Great... just what we all need, one more company calling us and interrupting our day to deliver a sales pitch.
464 posts • joined 25 Apr 2008
Did this guy just wake up from a 30 year coma?
Many of these risks existed in the 1980s and were worries then.
So don't give us a left wing scare tactic... how about letting us know what you're going to do about it and how you will go about it.
'WHAT THE F*CK IS GOING ON?' Linus Torvalds explodes at Intel spinning Spectre fix as a security feature
Rocks... glass houses... c'mon Linus.
Once again Linus is off his meds and ranting as if his creation was perfect from the start.
Oh... the stories I can tell about hacking into systems using the early versions of UNIX and Linux. All attacking the OS itself and not software. The input points, the early libraries were all such easy targets, that in less than 30 minutes you could teach an average person how to successfully hack systems.
Ahh yes the old paper voting system.
The argument goes, there's no way you can hack the voting system using this method, right, and of course you can recount them.
There is absolutely no way to hack the voting system using this 'old fashioned' method.
Pfftt... c'mon. A security professional should know better.
The old paper, pen, write in, mark a box, fill in an oval etc. has been hacked for HUNDREDS of years.
Someone grabs/casts more than one ballot. Someone who has access can 'lose', add or change ballots.
With the added number of people involved when it comes to paper ballots, it's open to a lot of fraudulent activities. I.e. the original hacker.
There is good and bad to all methods. Along with strengths, weaknesses, vulnerabilities and risks to ALL methods. This is something all computer security professionals should realize.
So I'm assuming, those who want to damn the use of computerized voting systems are ignorant to
Errors all over this
This article should be removed.
The author fails to properly provide exact information. In fact, it changes what is actually stated by OpenSSL Management Committee.
I'm not a huge fan of the OpenSSL "Management Committee", since all they do is jump on to an encryption standard, instead of actually creating an algorithm themselves. Sort of like, building a radio for a car and then attempting to tell the world they are an expert on cars.
So, I don't have any real skin in this game, but c'mon... this is really bad reporting.
Stop trying to create something which has already been created or spread the word using your own agenda, spin or artistic flair. Just the facts man.
Labor is the key.
You really have to look at the available labor pool, both technical and nontechnical. Technically, heavy cloud experience is a must. So the talent must exist or be convinced to move to the chosen location.
Labor cost, as well as cost of living will be shared with this. Taxes, taxes, taxes... states willing to make a special deal on tax rate will get a boost in points. Legal political kickbacks for officials will likely be available in some locations. If you're in a conservative leaning city, don't count on winning this.
Some of the obvious...
Austin or Dallas - Hah, really, Texas? Asterisk politics here.
Chicago - High Taxes. High technical labor turnover.
Denver or anything west of the Mississippi River is probably out. Probably needs to be somewhere a bit closer to the east coast. Denver also has the risk of heavy snow closing airport and ground travel more than 5 days a year.
Boston, Newark, New York City, DC/Maryland. High labor cost and living costs.
Canada has different laws. New set of laws and lawyers. Not to mention those pertaining to cloud ops.
So I'd look at Columbus, Atlanta (just barely), Northern VA as well as both PA locations as the top 5, in no particular order.
Business friendly, has workforce, can attract talent and cost of living is reasonable. Airports can handle the extra workload and plenty of ground routes available.
I'm sure I'll get plenty of down votes, considering the amount of people shouting out things without using much thought or because they place their own prejudices into it.
Terrorists using drones against modern forces is pretty much a waste. Due to the technology they use and resources required, it's actually a negative force multiplier. Primarily because their signals can be tracked and you can't just make one from garage parts. Then there is the fact, they run by line of sight and are easily jammed and shot down.
The USA was able to become a country based on the warfare technology they were able to create along with manpower from the French. Technology wise, the USA found technology to make their small arms much more accurate, quicker to load, and much more reliable. This wasn't something they stole from the UK.
80s and 90s Technology and Japan. Yes, Japan flourished during this time, but not with actually creating the technology but rather manufacturing it. Cheap labor was the biggest factor here.
Technology during this time came from all over. For instance the Dutch had quite a few advancements which spawned off into other items. The USA developed magnetic research (which they didn't steal), and continued with creating most of the processors used by nearly every technology during the day. Again, it wasn't stolen. The USA also declassified a lot of technology they alone developed and didn't steal. Such as high resolution imagery/lenses, fine microwave tech, GPS, lasers, etc.
