Re: I did the same by accident...
Name me one Linux admin who hasn't done "rm -rf * " in the wrong directory.
It is a rite of passage, and you only do it once - followed by the swearing and then fixing it whilst hiding your tracks ...
Due to the proliferation of bots on the net these days, a lot of outfits use their CDN services as a security defence layer as well (as the CDNs have the scale to see the troublesome blighters and leverage this in their products). This means the origin addresses are locked down, and you can't go directly.
This doesn't explain the case above routing through lots of different CDN services - that just looks like rubbish network design, or maybe the ISP is taking advantage of other people's transit ...
The data that was leaked was scraped "accidentally" from Facebook's site. They would have sold it to whoever paid them anyway - that is how they make their millions / billions.
The fact that someone acquired it for nothing is bad in Facebook's eyes, so they closed the door on this.
If something is free - you are the product...
And re the above comment about it being creepy - yes, Facebook / Google et al tracking & monetisation is insidious - web marketeers give them the data for their customers, and buy their own customers' data back in bulk ... meh
The main challenge with these IT courses, from GCSE, through A level and on towards degree, is that the material being taught is already 3-5 years old, and the world has moved on.
Having spent a few decades in IT, I'm now firmly of the belief that real world experience is far better for anyone wanting a career in IT, and don't set any store in those presenting me with their MSc level qualifications in their CV. What I do find unfortunate is a tendency for new starters to want to go straight into an IT specialism (such as Cyber Security), without having done the hard miles first on the likes of an IT support desk, or infrastructure teams.
Learn what the users want and need, and how it works, before making the dive into a specialism folks :)
If Akamai went down, it would probably affect everybody (well, non-China anyway).
The Internet is held together with gaffer tape, and at some point it will break. Although of course it's meant to be resilient, but if all the traffic ends up being routed under some road in Africa / India / Basingstoke (delete as appropriate) ....
Advertising companies just make things worse - I'll be glad when 3rd party cookies are fully banned, although not via Google's intended method please.
If it's Apple doing the MITM - they own the browser and the device. They can put whatever certificates they like into the system, suppress warnings on their "special" certificates, and the average user wouldn't notice.
That's the truly scary bit. But hey - it's shiny
If a public VPN provider is MITMing the connection, it's the same scenario as the user has just installed the VPN app, and probably ignored the permissions required (which will include the certs etc). Apart from tin foil hat scenarios, the only real reason to use these is to bypass regional restrictions - laudable in a few situations, but only a few ...
Why do they think that proxying a connection is a security improvement? It just means that they can listen in on any web sessions being carried out (particularly if MITMing the connection) - and that is quite apart from slowing down the user experience as well, whilst you wait for the traffic to go to and from Apple's services ...
No different to believing that your public service VPN company isn't also tracking and monitoring everything you do. If you aren't in control, it's not "secure" ...
The £18M figure plucked from the air piqued my interest - so 10 minutes of (insert evil search engine name here) later, I see they've recently signed a £14M contract for organic waste disposal, so perhaps related (it will likely be flushed down the drain after all)
Some interesting information available publicly on what they are currently contracted for - with associated mad deals (including 30 year PFI contracts ...)
Having done a fair few PCI DSS compliance reviews over the last 15 years, I've come to the firm conclusion that the whole point of it is to try and offload the responsibility on to the payment provider (i.e. use their code / servers etc) - not try and do it yourself. Some pretty clever stuff being done these days, with field level iframes etc, to make it entirely transparent to the user.
The PCI standard might have worked in 2004 - but doesn't work in 2020, when using API driven services, fronted by cloud load balancers etc. (Have you ever tried to get a VA scan through Akamai? ...)
Get down to the basic SAQ-A, and it ends up with "do you have some InfoSec policies", and "Do you sack people" - job done.
Whilst bypassing the fact that most accounting organisations & banks rely on Excel to massage / produce their company official financials (so you can really trust what you see - not) - isn't the real elephant in the room the fact that all this data is now stored on x number of laptops, network file shares / Teams / DropBox / Google Drive etc etc?
Nice small data exposure to be considered - but I guess that GDPR / DPA has been forgotten about in these strange times
Biting the hand that feeds IT © 1998–2021