747 posts • joined 31 May 2011
"The current cyber security skills initiatives have been focused on providing the skills for individuals employed in cyber security roles... which does not address the need to improve the security awareness and skills of everyone involved in the design, production and USE of software-based systems.
Emphasis added. This is the most seldom addressed area of security and, as a consequence, one of the most easily exploited. Amen, brother.
Re: "Buy our services", says Kevin McNamee...
The best defence against infection is network-based malware detection... People frequently don’t take appropriate security precautions for their devices, and even when they do a malicious app can easily evade detection by device-based anti-virus. Network based anti-virus embedded on an operator’s network cannot be disabled by cybercriminals, is always on and up to date.
As pointed out above, there needs to be more going on than this. The approach advocated here is essentially "Trust us. You can put all of your eggs into our basket." This makes no sense from a security standpoint! The best approach varies by need and almost never involves a single product. Much better would have been to advocate for correctly configured anti-malware both on the network and on the hosts. At least as important is that the host OSes get patched regularly, which I understand is not the norm for Android phones.
There are obviously other technical measures that should be addressed, but I think shifting the burden of security to the network owners, no matter how much it makes technical sense to do so, will inevitably succumb to corporate need for profits and not get done right. Too, unless a mobile provider builds a network from the ground up with security as the major consideration... well, it seems that the current state of affairs speaks to that quite well.
Because Bitcoin transactions are irreversible and difficult to trace by design, victims will have little or no recourse but to accept their losses. ...if your Bitcoin wallet is compromised, the contents are gone for ever, and there is no way to get anything back. Unfortunately, this is one of the reasons why Bitcoin fraud is becoming popular.
Welcome to the wild, wild West! This system was purposefully set up to shut out government eyes, doing away with both the good and the bad of governmental oversight. No surprise that it makes for an awfully tempting target.
Re: Oxygen transmuting to Hydrogen
How to make a million bucks:
1) Start with two million bucks
2) Give half of that to these guys
Their predictions, made with 66 per cent accuracy...
It would have been 100% except an amazing full third of the flagged web sites were subsequently patched by their administrators.
Re: a cheque?
The article mentioned banking apps using photos of checks/cheques as an example. There are plenty of other things that being able to essentially capture a screen shot might accomplish. There are plenty of examples of extortion schemes on FB over "private" pictures that have come to light, for example.
A species confined to Australasia is responsible for the Arabian stories about Rocs? Tell me - did you do geography at school?
Because folks from that area never got out and about? I wouldn't care to speculate on the origins of a myth, but the premise of the stories I am aware of about rocs involve sailors encountering them. Of course, sailors never talk to anyone when away from their home ports and are certainly not known for embellishing a tale, so you are probably right that there is no way a story of this nature could have its roots in some far-away place.
Re: That's nice.
When will people realise that electric racecars just aren't useful outside of a racetrack?
About the same time they realize that race cars in general are not useful outside a racetrack.
Re: Malware through ads...
The research pair said there was very little advertising networks could do to prevent the attacks.
My first thought when I read this was, "Why not?" It's not as though at least one app store has made a reasonable attempt at controlling their process. This shouldn't be that much different. Ads generate enough revenue to be able to support some in-house vetting. Taking control of the process rather than allowing their customers to have free rein would go a long way toward filtering out the riffraff.
Re: Modern Mores
I would expect to see an online dump if it was a hacker going for bragging rights. I would expect it to show up for sale, just as you imply, otherwise. My understanding is that most people who are capable of breaking in and grabbing up this sort of information are more likely to sell it off as they are not necessarily set up to exploit it. It's a tried and true concept: one person performs the theft and then sells the goods.
So they have just failed to protect some of the most sensitive data concerning their customers who pay very real money with the expectation that this company would exercise due diligence in their actions? I would appreciate a statement from the company explaining how it is the victim and not its customers. Obviously, I do not know the details in this or any of the many other similar cases, but given the well known and publicized nature of this threat, it seems reasonable that any such breach should be grounds for a third party or regulatory investigation of negligence.
Re: Robert Beyond Helpmann Jurisdiction?
"The New York Times previously reported how Monsegur worked with the FBI on cyber-attacks against governmental websites in Brazil, Iran, Iraq, Pakistan and Syria."
Do you need a map of the USA to help you work out where those cities are?
I will leave it to you to work out what is inside the US and not.
The FBI is going after foreign targets? I guess someone has to take up the slack with other three letter entities turning their focus homeward.
We will all be driving $25.00 cars that get 1,000 miles to the gallon
Oh, God! I just realized that car manufacturers are working to make the joke about Microsoft making cars come true, except someone else will be opening and closing all the windows. It looks as though there will be some security positions opening in the automotive industry soon.
Re: Fibre to the chip
If it works like my ISP, then it's fibre to the chip, then a converter and modem hookup once it's inside.
The competition consists of two rounds ...downloading a virtual computer image full of vulnerabilities that could present opportunities for a cyber criminal. The teams have ...to identify and fix these vulnerabilities.
No, changing the OS is not an option (because it is the very first thing I thought of).
Sometimes being small...is a good thing
I understand medical science can work miracles these days.
