* Posts by Aodhhan

194 posts • joined 25 Apr 2008

Botnet-powered ballot stuffing suspected in 2nd referendum petition

Aodhhan
Bronze badge

It's not democracy when...

...people who aren't elected make the decisions.

...people who make decisions don't listen to those who live in the respective location, country, etc.

...there isn't a large vote on a decision, which includes representatives who look at how it affects people in a certain area.

...leadership over-plays hype and uses fear to overcome popular ideals of the people.

Once the general population loses voice on any decision affecting the nation at large, you've lost democracy. I say democracy is worth any pain you may endure so long as the people maintain a voice.

A few ignorant leadership members in Brussels want to make decisions about a country without providing any extra resources or money to deal and support their decision. So now a tax has to be levied to support it. Taxation without representation.

I say, KUDOS to those who voted to get away from EU. It takes bravery to face the fear which has been shouted and threatened upon the people. It takes intelligence to see thru the BS.

11
4

NASCAR team red-flagged by ransomware attack

Aodhhan
Bronze badge

Really... ignorant about NASCAR?

Let's see, a NASCAR originating team (Chip Ganassi) just won Le Mans using a Ford. Which hasn't been in the race for 40 years; kicking Ferrari's arse with ease. Other endurance drivers which have been winners (Corvette teams) also race in NASCAR. Such as Dale Earnhardt Jr.

F1 Racing.. really? You know who will win the race by the 3rd lap. I see more passing in the hallways of a retirement home. Not to mention the yellow flag rules in Europe, don't exactly make things exciting.

NASCAR isn't regional. It's followed all over North America, Australia and a few other regional countries.

American owned racing teams or drivers are at the top of quite a few racing leagues. Even those which run all over Europe. Including rally cross.

Finally, it isn't just a NASCAR team which can be ignorant to computer security. Many corporations throughout the world fall victim to this without backups.

It doesn't take a genius to yell out "NO backups, stupid?". So really.

0
0

Revive revived: Oculus DRM push shattered as DIY devs strike back

Aodhhan
Bronze badge

I'm not impressed by Oculus. The VR product is buggier than a candy bar on the ground.

No. It's not acceptable to bypass DRM for operability. If it was, there wouldn't be any DRM, because nobody would use it.

I think in the long run this will hurt Oculus. Many games which could be well suited for a VR environment may not happen because of this. Such as any games with a Hollywood movie as a base. Hollywood is a huge proponent of DRM.

If Oculus' code is so poor. All the bugs, plus having to bypass DRM... what other problems are there. How secure is their code? What attack vectors are now available due to poor coding?

No, it isn't a company trying to shut down competitors... wow, silliness. It's about poor coding and QA practices. If I pay for a product, I want it to work properly and not have to jimmy its way around things to do it. I definitely don't want the coding to be so poor it may introduce or allow the introduction of vulnerabilities.

0
0

Drubbed StubHub carder grub guilty, faces 12 years in cooler club

Aodhhan
Bronze badge

Yeah, have to wonder about the A$ as "1337" :)

1
0
Aodhhan
Bronze badge

Re: But ... but ... but ...

Genius at work.

The law doesn't provide a favor to criminals because protections weren't in place. In most countries this applies to anything, left anywhere at anytime; and no matter how you came to possess it.

Even if a 3rd party is negligent in handling any property which is stolen.

Besides, there are likely thousands of transactions handled a second. Many times... a web service handles different transactions to the same IP address... especially when most companies use one or two IPs and have thousands of employees. You get the picture now. Especially if they don't do it all at one time, which was the case here.

0
0

No watershed: China hacker groups in decline before Xi-Obama deal

Aodhhan
Bronze badge

Pauli...you crappy columnist

Once again, you take the word of only one organization. Instead of using more than one source to collaborate data. Even so, you never investigate the matter fully to figure out why... you just take their word as gospel. WHY is a big part of journalism.

In some circles of state sponsored Chinese hacking against government networks there has been a decline... but nowhere near what is being presented by this article. The real data, Chinese hacking groups and memberships are classified, and even if you received it from USSTRATCOM or CYBERCOM, it wouldn't provide it in this manner.

China works all angles to get around any agreements, and the Obama administration is about as forthcoming with the truth in cybersecurity as they were when he stated you could keep your own doctor or ensuring Hillary maintained government guidelines on her own servers.

If a hacking group reorganizes or changes names and locations... apparently this wayward organization sees this as being removed from the Chinese hacking ranks? Or if they stop hacking US Government networks and go after privately owned networks, they don't show up anymore? Or a few other scenarios I won't name.

Don't be naïve in thinking China is going to stop going after the hard work laid down by other countries. It's what they do. They don't have the research and development budgets we do. Even the cars they develop are knockoffs of something created in the US, Japan or Europe.

They'll switch things up, and numbers will be reported differently, but don't be out fooled for a moment when it comes to China.

1
0

AirPort owners: Apple's patched a mystery vuln

Aodhhan
Bronze badge

Pay twice as much...

...and wait twice as long for a patch. This has long been the mantra of Apple.

Perhaps they should lower their public affair budget so they can increase development and testing.

1
2

Password reset: 45 million creds leak from popular .com forums

Aodhhan
Bronze badge

Probably...

Due to the number, this has to do with an application poorly written to provide a 10 digit password which is semi-complex, for either initial registration or password reset.

I'd go with the latter, if the programmer was lazy. Instead of putting in a random generator to come up with something complex to add it to the database, send out an email, etc. He used a wordlist of around 20-30 preset passwords, which probably rotated.

This is why you have an independent person check out code before release!

0
0

Smut shaming: Anonymous fights Islamic State... with porn

Aodhhan
Bronze badge

Better would be to...

...put links on their pages to sites which install ransomware. You know they'd click yes to anything from a fellow islamist.

6
0

Microsoft releases open source bug-bomb in the rambling house of C

Aodhhan
Bronze badge

Re: C is not an applications programming language

Spoken like a computer end user who is only aware of the "programming for grandparent" languages like visual basic.

C or rather C++ is still widely used as the basis for many applications, especially those requiring speed and high end calculations. Many applications used to build the console and online games (you apparently spend too much time on), are written in C++.

Applications used to conduct bank transactions are written in C++ and others use FORTRAN... yeah I know you don't know what this is.

Just because you see a front end GUI in Windows doesn't mean it's mostly written in C#.

So.. shut off your gaming console, burn your nasty collection of 4 year old t-shirts, and leave your mother's basement. You just might learn a bit more about programming languages. At least you might do a bit more research before posting.

3
0

SOHOpeless Cisco wireless kit needs critical patch

Aodhhan
Bronze badge

CISCO and Oracle

Two vendors (and their underlying companies) whose products you should avoid.

1 - Their products are overpriced (especially Oracle database)

2 - They patch when they feel like it (no concept of emergency patching), this is if they do not consider the problem a 'feature' or if you can work around it by shutting off a service.

3 - Their customer service / maintenance engineers seemingly have no clue about how networks run, the basics of TCP/IP and only know about 30% of their products.. so you keep getting bounced around. So apparently, all the money you pay them doesn't go into employee salaries.

0
0

Russian government hackers spent a year in our servers, admits DNC

Aodhhan
Bronze badge

Typical Democrats

Democrat leadership as a whole believe they are above the fray, entitled and don't have to live by the same rules as everyone else. This attitude creates ignorance to rules, regulations and best practices to many things including information security.

The leadership in the White House, with this attitude allowed intrusion after intrusion into their own systems. Post mortem analysis showed misconfiguration and failure to follow NIST and DISA guidelines which had been in place since 2007; such as certification and accreditation practices.

Once again their attitude and ignorance bites them. Maybe they did get into financial records... maybe they didn't. Those in the Democrat Party with any power have been caught in so many lies or spin statements, there is no way you can believe them.

I like how they say... they went after 'communication'. Which means, all email, text, messaging, etc. was breached. Heck, with this information they wouldn't have to go after database files. I'm sure much of this information was sent to the DNC via email. Not to mention all the information gathered from messaging and text.

Perhaps they don't have much on Donald Trump, but what about emails and other damaging communications which come to light which could indicate the DNC is behind demonstrations which became violent, resulting in injury to people and damage to property.

Democrat philosophy: You must be robots, you can't have your own thought on issues, you must believe ours. If you don't, then we do everything to destroy you. Also, we say we're the compassionate party, but really we aren't. <-- Lovely, considering the USA was built on the notion, that people should be able to think freely, encourage debate, and critical thinking.

John Gunn is an idiot who makes his company look bad. You can't make a statement like this unless you've been hired by all political establishments in a capacity which allows you to have enough knowledge to make this statement. Don't just 'guess'.

Realistically, any political establishment with a brain wouldn't host their own servers (like the DNC did), they would use a 3rd party hosting service which typically brings the costs down and increases security. Apparently, the DNC wanted to host their own systems... why do you think this is?

Go ahead, give me a thumbs down because you just read the title instead of the whole comment.

4
1

China pledges tighter privacy as it centralises personal health data

Aodhhan
Bronze badge

So what we'll see

...is an increase in China IPs attacking companies who build healthcare management applications, as well as hospitals themselves in an attempt to steal this information.

You don't expect them to create it themselves, do you?

0
0

Fresh hell for TalkTalk customers: TeamView trap unleashed

Aodhhan
Bronze badge

GEESH.

Okay, so dump both.

Makes me want to install and start using these to see if I get a request to "fix" my computer. Then tell them I really need to run a small VPN program (but it's really malware) to do my job, but it won't work, and see if I can get them to download and run it. Then turn the tide, since I know what services they will have available.

0
0

Let's Encrypt lets 7,600 users... see each other's email addresses

Aodhhan
Bronze badge

You do get what you pay for, especially when it's free.

This will not be the last time something happens with this company.

Not to say this company doesn't have some talented people working for it; however, since their revenue isn't as high as other CAs, they aren't likely to pay their people as well. Which means they're more likely to fill many more positions with people who don't have much talent or experience. You know where this is going.

For individual users, not a big deal... as long as you aren't storing a bunch of embarrassing things. For companies... it's another story.

1
1

Tell us, evil phisherfolk: What's wrong with Angler Exploit Kit?

Aodhhan
Bronze badge

Blah.. this isn't news.

Once people get access to the shiny new toy they play with it a while. This doesn't mean they throw away the old toy, and they will surely go back and play with it again.

This is the way with everything. Another lazy article written by guess who.

Yeesh.

0
0

Forget Game of Thrones as Android ransomware infects TVs

Aodhhan
Bronze badge

WONDERFUL!!!

A way of getting to televisions in order to get millennials off their butts. If this can kill game consoles at the same time, we just might be able to get them out of their mom's house.

0
0

North Korea hacks 140k computers in planned mass attacks on Seoul

Aodhhan
Bronze badge

Don't you wonder...

Just how much of the information was setup to be misinformation.

Seriously, F15 wing blueprints? Something drawn up more than 40 years ago and not exactly something which is classified.

Perhaps they managed to steal some blueprints which were drawn up to fail... causing waste of time and money. You can bet on it.

If N. Korea would put some money into their school systems as well as ensure their people managed to have the same caloric intake as their leader, they wouldn't have to resort to being thieves.

1
0

Man-in-the-middle biz Blue Coat bought by Symantec: Infosec bods are worried

Aodhhan
Bronze badge

Yeah, this is crazy but....

During penetration testing, I can conduct a MiTM attack on users quite easily because more than 80% of normal users and 25% of privileged users will click through a warning window. I get everyone's skepticism and love to push out anger like a bunch of grounded teenagers, but considering the seeming love-fest with clicking through warnings, what Bluecoat -- Symantec did with certificates is pretty much nothing in comparison to the real problem.

You'd be shocked by the amount of businesses which don't implement proper PKI within their own environments, which only makes the problem worse. This trains people to click through warnings!

Remember you can untrust a certificate and a CA, it's a lot harder to get people to not click warning messages.

5
0
Aodhhan
Bronze badge

Re: Prepare to get stung (again, and again) by the Yellow & Black peril

Control of the certificate was never lost, it was 'supposedly' maintained by Symantec.

They have a history of killing acquired technology?? You get this based on what?

Did you apply to be a maintenance worker at Symantec and get turned down or what??

I'm not a Symantec fan, but seriously... you're an angry person who lets their emotions bypass the cerebral cortex.

0
10

Penn State University network sacked by China malware blitz

Aodhhan
Bronze badge

Cost

For the cost of what they will pay to recover data and have security consultants in to scrub their system, they could add PKI to their student ID cards and mandate 2 factor authentication.

0
0
Aodhhan
Bronze badge

Re: The US will be the biggest loser in a Cyber War?

Oh how little, so very little you know.

0
0

Government regulation will clip coders' wings, says Bruce Schneier

Aodhhan
Bronze badge

Pfffttt..

With our current crop of politicians... we won't really have to worry about this for another 5 years.

It only takes about 4 or 5 people to scream loud, and some politician will be the opposition for them.

0
0

Sophos U-turns on lack of .bat file blocking after El Reg intervenes

Aodhhan
Bronze badge

Sophos is the new Oracle?

The old Oracle statement... we'll get to it when we want to (or when they can contract in a good developer to fix it). Until then, consider this a feature.

1
0

Your comms metadata is super-revealing but the law doesn't protect it

Aodhhan
Bronze badge

Think

I like the post about the politicians thinking one way on one topic and another way on a similar topic. This is very true. It's our fault though, when we keep electing these idiots.

Discussing the metadata and how it's so much different now than it was 30 years ago. It really isn't. Just because technology changes, doesn't mean everything about it is different. Cars have changed dramatically over the years. However, they still have wheels, an engine, brakes, lights, etc.

Phone systems, just like TCP/IP packets are routed through a series of switches or switch boards, at each dumping some metadata.

Just like today, there were third parties all over the place for phone transmissions. Especially back 30-50 years ago when there were many phone companies across the USA. Your transmission from one state to another could be routing through several different phone companies.

If there is a difference, it's because we allow ISPs and those running web services to set up third party advertisements etc. to grab the information. This isn't because the Internet is more complex, it's because the endpoint sets this up.

What's next... you're going to outlaw the police from doing investigations... like following criminals to see where they hang out, what they drive, who they associate with, where they do business, their day to day procedures, etc? All because this is metadata?

Or... will we stop having people register homes they buy, cars they drive etc. with our local governments because we have to hand over metadata?

Finally, law enforcement pretty much has their hands full. They aren't wasting time grabbing your metadata if you're not suspected of being a criminal.

You're smarter than to let people tell you, "the sky is falling".

0
2

Calgary uni pays ransomware criminals $20k for its files back

Aodhhan
Bronze badge

Wow... well, you know.

The costs will be a lot higher to go through all their systems and ensure there aren't any malicious files and malware put on them. It's not uncommon for criminals to give you your network back, with some attached malware/backdoors hidden very well throughout the network. Especially on network devices and DNS, where admins don't typically keep a close eye on.

Hey, but you may have your data back and you managed to encourage and provide motivation for more criminal activities like this. I'm sure those taxpayers are happy with your decision.

1
0

Juniper: Yes, IPv6 ping-of-death hits Junos OS, too

Aodhhan
Bronze badge

IPv6

When pen testing networks, I find it humorous the ease it is to use IPv6 exploits. Too many companies have their entire network dual-homed, from their external router to user endpoints and servers. Yet, nothing uses it. Therefore, it's rare for IPv6 to be configured correctly or a good security posture maintained.

If you're not using IPv6 for anything... shut it off!

By default, Windows will activate it on your NICs, so you need to go in and ensure it's unchecked.

0
0

FBI tries again to get warrantless access to your browser history

Aodhhan
Bronze badge

Not Accurate

First off... they cannot obtain your browser history, as stated in the first paragraph of this article. Once again, this site provides reporting which is inaccurate and lazy.

Second... this is the same basic information they can obtain when asking for someone's phone information from your telephone company. Things like call history, who you called, who called you, length of call, how you pay for your bill, etc. Without actually listening to your phone conversations.

So this is asking for the same crap for your connection to the Internet. Like routing history, how you pay for your bill, etc.

Third, they still cannot actually get into your system without a warrant. Typically in the USA, once you do something with a third party or use a public medium doing it, your right of privacy ends.

This is still a lot less invasive than most countries. Especially countries where services like ISP, telephone, etc. are either run by the government or subsidized... and therefore can pretty much do what they wish. Always cracks me up when another government person shakes a finger at the USA for doing something their country is already doing, and probably with much stricter policies.

Consider this... there are a lot of people in the USA. The government doesn't have the resources or the people to go after just anyone doing something minor. If they suspect something, get a warrant or watch you... as soon as they figure out you're not doing anything wrong or it's something so minor they don't want to waste the manpower on it... they move on. There's always bigger fish to fry.

Don't let other people or conspiracy theories freak you out or put fear into you. You're smarter than this.

If you aren't doing anything wrong. Aren't committing felonies, hurting anyone in any way or planning to hurt people.. you're safe.

If you're not a criminal, this information should comfort you. After all.. it allows the Justice Department to find criminals who steal your identity, take your money and data. Not to mention find people who are out to hurt others and your family.

1
1

Cyber burglars love to pillage Euro businesses they've pwned before

Aodhhan
Bronze badge

You're right! Don't forget the part where they're also in their underwear.

1
0

The Fog of Cyberwar: Now theft and sabotage instead of just spying

Aodhhan
Bronze badge

Offensive Capability

I believe your list is a bit off on this. Taking into consideration the number of trained troops along with computing power for OFFENSIVE cyber operations capability. The list is probably closer to being: Israel, China, USA, Russia. South Korea could be in the top 5-7 within a few years with the help of China.

The USA isn't number one as they were late getting into the OCO arena, and are just now starting to get a large number of people trained. However, the USA by far has the best defensive cyber operations capability, computing power, as well as some other aspects of the cyber war game. DCO was given a higher priority than OCO until a few years ago, when OCO began to become a priority.

USA also has a disadvantage of military downsizing, dwindling funds, and there are some war legalities in allowing civilians to do targeted offensive attacks. So these types of operations must come from military personnel.

0
0

'Irongate' attack looks like Stuxnet, quacks like Stuxnet ...

Aodhhan
Bronze badge

Another crappy article by Pauli

Industrial control system malware are complex beasts in large part because exploitation requires knowledge of often weird, archaic, and proprietary systems.

- You mean creating malware for exploiting SCADA systems, right?

- This is pretty much the way it is for many systems. Not limited to SCADA.

- Still not sure if it's the malware which is a complex beast or the SCADA system.

The steep learning curve required to grok such systems limits the risk presented by the many holes they contain.

- Steep learning curve limits the risk? This is hardly a mitigation to score risk against. Multiple vulnerabilities trump the 'learning curve' any day given the probable damage

- Even in this case, if we simulate a high difficulty in launching an attack (different from a 'learning curve'), it's still high risk given the probable damage.

- ...and of course, unless someone creates an automated application so anyone can launch the attack against this particular application/system.

The malware is also unique in that it employs man-in-the-middle attacks to capture normal traffic on human machine interfaces to replay it in a bid to mask anomalies during attacks.

- Hardly unique. This technique has been employed for YEARS in various forms

0
1

Air-gapping SCADA systems won't help you, says man who knows

Aodhhan
Bronze badge

Lakhani is a salesman, so what do you expect him to say?

Whenever a statement like this is made: first determine if he's attempting to sell you something. In this case he is. So of course he's going to say anything to get you to look at his solution.

In this case, he's using fear tactics... whenever a salesman does this, run away. If fear has to be used as a tactic, then the product cannot stand on its own or it isn't special or unique.

Second... remember, this is information security... there is no "sure fire, all perfect wall of security".

To say "air gapping" a system is going to fail, because most systems aren't truly air gapped isn't exactly a revelation in line with the burning bush on a mountain. In fact, I'd say it isn't air gapped.

An isolated network (air gapped) used to run SCADA systems is much more secure than a network attached to other networks... which eventually attaches to a cloud of other networks. This is a "duh" moment.

However, no network will be secure unless there are security policies put into place, all devices and systems properly configured, encryption used, monitoring, log management, account/privilege control, etc. You know, the things we call defense in-depth. Just because the system is isolated doesn't mean you can dismiss security devices and defense in-depth. Failure to do so is why isolated SCADA systems are breached.

There are millions of isolated networks running SCADA systems all over the world which haven't been breached. Nearly every large size business uses them. Just ensure you engineer the same security solutions along with monitoring you do with all your other network enclaves.

Don't let some shady salesman use fear to take your money. You're smarter than this.

8
0

Chinese bit-squatter information thieves dupe Taiwan Govt site

Aodhhan
Bronze badge

You're right about this; however, Taiwan is able to use this to garner support in their bid to separate from China's government, provide TTP details to other governments, and show progressive areas of China (such as Hong Kong) what is being used to affect their local economy (not to mention, quietly fund the Chinese government through theft).

1
1

65 million millennial blog bores' Tumblr logins ... for! sale! on! darknet!

Aodhhan
Bronze badge

It doesn't matter...

It doesn't matter how strong your password is, if it isn't protected by the application holding it.

Yet again, a corporation who should know better didn't follow best practices. Which is really ridiculous. We learned waaaay back when LANMAN hashes were being picked apart (pre 2006) that it didn't matter how strong your password was, it was going to get taken apart in hours if someone could get the hash.

Everyone also found out in 2011, you once again needed to update your encryption and ciphers for data at rest and in transit. Then again with OpenSSL, etc. etc.

I imagine something else will come along in the near future. Something everyone who stores credentials needs to be prepared for and stay on top of.

1
0

Scrum.org hacked, may have lost crypto keys and some user data

Aodhhan
Bronze badge

Re: Storing passwords that can be decrypted...

Yeah, it's a shame isn't it?

Considering the extent of the compromise, I have to wonder about their defense in-depth strategy.

Especially when there isn't anything which triggers alarms and bells when a local account is created on a public facing server.

Also... in this day and age, start using web hosting applications coded in HTML 5.

..and I will ROFLMAO if we find out it's built using something like WordPress.

2
0

Oracle eBusiness Suite has 'huge, massive, ginormous' pwn surface

Aodhhan
Bronze badge

Old news

Everyone in InfoSec knows that each Oracle application you use on your network decreases your security posture immensely. We stopped using all Oracle products over a year ago and have gotten rid of any applications using Java. Makes patching much easier.

Every application and OS will need patching, but when you take over 2 years to fix some items and use the general public at large to do your security testing (while charging them to use the product)... it just isn't worth the risk.

1
0

IBM warns of 'bug poachers' who exploit holes, steal info, demand big bucks

Aodhhan
Bronze badge

Coddle them

Give them some money, then impress on them to become contracted analysts for your company.

Convince them your InfoSec team is young and inexperienced...so they can use a consultant.

Fly them in to sign the contract and collect their bonus.

...then ask the officer to come into the room and slap the cuffs on them.

1
0

Windows 10 zero day selling for $90,000

Aodhhan
Bronze badge

90K for a LOCAL escalation? C'mon.

Not to mention the fact, you can buy CC numbers for less than $10 each. $90K will go a long way purchasing them without taking the risk of compromising a system and trying to get a local account to escalate.

0
0

Microsoft warns of worm ransomware, finds fix in Windows 10 upgrade

Aodhhan
Bronze badge

Appears a lot of 11 year old girls are posting.

Let's all bitch about having to upgrade... something you have to do with any OS, application, architecture etc. What, you don't want to upgrade so a problem is fixed? ...then stop griping; you've made your decision so stand by it like an adult.

...and give a pass to the morons and cheats who write the malicious code. This way when you do become a victim, you can be happy with the fact you didn't upgrade.

1
25

These big-name laptops are infested with security bugs – study

Aodhhan
Bronze badge

Really?

What do you do the reinstall with, the disks which come with your system? Pfftt.. you're just reinstalling the same crap. Look thru the registry after you do the reinstall and you'll see. I don't see most people purchasing a new laptop which comes with an OS, reformatting it and purchasing a clean copy of Microsoft or Apple OS.

1
0

Get outta here, officer, you don't need a warrant to track people by their phones – appeals court

Aodhhan
Bronze badge

Makes perfect sense

Your phone is sending out breadcrumbs when talking to cell towers; essentially leaving footprints. Just like footprints in dirt, the police don't require a court order to follow them.

So while they're able to follow this, it doesn't allow them to actually search the devices without an order.

It's amazing how people love to shout out the obvious, "leave the phone at home", or use a one time phone, etc. As if they're the only individual who can provide this secret information. Then there are those who get a little bit crazy.

Yet... I wonder how liberal they will be on this once they become a victim. Karma is a B.

0
1

SWIFT finally pushes two-factor auth in banks – it only took several multimillion-dollar thefts

Aodhhan
Bronze badge

Of course they can track where the money went...

right to a bank where the laws protect banks from having to release any detailed information about the account holder. Oh, c'mon... you know where I'm talking about.

0
0

Infosec newbie looking for entry level training? So is SWIFT

Aodhhan
Bronze badge

Re: Any evidence SWIFT was hacked?

Yes. Recent reports show it was partially at fault for the initial breach out of the Bangladesh bank in Feb 2016, and then was breached again in April 2016.

0
0

Oz infosec boffins call for mature threat debate

Aodhhan
Bronze badge

Doesn't all fit.

While I agree, there needs to be an increase in the budget... you can't use overall GDP as a ratio to determine how much money is required. Why? Well... because the technologies and commerce protected by cyber security in the USA far exceed a factor of ten. To name a few examples: computer system R&D is more than 10 times larger, as is public telecommunications, public network infrastructure, and systems protecting space and military systems. In other words, the potential loss in the USA exceeds a factor of 10 from those in Australia.

These are all just government systems. I could launch into the public sector, but then it just gets crazy in figures. Plus, the USA government doesn't provide a lot of funding for cyber security for private commerce, outside of universities, certain R&D grants and government contracts and underlying infrastructure.

While it is likely some of your government's systems have been breached, you can't just say this without extraordinary proof and accurate estimates of loss. If you have good InfoSec professionals, they can audit networks, find this out and provide the proof you need. Or... ask another government's red team to come in and scare the crap out of them.

Better is to stay on track using risk analysis and estimated cost figures from breaches, loss of data, etc. If you can't get over 1 Billion on this, especially since the country is way behind the curve to begin with... then someone else should do the job. You have to speak their language. If you can't convince them they stand to lose more than 1 Billion (or their pukey jobs), they aren't going to spend 1 Billion.

0
0

Dedupe, dedupe, dedupe dedupe dedupe... Who snuck in to attack Microsoft Edge?

Aodhhan
Bronze badge

Re: dedupe? wtf? why?

Because it's A LOT faster and allows more uniformity.

Unless you want to go back to the coding days where you really had to worry about where things were put into memory to ensure there were no conflicts. Manual memory management was a pain in the arse when most programs were less than 512K. Now programs require gigs of memory, it would take forever just to get it out the door by a team of people dedicated to it. Even then, you'd gripe because you'll use a program only to find it conflicts with another, and crashes. ...and if you think memory leaks are bad now. HA!

Again I say, half the people who post are below average intelligence... but it's probably a lot higher when it comes to knowledge of computer theory.

2
5

Aodhhan
Bronze badge

Re: Awaiting a "fix" from MSFT...

This isn't a Microsoft problem; this is a computer theory problem (there are many of these) which can be alleviated by the operating system. In this case, the problem is how memory itself is deduped, stored and secured.

It's likely other operating systems will find the same or similar problems since all use deduplication to handle data. Not only in memory, but on permanent storage media as well. Pointers instead of duplicate information are used all over the place to save time and space.

3
2

You've patched that Flash hole, but have the users? Phone's ringing. It's for you

Aodhhan
Bronze badge

Re: Reason #349187 to block ads...

Might be socialist in Europe, but here in the USA it's the FUBAR economic system.

0
0

Quiet cryptologist Bill Duane's war with Beijing's best

Aodhhan
Bronze badge

Re: Easy fix

It's true... half the people who post are below average intelligence.

Sure, use Linux because as a penetration tester... I can say it's no more secure than Windows.

This scenario has been played out many times in the networking labs at nearly every university with computer system theory degrees.

Imagine if everyone in a company used Linux, Ubuntu, etc. on their desktop. In practice it's easier to get a foothold into a network if this is the case. Far more open source apps built without security in mind. Linux has no real effective whitelisting in place to alleviate this. This is just one attack vector. There are many.

Keep spouting Linux is more secure. It shows where you are on the bell curve.

6
3

Palo Alto IDs another C&C-over-DNS attack

Aodhhan
Bronze badge

DNS

I hinted at this yesterday. DNS is a fantastic method of moving information into and out of a compromised server because it bypasses ALL SECURITY on a network. I've used it many times when penetration testing. It compounds the problem when all the DNS servers in an enterprise pass information back and forth to each other. Lets a hacker pivot to so many other different devices and servers in a network.

Even if you set DNS up correctly and securely (including encryption)... you can always get someone to open up a phishing email to start running things with their privileges/credentials (so encryption is now moot) and then pass the info back/forth via DNS. Info, including... DoS or C&C info. Again... bypassing all security devices. A savvy hacker will encrypt the communications to make it even more difficult to notice.

I loved how I got thumbs down yesterday for telling people (individual users) they're nuts if they run their own DNS servers at home. To protect DNS takes more than a typical SOHO firewall/security device. If you run a DNS server out of your home, you have a pretty sizeable security hole you cannot fix cheaply.

0
1
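
A defender-side illustration of the DNS point in the post above, added here and not part of the original comment: it scores resolver query logs for tunnelling traits (many unique, long, high-entropy labels under one parent zone). The log format, thresholds, function names and domain names are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log, assumed format: "<client_ip> <qtype> <qname>".
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 TXT mzxw6ytboi4dqmrrgezdgnbvgy3tqojq.t.tunnel-test.example
10.0.0.7 TXT nbswy3dpeb3w64tmmqqho33snrscc4tf.t.tunnel-test.example
10.0.0.7 TXT orugs4zanfzsayjaonswg4tfoqqg2zlt.t.tunnel-test.example
10.0.0.7 TXT onqwozjanfxgm33snvqxi2lpnyqhi2dj.t.tunnel-test.example
10.0.0.9 A cdn.example.org
"""

def shannon_entropy(s):
    """Bits per character of s; encoded payloads score higher than hostnames."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parent_zone(qname, labels=2):
    """Naive parent zone: last `labels` labels (assumption; use the Public Suffix List in practice)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-labels:])

def score_log(text, min_unique=3, min_len=24, min_entropy=3.5):
    """Return {zone: stats} for zones whose subdomains look like encoded data."""
    subs, clients = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, _qtype, qname = parts
        zone = parent_zone(qname)
        sub = qname.lower().rstrip(".")[: -len(zone)].rstrip(".")
        if sub:
            subs[zone].add(sub)
            clients[zone].add(client)
    flagged = {}
    for zone, names in subs.items():
        left = [n.split(".")[0] for n in names]  # leftmost label carries the payload
        avg_len = sum(map(len, left)) / len(left)
        avg_ent = sum(map(shannon_entropy, left)) / len(left)
        if len(names) >= min_unique and avg_len >= min_len and avg_ent >= min_entropy:
            flagged[zone] = {"unique": len(names), "avg_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2), "clients": sorted(clients[zone])}
    return flagged
```

Length and entropy thresholds need tuning against a baseline of the network's own traffic, since CDN and telemetry hostnames can also carry long random labels.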

Blighty's National Cyber Security Centre cyber-reveals cyber-blueprints

Aodhhan
Bronze badge

Good Luck

If the UK can figure out how to accomplish this, please show the US government. Corporate lobbies have shut this down so hard that both sides of the political spectrum have given up in Washington.

0
0
