Among the worst vendors from a security standpoint.
Oracle manages to ensure their customers pay them to increase the number of vulnerabilities on their own network.
491 posts • joined 25 Apr 2008
There is little doubt what he did was against the law. Just because a web site is poorly secured or coded doesn't provide an excuse to gain access to information stored on the system. The application provided "some" controls around access and he used a tool to circumvent these.
If I used a common tool to eavesdrop on your communications (MitM attack), this doesn't make it okay; even if the communications were done using public equipment and you didn't employ encryption.
The question isn't about whether he broke the law. He did. There are a lot of things in life I didn't mean to do, but I was still held responsible for them. Starting when I was 11 and broke a window with a baseball.
The questions now revolve around intent as well as damages. He stated he wanted to download government documents, but to do what (exactly) with the information? What damage was done with the information he did gather? Did he send it off to others?
It will take some investigating to determine all of this, and we don't yet have the entire story.
Oracle... the worst vendor in the world from an InfoSec perspective, and yet they want to provide their 2 cents worth. BTW Oracle, this decision makes fantastic sense.
- This is a private cloud system. So you want to manage it differently.
- Looking for one vendor only DOES spur competition. The best deal wins. Taxpayers like this.
- Choosing multiple vendors allows them to increase prices incrementally together. The costs will mainly be fixed, and the format will be such that, at the end of the contract, the DoD isn't subject to vendor lock-in.
- One vendor means simplicity. You don't have to send personnel to a variety of vendor training courses. Again, great for the taxpayer.
- One solution makes it much easier for patching and maintenance.
- One solution makes it easier to secure. MUCH easier to secure.
There is more, but you get the point.
Oracle obviously isn't looking out for the taxpayer or the security of DoD cloud data. It's only out for its own bottom line.
Oracle, get your security together before you start telling others how silly their ideas and solutions are.
Developers ARE accountable in one form or another. This comes down to policies and procedures laid out by management.
I've said this a few times on this forum. As an information security professional, you better first point the finger at yourself; because it's likely your risk assessment is the point of failure.
Code review and penetration testing the application is vital to risk assessment. If you fail to point out vulnerabilities and their effects (costs) due to bad development policies/procedures, then the fault is on you.
Risk assessment is the foundation of InfoSec. If all you do is look for vulnerabilities, you will be very frustrated at your job, wondering why things are done the way they are (where you work).
There is a HUGE difference between stuxnet and what Russia is doing.
Stuxnet's purpose (arguably) was to delay a dangerous nation state from creating a very dangerous product.
Russia's purpose is to denigrate democracy as a whole. To attack and steal from other nation states, corporations and individuals. Not to mention take the lives of anyone who opposes what they are doing.
Don't confuse the tool with how it's used.
You're smart enough to critically think through something without throwing your politics into it. Start doing so. You'll find your whole view on the world will change... and I don't mean politically.
Thank you for the obvious. There is one thing, you have to compare the benefits of selecting this over other cloud services, not compare it to on-prem solutions; as you point out.
This solution is based purely on the storage of data. It doesn't include movement of data, security, encryption, etc... all of which of course will cost more, and you can bet they will increase these prices.
Remember, access can include adding more data, not just pulling.
This solution is purely archival in nature. For instance, regulation states you need to keep documents for 5+ years. So you keep it for one year on another cloud or on-prem solution, and the rest of the duration on a solution such as this.
3 people are critically hurt. Instead of focusing on these individuals and their families... everyone wants to provide their political opinion.
This isn't the time for your opinion. The fact you give one without focusing on those who are hurt only proves your heart and brain aren't where they should be. ...and you want the rest of us to believe you have the wisdom and foresight to provide an answer? ...get real.
Another way to get a lot of down votes is to point out 2nd and 3rd order effects people don't want to hear.
Sure, Intel can put a lot of resources into fixing 8+ year old chips, which are probably used by less than 3% of the market... but doing so will likely stop Intel from providing good raises or other benefits for its employees, and/or raise the cost of the next computer you purchase by a couple of hundred dollars.
As security professionals, you should all understand and identify risk management based decisions; and be intelligent enough to understand it. This is done by all corporations all the time. Including the one you work for.