[T]hey sound worse criminals than the supposed Russian hackers
I believe you are confusing incompetence with malicious intent.
Re: "Turns out IDS is actually useful for something".
Since it does something other than simply report, it is technically an IPS - an intrusion prevention system - though it probably would not produce as much entertainment on your side of the Atlantic and confusion on mine. Ah well, I learned something unexpected today.
Security patches ... are arguably necessary. Extending the scope of the changes to include updates to the Applications is going to produce chaos.
Not applications, the UI is where the problem is. Applications can have security issues too or have additional functionality added without causing much in the way of distress, but if the entire menu system is rearranged (e.g. drop-downs for ribbon) there might be a bit of trouble. Decouple functionality from cosmetics and things will get a lot better for all.
Think of the Children!
“By digitally imaging the sky for a decade, the LSST will produce a petabyte-scale database enabling new paradigms of knowledge discovery for transformative STEM education. LSST will address the most pressing questions in astronomy and physics, which are driving advances in big data science and computing.”
This is what you get when you run "We will use this telescope for basic science and keep records of what we did," through a manager-speak/buzzword generator several times.
Re: Not much of a surprise there then
Having worked for both regular and reserves, I can say there is not much difference in the training and expectations for the troops in the different commands. The point about outside experience is more pertinent. Really though, while it has been rightly mentioned that there is a huge difference between defense and offense, what is missing from the discussion is how the military actually functions when it comes to IT. Most of it is handled by contractors who are told what to do and how to do it by someone, often a civilian, who probably is not very technically inclined and has to trust someone else, often someone who works for a competing contracting agency, for information on which a decision can be based. Yes, it makes good headlines to hear about the AR Red Team's victory and I am sure someone got a wonderful dressing down. Will it result in meaningful change (which is really the point of these exercises)? Who knows?
Lost in Translation
Someone is confused about what constitutes an appropriate and effective punishment. There are many historical examples of amputation being used on thieves. It resulted in many people with missing bits, but no overall reduction in theft. No, in order to do it right, you have to go straight for the most severe punishment. Kill them. Kill them all along with their families and neighbors then resuscitate as many as possible so they can be killed again. That will show them!
Mine is the one with a copy of Draco's legal code in the pocket.
The big two enhancements that Microsoft is talking up the loudest are an improved Attack Surface Reduction (ASR) tool “... configured to block some modules and plug-ins from being loaded by Internet Explorer while navigating to websites belonging to the Internet Zone”.
The new ASR will “also block the Adobe Flash plug-in from being loaded by Microsoft Word, Excel, and PowerPoint.”
So, they are implementing a limited control on application hooking? It's a good first step, but it would be nice if it were more generalized and configurable... and had better online documentation. Still, it's decent of MS to create a rich environment for third-party security vendors.
You might add hooks into email and backup services. As far as firewalls are concerned, those holes for updates should be in-bound only, not that there aren't ways around this to get information back out.
Re: This is news?
The Nigerian 419'ers are moving onto new ways to extract money from you
Yes, but they will continue to target the least educated and tech savvy. In fact, the way their scams work weeds out anyone with a clue. That is not to say that there aren't many individuals and groups out there willing to take advantage just as you suggest, just that there are different "target audiences" for each kind of scam.
Re: Stealth Balloon
Just saying that balloon had to cross some very paranoid airspace
Re: Unemployed and going on holiday overseas?
But, she did pay! Obviously, you missed the part where it cost her a leg. The return trip would have cost an arm.
Re: See logo
This is exactly what I, and apparently other commentards, thought of first. Hold on a moment...
Cognitive Dissonance, ENGAGE!
No, it's OK. It's all good.
USB firewalls that block certain device classes do not (yet) exist.
Um... actually, they do. There is a McAfee product, Data Loss Prevention that has just that sort of functionality built in. Alas, it is only for Windows devices, but there are likely similar products out there. It is a pain to administer - it has all the hallmarks of an acquired product that was slapped into an existing management console - and is likely to be resented by users as it will keep them from doing what they desperately want to do (infesting the corporate network with malware), but it exists.
Re: oh, sorry!
...immediate cessation of chocolate rations.
There's chocolate?! Why am I always the last to be told?
When in trouble or in doubt...
Network operators shouldn't shortsightedly kill something because they don't understand it - there are more sensible ways to deal with a threat than panicking and beating it to death.
Welcome to the fun, Catherine, and thanks for the research. Most of what you say makes good sense, though I have one quibble with the above statement: this is exactly how network admins should react to anything on their network they do not understand. They should make every effort to gain the knowledge to make a rational decision, but until that point, not so much. Besides the obvious concern that it, whatever it is, is not under your control, there is also the idea that if you do not understand it, you have no assurance that it is configured properly and doing what you want it to. I am not so sure about the panic portion of the equation, but I am sure someone in management can cover that.
Re: Does IDS that actually work?