I'm willing to bet no matter what country you live in, you've taken this technology for your own use.
F35 is what it is. Based on early mock live competitions as well as simulator combat the F35 is far superior to the F18 hornet. Not quite as effective as the F22, but you have to look at the role differences. The F35 can do things the F18 simply cannot, and this goes beyond the VSTOL capabilities.
It's easy to look at things from a narrowed view and repeat things others (who have their own agenda) say.
Seeing this is a forum full of IT professionals, you have the intelligence to take a few minutes and critically think about things and be objective; so try it out. This... we are better and smarter than anybody else attitude is ridiculous; not to mention... how often has this 'attitude' gotten you anywhere?
Re: Don't name and shame persistent offenders
...removing employees also removes good talent.
Remember, it isn't security which drives business; quite the opposite. It's the business needs which drive security.
Ensure proper security policies, procedures and mechanisms are in place.
Ensure proper monitoring is in place, even if it means monitoring individual employees (who raise risk) in order to provide focused individual training and implementation of security mechanisms.
Monitoring 'at risk' employees will often provide a lot of insight into the problem. It also provides proper justification if it does come down to removing the employee from their position.
Whenever you write an article, don't criticize anyone's grammar. You have no leg to stand on. I counted at least 12 different grammatical errors by you, and this isn't counting your improper use of passive voice, and lack of active voice. It appears you have little understanding of subject, verb and objects when writing as well.
A real journalist sticks to the facts about the subject itself, without attempting to belittle anyone associated with the subject.
20 minutes I'll never get back
This report is another example of taxpayer funds wasted. This is a snowflake report written by individuals who apparently believe each corporate community should follow best practices and create common standards.
I believe this sort of thing has been in just about every OMB information security report since 1999.
More so... it addresses the obvious without any mention of risk assessment.
Get a clue guys. Every company with a network pulse would love to have a common guideline to go with and purchase the latest/greatest technology. Here is the problem... 1: This is the USA. You can't force a business to do something without creating law. Since companies own politicians... good luck with this. 2: Pocketbooks aren't unlimited. 3: While corporations have been held accountable, the penalties and punitive damages haven't been costly enough to change risk assessments yet. Target, Google, etc... have just been slapped on the wrist while consumers pay huge costs.
Start chanting accountability and punitive damages along with large legal suit dollars and you just might begin to make traction. Until consumers can overcome political greed from corporate contributions, you will not see a lot of change.
Elizabeth Warren has been tossing out a lot of useless bills in an effort to get her face in front of a camera, and this proposed bill is no exception. Don't be shocked if she claims to have 'computer geek' heritage.
Anyone with more than 2 years experience in IT can see it's a bunch of crap done haphazardly. It's missing far too many things and doesn't hit details required and powers needed for a true "Information Security Tsar" office covering consumer information by businesses and organizations.
Also, this bill addresses two very different things. An office and a penalty; with no policy in place.
How about we first create the office/organization, then create policy, and finally create penalties.
This way, experts who know what they are doing put something together. Not some lying politician who hopes to be president some day.
Industrial Control Systems is an area which started taking advantage of networking in a very quiet and shadowy manner. Wireless technology makes installing sensors and other items much quicker, easier, cheaper and more convenient than drilling holes between walls and floors and pushing wires through conduit.
So this insecure technology was grabbed and purchased by many organizations to control lights, security cameras/devices, electrical outlets, elevators, alarms, fire sensors, HVAC, etc.
Building maintenance and information technology had never interacted in the past, so both are ignorant of each other's existence and requirements. It's not uncommon for ICS products to be the biggest shadow-ware out there.
For anyone who has never administered, installed or tested ICS applications and equipment... you're in for one heck of a shock once you do. Then you're in for a fight when you have to secure it and possibly remove all wireless devices.
People who don't understand national defense shouldn't write an article on it
Once again, the Register has a complete lazy and ignorant author on a subject.
I could go into many specifics, but it will take too long to write it all out.
I will say this... having a carrier group is the number one way to extend your country's military offense or defense and attack an enemy at any time and any where. In terms of strategy, this is a threat and counter-threat which isn't easily defeated.