Those of us who are penetration testers aren't shocked by the number of individuals who fall victim to phishing. With moderate training, a 20% rate is right at the norm with a medium complexity phishing email.
Depending on how the mail is formatted, you can get a much higher rate.
Don't judge too harshly. At work, it's quite likely I can send you a phishing email you'd click on or open an attachment. If I catch you at a very busy time, and get everything on the mail just right to entice you or to fortunately provide information you're working on... you'd fall victim.
It's about the complexity of the phishing email. Shockingly, you find those age 20-30 will fall victim in higher numbers than those over 30 or even those over 50 years of age.
Younger individuals are easier to catch with a phishing email which is "mistakenly" sent to them and contains an attachment with what appears to be confidential information. The younger you are, the more likely you will give in to your curiosity over security.
So apps are mining Facebook... if you didn't figure out this was happening, then you really have no business using a computer. If you input anything which is then stored in the cloud, you better understand, somebody somewhere is going to leak, mine or hack your information.
When it comes to the majority of data points... these are already being gathered by credit agencies, credit card companies, mortgage companies and data services such as INFOGROUP.
They trade this information and sell it out. Make/model cars you've purchased, where you purchase/shop, what brand/model of washer/dryer you purchase, if you voted, mail ads you respond to, type of deodorant you use, etc. You use a credit card, look how detailed the information on your receipt is. Credit card and retail outlets just sell out everything you do.
Even local governments sell out information, such as whether or not you showed up to vote and what dates you voted... i.e. do you show up to vote for more than just national elections? How often have the cops been called to your house? What upgrades you've done to your property, etc.
Until we can vote in people who will not sell out to the corporate data miners and sellers, and will clamp down on the amount of data which can be collected, stored and sold... this will remain a problem everyone should be aware of.
We're finding out it wasn't Trump working with the Russians, but rather it was the Democratic party.
While Russia meddled with the elections, it didn't really impact it.
Also, it appears they didn't necessarily do it on their own accord; we're starting to see the Democratic party provided a conduit to do so.
With this coming to light, I don't expect to see the USA do much about this when it comes to offensive cyber ops.
A phone isn't a vault located in a military bunker. Phones should be looked at as the last place you keep sensitive information.
It's long been known, if someone gains physical control to your computer/device, etc... then they own it.
If not by using some 'secret killing box', then by another method.
So if you're a criminal conducting incriminating actions via your phone... don't be shocked if law enforcement uses it against you.
If you keep GPS active along with other 'features' active on your phone, don't be shocked when Google records your every move, puts the information into a database and then sells this information to Equifax; who then loses it when their database is breached. You chose to accept the risk. A phone shouldn't be looked at as being a secure safety deposit box located at Fort Knox.
You're InfoSec professionals. You're smart enough to look at this from the correct perspective of risk management. Don't get caught up in the emotion of this. Don't let the press or politicians twist your thinking. Keep your perspective true and remember, nothing is hack proof. So the loss or misuse of a box isn't any worse than someone not correctly securing information.
People will never collect Samba alerts, because there will always be a high number of them.
Samba is to network services as Flash is to web services. A different solution should have been implemented YEARS ago. You can put brand new siding on a sod house and make it look better, but it's still the same old pig with lipstick. Eventually, something will take advantage of the weak underlying architecture.
You can be from England, Russia, China, USA, Zaire, etc. One thing all have in common is a hate for traitors. You think England hasn't knocked off a few traitors in other countries?
Publicly England will beat its chest, threaten some sanction, expel diplomats etc.
Behind the scenes they'll move on as if they expected it.
Do you really think it's good for England to go to war over a turncoat Russian? Wake up.
Do you think Russia will go to war over the suspicious death of Ed Snowden? Hardly think so.
They'd beat their chest, rattle saber, wag a finger, etc.
Realistically they'd probably wonder what took so long.
Yes, because nobody ever names their child with a name originating from another country.
...where do these people come from?
What a fantastically brave conclusion.
...don't forget to stop by the hospital pharmacy and pick up some epi-pens along with other anti-toxins.