You are referring to network IDS. I cannot comment much on those as my experience has been with host-based solutions, but my understanding is that firewalls are fairly static, whereas an IDS or IPS should perform some analysis based on heuristics or signatures similar to an AV product (and yes, I know there are some of my fellow commentards who decry their use). However, you mention firewalls, which the article said could be broken by MPTCP. It is more complex than that, depending on the configuration of the FW to accept it, the implementation of MPTCP, and the FW being used. However, the simple solution, as far as I can tell, is to disable it at the FW if possible. Also, the cited Cisco article includes NATed networks as being affected.
Unless there is a business case for using it, it should be disabled (pretty much true for anything from a security standpoint). If there is a good reason for using it, I'm happy I'm not the person doing the implementation.
How secure is it, really?
Well, this gives you confidentiality (at least in theory) and integrity (with the same caveat). As far as availability goes, how hard would it be to implement a DoS attack against this kind of traffic? Would such an effort affect everyone with a torrent client or would it be possible to target an arbitrary client?
Re: Not exactly new
A good point. So why is Russia OK with Microsoft products while China has banned at least some of them based on security concerns?
No ACs Allowed
Anonymous internet usage in Russia is surging...
I think the real question governments should ask is not how to stop anonymous internet use, but why it is needed. Soon, there will be slogans around the world echoing the gun rights people here in the States: when anonymous surfing is made illegal, only criminals will surf anonymously.
What about OKCupid?
The service is free; they were not being bilked out of money by getting something other than they put down their hard-earned for. They were merely lied to, so that's all right then.
Quite possibly Belgium too for similar reasons. They're facing a split down the middle.
Belgium has always been a house divided. Then again, their government stopped working for a while and pretty much no-one cared.
Re: Point of Issue
Hmm... Next thing, you'll be burning Noah Webster in effigy.
Yes, but Chess was included in OS/2 (in contrast to Solitaire and Minesweeper being bundled with Windows), so 50% effort on both groups. For a complete win, you must show proof of an install on a machine in the wild.
Re: Another Tech That Should Die
For more entertainment, the CAPTCHA could present a series of Ishihara tests.
You have to get this stuff right if there is to be any hope for space tourism to really take off!
Re: There seems to be no penalty for running over budget
Additionally, the people writing and approving the contracts are often not those actually involved in them. When it comes to IT, this is especially telling as they are often completely unaware of what the actual requirements of a project should be and are thus unequipped to make a reasonable determination on any bids submitted.
In many cases, while the contract is supposed to be written and reviewed by a panel, they often all report to the same person, which essentially grants that person all the decision-making power. The advice of the panel may be ignored or, if the manager in question is more skillful, steered to the desired outcome.
There is so much waste built into the way our government runs. It is no surprise, though, given how much money is at stake. While most rules put into place around this process were made to minimize government expenditures, money will find a way to overcome.
There oughta be a law...
Unfortunately, with many users having poor password practices, attacks like this are only likely to increase
There are plenty of laws and rules surrounding financial institutions. Why shouldn't sites that work with or gather financial data treat customers in the same manner corporate IT tends to treat users, enforcing password strength, forcing them to change on a regular basis, et cetera? I know this would not be popular among customers, so it would cause many to go to less secure sites as they would be easier to deal with unless there were some industry-wide requirement to have this in place in order to do business.
There has been plenty of discussion among El Reg readers concerning passwords and their use, so I am sure that someone will point out the error of my ways, but I would like just once to see government get ahead of a real problem instead of being completely reactive or, worse and more typical, manufacturing the crisis themselves.
Re: How far?
Please define what a 'kms' is, as it does not appear to be a standard SI unit of measurement.
500 km = 3,571,428.5714285714285714285714286 lg
give or take
...to own the oldest poop joke ever? There has to be a joke in there somewhere.
As most Reg readers will know, fibre-optic cables work by bouncing a light beam along a wire without losing focus or intensity, allowing information to be transmitted along huge distances at massive speeds.
So, roughly the speed of light in that medium? Fast enough for the data to acquire mass? Sorry, I am caffeine deficient this morning.
The "WD" in WD-40 stands for "water displacement," so to rephrase: With duct tape* and Water Displacement 40. Using Google Translate (with apologies), it yields this:
Ductum lineam, et cum Praesentibus Aquam XL
Going back the other direction gives us this mess: Drawing the line, and with the presence of water, 40. Clearly this needs work that I'm not up for... er... for which I am not up.
* Duck Tape is a brand name.
Pump and Dump
P.S. Proof of concept: Stock market pump-and-dump spam has almost entirely stopped. The stock exchanges acted to block the profits, and the spammers gave up moved on to greener pastures.
Fixed that for you. The problem is that there are so many suckers. Still good points - Have an up-vote.
Re: Er... news?
So this is another "stuff bought second hand not wiped" news story?
Yes, in as much as there was data on it that might be valuable in and of itself (e.g. account details). However, the researcher was able to learn enough about the second hand box to be able to hack systems that are still in production, assuming they are still set up the same as the terminal he purchased. Knowing that the owner doesn't change the default password or that the password can be recovered from the discarded machine and is likely to be the same on systems still in use can be pure gold (literally). Finally, "Oh's findings suggest the retailer had a poor security policy that went beyond anything particular to the terminal he bought on eBay."
I would like to know which retailer this is so I can avoid walking through its doors.