN (16-digit number) and remain PCI DSS compliant, so long as it's properly protected and they comply with all the other requirements that kick in when storage of the PAN is chosen. They cannot store the sensitive data such as mag stripe data & CV2.

But I would agree, there cannot be many situations left where anybody would absolutely need to keep the full PAN itself. Most if not all PSPs nowadays will provide a tokenisation option, and so any storage should be of the token, for any company that might need to carry out repeat payments etc.

Dixons Carphone 'fesses to mega-breach: Probes 'attempt to compromise' 5.9m payment cards

Andy Humphreys

Re: There's another weasel clause right there

My bet is that they were actually performing a data/systems check for GDPR (a little late) and in that process they found they had been breached last year. So now they know about the breach, they have to report it within 72 hours. My view is that it points to the theory that they have relevant event logging, but nobody was monitoring it, or, if there was an alert, it was missed or ignored. Either way, seems like a cock-up..