Thank you for your post, but it seems you don't know a lot about development.
You can't just cut/paste from a binary. Especially when using a different dev environment.
Yes it's difficult to find out who is behind attacks.
It's not difficult though, to hire experienced InfoSec professionals and support them adequately to provide a sufficient defense in depth architecture, patch management and monitoring to ensure it's difficult to get in, and just as difficult to get data out.
Since it is so difficult to identify hackers, you may want to keep this in mind when it comes to your risk management. Can I get a palm thump to the head?
Isn't it a bit funny when an ignorant Windows user feels the need to be noticed, that they actually post and rave about how bad Windows is? :)
One day my friend, you'll become knowledgeable and experienced; then realize how bad ALL operating systems are.
By itself, it doesn't keep anyone from 'spying' on you or intercepting and attacking the encryption.
HE is about not having to decrypt the data in transit and then re-encrypt it, like when data is passed through perimeter security devices. Or when data is stored at rest, an application doesn't have to decrypt the data before processing it.
You still have to maintain a small modulus to noise ratio (in the key-switching matrices) and manage the field for security.
Switching to low-dimensional fields speeds up the homomorphic process at the cost of security/increased risk. Something we are all familiar with already. We can switch from TLS to SSL, but we also increase risk.
When pen testing and doing code review, you'll occasionally run across hard-coded passwords. They are usually left there from testing, weren't documented, and therefore weren't removed.
Still, you bring up a good point about this happening in recent years. Because of the availability of development environment OWASP plugins along with much improved (over the past 5-10 years) static code checking software, we shouldn't see something like this from a large company like Cisco.
Who cares about brexit anymore? Since China is buying up more UK companies every year, it will soon become part of the red giant. Soon, learning Mandarin will be compulsory in every UK school.
Look at the bright side... it will no longer be part of the 5 eyes community.
What happened to all the intelligent InfoSec professionals who used to comment on this site?
All I see now is the rantings of those who think they know about a country's legal system, and those who just spew out political hate. Both without using critical thinking, complete understanding of the facts, and/or any real time experience.
The act in question doesn't bypass due process.
You also can't look at stored data in the same light as storing material products.
Stored data can be accessed in many locations at the same time, and in essence is then stored in many locations at the same time. If a document is called up and viewed in Chicago from its stored location in London, it's actually in both places. In fact, you can delete the document in London, but it will still exist in Chicago.
You can't do this with a material item without defying the laws of physics.
What's odd... those who are politically aligned to the left should be for this law. It's something which is very anti-big business, and anti-wealthy. These are the individuals who will be affected more than some bloke living in his mom's basement.
Let's say the s9 is disapproved by the system, but the PM still wants to intercept information on British citizens... all they do is contact their buddies in the CIA to set up their equipment for interception and get the information through them.
--thanks for playing. The PM wins either way.
I remember a time when intelligent conversations and an exchange of information security ideas took place on this site.
Now, it's turned into a political punching bag where trolls spew out their hate for something, or attempt to display how much wit they have (usually the wit is on the low side).
Reading through posts on most of the articles (even those which aren't political), information exchange is few and far between. Too often, comments aren't geared towards the subject of the article.
What happened... did all the intelligent security professionals run off?
Before you put on your "literacy police" badge again... you may wish to take a second look at your post. Your words aren't exactly a shining example of literacy.
Great... just what we all need, one more company calling us and interrupting our day to deliver a sales pitch.
Did this guy just wake up from a 30 year coma?
Many of these risks existed in the 1980s and were worries then.
So don't give us a left wing scare tactic... how about letting us know what you're going to do about it and how you will go about it.
Once again Linus is off his meds and ranting as if his creation was perfect from the start.
Oh... the stories I can tell about hacking into systems using the early versions of UNIX and Linux. All attacking the OS itself and not software. The input points, the early libraries were all such easy targets, that in less than 30 minutes you could teach an average person how to successfully hack systems.
Ahh yes the old paper voting system.
The argument goes, there's no way you can hack the voting system using this method, right? And of course you can recount them.
There is absolutely no way to hack the voting system using this 'old fashioned' method.
Pfftt... c'mon. A security professional should know better.
