Unsure why people are moved to throw their data into the hands of someone (company) that would never treat their data as sacred. I don't care what argument you put forth, no one is going to care (security-wise) about your data as vigilantly as you would (and should). Math-wise, the cloud makes no sense to me, even on the free model.
1) wait for you to download your data over the Interwebs (mobile you say... tick tock)
2) There is NO GUARANTEE someone in the company isn't looking at your data or selling it. You're simply trusting they won't.
Storage is dirt cheap. 2TB drives are like what, 100-200 US per pop, give or take. They're compact enough to throw in a messenger bag along with a laptop. Data availability is much faster than downloading it over the wire. Throw on crypto (say Truecrypt) and you have a decent amount of security. Only concern is if your HD goes bad. In either event, another backup 2TB is 100-200. Cloud pay for play? @ 10.00 per month, it's STILL the cost, if not more, of buying your own device.
"Foreign intelligence" speaks for itself. Any country complaining about it is playing a shell game. The reality is, they'd do the same if they had the capabilities to do so.
Either his site is being SQLi'd to death or he is being /.'d ctf.notsosecure.com no worky. Maybe he can come back and monetize this CTF to include: "How to run a webserver while being visitedDoS'd"
Guidelines mean nothing. All a guideline means: "this work(ed,s) for $INSERT_AUTHOR" and this is what many constantly fail to realize. If standards and guidelines worked, many compromises and security lapses would not occur. Guidelines are so outdated and based on re-hashed (herd following the herd) concepts that they are laughable. Further, too many individuals and companies often do follow guidelines and use that as the de facto "we are secured." As someone who has had to deal with MSP and MSSP functions catering to these companies, I can tell you some scary stuff. Many of the staff tasked with this (security) are like fish out of the water. They don't understand security, but DO UNDERSTAND SCADA-based systems. There is always a disconnection between the Praetorian Guard and those in the infosec/hacker community.
This is what happens when you let companies oversee themselves without any real penalties. Imagine a speeding sign. You speed, cop pulls you over, gives you a warning. You do the same, he pulls you over and gives you a warning. ... You will keep speeding. Government has allowed many of the NRCs to self-govern, causing all sorts of stupidity ranging from: "we can't do security testing here, it will bring down the grid!", to all other forms of nonsense the NRC lobbyists will throw around. The reality is simple, the gov can't just "shut these places down." What are you gonna do, allow NYC to go dark? The entire regulatory "Dosey Do" one's partner is as old as the industry itself: "If you speed..." All bark and no bite. It's surprising we haven't had any major malfunctions on a constant basis.
You "assume" SSL certs would have done something. The reality is, SSL certs can and have been stolen in the past. Malware authors do this all the time (steal certs) to overcome warnings. This does not include the fact that SSL vendors have also been compromised (http://blogs.comodo.com/it-security/data-security/the-recent-ra-compromise/). SSL doesn't do as much as you'd like, and if you're solely relying on that, then you maybe need to take some advanced offensive security classes.
There has been some commentary via mailing lists and Twitter feeds that this was not a big deal. Firstly, hats off to HD and his team, there was nothing they could have done about it. Secondly, this isn't to be taken lightly. Sure the attackers were minor script kiddies, but the reality is, the attack could have been extremely vicious. Consider an attacker replicating the content of the site and simply replacing the applications (nexpose, metasploit) with backdoored versions.
Companies like Register and GoDaddy are lacking in the validation category. ANYONE can create fake identification using GIMP, Photoshop, etc.; the fact they did not offer anything other than a fax request is mind-bogglingly stupid. They should have called BACK the registrant's number to confirm the change request. But companies would argue: "that would be costly," not even thinking of turning that kind of validation into, say, a business model: "for $10 extra per year..." when they should be doing it from the jump. (Neither here nor there.) Personally, I hadn't been running any updates, but if I did, I would be going back, wiping my machines, and re-installing.
while( var = Backdoor() )
{
fluff goes here
}
else
{
just give em selinux
}
Over 10 years ago, the US gave everyone a glimpse of their tapping capabilities by way of Carnivore aka DCS1000. Then news came out about Magic Lantern, which was used to collar mobster Nicki Scarfo. That then should have been a no-brainer: "the gov is/can watch you..." A few years later, idiots^W people took to TOR, which was initially a Navy project. They created an "E-Bay like" site where people can "rate my drugs." What a bunch of illiterate morons who used the site. If I were a reporter, my story would start something like: "Silk Road users were so technologically advanced, yet dense on common sense..."
grep -vir selinux would never work France!
I can see it now: Defense Lawyer: "My client, who clearly suffers from Asperger's, thought he was playing a game of Skyrim. Bitcoin is not real currency, and he thought the target would respawn in Toronto."
Would be nice to have an article linked correctly... https://medium.com/the-physics-arxiv-blog/716ca39266c9
Not if you're driving a Prius it isn't!
High Frequency Trading isn't new... http://en.wikipedia.org/wiki/High-frequency_trading This past June, a news article caused a $28 million gain: "If you're a high-frequency trader, a few milliseconds is a big deal. And in this case, a 15-millisecond head-start meant that $28 million in shares traded hands before the number was even published." http://qz.com/91242/the-15-millisecond-head-start-that-led-to-28-million-in-trades/ This shouldn't come as a surprise: companies in the business of making money will do everything that they can to (drum roll...) make money.
You're missing the gist of it here. The reality on production servers is, most are locked down from egress attacks. This does not stop, minimize, and/or deter an attacker from hitting you up with a client-side attack on a non-production machine, passing a hash, then to and from trusted sources until it gets out:
Attacker --> client side --> workstation
workstation --> attack --> production server
production server workstation
workstation --> via SSL --> attacker.
This would fill a wiki page so I will stop there. There was a point to be made without me having to spell things out.
I believe there is more going on to this than you would understand. For example, the Zeus/Qakbot strain always downloads a file. Most times it will be randomized. For argument's sake, let's say it was named nbc.exe. What Zeus/Qakbot did was communicate out via IE. Even though nbc.exe was the application responsible for running the show, the communications portion was done via good ole GET and POST over HTTPS. At issue with detecting nbc.exe where Zeus/Qakbot was/is concerned is the fact that the operators of the malware were/are changing the executable every N hours. So most AV systems wouldn't even detect it. So no... IPS/IDS here means nothing. Blacklisting *may* have worked to stop the communication, but even then a fast flux would have trumped that.
Any IDS/IPS is only as good as its signatures. The problem with these devices is that attackers can use a flurry of heuristic tactics to completely bypass these systems as well as DLP. There is a difference had you mentioned SIEM, which *may* have worked if there were vigilant analysts looking at logs repeatedly. In order to understand why IDS/IPS fail, you need to understand attacks. At any point in time, when I perform pentests, I ALWAYS start off sending a barrage of data to generate junk. This is done for a few reasons: 1) it tests responses from DFIR teams and 2) it allows me to get in under the radar. Now when you state: "machines communicating encrypted data to sites out on the Internet is something that IDS applications are designed to detect," you're 10000000% wrong. Any IPS/IDS admin doing this is giving themselves a headache. Do you have any idea how many false positives it would generate from employees going to log into, say, Gmail, their banks, or anything else using SSL?
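The two comments above make a defender-relevant point between them: a malware executable that is re-packed every N hours defeats hash- and signature-based detection, and a rule that fires on "encrypted traffic to the Internet" drowns the analyst in false positives. What survives both problems is the behaviour of the channel itself: a C2 client that polls on a fixed timer produces near-constant connection intervals, which ordinary browsing does not. The example below is an added illustration of that log-analysis approach and is not code from the commenter or from any product; the proxy log format, host names and IP addresses are constructed for the example, and the allowlist is an assumption standing in for whatever known-good SaaS and internal services an organisation would maintain.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Hypothetical proxy log format assumed for this example:
#   "<ISO-8601 time> <source ip> <destination host> <method> <bytes>"
# The lines below are constructed sample data, not captured traffic.
PROXY_LOG = """\
2013-06-21T09:00:00 10.1.1.20 mail.google.com GET 48211
2013-06-21T09:00:05 10.1.1.20 mail.google.com POST 1201
2013-06-21T09:03:10 10.1.1.20 www.example-bank.test GET 20344
2013-06-21T09:00:03 10.1.1.37 cdn-update.example-evil.test POST 512
2013-06-21T09:10:04 10.1.1.37 cdn-update.example-evil.test POST 518
2013-06-21T09:20:02 10.1.1.37 cdn-update.example-evil.test POST 509
2013-06-21T09:30:05 10.1.1.37 cdn-update.example-evil.test POST 515
2013-06-21T09:40:03 10.1.1.37 cdn-update.example-evil.test POST 511
2013-06-21T09:50:04 10.1.1.37 cdn-update.example-evil.test POST 520
2013-06-21T09:12:40 10.1.1.37 mail.google.com GET 51200
2013-06-21T09:44:12 10.1.1.37 mail.google.com POST 900
2013-06-21T09:01:00 10.1.1.52 news.example.test GET 73000
2013-06-21T09:02:30 10.1.1.52 news.example.test GET 81000
2013-06-21T09:09:15 10.1.1.52 news.example.test GET 66000
2013-06-21T09:40:50 10.1.1.52 news.example.test GET 70100
2013-06-21T09:00:00 10.1.1.52 updates.example-corp.test GET 300
2013-06-21T09:05:00 10.1.1.52 updates.example-corp.test GET 300
2013-06-21T09:10:00 10.1.1.52 updates.example-corp.test GET 300
2013-06-21T09:15:00 10.1.1.52 updates.example-corp.test GET 300
2013-06-21T09:20:00 10.1.1.52 updates.example-corp.test GET 300
2013-06-21T09:25:00 10.1.1.52 updates.example-corp.test GET 300
this line is malformed and must be skipped
"""

# Assumed allowlist: services that legitimately talk over HTTPS all day (SaaS,
# the corporate update server). Alerting on encrypted egress without such a
# list is exactly what floods analysts with false positives.
ALLOWLIST = {"mail.google.com", "updates.example-corp.test"}


def parse_log(text):
    """Yield (timestamp, src, host, method, bytes) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            size = int(parts[4])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3], size


def find_beacons(text, min_connections=5, min_interval_s=60.0,
                 max_jitter=0.1, allowlist=ALLOWLIST):
    """Flag (src, host) pairs whose connection intervals are nearly constant.

    jitter is the coefficient of variation (stdev / mean) of the gaps between
    successive connections; a timer-driven client scores close to zero, a
    human reading a news site does not. Hosts on the allowlist are never
    flagged, and pairs with too few connections are ignored because there is
    no meaningful interval statistic for them.
    """
    sessions = defaultdict(list)
    for ts, src, host, _method, _size in parse_log(text):
        sessions[(src, host)].append(ts)

    findings = []
    for (src, host), stamps in sessions.items():
        if host in allowlist or len(stamps) < min_connections:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(intervals)
        if mean < min_interval_s:          # a burst of page loads, not a poll timer
            continue
        jitter = statistics.stdev(intervals) / mean
        if jitter <= max_jitter:
            findings.append({
                "src": src,
                "host": host,
                "connections": len(stamps),
                "mean_interval_s": round(mean, 1),
                "jitter": round(jitter, 4),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(PROXY_LOG):
        print(f"{f['src']} -> {f['host']}: {f['connections']} connections, "
              f"every ~{f['mean_interval_s']}s (jitter {f['jitter']})")
```

Running it flags only the 10.1.1.37 host polling cdn-update.example-evil.test every ten minutes; the Gmail sessions, the irregular news browsing and the equally periodic but allowlisted update checks are all left alone. Nothing in the logic depends on the executable's name or hash, which is the point: re-packing the binary every few hours changes nothing about the timing of its check-ins. Real C2 clients often add randomised sleep to defeat exactly this, so in practice `max_jitter` is tuned against a baseline of the environment's own traffic rather than fixed.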
"Does Your Work Schedule Make You Unproductive?" - no but Slashdot and TheChive sure do
I don't know, paper was generated by MIT, so it just may be legit http://pdos.csail.mit.edu/scigen/
You had me at Windows
Everyone is in luck: June 21st, 2013, 07:09 GMT By Eduard Kovacs http://news.softpedia.com/news/LinkedIn-Outage-Caused-by-DDOS-Attack-on-Network-Solutions-362473.shtml --- This means that on Sunday, you will all find out it was a DoS attack. This also means, on Sunday, if you visit that site you can also get the Powerball results which haven't been posted yet and all retire.
While I understand WHY the USPS would do this, I wonder how much money they've spent on storing data (the photos) all the while cutting the hours of employees due to budget cuts, etc. As for the comment by Bruce Schneier: "whether it was a postal worker taking down information or a computer taking images, the program was still an invasion of privacy." I disagree. There is a difference between taking an address down and reading your mail. I don't see Bruce complaining about UPS, FedEx, etc. doing the same. Get over it.
The same elite "Cyber" group in the PLA is also selling fake Rolexes. If you believe Mandiant, feel free to contact me about shares in the Brooklyn Bridge http://cybernonsense.blogspot.com/2013/02/chinese-hackers-and-security-malware_4130.html