Domain: darkreading.com
Stories and comments across the archive that link to darkreading.com.
Comments · 86
-
Ad free version
-
Another security threat is....
Readers clicking on infected links because their articles are so full of ads they can't tell where the "Next Page" link is anymore.
My solution is thus.
I think the biggest threat is our own idiocy, rather than some ominous force.
-
Re:I already funded the development, as a taxpayer
Citation needed.
Integrity for Avionics, the product you think you own, is simply a trimmed down version of Integrity, which is used in medical devices, industrial robotics, and other stuff like that.
After reading the product docs...The what?
The OS, which was first deployed in the B1B bomber in 1997, today runs in military and commercial aircraft, including the F-16, F-22, and F-35 military jets, and the Airbus 380 and Boeing 787 airplanes.
The information available suggests that the first deployment was its original purpose, and probable source of original funding. If the military did not subsidize the start of this company and the development of this product, then of course what I've said doesn't hold. But neither of you have provided any other sources of information yet. I've gotten my information from the article. What's the URL of your source?
-
Re:p00p.
all accessories to it share guilt.
Sourceforge also hosts projects involved in network security tools, possession or distribution of which could be considered a crime in many countries. For example, German laws over "hacking tools" are hopelessly broad and ill defined. The fact that network tools, programming tools, text editors, web browsers etc. can be misused for criminal acts is irrelevant; it'd be foolish to pursue a criminal case against distributors.
P2P software is used to share large amounts of data in a network efficient way, people using the tool to distribute copyright material to which they have no distribution rights is copyright infringement. HTTP, FTP, SMB, NFS, rsync, IRC... are vendors of software supporting these protocols in the crosshairs too?
-
DarkReading wrote about this - and more tips
DarkReading wrote that Beijing is bracing for an Olympic Cyber-War. Worth the read.
We created an information security guide for visitors to China for the Olympics on behalf of one of our large customers.
If you take nothing else away from this, just be careful bringing your technology devices to China! The environment there is unsafe for most information technology.
-
Re:Good!
They'll have a heck of a time suing when they knew beforehand of the sloppy security measures and actually gave them an extension on PCI compliance: http://www.darkreading.com/document.asp?doc_id=138838
-
Re:Link provided goes to big Flash page
It's a redirect from InformationWeek, a perfectly legit publication, to http://www.darkreading.com/document.asp?doc_id=156139&WT.svl=news1_1
Admittedly it's annoying; in fact the first attempt to go there crashed my browser.
-
On a related note...
This article seems to say that Vista is MORE secure than XP, or OSX.
Here's another good article about detecting rootkits in XP vs Vista using antivirus suites and online scanners.
-
Malware Survey - similar topic
http://bt.ins.com/ just released a survey about how companies view and respond to the malware threat.
WARNING: PDF. Go to http://bt.ins.com/WorkArea/linkit.aspx?LinkIdentifier=id&ItemID=2665 to view.
I also did an interview @ DarkReading.com http://www.darkreading.com/document.asp?doc_id=151382&WT.svl=news1_1 about the survey.
DISCLAIMER: I work for BT, but the survey is pretty unbiased IMHO.
-
Ad free article.
-
Re:they need to protect their networks
Human nature is a difficult beast to protect against. This is my favourite Social Engineering related story:
http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1
-
Re:they need to protect their networks
Oh, trust me, if I'm doing dev work on a machine assigned to me, I *will* be local admin, it's just a matter of (not much) time. You can't actually lock down a Windows box (or any normal consumer OS) against anyone who has long-term physical access to that box. Without full disk encryption, "resetting" the local admin password is nearly trivial in Windows.
Heck, if I understood this attack better, I could become the admin in a few seconds even with full disk encryption.
OTOH, any company that I've heard of that really locks down their desktops and still employs developers gives them a second box on a different network to actually get work done, and the locked-down box becomes just an email and intranet app terminal.
-
Re:Corporate mouthpiece
What did you expect? This is the same website that gives a periodic voice to Rob Enderle as if he were some sort of security expert...
:/ /P
-
Re:Honk! Honk!
I don't know where you got this information but this sounds outright stupid to me. Why wouldn't you use encrypted drives? That way the only thing you need to wipe are the keys. That should eliminate the need for any James Bond stuff to prevent capture. Unless you're suggesting all encryption is crackable.
I am suggesting precisely that. While it is still incredibly off-topic when compared against the original parent article (considering most people don't care or need to encrypt their data drives, and said encryption is totally irrelevant to the question of data recovery - just because you don't have a key to read it immediately doesn't mean the data files can't be recovered intact from a disk and later analyzed), yes, even "government grade" encryption is susceptible; I suggest you educate yourself a bit more before you start bandying about words like stupid - look into the details of the U.S. Navy EP-3E ARIES mid-air collision with a Chinese F-8 Finback. In their case, much of the data on the aircraft was encrypted, but this did very little to soothe the Navy's concerns... Fact is, they were fairly certain that the Chinese analysts stood a high probability of recovering vast amounts of sensitive data, encrypted and otherwise from the aircraft, as you can't possibly encrypt everything on the aircraft; too many of the surveillance and communication (not to mention flight control) systems on the aircraft demand or record data at rates far in excess of what an encryption/decryption algorithm can keep up with - crypto requires time and resources, neither of which are generally over abundant when it comes to air operations.
From GlobalSecurity.org: After Sunday's collision, the 24-member crew had just minutes before making an emergency landing on China's Hainan Island to destroy sensitive information. This would include codes for encryption systems and the records of electronic intelligence that had been collected during the flight - both of which would be highly useful to a potential adversary.
The 19 "electronic warfare" technicians, working shoulder-to-shoulder at terminals back in the windowless fuselage, practice such destruction techniques under far less stressful circumstances. The first few minutes last Sunday morning - over water, hundreds of miles from the plane's base on Okinawa, and in the presence of armed and hostile jets - were undoubtedly palm-sweaty tense as the pilots struggled to regain control of the plummeting four-engine plane.
Even if the crew was able to destroy all the computer codes and electronic records of the flight, US military and intelligence services "will probably treat as compromised much of the equipment just to be on the safe side," says Smith, a former military intelligence officer. Using reverse engineering, for example, Chinese technicians will be able to gather important data on the receivers, radars, and other highly classified equipment used in gathering the "SIGINT" (signals intelligence) and "ELINT" (electronic intelligence). This could be the difference between victory and loss in time of war.
There is also this at DarkReading (originally from VARBusiness):
JUNE 16, 2006 | PORTLAND, Ore. -- In 2001, an American spy plane collided in the air with a Chinese fighter and was forced to land on Chinese island. Since then, researchers have been looking for a way to quickly erase computer hard drives to deny access to sensitive intelligence data.
Scientists at the Georgia Institute of Technology (Atlanta), working with L-3 Communications Corp. (New York), said they have developed a technique for quickly erasing hard-disk drives. The team reports development of a prototype fast-erasure system to prevent sensitive information from reaching enemy eyes.
At the time of the U.S.-China incident, there was no way the
-
oops bad memory, my bad... I guess they didn't use thermite, but somehow this article corrupted some neurons... http://www.darkreading.com/document.asp?doc_id=97378
The researchers concluded that permanent magnets are the best solution. Other methods, including burning disks with heat-generating thermite, crushing drives in presses, chemically destroying the media or frying them with microwaves all proved susceptible to sensitive, patient, recovery efforts.
And the Chinese did manage to recover the data... I can't find the article right off.
Storm
-
Re:From a mainstream publisher
What immcintosh said. What we did in the book is not illegal as far as we know. I wrote an article about the state of the law and computer security through the lens of MMORPGs for darkreading. Here's a pointer: http://www.darkreading.com/document.asp?doc_id=136128&WT.svl=column1_1 And just for the record, our books do sell pretty well (EOG is off to a fine start), but we do it to help improve the state of software security from the dark ages to the Bronze age. gem http://www.cigital.com/~gem
-
Re:Already slashdotted
Had no trouble reaching the 'print' version here: http://www.darkreading.com/document.asp?doc_id=142127&print=true
-
You Sank My Enterprise!
Ah, but you fail it!
In other words, stupid people and people who don't care about security punish the rest of us. How nice. You don't know how much I would appreciate an "Internet License" to show basic security and protections on the net.
Anyone who thinks non free software can be secured should be denied said license. FTFA:
This shift has even awakened enterprises, which historically have either looked the other way or been in denial about bots infiltrating their organizations. (See Bots Rise in the Enterprise.)
If you think you can do better than Fortune 100 support teams, you are sorely mistaken. They have all the time, money and employees they want to throw at this problem and still get their ass kicked. People trying to tweak non free software are working in the dark and will always be surprised. No matter how much they spend, they can never fix the problem.
-
Russian mob,
Hear about that Spam King in Russia? He sent spam to the wrong mob boss and is now dead. Darn:
Falcon
-
budget...
Nowadays the internet has become an important part of human life. Everything is done using the internet, and many companies do their business using the internet to market their products and services. Every year, every month and every day the business on the internet is increasing, and so is the cybercrime; therefore companies need to pay more attention to their security by finding the best solution to defend themselves from attackers or intruders. As a result they need to spend more budget to get good security. The question is, if the cost of cybercrime is increasing, are companies budgeting enough to defend themselves? :) Here is an article about this topic: http://www.darkreading.com/document.asp?doc_id=133814
-
Re:Unacceptable
How does unauthorized code even get into a financial institution's systems?
http://www.darkreading.com/document.asp?doc_id=113460&print=true
No. 1: The Thumb Drive Caper
In June, a penetration testing firm planted 20 infected USB drives in the bathrooms and parking lots of a busy credit union. It was a simple, non-technical exploit -- and also one of the most effective of the year. Out of the 20 drives, 15 were inserted into PCs by curious credit union employees. If the infection hadn't been benign, the entire business might have gone up in smoke.
The account of this exploit -- perpetrated by one of our own columnists, Steve Stasiukonis, vice president and founder of Secure Network Technologies Inc. -- was by far our best-read story of the year. It exposed a frequently-overlooked vulnerability in most organizations, and it brought forth a whole range of vendors and products that are now attempting to close the hole.
We figured we would try something different by baiting the same employees that were on high alert. We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user's computer, and then email the findings back to us.
That was just one of many ways to do it.
-
Who cares
Really, who cares. Americans have been too busy watching America's Next Top SomethingOrOther to give a rat's ass about their civil liberties. Started off small and now it's escalating. While I doubt the FBI is using this for the nightmare scenarios depicted by those who can't see a need for it (note I said CAN'T see a need for it) I dislike the thought, but I do see where there would be a need for it. The potential for abuse from a system like this is what's scary to me, not the fact that it's in use. So while everyone cries foul AFTER the fact, remember there have been many rambling on about this for years. I did it in 2000 when Carnivore was released, I rambled on about CIPAV and always take the time to support the efforts of groups like EFF and EPIC. One person like a little privacy maniac, some would say. For me it means little; I'm aware of what can be done to my privacy, but I'm also aware of how to truly retain a portion of my privacy. It's when this becomes outlawed, as has been done in Germany, that I will truly get fed up and move out of the US. While the rest of normal America focuses on the important things in life like Britney Spears, America's Next Stupid Reality Show, What's Oprah Doing Now crap.
-
Another detailed article
I stumbled over this in-depth article, based on interviews with Kaleidescape people. Describes the whole story of the Kaleidescape product from the beginning right through to the end of this court case.
Seems like DVD-CCA's original legal strategy was not really well thought-out. They tried to patch it up with a bunch of bluster and an "I AM ABOVE ZE LAW!" attitude, but the judge would have none of it.
-
Article without ads/formatting
at the risk of being a karma whore, here's the article without ads http://www.darkreading.com/document.asp?doc_id=122116&print=true
-
Story's author writes back
As the guy who wrote this story, just wanted to say thanks to all posters for some excellent discussion. Most of the criticism has been both valid and useful, and we'll try to keep some of these comments in mind for future stories. I also offer a special note of thanks to those who offered extra insight -- I'm the first to concede that a short story like this doesn't cover all the angles on a complex subject like this. Also a really big thanks to those who flamed the critics on the story's behalf. :) If you go through this entire thread, as I have, you'll find a fascinating array of opinions on what to do in the event of a breach, including some that are diametrically opposed. I think the spectrum of views on this proves that it's not all "common sense" stuff that everybody knows. There are some real questions on how to proceed after a breach is detected. I've done my best to summarize some of the comments and offer a few thoughts of my own in today's blog http://www.darkreading.com/blog.asp?blog_sectionid=327&WT.svl=blogger1_1. Hope we can continue the discussion.
-
Printable page
One-third content, two-thirds ads and links. Yeah, that's a good design.
1 part content, nothing extra
-
If you're smart...
You'll use this link. "Print buttons" are your friend, unless you really like 2 pages of content being spread over 10 pages.
-
Re: self-made recruiting "difficulties"
"Doesn't Google have difficulty hiring people?"
Yes, they, like the M$ and other executives are having self-created difficulties.
http://collectingmythoughts.blogspot.com/2007/01/3424-too-young-to-retire-sheryl.html
http://blogs.usatoday.com/oped/2007/01/too_young_to_re.html
"I have a Ph.D. in Computer Science. I have 20 years of experience. I am 50 years old. I am unemployable. I can't even get an interview at companies like Google, Cisco, M$, Dell, HP and Apple, whose Washington lobbyists..."
http://www.darkreading.com/document.asp?doc_id=115318&WT.svl=column2_1
"Google's executive staff has [idiotically] concluded that interviewing takes too long and that by sorting potential employes based on grades -- largely an artificial metric in business -- they are probably missing out on many great employees they might otherwise hire. Unfortunately, Google's 'solution' to this problem is to hire people [who are capable of doing] jobs '3 levels higher' than the jobs they are hired for."
Other self-created difficulties:
* failure to recruit at more than a handful of the thousands of colleges and universities in the USA
* failure to cover interview and relocation costs for impoverished but capable US candidates
* decrease in education and training for new-hires and current employees from what firms were offering in the 1980s
* abuse of resume parsers attached to overly limited data-bases instead of hiring competent humans
* failure to include human contact name, that person's e-mail address and voice telephone number in every help-wanted ad
* failure to advertise jobs in print media across the country
* turning out products of low quality repeatedly, which repels many capable American professionals
* conduct and products that are ethically questionable, which repel many capable American professionals from seeking work at their firms (e.g. that whole "permatemp" scam, RFID, many ERP projects, body shopping)
-
Fundamentally flawed analysis
It's hard to know where to begin and others have commented on many of the problems with this so-called analysis, but I want to take issue with one of the core statements in the article:
A system call is an opportunity to address memory. A hacker investigates each memory access to see if it is vulnerable to a buffer overflow attack. The developer must do QA on each of these entry points. The more system calls, the greater potential for vulnerability, the more effort needed to create secure applications.
Huh? This is perhaps the most oversimplified and outright incorrect statement about what it takes to create secure applications that I have ever seen.
Let's take one very simple counterexample. Let's imagine that in the Apache* scenario, all string operations use the legacy C APIs (strcpy, strcat, sprintf, etc.) and the developers were too lazy to even add the manual error-prone bounds checks, whereas in IIS6, all string operations use Microsoft's strsafe.h replacement APIs (StringCchCopy, StringCchCat, StringCchPrintf, etc.) with extra diligence to make sure they are correct and even protect against integer overflows. Now which application is more secure, regardless of whether one has more lines on a graph?
I'm guessing the author's intent was to talk about attack surface area and how it relates to securing applications, but this is an extremely poor way to do it.
* - For the pedants, I'm not saying this is really the case with Apache.
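The contrast the comment above draws, legacy strcpy/strcat versus the counted strsafe.h routines, is easier to see in code. The following is an added example, not the commenter's code and not Microsoft's strsafe.h: it reimplements the contract of StringCchCopy and StringCchCat portably (the names bounded_copy, bounded_cat, bounded_len, build_greeting and the copy_status values are this example's own), so it compiles with any C compiler. The point it demonstrates is that every return path leaves the destination NUL-terminated, an oversized source is reported as an error instead of overflowing, and the remaining room is computed by subtraction from the known buffer size rather than by adding lengths, so the arithmetic cannot wrap.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Status values modelled on the strsafe.h convention (names are this
 * example's own, not Microsoft's): the copy either succeeded, or the
 * source did not fit and the caller must handle that explicitly. */
typedef enum {
    COPY_OK = 0,
    COPY_INSUFFICIENT_BUFFER = 1,
    COPY_INVALID_PARAMETER = 2
} copy_status;

/* Length of s, never reading past max characters (portable stand-in for
 * strnlen so the block builds with a plain C compiler). */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* bounded_copy: the contract of StringCchCopy, written portably.
 * cch_dest is the size of dest in characters INCLUDING the terminating NUL.
 * With a valid dest, dest is NUL-terminated on every return; if src does
 * not fit, it is truncated and COPY_INSUFFICIENT_BUFFER is reported instead
 * of silently writing past the end, which is what strcpy would do. */
copy_status bounded_copy(char *dest, size_t cch_dest, const char *src) {
    if (dest == NULL || src == NULL || cch_dest == 0)
        return COPY_INVALID_PARAMETER;
    size_t i = 0;
    while (i + 1 < cch_dest && src[i] != '\0') {
        dest[i] = src[i];
        i++;
    }
    dest[i] = '\0';
    return (src[i] == '\0') ? COPY_OK : COPY_INSUFFICIENT_BUFFER;
}

/* bounded_cat: the contract of StringCchCat. The remaining room is
 * cch_dest - used, a subtraction from a known bound, never the sum of two
 * lengths, so it cannot wrap around (the integer-overflow case the comment
 * mentions). A dest that is not terminated within cch_dest is rejected
 * rather than scanned past its end. */
copy_status bounded_cat(char *dest, size_t cch_dest, const char *src) {
    if (dest == NULL || src == NULL || cch_dest == 0)
        return COPY_INVALID_PARAMETER;
    size_t used = bounded_len(dest, cch_dest);
    if (used == cch_dest)
        return COPY_INVALID_PARAMETER;
    return bounded_copy(dest + used, cch_dest - used, src);
}

/* build_greeting: a small caller in the style the comment contrasts.
 * The legacy form would be strcpy(out, "Hello, "); strcat(out, name);
 * which overruns out whenever name is long enough. Here the same string
 * is assembled with the bounded routines and a too-long name is refused. */
copy_status build_greeting(char *out, size_t cch_out, const char *name) {
    copy_status st = bounded_copy(out, cch_out, "Hello, ");
    if (st != COPY_OK) return st;
    return bounded_cat(out, cch_out, name);
}

int main(void) {
    char buf[16];                           /* constructed sample buffer */
    copy_status st = build_greeting(buf, sizeof buf, "Ada");
    printf("%d: \"%s\"\n", (int)st, buf);   /* 0: "Hello, Ada" */
    st = build_greeting(buf, sizeof buf, "a-name-that-is-far-too-long");
    printf("%d: \"%s\"\n", (int)st, buf);   /* 1: "Hello, a-name-t" (truncated, still terminated) */
    return 0;
}
```

The return code is the part that matters for the comment's argument: a caller that ignores it gets a truncated but still well-formed string, never a write past the buffer, so the number of places where memory is addressed says nothing by itself about how many of them can overflow.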
-
Turn Off IE7 Anti-Phishing
...to save almost this much electricity. For example when your browser locks up with CPU at 90%+ and memory usage rocketing while IE7 spends minutes rendering an Ajax-heavy site. We've just spent two days tracking this problem down independently and it's unbelievable how inefficient this piece-of-shit feature is.
-
Growing black market for stolen customer data
You are so right about the loss of privacy and the growing demand for sensitive customer data. In fact, Dark Reading just posted a comprehensive story on the black market for stolen data just last night: http://www.darkreading.com/document.asp?doc_id=103198&WT.svl=news1_1 I was particularly surprised by the organization behind the criminals who buy the data, and the relatively low price they pay for it.
-
This is a bit more sinister...
As noted in a previous article http://www.darkreading.com/document.asp?doc_id=102624 this is not being done to educate; it is done to control. There are two groups this shafts: 1) The ignorant "sharer" who does not understand security and gets penalized by the government after "warnings" are done away with by the penal system 2) The intentional sharer who believes in free Internet access for all. Why does this need to be legislated? Who knows... Sad state of affairs when the government tells people who is allowed to come over for supper...
-
Re:So my
You are right about using a virtual machine.
But I have to disagree with the magnets. It can be done, though there is not a consumer version of this available;
http://www.darkreading.com/document.asp?doc_id=97378
But you're right. It's better to avoid the problem, maybe keeping the stuff offsite and using VPNs (if you have the bandwidth). Maybe giving your offsite computer a dead man's switch (i.e. script). Might be easy to implement with the new 802.11n stuff coming too.
But I'm with you. Don't bother with the dross in the first place.
-
Trusted Computing Great for Corporate/Government
I personally abhor the notion of Trusted Computing on my personal computer, but if you're using a computer provided to you by the government or a corporation for the express purpose of working, it's their right to control what goes on on that computer. It's possible that this will help to stem the tide of malware (at least in corporate environments) by rejecting execution privileges, and allow IT staff to better enforce policies about what can and cannot be run on their computer. It would also help stop things like the Free USB Key Attack (formerly discussed on Slashdot).
Of course, this could also make users feel like they are not trusted, and could even lead to overconfidence in the security of the system. Still I see it as a major plus, at least unless I get saddled with it at home.
-
Once more, in English:
"A recent column (Social Engineering, the Shoppers' Way) on darkreading.com shows how easy it is for a penetration team to walk into a supposedly secure facility using a shoppers club card because the man trap was misconfigured. Man-traps allow people to enter an outer door but not an inner door similar to ATM kiosks. Once inside, they had the run of the place."
-