The old paper, pen, write in, mark a box, fill in an oval, etc., has been hacked for HUNDREDS of years.
Someone grabs/casts more than one ballot. Someone who has access can 'lose', add or change ballots.
With the added number of people involved when it comes to paper ballots, it's open to a lot of fraudulent activities. I.e. the original hacker.
There is good and bad to all methods. Along with strengths, weaknesses, vulnerabilities and risks to ALL methods. This is something all computer security professionals should realize.
So I'm assuming, those who want to damn the use of computerized voting systems are ignorant to
This article should be removed.
The author fails to properly provide exact information. In fact, it changes what is actually stated by the OpenSSL Management Committee.
I'm not a huge fan of the OpenSSL "Management Committee", since all they do is jump onto an encryption standard, instead of actually creating an algorithm themselves. Sort of like building a radio for a car and then attempting to tell the world they are an expert on cars.
So, I don't have any real skin in this game, but c'mon... this is really bad reporting.
Stop trying to create something which has already been created or spread the word using your own agenda, spin or artistic flair. Just the facts man.
You really have to look at the available labor pool, both technical and nontechnical. Technically, heavy cloud experience is a must. So the talent must exist or be convinced to move to the chosen location.
Labor cost, as well as cost of living will be shared with this. Taxes, taxes, taxes... states willing to make a special deal on tax rate will get a boost in points. Legal political kickbacks for officials will likely be available in some locations. If you're in a conservative leaning city, don't count on winning this.
Some of the obvious...
Austin or Dallas - Hah, really, Texas? Asterisk politics here.
Chicago - High Taxes. High technical labor turnover.
Denver or anything west of the Mississippi River is probably out. Probably needs to be somewhere a bit closer to the east coast. Denver also has the risk of heavy snow closing airport and ground travel more than 5 days a year.
Boston, Newark, New York City, DC/Maryland. High labor cost and living costs.
Canada has different laws. New set of laws and lawyers. Not to mention those pertaining to cloud ops.
So I'd look at Columbus, Atlanta (just barely), Northern VA as well as both PA locations as the top 5, in no particular order.
Business friendly, has workforce, can attract talent and cost of living is reasonable. Airports can handle the extra workload and plenty of ground routes available.
I'm sure I'll get plenty of down votes, considering the number of people shouting out things without using much thought or because they place their own prejudices into it.
Terrorists using drones against modern forces is pretty much a waste. Due to the technology they use and resources required, it's actually a negative force multiplier. Primarily because their signals can be tracked and you can't just make one from garage parts. Then there is the fact that they run by line of sight and are easily jammed and shot down.
The USA was able to become a country based on the warfare technology they were able to create along with manpower from the French. Technology wise, the USA found technology to make their small arms much more accurate, quicker to load, and much more reliable. This wasn't something they stole from the UK.
80s and 90s technology and Japan. Yes, Japan flourished during this time, but not with actually creating the technology but rather manufacturing it. Cheap labor was the biggest factor here.
Technology during this time came from all over. For instance the Dutch had quite a few advancements which spawned off into other items. The USA developed magnetic research (which they didn't steal), and continued with creating most of the processors used by nearly every technology during the day. Again, it wasn't stolen. The USA also declassified a lot of technology they alone developed and didn't steal. Such as high resolution imagery/lenses, fine microwave tech, GPS, lasers, etc.
I'm willing to bet no matter what country you live in, you've taken this technology for your own use.
F35 is what it is. Based on early mock live competitions as well as simulator combat, the F35 is far superior to the F18 Hornet. Not quite as effective as the F22, but you have to look at the role differences. The F35 can do things the F18 simply cannot, and this goes beyond the VSTOL capabilities.
It's easy to look at things from a narrowed view and repeat things others (who have their own agenda) say.
Seeing this is a forum full of IT professionals, you have the intelligence to take a few minutes and critically think about things and be objective; so try it out. This... we are better and smarter than anybody else attitude is ridiculous; not to mention... how often has this 'attitude' gotten you anywhere?
...removing employees also removes good talent.
Remember, it isn't security which drives business; quite the opposite. It's the business needs which drives security.
