Domain: scmagazineus.com
Stories and comments across the archive that link to scmagazineus.com.
Comments · 23
-
Addendum #1/3: Partial list of DNS exploits... apk
http://www.dshield.org/diary/N...
http://www.dshield.org/diary/A...
http://www.theregister.co.uk/2...
http://yro.slashdot.org/story/...
http://www.dshield.org/diary/M...
http://www.theregister.co.uk/2...
http://www.scmagazineus.com/ne...
http://www.dshield.org/diary/S...
https://threatpost.com/en_us/b...
http://it.slashdot.org/story/1...
http://it.slashdot.org/story/1...
* "Read 'em & weep" more are coming... & that's only SOME of the exploits DNS has experienced, I don't have them all but those will do!
(Simply facts supporting my former post as I promised in it, to show the RAMPANT EXPLOITABILITY of DNS vs. my program AND WINDOWS protecting hosts perfectly...)
APK
P.S.=> You can't win, accept it... apk
-
I also know this, per this article, lol... apk
" I'd expect you to at least understand how DNS works." - by ilikejam (762039) on Thursday January 31, @08:32AM (#42749827) Homepage
DNS doesn't work TOO well, & is vulnerable + faulty as hell...
How's that?
In fact, here's a NICE list of that to top this article off:
A DNS FLAWS LIST OVER TIME FOR REFERENCE (only partial):
---
DNS flaw reanimates slain evil sites as ghost domains:
http://www.theregister.co.uk/2012/02/16/ghost_domains_dns_vuln/
---
BIND vs. what the Chinese are doing to DNS lately? See here:
http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders
---
SECUNIA HIT BY DNS REDIRECTION HACK THIS WEEK:
http://www.theregister.co.uk/2010/11/26/secunia_back_from_dns_hack/
(Yes, even "security pros" are helpless vs. DNS problems in code bugs OR redirect DNS poisoning issues, & they can only try to "set the DNS record straight" & then, they still have to wait for corrected DNS info. to propagate across all subordinate DNS servers too - lagtime in which folks DO get "abused" in mind you!)
---
DNS vs. the "Kaminsky DNS flaw", here (and even MORE problems in DNS than just that):
http://www.scmagazineus.com/new-bind-9-dns-flaw-is-worse-than-kaminskys/article/140872/
(Seems others are saying that some NEW "Bind9 flaw" is worse than the Kaminsky flaw ALONE, up there, mind you... probably corrected (hopefully), but it shows yet again, DNS hassles (DNS redirect/DNS poisoning) being exploited!)
---
Moxie Marlinspike's found others (0 hack) as well...
Nope... "layered security" truly IS the "way to go" - hacker/cracker types know it, & they do NOT want the rest of us knowing it too!...
(So until DNSSEC takes "widespread adoption"? HOSTS are your answer vs. such types of attack, because the 1st thing your system refers to, by default, IS your HOSTS file (over say, DNS server usage). There are decent DNS servers though, such as OpenDNS, ScrubIT, or even NORTON DNS (more on each specifically below), & because I cannot "cache the entire internet" in a HOSTS file? I opt to use those, because I have to (& OpenDNS has been noted to "fix immediately", per the Kaminsky flaw, in fact... just as a sort of reference to how WELL they are maintained really!)
---
DNS Hijacks Now Being Used to Serve Black Hole Exploit Kit:
https://threatpost.com/en_us/blogs/dns-hijacks-now-being-used-serve-black-hole-exploit-kit-121211
---
DNS experts admit some of the underlying foundations of the DNS protocol are inherently weak:
http://it.slashdot.org/story/11/12/08/1353203/opendns-releases-dns-encryption-tool
---
Potential 0-Day Vulnerability For BIND 9:
http://it.slashdot.org/story/11/11/17/1429259/potential-0-day-vulnerability-for-bind-9
---
Five DNS Threats You Should Protect Against:
http://www.securityweek.com/five-dns-threats-you-should-protect-against
---
DNS provider decked by DDoS dastards:
-
I'll remind you of some "breaks" then
"Remind me again what is "broken"? If you can't name what's broken, then you're just coming up with solutions looking for a problem. DNS works, and works very well." - by unrtst (777550) on Tuesday June 19, @02:04PM (#40372977)
Upon request - see the list below then from over time up to recently...
---
DNS flaw reanimates slain evil sites as ghost domains:
http://www.theregister.co.uk/2012/02/16/ghost_domains_dns_vuln/
---
BIND vs. what the Chinese are doing to DNS lately? See here:
http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders
---
SECUNIA HIT BY DNS REDIRECTION HACK THIS WEEK:
http://www.theregister.co.uk/2010/11/26/secunia_back_from_dns_hack/
(Yes, even "security pros" are helpless vs. DNS problems in code bugs OR redirect DNS poisoning issues, & they can only try to "set the DNS record straight" & then, they still have to wait for corrected DNS info. to propagate across all subordinate DNS servers too - lagtime in which folks DO get "abused" in mind you!)
---
DNS vs. the "Kaminsky DNS flaw", here (and even MORE problems in DNS than just that):
http://www.scmagazineus.com/new-bind-9-dns-flaw-is-worse-than-kaminskys/article/140872/
(Seems others are saying that some NEW "Bind9 flaw" is worse than the Kaminsky flaw ALONE, up there, mind you... probably corrected (hopefully), but it shows yet again, DNS hassles (DNS redirect/DNS poisoning) being exploited!)
---
Moxie Marlinspike's found others (0 hack) as well...
Nope... "layered security" truly IS the "way to go" - hacker/cracker types know it, & they do NOT want the rest of us knowing it too!...
(So until DNSSEC takes "widespread adoption"? HOSTS are your answer vs. such types of attack, because the 1st thing your system refers to, by default, IS your HOSTS file (over say, DNS server usage). There are decent DNS servers though, such as OpenDNS, ScrubIT, or even NORTON DNS (more on each specifically below), & because I cannot "cache the entire internet" in a HOSTS file? I opt to use those, because I have to (& OpenDNS has been noted to "fix immediately", per the Kaminsky flaw, in fact... just as a sort of reference to how WELL they are maintained really!)
---
DNS Hijacks Now Being Used to Serve Black Hole Exploit Kit:
https://threatpost.com/en_us/blogs/dns-hijacks-now-being-used-serve-black-hole-exploit-kit-121211
---
DNS experts admit some of the underlying foundations of the DNS protocol are inherently weak:
http://it.slashdot.org/story/11/12/08/1353203/opendns-releases-dns-encryption-tool
---
Potential 0-Day Vulnerability For BIND 9:
http://it.slashdot.org/story/11/11/17/1429259/potential-0-day-vulnerability-for-bind-9
---
Five DNS Threats You Should Protect Against:
http://www.securityweek.com/five-dns-threats-you-should-protect-against
---
DNS provider decked by DDoS dastards:
http://www.theregister.co.uk/2010/11/16/ddos_on_dns_firm/
---
Ten Pe
-
Norton DNS/Open DNS/ScrubIT DNS
Some DNS servers are "really good stuff" vs. phishing, known bad sites/servers/hosts-domains that serve up malware-in-general & malicious scripting, botnet C&C servers, & more, such as:
Norton DNS -> http://nortondns.com/
ScrubIT DNS -> http://www.scrubit.com/
OpenDNS -> http://www.opendns.com/
(Norton DNS in particular, is exclusively for blocking out malware, for those of you that are security-conscious. ScrubIT filters pr0n material too, but does the same, & OpenDNS does phishing protection. Each page lists how & why they work, & why they do so. Norton DNS can even show you its exceptions lists, plus user reviews & removal procedures requests, AND growth stats (every 1/2 hour or so) here -> http://safeweb.norton.com/buzz so, that ought to "take care of the naysayers" on removal requests, &/or methods used plus updates frequency etc./et al...)
HOWEVER - There's ONLY 1 WEAKNESS TO ANY network defense, including HOSTS files (vs. host-domain name based threats) & firewalls (hardware router type OR software type, vs. IP address based threats): Human beings, & they not being 'disciplined' about the indiscriminate usage of javascript (the main "harbinger of doom" out there today online), OR, what they download for example... & there is NOTHING I can do about that! (Per Dr. Manhattan of "The Watchmen", ala -> "I can change almost anything, but I can't change human nature")
HOWEVER AGAIN - That's where NORTON DNS, OpenDNS, &/or ScrubIT DNS help!
(Especially for noob/grandma level users who are unaware of how to secure themselves in fact, per a guide like mine noted above that uses "layered-security" principles!)
ScrubIT DNS, &/or OpenDNS are others alongside Norton DNS (adding on phishing protection too) as well!
( & it's possible to use ALL THREE in your hardware NAT routers, and, in your Local Area Connection DNS properties in Windows, for again, "Layered Security" too)...
STILL, DNS HAS PROBLEMS... MANY PROBLEMS OVER TIME & EVEN RECENTLY BEYOND THAT OF THIS ARTICLES' POINTS:
---
BIND vs. what the Chinese are doing to DNS lately? See here:
http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders
---
SECUNIA HIT BY DNS REDIRECTION HACK THIS WEEK:
http://www.theregister.co.uk/2010/11/26/secunia_back_from_dns_hack/
(Yes, even "security pros" are helpless vs. DNS problems in code bugs OR redirect DNS poisoning issues, & they can only try to "set the DNS record straight" & then, they still have to wait for corrected DNS info. to propagate across all subordinate DNS servers too - lagtime in which folks DO get "abused" in mind you!)
---
DNS vs. the "Kaminsky DNS flaw", here (and even MORE problems in DNS than just that):
http://www.scmagazineus.com/new-bind-9-dns-flaw-is-worse-than-kaminskys/article/140872/
(Seems others are saying that some NEW "Bind9 flaw" is worse than the Kaminsky flaw ALONE, up there, mind you... probably corrected (hopefully), but it shows yet again, DNS hassles (DNS redirect/DNS poisoning) being exploited!)
---
Moxie Marlinspike's found others (0 hack) as well...
Nope... "layered security" truly IS the "way to go" - hacker/cracker types know it, & they do NOT want the rest of us knowing it too!...
(So until DNSSEC takes "widespread adoption"? HOSTS are your answer vs. such types of attack
-
Re:So Mac Users should expect this?
There have been some actual viruses in the wild for Mac, but the vulnerabilities are quickly patched, effectively preventing the viruses from spreading on any up-to-date system.
http://www.scmagazineus.com/second-mac-virus-in-the-wild/article/32987/
According to your link, the vulnerability was patched the year before the virus was unveiled by Sophos. And it wasn't "in the wild". That's a lot more than "quickly patched". That's Sophos creating an exploit based on a vulnerability they've only discovered because Apple fixed it.
Chance of you catching it: 0%, even at the time of that article. Chance of Sophos selling antivirus based on scare-mongering: only slightly higher.
-
Re:So Mac Users should expect this?
There have been some actual viruses in the wild for Mac, but the vulnerabilities are quickly patched, effectively preventing the viruses from spreading on any up-to-date system. http://www.scmagazineus.com/second-mac-virus-in-the-wild/article/32987/ [scmagazineus.com]
Despite the misleading claims in the article you cite, according to F-Secure, "Inqtana.A has not been met in the wild and has internal counter that prevents its operation after 24. February 2006. So it is unlikely that this variant would be a threat to Mac Users." It was an academic proof of concept, not an in the wild spreading virus and I've seen no reports of it in the wild. Sadly, people writing articles parrot terms like "in the wild", "zero day" and "virus" without understanding what the terminology actually means.
-
Re:So Mac Users should expect this?
Because Apple stated as much. They indicated if you want a virus scan there are numerous open source projects like ClamXav, as well as closed source options from the typical VScan vendors.
There have been some actual viruses in the wild for Mac, but the vulnerabilities are quickly patched, effectively preventing the viruses from spreading on any up-to-date system.
http://www.scmagazineus.com/second-mac-virus-in-the-wild/article/32987/
They are few and far between and patched relatively quickly but they do occur from time to time. No OS is immune from malware, although they are also not all equally susceptible.
-
DNS KNOWN ISSUES LIST samples... apk
"You're way is perfectly valid... " - by catmistake (814204) on Sunday January 09, @03:43AM (#34812866)
Thank you, however again: I always knew it was.
---
BIND vs. what the Chinese are doing to DNS lately? See here:
http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders
---
SECUNIA HIT BY DNS REDIRECTION HACK THIS WEEK:
http://www.theregister.co.uk/2010/11/26/secunia_back_from_dns_hack/
(Yes, even "security pros" are helpless vs. DNS problems in code bugs OR redirect DNS poisoning issues, & they can only try to "set the DNS record straight" & then, they still have to wait for corrected DNS info. to propagate across all subordinate DNS servers too - lagtime in which folks DO get "abused" in mind you!)
---
DNS vs. the "Kaminsky DNS flaw", here (and even MORE problems in DNS than just that):
http://www.scmagazineus.com/new-bind-9-dns-flaw-is-worse-than-kaminskys/article/140872/
---
Moxie Marlinspike's found others (0 hack) as well...
---
DNS provider decked by DDoS dastards:
http://www.theregister.co.uk/2010/11/16/ddos_on_dns_firm/
---
Ten Percent of DNS Servers Still Vulnerable: (so much for "conscientious patching", eh? Many DNS providers weren't patching when they had to!)
http://it.slashdot.org/it/05/08/04/1525235.shtml?tid=172&tid=95&tid=218
---
DDoS Attacks Via DNS Recursion:
http://it.slashdot.org/it/06/03/16/1658209.shtml
---
DNS ROOT SERVERS ATTACKED:
http://it.slashdot.org/it/07/02/06/2238225.shtml
---
TimeWarner DNS Hijacking:
http://tech.slashdot.org/article.pl?sid=07/07/23/2140208
---
DNS Re-Binding Attacks:
http://crypto.stanford.edu/dns/
---
DNS Server Survey Reveals Mixed Security Picture:
http://it.slashdot.org/it/07/11/21/0315239.shtml
---
Photobucket's DNS records hijacked by Turkish hacking group:
http://www.zdnet.com/blog/security/title/1285
---
Halvar figured out super-secret DNS vulnerability:
http://www.zdnet.com/blog/security/has-halvar-figured-out-super-secret-dns-vulnerability/1520
---
BIND Still Susceptible To DNS Cache Poisoning:
http://tech.slashdot.org/tech/08/08/09/123222.shtml
---
Couple that list with DNSBL &/or DNS Request logs?
"configuring a single DNS is far less complicated than making sure 1000 computers have a the correct HOSTS file." - by catmistake (814204) on Sunday January 09, @03:43AM (#34812866)
Well, The REAL PROBLEM(s) HERE? DNS itself.
To wit:
NOW? Now, You may "get my point", on how HOSTS files are an EXCELLENT supplement to DNS servers (especially those set in recursive mode)... & I don't rely on HOSTS files alone.
See - I use
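The Kaminsky item and the "Ten Percent of DNS Servers Still Vulnerable" item in the list above both come down to one number: how many bits an off-path attacker has to guess before the resolver accepts a forged reply. On a resolver that sent every query from one fixed source port, that was the 16-bit transaction ID alone; source-port randomization added up to roughly another 16 bits. The following is an added example, not code from this thread or from any of the linked articles. It takes a capture of a resolver's outbound queries (the `port=<n> txid=<hex>` log format and the three `SAMPLE_*` captures are constructed for the example), estimates how much of that guess space the resolver actually uses, and works out how many races a Kaminsky-style attacker (a fresh random subdomain per race, so a lost race costs nothing) should expect before one poisoned answer sticks. The entropy estimate is a heuristic in the style of resolver port-randomness checkers, not a proof.

```python
"""Estimate resolver query entropy from a capture and size a Kaminsky-style race.

Added example, not code from the thread. The log format and the SAMPLE_* captures are
constructed; in practice the (source port, txid) pairs come from a packet capture of the
resolver's outbound queries.
"""
import math
import random

TXID_BITS = 16         # the DNS transaction ID is a 16-bit field
PORT_BITS_MAX = 16     # a fully randomized ephemeral port range is worth at most ~16 bits


def parse_query_log(lines):
    """Parse 'port=<n> txid=<hex>' records into (port, txid) tuples, in capture order."""
    pairs = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = dict(token.split("=", 1) for token in line.split())
        pairs.append((int(fields["port"]), int(fields["txid"], 16)))
    return pairs


def is_sequential(values, tolerance=0.9):
    """True when nearly every consecutive difference is +1 (a counter, not a random source)."""
    diffs = [b - a for a, b in zip(values, values[1:])]
    return bool(diffs) and sum(1 for d in diffs if d == 1) >= tolerance * len(diffs)


def effective_bits(values, cap):
    """Heuristic entropy estimate for one field.

    A constant or a counter is worth 0 bits however many distinct values it shows;
    otherwise the spread of observed values bounds how much of the space is in use.
    """
    if len(set(values)) == 1 or is_sequential(values):
        return 0.0
    spread = max(values) - min(values) + 1
    return min(float(cap), math.log2(spread))


def assess_resolver(pairs):
    """Summarize the guess space an off-path attacker faces for this resolver."""
    ports = [port for port, _ in pairs]
    txids = [txid for _, txid in pairs]
    port_bits = effective_bits(ports, PORT_BITS_MAX)
    txid_bits = effective_bits(txids, TXID_BITS)
    return {
        "port_bits": round(port_bits, 1),
        "txid_bits": round(txid_bits, 1),
        "total_bits": round(port_bits + txid_bits, 1),
        # A fixed or sequential source port is the unpatched condition the
        # "ten percent still vulnerable" item describes.
        "verdict": "vulnerable" if port_bits < 8 else "ok",
    }


def race_success_probability(total_bits, forged_replies):
    """P(one race won) when the attacker lands `forged_replies` guesses before the real answer."""
    per_guess = 2.0 ** -total_bits
    return 1.0 - (1.0 - per_guess) ** forged_replies


def expected_races(total_bits, forged_replies):
    """Expected number of races (fresh random subdomain each) until a poisoned answer sticks."""
    return 1.0 / race_success_probability(total_bits, forged_replies)


def _constructed_capture(port_fn, txid_fn, n=200):
    """Build n constructed log lines from generator functions (sample data, not a real capture)."""
    return [f"port={port_fn(i)} txid=0x{txid_fn(i):04x}" for i in range(n)]


_rng = random.Random(2024)                      # fixed seed so the sample is reproducible
SAMPLE_FIXED_PORT = _constructed_capture(lambda i: 32768, lambda i: (i * 7919) % 65536)
SAMPLE_SEQUENTIAL = _constructed_capture(lambda i: 40000 + i, lambda i: (i * 7919) % 65536)
SAMPLE_RANDOMIZED = _constructed_capture(
    lambda i: _rng.randrange(1024, 65536), lambda i: _rng.randrange(0, 65536))


if __name__ == "__main__":
    for label, capture in [("fixed port", SAMPLE_FIXED_PORT),
                           ("sequential", SAMPLE_SEQUENTIAL),
                           ("randomized", SAMPLE_RANDOMIZED)]:
        report = assess_resolver(parse_query_log(capture))
        races = expected_races(report["total_bits"], forged_replies=1000)
        print(f"{label:11} {report}  ~{races:,.0f} races at 1000 forged replies each")
```

With 1000 forged replies per race, 16 bits of entropy gives the attacker about a 1.5% chance per race, so roughly 66 races on average; at 32 bits the same effort needs on the order of four million races. That gap is the whole point of the 2008 patch, and the reason an unpatched resolver in the "ten percent" is worth finding with a check like this one.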
-
Re:server-side tracking
Sure, but that's far fetched from the ability that cookies and the likes of Google Analytics offer for marketers. It's stupid to say "this won't end it all" and think it's better to do nothing.
Only the uninformed think I'm stupid when I say these privacy features won't stop the tracking.
Please, educate yourself to the fact that 54 of the top 100 websites use Flash Cookies (in conjunction with HTTP Cookies). Also take note of the Evercookie and other such fingerprinting systems such as Panopticlick.
You don't have to add features to your web-browser in order to eliminate tracking. I use a VM and a commonly distributed VM image of an OS with a browser installed. Besides the IP address I look just like everyone else using the same VM image. My IP is transient, so I turn off my modem when I'm not using it.
It's foolish to call others stupid when you are ignorant of the topic at hand.
-
HOSTS files are protection vs. DNS faults
"Anyone can set up a DNS server and serve names, and anyone else pointing at that DNS server can resolve them. There has always been some competition to the mainstream DNS and I think this move will bring more." - by Greyfox (87712) on Wednesday December 01, @09:01AM (#34403468) Homepage
Some more notes on DNS servers & their problems, very recent + ongoing ones:
BIND vs. what the Chinese are doing to DNS lately? See here:
http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders
---
SECUNIA HIT BY DNS REDIRECTION HACK THIS WEEK:
http://www.theregister.co.uk/2010/11/26/secunia_back_from_dns_hack/
(Yes, even "security pros" are helpless vs. DNS problems, & they can only try to "set the DNS record straight" & then, they still have to wait for corrected DNS info. to propagate across all subordinate DNS servers too - lagtime in which folks DO get "abused" in mind you!)
---
DNS vs. the "Kaminsky DNS flaw", here (and even MORE problems in DNS than just that):
http://www.scmagazineus.com/new-bind-9-dns-flaw-is-worse-than-kaminskys/article/140872/
(Seems others are saying that some NEW "Bind9 flaw" is worse than the Kaminsky flaw ALONE, up there, mind you... probably corrected (hopefully), but it shows yet again, DNS hassles being exploited!)
---
Moxie Marlinspike's found others (0 hack) as well...
Nope... "layered security" truly IS the "way to go" - hacker/cracker types know it, & they do NOT want the rest of us knowing it too!...
---
SO, WHAT CAN A HOSTS FILE DO VS. THOSE PROBLEMS ABOVE? PROTECT YOU! Read on...
14 ADVANTAGES OF HOSTS FILES OVER DNS SERVERS &/or ADBLOCK:
1.) Adblock blocks ads in only 1 browser family (Disclaimer: Opera now has an AdBlock addon (now that Opera has addons above widgets), but I am not certain the same people make it as they do for FF...).
2.) HOSTS files are useable for all these purposes because they are present on all Operating Systems that have a BSD based IP stack (even ANDROID) and do adblocking for ANY webbrowser, email program, etc. (any webbound program).
3.) Adblock doesn't protect email programs external to FF, Hosts files do.
4.) Adblock won't get you to your favorite sites if a DNS server goes down or is DNS-poisoned, hosts will (this leads to points 4-7 next below).
5.) Adblock doesn't allow you to hardcode in your favorite websites into it so you don't make DNS server calls and so you can avoid tracking by DNS request logs, hosts do (DNS servers are also being abused by the Chinese lately and by the Kaminsky flaw -> http://www.networkworld.com/news/2008/082908-kaminsky-flaw-prompts-dns-server.html for years now). Hosts protect against those problems via hardcodes of your fav sites (you should verify against the TLD that does nothing but cache IPAddress-to-domainname/hostname resolutions via PINGS &/or WHOIS though, regularly, so you have the correct IP & it's current)).
6.) HOSTS files protect you vs. DNS-poisoning &/or the Kaminsky flaw in DNS servers, and allow you to get to sites reliably vs. things like the Chinese are doing to DNS -> http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders
7.) AdBlock doesn't let you block out known bad sites or servers that are known to be maliciously scripted, hosts can and many reputable lists for this exist:
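The advantages list above rests on the hosts file being consulted before any DNS query, which is exactly why DNS-changing malware edits it. Below is an added example, not code from this thread or from any of the products named in it, that audits a hosts file for the things a practitioner would check before trusting it as a DNS supplement: malformed addresses, one name mapped to more than one address, `localhost` sent anywhere but loopback, and watchlisted names pointed at a routable address instead of being sinkholed or absent. The `WATCHLIST` is a hypothetical stand-in for the update servers, AV vendors and banks you would actually list; the `SAMPLE_HOSTS` content is constructed and uses RFC 5737 documentation addresses.

```python
"""Audit a hosts file before trusting it as a DNS supplement.

Added example, not code from the thread. SAMPLE_HOSTS and WATCHLIST are constructed
for illustration; in practice read /etc/hosts or
%SystemRoot%\\System32\\drivers\\etc\\hosts and supply your own watchlist.
"""
import ipaddress
from collections import Counter, defaultdict

# Hypothetical watchlist: names that must only ever be sinkholed (127.0.0.1 / 0.0.0.0)
# or absent. A routable mapping for one of these is the signature a DNS-changing
# trojan leaves behind when it diverts update or login traffic.
WATCHLIST = ["update.example-av.test", "login.example-bank.test"]

# Constructed sample. Addresses come from the RFC 5737 documentation ranges.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example-tracker.test     # blocklist-style sinkhole
198.51.100.10   www.example.com              # hardcoded favourite site
203.0.113.7     update.example-av.test       # watchlisted name sent to a routable host
127.0.0.1       update.example-av.test       # same name, different answer
999.1.1.1       broken.test                  # malformed address
"""


def parse_hosts(text):
    """Return (line_number, address, [hostnames]) for each non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        entries.append((lineno, parts[0], [name.lower() for name in parts[1:]]))
    return entries


def classify_address(addr):
    """Return ('invalid' | 'sinkhole' | 'routable', ip_or_None)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid", None
    if ip.is_loopback or ip.is_unspecified:
        return "sinkhole", ip            # 127.0.0.0/8, ::1, 0.0.0.0, ::
    return "routable", ip


def audit_hosts(text, watchlist):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    watch = {name.lower() for name in watchlist}
    findings = []
    answers = defaultdict(set)           # (hostname, ip version) -> addresses it maps to
    for lineno, addr, names in parse_hosts(text):
        kind, ip = classify_address(addr)
        if kind == "invalid":
            findings.append({"kind": "invalid_address", "line": lineno, "detail": addr})
            continue
        if not names:
            findings.append({"kind": "no_hostname", "line": lineno, "detail": addr})
            continue
        for name in names:
            answers[(name, ip.version)].add(str(ip))
            if name == "localhost" and kind != "sinkhole":
                findings.append({"kind": "localhost_redirected", "line": lineno,
                                 "detail": f"{name} -> {ip}"})
            elif name in watch and kind == "routable":
                findings.append({"kind": "watchlist_hijack", "line": lineno,
                                 "detail": f"{name} -> {ip}"})
            elif kind == "routable":
                # A deliberate pin. The thread's own advice applies: re-verify the
                # address periodically, since a stale pin is an outage or a redirect.
                findings.append({"kind": "pinned", "line": lineno,
                                 "detail": f"{name} -> {ip}"})
    for (name, _version), ips in answers.items():
        if len(ips) > 1:
            # Which entry wins depends on the resolver; either way the file is ambiguous.
            findings.append({"kind": "conflicting_mappings", "line": None,
                             "detail": f"{name} -> {sorted(ips)}"})
    return findings


def summarize(findings):
    """Count findings by kind, e.g. Counter({'pinned': 1, 'watchlist_hijack': 1, ...})."""
    return Counter(finding["kind"] for finding in findings)


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, WATCHLIST):
        print(f"{finding['kind']:22} line {finding['line']}: {finding['detail']}")
```

Run against the sample it reports one hijack, one conflicting mapping, one malformed address and one pin; a clean file with only the two `localhost` lines produces no findings. The per-family key on `answers` matters: `127.0.0.1 localhost` and `::1 localhost` are the normal pair, not a conflict.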
-
Re:Ok then, list the trojans in the wild
Mac users are very fond of pointing out this distinction, leaving out that trojans and malware, and social engineering, these days are the overwhelming majority of Windows issues as well.
Yes. Yes they are.
Now please list the count of Windows trojans vs. mac trojans. I'll get you started with the Mac count:
1 (or is this trojan actually in the wild yet?)
After all, we are talking about active trojans in the wild...
Do you not think that a system with a few orders of magnitude fewer active security threats might not, in fact, be more secure for the average user.
No I don't. I just believe that the claim that Mac has no such issues now is proven wrong. That is all. Nobody has claimed that Windows doesn't have a longer list of malware in the wild.
And questioning whether this one is in the wild is either disingenuous or you haven't RTFA or anything else on the subject. This is clearly proven to be in the wild, e.g. as a disguised iPhoto app for download.
Among some of the first Mac OSX trojans discovered in the wild was this one in 1996: http://www.macrumors.com/2006/02/16/the-first-mac-os-x-virus-a-new-os-x-trojan/.
And in 1997: http://boingboing.net/2007/10/31/mac-trojan-in-the-wi.html
Then you had these two: http://www.scmagazineus.com/two-in-the-wild-trojans-target-mac-os-x/article/111551/ . The ARDAgent one was drive-by stealth install (which Mac users also are fond of pointing out is a Windows only problem)
You've had a handful of others in the wild as well, like:
http://blog.trendmicro.com/mac-os-x-dns-changing-trojan-in-the-wild/
http://www.macupdate.com/info.php/id/30265/iservices-trojan-removal-tool
etc. There are more, but again, I'm not in any way claiming the list isn't shorter than a similar Windows list, nobody is. But the claim that Mac OSX has no such malware in the wild has clearly been proven wrong (a long time ago).
-
PA security officer fired for talking at conferenc
e (damn /. and its short subject field).
Our state CISO was fired when he got back from the conference because he spoke about a hacking incident to the state's DOT site which allows one to schedule driver's exams. Apparently, it was initially presumed the attack came from Russia but was later found to have come from Philadelphia where a driving school had exploited a vulnerability in the web site to schedule more driving tests than there were allotted slots.
By exploiting this vulnerability, the driving school was able to close all available slots EXCEPT for the school so everyone else had to wait up to 6 weeks to schedule a test.
He was a scheduled presenter with over 24 years in IT in both the public and private sector. He was recognized, according to the RSA schedule, as "one of the most high-profile experts in the field of securing the data of American citizens today."
As you read the comments after the article, it's clear that some folks with knowledge of the subject insist he went out of bounds on the subject while others consider what he did to be a normal part of the IT security process.
I'm only posting this as it does relate to the overall RSA conference. Note that the web site indicated will probably prevent reading the article after a certain time has passed so read it now. In addition, here are two other sites which talk about the firing:
Site one
Site two
Further, here is an article which talks to the firee after he became the state's first CISO and what he had to contend with.
-
Probably the Asprox botnet.
I googled 318x.com and SQL injection and found this. A little further searching revealed that Asprox has been ramping up activity recently.
-
Re:How convenient
The DLP market, Data-Loss Prevention, is a burgeoning and growing market.
Trend Micro purchased Provilla to jumpstart their way to catching Symantec. Cisco's CSA Agent can act as a DLP device when paired with sniffers.
DLP modules can be particularly nasty. They are, in effect, beneficial (to the company) rootkits. Often, the good ones like Leakproof (I have no affiliation with the product, it won SC magazine's product 5/5 Award - http://www.scmagazineus.com/trend-micro-leakproof/review/2632/) can't be seen or can be explicitly exempted from A/V scans.
They follow rules, like notify if any workstation copies a PDF to a USB drive or attaches it to a webmail outbound message.
This will become more and more common in the workplace. Virtual desktops plus rootkits with no local admin rights to the user.
In this way, the same effects as regions and LPARs and mainframe access rights are re-achieved in the modern age with virtual desktops and VPN.
It may not be everyone's idea of utopia, but private companies are doing this more and more. Even road warriors are getting thinbooks and asked to use remote VPN desktops to control everything.
-
Re:No Joke
They aren't. There's no way anyone is being infected by these sites.
Don't be so sure -- there have been plenty of cases the last few years with major websites being duped into pushing out malware.
For example, the New York Times pushed out trojans recently: http://www.scmagazineus.com/New-York-Times-inadvertently-sold-ad-space-to-hackers/article/148990/
Another one (a little longer back) revolved around .WMF files - an old printer image metafile format that can include executable code which Windows ran without asking anything. Simply viewing the file in Internet Explorer ran the payload. Icing on the cake is that it still worked if the malicious .wmf files were renamed to .JPG thanks to the way IE handles the image rendering. Some enterprising people spread a bunch of these on the major ad networks without getting caught, and there you go... Any website running ads from these networks now came with a malicious payload.
http://www.dailykos.com/story/2006/1/1/235748/4675
Now, they may not have done so intentionally, but plenty of big, mainstream websites have indeed been caught unwittingly pushing out trojans and malware over the last few years. It's really not that far-fetched. These are just two examples, there have been plenty more over the years.
-
Re:So pretty much the same...
I wonder if this bears a ton of significance considering the timing of the US equivalent being appointed ?
-
Re:ActiveX
Oh, of course established companies never release flawed software, right? Their ActiveX control does not have to be malicious in itself, it is sufficient if it tears holes into your defense for others to abuse. ActiveX needs to die a very quick death already. And can we please club that idea that a browser, JavaScript and a bit of fairy-dust can fully replace any local application regardless of specific implications out of people's heads?
-
Re:Downright Gibsonian
You might be getting old, but reporting malicious attacks like the weather is a good thing. Some will get tired of it, but the good thing is that perhaps the average joe public user will become aware of how vulnerable their on-line experience and computer are. Fighting DDoS attacks has been done successfully, but it takes a lot of work, and a lot of hardware. There are a couple of stories on the Internet about such.
The most recent botnet reports show that 100s of millions of PCs are infected via an MS vulnerability that was fixed with a patch last year.
We need to see the awareness level increased, and some serious attention to detail on the patch/upgrade cycles.
-
Re:Good or bad
Sometimes the 'user mindset' gets silly. I often find our users think they're so important to the company that they're justified in doing ANYTHING, including surfing for porn in open cubicles during business hours at world headquarters with tour groups walking past. Or, more frightening, to cover up their ignorance or to short-cut understanding... blah, blah, blah.
Sure, there are roadblock powertrippers out there in the IT security field, just as there are in pretty much any security field (CIA, cops, mall security, etc.) On the other hand, there are legitimate risks out there that do have real-world bottom-line consequences. No one thinks that viruses are a big deal until you've got an entire factory floor idled because the controller's infected. No one thinks that they'll be hacked and make the news for it, but they do (Caterpillar, TJX, even security company Guidance Software, to name a few).
What gets me down about my job (yes, I'm in IT security) is not the adversarial nature of it. What really gets me is that absolutely NO ONE really wants security implemented until AFTER the company makes the Wall Street Journal for being hacked. Who gets fired on that day? Oftentimes, it's the security people, despite the fact that they'd been trying to implement countermeasures that would have at least reduced the damage from the attack. Until your company makes the WSJ, security is overhead, a liability, a roadblock. Afterwards, they're the ones who let the barbarians through the gates, regardless of how many times the board denied funding security projects.
I used to be jazzed about IT security, but 10+ years of being told that nothing overrides the business need, and that I'm nothing but a roadblock has ground me down to the point where I'm just punching the clock and trying to figure out what career path to do next.
And to all you whiny, lazy, good-for-nothing assholes who can't remember their precious password: Can you remember where your car keys are? Your Social Security Number? Your birthdate? Your wife's birthdate? The phone number to the restaurant that delivers your dinner? The name of the girl you had a crush on in 4th grade? People remember all sorts of things when they want to, and when it's important to them. Now, think about this... if your company makes the WSJ because you set your password to Ripken09, who are they going to fire? Yeah, you're right: they'll can the poor security schmuck that's dedicated his career to compensating for stupid pukes like you, but you'll probably keep your job since there really wasn't much that could be done about the hacker anyway.
I guess there's the problem in a nutshell. The only people who care enough about security to do something about it are those who stand a chance of losing something when security fails. The vast majority of the time, the only people at risk are the security guys.
Holy crap, I just re-read that. Never realized how bitter and vindictive I've become. I got to get me a new job!
-
more info.
more info on hardware based encryption... http://www.scmagazineus.com/Crypto-chip-How-the-TPM-bolsters-enterprise-security/article/111865/
IMO best choice FDE drive, they come from Seagate, Fujitsu and Hitachi. Seagate has best "out of box" solution. FDE is faster, cheaper, easiest to use, easiest to manage.
http://www.seagate.com/www/en-us/products/laptops/momentus/momentus_5400_fde.2/
(Since you're not managing large numbers you don't need the servers... if you did manage 10-100,000, the servers would be a must, and well worth it)
Dell and Lenovo now sell laptops with the choice of FDE drives. Check out vendor www.wave.com, awesome customer service (these guys know what they're doing)
-
Re:Business value and risk
It's not about the probability of someone breaching 56-bit DES, it's about the consequences.
How about Hannaford or TJX using weak keys? Their CSO should be weighing the cost of changing their infrastructure to not use wireless, or using strong keys, MAC Filtering and firewalls to mitigate their exposure vs the risk of losing 47,000,000 credit and debit card numbers.
The CSOs of those companies would need to weigh different factors than businesses with no B&M retail outlets. It's about deciding "How much is my data worth", "What are the consequences of that data being exposed" and "Based on those two answers, here's the broad strokes of our Information Security strategy".
Does that risk belong to the company alone, as in the case of a manufacturing company making proprietary widgets, or is the risk shared with the general public, as in the case of a supermarket with a horrific and weak wireless policy? Those are the kinds of questions CSOs should worry about, not "What model of firewall do we use", as the summary was saying.
The VPN example was flawed, sure. But if you think in terms of the consequences it makes more sense. If you're sending credit card data over a 56-bit DES tunnel, and someone intercepts and decrypts that traffic, that's horrible. More horrible will be the impact to the company when the department is shown as negligent for having relatively weak crypto.
-
Re:The register's older writeup on this ...
Some additional reports from earlier this week and previous...
http://blog.trendmicro.com/e-commerce-sites-invaded/
http://www.scmagazineus.com/Attack-injects-malicious-JavaScript-into-e-commerce-sites/article/104206
http://www.theregister.co.uk/2008/01/11/mysterious_web_infection/
http://www.cpanel.net/security/notes/random_js_toolkit.html
http://isc.sans.org/diary.html?date=2008-01-18
http://isc.sans.org/diary.html?date=2008-01-14
http://www.webhostingtalk.com/showthread.php?p=4902045