Posts by canthinkofagoodname

Today I learned something new! Thank you Mark :)

Re: Insider threat is more nuanced than yes/no to monitoring

Appreciate the clarification :)

Before reading any further, I would like to state emphatically that I am (personally) whole-heartedly against UBM as a matter of principle (privacy, healthy workplace etc.). Professionally however...

For me, the main point of confusion was (to my eye) the conflation between L&M (typically system focussed, traditional infosec rather than the broad-church of "Cyber") and UBM (very much people focussed). It's an important distinction to make, particularly for folks that are not tech inclined or lack the industry experience necessary to understand the difference.

Even with that distinction in mind, not all UBM solutions are equally evil; some are quite benign. I have seen UBM solutions that monitor pretty much everything you do (time in certain apps, websites visited, give managers remote view access to your desktop etc.) (pretty nasty); I've also seen solutions whose sole purpose is to remind you to take a break when you've been at your desk for longer than 1hr. Hardly on the same level.

The context in which this applies matters too; would something like the nasty UBM solution above really be considered unreasonable or viewed as a form of bullying in the context of Highly Classified Gov networks? Or an R&D environment for a Defence Prime for example? At what point does the user's perspective matter more or less than the sensitivity of the system or information they work with?

It's also easy to focus on the negative aspects of these solutions (privacy invasion, lack of trust etc.); for Insider Threat, Hunt, even IR teams, these solutions can be invaluable. Most folks would rather catch the threat early and limit the damage, rather than be stuck investigating the fall-out.

To reiterate, personally I am on board with what you're saying in the article, but professionally I think there are valid use cases for these solutions, and sometimes (here come the down votes haha) that means giving your users feelings on the matter a lower weighting.

Re: missing the point?

Australian Copyright law already has some provision for the quoting side; in essence, you can list headlines and quote snippets of an article provided that summary does not provide enough info that you don't need to read the article as a whole (IANAL, paraphrasing what I recall reading today).

The driver for the News Media Code, or justification, is the combination of:

- Ad revenue which would previously have sustained the news media businesses is now going to Google / FB et alia; and

- News Media Business cannot survive without digital platforms like Google / FB.

It's a measure of redistributing wealth from nominated digital platforms, and news media. No copyright issues at all.

To be clear, I don't support the code; I'm both Australian and have serious concerns about the News Media Oligopoly that is News Corp (Murdoch) and Nine-Fairfax here down-under, and this measure only succeeds in reinforcing that grip those two media moguls have.

Nah

Not the best analogy, as you have to pay the Dr regardless; news media, like any other business operating on the web, does not pay* Google for their service.

Happy to be corrected, but I honestly cannot think of an arrangement elsewhere, where I can use someone's services for free** and also demand that service provider pay me for my use of that same service. It's absurd.

There's plenty to not like about Google and Facebook, but in this case I think they are right to push back.

What has really surprised me is MSFT's apparent support and willingness to comply with the code? Surely the only way they would agree to this is if they thought there was no chance of being added to the code by the treasurer, or if they thought they could get away with changing their position after they grab Google's share of the Aus Search Pie?

*yes I get we are the product, my point being money is not directly changing hands

**free as in "no such thing as a free lunch", but you get the idea.

Re: So I watched the Hearing...

I am not sure I agree with you. The system you refer to would be a deliberate weakness which needs to be maintained by vendors (be it key escrow etc), specifically for the government / law enforcement's use.

I think the exploitation route is (marginally) better as the vulnerabilities being exploited will, over time, be discovered and disclosed allowing Apple et alia to patch them. Law Enforcement / the TLA community will need to keep working at it to keep getting access.

To be clear, I am not a fan of the exploit option either; I just think if the government is already hoarding exploits for a variety of reasons, then they would be better off getting broader usage out of that over introducing a systemic weakness to consumer security.

Re: Classic misdirection and virtue signalling

That may be the case, but if the desired outcome for everyone involved is protection of their data and privacy from overly-broad access and disclosure requests from Government, does Redmond's motivation matter?

Re: Isn't there any logging in Windows?

Powershell v5 supports enhanced logging beyond the normal logging "PS Engine started / Stopped", or "PS Shell opened / closed". Enhanced logging includes stuff like script tracing (kind of like a key logger, but for powershell, also includes logging for spawned or called processes), module logging (triggers events if certain cmdlets or combinations of are executed) etc.

Trouble is, as with any comprehensive logging strategy, it requires a lot of storage to maintain any useful timeframe of logs (and potential costs with implementing something like Splunk or ELK to ingest and index those logs), and company's still shy away from spending buckets of cash on security solutions and strategies which might be needed (i.e. cannot guarantee the need or ROI).

There are other issues at play though too; previous versions of the PS engine can still be present on a system which don't support enhanced logging.

PS v2/3 are perfect examples; they don't provide the same level of support for modern cmdlets, but they also don't support enhanced logging, and are still directly integrated into the .Net Framework. An attacker would still have a massive range of effects using the old engines, and a much lower likelihood of detection.

Haven't read IBM's reporting direct yet, but I would be curious to see what version of PS they typically see actors using...

Confusion

You may be confusing someone attempting a Brute Force / Dictionary / Guess attack with Password Cracking.

As you describe it, the process of throwing multiple of variations of passwords at a login page, with the hope of getting the right combination of username and password is generally referred to as a Brute Force attack. The methods vary, like using a simple password list (dictionary) or using a tool which creates variations of different passwords by substituting letters with numbers, special characters etc. Could also be a case of someone sitting at your computer and manually trying different passwords. Doing this against a system that gradually increases lock out times with each unsuccessful login attempt does make this difficult.

What they are referring to in the article is Password Cracking. The specific example in the article speaks to taking a password hash (the result of using a specific algorithim to turn a normal password into gibberish) and using a tool to brute force it (try every hash combination for the size of the password), or use a rainbow table (a list of precomputed hashes) and simply compare the results until they get a match.

Doing it this way is a much faster way of getting someone's password, but requires either capturing the password hash in transit (like capturing the authentication traffic while you log into El Reg for example), or in AD environments (for example) dumping the password store for offline cracking.

The crux of the article is that an 8 character password hash, hashed by NTLM, can be cracked very quickly, and affordably.

Hope that helps

Re: It's not really about the laptop.

Interesting point, particularly when a good portion (my experience, don't have any data to support claim) of folk working in IT (security or otherwise), if not clinically diagnosed, do show at least some of the behavioral characteristics of someone on the spectrum.

I think assuming NCC would know is a bit of a stretch though. In my last job we had a team of high functioning autists come to work with us; goal of the group who organised it was to help people who are on the spectrum to find and keep work (good cause IMO). Before the group came to the workplace though we had their 'handlers', for lack of a better term, come in to brief us on some of the unique challenges that people on the spectrum, and the people who manage them face.

Turns out that individual managers, and the companies they work for, not knowing how to identify and successfully manage / utilise people on the spectrum is fairly common. That stretches beyond IT though too. I dare say most courses or management programs don't have dedicated learning outcomes for managing people on the spectrum, and if people in management/HR/Recruitment positions have no training or experience in identifying or managing people like that, can't really blame them for getting it wrong either.

As you said, we don't know if this woman has aspergers or some other "on the spectrum" condition, but if she does and NCC didn't manage her well, that would be a fairly typical sort of story.