* Posts by Security nerd #21

20 publicly visible posts • joined 6 Oct 2020

Businesses confess: We pass cyberattack costs onto customers

Security nerd #21

Re: Passing the cost to customers

"I have a hard time believing that bigger enterprises will have 20% of their computers connected to the internet without even a firewall in between."

You'd be surprised unfortunately. Many companies don't even know what kit they are running - let alone the challenges with misconfigured cloud services, and shadow IT introduced by the business teams.

JavaScript library updated to wipe files from Russian computers

Security nerd #21

Re: Any sanctions?

Your browser will download what it is told to from the web server you are connecting to - and that will be independent of any other browser tabs and the versions of JavaScript modules loaded on those pages.

The NPM updates would be on the web server and then distributed to the clients on page load.

Whether your browser tab will do stuff outside of its sandbox is subject to the browser version, desktop security, and user stupidity (e.g. "Click here to win lots of money"). This is regardless of platform - Windows / Linux or Mac.

As other people have noted, doing NPM updates from the web blindly is not good practice - but unfortunately some web developers don't see it that way.
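A check for the "blind NPM updates" point above, added here as an example and not code from the post or from any project it mentions: it flags package.json specifiers that let npm pull a newer release on its own, and lists declared dependencies that the lockfile does not pin with a resolved version and an integrity hash. The manifests it runs against are constructed for the example.

```javascript
// Added example (not from the post or any project it mentions): audit a
// package.json for dependency specifiers that let "npm install" silently pick
// up a newer release, and check that a lockfile pins each declared dependency
// with a resolved version and an integrity hash. All manifests below are
// constructed for this example.

// Exact version: 1.2.3, optionally with a prerelease/build suffix.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Returns null for a pinned version, otherwise a short reason why it floats.
function classifyRange(range) {
  const r = String(range).trim();
  if (EXACT_VERSION.test(r)) return null;
  if (r === '' || r === '*' || r.toLowerCase() === 'latest' || /^x$/i.test(r)) return 'any version accepted';
  if (/^[\^~]/.test(r)) return 'floating semver range (caret/tilde)';
  if (/^[<>=]/.test(r)) return 'open comparator range';
  if (/^(git\+|https?:|github:|file:|[^/\s]+\/[^/\s]+$)/.test(r)) return 'non-registry source';
  return 'non-exact specifier';
}

function findUnpinnedDependencies(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      const reason = classifyRange(range);
      if (reason) findings.push({ field, name, range, reason });
    }
  }
  return findings;
}

// lockfileVersion 2/3 lists resolved packages under "packages", keyed by their
// node_modules path; lockfileVersion 1 uses "dependencies", keyed by name.
function findLockfileGaps(pkg, lock) {
  const gaps = [];
  const declared = { ...pkg.dependencies, ...pkg.devDependencies, ...pkg.optionalDependencies };
  for (const name of Object.keys(declared)) {
    const entry =
      (lock.packages && lock.packages[`node_modules/${name}`]) ||
      (lock.dependencies && lock.dependencies[name]);
    if (!entry) { gaps.push({ name, reason: 'not in lockfile' }); continue; }
    if (!entry.version) gaps.push({ name, reason: 'no resolved version' });
    if (!entry.integrity) gaps.push({ name, reason: 'no integrity hash' });
  }
  return gaps;
}

// Constructed sample manifest: only "pinned-lib" is locked to one release.
const samplePackage = {
  name: 'sample-web-app',
  dependencies: {
    'sample-ipc': '^9.2.1',                    // caret: any 9.x.y newer than 9.2.1 is accepted
    'pinned-lib': '1.4.2',
    'any-lib': '*',
    'forked-lib': 'github:someone/forked-lib', // not from the registry at all
  },
  devDependencies: { 'build-tool': '>=2.0.0' },
};

// Constructed lockfile (v3 layout); integrity values are placeholders, not real hashes.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/sample-ipc': { version: '9.2.1', integrity: 'sha512-PLACEHOLDER1' },
    'node_modules/pinned-lib': { version: '1.4.2', integrity: 'sha512-PLACEHOLDER2' },
    'node_modules/any-lib': { version: '3.0.0' },   // no integrity hash
    'node_modules/build-tool': { version: '2.1.0', integrity: 'sha512-PLACEHOLDER3' },
    // forked-lib is missing entirely
  },
};

for (const f of findUnpinnedDependencies(samplePackage)) {
  console.log(`${f.field}/${f.name} "${f.range}": ${f.reason}`);
}
for (const g of findLockfileGaps(samplePackage, sampleLock)) {
  console.log(`lockfile: ${g.name}: ${g.reason}`);
}
```

Run it with node. Pairing a fully pinned lockfile with `npm ci` (which refuses to install when package.json and package-lock.json disagree) is the usual way to stop the server-side build picking up a surprise release that then gets served to every client on page load.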

'Admin error': AWS in dead company data centre planning application snafu in Oxfordshire

Security nerd #21

Re: Rather close together

Cheltenham's not that far away from Swindon either, so perhaps some dark fibre between the sites? ...

Avira also mines imaginary internet money on customers' PCs

Security nerd #21

Re: Serious question from MS users

Windows Defender + OpenDNS / CleanBrowsing seems to have prevented my extended family machines getting malware for a few years now.

Good enough I think - and the only callout I've had was for a Windows scam (the relation was highly embarrassed)

UK government tool to monitor its legacy application estate is… LATE

Security nerd #21

Re: Late?

That assumes they aren't using an old version of Excel and hitting the max number of records issue (sound familiar? Looking at you, NHS Test and Trace :) )

Fired credit union employee admits: I wiped 21GB of files from company's shared drive in retaliation

Security nerd #21

Re: I did the same by accident...

Name me one Linux admin who hasn't done "rm -rf * " in the wrong directory.

It is a rite of passage, and you only do it once - followed by the swearing and then fixing it whilst hiding your tracks ...

The coming of Wi-Fi 6 does not mean it's time to ditch your cabled LAN. Here's why

Security nerd #21

Re: Idea for Firefox

Due to the proliferation of bots on the net these days, a lot of outfits use their CDN services as a security defence layer as well (as the CDNs have the scale to see the troublesome blighters and leverage this in their products). This means the origin addresses are locked down, and you can't go directly.

This doesn't explain the case above routing through lots of different CDN services - that just looks like rubbish network design, or maybe the ISP is taking advantage of other people's transit ...

Would be so cool if everyone normalized these pesky data leaks, says data-leaking Facebook in leaked memo

Security nerd #21

People still forgetting the Facebook financial model

The data that was leaked was scraped "accidentally" from Facebook's site. They would have sold it to whoever paid them anyway - that is how they make their millions / billions.

The fact that someone acquired it for nothing is bad in Facebook's eyes, so they closed the door on this.

If something is free - you are the product...

And re the above comment about it being creepy - yes, Facebook / Google et al tracking & monetisation is insidious - web marketeers give them the data for their customers, and buy their own customers' data back in bulk ... meh

Nigerian email scammer sent down for 40 months in the US, ordered to pay back $2.7m to victims

Security nerd #21

Re: I'm in the wrong job......

The US has one of the laxest banking environments in the world.

In some quarters viewed as the #1 global tax haven due to the simplicity of opening accounts without proof, and the glorious state of Delaware with its corporate tax regime.

The kids aren't all right: Fall in GCSE compsci students is bad news for employers and Britain's future growth plans

Security nerd #21

Full time IT education courses

The main challenge with these IT courses, from GCSE, through A level and on towards degree, is that the material being taught is already 3-5 years old, and the world has moved on.

Having spent a few decades in IT, I'm now firmly of the belief that real world experience is far better for anyone wanting a career in IT, and don't set any store by those presenting me with their MSc level qualifications in their CV. What I do find unfortunately is a tendency for new starters to want to go straight into an IT specialism (such as Cyber Security), without having done the hard miles first on the likes of an IT support desk, or infrastructure teams.

Learn what the users want and need, and how it works, before making the dive into a specialism folks :)

OVH data centre destroyed by fire in Strasbourg – all services unavailable

Security nerd #21

Website attack levels

I imagine a lot of websites will now have a substantial decrease in traffic, from all the botnets these guys host ...

Like a challenge in a high profile 'face-of-IT' role? Welcome to the Home Office

Security nerd #21

Deputy Director ?

Isn't a deputy director role just there to cover his / her boss's backside? Or is the "director" title just a question of pay grade (with a shockingly poor pay grade - but perhaps a nice pension)

HPE urges judge to pick through Deloitte-bashing report it claims demolishes Autonomy founder's defence

Security nerd #21

See if HPE want to buy one at vast expense, and do a bit of eBay arbitrage

Ever felt that a few big tech companies are following you around the internet? That's because ... they are

Security nerd #21

If Akamai went down, it would probably affect everybody (well non China anyway).

The Internet is held together with gaffer tape, and at some point it will break. Although of course it's meant to be resilient, but if all the traffic ends up being routed under some road in Africa / India / Basingstoke (delete as appropriate) ....

Advertising companies just make things worse - I'll be glad when 3rd party cookies are fully banned, although not via Google's intended method please.

Apple iOS 14.5 will hide Safari users' IP addresses from Google's Safe Browsing

Security nerd #21

Re: Proxying

If it's Apple doing the MITM - they own the browser and the device. They can put whatever certificates they like into the system, suppress warnings on their "special" certificates, and the average user wouldn't notice.

That's the truly scary bit. But hey - it's shiny.

If a public VPN provider is MITMing the connection, it's the same scenario as the user has just installed the VPN app, and probably ignored the permissions required (which will include the certs etc). Apart from tin foil hat scenarios, the only real reason to use these is to bypass regional restrictions - laudable in a few situations, but only a few ...

Security nerd #21


Why do they think that proxying a connection is a security improvement? Just means that they can listen in on any web sessions being carried out (particularly if MITMing the connection) - and that is quite apart from slowing down the user experience as well, whilst you wait for the traffic to go to and from Apple's services ...

No different to believing that your public service VPN company isn't also tracking and monitoring everything you do. If you aren't in control, it's not "secure" ...

A freshly formed English council waves £18m at UK tech industry, asks: Can somebody design and run pretty much everything for us?

Security nerd #21

The £18M figure plucked from the air piqued my interest - so 10 minutes of (insert evil search engine name here) later, I see they've recently signed a £14M contract for organic waste disposal, so perhaps related (it will likely be flushed down the drain after all)

Some interesting information available publicly on what they are currently contracted for - with associated mad deals (including 30 year PFI contracts ...)

Verizon: Just 25% of global businesses comply fully with the Payment Card Industry Data Security Standard

Security nerd #21

Having done a fair few PCI DSS compliance reviews over the last 15 years, I've come to the firm conclusion that the whole point of it is to try and offload the responsibility on to the payment provider (i.e. use their code / servers etc) - not try and do it yourself. Some pretty clever stuff being done these days, with field level iframes etc, to make it entirely transparent to the user.

The PCI standard might have worked in 2004 - but doesn't work in 2020, when using API driven services, fronted by cloud load balancers etc. (Have you ever tried to get a VA scan through Akamai? ...)

Get down to the basic SAQ-A, and it ends up with "do you have some InfoSec policies", and "Do you sack people" - job done.
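The hosted "field level iframe" pattern the post refers to, as an added example that is neither the post's own code nor any payment provider's SDK: the merchant page never sees card data, only a token passed back by postMessage, and the listener trusts nothing until the message's origin and source window match the provider's iframe. The provider origin, the message type and the token format are assumptions made for this example, and the sample events are constructed.

```javascript
// Added example (not from the post or any payment provider's SDK): the
// merchant-page side of a hosted "field level iframe" card form. The card
// inputs live in an iframe served from the provider's origin, so the PAN never
// enters the merchant's DOM; the merchant page only ever receives a token.
// PROVIDER_ORIGIN, the message type and the token format are assumptions made
// for this example.

const PROVIDER_ORIGIN = 'https://fields.example-psp.test';
const TOKEN_FORMAT = /^tok_[A-Za-z0-9]{8,}$/;

// Validate one postMessage event from the provider iframe. Returns either
// { ok: true, token } or { ok: false, reason }. The payload is not looked at
// until the origin and the source window have both been checked.
function validateProviderMessage(event, expectedOrigin, expectedSource) {
  if (event.origin !== expectedOrigin) return { ok: false, reason: 'unexpected origin' };
  if (expectedSource && event.source !== expectedSource) return { ok: false, reason: 'unexpected source window' };
  const data = event.data;
  if (!data || typeof data !== 'object' || data.type !== 'card-tokenized') {
    return { ok: false, reason: 'unexpected message type' };
  }
  // Defence in depth: if raw card data ever shows up here the scope-reducing
  // design has failed, so refuse it rather than letting it into merchant code.
  for (const key of Object.keys(data)) {
    if (/pan|card_?number|cvv|cvc|expiry/i.test(key)) {
      return { ok: false, reason: `raw card field "${key}" present` };
    }
  }
  if (typeof data.token !== 'string' || !TOKEN_FORMAT.test(data.token)) {
    return { ok: false, reason: 'malformed token' };
  }
  return { ok: true, token: data.token };
}

// Wire the validator to a real window and iframe element in a browser.
function installTokenListener(win, iframeEl, onToken) {
  win.addEventListener('message', (event) => {
    const result = validateProviderMessage(event, PROVIDER_ORIGIN, iframeEl.contentWindow);
    if (result.ok) onToken(result.token);
  });
}

// Constructed sample events (plain objects standing in for MessageEvent).
const frameWindow = { id: 'provider-iframe-window' };
const sampleEvents = [
  { origin: PROVIDER_ORIGIN, source: frameWindow, data: { type: 'card-tokenized', token: 'tok_a1b2c3d4e5' } },
  { origin: 'https://evil.test', source: frameWindow, data: { type: 'card-tokenized', token: 'tok_a1b2c3d4e5' } },
  { origin: PROVIDER_ORIGIN, source: frameWindow, data: { type: 'card-tokenized', token: 'tok_x', pan: '4111111111111111' } },
  { origin: PROVIDER_ORIGIN, source: { id: 'other' }, data: { type: 'card-tokenized', token: 'tok_a1b2c3d4e5' } },
];

for (const ev of sampleEvents) {
  console.log(ev.origin, JSON.stringify(validateProviderMessage(ev, PROVIDER_ORIGIN, frameWindow)));
}
```

In a browser you would call installTokenListener(window, iframeElement, callback) once the provider iframe is in the page; the constructed events at the bottom show which messages get rejected and why. The origin check is the one that matters for SAQ-A style scoping: without it any page that can obtain a reference to the merchant window can post a "token" of its choosing.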

What a Hancock-up: Excel spreadsheet blunder blamed after England under-reports 16,000 COVID-19 cases

Security nerd #21

Whilst bypassing the fact that most accounting organisations & banks rely on Excel to massage / produce their company official financials (so you can really trust what you see - not) - isn't the real elephant in the room the fact that all this data is now stored on x number of laptops, network file shares / Teams / DropBox / Google Drive etc etc

Nice small data exposure to be considered - but I guess that GDPR / DPA has been forgotten about in these strange times