Hopefully MS does some dupe checking on their end, otherwise this could amount to a DoS attack. Imagine spamming out the victim's URL to hundreds of thousands of Skype users and then MS flooding that URL with requests.
Interesting. I'm a USAA customer and I just loaded up the app. For security purposes, it seems that the application requires the phone's location before it will allow a user to deposit a check. Presumably this is to combat fraud, such as detect a user in Seattle depositing a check and then the same user in Vienna attempting to deposit a check 10 minutes later. When the window asking whether I wanted to let it use my location popped up, I hit cancel and it did not let me go any further with the deposit. Unfortunately, I don't have any checks handy that I need to deposit, but I can't wait to test this out.
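The Seattle/Vienna heuristic described in the comment above, as an added illustration (not USAA's code and not part of the original comment): an impossible-travel check over constructed deposit events, with assumed thresholds for maximum plausible speed and GPS jitter.

```python
"""Impossible-travel check for location-stamped mobile check deposits.

Added example, not the bank's implementation. Flags a deposit when the
distance from the same user's previous deposit could not plausibly have
been covered in the elapsed time.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed policy: faster than an airliner is "impossible"
MIN_DISTANCE_KM = 5.0       # assumed: closer than this is GPS jitter, not travel


@dataclass(frozen=True)
class Deposit:
    user: str
    when: datetime
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(prev: Deposit, cur: Deposit) -> float:
    """Speed the user would have needed to get from prev to cur."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if dist < MIN_DISTANCE_KM:
        return 0.0  # same place within jitter; never a travel violation
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        return float("inf")  # same instant or clock skew: treat as implausible
    return dist / hours


def flag_impossible_travel(deposits):
    """Return (user, timestamp, implied km/h) for each deposit that is
    implausible relative to that user's previous deposit. Input may be unsorted."""
    flagged = []
    last_seen = {}
    for d in sorted(deposits, key=lambda x: (x.user, x.when)):
        prev = last_seen.get(d.user)
        if prev is not None:
            speed = implied_speed_kmh(prev, d)
            if speed > MAX_PLAUSIBLE_KMH:
                flagged.append((d.user, d.when, speed))
        last_seen[d.user] = d
    return flagged


# Constructed sample events: alice "moves" Seattle -> Vienna in 10 minutes,
# bob drives Seattle -> Portland over three hours.
T0 = datetime(2009, 8, 12, 9, 0, 0)
SAMPLE_DEPOSITS = [
    Deposit("alice", T0, 47.6062, -122.3321),                       # Seattle
    Deposit("alice", T0 + timedelta(minutes=10), 48.2082, 16.3738),  # Vienna
    Deposit("bob", T0, 47.6062, -122.3321),                         # Seattle
    Deposit("bob", T0 + timedelta(hours=3), 45.5152, -122.6784),    # Portland
]

if __name__ == "__main__":
    for user, when, speed in flag_impossible_travel(SAMPLE_DEPOSITS):
        print(f"{user} @ {when:%H:%M}: implied {speed:,.0f} km/h -> hold deposit")
```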
Now it can do what my Nokia N95 (or nearly any S60 device) has been doing for ages through Walkinghotspot
You're right about the moving parts, however I disagree about the flash memory bit. Electrical utilities deploy systems to substations, which utilize flash-based storage systems and they are sold with a 10-year warranty. Having seen devices with rotating storage fail in those environments when flash-based systems have not, I think that it's fair to say that flash memory will definitely go a long way in the reliability department.
I've been thinking of maxing out my 8 Core Mac Pro with 32GB RAM, gobs of disk space and installing XenServer or VMware ESX server and boot via rEFIt.

Another option I'm considering is picking up a new box altogether. I have my eye on a Dell server with 2 4x core AMD CPUs. With a 300GB disk and 32GB RAM, it goes for just over $3k. Add in a few SAS drives and you're around $4k, but you have a highly capable system capable of running more VMs than you probably need.
I know it's sometimes a pain and can take time, but you might want to consider putting out an RFP for an application test. Depending on the size of your company and procurement policies, you might be required to put the job out for bid anyway. It also gives you a good idea about what's out there. Let me warn you however, that if you're only looking to satisfy an audit requirement, you're probably wasting your time, as you'll probably be forced to choose the lowest bid, which will most likely provide the least value in the long run, not to mention a false sense of security.

There are many things to include in the RFP, but the major points that come to mind at the moment are as follows:

- Company information (size, qualifications, location (important if testing is on-site), personnel bios, insurance, etc.)
- Technical Methodology (as detailed as possible)
- Tools used
- Reporting (make them include a sample)
- References (3 professional references seem to be the norm, which should be past clients)

There are many places one can place the RFP, such as magazines (SC, Infosec.), listservs (e.g., securityfocus.com) and of course you can always pick the top-10 replies to your query on slashdot and send the RFP to them. You should get at least 5-6 responses.
TSA should be forced to implement a loss prevention program at each airport. Screeners would only be permitted to inspect checked luggage in a highly monitored area. Companies like SAIC could then sell them a centralized video monitoring service to oversee the inspections and report suspicious behavior. Corporate taxes should foot the bill and then make some money back on the service.
I'm really not surprised to hear this. According to Verizon Business' 2008 Data Breach Report, 46% of reported attacks, while somewhat opportunistic, are directed towards a specific victim with knowledge of how to exploit a specific weakness. While only 15% of the reported attacks were fully targeted, I strongly believe that this number will rise.

With usage of social networking sites on the rise (think Linkedin.com), it really isn't difficult to identify well-placed targets within an organization. Find enough information about an individual, make contact, gain a level of trust, and owning them at work can be trivial. From this point, the attacker can use the victim's trusted relationship in the company (e.g., electronic access) to proceed to take ownership of the network.
... is the only foul smell that permeates from my 8-core Mac Pro.
My understanding is that unless DNSSEC is implemented in the last mile resolvers (e.g. my ISP), it doesn't buy a whole lot, especially when it comes to preventing cache poisoning attacks. Moreover, according to RFC4035, delegation records and glue records aren't subject to public key verification (i.e. not signed), so DNSSEC could still be vulnerable.

Until DNSSEC is pushed out to the end user to the point that our browsers are performing signature verification, I don't think it's going to buy us the security we're looking for. Even then, with PKI being notoriously difficult to implement, I'm sure it will be botched and somebody will find ways to poison public key registries with fake public keys, etc.
I'm sure everybody read the story in USA Today how Canadian provinces, which unlike US states, have some say over immigration. As a result, Alberta has been headhunting skilled foreign workers whose permanent status in the US has been taking too long. I'd find a link to the article, but I'm too tired right now. Well anyway, given the cold climate there and the potentially huge influx of skilled foreign workers, this could be the perfect storm that would allow places like Alberta that already have what I imagine to be copious bandwidth, to become a new data center capital. Add in efficient outside cooling as mentioned earlier and companies would flock there. And think.. slightly less restrictive laws to deal with since they wouldn't be in the US.
Could this be a new trend???
Seriously, with all the recent articles regarding the detrimental effects multitasking has on a person, this sounds like it could do more harm than good. Imagine being in a fire fight and an IM window pops up on your HUD. That would really anger me.
Situational awareness is certainly a good thing, but there have to be limits, otherwise one's overall awareness will decrease due to input overload. A good example is using Google maps on one's N95 or iPhone while driving. Sure, it increases situational awareness vis-a-vis one's current location, but at the cost of smashing into the car ahead or running over a pedestrian because you didn't notice that the light had turned red.
One solution to the entire unlocking business is to buy an unbranded phone from the start. While one pays a premium for the phone, none of the features are locked by the carrier and one is free to use the phone overseas.
Of course it's more difficult to buy unbranded CDMA phones, but it's probably possible.
In a proper deployment, performance-wise, the shared medium should not have a large impact if one's access points aren't oversubscribed. The world is moving towards "thin" APs that are networked over a high speed backbone of so-called "wireless switches" that perform the wireless management, making the AP just that and nothing much more. Assuming one has enough APs and the wired backbone is sufficient, in theory, collisions should be minimal and performance should be at least as good as FastEthernet.
Furthermore, nobody is suggesting that we replace wired Ethernet with wireless as a core distribution, backbone or server farm access technology. We're only talking user desktop/laptop access here.
From a security perspective, there isn't a whole lot one can do to prevent a motivated employee from running tcpdump once authenticated. Tools such as group policy, NAC, etc., can mitigate the risk to the point that it isn't much higher than an employee running ettercap against the workgroup switch. Of course this is theory, and I would advise my clients to let others work out the kinks before implementing a forklift upgrade.
Did anybody even bother to read TFA??? The victims of the attack were recruiters, not candidates. Most recruiters I've heard about, with some exceptions, aren't the most technically minded shall we say.
More interestingly, the recruiters' accounts were configured to send out emails with a bit of malware attached, which encrypted user files, such as documents. Fortunately, the encryption was fairly weak, and I hear most of the files were recovered.
I actually heard about this several weeks ago from a friend who works at an undisclosed government agency that was hit by this. I'm surprised it took this long to report.
Unless I'm mistaken, intelligence agencies and related services often gather intelligence from various news services. I would be shocked if they weren't internally distributing copyrighted works for briefings, reports, etc. If so, they should pay up as well. Anybody from Langley or Ft. Meade able to confirm?
If you bother to RTFA, it suggests that this is quite dangerous in the long run as it would seriously dilute the gene pool, wiping out much-needed biodiversity. In other words, males aren't obsolete yet since we see time and time again that mono-cultures don't tend to last very long.
How is the risk of a remotely activated device detonating any greater than detonating a tape recorder with a built-in timer (i.e. Pan-Am 103)? If the latter can't make its way past physical security then why should the former? Do remotely activated devices use invisible explosives? Are they in any way different from locally activated devices that make them somehow undetectable? In this case, the risk is inherently in the payload NOT in the activation technology.
I agree that there are holes in the system, but crying security risk before thinking the matter through does us all a disservice.
I would venture to guess that the BSR, which appears to be more or less a mobile IP router + base station transceiver, most likely employs something analogous to a standard Mobile IP setup. More than likely, wireless BSR to mobile terminal (e.g. phone or PDA) communications employs some form of layer-1 encryption. For external communications, it probably employs a series of IPsec tunnels (e.g. between the foreign and home agent routers) to offer confidentiality and data integrity security services.
That's my guess at any rate.
Uhhmm, I think we clearly have a case of prior art here. Remember Die Hard? All one has to do is tweak the ILS parameters and the altimeter and the pilot will do the terrorists' job for them completely unwittingly!
I didn't read TFA, but NPR reported this a few weeks ago. According to the NPR report, they performed autopsies on the few bees that were found dead in the vicinity of the colony. Apparently, they suffered from odd cysts and internal lesions. One possibility that hasn't been discussed is that genetically modified crops might be part of the equation. I know we all love CRM'd (Crop Rights Management??) crops, but it wouldn't be the first time that an ecosystem has been threatened by a combination of GMO crops and the over-application of herbicides.
It sounds like you've been drinking the state-approved Kool-Aid. Perhaps if certain countries aborted their tried-and-failed policy of toppling home-grown, democratically elected governments and installing their own (see Iran/1953, Palestine 2006 and many others in between), curbed support for oppressive regimes that only serve their interest for a short period of time (Vietnam, Saudi Arabia (and Gulf states), and now Iraq are prime examples of this), and realized that the entire world does not want to walk in their footsteps, people might begin to stop hating us.
On a somewhat related note, the Washington Post recently published an interesting Op-Ed written by Robert Kaiser, entitled "Topped By Hubris, Again". Or wait... perhaps they really do hate us because of our freedom.
Given the extent to which the US is attempting to provoke Iran into war (including Bush's recent address), would anybody be surprised if this was publicly blamed on Iran? With the latest build-up of forces in the Gulf, the raid on a consular office in Iraq, all they need now is a reason (other than WMD crap we've all heard before) to convince the US public. Perhaps this is the beginning.
Don't be fooled by the 20k troop "surge" that probably won't accomplish much. The real action to come could very well be on the eastern shores of the Gulf.
They most certainly are not Islamic states. They are North African states with Muslim-majority populations, but the rule of law is not Islamic Sharia', so they can hardly be labeled Islamic States.
Here's some news. Internal attacks by rogue operators can be more harmful than external attacks. This is something that every security manager should have burned into memory. Background checks are very important, but regardless of how draconian one's access control scheme becomes, there will always be an individual with the keys to the castle who can wreak havoc. The general idea is to make sure no one person can disrupt business continuity, but there will always be people who ignore this I suppose. It's a good thing that nobody relies on email for business continuity.. *chuckle*