Most of our enemies don't respect our way of life, but they do respect the Navy and its capabilities. When it comes to war and peace... it all boils down to capability and who has more.
blah blah who cares?
Let me know when your government starts using private servers, deletes e-communications, has your top law enforcement agency look the other way, makes underhanded deals with your top investigation personnel, allows national security leaks from servers, convinces half of parliament that security is secondary and finds plenty of people negligent in all of these acts but believes the people are not smart enough to catch on or care. Finally, thinks Hillary Clinton is a goddess in training.
...then you have a story.
You seem to be either closed minded or too lazy to do a simple web search.
Kaspersky has had plenty of times where it's been responsible for system problems.
Here is just one of the latest patches released by Kaspersky:
If you understand how IDS and AV applications work, you'll begin to understand they will ALL have occasional problems with the underlying OS and detection.
LOL @ Russia
This suit perfectly shows how Russia doesn't understand the concept of freedom of speech and choice. In the USA, you don't need a reason to boycott any product. Even if this hurts your business or reputation. This is one of the most powerful outcomes of a free economy. Good products tend to do well, and crappy or harmful products die out quickly because people do boycott them.
The US Government as a whole is beginning to follow the same software guidelines the DoD has been using for years. DoD has never allowed Kaspersky products on their systems. Don't feel shunned though, many applications from allied nations aren't approved for use either.
What's happened to the UK?
Time to get rid of this prime minister and the rest of her party toadies. It's time to find people who understand good ole British strength. Tired of seeing England in such a yellow light. You wouldn't catch Churchill or Thatcher acting in this manner. They weren't scared to stand up to a bully in order to protect British interests.
You can't just waggle your finger at Putin and expect he'll do anything but laugh, kick your (now tiny) balls, and walk right over you.
Don't waggle and warn, DO SOMETHING ABOUT IT.
Re: Madness. Madness everywhere
Yes, let's all believe anything published in the New York Times.
I would rather buy a tabloid paper with the latest news on UFOs, as it has more credibility.
A perfect example of how ignorant Hillary's State Department was.
There is no doubt in my mind (due to where I worked) that the NSA, USSTRATCOM and a couple of other government letters reported to the State Department about the cyber threats from not just Russia but going back to the Soviet Union in the 80s.
From 2007 through 2015 I know there are a variety of different cyber intel/threat reports directly addressed to the US State Department regarding activities from many unfriendly countries... including Russia. Some were provided for action for the Department to follow to increase information security, and some were provided due to OCO/DCO activities within various countries.
What we noticed, is most of the time, the State Department didn't care or follow strictly cyber security guidance. This was noted many times in annual IA reports for State Dept. systems. This department would just accept or ignore many identified risks.
So... if this guy thinks TECHIES aren't providing information to those setting and enforcing policy and procedures... then he is just part of the system who ignored what is put together for them. I can point to many policies regarding cyber security from OPM to State Department regulations not to mention laws such as FISMA which have been in place for many years covering information security.
So... this man is an ignorant fool to blame anything but himself for not knowing what is and has been in place for many years. Wait, he's not being ignorant, he's simply trying to make an excuse for how poorly the State Department followed guidelines, policy and laws regarding information security.
Yeah, sure, right...
Probably another scam where they hacked themselves and hid the money away to be retrieved later.
It doesn't make sense for a business to have an outward facing wallet containing a company's entire cryptocurrency capital. A company will typically 'bleed' the outward facing wallet into a central wallet which isn't available to the world. Much like a store will bleed the cash out of all of their registers and put the money into a safe until they deposit it into a bank.
Another crappy article
I think I've read at least 15 articles this year regarding this.
Amazingly, this article doesn't provide any real references or links.
Most of all, there is nothing new or unique.
Not shocking is providing any background into exactly what systems in the financial industry still use low level language development, and providing perspective into how much of the financial industry has upgraded to systems developed with managed code.
Perhaps an article should be written about the development updates, changes, etc. around financial services. I won't hold my breath... too many lazy column writers.
Has she been under a rock?
This is how it has always been. In nearly every security certification the mantra is, "Absolute security is impossible". Therefore, there should always be a plan to ensure when a system is owned, it fails 'gracefully', and if necessary it fails over to a backup/COOP system.
