Posts by Aodhhan

592 posts • joined 25 Apr 2008


C'mon, biz: Give white hats a chance to tell you how screwed you are

Aodhhan
Bronze badge

LOOL @ Dunn

Once again, Mr. Dunn hasn't done a lot of forward thinking and proper research.

If all of this is true, (about bounties and poor development practices) then why do most software vendors have occasional security updates?

Probably a majority of bugs are reported back to a vendor from customers who conduct tests (including penetration tests) before completely committing to purchasing their product. Most large corporations now either have penetration testers, or contract this out, to evaluate the application's security.

Usually, a penetration test is outlined in the agreement between vendor and customer. Companies can no longer get away with saying you can't pen test their product before purchasing it.

It's not unusual to find security vulnerabilities. When we do, it's usually taken care of quickly and without fuss from the vendor. Also, customers don't demand money for doing the pen test, since it's part of their due care/due diligence. However, it's not uncommon for a customer to point out the vulnerability and then not release all of the details. I mean, we aren't paid by them to pen test their software. :) ...so the vendor is forced to figure a lot out on their own; which they typically do well, once it's pointed out.

So, saying a software vendor isn't doing a good job securing their application because they don't offer bug bounties, or have a program for the general gray hats to make money on, doesn't mean they aren't focused on security, or that their software development methodology is poor.

Because of all this, why would a company offer a large bug bounty if they have a product which is being used by many? Consider just how many ridiculous claims and false findings you'd have to deal with from this type of program. Many companies who do have bug bounties aren't really doing it for security... they are doing it as a marketing stunt. It's good publicity, usually gets another story or two published... and nobody knows they don't really do much with the program after a couple of months and the marketing boost from it begins to wear down.

...speaking with one Dutch company about bug bounties (who doesn't even have a bug bounty program of their own), isn't exactly proper research. LOL

1
11

Equifax IT staff had to rerun hackers' database queries to work out what was nicked – audit

Aodhhan
Bronze badge

Ignorance

I can tell the author doesn't have a lot of experience in InfoSec. Also, many of the commenters don't as well. I've been penetration testing for over 15 years, so I've noticed many security cock ups, poor risk management, etc. What I see more of though, are people making comments without thinking it through.

First-- Reworking and following the exact steps a hacker does to your system is commonplace. It's often necessary to ensure you find everything. This is particularly important with databases... where there is a lot of information. Usually too much for the hacker to scrape and copy in full; so you need to figure out exactly what was copied, removed and/or changed. NOT REWALKING THE STEPS is considered negligent. Making fun of it like this author does is ridiculously stupid.

Second--ANYONE who thinks their system is so secure because they do everything right is a moron. Not ignorant, but a moron. This includes certificate management. I'm willing to bet I can find a bad cert somewhere in your network. I find them about 70% of the time I look. Or I find they aren't bound correctly, etc. Chances are, your network has at least one, and the system using it doesn't fail because of it.

Third--No doubt Equifax messed up on this; however, if you don't get why a system doesn't quit working due to an expired certificate--then you haven't worked with really large networks. Also remember, this type of risk is often accepted. Probably on your network as well.

Fourth--Speaking of risk acceptance. Chances are your CIO has accepted some risks, and at first glance (since you're ignorant and don't get the entire picture) you would think he's crazy to do so. ALL NETWORKS HAVE ACCEPTED RISKS.

Fifth-- Struts was a particularly nasty beast. An easy to do (even for you script kiddies) remote exploit which was being actively exploited the same day it was published. Many companies decided to wait until Monday to patch it and became victim to it. Many more would have become victim to it, but were saved by proxy systems being correctly configured to stop outbound traffic. Heck, the system you work on may have been hit, exploited, but saved because of an outbound setting. So... be careful what you gripe about.

So before you begin to throw stones (and nobody in InfoSec should), look at your company's network to see how many exceptions to policy and larger network accepted risks there are.

Also, anyone in InfoSec who believes their network is completely secure from malicious activity should give up this career field, because you don't have what it takes to think forward enough to do the job correctly. All large networks are vulnerable in one way or another... ALL OF THEM. The key is how you respond and gracefully recover from an attack... not just how you work to stop it.

1
0

Former Detroit IT boss sent down 20 months for bathroom bung bonanza

Aodhhan
Bronze badge

Add another

Detroit has been destroyed under poor leadership for the past 40 years.

It's had more than its share of educators and overpaid city employees who have done some pretty outrageous crimes. Usually, they don't get very harsh sentences. This doesn't seem to be an exception.

Whoever stated Detroit isn't a large city should really learn to at least consult the 'google' and spend 10 minutes educating themselves. The entire Detroit-Windsor area is quite populated.

Also, most of the "abandoned" buildings and s-hole areas have been demolished and corporations are beginning to move back to Detroit. Don't you just hate people who only 'relay' bad information, instead of having the brain power to do their own fact checking?

Although it's far from being anything spectacular, it's still better than NYC, Chicago, Cleveland and other cities with abandoned, s-hole neighborhoods.

2
1

Princely five years in US big house for Nigerian biz email scammer

Aodhhan
Bronze badge

The fine may seem small, but the companies who were affected by the scam will file civil suits against the men to get their money back. Not only will the companies be awarded what was taken, but it's likely punitive damages will be awarded as well.

When all is said and done, along with legal fees, these guys will be lucky to have any money left. Even if they had $20 mil in the bank before the scam.

1
0

Solid password practice on Capital One's site? Don't bank on it

Aodhhan
Bronze badge

Don't forget

...when you use copy/cut and paste, you're leaving behind the information on a notepad which survives reboot; and this notepad is easily retrievable.

0
3

Email security crisis... What email security crisis?

Aodhhan
Bronze badge

Memo to all Personnel

Attention,

Due to the recent threats and a need to have a system we can store state secrets on, I've ordered our email server to be moved into a towel closet near a bathroom; where it's unlikely any malicious foreign service will find it. We've also instituted an offline backup system to place important files on the laptop computer of my assistant's husband.

Thank you

--Hillary and the DNC--

0
2

Dear America: Want secure elections? Stick to pen and paper for ballots, experts urge

Aodhhan
Bronze badge

Re: @Martin Gregorie

If you're going to spill evilness about those on the opposite side of the political spectrum, you may want to at least take a few minutes to look at how embedded you are.

You should consider how fascist your words are.

A fascist doesn't want to hear the other side. If someone doesn't believe what you believe, then they are wrong... and should be punished. --This is fascism.

A fascist doesn't look at both sides. They are stuck on what they are told (rarely looking for the truth).

A fascist sees faith as a bad thing, and belittles anyone who follows religious beliefs.

Finally, a fascist calls others fascist without proof...often times without knowing what the word actually means--because they've spent so much time just repeating what they've been told to say.

Attempting to apply 'tribalism' to religion is so completely ignorant, it's clear you don't have any original thoughts of your own, and you've never stopped to use the cognitive creative abilities your brain does have. You may want to try critical thinking for once. You'll find your life suddenly becomes a lot more enjoyable and filled with less hate.

2
4

Voyager 1 left the planet 41 years ago – and SpaceX hopes to land on Earth this Saturday

Aodhhan
Bronze badge

No math outside USA, China and Germany?

Is it only the USA and Germany which bridge mathematics and science in school?

The ISS is moving ~17,500mph because of orbital mechanics. If it was going slower, it would fall back to earth. If it was going a little faster, it would increase its orbital altitude; if it was going much faster... say 25,000mph, it would escape earth's gravity.

Consider how fast an object must be going to maintain earth orbit, then how fast something needs to go to escape earth's orbit. Finally, work out how fast something must go to escape the grasp of the sun. Most objects don't decelerate due to friction, they decelerate from the gravitational pull of a large object. Such as a large planet, star, etc.

If you don't believe 35000mph is fast, perhaps you should consider just how fast it really is. If you were watching traffic on a road, in which the speed limit is 35000mph, you wouldn't see the traffic go by, and you couldn't turn your neck fast enough to keep up; even if you were 5000 feet from the road.

3
0

Wannabe Supreme Brett Kavanaugh red-faced after leaked emails contradict spy testimony

Aodhhan
Bronze badge

ROFLMAO

First off... the emails weren't leaked as first reported. They were approved the evening before by the Senate sub-committee. Senator Booker introducing them was just putting together a grandstanding moment for the crowd, in hopes of becoming a front runner for president.

If you read everything thoroughly, you'll find in each case, it shows how the nominee is actually very UNBIASED in his opinions. (which is why not a lot was really talked about during questioning in the afternoon or making headlines) In protecting freedoms of everyone from all ethnic backgrounds; despite Islamist terrorists attacking the USA a week earlier.

As far as being read into a program. There are items which can come from a program which are declassified or classified releasable outside of its SCI container. This often happens for certain high ranking government officials, judges, etc. with a need to know.

It's amazing how people immediately disregard facts, when lies or 'spin' is brought up on things they wish to hear.

If you want to make a comment when knowing only 2% of the information, and/or looking at all the facts--instead of looking at everything from all sides--you're free to do so. By now, you're likely used to the taste of toes in your mouth. You will also likely continue to make less than $70K/year.

If you notice, not a lot was brought up in questioning this afternoon... other than grandstanding blah blah questions, and nothing is being made of it today. Well, nothing substantial. I'm sure the far left will still rant and chew on this nothingburger.

6
13

Excuse me, but your website's source code appears to be showing

Aodhhan
Bronze badge

Re: Not the root problem

Here's a quick run thru of why you're SO VERY WRONG.

Any code live to a hacker is potentially a weakness... if not today, then tomorrow. This goes for encryption as well. Typically, developers are 'too busy' to maintain every part of the code.

The most prevalent weakness in web sites is in not updating/upgrading code developed in out-of-date environments. For instance, using jQuery 1.7.x (which I see a lot), when the current version is 3.3.x. You can even find old .NET web apps, etc. Yeah, a lot of exploits in there.

Giving me access to code, allows me to scrape the website and go to town. If I don't find a weakness, it sure makes it easy to duplicate and redirect users to it. Because there is so much code, I can get not only authentication credentials, but likely internal information; such as an account number, social security... you get the picture now.

If the directory isn't locked down, what would you do if someone... say, updated the code for you? ...think malicious thoughts.

If you think none of this is possible, then what we can tell from you is--you don't have much experience in the real world. So we think "Bulls Eye"!

4
2

Spies still super upset they can't get at your encrypted comms data

Aodhhan
Bronze badge

No way.

Look... we voted out the Obama--Clinton power house Dems which abused their powers and continue to slow down progress by throwing false and malicious accusations against innocent people.

We learned from the Obama era, even the FBI, MI6 and CIA can't be trusted... even within these organizations it's possible for people in the highest levels to become corrupt and unfair.

As someone who does pen testing and red teaming for a living... those who concentrate too much on encryption, often leave other weaknesses wide open; because people are, for the most part... lazy and forgetful.

11
8

Detroit sh*t shifter's operating costs waste away with Oracle's cloud

Aodhhan
Bronze badge

The brain trust of the sewage department has spoken

Yes, I'm sure the brightest computer scientists and engineers stand outside in the Michigan sunshine...err snow drifts to queue for an opportunity to work at the sewage department.

Saving $1Mil is a huge sounding statement, until you realize where they were beforehand.

Since you chose Oracle... you likely would have saved even more money if you decided to use something else. You definitely will find, you will have a more secure database if you went with several different products.

If you had completed a good amount of technical research, you would have found out corporations are moving away from Oracle in favor of 2 to 3 other solutions.

You can't just look at your initial savings, you have to look at savings over the lifecycle of the product... in this case, about 4 years. Not to mention the risk increase/decrease... in the case of Oracle... it's a definite risk increase. Although, who cares if hackers get into the database and start releasing a bit too much chemical into the wastewater? Especially knowing how well the sewer system drains in the old central part of Detroit, even if it only rains 0.25 of an inch.

10
0

What's holding you back from Google Cloud? Oh, OK... it was hoping you'd say 'lack of hardware security modules'

Aodhhan
Bronze badge

No doubt they have access to the keys. Which is why I always believe it's better to use a 3rd party.

The biggest item here, is to let us know with their services, how much latency is added to each of the most common cloud configurations--when using their HSM. Also, how much it will cost to decrease the latency. This goes for incoming and outgoing traffic.

The cloud is a great place to reduce time and cost, provided you aren't worried about performance.

0
0

ETSI crypto-based access control standards land

Aodhhan
Bronze badge

The nanny state kicks in.

Let's make regulations covering every bit of data we can; then, let's make things so convoluted and difficult to interpret we are sure to get people busted; because, finding people educated enough to understand all of these regulations will be difficult.

We must do this because InfoSec professionals are too stupid to figure out how to secure data. Plus, if encryption best practices change, we want to create even tighter regulations to babysit.

...blah blah blah.

-------

I like the GDPR in theory. In practice, we're beginning to see the rich white men in Brussels are trying to over control the industry.

You don't need to make regulations on how encryption is properly done. All you need to do is create laws to hold businesses responsible and punish appropriately. Require businesses to have robust InfoSec organizations within their corporation. Let the professionals, who know a lot more about securing data than politicians, do their job.

Then you don't need to stick your noses in at every turn, cost taxpayers more money than needed... and if big industry changes occur... it's easy to adapt without having to rewrite 35 volumes of outdated regulations.

2
4

Use Debian? Want Intel's latest CPU patch? Small print sparks big problem

Aodhhan
Bronze badge

You obviously aren't trained in legal matters.

Businesses also have constitutional rights. A business has the right to not do something, and you have the right not to support this business for their decision. Nobody has a monopoly creating a forced action. Everyone can go elsewhere and make a number of choices.

This being said, both the EULA and Debian's lack of action are not against GDPR or anyone's constitutional rights in any country in Europe.

2
2

SuperProf gets schooled after assigning weak passwords to tutors

Aodhhan
Bronze badge

Re: At Superprof we take security seriously and know how key it is to the running of our business

Taking security seriously doesn't mean you have cousin Nigel--educated by the London public school system and flunked out of taxi driving school--audit your security practices.

Taking security seriously, means you've built your security policies and procedures around industry best practices, and annually have an outside agency audit your security and risk management programs. Then you take the audit to heart to make changes as necessary to constantly improve.

1
0

How's that encryption coming, buddy? DNS requests routinely spied on, boffins claim

Aodhhan
Bronze badge

Re: Well to stay real for a bit

Christian,

The ISPs can't monitor your Internet packets if they are encrypted, and many times, the route taken by the packets for all the web sites you view (from your computer to any particular web site) doesn't pass through the ISP.

However, if you use their DNS servers (and most people do), they can track where you have been on the Internet.

2
6
Aodhhan
Bronze badge

Re: whatismydnsresolver.com

Performing a traceroute doesn't prove anything when it comes to DNS.

The path used by packets to perform information exchange with a particular web site, isn't the same path taken by DNS to resolve queries. Two very different protocols, for two very different services.

C'mon. You should know this.

3
2
Aodhhan
Bronze badge

Re: whatismydnsresolver.com

Don't you just love the ignorant when they post something on a security site?

Pascal's response to this article actually gave me a chuckle. I didn't think anyone who is so ignorant on DNS would post something so silly.

I guess the filter most of us have for being quiet when something doesn't make sense to us wasn't provided to Pascal.

Pascal, you aren't the center of the universe. Just because something didn't work for you.. doesn't mean it doesn't work. It just means you're too ignorant to figure it out. Perhaps you should research the problem on YOUR END a bit more. :)

5
4

SentinelOne makes YouTube delete Bsides vid 'cuz it didn't like the way bugs were reported

Aodhhan
Bronze badge

A waste of time

Let's see how long it takes for everything to get on the notebook sites and dev sites, such as GitHub.

0
0

Juno this ain't right! Chinese hackers target Alaska

Aodhhan
Bronze badge

Not attempting to hide IP

The IP wasn't hidden, because more than likely this wasn't done by the government. It was instead carried out by students and/or faculty at the university. In China, it's a HUGE crime to attempt to hide your actions or use devices such as Onion routers, external proxies, etc.

China's strict control of the Internet within their country does provide some benefits to intelligence communities, for more than just this reason.

2
0
Aodhhan
Bronze badge

Re: There is not enough OMG for this

This is old news. It happened during the Obama administration around 5-8 years ago.

Part of the problem uncovered in an after action report, was the lack of funding the Obama administration provided to the department of defense, DARPA and intelligence agencies. This forced them to use poor quality products and take shortcuts both logically and physically regarding intelligence techniques, tactics and procedures.

2
0

Who was it that hacked Apple? Ozzie Ozzie Ozzie, boy boy boy!

Aodhhan
Bronze badge

It's not going to work...

It's not going to work --to get a job -- when you hack Apple systems using Ubuntu.

This really irks them off.

8
0

Mozilla-endorsed security plug-in accused of tracking users

Aodhhan
Bronze badge

You take privacy seriously... my azz.

Taking privacy seriously means testing and checking all plugins for privacy concerns before making them available to the public.

Obviously this application wasn't checked for privacy concerns... so it seems you don't take privacy seriously. You're only trying to cover your back side after the fact, like a weak politician.

Making some BS statement after the fact, doesn't help your credibility at all. It only makes it worse. Better would be, you are going to make changes in procedures to ensure privacy is maintained prior to making plugins available.

3
0

Former NSA top hacker names the filthy four of nation-state hacking

Aodhhan
Bronze badge

Sorry for the misunderstanding

The NSA doesn't actively practice hacking systems in the USA.

We turn this over to the FBI and let them do it. We only get involved when these twits can't figure it out.

-NSA-

1
0

It's official: TLS 1.3 approved as standard while spies weep

Aodhhan
Bronze badge

That's right...

It's impossible to break into. We haven't found a way in so we gave up.

The protocol is different, but the cipher suites and certs are still the same.

We'll never be able to crack this.

-NSA-

BWah ha ha ha ha.

Psst. Think everyone will buy this?

0
0

CVE? Nope. NVD? Nope. Serious must-patch type flaws skipping mainstream vuln lists – report

Aodhhan
Bronze badge

Then there are other unreported vulns

As a penetration tester for a large company, it's my job to test all applications before they are certified on our networks. This includes internally developed, as well as COTS apps.

Probably more than 60% of the time, I find vulnerabilities for the vendor to fix. Around 10-20% of the time, it's a critical vulnerability (remote and easy to do). Each time, I noticed they NEVER publish the vulnerability. They just add the fix quietly into their next "update". No mention of what we find at all.

So why don't we say something out loud? Because most software vendors/companies have items in their commercial EULAs which amount to a non-disclosure agreement. Getting on a bulletin board, Twitter, etc. will put the company you work for--and your job--in jeopardy; so unfortunately this isn't an option.

So if you're a network engineer, be aware of this factor and use it to budget better security equipment to mitigate this fact. Especially with external facing web applications.

0
0

Oracle: Run, don't walk, to patch this critical Database takeover bug

Aodhhan
Bronze badge

I have to ask...

Since Oracle has a horrible reputation of fixing patches--not to mention the high number of EASY exploits; why are you still using this database, and/or any application requiring Oracle Java?

Fortunately, the two companies I've worked for in the past five years have both pretty much phased all Oracle products out--including Java based web apps. Not to mention, getting rid of applications which embed Oracle into their products. Such as Symantec DLP.

3
1

Hackers manage – just – to turn Amazon Echoes into snooping devices

Aodhhan
Bronze badge

Dang...

We were hoping it would take some time before people figure this out.

Now we have to get good at bypassing home physical security systems again.

-NSA-

2
0

Patch Tuesday heats up with pair of exploited zero-days squashed – plus 58 other vulns fixed

Aodhhan
Bronze badge

Seriously....God?

Anyone who believes you can simply kick out a fix for something in a few days is ignorant about the process... and a moron for not taking the time to learn a bit more about it.

First off... nearly anytime you increase security--albeit slightly--you impact usability. Therefore, it must be tested by security and users. Many times, it must be tested against a load of different software to ensure it doesn't negatively impact them.

Just like chess, when you move a piece to strengthen your position, you also create a weakness because you're no longer defending areas where you once were.

So... the entire operation, usability, security, etc. must be checked, attacked, worked with etc. Sometimes, it isn't fixed during the first iteration, so it must be done over.

This does take some time. If you think you can do better, and teach people something they don't know... then by all means, step up and jump froggy jump! It's easy to be a beotch and complain about something, when you're a moron.

Sometimes it's better to keep your mouth shut and let people think you're an idiot, than to open it up and remove all doubt.

3
2

Cracking the passwords of some WPA2 Wi-Fi networks just got easier

Aodhhan
Bronze badge

Where have you been?

This isn't a new technique. We've been using it for a while.

-NSA-

9
0

Dear alt-right morons and other miscreants: Disrupt DEF CON, and the goons will 'ave you

Aodhhan
Bronze badge

Keep politics out

I don't care which side you belong to. I don't want to see any political activities at an InfoSec conference. I even hate the morons on both sides, who want to interject it on this site.

They only display how hateful and small minded they are; most only repeat what they've heard, and not what they objectively know from doing their own work. If they did, they'd see both sides are moronic liars, who only say things to get your vote and do their best to trash anyone who opposes them.

So.. it's the same ole crap from both sides. Use your brain power for something else, and keep the political thoughts away from security sites and conferences.

1
3

Boffins: Mixed-signal silicon can SCREAM your secrets to all

Aodhhan
Bronze badge

Not new

This has been known by most of the major countries in the world since at least the mid 80s. It's one of the reasons there is shielded conduit and TEMPEST solutions, even when the transmission is encrypted.

0
0

Well, well, well. Crime does pay: Ransomware creeps let off with community service

Aodhhan
Bronze badge

Seriously...

If 18 or 22 years of age is too young to be held responsible for poor decisions, then we really need to raise the age for voting, drinking, driving, flying aircraft, etc. They weren't 12 to 14, so young my azz.

Sure it wasn't violent... which is why you give them 1 or 2 years instead of 5-20 years.

If they stole money from you, and you weren't able to feed your kids or make rent... you might think a bit differently. A lot of people live paycheck to paycheck. Losing 500 euros can really hit a family hard and cause undue stress... for a lot longer than 240 hours.

I think the judges have lost touch with what it is like for the majority of people. Those who don't make 300K plus euros per year.

0
0

Shock Land Rover Discovery: Sellers could meddle with connected cars if not unbound

Aodhhan
Bronze badge

Good Grief.

Apparently, you think JLR should monitor all their vehicles and somehow know when they are sold off?

Of course not. But you do have to think of the process... and bump it up against a few things.

It's the typical security see-saw balance of usability versus security.

Make it too easy, then an auto thief can easily make changes so you can't track the car.

Make it too hard, then the owner gets upset.

Like any new technology where security is involved, it takes a bit for a good balance to be struck. So in the meantime, don't get too pissy about the situation. Instead, work to find a balanced solution. This is what security professionals are supposed to do.

3
2

Google's Alphabet hit by Europe's other GDPR: Global Domination = Profit Reduction

Aodhhan
Bronze badge

Re: Oh, we "customers" or "products" always pay

Apparently you don't understand economics.

If a company is fined and you believe they are going to raise prices because of this... then go elsewhere. Typically though, companies don't raise their prices; stockholders end up taking the biggest hit. Some may go into not paying raises/bonuses to employees. This is why fines can be successful in ending bad behavior.

Where the money goes? ...this depends. Typically there is some sort of general fund it goes into and then those in charge figure out what to do with this. Sometimes the money here goes for good things, like new bridges or other infrastructure projects. Like in Germany, it will likely pay for a pipeline to Russia.

The USA doesn't like the government interfering in business policy. You know, this whole freedom and liberty idea. The only real exception is health and welfare of the public/customers.

When it comes to this case, most people in the USA think it's moronic, and just a way for a government to screw over a company and the company's work force. In other words, a way to make politicians rich at the expense of employee raises and benefits.

Are people in Europe so stupid they wouldn't know how to download and install another browser; or another application and not use what is already installed? Of course not. Further, Android doesn't prevent the user from doing this. Can you imagine purchasing a new phone and there is no browser at all on it? C'mon. Do you really expect them to just install a competitor application? ...or some plain label and insecure browser? Common sense needs to be used.

0
0

Google answers 'Why Google Cloud?' with services and spectacle

Aodhhan
Bronze badge

Try doing this away from SFO

One of these days, they are going to start doing things away from the bay area.

San Fran has become a crap hole lately, especially in the downtown area. I wouldn't attend a conference there again if they paid for the entire trip.

I'd rather deal with the crowd in Las Vegas or traffic in Chicago than to put up with the smell and sights of downtown San Francisco.

1
0

Dust yourself off and try again: Ancient Solaris patch missed the mark

Aodhhan
Bronze badge

Raise your hand...

If anyone is shocked Oracle had this problem.

...take the walk of shame if you're still using Oracle products. This includes the whacky Symantec products (Like DLP) which build it into the application.

0
2

Insecure web still too prevalent: Boffins unveil HSTS wall of shame

Aodhhan
Bronze badge

Not shocked...

This is a lot more common than most people think. The reason is pretty simple for corporations who don't use experienced penetration testers and rely on application and web scanning tools: findings from these scanning tools typically state HSTS and other "header" misconfiguration findings are considered "LOW". Because of this, the risk is typically accepted or placed deep in the queue to be fixed.

For those who hire good penetration testers or have them on staff, they will consider most header findings as a medium; even for internal sites (it doesn't take long to fix) to ensure these findings are corrected. Once the developers and middleware admins get used to this, it doesn't take them long to ensure all headers are correctly added and configured for each site.

0
0
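An added example, not from the post above or from The Register, of the kind of header check the post argues for: it rates a missing or weak HSTS header on an HTTPS response as "medium" instead of a scanner's "low", and flags a couple of the other common headers. The severities, the one-year max-age floor and the sample responses are assumptions constructed for this example.

```python
"""Rate security-header findings for an HTTP response.

Added example (not the post's or The Register's code). The severities and the
one-year max-age floor are assumptions; the sample responses are constructed.
"""
from __future__ import annotations

# Assumed lower bound on HSTS max-age (one year), as most hardening guides use.
MIN_HSTS_MAX_AGE = 31536000


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_headers(headers: dict, https: bool = True) -> list:
    """Return (severity, message) findings for a response header map.

    Header names are matched case-insensitively. HSTS is only evaluated for
    HTTPS responses, since browsers ignore the header over plain HTTP.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []

    if https:
        hsts = lower.get("strict-transport-security")
        if hsts is None:
            findings.append(("medium", "Strict-Transport-Security header missing"))
        else:
            d = parse_hsts(hsts)
            try:
                max_age = int(d.get("max-age", ""))
            except ValueError:
                max_age = -1
            if max_age < 0:
                findings.append(("medium", "HSTS max-age missing or not a number"))
            elif max_age < MIN_HSTS_MAX_AGE:
                findings.append(("medium", f"HSTS max-age {max_age} is shorter than one year"))
            if "includesubdomains" not in d:
                findings.append(("low", "HSTS lacks includeSubDomains"))

    if lower.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options: nosniff missing"))
    if "x-frame-options" not in lower and "content-security-policy" not in lower:
        findings.append(("low", "no X-Frame-Options or Content-Security-Policy (clickjacking)"))
    return findings


def worst_severity(findings: list) -> str:
    """Highest severity present, or "none" when there are no findings."""
    order = {"low": 1, "medium": 2}
    return max((f[0] for f in findings), key=order.get, default="none")


# Constructed sample responses: a bare default and a hardened one.
WEAK_HEADERS = {"Content-Type": "text/html", "Server": "nginx"}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        found = check_headers(hdrs)
        print(name, "->", worst_severity(found))
        for sev, msg in found:
            print("   ", sev, msg)
```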

Azure promises to keep your backups safe and snug for up to 10 years

Aodhhan
Bronze badge

Marketing

Of course they say this... the longer you keep your data with them, the more money they make.

It's not like they say... they'll do it for free.

3
0

So long and thanks for all the fixes: ERPScan left out of credits on Oracle bug-bash list

Aodhhan
Bronze badge

Nobody is shocked

Oracle has been hosing everyone since it became a publicly traded company.

The only shock is how many ignorant corporations out there still purchase Oracle's crap.

2
0

Trump wants to work with Russia on infosec. Security experts: lol no

Aodhhan
Bronze badge

Re: Tee hee. Trump is to Putin as --

Don't forget...

The whole DNC hack was done while Obama was in the White House. Along with Russia gaining Crimea. Oh, and don't forget the red line in the sand fiasco.

Meddling was done between Hillary and the Russians... remember Uranium One?

This is just the democrats yelling louder and without pause--accusing others so people don't talk about the transgressions done while they were in power.

If Trump walked on water, the democrats would scream it's because he doesn't know how to swim.

Yet, so many people buy into their BS and catch Trump Derangement Syndrome, and lose all focus on reality.

3
13

Scumbag confesses in court: LuminosityLink creepware was my baby

Aodhhan
Bronze badge

GM, Ford, Ferrari, and others plead guilty

...to creating sports cars which can easily outrun police and cargo vehicles to carry..uhm, stuff.

They all admit to knowing these high speed vehicles are perfect for criminal activities such as smuggling and trafficking as well as getting away as quickly as possible.

They also admitted to knowing these products have been used in terrorist attacks as well as kidnappings; yet still...they provide customer support as well as spare parts to those in need.

I don't condone this guy's product, but let's get real. Those who need to be arrested and focused on (with laws) are those who use the product illegally. With a few simple changes to his words, he could've marketed this as a security tool in many locations (including the US) and been fine.

2
0

Sub-Prime: Amazon's big day marred by server crashes, staff strikes

Aodhhan
Bronze badge

Seriously snowflake?

The employer has the responsibility to provide for the physical and mental well-being of its employees?????

No it doesn't; you do. How about this... listen better in school, buckle down, and get an education. Then you wouldn't have to work in a warehouse.

Perhaps you should try a job outdoors, in the elements... like many jobs.

Perhaps try putting your life on the line, such as first responders.

Maybe try high rise construction or trash collection.

Waaaah.. underpaid. No you're not. Look at the thousands of other occupations out there where it takes a lot more to collect a paycheck. Taking an order, tossing it in a box, putting it on a truck... etc. Not exactly worthy of high wages. You don't see most people working in department stores driving the newest cars.

Quit using WANT, want, WANT, and start using earn EARN earn.

4
8

Oracle cuts ribbon on distributed ledger service

Aodhhan
Bronze badge

They have to do something

Their overpriced, under-secured database is starting to be used less and less; so Oracle has to do something.

Banks don't exactly have a huge supply chain, so saying any of them use this isn't really saying much. Where they do, it's so regulated by every country, that it's not really providing anything but a common application.

My worry is simple. It's Oracle. Once again, they rush a product through... to be one of the first so they can charge way too much. All their products are pushed this way... all their products have security holes which can be used as examples of what not to do.

Oracle: Not exactly the best name in the InfoSec world.

I imagine, nothing will change in this regard.

4
0

Irish fella accused of being Silk Road admin 'Libertas' hauled to US

Aodhhan
Bronze badge

Re: Extraditing random people?

Look... instead of looking silly, why don't you take 3 minutes and use Google on the phone which is obviously stuck 10 inches from your eyes. What makes idiots comment about something they admittedly don't know anything about?

It's not about where a 'server' is (good grief... really, you think it's about the server?) It's about where the crime is committed/damage takes place.

2
4

Revealed in detail: World powers stuff spyware kit, how-to guides in dodgy nations' pockets

Aodhhan
Bronze badge

It's the snowflake way

If we yell loud enough with a message which is just corny enough (it doesn't have to be true), somebody will eventually believe it, provide us a forum, and we will be smart and important.

Anyone can publish anything. Doesn't mean it's worth its weight in dog crap.

1
3

Indictment bombshell: 'Kremlin intel agents' hacked, leaked Hillary's emails same day Trump asked Russia for help

Aodhhan
Bronze badge

Smoke and mirrors

The democrats are basically shouting over everyone and taking any little thing they can and running with it.

They're doing this to cover up the fact Hillary broke the law and set up a private server, used her position of power against her rivals, made terrible choices both in and out of office (including choices which killed people).

Hillary's strategy is... if you shout really loud and don't allow anyone else to talk, then the public will not be able to hear the real truth and see just how bad you really are. The only fallacy in this, is not shutting up long enough to understand the public isn't stupid.

The DNC will continue its push against Trump, but there are a lot of people in Hillary's own party who are very happy she didn't win the election; could you imagine?

3
1

Ukraine claims it blocked VPNFilter attack at chemical plant

Aodhhan
Bronze badge

Re: Come on!

Actually, it was Obama who said Putin is nice.

Obama: Hey, Putin is nice... let's pull our defense systems out of eastern Europe as a sign of good faith and friendship.

Putin: Ha! The Americans pulled back, strike Crimea! No worries... Obama will just draw another red line he will not enforce.

1
1

Timehop admits to more data leakage, details GDPR danger

Aodhhan
Bronze badge

Well done.

A company using primarily servers facing the Internet fails to use MFA for administrators.

You have to consider the CIO neglectful in their duties for not ensuring MFA is implemented.

0
0

Biting the hand that feeds IT © 1998–2018