Ensure proper security policies, procedures and mechanisms are in place.
Ensure proper monitoring is in place, even if it means monitoring individual employees (who raise risk) in order to provide focused individual training and implementation of security mechanisms.
Monitoring 'at risk' employees will often provide a lot of insight into the problem. It also provides proper justification if it does come down to removing the employee from their position.
Whenever you write an article, don't criticize anyone's grammar. You have no leg to stand on. I counted at least 12 different grammatical errors by you, and this isn't counting your improper use of passive voice, and lack of active voice. It appears you have little understanding of subject, verb and objects when writing as well.
A real journalist sticks to the facts about the subject itself, without attempting to belittle anyone associated with the subject.
This report is another example of taxpayer funds wasted. This is a snowflake report written by individuals who apparently believe each corporate community should follow best practices and create common standards.
I believe this sort of thing has been in just about every OMB information security report since 1999.
More so... it addresses the obvious without any mention of risk assessment.
Get a clue guys. Every company with a network pulse would love to have a common guideline to go with and purchase the latest/greatest technology. Here is the problem... 1: This is the USA. You can't force a business to do something without creating law. Since companies own politicians... good luck with this. 2: Pocketbooks aren't unlimited. 3: While corporations have been held accountable, the penalties and punitive damages haven't been costly enough to change risk assessments yet. Target, Google, etc... have just been slapped on the wrist while consumers pay huge costs.
Start chanting accountability and punitive damages along with large legal suit dollars and you just might begin to make traction. Until consumers can overcome political greed from corporate contributions, you will not see a lot of change.
Elizabeth Warren has been tossing out a lot of useless bills in an effort to get her face in front of a camera, and this proposed bill is no exception. Don't be shocked if she claims to have 'computer geek' heritage.
Anyone with more than 2 years experience in IT can see it's a bunch of crap done haphazardly. It's missing far too many things and doesn't hit details required and powers needed for a true "Information Security Tsar" office covering consumer information by businesses and organizations.
Also, this bill addresses two very different things. An office and a penalty; with no policy in place.
How about we first create the office/organization, then create policy, and finally create penalties.
This way, experts who know what they are doing put something together. Not some lying politician who hopes to be president some day.
Industrial Control Systems is an area which started taking advantage of networking in a very quiet and shadowy manner. Wireless technology makes installing sensors and other items much quicker, easier, cheaper and more convenient than drilling holes between walls and floors and pushing wires through conduit.
So this insecure technology was grabbed and purchased by many organizations to control lights, security cameras/devices, electrical outlets, elevators, alarms, fire sensors, HVAC, etc.
Building maintenance and information technology had never interacted in the past, so both are ignorant of each other's existence and requirements. It's not uncommon for ICS products to be the biggest shadow-ware out there.
For anyone who has never administered, installed or tested ICS applications and equipment... you're in for one heck of a shock once you do. Then you're in for a fight when you have to secure it and possibly remove all wireless devices.
Once again, the Register has a completely lazy and ignorant author on a subject.
I could go into many specifics, but it will take too long to write it all out.
I will say this... having a carrier group is the number one way to extend your country's military offense or defense and attack an enemy at any time and anywhere. In terms of strategy, this is a threat and counter-threat which isn't easily defeated.
Most of our enemies don't respect our way of life, but they do respect the Navy and its capabilities. When it comes to war and peace... it all boils down to capability and who has more.
Let me know when your government starts using private servers, deletes e-communications, has your top law enforcement agency look the other way, makes underhanded deals with your top investigation personnel, allows national security leaks from servers, convinces half of parliament that security is secondary and finds plenty of people negligent in all of these acts but believes the people are not smart enough to catch on or care. Finally, think Hillary Clinton is a goddess in training.
...then you have a story.
You seem to be either closed-minded or too lazy to do a simple web search.
Kaspersky has had plenty of times where it's been responsible for system problems.
Here is just one of the latest patches released by Kaspersky:
If you understand how IDS and AV applications work, you'll begin to understand they will ALL have occasional problems with the underlying OS and detection.