Then there is prioritizing criticality. The scale used for this can get a bit complicated, but broken down into the simplest form, it's about paranoia.
Once again, we have someone who is relatively new to security trying to make a name for themselves... without taking 15 minutes to really think about what they are saying.
Rule is.. if it appears to be the obvious, then it probably is; therefore, someone else has already figured it out.
Re: All as bad
I can tell you have no access to intelligence or understanding of exactly what happened. All you are typing out is what you 'think', without doing much if any research.
There is a large difference between an AV application taking a piece of code positively identified as a threat (from memory), and downloading an entire file stored on a system. In short, downloading the entire file is going too far. Imagine the information an AV company has to gain if they believe word processing files are infected; and download the entire file full of personal and corporate secrets.
Then with terabytes of information, they are able to search for tags in files such as "Secret", military terms, engineering terms, and other key words to sift through more thoroughly.
An AV which downloads the entire file instead of just the positively identified code isn't being friendly or acting in your best interest.
Re: ARPANet survivability wasn't the initial goal.
Nobody cares about how you interpret what you read on WikiLeaks or heard from your uncle Joe about Arpanet.
Your incessant need to show your cut and paste skills isn't impressive. Especially when it contributes very little... if at all to the actual story.
If you're convicted on felony charges in federal court you serve the entire time in prison. Good behavior, early parole, etc. is only considered for convictions handed out by state court systems.
Once the FBI gets involved, so does a federal prosecutor. No early release to look forward to, which is why federal prosecutors get more plea bargains than state/county/district prosecutors.
Re: Idiots and their gold will soon be parted...
Absolutely agree with you.
However, it only takes reading through some of the forums on this web site to make you realize more than half the people you meet or hear from are below average intelligence.
It amazes me how many people arrogantly assume they are so important the NSA gives a rat's ass about them.
Must be nice to be a snowflake, so you can criticize everything no matter what the outcome is. To live in your own little world... where everything is as you think it is.
However, most people know doing these two things will ensure you never make it in this world... because you never develop the skills to think critically and see through the BS.
One of the funniest threads ever
This thread ranks in my top 10 for the number of trolls spilling out information which makes me laugh.
Wish I could just yell out stupid things without first putting some thought into it.
People coming up with outlandish theories and accusations without any proof about how anyone is being spied upon is what makes the intel community go around as well as laugh. It only takes someone to sit back and think about things for 10 minutes to see some of the idiocy, because far too many people don't think about anything for 10 seconds and/or just repeat something they've heard.
What does shock me, is the amount of people who unleash hate on governments which change every 4-10 years who must answer to their people in one form or another. In the same breath they protect and talk up governments which are tyrannical, toss people in jail for saying the wrong thing, are far more corrupt than any government in the west, and the government stays the same for years and years.
If we in INFOSEC, have so many people who think off the cuff without stepping back to think things through, then there will be a lot of organizations who spend far too much money on things and will be a lot more vulnerable than need be.
Only in Hollywood, do hackers and security defenders come up with solutions in a second. Only in Hollywood do all solutions come exactly when they need to.
This isn't new
A group of us put together a computer program back in 2003 when I was a computer engineering student to do this.
The processing operation isn't much different from those used to crack passwords. Mathematics and tossing in stored data into entry points is what computers excel at.
Thinking this is new, is pretty boring and lazy reporting.
Then we can shut these countries out of the original WWW, and watch crime on the Internet go down, as well as cripple their economy more.
I'm sure this will go over well with large businesses in these countries.
Typical backass governments
Time to hold yourself responsible for some of this. INFOSEC professionals have been harping on you for years to come up with laws and methods of regulating information of private citizens, yet you've balked and pocketed money from lobbyists and other business representatives who have urged you not to get involved.
To me, you're just deflecting all blame onto business after the fact, and won't change as long as big business is tossing money at you.
Yet other risky apps still run
The browser will still run Java, Flash, anything Oracle.
Thanks Google for being stupid, yet again.
It isn't 99 years for one or two crimes, it's a series of many attacks and breaches.
Not to mention, if you can't do the time then don't do the crime. Besides, where similar crimes have been committed, the individual was given less than 8 in prison. Most will likely be let out around 4-5 years.