This suit perfectly shows how Russia doesn't understand the concept of freedom of speech and choice. In the USA, you don't need a reason to boycott any product. Even if this hurts your business or reputation. This is one of the most powerful outcomes of a free economy. Good products tend to do well, and crappy or harmful products die out quickly because people do boycott them.
The US Government as a whole is beginning to follow the same software guidelines the DoD has been using for years. DoD has never allowed Kaspersky products on their systems. Don't feel shunned though, many applications from allied nations aren't approved for use either.
Time to get rid of this prime minister and the rest of her party toadies. It's time to find people who understand good ole British strength. Tired of seeing England in such a yellow light. You wouldn't catch Churchill or Thatcher acting in this manner. They weren't scared to stand up to a bully in order to protect British interests.
You can't just waggle your finger at Putin and expect he'll do anything but laugh, kick your (now tiny) balls, and walk right over you.
Don't waggle and warn, DO SOMETHING ABOUT IT.
Yes, let's all believe anything published in the New York Times.
I would rather buy a tabloid paper with the latest news on UFOs, as it has more credibility.
There is no doubt in my mind (due to where I worked) that the NSA, USSTRATCOM and a couple of other government letters reported to the State Department about the cyber threats from not just Russia but going back to the Soviet Union in the 80s.
From 2007 through 2015 I know there are a variety of different cyber intel/threat reports directly addressed to the US State Department regarding activities from many unfriendly countries... including Russia. Some were provided for action for the Department to follow to increase information security, and some were provided due to OCO/DCO activities within various countries.
What we noticed is, most of the time, the State Department didn't care about or strictly follow cyber security guidance. This was noted many times in annual IA reports for State Dept. systems. This department would just accept or ignore many identified risks.
So... if this guy thinks TECHIES aren't providing information to those setting and enforcing policy and procedures... then he is just part of the system who ignored what is put together for them. I can point to many policies regarding cyber security from OPM to State Department regulations, not to mention laws such as FISMA which have been in place for many years covering information security.
So... this man is an ignorant fool to blame anything but himself for not knowing what is and has been in place for many years. Wait, he's not being ignorant, he's simply trying to make an excuse for how poorly the State Department followed guidelines, policy and laws regarding information security.
Probably another scam where they hacked themselves and hid the money away to be retrieved later.
It doesn't make sense for a business to have an outward facing wallet containing a company's entire cryptocurrency capital. A company will typically 'bleed' the outward facing wallet into a central wallet which isn't available to the world. Much like a store will bleed the cash out of all of their registers and put the money into a safe until they deposit it into a bank.
I think I've read at least 15 articles this year regarding this.
Amazingly, this article doesn't provide any real references or links.
Most of all, there is nothing new or unique.
Also not shocking is the lack of any background into exactly what systems in the financial industry still use low-level language development, or of any perspective into how much of the financial industry has upgraded to systems developed with managed code.
Perhaps an article should be written about the development updates, changes, etc. around financial services. I won't hold my breath... too many lazy column writers.
This is how it has always been. In nearly every security certification the mantra is, "Absolute security is impossible". Therefore, there should always be a plan to ensure when a system is owned, it fails 'gracefully', and if necessary it fails over to a backup/COOP system.
Then there is prioritizing criticality. The scale used for this can get a bit complicated, but broken down into the simplest form, it's about paranoia.
Once again, we have someone who is relatively new to security trying to make a name for themselves... without taking 15 minutes to really think about what they are saying.
Rule is... if it appears to be the obvious, then it probably is; therefore, someone else has already figured it out.
I can tell you have no access to intelligence or understand exactly what happened. All you are typing out is what you 'think', without doing much if any research.
There is a large difference between an AV application taking a piece of code positively identified as a threat (from memory), and downloading an entire file stored on a system. In short, downloading the entire file is going too far. Imagine the information an AV company has to gain if they believe word processing files are infected, and download the entire file full of personal and corporate secrets.
Then with terabytes of information, they are able to search for tags in files such as "Secret", military terms, engineering terms, and other key words to sift through more thoroughly.
An AV which downloads the entire file instead of just the positively identified code isn't being friendly or acting in your best interest.
Biting the hand that feeds IT © 1998–2018