If he is truly diagnosed with Asperger syndrome, he's likely to be sentenced to a mental facility and not a prison. Which means he'll serve even less time.
I guess we should not hold Equifax and Uber...etc. responsible for their actions in England. Especially since they didn't outright try to defraud or attack anyone like this individual did.
Let's ensure everyone everywhere is held accountable.
Re: Weird Legal System
Your assessment of the United States is entirely WRONG.
A "state" as defined as one of the 50 states in the USA is different from the definition of a "nation state". The USA is a federalist nation (like many other countries). Perhaps this is what you should read up on.
Each state in the USA may have its own constitution and set of laws; this doesn't change the fact that the USA's constitution is the law of the land. This is no different than most countries who have provincial, county and city laws.
If you were given a middle school civics test on the US government, you'd score about 35%.
Re: Two stupid things happened
Don't go around saying someone has upset the INFOSEC community when they haven't. This is just irresponsible nonsense; especially coming from someone who posts anonymously.
Don't make too much of this
First off... equipment/software used for encrypted communication isn't classified as long as the keys aren't valid. The keys are changed quite often or valid for one use, so the chance they are still valid isn't likely.
It also doesn't make sense this is placed in a cloud, and not installed on a laptop.
Don't rule out the chance this is a honeypot of sorts. Run the applications at your own risk.
Thom Langford at Publicis Groupe is a LAZY IDIOT--Here is why
Can't believe this guy is a CISO. Apparently, he has connections somewhere... because it cannot be on merit and management skills.
There are so many different areas in INFOSEC, that to be so narrow when it comes to hiring professionals is idiotic (to say mildly).
For instance, to conduct penetration testing and red team skills for a person without at least 3 years security experience will take 2-4 years to become proficient. This doesn't include the huge amount of costs associated with training. On top of salary, you can expect to pay in excess of 60K.
I don't mind providing individuals right out of school a chance to prove themselves; however, I wouldn't make an entire INFOSEC organization full of them. Even so, I want to see some background displaying computer skills beyond OS configuration and administration.
Now the LAZY PART--Let's not forget one of the jobs of a CISO... and this is to ensure those who work in INFOSEC are motivated to accomplish a common goal.
If you have an expectation, then ensure employees have the resources (training, systems, etc.) required to do the job in an efficient manner. Don't expect them to become overly creative and find ways to apply Band-Aids.
If as a CISO, you find a good percentage of INFOSEC employees aren't meeting your expectations, then first look in the mirror... and ask yourself, if you're doing everything you should.
If you're unable to motivate and provide leadership, then it's time someone else fill the CISO role. Because you're spending too much time on the golf course or trying to impress those in the corporate board room.
When it comes down to it, this is an injection attack via web services.
Something us penetration testers see all the time. Fuzz the web application to grab information, and then craft or intercept/edit HTML packets from information we gather.
Don't over think the problem and develop conspiracy theories about this. I doubt the NSA or anyone else purposely coded in weak routines which can be exploited in many of the applications I've tested in the past year with similar vulnerabilities.
This is just a common problem which needs to be addressed through better coding practices and better testing.
Don't be too rough on developers. You'd be amazed at the turnover rate at some companies. This means you have new developers getting placed into large development projects which have been alive for years. Pretty soon, nobody is an expert on the entire mess of coded inhumanity.
Security has become a buzzword for non security groups.
Linus... first off, stop acting like you ran out of valium. Though I do get the emotion pointed towards certain developer factories.
Security people don't care if you call it a bug, *uck up, mistake, etc. No matter what, it's a vulnerability which must be weighed and mitigated. Getting hung up on nomenclature is parochial and should be beyond any developer or engineer's list of important things to consider.
Just because someone who has a long developer background or a degree in computer science and becomes a member of a security team, doesn't make them a true security person. He's still a developer or theorist who looks at things entirely different than an engineer who specializes in security.
A true security engineer doesn't give a rat's @** how you fix the bug, mistake, *uck up, etc. as long as the resulting vulnerability is fixed and can no longer be exploited.
One last thing... when it comes to 'how it should be handled'. Don't forget... users (this includes some admins) are the true idiots. No matter how you develop something to become idiot proof... somebody somewhere will create a better idiot. So allowing 'buggy' processes to run, with the design of having the 'user' make the decision/choice of how to handle things, is actually worse than being an idiot.
Re: Smut Blocker
OpenDNS is a service worth considering; however, if you read their terms of service (Paragraph 8 - User Data), you will see Cisco is collecting data on you. They don't stipulate any particular data... which means it can be anything, such as: behavior, habits and trends.
It doesn't matter which ISP's DNS you use, you're going to notice their terms of service include a section(s) on user data (or similar) indicating they will be collecting information.
If you read the report, it provides an explanation in a note.
The lesson here is...
Don't just take every report, article or presentation as the 'end all be all' for security. There are a lot of INFOSEC professionals who forget the basics and develop bad habits and bad logic.
INFOSEC isn't about stopping each hacker and closing down every vulnerability. THIS IS IMPOSSIBLE. Something taught in EVERY security certification.
INFOSEC comes down to identifying and managing risk. Just because someone says you must shut down something doesn't necessarily mean you should or even can. One minor security change in an information system can affect a lot of people, not to mention a business's bottom line.
Kudos to Alister who has said all the right things for this article.
Re: Round up the usual suspects
New to information security? There are plenty of reasons for being in country when attempting to infiltrate a systems network.
Regardless of what anyone thinks, he made the statement of being in the FSB. So take him at his word and add espionage charges along with hacking. Make an example of him. Whether or not the Russians admit to it, a signal will be sent.
Air gap, air gap, air gap... sqwaaaak. Bunch of parrots repeating crap, without any talent to quiet themselves for 5 minutes so they can think critically.
Experienced security professionals know air gap isn't necessarily the answer. There are plenty of ways to connect to an enclosed gapped network. Especially when 200+ people have access to a few of them on each flight.
The answer is early and proper security injected into the systems development lifecycle. An aircraft connected to a WAN or cloud can be perfectly safe provided security is considered from day one until they retire the plane.
Because loss of network/computer systems on an airplane is an obvious security concern as well as a target for terrorists... governments should get involved in protecting these systems with compliance standards.
Airlines and aircraft manufacturers may scream about cost and delays, but consider a worst case scenario... where malware is launched quietly into the systems of 10+ aircraft, placed by malicious insiders, staying dormant until a particular date/time.
I guess Germans and French are so highly educated they've become lazy; since, they've attributed a lot less to modern technology and assistance to other nations than the US, UK, and many other countries.
The Germans and French are so highly educated, their GDP, GNP, and most other economic indicators are less than US, UK and other nations.
I'm not sure what your education is in, but it sure isn't in foreign studies, economics, military, technology or anything outside of the fast food industry; which by the way, is calling for you.
Think about it for several minutes...
If you're going to try to destabilize a country, you will do everything possible to help the least popular candidate gain office. This way, the majority of the people already distrust who is in office, and it becomes a powder keg just waiting for a spark.
Let us not forget
Why aren't the US Congress, along with every state legislature, pointing fingers at themselves?
For years, information security bills have been killed because huge corporations contribute large amounts of money to their campaigns to make sure any security bill dies in committee.
While I enjoy these theatrics by those in Congress who put on a performance worthy of an Emmy nomination, we all know at the end of the day, you will waggle your finger... then when the lights go out, take more money from these corporations to maintain the status quo.
Bravo and shame on our elected officials.
Re: Judging a book by its cover
We're all the same on the inside... this is a parochial method of thinking. I take it you're an adult now, and can stop repeating things you were taught when you were 8.
The problem is, the lungs, liver, [insert any organ] may be 'roughly' the same; however, how the brain is programmed and processes isn't the same. It's the brain, not any other organ which dictates your actions.
If you're poor and you grow up in crappy conditions, you're going to see life a lot different than someone who didn't want for anything. You're also going to have very different life experiences.
We don't need white people to 'help us', defend or pander to us. We definitely don't want white people going out of their way to show us they aren't racist. It's not shocking to us, when we invite these white individuals to come to our house to have an evening meal... they'll do everything to change the subject or wiggle out.
You want to lash out against racism then lash out at racism/prejudice, but do it without describing color, religion, jihad, etc. Stop pandering and whining, and start living and accepting ALL people the SAME.
If this kid was white, there wouldn't be any mention of race, religion, conspiracy, etc.